What an experience to be attending the first major cybersecurity conference since the lockdowns of the COVID-19 pandemic.
Cisco Secure returned as a supporting partner of the Black Hat USA 2021 Network Operations Center (NOC) for the 5th year; joining conference producer Informa Tech and its other security partners. Like other Black Hat conferences, the mission of the NOC is to build a conference network that is secure, stable and accessible for the training events, briefings, sponsors and attendees. This requires a robust connection to the Internet (Lumen and Gigamon), firewall protection (Palo Alto Networks), segmented wireless network (Commscope Ruckus) and network full packet capture & forensics and SIEM (RSA NetWitness); with Cisco providing cloud-based security and intelligence support.
For several years, Cisco Secure provided DNS visibility and architecture intelligence with Cisco Umbrella and Cisco Umbrella Investigate; and automated malware analysis and threat intelligence with Cisco Secure Malware Analytics (Threat Grid), backed by Cisco Talos Intelligence and Cisco SecureX.
New in 2021, Cisco Secure was asked to protect 340+ (22 as spares) iPads used for the Black Hat conference registration and sponsor lead retrieval. With such a large number of mobile devices, the first task was to work with the vendor to place them in ‘supervised mode’ and enroll them with the Cisco Meraki Systems Manager (SM) mobile device management (MDM) platform. Once the enrollment was completed, we were able to secure the iPads by deploying the Cisco Secure Endpoint for iOS/Security Connector.
We were able to manage all aspects of the iPads remotely. Several came with out-of-date iOS. We were able to remotely update them into compliance.
Meraki SM was also able to deploy the applications to be used for attendee registration and lead retrieval.
We also deployed the profile to connect to the SSID reserved for the conference administration, by MAC address, with a unique sixteen-character password for each iPad, for connecting to the Commscope Ruckus access points. With the satellite map view, we were able to see the location of the iPads, and one were to ‘walk away’ from the conference, we had the ability to remotely wipe all the data and ‘brick’ the device.
The biggest challenge was keeping 340+ iPads charged for the registration team to arrive and take physical possession.
The trainers, briefers and sponsors need to be able to access and demonstrate malicious code and network activity; without infecting attendees or other networks, or experiencing an outage. It is a balancing act that the NOC team enjoys creating at each conference. The NOC was closed to attendees this year, but was streamed live and available to be viewed from outside of the NOC and at home via their Twitch channel, with presentations from NOC leaders Neil Wyler (@grifter801) and Bart Stump (@thestump3r).
Threat hunting is a core mission of the Cisco Secure team, while monitoring the DNS activity for potentially malicious activity. Also, to review the automated malware analysis of samples submitted by RSA NetWitness for maliciousness.
The PAN firewall team observed Russian IP 45[.]146[.]164[.]110. banging around the Registration Server, the key asset we all work to protect.
The Cisco threat hunting team investigated the risk in SecureX threat response, which was integrated with 20+ Cisco and partner threat intelligence platforms.
3rd Party Technologies
|Talos Intelligence||alphaMountain.ai Threat Intelligence|
|Threat Grid (Secure Malware Analytics)||APIVoid|
|Umbrella||AbuseIPDB IP Checker|
|AMP for Endpoints (Secure Endpoint)||Akamai|
|AMP File Reputation||AlienVault Open Threat Exchange|
|AMP Global Intelligence||CyberCrime Tracker|
|Private Intelligence (Threat Grid feeds)||Farsight Security DNSDB|
|SecureX orchestration||Palo Alto Networks AutoFocus|
|Threatscore | Cyberprotect|
With those integrations, we confirmed the malicious reputation from multiple sources and found an associated domain/URL.
Firewall team requested a block for the IP, because it tried a couple of remote code executions attacks and some scans. Cisco Umbrella team also blocked the mastercommunications[.]ru domain, so no devices in the network can connect out. It is rare that we take this step, the only previous time was when a spear phishing attack was sent against our registration laptops in Black Hat Europe 2018.
We saw similar attacks from IPs in China and Germany, and the firewall team blocked them in the same manner.
For the 2nd year (1st in 2019), Black Hat USA, used captured webpage notifications for users who connected to the Black Hat network and were found to be infected with malware, at risk for phishing attack, shared credentials in the clear or were running cryptomining. The notifications were done by moving affected users into a group within the PAN Firewall.
This way, those who are delivering presentations and demos can still reach their attended target, but unaware attendees can be protected.
The Umbrella team actively looked for potential threats to the attendees.
For example, we observed connection to a known phishing site.
SECURITY CATEGORY (PHISHING)
Event Details (1 of 2)
Date & Time: Aug 5, 2021 at 6:32 AM
Internal IP: 220.127.116.11
Very quickly, we were able to visualize the entire architecture of the phishing infrastructure in SecureX threat response. We notified the firewall team, who added the domain to the captive portal list.
In another example of collaboration, the RSA NetWitness team observed connection to a suspicious domain from an attendee using a Macintosh.
The Umbrella threat hunting team confirmed the maliciousness and that it would have been blocked in a production environment. The firewall team added the domain to the captive portal list.
Cryptomining appeared on the first day of the Business Hall. We alerted the firewall team, who placed a captive portal for those accessing the domains, so if they wanted to cryptomine then could continue. If they were unaware that their machines were mining, they could take action. The mining stopped.
With the lack of classroom training and move to mobile access, no malware samples were observed at Black Hat USA 2021. RSA NetWitness Orchestrator carved the files off the network stream and sent them to Cisco Secure Malware Analytics (Threat Grid). Over the week, 279 samples were sent for analysis.
However, there was a breach of personal information concerning contract security personnel, sent in a plain text email, with the attachments observed in Threat Grid. This same incident happened in 2019 and the RSA NetWitness team did another full report for remediation.
Aditya on our team made a custom dashboard tile to alert us on Umbrella security events, to reduce the pressure on our analysts to track multiple screens at the same time. Look for a blog from Aditya on how he accomplished this with SecureX orchestration.
In 2021, we saw ~11 million DNS requests, with the drop in live attendance. In contrast, in 2018 there were about 42.4 million DNS requests on the Black Hat USA network. In 2019, there were 49.6 million requests. About 1,900 would have been blocked in a production environment, as violating security policies.
In 2021, over 2,600 different apps connected to the BH network, reflecting the move to mobile. In 2019, about 3,600 apps connected in the same time frame, with five times as much DNS requests.
With the success of Vegas under our belts, the next focus is Black Hat Europe.
Note: The staff of the NOC were all vaccinated against COVID-19. We wore our masks for the entire Black Hat USA 2021; with this one exception, for a quick photo to see our shiny faces.
Acknowledgements: Special thanks to the Cisco Secure Black Hat NOC team: Jonny Noble, Alejo Calaogan, Christian Clasen and Aditya Sankar; with remote support by Aaron Woland, Ian Redden and Krishan Veer. Also, to our NOC partners RSA (especially the RSA Security team led by Percy Tucker), Palo Alto Networks (especially Lance Knittig), Commscope Ruckus (especially Jim Palmer), Gigamon, IronNet, Lumen and the entire Black Hat / Informa Tech staff (especially Marissa Parker – Queen of the NOC, Steve Fink – Chief Architect, Neil Wyler and Bart Stump).
About Black Hat
For more than 20 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia. More information is available at blackhat.com. Black Hat is brought to you by Informa Tech.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels