(844) 773-7734 mk@mkss.us

Black Hat USA 2021 Network Operations Center

Black Hat is back!

What an experience to be attending the first major cybersecurity conference since the lockdowns of the COVID-19 pandemic.

Cisco Secure returned as a supporting partner of the Black Hat USA 2021 Network Operations Center (NOC) for the 5th year; joining conference producer Informa Tech and its other security partners. Like other Black Hat conferences, the mission of the NOC is to build a conference network that is secure, stable and accessible for the training events, briefings, sponsors and attendees. This requires a robust connection to the Internet (Lumen and Gigamon), firewall protection (Palo Alto Networks), segmented wireless network (Commscope Ruckus) and network full packet capture & forensics and SIEM (RSA NetWitness); with Cisco providing cloud-based security and intelligence support.

Presentation being given at Black Hat USA 2021 Network Operations Center

For several years, Cisco Secure provided DNS visibility and architecture intelligence with Cisco Umbrella and Cisco Umbrella Investigate; and automated malware analysis and threat intelligence with Cisco Secure Malware Analytics (Threat Grid), backed by Cisco Talos Intelligence and Cisco SecureX.

Technology presentation being given at Black Hat USA 2021 Network Operations Center

New in 2021, Cisco Secure was asked to protect 340+ (22 as spares) iPads used for the Black Hat conference registration and sponsor lead retrieval. With such a large number of mobile devices, the first task was to work with the vendor to place them in ‘supervised mode’ and enroll them with the Cisco Meraki Systems Manager (SM) mobile device management (MDM) platform. Once the enrollment was completed, we were able to secure the iPads by deploying the Cisco Secure Endpoint for iOS/Security Connector.

We were able to manage all aspects of the iPads remotely. Several came with out-of-date iOS. We were able to remotely update them into compliance.

View of iOS Compliance Dashboard

Meraki SM was also able to deploy the applications to be used for attendee registration and lead retrieval.

List of top managed Meraki apps

We also deployed the profile to connect to the SSID reserved for the conference administration, by MAC address, with a unique sixteen-character password for each iPad, for connecting to the Commscope Ruckus access points. With the satellite map view, we were able to see the location of the iPads, and one were to ‘walk away’ from the conference, we had the ability to remotely wipe all the data and ‘brick’ the device.

View of Meraki Device Location dashboard

The biggest challenge was keeping 340+ iPads charged for the registration team to arrive and take physical possession.

Stacks of 340 iPads being charged for BH registration team.

Creating a Secure Network for All

The trainers, briefers and sponsors need to be able to access and demonstrate malicious code and network activity; without infecting attendees or other networks, or experiencing an outage. It is a balancing act that the NOC team enjoys creating at each conference. The NOC was closed to attendees this year, but was streamed live and available to be viewed from outside of the NOC and at home via their Twitch channel, with presentations from NOC leaders Neil Wyler (@grifter801) and Bart Stump (@thestump3r).

Monitors displaying sponsors at Black Hat

From Russia With Love

Threat hunting is a core mission of the Cisco Secure team, while monitoring the DNS activity for potentially malicious activity. Also, to review the automated malware analysis of samples submitted by RSA NetWitness for maliciousness.

Cisco Secure team at Black Hat

The PAN firewall team observed Russian IP 45[.]146[.]164[.]110. banging around the Registration Server, the key asset we all work to protect.

Firewall Log of Russian Scan

The Cisco threat hunting team investigated the risk in SecureX threat response, which was integrated with 20+ Cisco and partner threat intelligence platforms.

View of SecureX Integrations dashboard

 

Cisco Technologies

3rd Party Technologies

Talos Intelligence alphaMountain.ai Threat Intelligence
Threat Grid (Secure Malware Analytics) APIVoid
Umbrella AbuseIPDB IP Checker
AMP for Endpoints (Secure Endpoint) Akamai
AMP File Reputation AlienVault Open Threat Exchange
AMP Global Intelligence CyberCrime Tracker
Private Intelligence (Threat Grid feeds) Farsight Security DNSDB
SecureX orchestration Palo Alto Networks AutoFocus
Recorded Future
Shodan
Threatscore | Cyberprotect
urlscan.io

With those integrations, we confirmed the malicious reputation from multiple sources and found an associated domain/URL.

View of SecureX Threat Response Investigation Dashboard

Firewall team requested a block for the IP, because it tried a couple of remote code executions attacks and some scans. Cisco Umbrella team also blocked the mastercommunications[.]ru domain, so no devices in the network can connect out. It is rare that we take this step, the only previous time was when a spear phishing attack was sent against our registration laptops in Black Hat Europe 2018.

View of Umbrella Destination Lists page from Black Hat USA NOC 2021

We saw similar attacks from IPs in China and Germany, and the firewall team blocked them in the same manner.

Protecting Attendees from Malware, Cryptomining and Themselves

For the 2nd year (1st in 2019), Black Hat USA, used captured webpage notifications for users who connected to the Black Hat network and were found to be infected with malware, at risk for phishing attack, shared credentials in the clear or were running cryptomining. The notifications were done by moving affected users into a group within the PAN Firewall.

This way, those who are delivering presentations and demos can still reach their attended target, but unaware attendees can be protected.

Black Hat NOC Warning Screen from Black Hat USA NOC 2021

The Umbrella team actively looked for potential threats to the attendees.

Cisco Umbrella Security Activity screen from Black Hat USA NOC 2021

For example, we observed connection to a known phishing site.

SECURITY CATEGORY (PHISHING)
app.nihaocloud[.]com
Event Details (1 of 2)
Date & Time: Aug 5, 2021 at 6:32 AM
Internal IP: 63.231.217.168

Very quickly, we were able to visualize the entire architecture of the phishing infrastructure in SecureX threat response. We notified the firewall team, who added the domain to the captive portal list.

Threat Response screen from nihaocloud phishing site at Black Hat USA NOC 2021

In another example of collaboration, the RSA NetWitness team observed connection to a suspicious domain from an attendee using a Macintosh.

Screen showing code detecting a suspicious domain at Black Hat USA NOC 2021

The Umbrella threat hunting team confirmed the maliciousness and that it would have been blocked in a production environment. The firewall team added the domain to the captive portal list.

Cisco Umbrella Smart Search view from Black Hat USA NOC 2021

Cryptomining appeared on the first day of the Business Hall. We alerted the firewall team, who placed a captive portal for those accessing the domains, so if they wanted to cryptomine then could continue. If they were unaware that their machines were mining, they could take action. The mining stopped.

Report showing detection of cryptomining at Black Hat USA NOC 2021

Malware Analysis

With the lack of classroom training and move to mobile access, no malware samples were observed at Black Hat USA 2021. RSA NetWitness Orchestrator carved the files off the network stream and sent them to Cisco Secure Malware Analytics (Threat Grid). Over the week, 279 samples were sent for analysis.

SecureX Dashboard view from Black Hat USA NOC 2021

However, there was a breach of personal information concerning contract security personnel, sent in a plain text email, with the attachments observed in Threat Grid. This same incident happened in 2019 and the RSA NetWitness team did another full report for remediation.

Employee status reports in SecureX Threat Grid view from Black Hat USA NOC 2021

Aditya on our team made a custom dashboard tile to alert us on Umbrella security events, to reduce the pressure on our analysts to track multiple screens at the same time. Look for a blog from Aditya on how he accomplished this with SecureX orchestration.

SecureX custom dashboard at Black Hat USA

DNS traffic at Record Low

In 2021, we saw ~11 million DNS requests, with the drop in live attendance. In contrast, in 2018 there were about 42.4 million DNS requests on the Black Hat USA network. In 2019, there were 49.6 million requests. About 1,900 would have been blocked in a production environment, as violating security policies.

Umbrella Activity Volume view

It’s an App World

In 2021, over 2,600 different apps connected to the BH network, reflecting the move to mobile. In 2019, about 3,600 apps connected in the same time frame, with five times as much DNS requests.

Umbrella App Discovery view

Umbrella App Discovery view (continued)

With the success of Vegas under our belts, the next focus is Black Hat Europe.

Group photo of Black Hat USA NOC 2021 team

Note: The staff of the NOC were all vaccinated against COVID-19. We wore our masks for the entire Black Hat USA 2021; with this one exception, for a quick photo to see our shiny faces.

Acknowledgements: Special thanks to the Cisco Secure Black Hat NOC team: Jonny Noble, Alejo Calaogan, Christian Clasen and Aditya Sankar; with remote support by Aaron Woland, Ian Redden and Krishan Veer. Also, to our NOC partners RSA (especially the RSA Security team led by Percy Tucker), Palo Alto Networks (especially Lance Knittig), Commscope Ruckus (especially Jim Palmer), Gigamon, IronNet, Lumen and the entire Black Hat / Informa Tech staff (especially Marissa Parker – Queen of the NOC, Steve Fink – Chief Architect, Neil Wyler and Bart Stump).

 


About Black Hat

For more than 20 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia. More information is available at blackhat.com. Black Hat is brought to you by Informa Tech.

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn