In this interview, we look at Corelight's role in turning the Black Hat Network Operations Center (NOC) into an interactive "live lab" for cybersecurity professionals. Corelight and its partner organisations were entrusted with running the NOC, building the network and defending it against attacks. The discussion covers the challenges of managing network security in real time during such a high-profile event, including how the NOC team distinguishes legitimate educational attacks from real malicious threats. It also covers what participants gain from observing the NOC in action and how Corelight's approach to threat detection differs from other offerings.
What inspired Corelight to transform the Black Hat Network Operations Center (NOC) into an interactive “live lab” for participants?
Corelight was chosen, together with their selected partner organisations, by Black Hat to run the NOC, build the network and defend it against attacks.
Can you elaborate on your team’s biggest challenges in managing network security in real-time during such a high-profile event?
The biggest challenge is distinguishing between “needles in needles” — legitimate attacks executed for educational purposes and real malicious threats attempting to exploit the environment. With attendees actively demonstrating sophisticated attack techniques, the noise of intentional but benign activities makes it harder to pinpoint actual threats targeting the event’s infrastructure. Corelight excels here by providing high-fidelity, context-rich alerts. Its ability to parse and enrich data helps analysts quickly determine intent and severity, enabling the team to separate genuine risks from simulated activities without wasting resources on false alarms. This precision is crucial in such a high-signal environment.
What unique insights do participants gain from observing the NOC in action compared to traditional cybersecurity training methods?
Participants gain a unique opportunity to observe the intensity and complexity of defending a live, high-profile network. Watching NOC analysts work in real-time, supported by live dashboards displaying real network data, provides insights into the challenges of identifying and mitigating threats during an event like Black Hat.
With NOC presentations and opportunities to ask questions, attendees gain a deeper understanding of how to apply advanced tools and processes in a live environment. While this experience offers invaluable context and exposure, traditional training remains essential for building the foundational skills required to operate effectively in such scenarios.
How does Corelight’s approach to threat detection and response differ from other cybersecurity solutions on the market?
Corelight’s approach to threat detection and response stands out due to its focus on enriching raw network traffic with context-rich data derived from Zeek (formerly Bro) and Suricata. Instead of relying solely on signature-based detection, Corelight provides a broader view of network activity by turning traffic into structured, readable logs. This enables security teams to quickly understand what is happening on their networks and uncover sophisticated threats that might evade traditional tools.
Unlike many solutions prioritising alerts over context, Corelight emphasises high-fidelity data and open formats, allowing seamless integration with existing SIEMs and security tools. This flexibility empowers analysts to pivot quickly, conduct deep investigations, and automate responses, making Corelight an indispensable part of a modern, proactive security stack.
Can you describe the types of threats that your team typically encounters in an event environment like Black Hat?
During Black Hat, the team encounters a wide range of threats, from benign experimentation to legitimate attacks. These include targeted attempts against infrastructure like registration systems and backend services, and cross-room activity where participants test newly learned tools on each other. Devices brought to the event often arrive already compromised, adding further complexity.
Additionally, cleartext exposures of sensitive data, such as credentials or session tokens, frequently surface due to misconfigurations. The environment’s mix of benign experimentation and genuine malicious attempts requires rapid identification of intent, ensuring legitimate threats are mitigated while preserving the educational nature of the event.
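The two answers above describe Zeek turning traffic into structured logs that analysts can pivot across, and cleartext credentials or session tokens surfacing on the wire. The following is an added example, not code from Corelight, Zeek or the NOC team, that shows what such a detection looks like over Zeek's JSON-formatted http.log and conn.log. The log lines are constructed and every IP, host, uid and value in them is invented; the field names follow Zeek's HTTP::Info and Conn::Info records, and the example assumes HTTP::default_capture_password is enabled so that the `password` field is populated. The list of query-parameter names treated as bearer secrets is an assumption of this example, not a Zeek default.

```python
"""Flag cleartext credential and session-token exposure in Zeek JSON logs.

Added example (not Corelight's or Zeek's code). Input is constructed sample text in
Zeek's JSON log format; field names follow Zeek's HTTP::Info and Conn::Info records.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample http.log lines (Zeek writes one JSON object per line when
# LogAscii::use_json=T, flattening nested fields into names like "id.orig_h").
# `password` is only populated when HTTP::default_capture_password is enabled,
# which this example assumes. All hosts, IPs, uids and values are invented.
SAMPLE_HTTP_LOG = """\
{"ts":1723050000.1,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.20.1.15","id.orig_p":51234,"id.resp_h":"192.0.2.10","id.resp_p":80,"method":"GET","host":"portal.example.test","uri":"/login","username":"jdoe","password":"hunter2","user_agent":"Mozilla/5.0","status_code":200}
{"ts":1723050001.3,"uid":"C4J4Th3PJpwUYZZ6gc","id.orig_h":"10.20.1.16","id.orig_p":44321,"id.resp_h":"192.0.2.10","id.resp_p":80,"method":"GET","host":"portal.example.test","uri":"/static/logo.png","user_agent":"Mozilla/5.0","status_code":200}
{"ts":1723050002.0,"uid":"CmES5u32sYpV7JYN","id.orig_h":"10.20.1.15","id.orig_p":51240,"id.resp_h":"192.0.2.10","id.resp_p":80,"method":"GET","host":"portal.example.test","uri":"/api/me?session_token=9f3c1a2b7d8e","user_agent":"curl/8.0","status_code":200}
{"ts":1723050003.7,"uid":"CUM0KZ3MLUfNB0cl11","id.orig_h":"10.20.1.17","id.orig_p":50001,"id.resp_h":"198.51.100.5","id.resp_p":8080,"method":"POST","host":"api.example.test","uri":"/v1/items?id=42","user_agent":"python-requests/2.31","status_code":201}
"""

# Constructed sample conn.log lines whose uids match the http.log above; used for enrichment.
SAMPLE_CONN_LOG = """\
{"ts":1723050000.0,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.20.1.15","id.orig_p":51234,"id.resp_h":"192.0.2.10","id.resp_p":80,"proto":"tcp","service":"http","duration":0.41,"orig_bytes":512,"resp_bytes":2048,"conn_state":"SF"}
{"ts":1723050001.9,"uid":"CmES5u32sYpV7JYN","id.orig_h":"10.20.1.15","id.orig_p":51240,"id.resp_h":"192.0.2.10","id.resp_p":80,"proto":"tcp","service":"http","duration":0.12,"orig_bytes":300,"resp_bytes":900,"conn_state":"SF"}
"""

# Query-string parameter names that commonly carry bearer secrets.
# This list is an assumption of the example, not a Zeek default.
TOKEN_PARAMS = re.compile(
    r"^(session(_?id|_?token)?|sid|token|access_token|auth|api_?key|jwt)$", re.I
)


def parse_zeek_json(text):
    """Yield one dict per non-empty line of a Zeek JSON log."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def index_by_uid(records):
    """Map Zeek connection uid -> record, so other logs can be joined to conn.log."""
    return {r["uid"]: r for r in records}


def find_cleartext_exposures(http_log_text, conn_log_text=""):
    """Return findings for credentials or session tokens sent over unencrypted HTTP.

    http.log only exists for cleartext HTTP (TLS sessions land in ssl.log), so any
    credential or token seen here was, by construction, readable on the wire.
    """
    conns = index_by_uid(parse_zeek_json(conn_log_text))
    findings = []
    for rec in parse_zeek_json(http_log_text):
        reasons = []
        if rec.get("username"):
            # HTTP Basic auth: Zeek decodes the Authorization header into username/password.
            reasons.append("basic_auth_credentials:user=%s" % rec["username"])
        query = urlsplit(rec.get("uri", "")).query
        for name, values in parse_qs(query).items():
            if TOKEN_PARAMS.match(name):
                # Only a short prefix of the secret is kept in the finding itself.
                reasons.append("token_in_query:%s=%s..." % (name, values[0][:4]))
        if not reasons:
            continue
        conn = conns.get(rec["uid"], {})
        findings.append({
            "uid": rec["uid"],
            "src": rec["id.orig_h"],
            "dst": "%s:%d" % (rec["id.resp_h"], rec["id.resp_p"]),
            "host": rec.get("host"),
            "status": rec.get("status_code"),
            "reasons": reasons,
            # Joined from conn.log via uid: the pivot an analyst would otherwise do by hand.
            "conn_state": conn.get("conn_state"),
            "orig_bytes": conn.get("orig_bytes"),
        })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_exposures(SAMPLE_HTTP_LOG, SAMPLE_CONN_LOG):
        print(f["uid"], f["src"], "->", f["dst"], f["reasons"], "conn_state=%s" % f["conn_state"])
```

On the sample input this reports two of the four requests: the Basic-auth login from 10.20.1.15 and the request carrying a session token in its query string; the static-asset fetch and the POST with a plain numeric id are left alone. The uid join is the part worth noticing: because every Zeek log shares the connection uid, a finding from http.log can be enriched from conn.log (or handed to a SIEM keyed on uid) without going back to packet capture.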
What lessons can businesses and organisations learn from the real-world defences demonstrated at the NOC?
The NOC at Black Hat presents a unique scenario that differs from most corporate environments yet still requires similar levels of protection. Unlike typical organisations where endpoints are managed and EDR solutions play a crucial role in threat detection, Black Hat’s NOC has no control over the endpoints. As a result, traditional EDR tools cannot be relied upon. EDR is a critical first line of defence for most organisations, often accounting for 60-70% of their active security posture. In contrast, Black Hat’s NOC exclusively depends on monitoring network traffic to identify threats.
As highlighted in previous responses, valuable insights can be gathered from encrypted network traffic. In many instances, threats were only detectable through network analysis, especially in the early stages of an attack. For organisations that rely heavily on EDR, understanding how the Black Hat NOC leverages NDR and other network security technologies to detect threats can offer valuable lessons on enhancing and extending their own security frameworks.