Thursday, July 7, 2022
HomeCyber SecurityBlack Hat Asia 2022: Constructing the Community

Black Hat Asia 2022: Constructing the Community

Partially considered one of this situation of our Black Hat Asia NOC weblog, you will see: 

  • From attendee to press to volunteer – coming again to Black Hat as NOC volunteer by Humphrey Cheung 
  • Meraki MR, MS, MX and Methods Supervisor by Paul Fidler 
  • Meraki Scanning API Receiver by Christian Clasen 

Cisco Meraki was requested by Black Hat Occasions to be the Official Wired and Wi-fi Community Gear, for Black Hat Asia 2022, in Singapore, 10-13 Might 2022; along with offering the Cellular System Administration (since Black Hat USA 2021), Malware Evaluation (since Black Hat USA 2016), & DNS (since Black Hat USA 2017) for the Community Operations Middle. We have been proud to collaborate with NOC companions Gigamon, IronNet, MyRepublic, NetWitness and Palo Alto Networks. 

To perform this enterprise in a number of weeks’ time, after the convention had a inexperienced gentle with the brand new COVID protocols, Cisco Meraki and Cisco Safe management gave their full help to ship the mandatory {hardware}, software program licenses and workers to Singapore. 13 Cisco engineers deployed to the Marina Bay Sands Conference Middle, from Singapore, Australia, United States and United Kingdom; with two further distant Cisco engineers from america.

From attendee to press to volunteer – coming again to Black Hat as NOC volunteer by Humphrey Cheung

Loops within the networking world are normally thought of a nasty factor. Spanning tree loops and routing loops occur right away and may wreck your entire day, however over the 2nd week in Might, I made a unique type of loop. Twenty years in the past, I first attended the Black Hat and Defcon conventions – yay Caesars Palace and Alexis Park – a wide-eyed tech beginner who barely knew what WEP hacking, Driftnet picture stealing and session hijacking meant. The group was superb and the friendships and information I gained, springboarded my IT profession.

In 2005, I used to be fortunate sufficient to change into a Senior Editor at Tom’s {Hardware} Information and attended Black Hat as accredited press from 2005 to 2008. From writing in regards to the newest {hardware} zero-days to studying how one can steal cookies from the grasp himself, Robert Graham, I can say, with none doubt, Black Hat and Defcon have been my favourite occasions of the 12 months.

Since 2016, I’ve been a Technical Options Architect at Cisco Meraki and have labored on insanely massive Meraki installations – some with twenty thousand branches and greater than 100 thousand entry factors, so organising the Black Hat community ought to be a bit of cake proper? Heck no, that is not like any community you’ve skilled!

As an attendee and press, I took the Black Hat community without any consideration. To take a phrase that we regularly hear about Cisco Meraki tools, “it simply works”. Again then, whereas I did see entry factors and switches across the present, I by no means actually dived into how the whole lot was arrange.

A critical problem was to safe the wanted {hardware} and ship it in time for the convention, given the worldwide provide chain points. Particular recognition to Jeffry Handal for finding the {hardware} and acquiring the approvals to donate to Black Hat Occasions. For Black Hat Asia, Cisco Meraki shipped:

Let’s begin with availability. iPads and iPhones are scanning QR codes to register attendees. Badge printers want entry to the registration system. Coaching rooms all have their separate wi-fi networks – in any case, Black Hat attendees get a baptism by fireplace on community protection and assault. To prime all of it off, tons of of attendees gulped down terabytes of information by means of the principle convention wi-fi community.

All this connectivity was supplied by Cisco Meraki entry factors, switches, safety home equipment, together with integrations into SecureX, Umbrella and different merchandise. We fielded a literal military of engineers to face up the community in lower than two days… simply in time for the coaching periods on Might 10  to 13th and all through the Black Hat Briefings and Enterprise Corridor on Might 12 and 13.

Let’s speak safety and visibility. For a number of days, the Black Hat community might be one of the crucial hostile on this planet. Attendees be taught new exploits, obtain new instruments and are inspired to check them out. With the ability to drill down on attendee connection particulars and visitors was instrumental on making certain attendees didn’t get too loopy.

