Thursday, January 19, 2023
HomeHealthBlack Hat USA 2022 Continued: Innovation within the NOC

Black Hat USA 2022 Continued: Innovation within the NOC

Partly one among our Black Hat USA 2022 NOC weblog, we mentioned constructing the community with Meraki:

  • Adapt and Overcome
  • Constructing the Hacker Summer time Camp community, by Evan Basta
  • The Cisco Stack’s Potential in Motion, by Paul Fidler
  • Port Safety, by Ryan MacLennan, Ian Redden and Paul Fiddler
  • Mapping Meraki Location Knowledge with Python, by Christian Clausen

On this half two, we’ll focus on:

  • Bringing all of it along with SecureX
  • Creating Customized Meraki Dashboard Tiles for SecureX, by Matt Vander Horst
  • Talos Risk Looking, by Jerzy ‘Yuri’ Kramarz and Michael Kelley
  • Unmistaken Id, by Ben Greenbaum
  • 25+ Years of Black Hat (and a few DNS stats), by Alejo Calaoagan

Cisco is a Premium Associate of the Black Hat NOC, and is the Official Wired & Wi-fi Community Gear, Cell Gadget Administration, DNS (Area Title Service) and Malware Evaluation Supplier of Black Hat.

Black Hat USA is my favourite a part of my skilled life every year. We had an unbelievable employees of 20 Cisco engineers to construct and safe the community. Additionally, for the primary time, we had two Talos Risk Hunters from the Talos Incident Response (TIR) workforce, offering distinctive views and abilities to the assaults on the community. I actually appreciated the shut collaboration with the Palo Alto Networks and NetWitness workforce members. We created new integrations and the NOC continued to function an incubator for innovation.

We should permit actual malware on the community for coaching, demonstrations, and briefing periods; whereas defending the attendees from assault throughout the community from their fellow attendees and forestall unhealthy actors utilizing the community to assault the Web. It’s a vital steadiness to make sure everybody has a secure expertise, whereas nonetheless having the ability to study from actual world malware, vulnerabilities, and malicious web sites. So, context is what actually issues when investigating a possible assault and bringing so many applied sciences collectively in SecureX actually accelerated investigation and response (when wanted).

All of the Black Hat community visitors was supported by Meraki switches and wi-fi entry factors, utilizing the most recent Meraki gear donated by Cisco. Our Meraki workforce was capable of block individuals from the Black Hat community, when an investigation confirmed they did one thing in violation of the attendee Code of Conduct, upon overview and approval by the Black Hat NOC management.

Cisco Safe offered all of the area title service (DNS) requests on the Black Hat community by way of Umbrella, each time attendees needed to hook up with a web site. If there’s a particular DNS assault that threatened the convention, we supported Black Hat in blocking it to guard the community. Nonetheless, by default, we permit and monitor DNS requests to malware, command and management, phishing, crypto mining, and different harmful domains, which might be blocked in a manufacturing atmosphere. That steadiness of permitting cybersecurity coaching and demos to happen, however prepared to dam when wanted.

Along with the Meraki networking gear, Cisco Safe additionally shipped an Umbrella DNS digital equipment to Black Hat USA, for inside community visibility with redundancy. The Intel NUC containing the digital equipment additionally contained the bridge to the NetWitness on-premises SIEM, customized developed by Ian Redden.

We additionally deployed the next cloud-based safety software program:

We analyzed recordsdata that had been downloaded on the community, checking them for malicious conduct. When malware is downloaded, we affirm it’s for a coaching, briefing or demonstration, and never the beginning of an assault on attendees.

Throughout an investigation, we used SecureX to visualise the menace intelligence and associated artifacts, correlating information. Within the instance under, an attacker was making an attempt distant code execution on the Registration Servers, alerted by the Palo Alto workforce, investigated by the NOC menace hunters, and blocked by order of the NOC management upon the outcomes of the investigation.

Cisco Safe Risk Intelligence (correlated by way of SecureX)

Donated Associate Risk Intelligence (correlated by way of SecureX)

Open-Supply Risk Intelligence (correlated by way of SecureX)

Continued Integrations from previous Black Hat occasions

  • NetWitness SIEM integration with SecureX
  • NetWitness PCAP file carving and submission to Cisco Safe Malware Analytics (previously Risk Grid) for evaluation
  • Meraki syslogs into NetWitness SIEM and Palo Alto Firewall
  • Umbrella DNS into NetWitness SIEM and Palo Alto Firewall 

New Integrations Created at Black Hat USA 2022

  • Safe Malware Analytics integration with Palo Alto Cortex XSOAR, extracting recordsdata from the community stream through the firewall

The NOC companions, particularly NetWitness and Palo Alto Networks, had been so collaborative and we left Vegas with extra concepts for future integration improvement

Creating Customized Meraki Dashboard Tiles for SecureX, by Matt Vander Horst

One of many largest advantages of Cisco SecureX is its open structure. Anybody can construct integrations for SecureX if they’ll develop an API with the correct endpoints that talk the correct language. Within the case of SecureX, the language is the Cisco Risk Intelligence Mannequin (CTIM). As talked about above, Cisco Meraki powered Black Hat USA 2022 by offering wired and wi-fi networking for your complete convention. This meant plenty of tools and customers to maintain monitor of. To keep away from having to change between two totally different dashboards within the NOC, we determined to construct a SecureX integration that would supply Meraki dashboard tiles immediately into our single pane of glass: SecureX.

Constructing an integration for SecureX is straightforward: determine what performance you need your integration to supply, construct an internet-accessible API that gives these features, after which add the mixing to SecureX. At Black Hat, our Meraki integration supported two capabilities: well being and dashboard. Right here’s a abstract of these capabilities and the API endpoints they anticipate:

Functionality Description API Endpoints
Well being Permits SecureX to verify the module is reachable and dealing correctly. /well being
Dashboard Gives a listing of accessible dashboard tiles and, after a tile is added to a dashboard, the tile information itself. /tiles



With our capabilities determined, we moved on to constructing the API for SecureX to speak to. SecureX doesn’t care the way you construct this API if it has the anticipated endpoints and speaks the correct language. You could possibly construct a SecureX-compatible API immediately into your product, as a serverless Amazon Internet Providers (AWS) Lambda, as a Python script with Django, and so forth. To allow fast improvement at Black Hat, we selected to construct our integration API on an current Ubuntu server in AWS operating Apache and PHP.

After constructing the API framework on our AWS server, we needed to determine which dashboard tiles to supply. Right here’s what we ended up supporting:

Tile Title Description
High Purposes Reveals the highest 10 functions by move rely
Consumer Statistics Reveals a abstract of purchasers
High SSIDs by Utilization in GB Reveals the highest 10 SSIDs by information utilization in GB
Entry Level Standing Reveals a abstract of entry factors


Lastly, as soon as the API was up and operating, we may add the mixing to SecureX. To do that, you could create a module definition after which push it to SecureX utilizing its IROH-INT API. After the module is created, it seems within the Accessible Integration Modules part of SecureX and will be added. Right here’s what our module seemed like after being added to the Black Hat SecureX occasion:

After including our new tiles to the SecureX dashboard, SecureX would ask our API for information. The API we constructed would fetch the information from Meraki’s APIs, format the information from Meraki for SecureX, after which return the formatted information. Right here’s the consequence:

These dashboard tiles gave us helpful insights into what was occurring within the Meraki community atmosphere alongside our current dashboard tiles for different merchandise comparable to Cisco Safe Endpoint, Cisco Umbrella, Cisco Safe Malware Analytics, and so forth.

If you wish to study extra about constructing integrations with SecureX, try these sources:

Talos Risk Looking, by Jerzy ‘Yuri’ Kramarz and Michael Kelly

Black Hat USA 2022 was our first absolutely supported occasion, the place we deployed an onsite menace searching workforce from Talos Incident Response (TIR). Our colleagues and associates from numerous enterprise items, linked by SecureX integration, granted us entry to all of the underlying consoles and API factors to help the menace searching efforts enhanced by Talos Intelligence.

The menace searching workforce centered on answering three key hypothesis-driven questions and matched that with information modelling throughout all the totally different expertise stacks deployed in Black Hat NOC:

  • Are there any attendees making an attempt to breach one another’s techniques in or outdoors of a classroom atmosphere?
  • Are there any attendees making an attempt to subvert any NOC Techniques?
  • Are there any attendees which are compromised and we may warn them about that?

To reply the above speculation, our evaluation began with understanding of how the community structure is laid out and how much information entry is granted to NOC. We shortly realized that our vital companions are key to extending visibility past Cisco deployed applied sciences. Nice many thanks go to our associates from NetWitness and Palo Alto Networks for sharing full entry to their applied sciences, to make sure that searching didn’t cease on simply Cisco package and contextual intelligence may very well be gathered throughout totally different safety merchandise.

Day by day menace hunt began with gathering information from Meraki API to determine IP and DNS stage requests leaving the gadgets linked to wi-fi entry factors throughout total convention. Though Meraki doesn’t immediately filter the visitors, we needed to seek out indicators of malicious exercise comparable to DNS exfiltration makes an attempt or connections to identified and malicious domains which weren’t a part of the category educating. Given the extent of entry, we had been then capable of examine community visitors seize related to suspicious connections and verify for suspected Command and Management (C2) factors (there have been a couple of from totally different menace actors!) or makes an attempt to attach again to malicious DNS or Quick Flux domains which indicated that a number of the attendee gadgets had been certainly compromised with malware.

That mentioned, that is to be anticipated given hostility of the community we had been researching and the truth that classroom environments have customers who can convey their very own gadgets for hands-on labs. SecureX allowed us to shortly plot this internally to seek out particular hosts which had been connecting and speaking with malicious endpoints whereas additionally displaying a variety of further datapoints which had been helpful for the investigation and searching. Under is one such investigation, utilizing SecureX menace response.

Whereas inside visitors, we have now additionally discovered and plotted fairly a couple of totally different port-scans operating throughout the inner community. Whereas not stopping these, it was fascinating to see totally different tries and makes an attempt by college students to seek out ports and gadgets throughout networks. Good factor that community isolation was in place to forestall that! We blurred out the IP and MAC addresses within the picture under.

Right here is one other instance of very nice port scan clusters that had been operating throughout each inside and exterior networks we have now discovered. This time it was the case of a number of hosts scanning one another and seeking to discovery ports regionally and throughout lots of the Web-based techniques. All of that was a part of the category however we needed to confirm that because it seemed fairly suspicious from the outset. Once more, blurred image for anonymity.

In a couple of cases, we additionally recognized remarkably fascinating clear-text LDAP visitors leaving the atmosphere and giving a transparent indicator of which group the precise gadget belonged to easily due to the area title which was requested within the cleartext. It was fairly fascinating to see that in 2022, we nonetheless have plenty of gadgets speaking clear textual content protocols comparable to POP3, LDAP, HTTP or FTP, that are straightforward to subvert through Man-In-The-Center sort of assaults and may simply disclose the content material of essential messages comparable to e-mail or server credentials. Under is an instance of the plain textual content e-mail attachments, seen in NetWitness and Cisco Safe Malware Analytics.

By way of the exterior assaults, Log4J exploitation makes an attempt had been just about a every day incidence on the infrastructure and functions used for attendee registration together with different typical web-based assaults comparable to SQL injections or path traversals. Total, we noticed a very good variety of port scans, floods, probes and all form of internet utility exploitation makes an attempt displaying up every day, at numerous peak hours. Thankfully, all of them had been efficiently recognized for context (is that this a part of a coaching class or demonstration) and contained (if acceptable) earlier than inflicting any hurt to exterior techniques. Given the truth that we may intercept boundary visitors and examine particular PCAP dumps, we used all these assaults to determine numerous command-and-control servers for which we additionally hunted internally to make sure that no inside system is compromised.

The ultimate piece of the puzzle we seemed to handle, whereas menace searching throughout Black Hat 2022, was automation to find fascinating investigation avenues. Each of us investigated a risk of menace searching utilizing Jupyter playbooks to seek out outliers that warrant a better look. We have now created and developed a set of scripts which might collect the information from API endpoints and create a knowledge frames which may very well be modeled for additional evaluation. This allowed us to shortly collect and filter out techniques and connections which weren’t that fascinating. Then, concentrate on particular hosts we must be checking throughout totally different expertise stacks comparable to NetWitness and Palo Alto.

