Cisco is honored to be a partner of the Black Hat NOC (Network Operations Center), as the Official Security Cloud Provider. This was our ninth year supporting Black Hat Asia.
We work with the other official providers to bring the hardware, software and engineers to build and secure the Black Hat network: Arista, Corelight, MyRepublic and Palo Alto Networks.
The primary mission in the NOC is network resilience. The partners also provide integrated security, visibility and automation, a SOC (Security Operations Center) inside the NOC.
On screens outside the NOC, partner dashboards gave attendees a chance to view the volume and security of the network traffic.
From Malware to Security Cloud
Cisco joined the Black Hat NOC in 2016, as a partner to provide automated malware analysis with Threat Grid. The Cisco contributions to the network and security operations evolved, with the needs of the Black Hat conference, to include more components of the Cisco Security Cloud.
Cisco Cloud Protection Suite
When the partners deploy to each conference, we set up a world-class network and security operations center in three days. Our primary mission is network uptime, with better integrated visibility and automation. Black Hat has the pick of the security industry tools and no company can sponsor/buy their way into the NOC. It is invitation only, with the intention of diversity in partners, and an expectation of full collaboration.
As a NOC team comprised of many technologies and companies, we are constantly innovating and integrating, to provide an overall SOC cybersecurity architecture solution.
The integration with Corelight NDR and both Secure Malware Analytics and Splunk Attack Analyzer is a core SOC function. At each conference, we see plain text data on the network. For example, a training student accessed a Synology NAS over the internet to access SMB shares, as observed by Corelight NDR. The document was downloaded in plain text and contained API keys and cloud infrastructure links. This was highlighted in the NOC Report as an example of how to employ a better security posture.
As the malware analysis provider, we also deployed Splunk Attack Analyzer as the engine of engines, with files from Corelight, and integrated it with Splunk Enterprise Security.
The NOC leaders allowed Cisco (and the other NOC partners) to bring in additional software and hardware to make our internal work more efficient and have greater visibility. However, Cisco is not the official provider for Extended Detection & Response (XDR), Security Event and Incident Management (SIEM), Firewall, Network Detection & Response (NDR) or Collaboration.
Breach Protection Suite
- Cisco XDR: Threat Hunting, Threat Intelligence Enrichment, Executive Dashboards, Automation with Webex
- Cisco XDR Analytics (formerly Secure Cloud Analytics/Stealthwatch Cloud): Network traffic visibility and threat detection
- Splunk Cloud Platform: Integrations and dashboards
- Cisco Webex: Incident notification and team collaboration
In addition, we deployed proof of value tenants for security:
The Cisco XDR Command Center dashboard tiles made it easy to see the status of each of the connected Cisco Security technologies.
Below are the Cisco XDR integrations for Black Hat Asia, empowering analysts to investigate Indicators of Compromise (IOC) very quickly, with one search.
We appreciate alphaMountain.ai and Pulsedive donating full licenses to Cisco, for use in the Black Hat Asia 2025 NOC.
The view in the Cisco XDR integrations page:
SOC of the Future: XDR + Splunk Cloud
Authored by: Ivan Berlinson, Aditya Raghavan
As the technical landscape evolves, automation stands as a cornerstone in achieving XDR outcomes. It is a testament to the prowess of Cisco XDR that it boasts a fully integrated, robust automation engine.
Cisco XDR Automation embodies a user-friendly, no-to-low code platform with a drag-and-drop workflow editor. This innovative feature empowers your SOC to speed up its investigative and response capabilities. You can tap into this potential by importing workflows within the XDR Automate Exchange from Cisco, or by flexing your creative muscles and crafting your own.
Remember from our past Black Hat blogs, we used automation for creating incidents in Cisco XDR from Palo Alto Networks and Corelight.
The following automation workflows were built specifically for Black Hat use cases:
Category: Create or update an XDR incident
- Via Splunk Search API — XDR incident from Palo Alto Networks NGFW Threat Logs
- Via Splunk Search API — XDR incident from Corelight Notice and Suricata logs
- Via Splunk Search API — XDR incident from Cisco Secure Firewall Intrusion logs
- Via Splunk Search API — XDR Incident from ThousandEyes Alert
- Via Umbrella Reporting API — XDR Incident from Umbrella Security Events
- Via Secure Malware Analytics API — XDR Incident on samples submitted and convicted as malicious
Category: Notify/Collaborate/Reporting
- Webex Notification on new Incident
- Last 6 hours reports to Webex
- Last 24 hours reports to Webex
Category: Investigate
- Via Splunk Search API and Global Variables (Table) — Identify Room and Location (incident rule on status new)
- Identify Room and Location (incident playbook)
- Identify Room and Location (Pivot Menu on IP)
- Webex Interactive Bot: Deliberate Observable
- Webex Interactive Bot: Search in Splunk
- Webex Interactive Bot: Identify Room and Location
Category: Report
- XDR incident statistics to Splunk
Category: Correlation
Workflows Description
Via Splunk Search API: Create or Update XDR Incident
These workflows are designed to run every 5 minutes and search the Splunk Cloud instance for new logs matching certain predefined criteria. If new logs are found since the last run, the following actions are performed for each of them:
- Create a sighting in XDR private intelligence, including several pieces of information useful for analysis during an incident investigation (e.g., source IP, destination IP and/or domain, destination port, allowed or blocked action, packet payload, etc.). These sightings can then be used to create or update an incident (see next steps), but also to enrich the analyst's investigation (XDR Investigate) like other integrated modules.
- Link the sighting to an existing or a new threat indicator
- Create a new XDR incident or update an existing incident with the new sighting and MITRE TTP.
- To update an existing incident, the workflow uses the method described below, enabling the analyst to have a complete view of the different phases of an incident, and to identify whether it could potentially be part of a Training Lab (several Assets performing the same actions):
  - If there is an XDR incident with the same observables related to the same indicator, then update the incident
  - If not, check if there is an XDR incident with the same observables, and only if the observable type is IP or Domain, then update the incident
  - If not, check if an XDR incident exists with the same target asset, then update the incident
  - If not, create a new incident
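The cascade above, as an added Python example that is not part of the post or of Cisco's workflow: a small in-memory model of sightings and incidents that applies the three matching steps in order and falls through to creating a new incident. Field names, incident ids and the sightings fed through it are constructed; step 2 is implemented as "match on the sighting's IP and domain observables only", which is our reading of the text.

```python
from dataclasses import dataclass, field
from itertools import count

# Added example, not Cisco's workflow code. All names and ids are assumptions.

@dataclass(frozen=True)
class Sighting:
    observables: frozenset   # set of (type, value) pairs, e.g. ("ip", "10.20.1.5")
    indicator: str           # threat indicator the sighting is linked to
    target_asset: str        # asset (host) on which the activity was observed
    ttp: str                 # MITRE technique id

@dataclass
class Incident:
    id: str
    observables: set = field(default_factory=set)
    indicators: set = field(default_factory=set)
    assets: set = field(default_factory=set)
    ttps: set = field(default_factory=set)
    sightings: list = field(default_factory=list)

NETWORK_TYPES = {"ip", "domain"}   # step 2 only considers these observable types

def find_incident(incidents, s):
    """Apply the three matching steps in order; return (incident, reason)."""
    # Step 1: same observables related to the same indicator
    for inc in incidents:
        if s.observables <= inc.observables and s.indicator in inc.indicators:
            return inc, "same-observables-and-indicator"
    # Step 2: same observables, but only when they are IPs or domains
    net_obs = {o for o in s.observables if o[0] in NETWORK_TYPES}
    if net_obs:
        for inc in incidents:
            if net_obs <= inc.observables:
                return inc, "same-network-observables"
    # Step 3: same target asset
    for inc in incidents:
        if s.target_asset in inc.assets:
            return inc, "same-target-asset"
    return None, "new-incident"

def create_or_update(incidents, s, ids):
    """Attach the sighting to the matched incident, or open a new one."""
    inc, reason = find_incident(incidents, s)
    if inc is None:
        inc = Incident(id=f"INC-{next(ids)}")
        incidents.append(inc)
    inc.observables |= s.observables
    inc.indicators.add(s.indicator)
    inc.assets.add(s.target_asset)
    inc.ttps.add(s.ttp)
    inc.sightings.append(s)
    return inc.id, reason

def run_demo():
    """Feed constructed sightings through the cascade; returns (incident id, reason) per sighting."""
    ids = count(1)
    incidents = []
    sightings = [
        # lab student 1 reaches the phishing page: brand new incident
        Sighting(frozenset({("ip", "10.20.1.5"), ("domain", "phish.example")}), "phish-site", "10.20.1.5", "T1566"),
        # lab student 2, same observables and indicator -> step 1
        Sighting(frozenset({("ip", "10.20.1.5"), ("domain", "phish.example")}), "phish-site", "10.20.1.9", "T1566"),
        # a different detection that shares only the domain -> step 2
        Sighting(frozenset({("domain", "phish.example")}), "dns-reputation", "10.20.1.20", "T1071"),
        # a file hash only, but on a host already in the incident -> step 3
        Sighting(frozenset({("sha256", "aa" * 32)}), "malware-sample", "10.20.1.5", "T1204"),
        # unrelated scanner on another subnet -> second incident
        Sighting(frozenset({("ip", "10.10.4.4")}), "port-scan", "10.10.4.4", "T1046"),
    ]
    return [create_or_update(incidents, s, ids) for s in sightings]

if __name__ == "__main__":
    for inc_id, reason in run_demo():
        print(inc_id, reason)
```

The ordering matters: the third sighting would also have matched on target asset had it come from a host already in the incident, but the stronger observable-based match is tried first, which is what lets the analyst see several lab machines converge on one incident rather than one incident per host.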
Identify Room and Location
It was important for the analysts to obtain as much information as possible to help them understand whether the malicious behavior detected as part of an incident was a real security incident with an impact on the event (a True Positive), or whether it was legitimate in the context of a Black Hat demo, lab and training (a Black Hat Positive).
One of the methods we used was a workflow to find out the location of the assets involved and their purpose. The workflow is designed to run:
- Automatically on a new XDR incident, adding the result in a note
- On demand via a task in the XDR incident playbook
- On demand via the XDR pivot menu
- On demand via the Webex interactive bot
The workflow takes one or more IP addresses as input, and for each of them:
- Queries an array (XDR global variable) holding the network address of each room/area of the event and its purpose (Lab XYZ, Registration, General Wi-Fi, etc.)
- Runs a search in Splunk on Palo Alto Networks NGFW Traffic Logs to get the Ingress Interface of the given IP
- Runs a search in Splunk on Umbrella Reporting Logs to get the Umbrella Network Identities
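An added example, not the post's or Cisco's code, of the three lookups this workflow performs, run offline against constructed data: a room table with a longest-prefix match (standing in for the XDR global variable), and key=value stand-ins for the Palo Alto Networks traffic logs and Umbrella reporting logs that the two Splunk searches would return. The subnets, interface names, identity names and log formats are all assumptions.

```python
import ipaddress

# Added example, not Cisco's workflow. Tables, logs and field names are constructed.

ROOM_TABLE = [  # would live in an XDR global variable (table) in the real workflow
    {"network": "10.10.0.0/16", "room": "Hall B", "purpose": "General Wi-Fi"},
    {"network": "10.20.0.0/16", "room": "Training floor", "purpose": "Training (room unassigned)"},
    {"network": "10.20.1.0/24", "room": "Room 301", "purpose": "Lab: Advanced Malware Traffic Analysis"},
    {"network": "10.20.2.0/24", "room": "Room 302", "purpose": "Lab: Kubernetes"},
    {"network": "10.30.0.0/24", "room": "Foyer", "purpose": "Registration"},
]

# Constructed NGFW traffic log lines: source, destination, ingress interface
PAN_TRAFFIC_LOGS = [
    "src=10.20.1.5 dst=139.59.108.141 dport=80 inbound_if=ethernet1/3 action=allow",
    "src=10.10.7.7 dst=1.1.1.1 dport=443 inbound_if=ethernet1/1 action=allow",
    "src=10.20.1.5 dst=93.184.216.34 dport=443 inbound_if=ethernet1/3 action=allow",
]

# Constructed Umbrella reporting log lines: internal IP and network identity
UMBRELLA_LOGS = [
    "internal_ip=10.20.1.5 identity=BH-Training-301 domain=phish.example action=blocked",
    "internal_ip=10.10.7.7 identity=BH-General-WiFi domain=example.com action=allowed",
]

def parse_kv(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def lookup_room(ip):
    """Longest-prefix match so a /24 lab row beats the /16 training-floor row."""
    addr = ipaddress.ip_address(ip)
    best = None
    for row in ROOM_TABLE:
        net = ipaddress.ip_network(row["network"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, row)
    return best[1] if best else None

def ingress_interfaces(ip, logs=PAN_TRAFFIC_LOGS):
    """Stand-in for the Splunk search over NGFW traffic logs by source IP."""
    return sorted({parse_kv(line)["inbound_if"] for line in logs if parse_kv(line)["src"] == ip})

def umbrella_identities(ip, logs=UMBRELLA_LOGS):
    """Stand-in for the Splunk search over Umbrella reporting logs by internal IP."""
    return sorted({parse_kv(line)["identity"] for line in logs if parse_kv(line)["internal_ip"] == ip})

def identify(ips):
    """Build the note the workflow would attach to an incident, one entry per IP."""
    out = {}
    for ip in ips:
        room = lookup_room(ip) or {"room": "unknown", "purpose": "unknown"}
        out[ip] = {
            "room": room["room"],
            "purpose": room["purpose"],
            "ingress_interfaces": ingress_interfaces(ip),
            "umbrella_identities": umbrella_identities(ip),
        }
    return out

if __name__ == "__main__":
    for ip, info in identify(["10.20.1.5", "10.10.7.7", "192.0.2.9"]).items():
        print(ip, info)
```

The three sources deliberately overlap: when the static room table, the firewall's ingress interface and the Umbrella identity all agree, the analyst can trust the location; when they disagree (a device that moved rooms, or a stale table), the disagreement itself is the first thing worth noting in the incident.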
Webex Notification and Interactive Bot
Proper communication and notification are key to ensuring no incident is ignored.
In addition to Slack, we were leveraging Cisco Webex to receive a notification when a new incident was raised in Cisco XDR, and an interactive Bot to retrieve additional information and help in the first step of the investigation.
Notification
On a new incident, an automation rule triggered a workflow to capture a summary of the incident, trigger the enrichment of the location and purpose of the room (see the previous workflow) and send a Notification to our collaboration room with details about the incident and a direct link to it in XDR.
Interactive Bot
An interactive Webex Bot application was also used to help the analyst. Four commands were available to trigger a workflow in Cisco XDR via a Webhook and display the result as a message in Cisco Webex.
- find [ip] — Search for the location and purpose of a given IP
- deliberate [observable] — Obtain verdicts for a given observable (IP, domain, hash, URL, etc.) from the various threat intelligence sources available in Cisco XDR (native and integrated modules)
- splunk — Perform a Splunk search of all indexes for a given keyword and display the last two logs
- csplunk [custom search query] — Search Splunk with a custom search query
Last 6/24 hours reports to Webex
Both workflows run every 6 hours and every 24 hours respectively to generate and push to our Webex collaboration rooms a report including the Top 5 assets, domains and target IPs in the security event logs collected by Splunk from Palo Alto Networks Firewall, Corelight NDR and Cisco Umbrella (search […] | stats count by […]).
Merge XDR Incident
Cisco XDR uses several advanced methods to identify a chain of attack and correlate various related security detections together in a single incident. However, sometimes only the analyst's own investigation can reveal the link between two incidents. It was important for analysts to have the option, when they discover this link, of merging several incidents into one and closing the previously generated incidents.
We designed this workflow with that in mind.
During the identification phase, the analyst can run it from the "merge incident" task in the Incident playbook of any of them.
At runtime, analysts are prompted to select the observables of the current incident that they wish to search for in other incidents.
The workflow then searches XDR for other incidents involving the same observables and reports the incidents found in the current incident's notes.
Analysts are then invited via a prompt to decide and indicate the criteria on which they wish the merge to be based.
The prompts include:
- All incidents — Accept the list of incidents found and merge all of them
- Manual list of incidents — Manually enter the identifiers of the incidents you wish to merge; the list may include an identifier discovered by the workflow or another discovered by the analyst
- Merge into a new incident or into the most recent one
- Close other incidents — Yes/No
The workflow then extracts all the information from the selected incidents and creates a new one with all this information (or updates the most recent incident).
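The merge procedure above as an added Python example (not Cisco's XDR workflow): find other open incidents sharing the selected observables, then merge either into a new incident or into the most recent of the chosen ones, optionally closing the rest and leaving a note on both sides. Incident ids, timestamps and observables are constructed.

```python
# Added example, not Cisco's workflow. Incident records are plain dicts with constructed values.

def find_related_incidents(incidents, current_id, selected_observables):
    """Other open incidents that share at least one of the selected observables."""
    hits = []
    for inc in incidents.values():
        if inc["id"] == current_id or inc["status"] == "closed":
            continue
        shared = selected_observables & inc["observables"]
        if shared:
            hits.append((inc["id"], sorted(shared)))
    return hits

def merge_incidents(incidents, ids, into_new, close_others, new_id="INC-NEW"):
    """Merge the incidents with the given ids; return the id of the resulting incident."""
    chosen = [incidents[i] for i in ids]
    if into_new:
        target = {"id": new_id, "created": max(i["created"] for i in chosen) + 1,
                  "status": "open", "observables": set(), "sightings": [], "notes": []}
        incidents[new_id] = target
    else:
        target = max(chosen, key=lambda i: i["created"])   # the most recent one
    for inc in chosen:
        if inc is target:
            continue
        target["observables"] |= inc["observables"]
        target["sightings"].extend(inc["sightings"])
        target["notes"].append(f"merged from {inc['id']}")
        if close_others:
            inc["status"] = "closed"
            inc["notes"].append(f"merged into {target['id']}")
    return target["id"]

def demo_incidents():
    """Constructed incidents: INC-1 and INC-2 share a destination IP, INC-3 is unrelated, INC-4 is already closed."""
    return {
        "INC-1": {"id": "INC-1", "created": 100, "status": "open",
                  "observables": {("ip", "139.59.108.141"), ("ip", "10.20.1.5")},
                  "sightings": ["corelight phishing notice"], "notes": []},
        "INC-2": {"id": "INC-2", "created": 130, "status": "open",
                  "observables": {("ip", "139.59.108.141"), ("ip", "10.10.7.7")},
                  "sightings": ["pan threat log"], "notes": []},
        "INC-3": {"id": "INC-3", "created": 150, "status": "open",
                  "observables": {("domain", "update.example")},
                  "sightings": ["umbrella security event"], "notes": []},
        "INC-4": {"id": "INC-4", "created": 90, "status": "closed",
                  "observables": {("ip", "139.59.108.141")},
                  "sightings": ["old"], "notes": []},
    }

def run_demo(into_new=False, close_others=True):
    """Analyst on INC-1 selects the destination IP; accepts all related incidents."""
    incs = demo_incidents()
    related = find_related_incidents(incs, "INC-1", {("ip", "139.59.108.141")})
    ids = ["INC-1"] + [r[0] for r in related]
    target = merge_incidents(incs, ids, into_new, close_others)
    return incs, related, target

if __name__ == "__main__":
    incs, related, target = run_demo()
    print("related:", related, "merged into:", target)
```

Closed incidents are skipped on purpose: the analyst is looking for live work to consolidate, and re-opening history would hide that the earlier case was already adjudicated. The "merged from/into" notes keep the audit trail intact in both directions whichever merge target is chosen.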
To make our threat hunters' lives richer with more context from ours and our partners' tools, we brought in Splunk Enterprise Security Cloud at the last Black Hat Europe 2024 event to ingest detections from Cisco XDR, Secure Malware Analytics, Umbrella, ThousandEyes, Corelight OpenNDR and Palo Alto Networks Panorama and visualize them in functional dashboards for executive reporting. The Splunk Cloud instance was configured with the following integrations:
- Cisco XDR and Cisco Secure Malware Analytics, using the Cisco Security Cloud app
- Cisco Umbrella, using the Cisco Cloud Security App for Splunk
- ThousandEyes, using the Splunk HTTP Event Collector (HEC)
- Corelight, using the Splunk HTTP Event Collector (HEC)
- Palo Alto Networks, using the Splunk HTTP Event Collector (HEC)
The ingested data for each integrated platform was deposited into its own index. That made data searches for our threat hunters cleaner. Searching for data is where Splunk shines! To showcase all of that, key metrics from this dataset were converted into various dashboards in Splunk Dashboard Studio. The team used the SOC dashboard from the last Black Hat Europe 2024 as the base and enhanced it. The additional work brought more insightful widgets, which required the SOC dashboard to be broken into the following four areas for streamlined reporting:
1. Incidents
2. DNS
3. Network Intrusion
4. Network Metrics
With our charter at Black Hat being a 'SOC within a NOC', the executive dashboards reflected bringing networking and security reporting together. This is quite powerful and will be expanded in future Black Hat events, to add more functionality and grow its usage as one of the primary consoles for our threat hunters as well as reporting dashboards on the big screens in the NOC.
Threat Hunter’s Corner
Authored by: Aditya Raghavan and Shaun Coulter
In the Black Hat Asia 2025 NOC, Shaun staffed the morning shifts and Aditya the afternoon shifts, as usual. Unlike the earlier years, both hunters had plenty of rabbit holes to go down, leading to a place of "involved joy" for both.
Activities involving malware that would be blocked on a corporate network must be allowed, within the confines of the Black Hat Code of Conduct.
Fishing With Malware: Who Caught the Fish?
It all started with unusual network activity originating from a device in a lab class. Doesn't it always?
“Look beyond the endpoint.”
A saying that comes to life every day at Black Hat.
That said, a device was found connecting to a website flagged as suspicious by threat intelligence systems. Next, this website was being accessed via a direct IP address, which is quite unusual. And to top it all off, the device exchanged credentials in clear text.
Sounds like your typical phishing incident, and it raised our hunters' eyebrows. The initial hypothesis was that a device had been compromised in a phishing attack. Given the nature of the traffic — bi-directional communication with a known suspicious website — this looked like a classic case of a phishing exploit. We used Cisco XDR to correlate these detections into an incident and visualize the connections involved.
As is clear from the screenshot below, a detection from Corelight OpenNDR for possible phishing kicked this off. Further investigation revealed similar traffic patterns from other devices within the conference hall, this time on the General Wi-Fi network as well.
The destination for all of them, 139.59.108.141, had been marked with a suspicious disposition by alphaMountain.ai threat intelligence.
Thanks to the automation implemented to query Umbrella Identities, the device's location was quickly confirmed to be within the Advanced Malware Traffic Analysis class. The hunters used this function every single time, to such effect that it was decided to automate the workflow to run and return its result for every incident, so that the hunters have this data ready at hand as the first step while investigating an incident.
Next, our threat hunters as expected dived into Cisco Splunk Cloud to analyze the logs for any additional context. This investigation revealed important insights, such as the traffic from the device being in clear text, allowing the payload to be extracted. This discovery was key because it revealed that this was not a typical phishing attack but part of a training exercise.
Additionally, it was discovered that several other devices from the same subnet were also communicating with the same suspicious destination. These devices exhibited nearly identical traffic patterns, further supporting the theory that this was part of a lab exercise.
The variation in the traffic volume from the different devices suggested that the students were at different stages of the lab.
Lessons Learned: The Lost Last Part of PICERL
Being able to modify what is presented to an analyst on the fly is one of the most enjoyable parts of working events. In many organizations, "lessons learned" from an incident or cluster of events are reviewed much later, if at all, and recommendations are enacted even later.
In the Black Hat event environment, we are consistently looking for improvements and trying new things, to test the limits of the tools we have on hand.
At Black Hat our mandate is to maintain a permissive environment, which makes identifying actual malicious activity a very tough job. Because there is so much activity, time is at a premium. Anything that reduces the noise and reduces the amount of time spent in triage is of benefit.
Repeated activity was seen, such as UPnP traffic causing false positives. Fine, easy to spot, but it still clogs up the work queue, as each event was at first creating a single incident.
Noise such as this causes frustration, and that in turn can cause errors of judgement in the analyst. Therefore, sharpening the analysts' tools is of premium importance.
The entire BH team is always open to suggestions for improvement to the processes and automation routines that we run on XDR.
One of these was to place the Corelight NDR event payload directly into the description of an event entry in XDR.
This simple change provided the details needed directly in the XDR dashboard, without any pivot into other tools, shortening the triage process.
The above example shows activity in the Business Hall from demonstrator booths. It is clear to see what appears to be repeated beaconing of a vendor device, and it was therefore easy and quick to close. Previously this required pivoting to the Splunk search to query for the event(s) and, if the information was not apparent, pivoting again to the submitting platform. Here is the overview of the lesson learned and the application of recommendations: we considered my process of investigation and automated these two steps.
Again, the following example shows interesting traffic which looks like external scanning using ZDI tools.
Through having the payload from Corelight present in the event sequence in the XDR "Analyst workbench", I was able to see /autodiscover/autodiscover.json, which is commonly used by Microsoft Exchange servers to provide autodiscovery information to clients like Outlook.
The presence of this path suggested probing for Exchange services.
- @zdi/Powershell Query Param — @zdi may refer to the Zero Day Initiative, a known vulnerability research program. This could indicate a test probe from a researcher, or a scan that mimics or checks for vulnerable Exchange endpoints.
- User-Agent: zgrab/0.x — zgrab is an open-source, application-layer scanner, often used for internet-wide surveys (e.g., by researchers or threat actors).
The tool is likely part of the ZMap ecosystem, which more than likely means that someone is performing a scanning or reconnaissance operation against the Public IP for the event, making it worth continued monitoring.
The Event Name was "WEB APPLICATION ATTACK", which is not very descriptive, but with our fine tuning of providing the detail directly in the incident findings, the information was quite literally at my fingertips.
Scareware, Video Streaming and Whatnot!
On 2nd April, one of the devices on the network reached out to a website flagged as "Phishing" by Umbrella.
At first, it was suspected that the queries were related to a training class because of the timing of the domain activity. For example, some of the domains were registered as recently as a month ago, with Umbrella showing activity beginning only on April 1st, coinciding with the start of the conference.
But if that were the case, we would expect to see many other attendees making the same requests from the training Wi-Fi SSID. This was not the case — in fact, across the event only a total of 5 IPs making these DNS queries and/or web connections were seen, and only one of those was connected to the training SSID. One of these 5 devices was that of an Informa sales employee. A NOC leader contacted them, and they acknowledged accidentally clicking on a suspicious link.
Christian Clasen expanded the search beyond the "Phishing" category and found lots of queries for domains in a short window of time in questionable categories: adware, malware and adult sites.
On this device, this was followed by a detour to a pirated video streaming website (probably an accidental click). This website then kicked off a series of pop-ups to various websites across the board, including over 700 DNS queries to adult sites. We used Secure Malware Analytics to review the website, without getting infected ourselves.
Considering this potential chain of actions on that device, the same observable was detonated in Splunk Attack Analyzer for dynamic interaction and analysis. The report for the video streaming site shows the site reputation as questionable, along with indicators for phish kits and crypto payments present.
So, back to the question: Are these all connected? Looking at the various instances of such spurious DNS queries, Christian collated the websites queried and the IPs they were hosted at. DNS queries to:
- adherencemineralgravely[.]com
- cannonkit[.]com
- cessationhamster[.]com
- pl24999848[.]profitablecpmrate[.]com
- pl24999853[.]profitablecpmrate[.]com
- playsnourishbag[.]com
- resurrectionincomplete[.]com
- settlementstandingdread[.]com
- wearychallengeraise[.]com
- alarmenvious[.]com
- congratulationswhine[.]com
- markshospitalitymoist[.]com
- nannyirrationalacquainted[.]com
- pl24999984[.]profitablecpmrate[.]com
- pl25876700[.]effectiveratecpm[.]com
- quickerapparently[.]com
- suspectplainrevulsion[.]com
These resolved to common infrastructure IPs:
- 172[.]240[.]108[.]68
- 172[.]240[.]108[.]84
- 172[.]240[.]127[.]234
- 192[.]243[.]59[.]13
- 192[.]243[.]59[.]20
- 192[.]243[.]61[.]225
- 192[.]243[.]61[.]227
- 172[.]240[.]108[.]76
- 172[.]240[.]253[.]132
- 192[.]243[.]59[.]12
These are known to be associated with the ApateWeb scareware/adware campaign. The nameservers for these domains are:
- ns1.publicdnsservice[.]com
- ns2.publicdnsservice[.]com
- ns3.publicdnsservice[.]com
- ns4.publicdnsservice[.]com
These are authoritative for hundreds of known malvertising domains:
Given that one affected person acknowledged that they had clicked on a suspicious link, resulting in one of the events, we believe that these are unrelated to training and in fact unrelated to each other. A Unit42 blog can be referenced for the list of IOCs related to this campaign. Unit42's post notes, "The impact of this campaign on internet users could be large, since several hundred attacker-controlled websites have remained in Tranco's top 1 million website ranking list." Well, that is a true positive in the SOC here.
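An added example, not from the post, of the pivot Christian performed: grouping queried domains by shared hosting IPs and nameserver zone to tell one campaign's infrastructure from unrelated noise. It uses the defanged indicators listed above, but the domain-to-IP and domain-to-nameserver assignments are constructed for the demo (the post gives the two lists, not which domain resolved where), and `cdn-static[.]example` is a made-up benign domain included for contrast.

```python
# Added example, not the post's analysis. Mappings below are constructed from the post's lists.

def refang(s):
    """Turn a defanged indicator ('a[.]b') back into its real form for comparison."""
    return s.replace("[.]", ".")

RESOLUTIONS = {  # constructed domain -> hosting IPs (the post does not give per-domain resolutions)
    "adherencemineralgravely[.]com": ["172[.]240[.]108[.]68", "192[.]243[.]59[.]13"],
    "cannonkit[.]com": ["172[.]240[.]108[.]84"],
    "cessationhamster[.]com": ["192[.]243[.]59[.]13"],
    "pl24999848[.]profitablecpmrate[.]com": ["172[.]240[.]108[.]84", "192[.]243[.]61[.]225"],
    "quickerapparently[.]com": ["192[.]243[.]61[.]225"],
    "suspectplainrevulsion[.]com": ["172[.]240[.]253[.]132"],
    "cdn-static[.]example": ["203[.]0[.]113[.]10"],   # constructed benign domain for contrast
}
NAMESERVERS = {  # constructed domain -> authoritative nameservers
    "adherencemineralgravely[.]com": ["ns1.publicdnsservice[.]com", "ns2.publicdnsservice[.]com"],
    "cannonkit[.]com": ["ns3.publicdnsservice[.]com"],
    "cessationhamster[.]com": ["ns1.publicdnsservice[.]com"],
    "pl24999848[.]profitablecpmrate[.]com": ["ns4.publicdnsservice[.]com"],
    "quickerapparently[.]com": ["ns2.publicdnsservice[.]com"],
    "suspectplainrevulsion[.]com": ["ns1.publicdnsservice[.]com"],
    "cdn-static[.]example": ["ns1.example-dns[.]net"],
}

def cluster_domains(resolutions, nameservers):
    """Union-find over domains: two domains join one cluster if they share an IP or a nameserver zone."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for domain, ips in resolutions.items():
        for ip in ips:
            union(domain, "ip:" + refang(ip))
    for domain, nss in nameservers.items():
        for ns in nss:
            zone = refang(ns).split(".", 1)[1]   # ns1.publicdnsservice.com -> publicdnsservice.com
            union(domain, "ns:" + zone)
    groups = {}
    for domain in set(resolutions) | set(nameservers):
        groups.setdefault(find(domain), set()).add(refang(domain))
    return sorted(groups.values(), key=len, reverse=True)

def campaign_members(queried, clusters, seed):
    """Of the domains a host queried, return those in the same cluster as a known-bad seed."""
    seed = refang(seed)
    for cluster in clusters:
        if seed in cluster:
            return sorted(refang(q) for q in queried if refang(q) in cluster)
    return []

if __name__ == "__main__":
    clusters = cluster_domains(RESOLUTIONS, NAMESERVERS)
    for c in clusters:
        print(len(c), sorted(c))
    print(campaign_members(["quickerapparently[.]com", "cdn-static[.]example"], clusters, "cessationhamster[.]com"))
```

One caveat on the nameserver edge: sharing a nameserver zone is only meaningful when that zone is itself tied to the campaign, as the post states for publicdnsservice[.]com. Two domains parked on a large public DNS provider would also share a zone, so in a real pivot the nameserver edge should be weighted below the shared-IP edge, or restricted to zones already on a watchlist.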
Trufflehunter Monero Mining Attacks
Authored by: Ryan MacLennan
As part of doing some additional testing and providing better efficacy for our XDR product, we deployed a proof-of-value Firepower Threat Defense (FTD) and Firepower Management Center (FMC). It was receiving the same SPAN traffic that our sensor received for XDR Analytics, but it provides a completely different set of capabilities, namely Intrusion Detection.
Below we can see several triggers, from a single host, on the FTD for a Trufflehunter Snort signature. The requests are going out to several external IP addresses using the same destination port.
This was interesting because it looks as if this user on the network was trying to attack these external servers. The questions were: what is Trufflehunter, are these servers malicious, is the attack deliberate, or is it legitimate traffic here at Black Hat for a training session or demo?
Taking one of the IP addresses in the list, I entered it into VirusTotal and it returned that it was not malicious. But it did return several subdomains related to that IP. Taking the top-level domain of those subdomains, we can do a further search using Umbrella.
Umbrella Investigate says this domain is low risk and categorized as freeware/shareware. At this point we can say that Command and Control is not in play. So why are we seeing hits to this random IP/domain?
Taking the domain for this investigation and popping it into Splunk Attack Analyzer (SAA), we can explore the site. Basically, the owner of this domain is an avid explorer of knowledge and likes to tinker with tech; the main domain was used to host their blog. The many subdomains they had listed were for the different services they host for themselves on their site. They had an email service, Grafana, an admin login and many other services hosted here. They even had an about section so you could get to know the owner better. For the privacy of the domain owner, I will omit their website and other information.
Now that we know this IP and domain are most likely not malicious, the question remained of why they were being targeted. Looking at their IP address in Shodan, it listed their IP as having port 18010 open.
Looking at a few other IPs that were being targeted, they all had that same port open. So, what is that port used for, and what CVE is the Snort signature referencing?
We see below that the Trufflehunter signature is related to CVE-2018-3972. It is a vulnerability that allows code execution if a specific version of the Epee library is used on the host. In this case, the vulnerable library is commonly used in the Monero mining application.
Doing a search on Google showed that port 18080 is commonly used for Monero peer-to-peer connections in a mining pool. But that is based on the AI summary. Can we really trust that?
Going down the results, we find the official Monero docs, and they definitely do say to open port 18080 to the world if you want to be part of a mining pool.
We can see that there were attempts to get into these services, but they were not successful, as there were no responses back to the attacker. How is an attacker able to find servers around the world to perform these attacks on?
The answer is fairly simple. In Shodan, you can search for IPs with port 18080 open. The attacker can then curate their list and perform attacks, hoping some will hit. They probably have it automated, so there is less work for them in this process. How can we, as defenders and as everyday people, prevent ourselves from showing up on a list like this?
If you are hosting your own services and need to open ports to the internet, you should try to limit your exposure as much as possible.
To alleviate this type of fingerprinting/scanning you should block Shodan scanners (if you can). They have a distributed system, and IPs change all the time. You can block scanning activity in general if you have a firewall, but there is no guarantee that it will prevent everything.
If you have an application you developed or are hosting, there are other options like fail2ban, security groups in the cloud, or iptables that can be used to block these types of scans. These options allow you to block all traffic to the service except from the IPs you want to access it.
Alternatives to opening the port to the Internet would be to set up tunnels from one site to another, or to use a service that does not expose the port but allows remote access to it via a subdomain.
Snort ML Triggered Investigation
Authored by: Ryan MacLennan
During our time at Black Hat Asia, we made sure Snort ML (machine learning) was enabled. And it was definitely worth it. We had several triggers of the new Snort feature where it was able to detect a potential threat in the HTTP parameters of an HTTP request. Let us dive into this new detection and see what it found!
Looking at the events, we can see several different IPs from a training class and one on the General Wi-Fi network triggering these events.
Investigating the event with the 192 address, we can see what it alerted on specifically. Here we can see that it alerted on the 'HTTP URI' field having the parameter '?ip=%3Bifconfig'. This looks like an attempt to run the ifconfig command on a remote server. This is usually done after a webshell has been uploaded to a site; it is then used to enumerate the host it is on, or to do other tasks like obtaining a reverse shell for a more interactive session.
In the packet data we can see the full request that was made.
Looking at another host that was in a training, we can see that the Snort ML signature fired on another command as well. This is exactly what we want to see; we now know that the signature is able to detect different HTTP parameters and determine whether they are a threat. In this example we see the attacker trying to get a file's output using the command 'cat' followed by the file path.
With this investigation, I was able to determine that the General Wi-Fi user was part of the class, as they were using the same IP addresses to attack as the rest of the class. This was interesting because it was a class on pwning Kubernetes cluster applications. We were able to ignore this specific event as it is normal in this context (we call this a 'Black Hat' positive event), but we never would have seen these attacks without Snort ML enabled. If I had seen this come up in my environment, I would consider it a high priority for investigation.
Some extras for you: we have some dashboard data for you to peruse to see the stats of the FTD. Below is the Security Cloud Control dashboard.
Next, we have the FMC overview. You can see how high the SSL client application was and what our encrypted visibility engine (EVE) was able to identify.
Lastly, we have a dashboard on the top countries by IDS events.
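An added example, not Snort ML and not a Cisco rule: a small, explainable check over HTTP request URIs that flags query parameters carrying shell metacharacters, or a command word followed by a path, which is the pattern the '?ip=%3Bifconfig' and 'cat' events above match on. It also decodes a second layer of percent-encoding, since a detector that only looks at the raw URI misses that case. The request log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Added example, not Snort ML. Request lines and the command list are constructed for the demo.

SHELL_META = re.compile(r"[;|&`]|\$\(|\n")
COMMANDS = {"ifconfig", "cat", "id", "whoami", "uname", "ls", "nc", "curl", "wget", "sh", "bash"}

def inspect_uri(uri):
    """Return a list of (param, decoded value, reason) for suspicious query parameters."""
    findings = []
    query = urlsplit(uri).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)   # parse_qsl decoded once; this catches double encoding
        reasons = []
        has_meta = bool(SHELL_META.search(decoded))
        if has_meta:
            reasons.append("shell metacharacter")
        tokens = [t for t in re.split(r"[;|&\s`$()]+", decoded) if t]
        cmd_hits = []
        for i, tok in enumerate(tokens):
            if tok in COMMANDS:
                nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
                # "cat videos" is a search term; "cat /etc/passwd" or ";ifconfig" is not
                if has_meta or nxt.startswith(("/", "-")):
                    cmd_hits.append(tok)
        if cmd_hits:
            reasons.append("command word: " + ",".join(cmd_hits))
        if reasons:
            findings.append((name, decoded, "; ".join(reasons)))
    return findings

def scan_requests(lines):
    """lines are 'src_ip method uri' records; returns flagged (src_ip, param, decoded, reason)."""
    hits = []
    for line in lines:
        src, _method, uri = line.split(" ", 2)
        for name, decoded, reason in inspect_uri(uri):
            hits.append((src, name, decoded, reason))
    return hits

SAMPLE_REQUESTS = [  # constructed
    "10.20.2.11 GET /ping?ip=%3Bifconfig",            # the pattern from the event above
    "10.20.2.14 GET /ping?ip=10.0.0.1",               # legitimate use of the same parameter
    "10.10.3.3 GET /view?file=cat%20/etc/passwd",     # command word followed by a path
    "10.20.2.18 GET /search?q=cat+videos",            # benign: command word without a path
    "10.20.2.19 GET /ping?ip=127.0.0.1%2526id",       # double-encoded '&id'
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

This is deliberately a signature-style check so the reason for every hit is readable in the incident; that is the same property that made the Corelight payload in the XDR event description so useful for triage. A learned detector such as Snort ML covers variations this list will miss, and the two are complementary rather than competing.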
Identity Intelligence
Authored by: Ryan MacLennan
Last year, Black Hat asked Cisco Security if we could be the Single Sign-On (SSO) provider for all the partners in the Black Hat NOC. The idea is to centralize our user base, make access to products easier, provide easier user management, and to show role-based access. We started the proof-of-value at Black Hat Asia 2024 and partially deployed at Black Hat Europe 2024. We have now successfully integrated with the partners in the Black Hat NOC to enable the idea started a year ago. Below is a screenshot of all the products we have integrated with from our partners and from Cisco.
In the screenshot above, we have the idea of the product owners having administrative access to their own products and everyone else being a viewer or analyst for that product, allowing each partner to access one another’s tools for threat hunting. Below, you can see the logins of various users to different products.
As part of this, we also provide Identity Intelligence; we use Identity Intelligence to determine the trustworthiness of our users and to notify us when there is an issue. We do have a problem though. Most of the users are not at every Black Hat conference and the location of the conference changes every time. This impacts our users’ trust scores, as you can see below.
Looking at the screenshot below, we can see some of the reasons for the trust score differences. As the administrators of the products start to get ready for the conference, we can see the logins start to rise in February, March, and finally April. Many of the February and March logins are done from countries other than Singapore.
Below, we can see users with their trust level, how many checks are failing, last login, and many other details. This is a quick look at a user’s posture to see if we need to take any action. Luckily, most of these are the same issue mentioned before.
At the end of each show, and after the partners get the data they need from their products, we move all non-admin users from an active state to a disabled group, ensuring the Black Hat standard of zero-trust.
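The three mechanisms this section describes (owners administer their own product while everyone else is a viewer, trust review that surfaces out-of-country logins and failing checks, and end-of-show deprovisioning of non-admin accounts) fit into a small model. The block below is an added example, not Cisco’s SSO or Identity Intelligence code; the users, partners, product-to-owner map and login history are constructed, and the ramp-up window and host country are assumptions chosen to match the February-to-April pattern described above.

```python
"""Added example, not Cisco's SSO or Identity Intelligence code: a minimal model of the
role assignment, trust review and post-show deprovisioning described above.
All users, products and logins are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date

CONFERENCE_COUNTRY = "Singapore"       # assumption: host country of this show
RAMP_UP_START = date(2025, 2, 1)       # assumption: when pre-show logins begin


@dataclass
class Login:
    day: date
    country: str          # country as the identity platform reports it


@dataclass
class User:
    name: str
    partner: str          # company the account belongs to
    admin: bool = False   # NOC-wide administrator, kept active between shows
    failing_checks: int = 0
    state: str = "active" # "active" or "disabled"
    logins: list = field(default_factory=list)


# Constructed product -> owning partner map (the real list is in the screenshot above).
PRODUCT_OWNERS = {"NDR": "Corelight", "NGFW": "Palo Alto Networks", "XDR": "Cisco"}


def role_for(user: User, product: str) -> str:
    """Owners get admin on their own product; every other partner is a viewer."""
    return "admin" if PRODUCT_OWNERS[product] == user.partner else "viewer"


def access_matrix(users: list) -> dict:
    """{user name: {product: role}} so every partner can hunt in every tool."""
    return {u.name: {p: role_for(u, p) for p in PRODUCT_OWNERS} for u in users}


def trust_review(user: User, conference_country: str = CONFERENCE_COUNTRY,
                 window_start: date = RAMP_UP_START) -> list:
    """Reasons a user's posture deserves a look.  Out-of-country logins during the
    ramp-up months are expected for a travelling NOC team, which is why they are
    reported for a human decision rather than acted on automatically."""
    reasons = []
    offsite = [l for l in user.logins
               if l.day >= window_start and l.country != conference_country]
    if offsite:
        reasons.append(f"{len(offsite)} login(s) from outside {conference_country}")
    if user.failing_checks:
        reasons.append(f"{user.failing_checks} failing check(s)")
    return reasons


def deprovision_after_show(users: list) -> list:
    """Move every non-admin, active account to the disabled group; return their names."""
    disabled = []
    for u in users:
        if not u.admin and u.state == "active":
            u.state = "disabled"
            disabled.append(u.name)
    return disabled


def sample_users() -> list:
    """Constructed accounts for a fictional NOC roster."""
    return [
        User("ndr-analyst", "Corelight",
             logins=[Login(date(2025, 2, 10), "United States"),
                     Login(date(2025, 4, 1), "Singapore")]),
        User("fw-analyst", "Palo Alto Networks", failing_checks=1,
             logins=[Login(date(2025, 3, 15), "Germany")]),
        User("noc-admin", "Cisco", admin=True,
             logins=[Login(date(2025, 4, 1), "Singapore")]),
    ]


if __name__ == "__main__":
    roster = sample_users()
    print(access_matrix(roster))
    for u in roster:
        print(u.name, trust_review(u))
    print("disabled:", deprovision_after_show(roster))
```

The review step only reports; the disable step is the one automated action, and it deliberately skips administrators so the people rebuilding the NOC at the next show keep their access.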
Cisco Unveils New DNS Tunneling Analysis Techniques
Authored by: Christian Clasen
Cisco recently announced a new AI-driven Domain Generation Algorithm (DGA) detection capability integrated into Secure Access and Umbrella. DGAs are used by malware to generate numerous domains for command and control (C2) communications, making them a critical threat vector via DNS. Traditional reputation-based systems struggle with the high volume of new domains and the evolving nature of DGAs. This new solution leverages insights from AI-driven DNS tunneling detection and the Talos threat research team to identify unique lexical characteristics of DGAs. The result is a 30% increase in real detections and a 50% improvement in accuracy, reducing both false positives and false negatives. Enhanced detection is automatically enabled for Secure Access and Umbrella customers with the Malware Threat category active.
Engineers from Cisco presented the technical details of this novel approach at the recent DNS OARC conference. The presentation discusses a method for detecting and classifying Domain Generation Algorithm (DGA) domains in real-world network traffic using Passive DNS and Deep Learning. DGAs and botnets are introduced, along with the fundamentals of Passive DNS and the tools employed. The core of the presentation highlights a monitoring panel that integrates Deep Learning models with Passive DNS data to identify and classify malicious domains within the São Paulo State University network traffic. The detector and classifier models, detailed in recently published scientific articles by the authors, are a key component of this method.
This is a key capability in environments like the Black Hat conference network, where we must be creative when interrogating network traffic. Below is an example of the detection we observed at Black Hat Asia.
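The "unique lexical characteristics" the announcement refers to are the kind of per-domain features a classifier is fed: label length, character entropy, vowel and digit ratios, and long consonant runs. As an added example (not the Cisco/Umbrella model, which is a trained deep-learning classifier with far richer inputs), the block below extracts those features and scores domains with a handful of constructed thresholds, ranking a small batch the way a Passive DNS triage panel would. The domains and thresholds are made up for illustration, and the second-level label is taken with a simple split rather than the public suffix list.

```python
"""Added example, not Cisco's DGA detector: lexical features and a constructed
heuristic score standing in for the deep-learning classifier described above."""
import math
from collections import Counter

VOWELS = set("aeiou")


def sld(domain: str) -> str:
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Simplified: a real implementation would consult the public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def longest_consonant_run(s: str) -> int:
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def extract_features(domain: str) -> dict:
    label = sld(domain)
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "digit_ratio": len(digits) / len(label) if label else 0.0,
        "consonant_run": longest_consonant_run(label),
    }


def dga_score(domain: str) -> int:
    """Count of DGA-like traits (0..5).  Thresholds are constructed assumptions."""
    f = extract_features(domain)
    return sum([
        f["entropy"] > 3.5,
        f["vowel_ratio"] < 0.2,
        f["digit_ratio"] > 0.15,
        f["consonant_run"] >= 5,
        f["length"] >= 12,
    ])


def is_dga_like(domain: str, threshold: int = 3) -> bool:
    return dga_score(domain) >= threshold


def rank_domains(domains: list) -> list:
    """(domain, score) pairs, highest score first, as a triage panel would list them."""
    return sorted(((d, dga_score(d)) for d in domains), key=lambda x: -x[1])


# Constructed batch: three real-looking labels and two random-looking ones.
SAMPLE_DOMAINS = ["www.google.com", "blackhat.com", "microsoftonline.com",
                  "xk3jq9zplwmv0tb.com", "qwqjhsbdtlkfhxqr.net"]

if __name__ == "__main__":
    for d, s in rank_domains(SAMPLE_DOMAINS):
        print(f"{s}  {d}  {extract_features(d)}")
```

The long but legitimate `microsoftonline.com` only trips the length trait, which is why a single feature is never enough and the production model learns the combination from labelled Passive DNS data rather than fixed cut-offs.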
Domain Name Service Statistics
Authored by: Christian Clasen and Justin Murphy
We install virtual appliances as critical infrastructure of the Black Hat network, with cloud redundancy.
Since 2018, we have been tracking DNS stats at the Black Hat Asia conferences. The historical DNS requests are in the chart below.
The Activity Volume view from Umbrella gives a top-level look at activity by category, which we can drill into for deeper threat hunting. On trend with the previous Black Hat Asia events, the top Security categories were Malware and Newly Seen Domains.
In a real-world environment, of the 15M requests that Umbrella saw, over 200 of them would have been blocked by our default security policies. However, since this is a place for learning, we typically let everything fly. We did block the category of Encrypted DNS Query, as discussed in the Black Hat Europe 2024 blog.
We also track the apps using DNS, using App Discovery.
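The two numbers in that paragraph come from the same per-category view: the requests the production policy would have stopped versus the requests the show network actually blocked. The block below is an added example, not Umbrella reporting code; it parses a handful of constructed DNS activity records, builds the activity-by-category view, and computes that gap. Only the category names that appear in the text (Malware, Newly Seen Domains, Encrypted DNS Query) drive policy decisions; the other category labels and every domain and client are constructed.

```python
"""Added example, not Umbrella's reporting code: per-category DNS activity view and
the 'would have been blocked in production' gap, over constructed records."""
from collections import Counter

# Constructed records, tab-separated: client, domain, categories (| separated), action.
SAMPLE_LOG = """\
10.1.2.3\tupdates.vendor.test\tSoftware/Technology\tallowed
10.1.2.4\tdns.encrypted-resolver.test\tEncrypted DNS Query\tblocked
10.1.2.5\tc2.badhost.test\tMalware\tallowed
10.1.2.6\tnew-registration.test\tNewly Seen Domains\tallowed
10.1.2.3\tchat.genai.test\tGenerative AI\tallowed
10.1.2.7\tdrop.badhost.test\tMalware|Newly Seen Domains\tallowed
10.1.2.8\tcdn.vendor.test\tContent Delivery\tallowed
10.1.2.4\tdoh.another-resolver.test\tEncrypted DNS Query\tblocked
10.1.2.9\tdl.badhost.test\tMalware\tallowed
10.1.2.5\tfirst-seen.test\tNewly Seen Domains\tallowed
"""

DEFAULT_BLOCK = {"Malware"}            # what the production policy would stop
SHOW_BLOCK = {"Encrypted DNS Query"}   # the one category blocked on the show network
SECURITY_CATEGORIES = {"Malware", "Newly Seen Domains", "Encrypted DNS Query"}


def parse_records(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, domain, cats, action = line.split("\t")
        records.append({"client": client, "domain": domain,
                        "categories": set(cats.split("|")), "action": action})
    return records


def category_counts(records: list) -> Counter:
    """Activity volume by category; a request with two categories counts in both."""
    counts = Counter()
    for r in records:
        counts.update(r["categories"])
    return counts


def top_security_categories(records: list, n: int = 2) -> list:
    """The 'top Security categories' line of the activity view."""
    counts = category_counts(records)
    ranked = sorted(((c, counts[c]) for c in SECURITY_CATEGORIES if counts[c]),
                    key=lambda x: (-x[1], x[0]))
    return [c for c, _ in ranked[:n]]


def policy_gap(records: list) -> dict:
    """Requests the default policy would block vs. what was actually blocked at the show."""
    would_block = sum(1 for r in records if r["categories"] & DEFAULT_BLOCK)
    blocked = sum(1 for r in records if r["action"] == "blocked")
    show_policy_hits = sum(1 for r in records if r["categories"] & SHOW_BLOCK)
    return {"total": len(records), "would_block_default": would_block,
            "blocked_at_show": blocked, "show_policy_hits": show_policy_hits}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(category_counts(recs).most_common())
    print(top_security_categories(recs))
    print(policy_gap(recs))
```

On the constructed data three requests would have been stopped in production while two were actually blocked, all of them Encrypted DNS Query; the same computation over the real 15M-request export gives the "over 200" figure quoted above.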
- 2025: 4,625 apps
- 2024: 4,327 apps
- 2023: 1,162 apps
- 2022: 2,286 apps
App Discovery in Umbrella gives us a quick snapshot of the cloud apps in use at the show. Not surprisingly, Generative AI (Artificial Intelligence) has continued to increase, with a 100% increase year-over-year.
Umbrella also identifies risky cloud applications. Should the need arise, we can block any application via DNS, such as Generative AI apps, Wi-Fi Analyzers, or anything else that has suspicious undertones.
Again, this isn’t something we would normally do on our General Wi-Fi network, but there are exceptions. For example, from time to time, an attendee will learn a cool hack in one of the Black Hat courses or in the Arsenal lounge AND try to use said hack at the conference itself. That is clearly a ‘no-no’ and, in many cases, very illegal. If things go too far, we will take the appropriate action.
During the conference NOC Report, the NOC leaders also report on the Top Categories seen at Black Hat.
Overall, we are immensely proud of the collaborative efforts made here at Black Hat Asia, by both the Cisco team and all the partners in the NOC.
We are already planning for more innovation at Black Hat USA, held in Las Vegas the first week of August 2025.
Acknowledgments
Thank you to the Cisco NOC team:
- Cisco Security: Christian Clasen, Shaun Coulter, Aditya Raghavan, Justin Murphy, Ivan Berlinson and Ryan Maclennan
- Meraki Systems Manager: Paul Fidler, with Connor Loughlin supporting
- ThousandEyes: Shimei Cridlig and Patrick Yong
- Additional Support and Expertise: Tony Iacobelli and Adi Sankar
Also, to our NOC partners Palo Alto Networks (especially James Holland and Jason Reverri), Corelight (especially Mark Overholser and Eldon Koyle), Arista Networks (especially Jonathan Smith), MyRepublic and the entire Black Hat / Informa Tech staff (especially Grifter ‘Neil Wyler’, Bart Stump, Steve Fink, James Pope, Michael Spicer, Jess Jung and Steve Oldenbourg).
About Black Hat
Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.