On the wi-fi entrance, we made in depth use of our Radio Profiles to scale back interference by tuning energy and channel settings. We enabled band steering to get extra shoppers on the 5GHz bands versus 2.4GHz and watched the Location Heatmap like a hawk searching for hotspots and lifeless areas. Dealing with the barrage of wi-fi change requests – allow or disabling this SSID, shifting VLANs (Digital Native Space Networks), enabling tunneling or NAT mode, – was a snap with the Meraki Dashboard.

Shutting Down a Community Scanner

Whereas the Cisco Meraki Dashboard is extraordinarily highly effective, we fortunately supported exporting of logs and integration in main occasion collectors, such because the NetWitness SIEM and even the Palo Alto firewall. On Thursday morning, the NOC group discovered a probably malicious Macbook Professional performing vulnerability scans towards the Black Hat administration community. It’s a steadiness, as we should permit trainings and demos hook up with malicious web sites, obtain malware and execute. Nonetheless, there’s a Code of Conduct to which all attendees are anticipated to comply with and is posted at Registration with a QR code.

The Cisco Meraki community was exporting syslog and different info to the Palo Alto firewall, and after correlating the info between the Palo Alto Dashboard and Cisco Meraki shopper particulars web page, we tracked down the laptop computer to the Enterprise Corridor.

We briefed the NOC administration, who confirmed the scanning was violation of the Code of Conduct, and the machine was blocked within the Meraki Dashboard, with the instruction to come back to the NOC.

The machine title and placement made it very straightforward to find out to whom it belonged within the convention attendees.

A delegation from the NOC went to the Enterprise Corridor, politely waited for the demo to complete on the sales space and had a considerate dialog with the individual about scanning the community. 😊

Coming again to Black Hat as a NOC volunteer was a tremendous expertise.  Whereas it made for lengthy days with little sleep, I actually can’t consider a greater solution to give again to the convention that helped jumpstart my skilled profession.

Meraki MR, MS, MX and Methods Supervisor by Paul Fidler

With the invitation prolonged to Cisco Meraki to offer community entry, each from a wired and wi-fi perspective, there was a chance to point out the worth of the Meraki platform integration capabilities of Entry Factors (AP), switches, safety home equipment and cellular machine administration.

The primary amongst this was using the Meraki API. We have been capable of import the checklist of MAC addresses of the Meraki MRs, to make sure that the APs have been named appropriately and tagged, utilizing a single supply of fact doc shared with the NOC administration and companions, with the power to replace en masse at any time.

Ground Plan and Location Heatmap

On the primary day of NOC setup, the Cisco group walked across the venue to debate AP placements with the workers of the Marina Bay Sands. While we had a easy Powerpoint exhibiting approximate AP placements for the convention, it was famous that the venue group had an extremely detailed flooring plan of the venue. This was acquired in PDF and uploaded into the Meraki Dashboard; and with somewhat superb tuning, aligned completely with the Google Map.

Meraki APs have been then positioned bodily within the venue assembly and coaching rooms, and very roughly on the ground plan. One of many group members then used a printout of the ground plan to mark precisely the position of the APs. Having the APs named, as talked about above, made this a simple activity (strolling across the venue however!). This enabled correct heatmap functionality.

The Location Heatmap was a brand new functionality for Black Hat NOC, and the shopper knowledge visualized in NOC continued to be of nice curiosity to the Black Hat administration group, resembling which coaching, briefing and sponsor cubicles drew essentially the most curiosity.

SSID Availability

The flexibility to make use of SSID Availability was extremely helpful. It allowed ALL of the entry factors to be positioned inside a single Meraki Community. Not solely that, due to the coaching occasions taking place through the week, in addition to TWO devoted SSIDs for the Registration and lead monitoring iOS units (extra of which later), one for preliminary provisioning (which was later turned off), and one for certificated primarily based authentication, for a really safe connection.

Community Visibility

We have been capable of monitor the variety of linked shoppers, community utilization, the individuals passing by the community and placement analytics, all through the convention days. We supplied visibility entry to the Black Hat NOC administration and the expertise companions (together with full API entry), so they might combine with the community platform.


Meraki alerts are precisely that: the power to be alerted to one thing that occurs within the Dashboard. Default conduct is to be emailed when one thing occurs. Clearly, emails acquired misplaced within the noise, so an online hook was created in SecureX orchestration to have the ability to eat Meraki alerts and ship it to Slack (the messaging platform throughout the Black Hat NOC), utilizing the native template within the Meraki Dashboard. The primary alert to be created was to be alerted if an AP went down. We have been to be alerted after 5 minutes of an AP happening, which is the smallest period of time accessible earlier than being alerted.

The bot was prepared; nevertheless, the APs stayed up your complete time! 

Meraki Methods Supervisor

Making use of the teachings realized at Black Hat Europe 2021, for the preliminary configuration of the convention iOS units, we arrange the Registration iPads and lead retrieval iPhones with Umbrella, Safe Endpoint and WiFi config. Units have been, as in London, initially configured utilizing Apple Configurator, to each supervise and enroll the units into a brand new Meraki Methods Supervisor occasion within the Dashboard.

Nonetheless, Black Hat Asia 2022 provided us a singular alternative to point out off a number of the extra built-in performance.

System Apps have been hidden and varied restrictions (disallow becoming a member of of unknown networks, disallow tethering to computer systems, and so forth.) have been utilized, in addition to a normal WPA2 SSID for the units that the machine vendor had arrange (we gave them the title of the SSID and Password).

We additionally stood up a brand new SSID and turned-on Sentry, which lets you provision managed units with, not solely the SSID info, but additionally a dynamically generated certificates. The certificates authority and radius server wanted to do that 802.1x is included within the Meraki Dashboard robotically! When the machine makes an attempt to authenticate to the community, if it doesn’t have the certificates, it doesn’t get entry. This SSID, utilizing SSID availability, was solely accessible to the entry factors within the Registration space.

Utilizing the Sentry allowed us to simply establish units within the shopper checklist.

One of many alerts generated with SysLog by Meraki, after which viewable and correlated within the NetWitness SIEM, was a ‘De Auth’ occasion that got here from an entry level. While we had the IP handle of the machine, making it straightforward to seek out, as a result of the occasion was a de auth, which means 802.1x, it narrowed down the units to JUST the iPads and iPhones used for registration (as all different entry factors have been utilizing WPA2). This was additional enhanced by seeing the certificates title used within the de-auth:

Together with the certificates title was the title of the AP: R**

System Location

One of many inherent issues with iOS machine location is when units are used indoors, as GPS indicators simply aren’t robust sufficient to penetrate fashionable buildings. Nonetheless, as a result of the correct location of the Meraki entry factors was positioned on the ground plan within the Dashboard, and since the Meraki Methods Supervisor iOS units have been in the identical Dashboard group because the entry factors, we acquired to see a way more correct map of units in comparison with Black Hat Europe 2021 in London.

When the convention Registration closed on the final day and the Enterprise Corridor Sponsors all returned their iPhones, we have been capable of remotely wipe the entire units, eradicating all attendee knowledge, previous to returning to the machine contractor.

Meraki Scanning API Receiver by Christian Clasen

Leveraging the ubiquity of each WiFi and Bluetooth radios in cellular units and laptops, Cisco Meraki’s wi-fi entry factors can detect and supply location analytics to report on consumer foot visitors conduct. This may be helpful in retail situations the place prospects want location and motion knowledge to raised perceive the tendencies of engagement of their bodily shops.

Meraki can mixture real-time knowledge of detected WiFi and Bluetooth units and triangulate their location quite exactly when the floorplan and AP placement has been diligently designed and documented. On the Black Hat Asia convention, we made certain to correctly map the AP places rigorously to make sure the best accuracy attainable.

This scanning knowledge is obtainable for shoppers whether or not they’re related to the entry factors or not. On the convention, we have been capable of get very detailed heatmaps and time-lapse animations representing the motion of attendees all through the day. This knowledge is effective to convention organizers in figuring out the recognition of sure talks, and the attendance at issues like keynote displays and foot visitors at cubicles.

This was nice for monitoring through the occasion, however the Dashboard would solely present 24-hours of scanning knowledge, limiting what we may do when it got here to long-term knowledge evaluation. Fortuitously for us, Meraki affords an API service we are able to use to seize this treasure trove offline for additional evaluation. We solely wanted to construct a receiver for it.

The Receiver Stack

The Scanning API requires that the shopper arise infrastructure to retailer the info, after which register with the Meraki cloud utilizing a verification code and secret. It’s composed of two endpoints:

  1. Validator

Returns the validator string within the response physique

[GET] https://yourserver/

This endpoint is named by Meraki to validate the receiving server. It expects to obtain a string that matches the validator outlined within the Meraki Dashboard for the respective community.

