Saturday, August 20, 2022

Black Hat Asia 2022 Continued: Cisco Secure Integrations


In part one of our Black Hat Asia 2022 NOC blog, we discussed building the network with Meraki:

  • From attendee to press to volunteer – coming back to Black Hat as NOC volunteer by Humphrey Cheung
  • Meraki MR, MS, MX and Systems Manager by Paul Fidler
  • Meraki Scanning API Receiver by Christian Clasen

In this part two, we will discuss:

  • SecureX: Bringing Threat Intelligence Together by Ian Redden
  • Device type spoofing event by Jonny Noble
  • Self Service with SecureX Orchestration and Slack by Matt Vander Horst
  • Using SecureX sign-on to streamline access to the Cisco Stack at Black Hat by Adi Sankar
  • Future Threat Vectors to Consider – Cloud App Discovery by Alejo Calaoagan
  • Malware Threat Intelligence made easy and accessible, with Cisco Secure Malware Analytics and SecureX by Ben Greenbaum

SecureX: Bringing Threat Intelligence Together by Ian Redden

In addition to the Meraki networking gear, Cisco Secure also shipped two Umbrella DNS virtual appliances to Black Hat Asia, for internal network visibility with redundancy, in addition to providing:

  • Cisco Secure Threat Intelligence (correlated through SecureX)
  • Donated Partner Threat Intelligence (correlated through SecureX)
  • Open-Source Threat Intelligence (correlated through SecureX)

Continued Integrations from past Black Hat events

  • NetWitness PCAP file carving and submission to Cisco Secure Malware Analytics (formerly Threat Grid) for analysis

New Integrations Created at Black Hat Asia 2022

  • SecureX threat response and NetWitness SIEM: Sightings in investigations
  • SecureX orchestration workflows for Slack that enabled:
    • Administrators to block a device by MAC address for violating the conference Code of Conduct
    • NOC members to query Meraki for information about network devices and their clients
    • NOC members to update the VLAN on a Meraki switchport
    • NOC members to query Palo Alto Panorama for user information
    • Notification if an AP went down
  • NetWitness SIEM integration with Meraki syslogs
  • Palo Alto Panorama integration with Meraki syslogs
  • Palo Alto Cortex XSOAR integration with Meraki and Umbrella

Device type spoofing event by Jonny Noble

Overview

During the conference, a NOC partner informed us that they had received an alert from May 10 concerning an endpoint client that accessed two domains they considered malicious:

  • legendarytable[.]com
  • drakefollow[.]com

Client details from the partner:

  • Private IP: 10.XXX.XXX.XXX
  • Client name: LAPTOP-8MLGDXXXX
  • MAC: f4:XX:XX:XX:XX:XX
  • User agent for detected incidents: Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_2 like Mac OS X) AppleWebKit/602.2.8 (KHTML, like Gecko) Version/11.0 Mobile/14B55c Safari/602.1

Based on the user agent, the partner concluded that the device type was an Apple iPhone.

SecureX analysis

  • legendarytable[.]com → Judgement of Suspicious by alphaMountain.ai
  • drakefollow[.]com → Judgement of Malicious by alphaMountain.ai

Umbrella Investigate analysis

Umbrella Investigate rates both domains as low risk; both were registered recently in Poland and both are hosted on the same IP:

Despite the low-risk score, the nameservers have high counts of associated malicious domains:

Targeting users in ASA, UK, and Nigeria:

Meraki analysis

Based on the time of the incident, we can trace the device's location from its IP address. This is thanks to the effort we invested in mapping out the exact location of every Meraki AP we deployed across the convention center, with an overlay of the event map covering the area of the event:

  • Access Point: APXX
  • Room: Orchid Ballroom XXX
  • Training course at that time in that location: "Web Hacking Black Belt Edition"

Further analysis and conclusions

The device name (LAPTOP-8MLGXXXXXX) and the MAC address seen (f4:XX:XX:XX:XX:XX) both matched between the partner and Meraki, so there was no question that we were analyzing the same device.

Based on the user agent captured by the partner, the device type was an Apple iPhone. However, Meraki was reporting the device and its OS as "Intel, Android".

A quick lookup of the MAC address showed that the OUI (organizationally unique identifier) f42679 belongs to Intel Malaysia, making it unlikely that this was an Apple iPhone.

The description of the training "Web Hacking Black Belt Edition" can be seen here:

https://www.blackhat.com/asia-22/training/schedule/#web-hacking-black-belt-edition–day-25388

It is highly likely that the training content included the use of tools and techniques for spoofing the user agent or device type.

There is also a high probability that the two domains observed were used as part of the training exercise, rather than being part of a live attack.

Integrating the Cisco technologies used in this investigation (Meraki wireless infrastructure, SecureX, Umbrella, Investigate), together with the close partnership and collaboration of our NOC partners, put us where we needed to be and gave us the tools to swiftly collect the data, join the dots, draw conclusions, and bring the incident to closure.

Self Service with SecureX Orchestration and Slack by Matt Vander Horst

Overview

Since Meraki was a new platform for much of the NOC's staff, we wanted to make information easier to gather and enable a certain amount of self-service. Because the Black Hat NOC uses Slack for messaging, we decided to create a Slack bot that NOC staff could use to interact with the Meraki infrastructure as well as Palo Alto Panorama, using the SecureX Orchestration remote appliance. When users communicate with the bot, webhooks are sent to Cisco SecureX Orchestration, which does the work on the back end and sends the results back to the user.

Design

Right here’s how this integration works:

  1. When a Slack person triggers a ‘/’ “slash command” or different kind of interplay, a webhook is distributed to SecureX Orchestration. Webhooks set off orchestration workflows which may do any variety of issues. On this case, we’ve two completely different workflows: one to deal with slash instructions and one other for interactive parts akin to kinds (extra on the workflows later).
  2. As soon as the workflow is triggered, it makes the mandatory API calls to Meraki or Palo Alto Panorama relying on the command issued.
  3. After the workflow is completed, the outcomes are handed again to Slack utilizing both an API request (for slash instructions) or webhook (for interactive parts).
  4. The person is introduced with the outcomes of their inquiry or the motion they requested.

Workflow #1: Handle Slash Commands

Slash commands are a special type of message built into Slack that let users interact with a bot. When a Slack user executes a slash command, the command and its arguments are sent to SecureX Orchestration, where a workflow handles the command. The table below summarizes the slash commands our bot supported for Black Hat Asia 2022:

Here's a sample of a portion of the SecureX Orchestration workflow that powers the above commands:

And here's a sample of firewall logs as returned from the "/pan_traffic_history" command:

Workflow #2: Handle Interactivity

A more advanced form of user interaction comes in the form of Slack blocks. Instead of including a command's arguments in the command itself, you can execute the command and Slack will present you with a form to complete, like this one for the "/update_vlan" command:

These forms are much more user friendly and allow information to be pre-populated for the user. In the example above, the user can simply select the switch to configure from a drop-down list instead of having to enter its name or serial number. When the user submits one of these forms, a webhook is sent to SecureX Orchestration to execute a workflow. The workflow takes the requested action and sends a confirmation back to the user:

Conclusion

While these two workflows only scratched the surface of what can be done with SecureX Orchestration webhooks and Slack, we now have a foundation that can easily be expanded going forward. We can add more commands and new forms of interactivity, and continue to enable NOC staff to get the information they need and take necessary action. The goal of orchestration is to make life simpler, whether by automating our interactions with technology or by making those interactions easier for the user.
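The request path in steps 1 and 2 above, as an added example of mine rather than the NOC's SecureX Orchestration workflow: the webhook target must first prove the request really came from Slack (Slack signs each request with an HMAC-SHA256 over a version prefix, the request timestamp and the raw body, keyed with the app's signing secret), reject stale timestamps, and only then parse the slash command and decide, per command and per user, which Meraki Dashboard API call to make. The signing secret, the administrator user-ID allowlist, the command names and the request body are constructed for this example; the Dashboard API paths are as I understand the v1 API and should be checked against the documentation before use. Nothing is sent to Meraki; the handler returns the call it would make.

```python
"""Added example: the receiving side of a Slack slash command, as a SecureX
Orchestration webhook workflow would need it: authenticate the request, parse
the command, then translate it into the Meraki Dashboard API call to make."""
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs

SIGNING_SECRET = "constructed-example-secret"  # the Slack app's signing secret in reality
VLAN_ADMINS = {"U0NOCADMIN"}  # hypothetical Slack user IDs allowed to change VLANs
MAX_SKEW = 300  # seconds; reject timestamps older than this to blunt replay


def slack_signature(secret, timestamp, body):
    """Slack's request signature: HMAC-SHA256 over 'v0:<ts>:<raw body>'."""
    basestring = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret.encode(), basestring, hashlib.sha256).hexdigest()


def verify_slack_request(secret, headers, body, now=None):
    """True only if the signature matches and the timestamp is fresh."""
    ts = headers.get("X-Slack-Request-Timestamp", "")
    sig = headers.get("X-Slack-Signature", "")
    if not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW:
        return False  # stale or replayed
    return hmac.compare_digest(slack_signature(secret, ts, body), sig)


def build_meraki_call(command, args, user_id):
    """Map a slash command to (method, path, json) for the Meraki Dashboard API v1.
    Paths are as I understand the Dashboard API (check them against your tenant's
    docs); nothing is sent from here."""
    if command == "/meraki_clients":
        if len(args) != 1:
            raise ValueError("usage: /meraki_clients <networkId>")
        return ("GET", f"/networks/{args[0]}/clients", None)
    if command == "/update_vlan":
        if user_id not in VLAN_ADMINS:
            raise PermissionError(f"{user_id} is not allowed to change VLANs")
        if len(args) != 3:
            raise ValueError("usage: /update_vlan <serial> <port> <vlan>")
        serial, port, vlan = args
        # Only safe characters may be interpolated into the API path.
        if not re.fullmatch(r"[A-Za-z0-9-]+", serial) or not re.fullmatch(r"[A-Za-z0-9_]+", port):
            raise ValueError("serial or port contains unexpected characters")
        if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
            raise ValueError("VLAN must be an integer between 1 and 4094")
        return ("PUT", f"/devices/{serial}/switch/ports/{port}", {"vlan": int(vlan)})
    raise ValueError(f"unknown command {command}")


def handle_slash_command(secret, headers, body, now=None):
    """What the webhook target does per request: verify, parse, dispatch."""
    if not verify_slack_request(secret, headers, body, now):
        return {"ok": False, "error": "request signature check failed"}
    form = parse_qs(body)  # slash commands arrive as application/x-www-form-urlencoded
    command = form.get("command", [""])[0]
    args = form.get("text", [""])[0].split()
    user_id = form.get("user_id", [""])[0]
    try:
        method, path, payload = build_meraki_call(command, args, user_id)
    except (ValueError, PermissionError) as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "method": method, "path": path, "json": payload}


if __name__ == "__main__":
    # Constructed request: what Slack would POST for "/update_vlan Q2XX-1234-ABCD 5 100".
    body = "command=%2Fupdate_vlan&text=Q2XX-1234-ABCD+5+100&user_id=U0NOCADMIN"
    ts = str(int(time.time()))
    headers = {"X-Slack-Request-Timestamp": ts,
               "X-Slack-Signature": slack_signature(SIGNING_SECRET, ts, body)}
    print(handle_slash_command(SIGNING_SECRET, headers, body))
```

Two choices are deliberate. The serial and port are restricted to safe characters before being interpolated into the API path, so a crafted argument cannot steer the call to a different endpoint. And the VLAN change checks the Slack user against an allowlist even though the signature already proves the request came from the workspace: a slash command can be typed by anyone in the channel, and "any NOC member may look things up" and "may reconfigure switch ports" are different audiences.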

Future Threat Vectors to Consider – Cloud App Discovery by Alejo Calaoagan

Since 2017 (starting at Black Hat USA – Las Vegas), Cisco Umbrella has provided DNS security to the Black Hat attendee network, adding layers of traffic visibility not seen before. Our efforts have largely been successful, identifying thousands of threats over the years and mitigating them via Umbrella's blocking capabilities when necessary. This was taken a step further at Black Hat London 2021, where we introduced our Virtual Appliances to provide source IP attribution for the devices making requests.

Here at Black Hat Asia 2022, we've been noodling on more ways to provide advanced protection for future shows, and it starts with Umbrella's Cloud Application Discovery feature, which identified 2,286 unique applications accessed by users on the attendee network across the four-day conference. In a snapshot from a single day of the show, Umbrella captured 572,282 DNS requests from all cloud apps, with over 42,000 posing either high or very high risk.

Digging deeper into the data, we see not only the types of apps being accessed…

…but also the apps themselves…

…and we can flag apps that look suspicious.

We also include risk breakdowns by category…

…and drill-downs on each.

While this data alone won't provide enough information to take action, including it in analysis, as we have been doing, could open a window onto new threat vectors that previously went unseen. For example, if we identify a compromised device infected with malware, or a device attempting to access restricted resources on the network, we can dig deeper into the types of cloud apps those devices are using and correlate that with the suspicious request activity, potentially uncovering tools we should be blocking in the future.

I can’t say for sure how a lot this additional knowledge set will assist us uncover new threats, however, with Black Hat USA simply across the nook, we’ll discover out quickly.

Using SecureX sign-on to streamline access to the Cisco Stack at Black Hat by Adi Sankar

From five years ago to now, Cisco has greatly expanded its presence at Black Hat to include a multitude of products. Of course, sign-on was simple when it was just one product (Secure Malware Analytics) and one user logging in. When it came time to add a new technology to the stack, it was added separately as a standalone product with its own method of logging in. As the number of products increased, so did the number of Cisco staff at the conference to support them. Sharing usernames and passwords became tedious, not to mention insecure, especially with 15 Cisco staff, plus partners, accessing the platforms.

The Cisco Secure stack at Black Hat includes SecureX, Umbrella, Malware Analytics, Secure Endpoint (iOS Clarity), and Meraki. All of these technologies natively support SAML SSO with SecureX sign-on. This means each of our Cisco staff members can have an individual SecureX sign-on account to log into the various consoles, which gives us better role-based access control, better audit logging and an overall better login experience. With SecureX sign-on we can log into all the products while typing a password only once and approving one Cisco Duo Multi-Factor Authentication (MFA) push.

How does this magic work behind the scenes? It's actually rather simple to configure SSO for each of the Cisco technologies, since they all support SecureX sign-on natively. First and foremost, you must set up a new SecureX org by creating a SecureX sign-on account, creating a new organization and integrating at least one Cisco technology. In this case I created a new SecureX organization for Black Hat and added the Secure Endpoint module, the Umbrella module, the Meraki Systems Manager module and the Secure Malware Analytics module. Then, from Administration → Users in SecureX, I sent an invitation to the Cisco staffers who would be attending the conference, containing a link to create their account and join the Black Hat SecureX organization. Next, let's take a look at the individual product configurations.

Meraki:

In the Meraki organization settings, enable SecureX sign-on. Then, under Organization → Administrators, add a new user and specify SecureX sign-on as the authentication method. Meraki even allows you to restrict users to particular networks and set permission levels for those networks. Accepting the email invitation is easy, since the user should already be logged into their SecureX sign-on account. Now logging into Meraki only requires an email address, with no password and no additional Duo push.

Umbrella:

Under Admin → Authentication, configure SecureX sign-on; this requires a test login to ensure you can still log in before SSO is used for authentication to Umbrella. There is no need to configure MFA in Umbrella, since SecureX sign-on comes with built-in Duo MFA. Existing users, and any new users added in Umbrella under Admin → Accounts, will now use SecureX sign-on to log into Umbrella. Logging into Umbrella is now a seamless launch from the SecureX dashboard or from the SecureX ribbon in any of the other consoles.

Secure Malware Analytics:

A Secure Malware Analytics organization admin can create new users in their Threat Grid tenant. This username is unique to Malware Analytics, but it can be associated with a SecureX sign-on account to take advantage of the seamless login flow. From the email invitation, the user creates a password for their Malware Analytics user and accepts the EULA. Then, in the top right under My Malware Analytics Account, the user has an option to connect their SecureX sign-on account, which is a one-click process if already signed in with SecureX sign-on. Now when a user navigates to the Malware Analytics login page, simply clicking "Login with SecureX Sign-On" will grant them access to the console.

Secure Endpoint:

The Secure Endpoint deployment at Black Hat is limited to iOS Clarity through Meraki Systems Manager for the conference iOS devices. Most of the asset information we need about the iPhones/iPads is brought in through the SecureX Device Insights inventory. However, for initial configuration and to view device trajectory it is necessary to log into Secure Endpoint. A new Secure Endpoint account can be created under Accounts → Users, and an invitation is sent to the corresponding email address. Accepting the invite is a smooth process since the user is already signed in with SecureX sign-on. Privileges for the user in the Endpoint console can be granted from within the user account.

Conclusion:

To sum it all up, SecureX sign-on is the standard for the Cisco stack moving forward. With a new SecureX organization instantiated using SecureX sign-on, any new users of the Cisco stack at Black Hat will be using SecureX sign-on. SecureX sign-on has made our user management much more secure as we've expanded our presence at Black Hat. It provides a unified login mechanism for all the products and has modernized our login experience at the conference.

Malware Threat Intelligence made easy and accessible, with Cisco Secure Malware Analytics and SecureX by Ben Greenbaum

I'd gotten used to people's reactions upon seeing SecureX in use for the first time. A few times at Black Hat, a small audience gathered just to watch us effortlessly correlate data from multiple threat intelligence repositories and several security sensor networks in just a few clicks in a single interface, for rapid sequencing of events and an intuitive understanding of security events, situations, causes, and consequences. You've already read about a few of these scenarios above. Here is just one example of SecureX automatically putting together a chronological history of observed network events detected by products from two vendors (Cisco Umbrella and NetWitness). The participation of NetWitness in this and all of our other investigations was made possible by our open architecture, available APIs and API specifications, and the creation of the NetWitness module described above.

In addition to the traffic and online activities of hundreds of user devices on the network, we were responsible for monitoring a handful of Black Hat-owned devices as well. SecureX Device Insights made it easy to access information about these assets, either en masse or as required during an ongoing investigation. iOS Clarity for Secure Endpoint and Meraki Systems Manager both contributed to this useful tool, which adds business intelligence and asset context to SecureX's native event and threat intelligence, for more complete and more actionable security intelligence overall.

SecureX is made possible by dozens of integrations, each bringing its own unique information and capabilities. This time though, for me, the star of the SecureX show was our malware analysis engine, Cisco Secure Malware Analytics (CSMA). Shortly before Black Hat Asia, the CSMA team released a new version of their SecureX module. SecureX can now query CSMA's database of malware behavior and activity, including all related indicators and observables, as an automated part of the regular process of any investigation performed in SecureX Threat Response.

This capability is most useful in two scenarios:

1: determining whether suspicious domains, IPs and files reported by any other technology were observed in the analysis of any of the millions of publicly submitted file samples, or of our own.
2: rapidly gathering more context about files submitted to the analysis engine by the integrated products in the Black Hat NOC.

The first was a significant time saver in several investigations. In the example below, we received an alert about connections to a suspicious domain. In that scenario, our first course of action is to investigate the domain and any other observables reported with it (typically the internal and public IPs included in the alert). Thanks to the new CSMA module, we immediately discovered that the domain had a history of being contacted by a variety of malware samples from multiple families. That information, corroborated by automatically gathered reputation data about each of those files from multiple sources, gave us an immediate next direction to investigate as we hunted for evidence of those files being present in network traffic, or of any traffic to other C&C resources known to be used by those families. Going from the first alert to a robust, data-driven set of related indicators to look for took only minutes, including input from SecureX partner Recorded Future, who donated a full threat intelligence license to the Black Hat NOC.

The other scenario, investigating files submitted for analysis, came up less frequently, but when it did, the CSMA/SecureX integration was equally impressive. We could rapidly, nearly instantly, look for evidence of any of our analyzed samples in the environment across all other deployed SecureX-compatible technologies. That evidence was not limited to the hash itself, but included any of the network resources or dropped payloads associated with the sample as well, easily identifying local targets that had perhaps not seen the exact variant submitted, but had nonetheless been in contact with that sample's command and control infrastructure or other related artifacts.

And of course, thanks to the presence of the ribbon in the CSMA UI, we could be even more efficient and do this with multiple samples at once.
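The pivot described in these two scenarios, as an added example of my own rather than the SecureX or CSMA module's code: take the infrastructure and payloads a sandbox report attributes to a sample (or to several samples at once), hunt for any of them across sightings from two sensors, and order the hits in time. The report and the sightings are constructed and their field names are a simplification of mine, not the product schemas; the hashes, domains and addresses are placeholders.

```python
"""Added example: pivot from what a malware sample did in the sandbox to what
touched that infrastructure on our network, across sensors, in time order."""
from datetime import datetime, timezone

# Constructed sandbox verdict for one submitted sample. Field names are my own
# simplification, not the CSMA/SecureX schema.
SAMPLE_REPORT = {
    "sha256": "a" * 64,              # hypothetical hash of the submitted sample
    "family": "ExampleLoader",
    "contacted_domains": ["c2.example-bad.test", "Update.Example-Bad.test"],
    "contacted_ips": ["203.0.113.7"],
    "dropped_sha256": ["b" * 64],    # hypothetical second-stage payload
}

# Constructed sightings from two sensors (Umbrella DNS, NetWitness), unordered
# as they would arrive from separate modules. Times are UTC.
SIGHTINGS = [
    {"source": "Umbrella", "time": "2022-05-10T03:14:00Z", "host": "10.1.5.21",
     "type": "domain", "value": "c2.example-bad.test"},
    {"source": "NetWitness", "time": "2022-05-10T03:13:40Z", "host": "10.1.5.21",
     "type": "ip", "value": "203.0.113.7"},
    {"source": "NetWitness", "time": "2022-05-10T04:02:11Z", "host": "10.1.5.30",
     "type": "sha256", "value": "B" * 64},
    {"source": "Umbrella", "time": "2022-05-10T05:00:00Z", "host": "10.1.5.40",
     "type": "domain", "value": "www.example.test"},
]


def indicators_from_report(report):
    """The hunt set: the sample itself, plus the infrastructure it talked to and
    the payloads it dropped. Normalised so case differences cannot hide hits."""
    indicators = {("sha256", report["sha256"].lower())}
    indicators |= {("domain", d.lower()) for d in report["contacted_domains"]}
    indicators |= {("ip", ip) for ip in report["contacted_ips"]}
    indicators |= {("sha256", h.lower()) for h in report["dropped_sha256"]}
    return indicators


def indicators_from_reports(reports):
    """Several samples at once (the ribbon scenario above): union of hunt sets."""
    return set().union(*(indicators_from_report(r) for r in reports))


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt(sightings, indicators):
    """Matching sightings across all sources in chronological order, plus the
    affected hosts with the indicators each one touched."""
    hits = [s for s in sightings if (s["type"], s["value"].lower()) in indicators]
    hits.sort(key=lambda s: parse_time(s["time"]))
    hosts = {}
    for s in hits:
        hosts.setdefault(s["host"], []).append(s["value"].lower())
    return hits, hosts


if __name__ == "__main__":
    timeline, affected = hunt(SIGHTINGS, indicators_from_report(SAMPLE_REPORT))
    for s in timeline:
        print(s["time"], s["source"], s["host"], s["type"], s["value"])
    print(affected)
```

On the constructed data the interesting host is 10.1.5.30: it never touched the submitted sample's hash, only the dropped payload, so a hunt limited to the original hash would have missed it, which is exactly the point the paragraph above makes about related artifacts.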

SecureX greatly increased the efficiency of our small volunteer team, and certainly made it possible for us to investigate more alerts and events, and hunt for more threats, all more thoroughly than we could have without it. SecureX really took this team to the next level, by augmenting and operationalizing the tools and the staff we had at our disposal.

We look forward to seeing you at Black Hat USA in Las Vegas, 6-11 August 2022!

Acknowledgements: Special thanks to the Cisco Meraki and Cisco Secure Black Hat NOC team: Aditya Sankar, Aldous Yeung, Alejo Calaoagan, Ben Greenbaum, Christian Clasen, Felix H Y Lam, George Dorsey, Humphrey Cheung, Ian Redden, Jeffrey Chua, Jeffry Handal, Jonny Noble, Matt Vander Horst, Paul Fidler and Steven Fan.

Also, to our NOC partners NetWitness (especially David Glover), Palo Alto Networks (especially James Holland), Gigamon, IronNet (especially Bill Swearington), and the entire Black Hat / Informa Tech staff (especially Grifter 'Neil Wyler', Bart Stump, James Pope, Steve Fink and Steve Oldenbourg).

About Black Hat

For more than 20 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia. More information is available at: blackhat.com. Black Hat is brought to you by Informa Tech.
