In part one of our Black Hat Asia 2022 NOC blog, we discussed building the network with Meraki:
- From attendee to press to volunteer – coming back to Black Hat as NOC volunteer by Humphrey Cheung
- Meraki MR, MS, MX and Systems Manager by Paul Fidler
- Meraki Scanning API Receiver by Christian Clasen
In this part two, we'll discuss:
- SecureX: Bringing Threat Intelligence Together by Ian Redden
- Device type spoofing incident by Jonny Noble
- Self Service with SecureX Orchestration and Slack by Matt Vander Horst
- Using SecureX sign-on to streamline access to the Cisco Stack at Black Hat by Adi Sankar
- Future Threat Vectors to Consider – Cloud App Discovery by Alejo Calaoagan
- Malware Threat Intelligence made easy and available, with Cisco Secure Malware Analytics and SecureX by Ben Greenbaum
SecureX: Bringing Threat Intelligence Together by Ian Redden
In addition to the Meraki networking gear, Cisco Secure also shipped two Umbrella DNS virtual appliances to Black Hat Asia, for internal network visibility with redundancy, in addition to providing:
- Cisco Secure Threat Intelligence (correlated by SecureX)
- Donated Partner Threat Intelligence (correlated by SecureX)
- Open-Source Threat Intelligence (correlated by SecureX)
Continued Integrations from previous Black Hat events
- NetWitness PCAP file carving and submission to Cisco Secure Malware Analytics (formerly Threat Grid) for analysis
New Integrations Created at Black Hat Asia 2022
- SecureX threat response and NetWitness SIEM: Sightings in investigations
- SecureX orchestration workflows for Slack that enabled:
  - Administrators to block a device by MAC address for violating the conference Code of Conduct
  - NOC members to query Meraki for information about network devices and their clients
  - NOC members to update the VLAN on a Meraki switchport
  - NOC members to query Palo Alto Panorama for client information
  - Notification if an AP went down
- NetWitness SIEM integration with Meraki syslogs
- Palo Alto Panorama integration with Meraki syslogs
- Palo Alto Cortex XSOAR integration with Meraki and Umbrella
Device type spoofing incident by Jonny Noble
During the conference, a NOC Partner informed us that they had received an alert from May 10 concerning an endpoint client that accessed two domains that they observed as malicious:
Client details from Partner:
- Private IP: 10.XXX.XXX.XXX
- Client name: LAPTOP-8MLGDXXXX
- MAC: f4:XX:XX:XX:XX:XX
- User agent for detected incidents: Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_2 like Mac OS X) AppleWebKit/602.2.8 (KHTML, like Gecko) Version/11.0 Mobile/14B55c Safari/602.1
Based on the user agent, the partner derived that the device type was an Apple iPhone.
- legendarytable[.]com → Judgement of Suspicious by alphaMountain.ai
- drakefollow[.]com → Judgement of Malicious by alphaMountain.ai
Umbrella Investigate analysis
Umbrella Investigate positions both domains as low risk, both registered recently in Poland, and both hosted on the same IP:
Despite the low-risk score, the nameservers have high counts of malicious associated domains:
Targeting users in ASA, UK, and Nigeria:
Based on the time of the incident, we can trace the device's location (based on its IP address). This is thanks to the effort we invested in mapping out the exact location of all Meraki APs, which we deployed across the convention center with an overlay of the event map covering the area of the event:
- Access Point: APXX
- Room: Orchid Ballroom XXX
- Training course at time in location: "Web Hacking Black Belt Edition"
Further analysis and conclusions
The device name (LAPTOP-8MLGXXXXXX) and MAC address seen (f4:XX:XX:XX:XX:XX) both matched across the partner and Meraki, so there was no question that we were analyzing the same device.
Based on the user agent captured by the partner, the device type was an Apple iPhone. However, Meraki was reporting the device and its OS as "Intel, Android".
A quick lookup of the MAC address showed that the OUI (organizationally unique identifier) f42679 belongs to Intel Malaysia, making it unlikely that this was an Apple iPhone.
The description for the training "Web Hacking Black Belt Edition" can be seen here:
It is highly likely that the training content included the use of tools and techniques for spoofing the visible user agent or device type.
There is also a high probability that the two domains observed were used as part of the training activity, rather than this being part of a live attack.
It is clear that integrating the various Cisco technologies used in the investigation of this incident (Meraki wireless infrastructure, SecureX, Umbrella, Investigate), together with the close partnership and collaboration of our NOC partners, positioned us where we needed to be and provided us with the tools we needed to swiftly gather the data, join the dots, draw conclusions, and successfully bring the incident to closure.
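The cross-check that closed this incident (a User-Agent claim tested against the MAC OUI and the wireless controller's own fingerprint) as an added example, not code from the original post or from Cisco. The OUI table is a constructed stand-in that contains only the F4:26:79 → Intel entry the write-up cites, and the sample MAC's trailing octets are made up because the post redacts them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Minimal OUI table. The F4:26:79 -> Intel entry is the one the incident
# write-up cites; a real check would consult the full IEEE OUI registry.
OUI_VENDORS = {"F4:26:79": "Intel"}

# Device families a User-Agent can claim, and the hardware vendor each implies.
# Android and Windows imply no single vendor, so they contribute no claim.
UA_VENDOR_HINTS = [
    (re.compile(r"\b(iPhone|iPad|iPod)\b"), "Apple"),
    (re.compile(r"\bMacintosh\b"), "Apple"),
]

@dataclass
class ClientRecord:
    hostname: str
    mac: str
    user_agent: str          # as captured by the partner's sensor
    fingerprinted_os: str    # as reported by the wireless controller (Meraki here)

def oui_vendor(mac: str) -> Optional[str]:
    """Vendor for the first three octets of a MAC, or None if not in the table."""
    octets = re.split(r"[:\-.]", mac.strip().upper())
    if len(octets) < 3 or any(not re.fullmatch(r"[0-9A-F]{2}", o) for o in octets[:3]):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return OUI_VENDORS.get(":".join(octets[:3]))

def ua_claimed_vendor(user_agent: str) -> Optional[str]:
    """Hardware vendor the User-Agent string claims, or None if it implies none."""
    for pattern, vendor in UA_VENDOR_HINTS:
        if pattern.search(user_agent):
            return vendor
    return None

def assess(rec: ClientRecord) -> dict:
    """Cross-check three independent signals: User-Agent, OUI, network fingerprint.

    The User-Agent is entirely client-controlled; the OUI and the controller's
    fingerprint are far harder to fake, so a disagreement is evidence that the
    User-Agent is spoofed, not that the other two signals are wrong.
    """
    claimed = ua_claimed_vendor(rec.user_agent)
    hw = oui_vendor(rec.mac)
    findings = []
    if claimed and hw and claimed != hw:
        findings.append(f"User-Agent claims {claimed} hardware but OUI belongs to {hw}")
    if claimed == "Apple" and "android" in rec.fingerprinted_os.lower():
        findings.append("User-Agent claims iOS but network fingerprint says Android")
    return {
        "hostname": rec.hostname,
        "claimed_vendor": claimed,
        "oui_vendor": hw,
        "findings": findings,
        "verdict": "suspected User-Agent spoofing" if findings else "consistent",
    }

# Constructed sample mirroring the incident (the post redacts all but the
# first octet of the MAC; the remaining octets here are made up).
SAMPLE = ClientRecord(
    hostname="LAPTOP-8MLGDXXXX",
    mac="f4:26:79:00:00:01",
    user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_2 like Mac OS X) "
               "AppleWebKit/602.2.8 (KHTML, like Gecko) Version/11.0 Mobile/14B55c Safari/602.1",
    fingerprinted_os="Intel, Android",
)

if __name__ == "__main__":
    for line in assess(SAMPLE)["findings"]:
        print("finding:", line)
```

An unknown OUI yields no finding rather than a false positive, which is the right default when the table is incomplete.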
Self Service with SecureX Orchestration and Slack by Matt Vander Horst
Since Meraki was a new platform for much of the NOC's staff, we wanted to make information easier to gather and enable a certain amount of self-service. Since the Black Hat NOC uses Slack for messaging, we decided to create a Slack bot that NOC staff could use to interact with the Meraki infrastructure as well as Palo Alto Panorama using the SecureX Orchestration remote appliance. When users communicate with the bot, webhooks are sent to Cisco SecureX Orchestration to do the work on the back end and send the results back to the user.
Here's how this integration works:
- When a Slack user triggers a '/' "slash command" or other type of interaction, a webhook is sent to SecureX Orchestration. Webhooks trigger orchestration workflows, which can do any number of things. In this case, we have two different workflows: one to handle slash commands and another for interactive elements such as forms (more on the workflows later).
- Once the workflow is triggered, it makes the necessary API calls to Meraki or Palo Alto Panorama depending on the command issued.
- After the workflow is finished, the results are passed back to Slack using either an API request (for slash commands) or a webhook (for interactive elements).
- The user is presented with the results of their inquiry or the action they requested.
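The slash-command leg of the flow above, as an added example rather than the NOC's own SecureX Orchestration workflow: it authenticates the inbound Slack webhook (Slack's v0 request signature, which a webhook receiver should check before acting), parses the form-encoded command, restricts the write command to an allowlist of users, validates arguments, and builds the backend request the workflow would issue. The signing secret, user IDs, serials and the `/client_lookup` command name are constructed; the Meraki Dashboard API v1 paths are assumed from its public documentation and the request is built, not sent.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed secret and policy; real values come from the Slack app's config.
SIGNING_SECRET = b"constructed-signing-secret"
MAX_SKEW_SECONDS = 300                  # Slack recommends rejecting requests older than 5 minutes
WRITE_COMMANDS = {"/update_vlan"}       # commands that change infrastructure
WRITE_ALLOWED_USERS = {"U0NOCADMIN1"}   # constructed Slack user IDs

def sign(timestamp: str, body: bytes) -> str:
    """Slack's v0 signature: HMAC-SHA256 over 'v0:<timestamp>:<raw body>'."""
    base = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(SIGNING_SECRET, base, hashlib.sha256).hexdigest()

def verify_slack_signature(timestamp: str, body: bytes, signature: str,
                           now: Optional[float] = None) -> bool:
    """Reject stale timestamps (replay) and any signature mismatch (tampering)."""
    now = time.time() if now is None else now
    try:
        if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
            return False
    except ValueError:
        return False
    return hmac.compare_digest(sign(timestamp, body), signature)

def parse_slash_command(body: bytes) -> dict:
    """Slack posts slash commands form-encoded; keep only the fields we act on."""
    fields = parse_qs(body.decode(), keep_blank_values=True)
    return {k: fields.get(k, [""])[0] for k in ("command", "text", "user_id", "channel_id")}

def build_backend_call(cmd: dict) -> tuple:
    """Translate a parsed command into (method, path, payload) for the backend API."""
    if cmd["command"] == "/update_vlan":
        serial, port, vlan = cmd["text"].split()      # wrong arity raises ValueError
        vlan_id = int(vlan)
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN must be 1-4094")
        # Meraki Dashboard API v1 switch-port update (path assumed from the docs).
        return ("PUT", f"/api/v1/devices/{serial}/switch/ports/{port}", {"vlan": vlan_id})
    if cmd["command"] == "/client_lookup":             # constructed read-only command
        network_id, client_id = cmd["text"].split()
        return ("GET", f"/api/v1/networks/{network_id}/clients/{client_id}", None)
    raise ValueError(f"unknown command {cmd['command']}")

def handle_webhook(headers: dict, body: bytes, now: Optional[float] = None) -> dict:
    """Authenticate, parse, authorize, act; always answer in Slack's response format."""
    if not verify_slack_signature(headers.get("X-Slack-Request-Timestamp", ""), body,
                                  headers.get("X-Slack-Signature", ""), now):
        return {"status": 401, "response_type": "ephemeral", "text": "invalid signature"}
    cmd = parse_slash_command(body)
    if cmd["command"] in WRITE_COMMANDS and cmd["user_id"] not in WRITE_ALLOWED_USERS:
        return {"status": 200, "response_type": "ephemeral",
                "text": f"not authorized for {cmd['command']}"}
    try:
        method, path, payload = build_backend_call(cmd)
    except ValueError as exc:
        return {"status": 200, "response_type": "ephemeral", "text": f"bad request: {exc}"}
    return {"status": 200, "response_type": "ephemeral",
            "text": f"would send {method} {path} {payload}", "call": (method, path, payload)}
```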
Workflow #1: Handle Slash Commands
Slash commands are a special type of message built into Slack that allow users to interact with a bot. When a Slack user executes a slash command, the command and its arguments are sent to SecureX Orchestration, where a workflow handles the command. The table below shows a summary of the slash commands our bot supported for Black Hat Asia 2022:
Here's a sample of a portion of the SecureX Orchestration workflow that powers the above commands:
And here's a sample of firewall logs as returned from the "/pan_traffic_history" command:
Workflow #2: Handle Interactivity
A more advanced form of user interaction comes in the form of Slack blocks. Instead of including a command's arguments in the command itself, you can execute the command and Slack will present you with a form to complete, like this one for the "/update_vlan" command:
These forms are much more user friendly and allow information to be pre-populated for the user. In the example above, the user can simply select the switch to configure from a drop-down list instead of having to enter its name or serial number. When the user submits one of these forms, a webhook is sent to SecureX Orchestration to execute a workflow. The workflow takes the requested action and sends back a confirmation to the user:
While these two workflows only scratched the surface of what can be done with SecureX Orchestration webhooks and Slack, we now have a foundation that can easily be expanded upon going forward. We can add additional commands and new forms of interactivity, and continue to enable NOC staff to get the information they need and take necessary action. The goal of orchestration is to make life simpler, whether by automating our interactions with technology or by making those interactions easier for the user.
Future Threat Vectors to Consider – Cloud App Discovery by Alejo Calaoagan
Since 2017 (starting at Black Hat USA – Las Vegas), Cisco Umbrella has provided DNS security to the Black Hat attendee network, adding layers of traffic visibility previously not seen. Our efforts have largely been successful, identifying thousands of threats over the years and mitigating them through Umbrella's blocking capabilities when necessary. This was taken a step further at Black Hat London 2021, where we introduced our Virtual Appliances to provide source IP attribution for the devices making requests.
Here at Black Hat Asia 2022, we've been noodling on additional ways to provide advanced protection for future shows, and it starts with Umbrella's Cloud Application Discovery feature, which identified 2,286 unique applications accessed by users on the attendee network across the four-day conference. Looking at a snapshot from a single day of the show, Umbrella captured 572,282 DNS requests from all cloud apps, with over 42,000 posing either high or very high risk.
Digging deeper into the data, we see not only the types of apps being accessed…
…but also the apps themselves…
…and we can flag apps that look suspicious.
We also include risk breakdowns by category…
…and drill-downs on each.
While this data alone won't provide enough information to take action, including it in analysis, something we have been doing, may provide a window into new threat vectors that may previously have gone unseen. For example, if we identify a compromised device infected with malware, or a device attempting to access restricted resources on the network, we can dig deeper into the types of cloud apps those devices are using and correlate that data with suspicious request activity, potentially uncovering tools we should be blocking in the future.
I can't say for certain how much this additional data set will help us uncover new threats, but, with Black Hat USA just around the corner, we'll find out soon.
Using SecureX sign-on to streamline access to the Cisco Stack at Black Hat by Adi Sankar
From five years ago to now, Cisco has greatly expanded our presence at Black Hat to include a multitude of products. Of course, sign-on was simple when it was only one product (Secure Malware Analytics) and one user to log in. When it came time to add a new technology to the stack, it was added separately as a standalone product with its own method of logging in. As the number of products increased, so did the number of Cisco staff at the conference to support these products. This meant sharing usernames and passwords became tedious, not to mention insecure, especially with 15 Cisco staff, plus partners, accessing the platforms.
The Cisco Secure stack at Black Hat consists of SecureX, Umbrella, Malware Analytics, Secure Endpoint (iOS Clarity), and Meraki. All of these technologies support SAML SSO natively with SecureX sign-on. This means that each of our Cisco staff members can have an individual SecureX sign-on account to log into the various consoles. This results in better role-based access control, better audit logging and an overall better login experience. With SecureX sign-on we can log into all of the products while only having to type a password one time and approve one Cisco DUO Multi-Factor Authentication (MFA) push.
How does this magic work behind the scenes? It's actually quite simple to configure SSO for each of the Cisco technologies, since all of them support SecureX sign-on natively. First and foremost, you must set up a new SecureX org by creating a SecureX sign-on account, creating a new organization and integrating at least one Cisco technology. In this case I created a new SecureX organization for Black Hat and added the Secure Endpoint module, Umbrella module, Meraki Systems Manager module and the Secure Malware Analytics module. Then from Administration → Users in SecureX, I sent an invitation to the Cisco staffers that would be attending the conference, which contained a link to create their account and join the Black Hat SecureX organization. Next, let's take a look at the individual product configurations.
In the Meraki organization settings, enable SecureX sign-on. Then under Organization → Administrators add a new user and specify SecureX sign-on as the authentication method. Meraki even allows you to limit users to particular networks and set permission levels for those networks. Accepting the email invitation is easy since the user should already be logged into their SecureX sign-on account. Now, logging into Meraki only requires an email address and no password or additional DUO push.
Under Admin → Authentication, configure SecureX sign-on, which requires a test login to ensure you can still log in before using SSO for authentication to Umbrella. There is no need to configure MFA in Umbrella since SecureX sign-on comes with built-in DUO MFA. Existing users and any new users added in Umbrella under Admin → Accounts will now be using SecureX sign-on to log into Umbrella. Logging into Umbrella is now a seamless launch from the SecureX dashboard or from the SecureX ribbon in any of the other consoles.
Secure Malware Analytics:
A Secure Malware Analytics organization admin can create new users in their Threat Grid tenant. This username is unique to Malware Analytics, but it can be linked to a SecureX sign-on account to take advantage of the seamless login flow. From the email invitation the user will create a password for their Malware Analytics user and accept the EULA. Then in the top right under My Malware Analytics Account, the user has an option to connect their SecureX sign-on account, which is a one-click process if already signed in with SecureX sign-on. Now when a user navigates to the Malware Analytics login page, simply clicking "Login with SecureX Sign-On" will grant them access to the console.
The Secure Endpoint deployment at Black Hat is limited to iOS Clarity through Meraki Systems Manager for the conference iOS devices. Most of the asset information we need about the iPhones/iPads is brought in by the SecureX Device Insights inventory. However, for initial configuration and to view device trajectory it is necessary to log into Secure Endpoint. A new Secure Endpoint account can be created under Accounts → Users, and an invitation is sent to the corresponding email address. Accepting the invite is a simple process since the user is already signed in with SecureX sign-on. Privileges for the user in the Endpoint console can be granted from within the user account.
To sum it all up, SecureX sign-on is the standard for the Cisco stack moving forward. With a new SecureX organization instantiated using SecureX sign-on, any new users of the Cisco stack at Black Hat will be using SecureX sign-on. SecureX sign-on has made our user management much more secure as we have expanded our presence at Black Hat. SecureX sign-on provides a unified login mechanism for all the products and has modernized our login experience at the conference.
Malware Threat Intelligence made easy and available, with Cisco Secure Malware Analytics and SecureX by Ben Greenbaum
I'd gotten used to people's reactions upon seeing SecureX in use for the first time. A few times at Black Hat, a small audience gathered just to watch us effortlessly correlate data from multiple threat intelligence repositories and several security sensor networks in just a few clicks in a single interface, for rapid sequencing of events and an intuitive understanding of security events, situations, causes, and consequences. You've already read about a few of those instances above. Here is just one example of SecureX automatically putting together a chronological history of observed network events detected by products from two vendors (Cisco Umbrella and NetWitness). The participation of NetWitness in this and all of our other investigations was made possible by our open architecture, available APIs and API specifications, and the creation of the NetWitness module described above.
In addition to the traffic and online activities of hundreds of user devices on the network, we were responsible for monitoring a handful of Black Hat-owned devices as well. SecureX Device Insights made it easy to access information about these assets, either en masse or as required during an ongoing investigation. iOS Clarity for Secure Endpoint and Meraki Systems Manager both contributed to this useful tool, which adds business intelligence and asset context to SecureX's native event and threat intelligence, for more complete and more actionable security intelligence overall.
SecureX is made possible by dozens of integrations, each bringing its own unique information and capabilities. This time though, for me, the star of the SecureX show was our malware analysis engine, Cisco Secure Malware Analytics (CSMA). Shortly before Black Hat Asia, the CSMA team released a new version of their SecureX module. SecureX can now query CSMA's database of malware behavior and activity, including all associated indicators and observables, as an automated part of the regular process of any investigation conducted in SecureX Threat Response.
This capability is most useful in two scenarios:
1: determining whether suspicious domains, IPs and files reported by any other technology were observed in the analysis of any of the millions of publicly submitted file samples, or our own.
2: rapidly gathering additional context about files submitted to the analysis engine by the integrated products in the Black Hat NOC.
The first was a significant time saver in several investigations. In the example below, we received an alert about connections to a suspicious domain. In that scenario, our first course of action is to investigate the domain and any other observables reported with it (typically the internal and public IPs included in the alert). Thanks to the new CSMA module, we immediately discovered that the domain had a history of being contacted by a variety of malware samples from multiple families, and that information, corroborated by automatically gathered reputation data from multiple sources about each of those files, gave us an immediate next path to investigate as we hunted for evidence of those files being present in network traffic, or of any traffic to other C&C sources known to be used by those families. From the first alert to having a robust, data-driven set of related alerts to look for took only minutes, including input from SecureX partner Recorded Future, who donated a full threat intelligence license for the Black Hat NOC.
The other scenario, investigating files submitted for analysis, came up less frequently, but when it did, the CSMA/SecureX integration was equally impressive. We could rapidly, nearly instantly, search for evidence of any of our analyzed samples in the environment across all other deployed SecureX-compatible technologies. That evidence was not limited to searching for the hash itself, but included any of the network resources or dropped payloads associated with the sample as well, easily identifying local targets who had perhaps not seen the exact variant submitted, but who had nonetheless been in contact with that sample's Command and Control infrastructure or other related artifacts.
And of course, thanks to the presence of the ribbon in the CSMA UI, we could be even more efficient and do this with multiple samples at once.
SecureX greatly increased the efficiency of our small volunteer team, and certainly made it possible for us to investigate more alerts and events, and hunt for more threats, all more thoroughly, than we would have been able to without it. SecureX truly took this team to the next level, by augmenting and operationalizing the tools and the staff that we had at our disposal.
We look forward to seeing you at Black Hat USA in Las Vegas, 6-11 August 2022!
Acknowledgements: Special thanks to the Cisco Meraki and Cisco Secure Black Hat NOC team: Aditya Sankar, Aldous Yeung, Alejo Calaoagan, Ben Greenbaum, Christian Clasen, Felix H Y Lam, George Dorsey, Humphrey Cheung, Ian Redden, Jeffrey Chua, Jeffry Handal, Jonny Noble, Matt Vander Horst, Paul Fidler and Steven Fan.
Also, to our NOC partners NetWitness (especially David Glover), Palo Alto Networks (especially James Holland), Gigamon, IronNet (especially Bill Swearington), and the entire Black Hat / Informa Tech staff (especially Grifter 'Neil Wyler', Bart Stump, James Pope, Steve Fink and Steve Oldenbourg).
About Black Hat
For more than 20 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia. More information is available at: blackhat.com. Black Hat is brought to you by Informa Tech.