  1. Receiver

Accepts an commentary payload from the Meraki cloud

[POST] https://yourserver/

This endpoint is accountable for receiving the commentary knowledge supplied by Meraki. The URL path ought to match that of the [GET] request, used for validation.

The response physique will include an array of JSON objects containing the observations at an mixture per community stage. The JSON might be decided primarily based on WiFi or BLE machine observations as indicated within the sort parameter.

What we wanted was a easy expertise stack that will include (at minimal) a publicly accessible net server able to TLS. In the long run, the only implementation was an online server written utilizing Python Flask, in a Docker container, deployed in AWS, linked by means of ngrok.

In fewer than 50 strains of Python, we may settle for the inbound connection from Meraki and reply with the chosen verification code. We’d then hear for the incoming POST knowledge and dump it into an area knowledge retailer for future evaluation. Since this was to be a short lived answer (the period of the four-day convention), the considered registering a public area and configuring TLS certificates wasn’t significantly interesting. A wonderful answer for a majority of these API integrations is ngrok ( And a helpful Python wrapper was accessible for easy integration into the script (

We wished to simply re-use this stack subsequent time round, so it solely made sense to containerize it in Docker. This manner, the entire thing could possibly be stood up on the subsequent convention, with one easy command. The picture we ended up with would mount an area quantity, in order that the ingested knowledge would stay persistent throughout container restarts.

Ngrok allowed us to create a safe tunnel from the container that could possibly be linked within the cloud to a publicly resolvable area with a trusted TLS certificates generated for us. Including that URL to the Meraki Dashboard is all we wanted to do begin ingesting the huge treasure trove of location knowledge from the Aps – almost 1GB of JSON over 24 hours.

This “fast and soiled” answer illustrated the significance of interoperability and openness within the expertise area when enabling safety operations to collect and analyze the info they require to watch and safe occasions like Black Hat, and their enterprise networks as properly. It served us properly through the convention and will definitely be used once more going ahead.

Take a look at half two of the weblog, Black Hat Asia 2022 Continued: Cisco Safe Integrations, the place we’ll focus on integrating NOC operations and making your Cisco Safe deployment simpler:

  • SecureX: Bringing Risk Intelligence Collectively by Ian Redden
  • System sort spoofing occasion by Jonny Noble
  • Self Service with SecureX Orchestration and Slack by Matt Vander Horst
  • Utilizing SecureX sign-on to streamline entry to the Cisco Stack at Black Hat by Adi Sankar
  • Future Risk Vectors to Take into account – Cloud App Discovery by Alejo Calaoagan
  • Malware Risk Intelligence made straightforward and accessible, with Cisco Safe Malware Analytics and SecureX by Ben Greenbaum

Acknowledgements: Particular because of the Cisco Meraki and Cisco Safe Black Hat NOC group: Aditya Sankar, Aldous Yeung, Alejo Calaoagan, Ben Greenbaum, Christian Clasen, Felix H Y Lam, George Dorsey, Humphrey Cheung, Ian Redden, Jeffrey Chua, Jeffry Handal, Jonny Noble, Matt Vander Horst, Paul Fidler and Steven Fan.

Additionally, to our NOC companions NetWitness (particularly David Glover), Palo Alto Networks (particularly James Holland), Gigamon, IronNet (particularly Invoice Swearington), and your complete Black Hat / Informa Tech workers (particularly Grifter ‘Neil Wyler’, Bart Stump, James Pope, Steve Fink and Steve Oldenbourg).

About Black Hat

For greater than 20 years, Black Hat has supplied attendees with the very newest in info safety analysis, growth, and tendencies. These high-profile world occasions and trainings are pushed by the wants of the safety group, striving to convey collectively the perfect minds within the business. Black Hat evokes professionals in any respect profession ranges, encouraging development and collaboration amongst academia, world-class researchers, and leaders in the private and non-private sectors. Black Hat Briefings and Trainings are held yearly in america, Europe and Asia. Extra info is obtainable at: Black Hat is dropped at you by Informa Tech.

We’d love to listen to what you assume. Ask a Query, Remark Beneath, and Keep Linked with Cisco Safe on social!

Cisco Safe Social Channels





Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments