Founded by Jeff Moss in 1997, the Black Hat conference has grown considerably. Since its inception, it has gone from a maverick event that gave attendees a glimpse into the hacker mindset, to a global event series held in Europe, Asia and the Middle East. It has evolved into the “intersection of network security and hacker ingenuity… where the establishment and the underground are equally at home.”
The network and security operations center (NOC/SOC) at the Black Hat USA Conference serves the critical role of ensuring that the conference's entire network is running smoothly and efficiently, as well as detecting and responding to any security threats. Black Hat can be an attractive target for threat actors looking for the infamy associated with disrupting the conference or stealing personally identifiable information (PII) from attendees.
To thwart attacks from both internal attendees and external actors, Black Hat partners with a select group of cybersecurity organizations. Each partner serves a different function to provide solutions that work together to establish and defend a stable and well-protected network. For example, Black Hat features some of the top training in the world, with students eager to try out the latest attack techniques on live targets, and Palo Alto Networks Next-Generation Firewalls (NGFWs) isolate that activity from the rest of the network.
As a trusted partner, Palo Alto Networks has officially supported Black Hat 18 times over the last six years at their conferences around the world. At this year’s Black Hat USA, we are providing three functions within the NOC/SOC:
A significant portion of the Palo Alto Networks product portfolio is used to provide these services. Cortex XDR provides visibility and reporting for threat hunters and NOC guests. Our PA-5280 NGFWs will be deployed in High Availability, protecting Black Hat-owned systems and internal infrastructure. The firewalls also provide network App-ID visibility and CDSS alert profiles on the entire network.
Our threat hunters will leverage dedicated NGFWs enabled with the CDSS suite:
All the NGFWs and services will be monitored using our Panorama Network Security Management M-300. Panorama also provides log access to threat hunters, including other vendors' teams.
Cortex XSOAR is key to the NOC automation workflows and integrations with the other products supporting the Black Hat team. XSOAR is connected to the other partners operating in the NOC, such as Arista, the wireless LAN vendor. It is also paired with threat intelligence from Palo Alto Networks and the other vendors in the SOC. XSOAR playbooks are used to automatically provide context and enrichment to any incidents that occur, then progress the incidents to investigation and closure.
XSOAR also changes automation processes based on how the Black Hat infrastructure is segmented. This means incidents originating from training classrooms are treated differently and with lower priority compared to live attacks sent from the internet towards the external perimeter of the environment or the registration network, which are a much higher priority.
As one of the largest cybersecurity conferences in the world, Black Hat has some of the most talented researchers attending and speaking about their projects, who oftentimes highlight new attack techniques and vulnerabilities. Over the years, we have seen attendees immediately test these attacks on the network. They even attempt to attack fellow attendees or the conference infrastructure. This is an excellent example of what organizations face today: Attackers don't need much time to find ways to abuse a software bug. The conference focuses on the learning and education of advanced attack and defense techniques. With the partners in the NOC, this can happen without being disruptive to all the attendees, effectively protecting Black Hat from itself.
The Palo Alto Networks threat hunting team is in the NOC, actively reporting credible threats to the Black Hat team, specifically attacks against the registration and internal infrastructure. Based on this threat intel, the Black Hat staff is able to leverage a Cortex XSOAR Slack integration to instantly block bad actors through address tagging on the firewall. The team works in close collaboration with the other NOC partners: Arista, Cisco, Corelight, Lumen and NetWitness.
To see this NOC team in action, the Black Hat NOC will be streamed live via the conference Twitch channel, or you can visit and tour the NOC on-site. With the help of partners like Palo Alto Networks, Black Hat is able to provide a strong network and security infrastructure that allows attendees to focus on learning and networking without worrying about their cybersecurity.
For more information about Palo Alto Networks cybersecurity solutions and its support of the Black Hat NOC, visit our Booth #1332 and watch the live feed of the NOC during the conference.