Health

Safety Cloud — Cisco Weblog

January 29, 2025
Ibrahim

Cisco is the Official Safety Cloud Supplier for the Black Hat Community Operations Heart (NOC). We work with the opposite official companions to deliver the {hardware}, software program and engineers to construct and safe the community, for our joint buyer: Black Hat

  • Arista: Wired and Wi-fi Community Gear 
  • Corelight: Open Community Detection and Response 
  • Palo Alto Networks: Community Safety and SOC Platform 

This was our 8th 12 months supporting Black Hat Europe and the first mission within the NOC is community resilience. The companions additionally present built-in safety, visibility and automation, a Safety Operations Heart (SOC) contained in the NOC.  

When the companions deploy to every occasion, we arrange a world class community and safety operations heart in a couple of days. Our aim stays community up time and creating higher built-in visibility and automation. Black Hat has the choose of the safety trade instruments and no firm can sponsor/purchase their manner into the NOC. It’s invitation solely, with the intention of range in companions, and an expectation of full collaboration. As a NOC workforce comprised of many applied sciences and corporations, we’re constantly innovating and integrating, to offer an total cybersecurity structure answer. 

Outdoors the NOC accomplice dashboards had been displayed for the attendees to view the quantity and safety of the community visitors.  

The function of Cisco within the Black Hat NOC continues to evolve since we had been invited to accomplice in 2016. Black Hat has limitless entry to the Cisco Safety Cloud and its capabilities. Working with the NOC leaders (Neil “Grifter” Wyler & Bart Stump) and the chief architect (Steve Fink), we examined, deployed and built-in the next applied sciences: 

Breach Safety Suite 

Person Safety Suite 

ThousandEyes: Community visibility 

The NOC leaders allowed Cisco (and the opposite NOC companions) to usher in extra software program to make our inner work extra environment friendly and have larger visibility; nonetheless, Cisco just isn’t the official supplier for Prolonged Detection and Response (XDR), Safety Incident and Occasion Administration (SIEM), Community Detection and Response (NDR), Safety Operations and Automated Response (SOAR) or collaboration.  

To raised help Black Hat, we additionally carried out: 

  • Cisco XDR: Risk Looking / Risk Intelligence Enrichment / Analyst dashboards / Automation with Webex 
  • Splunk Enterprise Safety Cloud: platform for Cisco Safety Cloud knowledge sharing, and with ThousandEyes, Palo Alto Networks and Corelight integrations with Cisco XDR; additionally govt dashboards
  • Splunk Assault Analyzer: Built-in with Safe Malware Analytics
  • Cisco Webex: Incident notification and workforce collaboration

Introducing Cisco Duo and Id Intelligence, by Ryan Maclennan

Cisco Duo is a brand new addition to the Black Hat NOC. We began with a Proof-of-Idea (PoC) in Black Hat Asia 2024 and turned it right into a full deployment at Black Hat Europe. With this deployment, our aim was to create an surroundings the place every accomplice would have a single sign-on (SSO) consumer to log into every product offered by a accomplice. We’d create teams for every consumer, which mapped to being an analyst, administrator or an approver function.

For instance, if we wished to make use of Palo Alto Networks (PANW) XSIAM product, we might log in with our consumer, however they might solely be an analyst and couldn’t make modifications on the platform. Nonetheless, if a PANW admin logged in, they may make modifications as wanted. This was vice versa for them as nicely, the PANW admins can be analysts inside our Cisco merchandise, however we might make modifications as obligatory on our personal merchandise, in coordination and approval of NOC Leaders.  

We had been capable of combine Duo SSO into the next accomplice merchandise: 

  • PANW XSIAM 
  • PANW NGFW 
  • PANW Cortex 
  • PANW Panorama 
  • Corelight Investigator 
  • Arista Cloud Imaginative and prescient 

Most of those integrations had been for on-prem merchandise (not publicly obtainable) and some had been cloud-based, displaying that we’re capable of shield an utility whether or not it’s publicly obtainable or non-public. The Cisco merchandise already had an SSO structure with our company accounts and we’ll transition to the Black Hat SSO infrastructure for Asia 2025. 

After getting all of the Duo purposes setup, we had been capable of begin getting authentication requests into Duo: 

Beneath, you possibly can see all of the purposes we created to combine Duo SSO.

After the purposes had been configured and the customers enrolled in Duo, we had been capable of begin utilizing the brand new Cisco Id Intelligence, from inside Duo. 

Cisco Id Intelligence

Cisco Id intelligence (CII) is an AI-powered answer that bridges the hole between authentication and entry. It permits us to usher in a number of authentication supply logs right into a single entity after which analyze them to find out if a consumer is reliable. CII will give a consumer a belief rating based mostly on geographic location, login instances, Working System (OS), system sorts, variety of login makes an attempt, right and incorrect logins, system belief and plenty of extra criterion. CII takes all these indicators into consideration after which makes belief ranges for every consumer. You may see our belief rating unfold within the beneath screenshot: 

You may see within the screenshot above that there was an untrusted consumer, three impartial, and 9 trusted customers. Lots of the impartial customers had been as a result of CII didn’t have sufficient knowledge to baseline the consumer but and was nonetheless figuring out the way it ought to classify them. The one untrusted consumer was me; as a result of the consumer I used to manage Duo and CII was the identical that I used login with to all the opposite purposes.

Earlier than the London based mostly convention, I used to be administering Duo and CII in the US. I then used a VPN a couple of instances whereas in Europe, so my geography was rapidly altering. These occasions contributed to my ‘Untrusted’ standing, worthy of investigation.

Beneath, we will see the dashboard view of CII, with the short view of data which an administrator could also be considering seeing.

Within the above screenshot, we will see the month-to-month sign-ins and whether or not they had been profitable or not. Additionally, the kind of Multifactor Authentication (MFA) utilized by customers, delicate purposes and the nations the place logins had been tried from. 

Because the Black Hat convention international circuit continues, I’m excited to see the place we will take CII and use its knowledge to higher safe our NOC accomplice merchandise. 

Dynamic Malware Evaluation, by Ryan Maclennan

For Cisco, a core built-in operate within the Black Hat NOC/SOC is offering the platform for our companions to ship suspicious information to Safe Malware Analytics (aka Risk Grid) for dynamic malware evaluation (aka sandboxing). We have now expanded the combination through the years, with each Corelight OpenNDR and Palo Alto Networks Firewalls submitting samples. At Black Hat Europe 2024, over 12,000 supported samples had been submitted. 

The menace hunters additionally used Safe Malware Analytics to research suspicious URLs and information, with out the danger of an infection. Many of the convictions had been on URLs submitted by the NOC analysts. 

At every convention, we see examples of private figuring out data despatched over the community within the clear. One which stood out was a school pupil’s transcript in clear textual content. That is what occurs whenever you use http on port 80 for communications (as an alternative of https). The next particulars of the scholar had been clearly obtainable from the contents downloaded from the self-hosted area: 

  • Title 
  • Date Of Beginning 
  • Social Safety Quantity 
  • Faculty attended and when 

…and that’s all it is advisable craft an identification theft and/or phishing assault on the unassuming pupil. At all times confirm your connection safety! 

Splunk Assault Analyzer

As a PoC at Black Hat USA, we deployed Splunk Assault Analyzer (SAA) as one other malware sandboxing instrument. This was a brand new integration created with the assistance of the Corelight workforce and was made on the spot. This time round in Europe, we had been capable of allow all of SAA’s capabilities and despatched all information to it to match with Safe Malware Analytics. Right here is dashboard abstract of the information analyzed by SAA: 

Taking a look at this we will see the whole quantity of information analyzed by SAA and what was convicted as malicious. Of the convictions we received, we discovered that two had been Phish Kits.   

You’ll have seen that Safe Malware Analytics analyzed 1000’s extra information than SAA. It is because we began to hit a charge restrict, and our SAA occasion didn’t catch it in time.  For the following convention, we will probably be working with Corelight to make the combination extra sturdy to deal with the speed limiting effectively.

