Ahhh Vegas. Where things happen and stay, right? If you remember, we ran an exercise during the soccer World Cup in which we correlated the final game matches to attack information. We had so much positive feedback on that analysis that we decided to have another crack at it. This time, it was during BlackHat. I started wondering whether we could draw similarly valuable insights. The data is there.
Building a dataset
I decided to test for attack traffic originating in Las Vegas during BlackHat and Defcon, and during the month prior to that in order to establish a baseline for comparison. To do that, we collected all of the security events during that time period from our Community Defense system, mapped Geo IPs for the state of Nevada, and Las Vegas specifically, then queried the Community Defense data set for all source IPs that were in the US. Finally, we summarized by date for events where the city is Las Vegas.
The next step was mapping the “big” events in Vegas at that time to the dates. We found that the only noticeable big event during the time period was the NAACP conference in July.
It is quite interesting to look at the table: on a “normal day” we usually see ~20 attacks originating from Las Vegas, but during BlackHat and Defcon this year that number peaked at 2612 attacks. That is a 130x increase, two orders of magnitude. It creates a very nice looking graph where you see attacks climb as BlackHat starts, decline when the majority of people head back home, and then climb again during Defcon. A day after everything ends, the numbers are back to normal.
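To make the method concrete, here is an added example (not code from this post or from the Community Defense system) that counts Las Vegas events per day and compares a conference window against the prior month's baseline. It assumes events are already GeoIP-enriched into `(date, country, city)` tuples; the function names, the median baseline, the 10x threshold and the sample data are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import date
from statistics import median

def daily_counts(events, country="US", city="Las Vegas"):
    """Per-day event counts for sources whose GeoIP lookup matches country and city."""
    return Counter(day for day, ctry, cty in events if ctry == country and cty == city)

def spike_report(counts, baseline_days, window_days, threshold=10.0):
    """Return (baseline, rows); rows are (day, count, ratio, flagged).

    Days with no events are absent from the Counter, so they are read as 0
    instead of being skipped, which would inflate the baseline.
    """
    baseline = median(counts.get(d, 0) for d in baseline_days)
    rows = []
    for d in window_days:
        n = counts.get(d, 0)
        if baseline:
            ratio = n / baseline
        else:  # empty baseline: any traffic at all is an unbounded increase
            ratio = float("inf") if n else 0.0
        rows.append((d, n, round(ratio, 1), ratio >= threshold))
    return baseline, rows

def sample_events():
    """Constructed sample: dates and volumes are made up; the peak mirrors the post's figure."""
    events = []
    for i in range(1, 31):  # baseline month: 18 to 22 events per day
        events += [(date(2000, 1, i), "US", "Las Vegas")] * (18 + i % 5)
        events += [(date(2000, 1, i), "US", "Reno")] * 3  # other Nevada traffic, filtered out
    for i, n in enumerate([25, 900, 2612, 300, 1500, 21], start=1):  # conference week
        events += [(date(2000, 2, i), "US", "Las Vegas")] * n
    return events

BASELINE_DAYS = [date(2000, 1, i) for i in range(1, 31)]
WINDOW_DAYS = [date(2000, 2, i) for i in range(1, 7)]

if __name__ == "__main__":
    base, rows = spike_report(daily_counts(sample_events()), BASELINE_DAYS, WINDOW_DAYS)
    print(f"baseline median: {base} events/day")
    for day, n, ratio, flagged in rows:
        print(day, n, f"{ratio}x", "SPIKE" if flagged else "")
```

A median is used for the baseline so that a single noisy day in the prior month does not shift the "normal day" figure.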
We also noticed a climb in attack volume during the NAACP conference, which may indicate one of a few possibilities: either a large crowd at a conference-scale event causes a growth in attack volume due to malware on computers, or attackers are attending the conference and performing their attacks from there. Letting our imagination run… BlackHat/Defcon are not your usual conferences. They have some of the brightest security/hacking minds in the world attending. These are the guys who read every link before they click, run custom operating systems in some cases, and are generally very security-aware, and are therefore less likely to be drive-by victims of hacking. For that reason, seeing numbers that high is more significant at a hacker conference than at other conferences.
At this point we consider this to be an “interesting snapshot” and not a “trend”, as that would require us to run our analysis for longer periods of time, which we may go for in the future. And of course, this analysis also serves as a sneak peek into our upcoming WAAR report #5, so stay tuned…