Unmistaken Id, by Ben Greenbaum

An uncommon side of the Black Hat NOC and related safety operations actions is that that is an deliberately hostile community. Folks come to study new methods and to conduct what would in every other circumstance be considered rightfully as malicious, undesirable conduct. So, figuring out whether or not that is “acceptable” or “unacceptable” malicious conduct is an added step. Moreover, this can be a closely BYOD atmosphere and whereas we don’t need attendees attacking one another, or our infrastructure, there’s a specific amount of suspicious or indicative conduct we could must overlook to concentrate on increased precedence alerts.

In brief, there are broadly talking 3 ranges of safety occasion at Black Hat:

  • Allowed – classroom or demonstration actions; i.e. a big a part of the aim of Black Hat
  • Tolerated –C&C communications from BYOD techniques, different proof of infections that aren’t proof of direct assaults; attendee cleartext communications that must be encrypted, however are usually not related to the operation of the convention.
  • Forbidden – direct assaults on attendees, instructors, or infrastructure; overt legal exercise, or different violations of the Code of Conduct

When Umbrella alerted us (through a SecureX orchestration Webex workflow) of DNS requests for a website concerned in “Unlawful Exercise” it was harking back to an occasion at a earlier convention the place an attendee was caught utilizing the convention community to obtain solid vaccination paperwork.

Utilizing the Cisco Safe Malware Analytics platform’s phishing investigation instruments, I loaded and explored the topic area and located it to be a device that generates and offers pseudo-randomized pretend identities, customizable in numerous methods to match on demographics. Actually, one thing that may very well be used for nefarious functions, however is just not unlawful in and of itself. Bodily safety and entry management is, nevertheless, additionally essential at Black Hat, and if this exercise was a part of an effort to undermine that, then this was nonetheless a priority.

That is, nevertheless, additionally the form of factor that will get taught at Black Hat…

Utilizing the reported inside host IP from Umbrella, Meraki’s connection information, and the Meraki entry level map, we had been capable of slim the exercise all the way down to a particular classroom. Wanting up what was being taught in that room, we had been capable of affirm that the exercise was associated to the course’s subject material

Community house owners and directors, particularly companies, sometimes don’t need their community for use for crimes. Nonetheless, right here at Black Hat what some would contemplate “crimes” is simply “the curriculum”. This provides a layer of complexity to securing and defending not simply Black Hat, but additionally Black Hat attendees. In safety operations, not each investigation results in a smoking gun. At Black Hat, even when it does, chances are you’ll discover that the smoking gun was fired in a secure method at an accepted goal vary. Having the correct instruments readily available will help you make these determinations shortly and free you as much as examine the subsequent potential menace.

25 Years of Black Hat – Musings from the present (and a few DNS stats), by Alejo Calaoagan

Again in Singapore, I wrote about cloud app utilization and the potential menace panorama surrounding them.  My unique plan at Black Hat USA was to dig deeper into this vector to see what fascinating tidbits I may discover on our attendee community. Nonetheless, provided that this was the twenty fifth anniversary of Black Hat (and my 14th in complete between Vegas, Singapore, and London), I’ve determined to pivot to speak in regards to the present itself.

I believe it’s secure to say, after two tough pandemic years, Black Hat is again. Perhaps it’s the truth that nearly everybody has caught COVID by now (or that lots of people simply stopped caring). I caught it myself at RSA this yr again in June, the primary of consecutive summer season tremendous unfold occasions (Cisco Stay Vegas was the next week). Each of these exhibits had been within the 15-18k attendee vary, nicely under their pre-pandemic numbers. Black Hat USA 2022 was estimated at 27,000 attendees.

If I bear in mind appropriately, 2019 was within the 25-30K vary. Final yr in Vegas, there have been ~3,000 individuals on the occasion, tops. 2021 in London, was even decrease…it felt like there have been lower than 1,000 attendees. Issues definitely picked up in Singapore (2-3k attendees), although that occasion doesn’t sometimes see attendee numbers as excessive as the opposite areas. All in all, whereas the pandemic definitely isn’t over, Las Vegas gave glimpses of what issues had been like earlier than the “Rona” took over our lives.