In case you missed it, SAA now has Safe Malware Analytics (SMA) as an engine. This implies, whenever you hyperlink your SMA account to SAA, SAA will now ship information to be analyzed by SMA as nicely and use its dedication as a part of its personal scoring.

Prolonged Detection and Automation, by Ivan Berlinson and Aditya Raghavan

The Cisco XDR Command Heart dashboard tiles made it simple to see the standing of every of the related Cisco Safe applied sciences, and the automation workflows iterations over the week. 

Beneath are the Cisco XDR integrations for Black Hat Europe, empowering our menace hunters to research Indicators of Compromise (IOC) in a short time, with one search. 

We respect alphaMountain.ai, Pulsedive and Recorded Future donating full licenses to Cisco, to be used within the Black Hat Europe 2024 NOC. 

The view within the XDR Integrations consumer interface: 

Unleashing the Energy of Cisco XDR Automate at Black Hat Europe

With the ever-evolving technological panorama, automation stands as a cornerstone in attaining XDR outcomes. It’s certainly a testomony to the prowess of Cisco XDR that it boasts a totally built-in, sturdy automation engine.

Cisco XDR Automation embodies a user-friendly, no-to-low code platform with a drag-and-drop workflow editor. This modern function empowers your SOC to hurry up its investigative and response capabilities. You may faucet into this potential by importing workflows throughout the XDR Automate Trade from Cisco, or by flexing your inventive muscle tissue and crafting your personal.

Bear in mind from our previous blogs, we used automation for incident notifications into Webex, in addition to ‘Creating an Incident’ in XDR for Umbrella class blocks. Each these workflows had been spruced up and used extensively at Black Hat Europe 2024. We now see the final replace timestamp proper within the incident title itself and the Webex message, which enormously simplifies the understanding of a detection for our menace hunters.

The next automation workflows had been constructed particularly for Black Hat use instances: 

  1. Cisco SMA Malicious submission – XDR incident and notification 
  2. Cisco SMA – Monitor Non-Malicious paperwork submission 
  3. Palo Alto Networks Firewall – Create Cisco XDR incident – V2 
  4. Splunk – Corelight – Create Cisco XDR incident V2 
  5. Splunk – ThousandEyes – Create XDR create incident V2 
  6. Incident Enrichment – Add Room and Objective 
  7. Palo Alto Risk Logs to Splunk 

In addition to #1 and #3, the remainder of these workflows had been premiered at Black Hat Europe 2024, because of the work and inspiration of Ivan. 

Splunk Enterprise Safety Cloud, by Ivan Berlinson, Aditya Raghavan and Ryan Maclennan

To make our menace hunters’ lives richer with extra context from ours and our companions’ instruments, we introduced in Splunk Enterprise Safety Cloud at this Black Hat occasion to ingest detections from Cisco XDR, Safe Malware Analytics, Umbrella, ThousandEyes, Corelight and Palo Alto Networks and visualize them into useful dashboards for govt reporting. The Splunk Cloud occasion was configured with the next integrations:

  1. Cisco XDR and Cisco Safe Malware Analytics, utilizing the Cisco Safety Cloud app
  2. Cisco Umbrella, utilizing the Cisco Cloud Safety App for Splunk 
  3. ThousandEyes, utilizing the Splunk HTTP Occasion Collector (HEC) 
  4. Corelight, utilizing Splunk HTTP Occasion Collector (HEC) 
  5. Palo Alto Networks, utilizing the Splunk HTTP Occasion Collector (HEC) 

The ingested knowledge for every built-in platform was deposited into their respective indexes. That made knowledge searches for our menace hunters cleaner. Looking for knowledge is the place Splunk shines! You start by merely navigating to Apps > Search and Reporting and typing your search question. You do have to know the Splunk Question Language (SQL) to construct your queries however that’s only a fast tutorial away.  

We discovered our manner by means of wanting on the knowledge and iterating. An instance of a easy seek for acquiring the depend of all alerts from the Suricata engine of Corelight logs is beneath.

The Visualization tab lets you rapidly convert this knowledge into a visible format for previewing. And now, off we went to construct search queries throughout all of the datasets we ingested. These search queries had been then aggregated and visualized into an govt view utilizing Splunk Dashboard Studio. Since we ended up with extra widgets than can slot in a single Government display screen, we utilized the tabbed dashboard function. The next two screenshots present the ultimate dashboards together with callouts for the sources of the assorted widgets. 

The Splunk dashboard in the BH Europe NOC
The Splunk dashboard in the BH Europe NOC

With the constitution for us at Black Hat being a ‘SOC inside a NOC’, the chief dashboards had been reflective of bringing networking and safety reporting collectively. That is fairly highly effective and will probably be expanded in future Black Hat occasions, so as to add extra performance and broaden its utilization as one of many main consoles for our menace hunters in addition to reporting dashboards on the massive screens within the NOC. 

Risk Hunters’ Story, by Ivan Berlinson

In the course of the Black Hat occasion, the NOC opens early earlier than the occasion Registration and closes after the trainings and briefings full for the day. Which means that each menace hunter’s place have to be lined by bodily, uninterrupted presence for about 11 hours per day. Even with the utmost dedication to your function, typically you want a break, and a brand new potential incident doesn’t wait till you’ve completed the earlier one.  

Aditya and I shared the obligations as Risk Hunters staffing the Cisco XDR, Malware Analytics and Splunk Cloud consoles, alternating between morning and afternoon shifts. Although in actuality each of us stayed on a lot of the day as we had a lot enjoyable writing automation workflows and constructing dashboards, apart from finishing up our main obligations. 

An instance of a few of these workflows in motion collectively helped us seek out a possible case of cryptomining within the NOC itself, throughout the early hours of Dec 12! Because of the Corelight and PANW firewalls integrations in XDR, we had ourselves a singular correlated incident, with detections from each companions.  

The workflows I constructed embrace a examine to seek out any open incidents with the property and/or observables in query, to append the detection below course of. If there may be none, it might create a brand new incident. As we will see, the detection from Corelight got here in at 09:40 GMT, adopted by the detection from PANW firewalls a couple of minutes later.  

As new detections had been getting appended into the incident, I rapidly up to date the automation workflows to incorporate a timestamp indicating the final seen sighting for that incident proper within the title. Whereas this won’t be what you’ll do in a manufacturing surroundings, it enormously simplifies the power for our menace hunters to research all of the incidents as they arrive in.

As I investigated the incident, I uncovered one other detection that had are available in simply earlier than, this time the supply of the detection was Umbrella and nearly went below the radar on account of it bearing a decrease precedence rating. This incident got here in by means of the automation workflow used prior to now years. This offered the affirmation of the cryptomining exercise on the endpoint.  

Subsequent query – who is that this 10.X.X.X system? And may they be cryptomining at Black Hat? Thanks to a different automation workflow, with a click on of a Response motion of the Incident Response playbook we had attribution with bodily room title and site throughout the occasion heart from a pre-defined database for the recognized asset within the incident. 

Lo and behold – the asset was in Degree 3, Capital Suite, Room 1 related to the NOC Wi-Fi; proper in the identical room as me! I had constructed one other automation workflow that brings in Corelight and PANW firewall menace detections into Splunk Cloud, by means of which we had been capable of monitor down the system within the room to a MacBook and an MAC deal with.  

Time to faucet on somebody’s shoulder. 

Community Visibility with ThousandEyes, by Jessica Santos, MD Foysol Ferdous, Ryan MacLennan

Black Hat Europe 2024 is the sixth consecutive occasion with a ThousandEyes (TE) deployment. We unfold that visibility throughout core switching, Registration, the Enterprise Corridor, two- and four-day coaching rooms, and Keynote areas. Beneath is Among the {hardware} Black Hat bought for the ThousandEyes brokers. 

We labored with Michael Spicer on the placement of the agent deployment to make sure consultant protection and the categories / frequency of scheduled testing.  

Optimizing Community Monitoring with Thousand Eyes 

We had a dashboard within the NOC, so the leaders and architect might see points in actual time, and ThousandEyes widgets within the Splunk govt dashboard, as seen earlier within the weblog.  

At Black Hat Europe 2024, we had an issue the place the ThousandEyes brokers had been displaying a excessive latency time to Azure. We had been receiving calls about entry to Azure being gradual, however being the proactive NOC we’re, we went forward and investigated what’s inflicting the excessive response time.  

We investigated the Azure Community path that’s recorded by ThousandEyes and located there are three locations the Azure standing portal makes use of.

Two of these locations are exterior of the UK: one in the US and one in Japan. For those who look within the screenshot above, you possibly can see a single purple hyperlink and it may be used for both the US or Japan Azure standing portal. That is the most certainly trigger for the elevated response time we had been seeing apart from the geographic distance. Seeing this, we SSH’ed into one the ThousandEyes brokers and used the HTTP’ing instrument to do an identical take a look at to Azure. Once we ran the take a look at to the Azure portal standing web page, we might see some regular response instances after which many latent response instances. This matched as much as what ThousandEyes reported. This led us to the conclusion that the Azure standing portal workload balances however doesn’t do geographic load balancing. 

With this knowledge, we determined to arduous code the IP of the UK server into the ThousandEyes take a look at to higher signify how attendees will entry Azure.   

ThousandEyes is a really highly effective instrument, and it is ready to decide whether or not the problem resides contained in the community or exterior the place we can not management it. Beneath is a screenshot of what number of completely different community paths can take to a single useful resource. This reveals the significance of having the ability to pinpoint precisely the place a problem is happening. 

Meraki Methods Supervisor, by Paul Fidler and Connor Loughlin

Our fourth 12 months of deploying Meraki Methods Supervisor at Black Hat Europe, because the official Cell Units Administration platform, went very easily. We launched a brand new caching operation to replace iOS gadgets on the native community, for pace and effectivity. Going into the occasion, we deliberate for the next variety of gadgets and functions: 

  • iPhone Lead Scanning Units: 68 
  • iPads for Registration: 9 
  • iPads for Session Scanning: 12 
  • Variety of gadgets deliberate in whole: 89

We registered the gadgets upfront of the occasion. Upon arrival, we turned every system on.  

The Wi-Fi profile that we want for the Black Hat iOS gadgets was not put in. Nonetheless, I introduced a Meraki Z3C, with mobile and Wi-Fi functionality. I’d introduced this as a result of it usually takes a few days to get Wi-Fi down in Registration, the place we arrange the gadgets earlier than deployment. So, inside actually 15 seconds, I’d spun up a brand new SSID, prefixed it with a full cease in order that it appeared on the high of the obtainable Wi-Fi networks, and earlier than the primary iOS system had powered on, the Z3C was broadcasting this. So, with only a handful of seconds toil on every system, we’d received them connecting again to Meraki Dashboard to get the right Wi-Fi profile. 

Extra ache: Location companies

Location companies is a ache level for cellular system administration. Firstly, you have to be certain that Location is NOT skipped on the time of system supervision utilizing Apple Configurator. Which means that it’s an additional step on the time of enrollment (that means half a second of toil), reasonably than having to open settings, scroll all the way down to Privateness, then Location, then flick the toggle. Sadly, this was skipped for the occasion preparation by the contractor, so we needed to allow manually this for every system. 

Location of gadgets is essential for theft retrieval or if the system is misplaced. Location is enabled by opening the System Supervisor app and tapping Location, then Allow, then “While utilizing the appliance.” You may then faucet it once more and click on “At all times enable” which permits for location when the app is within the background. Due to (and that is the place you can find yourself in a heated dialogue) Apple’s stance on privateness, it’s such a disgrace that this may’t be managed. 

Beneath is a fast screenshot of the Z3C consumer dashboard after an hour of the gadgets being turned on. 

