A Peek Inside the Black Hat Network Operations Center
Every year, the Black Hat conference presents two days of briefings that reveal amazing discoveries in the security realm. Those briefings are preceded by several days of trainings -- hands-on classrooms teaching all aspects of hardware, software and network hacking (and protection against hacking). Running those classrooms on the host hotel's network would be a huge mistake, so the conference organizers necessarily set up their own, separate network. The Network Operations Center (NOC) is a product of cooperation by several different security vendors, and staffed in part by dedicated industry-veteran volunteers. Naturally the hoi polloi aren't allowed inside, but glass walls mean we can get a pretty good look.
Aamir Lakhani, Senior Security Strategist at Fortinet, gave me a quick tour. The network gets its Internet connection from the same feed as the host hotel, but other than that it's entirely separate. "The people in the classrooms are learning hacking techniques," explained Lakhani. "We don't want that on the hotel network, and we can't have the network killing their connections." He noted that the network is highly segmented, so any hacking that's not part of a training can be easily identified. James Cabe, Fortinet Senior Technical Strategist, revealed that the network's analytics indicate that 90 percent of users are connecting using a VPN, up from 60-something last year. We're learning!
Fortinet, the event's Official Hardware Provider, supplied the network switches, firewalls and classroom wireless access points, as well as some network analytics software. A large screen in one corner rotates between displaying various analytic tools. Hey, this is the NOC, but it's also a place for the vendors to show off a bit. RSA is the main security analytics provider, while wireless access in areas other than the classrooms comes from Ruckus.
I asked Cabe just what the team inside the NOC actually does with their time. He said after the grueling initial setup, they haven't needed to do much more than monitor network activity. That's not to say that connecting at Black Hat is perfectly safe. If the Karma attack reported by Pwnie Express hits, you're not on the Black Hat network. In the event of any network breakdown or attack, they'd spring into action. A big couch in the middle of the center offers respite for team members who've been staring at screens for too long.
One large display represents the most active network segments as glowing, pulsing masses, with lines connecting them. I couldn't make head nor tail of it, but the experienced monitoring team can spot anomalous activity at a glance. Not everything in the bank of displays is quite so technical. The monitor just below the storm trooper figurine plays a continuous feed of hacker-themed movies.
The atmosphere in the Network Operations Center is an amalgam of laser-focused alertness, camaraderie, and a bit of just plain goofiness, as exemplified by this laser-eyed ape guarding the door. Cabe explained that once this event is over, the whole NOC gets broken down, packed for travel and shipped to the site of Black Hat Europe, then Black Hat Singapore, and so on.
This is, of course, a seriously high-level overview of the Black Hat Network Operations Center. You can't get a ton of technical detail by peeking through the windows. If you'd like to learn more about the technical side, check out Aamir Lakhani's blog post about the process of setting up the NOC at this year's Black Hat.