Black Hat USA 2021 Network Operations Center
Black Hat is back!
What an event to attend: the first major cybersecurity conference since the lockdowns of the COVID-19 pandemic.
Cisco Secure returned as a supporting partner of the Black Hat USA 2021 Network Operations Center (NOC) for the 5th year, joining conference producer Informa Tech and its other security partners. As at other Black Hat conferences, the mission of the NOC is to build a conference network that is secure, stable and accessible for trainings, briefings, attendees and sponsors. That involves a robust link to the Internet (Lumen and Gigamon), firewall protection (Palo Alto Networks), a segmented wireless network (Commscope Ruckus), and full network packet capture, forensics and SIEM (RSA NetWitness), with Cisco providing cloud-based intelligence and security support.
As in previous years, Cisco Secure provided DNS visibility and architecture intelligence with Cisco Umbrella and Cisco Umbrella Investigate, and automated malware analysis and threat intelligence with Cisco Secure Malware Analytics (Threat Grid), supported by Cisco Talos Intelligence and Cisco SecureX.
New in 2021, Cisco Secure was asked to secure 340+ iPads (22 as spares) used for Black Hat conference registration and sponsor lead retrieval. With that many mobile devices, the first task was to have the vendor put them in ‘supervised mode’ and enroll them in the Cisco Meraki Systems Manager (SM) mobile device management (MDM) platform. Once enrollment was complete, we could secure the iPads by deploying Cisco Secure Endpoint for iOS (Security Connector).
We were able to manage every aspect of the iPads remotely. Several arrived with an out-of-date iOS, and we updated them into compliance remotely.
Meraki SM was also able to deploy the applications used for attendee registration and lead retrieval.
We also deployed the profile for connecting to the SSID reserved for conference administration, restricted by MAC address, with a unique sixteen-character password for each iPad, allowing it to connect to the Commscope Ruckus access points. With the satellite map view, we could see the location of the iPads, and if one were to ‘walk away’ from the conference, we had the ability to remotely wipe all of its data and ‘brick’ the device.
The biggest challenge was keeping 340+ iPads charged for the registration team to pick up and take physical possession of.
Building a Secure Network for All
The trainers, sponsors and briefers need to be able to access and demonstrate malicious code and network activity without infecting attendees or other networks, and without causing an outage. This is a balancing act that the NOC team enjoys at every conference. This year the NOC was closed to attendees, but it was streamed live and could be viewed from outside the NOC and at home via the Black Hat Twitch channel, with presentations from NOC leaders Neil Wyler (@grifter801) and Bart Stump (@thestump3r).
From Russia With Love
Threat hunting is a core mission of the Cisco Secure team: monitoring DNS activity for potentially malicious behavior, and reviewing the automated malware analysis of samples submitted by RSA NetWitness for maliciousness.
The PAN firewall team observed Russian IP 45[.]146[.]164[.]110 knocking around the Registration Server, the key asset all of us continually work to protect.
The Cisco threat hunting team investigated the threat in SecureX threat response, which was integrated with 20+ Cisco and partner threat intelligence platforms.
Cisco Technologies | Third Party Technologies
Talos Intelligence | alphaMountain.ai Threat Intelligence
Threat Grid (Secure Malware Analytics) | APIVoid
Umbrella | AbuseIPDB IP Checker
AMP for Endpoints (Secure Endpoint) | Akamai
AMP File Reputation | AlienVault Open Threat Exchange
AMP Global Intelligence | CyberCrime Tracker
Private Intelligence (Threat Grid feeds) | Farsight Security DNSDB
SecureX orchestration | Palo Alto Networks AutoFocus
| Recorded Future
| Shodan
| Threatscore (Cyberprotect)
| urlscan.io
With those integrations, we confirmed the malicious reputation from several sources and found an associated domain/URL.
The firewall team requested a block for the IP, because it had attempted a couple of remote code execution attacks plus some scans. The Cisco Umbrella team blocked the mastercommunications[.]ru domain, so no device on the network could connect out to it. It is rare that we take that step; the only previous time was when a spear phishing attack was delivered against our registration laptops at Black Hat Europe 2018.
We saw similar attacks from IPs in Germany and China, and the firewall team blocked them in the same way.
Protecting Attendees from Malware, Cryptomining and Themselves
For the 2nd year (the 1st was 2019), Black Hat USA used captive webpage notifications for users who connected to the Black Hat network and were found to be infected with malware, at risk of a phishing attack, sharing credentials in the clear, or running cryptomining. The notifications were implemented by moving affected users into a group within the PAN Firewall.
This way, those who are delivering presentations and demos can still reach their intended target, while unaware attendees are protected.
The Umbrella team actively looked for potential threats to the attendees.
For instance, we observed a connection to a known phishing site.
SECURITY CATEGORY (PHISHING)
app.nihaocloud[.]com
Event Details (1 of 2)
Date & Time: Aug 5, 2021 at 6:32 AM
Internal IP: 63.231.217.168
Very quickly, we were able to visualize the complete architecture of the phishing infrastructure in SecureX threat response. We notified the firewall team, who added the domain to the captive portal list.
In another example of collaboration, the RSA NetWitness team observed a connection to a suspicious domain from an attendee using a Mac.
The Umbrella threat hunting team confirmed the maliciousness and that it would have been blocked in a production environment. The firewall team added the domain to the captive portal list.
Cryptomining appeared on the first day of the Business Hall. We alerted the firewall team, who placed a captive portal in front of those accessing the domains, so that anyone who wished to cryptomine could then carry on. If they were unaware that their machines were mining, they could take action. The mining stopped.
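As an added illustration of the detect-and-notify flow described above (this is not code from the post, from Cisco or from the NOC), the script below parses Umbrella-style security events in the shape of the alert shown earlier and derives, per security category, the internal IPs to move into the firewall notification group plus the domains to add to the captive portal list. The sample events, the cryptomining domain and the internal IPs are constructed for the example.

```python
"""Turn Umbrella-style security events into captive-portal actions.

Added example, not Cisco's or the NOC's own tooling. The event layout
mirrors the 'SECURITY CATEGORY (PHISHING)' alert quoted in the post;
all sample values below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample events (same shape as the alert shown in the post).
SAMPLE_EVENTS = """\
SECURITY CATEGORY (PHISHING)
app.nihaocloud[.]com
Date & Time: Aug 5, 2021 at 6:32 AM
Internal IP: 10.20.30.41

SECURITY CATEGORY (CRYPTOMINING)
pool.example-miner[.]net
Date & Time: Aug 5, 2021 at 9:10 AM
Internal IP: 10.20.30.42

SECURITY CATEGORY (CRYPTOMINING)
pool.example-miner[.]net
Date & Time: Aug 5, 2021 at 9:12 AM
Internal IP: 10.20.30.42
"""

# One alert = category line, defanged domain, timestamp, internal IP.
EVENT_RE = re.compile(
    r"SECURITY CATEGORY \((?P<category>[A-Z ]+)\)\n"
    r"(?P<domain>\S+)\n"
    r"Date & Time: (?P<when>.+)\n"
    r"Internal IP: (?P<ip>[\d.]+)"
)


def refang(domain):
    """Convert the defanged 'example[.]com' back to 'example.com'."""
    return domain.replace("[.]", ".")


def parse_events(text):
    """Return one dict per alert block found in the text."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]


def captive_portal_actions(events):
    """Group affected internal IPs by category (for the firewall user
    group) and collect the domains to put behind the captive portal.
    Repeated alerts for the same host are collapsed."""
    groups = defaultdict(set)
    domains = set()
    for e in events:
        groups[e["category"].strip().lower()].add(e["ip"])
        domains.add(refang(e["domain"]))
    return {"groups": {k: sorted(v) for k, v in groups.items()},
            "domains": sorted(domains)}
```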
Malware Analysis
With the lack of classroom training and the move to mobile access, few malware samples were observed at Black Hat USA 2021. RSA NetWitness Orchestrator carved the files off the network stream and delivered them to Cisco Secure Malware Analytics (Threat Grid). Over the week, 279 samples were delivered for analysis.
However, there was a breach of personal information concerning contract security personnel, submitted in a plain text email, with the attachments seen in Threat Grid. The same incident occurred in 2019, and the RSA NetWitness team did another full report for remediation.
Aditya and I made a custom dashboard tile to alert us on Umbrella security events, to lessen the pressure on our analysts to track multiple screens simultaneously. Look for a blog from Aditya on how he achieved this with SecureX orchestration.
DNS Traffic at a Record Low
In 2021, we saw ~11 million DNS requests, reflecting the drop in live attendance. By comparison, in 2018 there were about 42.4 million DNS requests on the Black Hat USA network, and in 2019 there were 49.6 million requests. About 1,900 would have been blocked in a production environment as violating security policies.
It’s an App World
In 2021, over 2,600 different apps connected to the BH network, reflecting the move to mobile. In 2019, about 3,600 apps connected in the same time frame, with five times as many DNS requests.
With the success of Vegas under our belts, the next focus is Black Hat Europe.
Note: The staff of the NOC were all vaccinated against COVID-19. We wore our masks for the whole of Black Hat USA 2021, with this one exception, for a quick photo to show our shiny faces.
Acknowledgements: Special thanks to the Cisco Secure Black Hat NOC team: Jonny Noble, Alejo Calaogan, Christian Clasen and Aditya Sankar; with remote support by Aaron Woland, Ian Redden and Krishan Veer. Also, to our NOC partners RSA (especially the RSA Security team led by Percy Tucker), Palo Alto Networks (especially Lance Knittig), Commscope Ruckus (especially Jim Palmer), Gigamon, IronNet, Lumen and the entire Black Hat / Informa Tech staff (especially Marissa Parker - Queen of the NOC, Steve Fink - Chief Architect, Neil Wyler and Bart Stump).
About Black Hat
For more than twenty years, Black Hat has provided attendees with the latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring the best minds in the industry together. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia. More information is available at blackhat.com. Black Hat is brought to you by Informa Tech.
We’d love to hear what you think. Ask a question, comment below, and stay connected with Cisco Secure on social!