The present ground was definitely again to the norm, with swag flying off the counter tops and contours for Nike sneaker and Lego giveaways wrapping round totally different cubicles.  The grins on individuals’s faces as they pitched, offered, hustled, and educated the plenty jogged my memory how a lot I missed this stage of engagement.  RSA gave me this sense as nicely, earlier than COVID sidelined me halfway by way of the present anyway.

Not every part was fairly the identical. The Black Hat celebration scene definitely is just not what it was once. There was no Speedy 7 rager this yr or final, or a contented hour occasion thrown by a safety firm you’ve by no means heard of at each bar you stroll by on the strip. There have been nonetheless some good networking occasions right here and there, and there have been some awesomely random Vanilla Ice, Sugar Ray, and Smashmouth exhibits. For these of you conversant in Jeremiah Grossman’s annual Black Hat BJJ throwdown, that’s nonetheless, fortunately, a factor. Hopefully, within the coming years, a few of that previous awesomeness returns….

Sufficient reminiscing, listed here are our DNS numbers from the present:

From a sheer visitors perspective, this was the busiest Black Hat ever, with over 50 million DNS requests made…

Digging into these numbers, Umbrella noticed over 1.3 million safety occasions, together with numerous forms of malware throughout the attendee community. Our menace searching workforce was busy all week!

We’ve additionally seen a rise in app utilization at Black Hat:

  • 2019: ~3,600
  • 2021: ~2,600
  • 2022: ~6,300

In a real-world manufacturing atmosphere, Umbrella can block unapproved or high-risk apps through DNS.

The will increase in DNS visitors quantity and Cloud App utilization clearly mirrors Black Hat’s return to the middle stage of safety conferences, following two years of pandemic uncertainty. I’m hopeful that issues will proceed to pattern in a optimistic route main as much as London and, hopefully, we’ll see you all there.


Hats off to your complete NOC workforce. Take a look at Black Hat Europe in London, 5-8 December 2022!

Acknowledgements: Particular because of the Cisco Meraki and Cisco Safe Black Hat NOC workforce.

SecureX menace response, orchestration, gadget insights, customized integrations and Malware Analytics: Ian Redden, Aditya Sankar, Ben Greenbaum, Matt Vander Horst and Robert Taylor

Umbrella DNS: Christian Clasen and Alejo Calaoagan

Talos Incident Response Risk Hunters: Jerzy ‘Yuri’ Kramarz and Michael Kelley

Meraki Techniques Supervisor: Paul Fidler (workforce chief), Paul Hasstedt and Kevin Carter

Meraki Community Engineering: Evan Basta (workforce chief), Gregory Michel, Richard Fung and CJ Ramsey

Community Design and Wi-fi Website Survey: Jeffry Handal, Humphrey Cheung, JW McIntire and Romulo Ferreira

Community Construct/Tear Down: Dinkar Sharma, Ryan Maclennan, Ron Taylor and Leo Cruz

Important help in sourcing and delivering the Meraki APs and switches: Lauren Frederick, Eric Goodwin, Isaac Flemate, Scott Pope and Morgan Mann

Additionally, to our NOC companions NetWitness (particularly David Glover), Palo Alto Networks (particularly Jason Reverri), Lumen, Gigamon, IronNet, and your complete Black Hat / Informa Tech employees (particularly Grifter ‘Neil Wyler’, Bart Stump, Steve Fink, James Pope, Jess Stafford and Steve Oldenbourg).

About Black Hat

For 25 years, Black Hat has offered attendees with the very newest in data safety analysis, improvement, and tendencies. These high-profile world occasions and trainings are pushed by the wants of the safety neighborhood, striving to convey collectively the very best minds within the business. Black Hat conjures up professionals in any respect profession ranges, encouraging progress and collaboration amongst academia, world-class researchers, and leaders in the private and non-private sectors. Black Hat Briefings and Trainings are held yearly in the US, Europe and USA. Extra data is out there at: Black Hat is dropped at you by Informa Tech.

We’d love to listen to what you assume. Ask a Query, Remark Under, and Keep Linked with Cisco Safe on social!

Cisco Safe Social Channels





Please enter your comment!
Please enter your name here

Most Popular

Recent Comments