Security Automation at BlackHat Europe 2022: Part 1

In part 1 of this double-header, we look at the build and configuration tasks for the conference.

Roll Your Own

A dedicated infrastructure that does not rely (as far as is possible) on the venue’s own network and security capabilities is the only feasible way to host this kind of community of keen security professionals. Building an infrastructure per conference means that a multi-disciplined team, from a variety of vendors and backgrounds, must find ways to make the build as streamlined as possible. Automation is key to the approach.

Automating the Build Process

The build happens in a short period of time; the core infrastructure went from cardboard boxes to “live” in just over one day for the Europe 2022 conference. A design including complete segmentation of each conference area (including segmenting each training class, the Arsenal, the exhibiting vendors, the registration area, the NOC itself, and more) requires a lot of IP subnets and VLANs, multiple wireless SSIDs, and several DHCP servers and scopes. Some DHCP scopes require reservations, particularly where infrastructure components require predictable IP addressing, but there are too many of them for configuration of static addressing to be feasible. And change happens; IT security is a fast-paced industry, and we knew from experience that we would be adding, moving or changing the configuration data as the conference progressed.
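One way to make that kind of build repeatable is to keep the segments in a single structured list and generate the VLAN and DHCP configuration from it, validating the data before anything is pushed. The script below is an added example, not the Black Hat NOC's own tooling: the segment names, VLAN ids, prefixes, SSIDs and MAC addresses are constructed, and the output uses ISC dhcpd syntax, which is an assumption about the DHCP server rather than something the post states. It checks for overlapping prefixes, duplicate VLANs and MACs, and reservations that would collide with the dynamic pool, which are exactly the mistakes that creep in when the data is edited by hand mid-conference.

```python
"""Generate DHCP scope and reservation configuration from one list of segments.

Added example (not the conference's own tooling). All segment data is constructed;
ISC dhcpd output format is an assumption about the DHCP server in use.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
RESERVED_LOW = 20  # host addresses 2..20 are kept for reservations, outside the dynamic pool


@dataclass
class Segment:
    name: str
    vlan: int
    cidr: str
    ssid: Optional[str] = None
    reservations: dict = field(default_factory=dict)  # MAC -> fixed IP


# Constructed sample data (hypothetical segments, not the real addressing plan)
SEGMENTS = [
    Segment("training-01", 101, "10.101.0.0/24", "BHEU-Training-01", {"00:11:22:33:44:01": "10.101.0.10"}),
    Segment("arsenal", 120, "10.120.0.0/23", "BHEU-Arsenal", {"00:11:22:33:44:02": "10.120.0.10"}),
    Segment("noc", 200, "10.200.0.0/24", None, {"00:11:22:33:44:03": "10.200.0.5"}),
]


def pool_bounds(net):
    """Return (gateway, pool_start, pool_end): first host is the gateway,
    the next RESERVED_LOW-1 hosts are for reservations, the rest is the dynamic pool."""
    hosts = list(net.hosts())
    return hosts[0], hosts[RESERVED_LOW], hosts[-1]


def validate(segments):
    """Return a list of human-readable errors; an empty list means the data is consistent."""
    errors, seen_vlan, seen_mac, seen_net = [], {}, {}, []
    for seg in segments:
        if not 1 <= seg.vlan <= 4094:
            errors.append(f"{seg.name}: VLAN {seg.vlan} out of range")
        elif seg.vlan in seen_vlan:
            errors.append(f"{seg.name}: VLAN {seg.vlan} already used by {seen_vlan[seg.vlan]}")
        seen_vlan.setdefault(seg.vlan, seg.name)
        try:
            net = ipaddress.ip_network(seg.cidr, strict=True)  # rejects host bits set
        except ValueError as exc:
            errors.append(f"{seg.name}: bad prefix {seg.cidr!r} ({exc})")
            continue
        if net.num_addresses - 2 <= RESERVED_LOW:
            errors.append(f"{seg.name}: {net} too small for a reserved block plus a pool")
            continue
        for other_name, other in seen_net:
            if net.overlaps(other):
                errors.append(f"{seg.name}: {net} overlaps {other_name} ({other})")
        seen_net.append((seg.name, net))
        gateway, pool_start, _ = pool_bounds(net)
        for mac, ip in seg.reservations.items():
            mac = mac.lower()
            if not MAC_RE.match(mac):
                errors.append(f"{seg.name}: malformed MAC {mac!r}")
                continue
            if mac in seen_mac:
                errors.append(f"{seg.name}: MAC {mac} already reserved in {seen_mac[mac]}")
            seen_mac.setdefault(mac, seg.name)
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                errors.append(f"{seg.name}: malformed reservation address {ip!r}")
                continue
            if addr not in net:
                errors.append(f"{seg.name}: reservation {ip} is outside {net}")
            elif not (gateway < addr < pool_start):
                errors.append(f"{seg.name}: reservation {ip} must lie between {gateway} and "
                              f"{pool_start} (outside the dynamic pool)")
    return errors


def render_dhcpd(segments):
    """Render subnet declarations and host reservations in ISC dhcpd syntax."""
    lines = []
    for seg in segments:
        net = ipaddress.ip_network(seg.cidr)
        gateway, pool_start, pool_end = pool_bounds(net)
        lines += [
            f"# VLAN {seg.vlan} {seg.name}" + (f" (SSID {seg.ssid})" if seg.ssid else ""),
            f"subnet {net.network_address} netmask {net.netmask} {{",
            f"  option routers {gateway};",
            f"  range {pool_start} {pool_end};",
            "}",
        ]
        for i, (mac, ip) in enumerate(sorted(seg.reservations.items()), 1):
            lines += [f"host {seg.name}-r{i} {{", f"  hardware ethernet {mac.lower()};",
                      f"  fixed-address {ip};", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = validate(SEGMENTS)
    print("\n".join(problems) if problems else render_dhcpd(SEGMENTS))
```

Running the script with clean data prints the generated configuration; with inconsistent data it prints the errors and nothing else, so a broken edit never reaches the DHCP servers. The reserved low block per subnet is what lets infrastructure components keep predictable addresses without hand-maintaining static configuration on each device.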

Automatically Keeping an Eye on Suspicious Hosts

It is rare that the Black Hat team has to take any action against a conference attendee; the majority of seemingly malicious activity is usually part of the trainings, a demo in the Arsenal, or something else “expected”. Occasionally attendees approach or cross the line of acceptable behaviour, and during those instances and investigations it is very useful to be able to view the historical data across the conference.
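The "historical data" that makes those investigations tractable is, at its simplest, an index of which host held which address in which segment and when. The code below is an added example, not the conference team's tooling: it parses constructed syslog lines written in the style of ISC dhcpd DHCPACK messages (the format is an assumption), maps each leased address back to its segment using a constructed prefix table, and answers the two questions an investigator asks first: what is the timeline for this MAC, and which hosts have turned up in more than one segment.

```python
"""Reconstruct per-host lease history across conference segments from DHCP logs.

Added example (not the conference's own tooling). Log lines, prefixes and MACs
are constructed; the DHCPACK line format follows ISC dhcpd, an assumption here.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed prefix -> segment table (hypothetical addressing plan)
SEGMENT_OF = {
    ipaddress.ip_network("10.101.0.0/24"): "training-01",
    ipaddress.ip_network("10.120.0.0/23"): "arsenal",
    ipaddress.ip_network("10.200.0.0/24"): "noc",
}

# Constructed log excerpt; one host (44:aa) is seen first in a training VLAN, later in the NOC VLAN
LOG = """\
Dec  5 08:01:12 dhcp1 dhcpd[812]: DHCPACK on 10.101.0.45 to 00:11:22:33:44:aa (laptop-7) via eth0.101
Dec  5 08:03:40 dhcp1 dhcpd[812]: DHCPACK on 10.120.0.77 to 00:11:22:33:44:bb via eth0.120
Dec  5 13:22:05 dhcp1 dhcpd[812]: DHCPACK on 10.101.0.46 to 00:11:22:33:44:cc (laptop-9) via eth0.101
Dec  6 09:10:31 dhcp1 dhcpd[812]: DHCPACK on 10.200.0.88 to 00:11:22:33:44:aa (laptop-7) via eth0.200
Dec  6 09:12:00 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:11:22:33:44:dd via eth0.120
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<host>[^)]*)\))? via (?P<ifname>\S+)"
)


def segment_for(ip):
    """Map a leased address to the segment that owns its prefix."""
    addr = ipaddress.ip_address(ip)
    for net, name in SEGMENT_OF.items():
        if addr in net:
            return name
    return "unknown"


def parse_acks(text, year=2022):
    """Extract DHCPACK events (syslog lines carry no year, so it is supplied)."""
    events = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # DISCOVER/REQUEST/NAK lines are not lease grants; skip them
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "mac": m["mac"].lower(), "ip": m["ip"],
                       "host": m["host"] or "", "segment": segment_for(m["ip"])})
    return sorted(events, key=lambda e: e["ts"])


def timeline(events, mac):
    """Chronological (time, segment, ip) entries for one MAC, case-insensitive."""
    mac = mac.lower()
    return [(e["ts"].isoformat(timespec="minutes"), e["segment"], e["ip"])
            for e in events if e["mac"] == mac]


def roaming_hosts(events):
    """MACs that obtained leases in more than one segment -> sorted segment names."""
    seen = defaultdict(set)
    for e in events:
        seen[e["mac"]].add(e["segment"])
    return {mac: sorted(segs) for mac, segs in seen.items() if len(segs) > 1}


if __name__ == "__main__":
    evs = parse_acks(LOG)
    for mac, segs in roaming_hosts(evs).items():
        print(mac, "seen in", ", ".join(segs))
        for entry in timeline(evs, mac):
            print("   ", *entry)
```

A host that appears in several segments is not evidence of anything by itself (people do move between a training room and the Arsenal), but the timeline is what lets the team tell an expected training exercise from something that needs a conversation, and it is far quicker to query an index like this than to grep through each day's logs during the conference.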

Part Two

The second part of this double-header will focus on the operations side of the conference infrastructure, as the team moves into threat-hunting mode. Carry on reading here…
