# 2017 Black Hat Europe NOC: Tales of Coverage and Compromise

By [Dan Ward](https://www.paloaltonetworks.com/blog/author/dan-ward/), [Etay Nir](https://www.paloaltonetworks.com/blog/author/etay-nir/), [Jamie Brummell](https://www.paloaltonetworks.com/blog/author/jamie-brummell/), [Sandra Wenzel](https://www.paloaltonetworks.com/blog/author/sandra-wenzel/) and [Tom Brookes](https://www.paloaltonetworks.com/blog/author/tom-brookes/)

Jan 08, 2018, 4 minutes

Categories: [Events](https://www.paloaltonetworks.com/blog/category/events/), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/). Tags: [Black Hat Europe](https://www.paloaltonetworks.com/blog/tag/black-hat-europe/), [Network Operations Center](https://www.paloaltonetworks.com/blog/tag/network-operations-center/), [NOC](https://www.paloaltonetworks.com/blog/tag/noc/)

## Overview of the Black Hat NOC

At the beginning of December, Palo Alto Networks participated in the Black Hat Network Operations Center (NOC) in London as the official network security platform provider. The team included systems engineers and consulting engineers, with the aim of not only protecting the network but also actively monitoring it and collaborating with the other participating network and security vendors. These vendors included several that make substantial contributions to the [Cyber Threat Alliance](https://www.cyberthreatalliance.org/), of which Palo Alto Networks is a founding member. In this blog post, we provide an overview of how the Palo Alto Networks Next-Generation Firewall (NGFW) was used for the Black Hat Europe event and discuss our findings on the types of malware that were trending this holiday season.

![Blackhat_1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/01/Blackhat_1.png)

## Coverage

While setting up for the week, the team set out to implement best-practice configuration for every stage of the attack lifecycle, to ensure a complete understanding of threats and full visibility of traffic. We needed to be able to determine quickly and easily what was merely a classroom-module malware drop and what was a genuine attack on the network.

![Blackhat_2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/01/Blackhat_2.png)

*Each stage offering context in a single platform*

Building further context into the traffic is always key, so the team made clever use of the XML API: the hostname and/or MAC address associated with each DHCP-allocated IP address was fed into the User-ID database and kept automatically updated.
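One way to implement this DHCP-to-User-ID feed, as an added example and not the NOC team's own script: it parses ISC dhcpd-style lease records (a constructed sample), derives a name per IP from the hostname or MAC, diffs against the previous state so a device that moves to a new address is logged out of its old IP, and serializes the PAN-OS User-ID `<uid-message>` payload. The lease format, the `<uid-message>` layout and the XML API `type=user-id` transport are assumptions, and the example stops at building the payload rather than sending it.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample in ISC dhcpd leases-file style (not a real lease file).
SAMPLE_LEASES = """
lease 10.20.30.41 {
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "ALICE-LAPTOP";
}
lease 10.20.30.42 {
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')

def lease_identity(mac, hostname):
    """User-ID needs a name per IP: prefer the DHCP hostname, else the MAC."""
    return hostname if hostname else "mac-" + mac.lower().replace(":", "")

def parse_leases(text):
    """Return {ip: identity}; a later block for the same IP wins, matching how
    dhcpd appends renewals to its leases file."""
    mappings = {}
    for m in LEASE_RE.finditer(text):
        mac = MAC_RE.search(m.group("body"))
        if not mac:
            continue  # no hardware address, nothing stable to map
        host = HOST_RE.search(m.group("body"))
        mappings[m.group("ip")] = lease_identity(mac.group(1), host.group(1) if host else None)
    return mappings

def diff_mappings(previous, current):
    """Logins for new or changed IPs, logouts for IPs that vanished or changed
    user, so a device that moves address leaves no stale mapping behind."""
    logins = {ip: u for ip, u in current.items() if previous.get(ip) != u}
    logouts = {ip: u for ip, u in previous.items() if current.get(ip) != u}
    return logins, logouts

def build_uid_message(logins, logouts, timeout_min=60):
    """Serialize the PAN-OS User-ID XML payload (assumed <uid-message> format)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        node = ET.SubElement(payload, "login")
        for ip, user in sorted(logins.items()):
            ET.SubElement(node, "entry", name=user, ip=ip, timeout=str(timeout_min))
    if logouts:
        node = ET.SubElement(payload, "logout")
        for ip, user in sorted(logouts.items()):
            ET.SubElement(node, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")
```

The returned XML is what a lease-change hook would POST as the `cmd` parameter to the firewall's XML API with `type=user-id` and an API key (assumed endpoint); running it on every DHCP change is what keeps the mapping current.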
This proved invaluable, allowing identification of the users at the root of incidents rather than just their IP addresses, and highlighting repeat offenders (some of whom were actually unsuspecting victims) over the duration of the event.

As more teams benefit from the context provided by Palo Alto Networks correlation, a byproduct is that more firewall user access is required. To mitigate this, we teamed up with RSA to use their SecurID MFA for role-based access control (RBAC). Role-based administration delegates feature-level access, including availability of data (enabled, read-only, or disabled and hidden from view), to distinct device users. Individuals can be given access to the tasks that are pertinent to their job, but no more than that.

While we provide always-on Layer 7 inspection with predictable, reliable performance, we are proud to report that not only did the Black Hat NOC team achieve 100 percent uptime, but the team was also able to showcase integrated technology, information sharing and adaptability while executing a complex configuration.

## Compromise

Early in the week, the Black Hat NOC team noticed distinct and peculiar network behavior from a single host. The host was phoning home, in a series, to a specific set of subdomains, and the callouts to these subdomains were sandwiched between URLs that contained random characters.

![Blackhat_3](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/01/Blackhat_3.png)

With these indicators of compromise, the team was able to collaborate with RSA and Cisco and correlate the data. The final outcome of the investigation was that the host had been compromised via a browser hijack and its resources were being used for crypto mining, which you can [learn more about from Unit 42](https://www.paloaltonetworks.com/blog/tag/cryptocurrency/).

The day after the crypto-mining incident, we noted several critical-severity C2 detections in the threat log for Sofacy-related C2 traffic.
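The beaconing pattern the team spotted on the crypto-mining host above (periodic callouts to one domain, sandwiched between random-character URLs) can be checked mechanically over URL-filtering logs. As an added example, not code from the NOC, this Python flags per-host domains hit at a near-constant interval whose neighbouring requests have high-entropy paths; the log format and sample lines are constructed, and the thresholds are assumptions to tune per environment.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed URL-filtering log sample, "time,src_ip,url" (not a real capture).
SAMPLE_LOG = """\
2017-12-04T10:00:05,10.20.30.41,http://x7q9z.rnd.example/k3f8a2c9d1e5b7h
2017-12-04T10:00:06,10.20.30.41,http://pool.miner.example/ws
2017-12-04T10:00:07,10.20.30.41,http://p2m4w.rnd.example/q8z1x5v7n3m6c0b
2017-12-04T10:01:05,10.20.30.41,http://r4t6y.rnd.example/w2e4r6t8y0u1i3o
2017-12-04T10:01:06,10.20.30.41,http://pool.miner.example/ws
2017-12-04T10:01:07,10.20.30.41,http://g5h7j.rnd.example/a9s8d7f6g5h4j3k
2017-12-04T10:02:05,10.20.30.41,http://l1k2j.rnd.example/z1x2c3v4b5n6m7q
2017-12-04T10:02:06,10.20.30.41,http://pool.miner.example/ws
2017-12-04T10:02:07,10.20.30.41,http://m8n9b.rnd.example/p0o9i8u7y6t5r4e
2017-12-04T10:00:03,10.20.30.42,http://cdn.example.org/js/app.js
2017-12-04T10:01:03,10.20.30.42,http://cdn.example.org/js/app.js
2017-12-04T10:02:03,10.20.30.42,http://cdn.example.org/js/app.js
"""

def shannon_entropy(s):
    """Bits per character; random-looking strings score high."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def parse_log(text):
    """Return (timestamp, src_ip, hostname, path) tuples in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, src, url = line.split(",", 2)
        parts = urlparse(url)
        events.append((datetime.fromisoformat(ts), src, parts.hostname or "", parts.path.strip("/")))
    return sorted(events)

def find_beacons(events, min_hits=3, max_jitter_s=5.0, entropy_bits=3.5):
    """Flag (src, domain) pairs hit at a near-constant period with random-looking neighbours."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = []
    for src, evs in by_src.items():
        positions = defaultdict(list)  # domain -> indices into evs
        for i, (_, _, host, _) in enumerate(evs):
            positions[host].append(i)
        for host, idx in positions.items():
            if len(idx) < min_hits:  # min_hits >= 2 so at least one gap exists
                continue
            gaps = [(evs[b][0] - evs[a][0]).total_seconds() for a, b in zip(idx, idx[1:])]
            if statistics.pstdev(gaps) > max_jitter_s:
                continue  # not periodic enough to be a beacon
            neighbours = [evs[j][3] for k in idx for j in (k - 1, k + 1) if 0 <= j < len(evs)]
            random_like = sum(shannon_entropy(p) > entropy_bits for p in neighbours)
            if random_like * 2 >= len(neighbours):  # majority of neighbours look random
                findings.append({"src": src, "domain": host, "hits": len(idx),
                                 "period_s": statistics.mean(gaps)})
    return findings
```

The periodic CDN fetches from the second host are not flagged because their neighbouring paths are ordinary, which is the distinction the NOC team made by eye.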
![Blackhat_4](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/01/Blackhat_4.png)

As shown above, the destination URLs for the C2 communications were listed in the threat log as `hxxp://itunes-helper[.]net` and `hxxp://appleupdate[.]org`. To validate and further analyze the context of the threat, we pivoted from the Next-Generation Firewall threat log to AutoFocus, which allowed us to search WildFire data for samples seen accessing these domains.

![Blackhat_5](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/01/Blackhat_5.png)

Samples were found in AutoFocus, validating that these domains are used in Sofacy (aka Fancy Bear/APT28) campaigns. We were able to reference [Unit 42's blog post detailing the Sofacy group and its Komplex OS X malware](https://www.paloaltonetworks.com/blog/2016/09/unit42-sofacys-komplex-os-x-trojan/), and the domains we saw in our C2 logs matched the domains detailed there. We then worked with the RSA team to confirm, from their full packet captures, that it was indeed a Komplex Trojan infection.

## Summary

Being placed in a purpose-built, hostile environment not only challenged the teams to think outside the box but also encouraged collaboration among the security vendors present at the event. The team not only worked in an operational capacity but was also able to provide enriched context and value in incident response by bringing the entire platform to bear in the environment. These types of experiences are an absolute privilege and a challenge that is most welcome.

This is the Palo Alto Networks Black Hat NOC team signing off and wishing you a Happy New Year!