Fascinating to see the place the system is looking out to, within the screenshot beneath. 

Utility Updates 

Having purposes up to date in the course of an occasion can have disastrous penalties. While there isn’t an total setting or restriction to stop this, it’s doable to do it on the utility layer. And, in fact, Meraki Methods Supervisor allowed us to do that for all apps on the similar time. 

OS Updates 

I feel this goes with out saying, however the capability to remotely replace gadgets within the occasion of an pressing vulnerability repair is invaluable, like we had final 12 months in Las Vegas with Apple. 

Firewall Guidelines 

The safety of the Registration community is paramount as there may be Private Figuring out Data knowledge on this community. So, now we have some fairly strict inbound and outbound guidelines. 

Managing Apple gadgets requires that 17.0.0.0/8 be saved open for port 80 and 443 visitors. Moreover, Meraki lets you obtain a dynamically created listing of servers that it must be open to in order that endpoints might be managed. However, as we’re utilizing Cisco Umbrella and AMP (Safe Endpoint), there’s an entire host of different endpoints that have to be opened. These are listed right here.  

Content material Caching 

One of many greatest issues affecting the iOS gadgets at previous Black Hat occasions was the rapid have to each replace the iOS system’s OS on account of a patch to repair a zero-day vulnerability and to replace the Black Hat iOS app on the gadgets. On the USA occasions, there are lots of of gadgets, so this was a problem for every to obtain and set up. So, I took the initiative into wanting into Apple’s Content material Caching service constructed into macOS. 

Now, simply to be clear, this wasn’t caching EVERYTHING… Simply Apple App retailer updates and OS updates. 

That is turned on withing System Setting and begins working instantly.  

I’m not going to get into the weeds of setting this up, as a result of there’s a lot to plan for. However I’d recommend that you just begin right here. The setting I did change was: 

I checked to see that we had one level of egress from Black Hat to the Web. Apple doesn’t go into an excessive amount of element as to how this all works, however I’m assuming that the caching server registers with Apple and when gadgets examine in for App retailer / OS replace queries, they’re then instructed the place to look on the community for the caching server. 

Instantly after turning this on, you possibly can see the default settings and metrics: 

% AssetCacheManagerUtil settings
Content material caching settings:


AllowPersonalCaching: true
AllowSharedCaching: true
AllowTetheredCaching: true
CacheLimit: 150 GB
DataPath: /Library/Utility Assist/Apple/AssetCache/Information
ListenRangesOnly: false
LocalSubnetsOnly: true
ParentSelectionPolicy: round-robin
PeerLocalSubnetsOnly: true

And after having this run for a while: 

% AssetCacheManagerUtil settings
Content material caching standing


Activated: true
Energetic: true
ActualCacheUsed: 528.2 MB
CacheDetails: (1)

Different: 528.2 MB

CacheFree: 149.47 GB
CacheLimit: 150 GB
CacheStatus: OK
CacheUsed: 528.2 MB
MaxCachePressureLast1Hour: 0%
Dad and mom: (none)
Friends: (none)
PersonalCacheFree: 150 GB
PersonalCacheLimit: 150 GB
PersonalCacheUsed: Zero KB
Port: 49180
PrivateAddresses: (1)

x.x.x.x

PublicAddress: x.x.x.x
RegistrationStatus: 1
RestrictedMedia: false
ServerGUID: xxxxxxxxxxxxxxxxxx
StartupStatus: OK
TetheratorStatus: 1
TotalBytesAreSince: 2023-12-01 13:35:10
TotalBytesDropped: Zero KB

TotalBytesImported: Zero KB
TotalBytesReturnedToClients: 528.2 MB
TotalBytesStoredFromOrigin: 528.2 MB

Now, helpfully, Apple additionally pop this knowledge periodically right into a database situated at:  

Library/Utility Assist/Apple/AssetCache/Metrics/Metrics.db in a desk referred to as ZMETRICS. 

That is additionally obtainable in Exercise Monitor

And with a small variety of gadgets, you possibly can see how rapidly the server begins decreasing the affect on the WAN. Now, given the above, getting the information from the command line often is painful, particularly within the format that it’s introduced.  

Apple, helpfully, enable to append a –j to the tip of the standing command to current the knowledge in JSON: 

{"title":"standing","end result":{"Activated":true,"Energetic":true,"ActualCacheUsed":2327774501,"CacheDetails":{"iCloud":109949295,"iOS Software program":20800617,"Mac Software program":11984379,"Different":2226505758},"CacheFree":247630759951,"CacheLimit":250000000000,"CacheStatus":"OK","CacheUsed":2369240049,"MaxCachePressureLast1Hour":0,"Dad and mom":[],"Friends":[],"PersonalCacheFree":249890050705,"PersonalCacheLimit":250000000000,"PersonalCacheUsed":109949295,"Port":49181,"PrivateAddresses":["10.10.10.10"],"PublicAddress":"X.X.X.X","RegistrationStatus":1,"RestrictedMedia":false,"ServerGUID":"FDE578EE-XXXX-XXXX-XXXX-102B60869501","StartupStatus":"OK","TetheratorStatus":0,"TotalBytesAreSince":"2024-12-12 11:58:04 +0000","TotalBytesDropped":0,"TotalBytesImported":0,"TotalBytesReturnedToChildren":0,"TotalBytesReturnedToClients":11482694,"TotalBytesReturnedToPeers":0,"TotalBytesStoredFromOrigin":1164874,"TotalBytesStoredFromParents":0,"TotalBytesStoredFromPeers":0}}

ThousandEyes Agent for the Caching Server 

On condition that now we have an Apple MacMini on the Registration community, it was a easy resolution to put in the ThousandEyes macOS agent on it systematically utilizing Meraki Methods Supervisor. 

This may be downloaded from Endpoint Brokers > Agent Settings > Add new Endpoint Agent.

Nonetheless, as I discovered to my detriment, there’s not but a Common installer, so ensure you get your processor structure proper (ARM vs x86!) 

In Meraki Methods Supervisor, we configure the app like this: 

Now, we talked earlier about firewall settings. A System Supervisor customized app might be hosted in two methods: 

  • Hosted by yourself Infra or 
  • Meraki will host it 

For those who’re selecting the latter, simply be conscious that Meraki really hosts it on AWS. Particulars right here

So, just be sure you have the proper AWS occasion open in your firewalls, or host packages your self.  

Checking with the PANW firewall workforce, we decided the caching server saved 5% of the visitors for the week, liberating up bandwidth for coaching and demos. For Black Hat Asia 2025, we plan to discover host Home windows Updates, a big client of bandwidth, on the primary day of coaching and briefings. 

Maintaining with Encrypted DNS, by Christian Clasen and Justin Murphy 

For the previous couple of years, now we have been using the PANW edge firewalls to redirect outbound DNS queries in the direction of our inner resolvers. This closed a spot in coverage and visibility that existed for attendees on the Black Hat occasion. As evidenced by the DNS Statistics charts later within the weblog, the technique paid off with a noticeable soar in noticed queries. However because it so typically goes in expertise (and safety in particular), these kinds of methods can result in an arms race of kinds. 

In those self same years, browser and working system builders have expanded the deployment of encrypted DNS protocols. Along with wrapping DNS in uncooked TLS and HTTPS, extra unique applied sciences are actually within the combine. Chief amongst them is Apple’s implementation of Oblivious DNS over HTTPS (ODoT). The aim of ODoT is to stop the snooping of DNS queries –not simply on the native LAN, but additionally by the DNS suppliers themselves. I offered an outline of this expertise in my “Historical past of DNS Safety” Cisco Stay speak. 

The gist of the ODoH is as follows:  

  • The “first hop” recursive DNS resolver accepts receives the consumer lookup, however the consumer has carried out one thing sneaky to stop this preliminary resolver from figuring out what the area title is that the consumer is in search of. It has wrapped the unique question in an encrypted blob and added a bogus title to the “outer” message.
  • When the recursive resolver sends the question upstream to the authoritative title server for the “bogus” area, the message might be decrypted as a result of that title server is an ODoH-aware server that expects this encrypted message! 
  • The server sees the question data and might recurse the DNS for the reply as regular however is rarely made conscious of the unique consumer IP…it is just servicing the primary recursive resolver as its consumer.

This separation of duties ensures that, within the absence of collusion between the primary and second DNS suppliers, a consumer and its queries can by no means be correlated, and helpful monitoring is rendered not possible. 

Apple implements this structure in its Personal Relay function. Along with all of the privateness options detailed above, Personal Relay makes use of QUIC to move packets to Apple making the communication much more opaque to community operators like us within the Black Hat NOC. The broad deployment of Personal Relay has led to a drop in DNS queries evaluated and logged by Umbrella.  

We introduced our observations and advice to the NOC Leaders, who determined it might be greatest to try to block these protocols (DoT, DoH and Personal Relay) for higher visibility. The morning of final day, we added the coverage to Umbrella. 

We instantly noticed blocks for domains related to Apple’s MASQUE proxies within the exercise search, in addition to these utilized by Android telephones for DoT. The tip consumer expertise was not impacted.  

Over 129k of those blocks occurred from 11:05am to the shutdown at 6pm on the final day, 12 December. 

We’ll proceed this coverage going ahead at different Black Hat occasions and monitor the statistics as common. 

DNS Statistics, by Christian Clasen and Justin Murphy 

We will see the soar in queries on account of compelled DNS redirection on the edge, and the drop as a result of enlargement of Apple Personal Relay (see earlier weblog part for detailed evaluation). 

The highest classes for 2024 (and 2023) are beneath.  

Umbrella tracks the distinctive apps connecting to community. We noticed a marked enhance in GenAI. If wanted, we will block apps that reveal a menace to the convention. 

2021: 2,162 apps 

2022: 4,159 apps  

2023: 4,340 apps 

2024: 4,902 apps 

All in all, we’re very happy with the collaborative efforts made right here at Black Hat Europe by each the Cisco workforce and our companions within the NOC. Nice work all people! 

Black Hat Asia will probably be in April 2025, on the Marina Bay Sands, Singapore…hope to see you there! 

Acknowledgments 

Thanks to the Cisco NOC workforce: 

  • Cisco Safety: Ivan Berlinson, Aditya Raghavan, Christian Clasen, Justin Murphy and Ryan Maclennan 
  • Meraki Methods Supervisor: Paul Fidler and Connor Loughlin
  • ThousandEyes: MD Foysol Ferdous and Jessica Santos
  • Extra Assist and Experience: Tony Iacobelli and Abhishek Sha

Additionally, to our NOC companions Palo Alto Networks (particularly James Holland and Jason Reverri), Corelight (particularly Dustin Lee and Mark Overholser), Arista Networks (particularly Jonathan Smith), and the complete Black Hat / Informa Tech employees (particularly Grifter ‘Neil Wyler’, Bart Stump, Steve Fink, James Pope, Michael Spicer, Jess Stafford and Steve Oldenbourg). 

About Black Hat 

Black Hat is the cybersecurity trade’s most established and in-depth safety occasion collection. Based in 1997, these annual, multi-day occasions present attendees with the most recent in cybersecurity analysis, growth, and traits. Pushed by the wants of the group, Black Hat occasions showcase content material immediately from the group by means of Briefings shows, Trainings programs, Summits, and extra. Because the occasion collection the place all profession ranges and educational disciplines convene to collaborate, community, and focus on the cybersecurity matters that matter most to them, attendees can discover Black Hat occasions in the US, Canada, Europe, Center East and Africa and Asia at: Black Hat.com. Black Hat is delivered to you by Informa Tech. 

We’d love to listen to what you suppose. Ask a Query, Remark Beneath, and Keep Related with Cisco Safe on social!

Cisco Safety Social Channels

Instagram
Fb
Twitter
LinkedIn

Share:


Leave a Reply

Your email address will not be published. Required fields are marked *