Some Thoughts on Black Hat and DEFCON

After attending Black Hat and DEFCON this year, I noticed that there wasn’t an overarching theme, like the Cloud, APTs or Big Data, that prior years have seemed to focus on. Given the recent disclosures about NSA surveillance programs, privacy was spoken about quite a bit.

I had anticipated more Big Data discussion: not simply what Big Data actually is but, now that it’s been worked on by so many people and organizations, tangible Big Data security analytical techniques that have been proven out in the real world, such as LogRhythm’s Multi-Dimensional Behavioral Analytics.

Some of the specific talks I found to be most interesting were the attacks against embedded systems. Someone learned how to take over the controls of a Prius, and the Z-Wave communication protocol, commonly used in wireless home security systems, was discussed.

There were also several talks on RFID hacking, a technology being used more and more in our everyday lives, such as in our credit cards, identification cards, passports and more.

Whenever attending these talks, I’m always asking myself “How would this activity present itself in the logs?” While consumer products often don’t provide logging options, particularly physical security systems, commercial ones often do. Badge readers, automatic cameras, and other physical security devices often provide valuable information in their log data. 

For instance, let’s assume an HMI is sitting behind a badge reader. Normally a user must badge in, then log into the HMI, generating 2 logs of interest: the badge swipe and the HMI authentication log. But if the door is pried open, there won’t be a badge swipe log.

By utilizing AI Engine, a user actually has the ability to be alarmed if an expected log isn’t generated. In this case, we would look for an HMI authentication log, and then look back in time for the expected associated badge swipe for that user. If it doesn’t exist, or comes from a different user, an alert can be sent.
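The correlation described above, sketched as an added example in Python; it is not AI Engine rule syntax or code from the original post. The event tuple layout, the source names `badge` and `hmi_auth`, the five-minute look-back window and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

LOOKBACK = timedelta(minutes=5)  # assumed gap allowed between swipe and HMI login

# Constructed sample events (not real logs): (timestamp, source, user)
EVENTS = [
    ("2024-01-08T08:00:10", "badge", "alice"),
    ("2024-01-08T08:01:30", "hmi_auth", "alice"),  # normal: swipe, then login
    ("2024-01-08T09:15:00", "hmi_auth", "bob"),    # no swipe at all
    ("2024-01-08T10:00:05", "badge", "carol"),
    ("2024-01-08T10:01:00", "hmi_auth", "dave"),   # swipe came from another user
    ("2024-01-08T11:00:00", "badge", "erin"),
    ("2024-01-08T11:30:00", "hmi_auth", "erin"),   # swipe is outside the window
]


def find_unbadged_logins(events, lookback=LOOKBACK):
    """Return one alert per HMI login with no matching badge swipe in the window."""
    parsed = sorted((datetime.fromisoformat(ts), src, user) for ts, src, user in events)
    swipes = []  # (time, user) for every badge swipe seen so far
    alerts = []
    for when, src, user in parsed:
        if src == "badge":
            swipes.append((when, user))
            continue
        if src != "hmi_auth":
            continue  # ignore unrelated log sources
        # Look back in time from the login for swipes on the door.
        recent = [u for t, u in swipes if when - lookback <= t <= when]
        if user in recent:
            continue  # expected swipe exists for this user
        alerts.append({
            "time": when.isoformat(),
            "user": user,
            "reason": "badge_user_mismatch" if recent else "no_badge_swipe",
            "badge_users": sorted(set(recent)),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unbadged_logins(EVENTS):
        print(alert)
```

The look-back window is the main tuning knob: too short and slow walkers raise alerts, too long and a stale swipe masks a forced door.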

Another interesting talk discussed optimizing the IPv6 overlay man-in-the-middle attack originally demonstrated by Alec Waters in 2011. The attack basically creates an IPv6 network over an existing IPv4 network. The man-in-the-middle host acts as a router, and because modern Windows OSes by default prefer an IPv6 network, when they receive the router broadcasts they change over from using IPv4 to IPv6.

All the data then moves through the man in the middle, where it is translated back to IPv4 traffic when required, which also allows the man in the middle to observe/record everything moving through it. So what might this look like in the logs? Well, for one, if there is some sort of network monitoring solution in place, you’ll see a large portion of communications switch over to IPv6.

If traffic analysis against flow-type data is done, you’ll basically see communications being aggregated at the MITM host before going out the legitimate gateway. Traditionally, detecting that would take a manual approach, but behavioral analytics could now detect it automatically.

I haven’t had a chance to test this in the lab yet, but I also suspect a Windows log might be generated when the OS switches between IPv4 and IPv6.

Overall, Black Hat was a great show as always, and although I’m only halfway through DEFCON, it’s shaping up to also be a lot of fun. I’m already looking forward to next year.