August 20, 2014

Ahhh Vegas. Where things happen and stay, right? If you remember, we ran an exercise during the soccer World Cup in which we correlated the final matches with attack data. We had so much positive feedback on that analysis that we decided to have another crack at it, this time during BlackHat. I started wondering whether we could draw similarly valuable insights. The data is there.

Building a dataset

I decided to test for attack traffic originating in Las Vegas during BlackHat and Defcon, and during the month before them, to establish a baseline. To do that, we collected all of the security events from that period from our Community Defense system, mapped the Geo-IP ranges for the state of Nevada, and Las Vegas specifically, then queried the Community Defense data set for all source IPs located in the US. Finally, we summarized by date the events whose source city is Las Vegas.

The next step was mapping the “big” events in Vegas at that time to the dates. We found that the only noticeable big event during the period was the NAACP conference in July.

[Image: Bh3]

Data analysis

It is quite interesting to look at the table, which shows that we usually see ~20 attacks originating from Las Vegas on a “normal day”, but during BlackHat and Defcon this year that number peaked at 2612 attacks: roughly 130x, or two orders of magnitude. It makes for a very nice-looking graph, where you see attacks climb as BlackHat starts, decline when the majority of people head back home, and then climb again during Defcon. A day after everything ends, the numbers are back to normal.

[Image: Bh2]
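The pipeline described above (geolocate source IPs, keep the ones from Las Vegas, summarize per day, then compare conference days against the pre-conference baseline) is easy to reproduce on any event feed. The script below is an added example written for this post, not Imperva's own tooling: the event log and the Geo-IP table are constructed stand-ins (RFC 5737 documentation addresses, made-up counts shaped like the curve the post describes), and the 5x "spike" threshold is an assumed choice, not something the post specifies.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Constructed Geo-IP table keyed by /24 prefix: prefix -> (country, region, city).
# A real pipeline would query a GeoIP database; this stand-in keeps the example offline.
GEO_BY_PREFIX = {
    "203.0.113": ("US", "Nevada", "Las Vegas"),
    "198.51.100": ("US", "Nevada", "Reno"),
    "192.0.2": ("DE", "Berlin", "Berlin"),
}


def make_events(day, count, prefix):
    """Constructed helper: `count` events on `day`, each from a host inside `prefix`."""
    return [(day, f"{prefix}.{(i % 254) + 1}") for i in range(count)]


# Constructed event log of (event_date, source_ip) tuples. The counts are made up:
# a ~20/day baseline week in July, then a spike on two conference days in August.
BASELINE_PER_DAY = [20, 18, 22, 19, 21, 20, 23]
EVENTS = []
for offset, n in enumerate(BASELINE_PER_DAY):
    day = date(2014, 7, 1) + timedelta(days=offset)
    EVENTS += make_events(day, n, "203.0.113")    # Las Vegas sources
    EVENTS += make_events(day, 5, "198.51.100")   # Reno noise, must be filtered out
    EVENTS += make_events(day, 7, "192.0.2")      # non-US noise, must be filtered out
EVENTS += make_events(date(2014, 8, 6), 150, "203.0.113")
EVENTS += make_events(date(2014, 8, 7), 300, "203.0.113")
EVENTS += make_events(date(2014, 8, 8), 40, "203.0.113")


def geolocate(ip):
    """Look up the /24 prefix of an IPv4 address; None when the prefix is unknown."""
    return GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0])


def daily_counts(events, country="US", city="Las Vegas"):
    """Count events per day whose source geolocates to the given country and city."""
    counts = Counter()
    for day, ip in events:
        geo = geolocate(ip)
        if geo is not None and geo[0] == country and geo[2] == city:
            counts[day] += 1
    return counts


def baseline_rate(counts, start, end):
    """Median daily count over [start, end]; days with no events count as zero."""
    span = (end - start).days + 1
    return median(counts.get(start + timedelta(days=i), 0) for i in range(span))


def flag_spikes(counts, base, factor=5.0):
    """Days whose count is at least `factor` times the baseline, with the ratio."""
    if base <= 0:
        return []
    return sorted(
        (day, n, round(n / base, 1)) for day, n in counts.items() if n >= factor * base
    )


if __name__ == "__main__":
    counts = daily_counts(EVENTS)
    base = baseline_rate(counts, date(2014, 7, 1), date(2014, 7, 7))
    print(f"baseline (median/day): {base}")
    for day, n, ratio in flag_spikes(counts, base):
        print(f"{day}: {n} attacks ({ratio}x baseline)")
```

Using the median rather than the mean for the baseline keeps a single noisy day in the reference window from inflating the "normal" level, and counting missing days as zero avoids a baseline that silently ignores quiet days. Applied to the figures in the post, the same ratio calculation gives 2612 / 20, i.e. the ~130x the text quotes.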

We also noticed a climb in attack volume during the NAACP conference, which may indicate one of a few possibilities: either a large crowd at a conference-scale event increases attack volume because of malware on attendees' computers, or attackers are attending the conference and performing their attacks from there. Letting our imagination run… BlackHat/Defcon are not your usual conferences. They have some of the brightest security/hacking minds in the world attending: people who read every link before they click, run custom operating systems in cases and are generally very security-aware, and who are therefore less likely to be drive-by victims of hacking. For that reason, seeing numbers that high is more significant at a hacker conference than at other conferences.

At this point we consider this an “interesting snapshot” rather than a “trend”, since establishing a trend would require running the analysis over longer periods of time, which we may do in the future. And of course, this analysis also serves as a sneak peek at our upcoming WAAR report #5, so stay tuned…


Posted by Barry Shteiman at 09:00:00 AM

