Black Hat Europe 2022 NOC: When planning meets execution



In this blog about the design, deployment and automation of the Black Hat network, we have the following sections:

  • Designing the Black Hat Network, by Evan Basta
  • AP Placement Planning, by Sandro Fasser
  • Wi-Fi Air Marshal, by Jérémy Couture, Head of SOC, Paris 2024 Olympic Games
  • Meraki Dashboards, by Rossi Rosario Burgos
  • Meraki Systems Manager, by Paul Fidler
  • A Better Way to Design Training SSIDs/VLANs, by Paul Fidler

Cisco is honored to be a Premium Partner of the Black Hat NOC, and is the Official Network Platform, Mobile Device Management, Malware Analysis and DNS (Domain Name Service) Provider of Black Hat.

2022 was Cisco’s sixth year as a NOC partner for Black Hat Europe. However, it was our first time building the network for Black Hat Europe. We used the experiences of Black Hat Asia 2022 and Black Hat USA 2022 to refine the planning for network topology design and equipment. Below are our fellow NOC partners providing hardware, to build and secure the network, for our joint customer: Black Hat.

Designing the Black Hat Network, by Evan Basta

We are grateful to share that Black Hat Europe 2022 was the smoothest experience we’ve had in our years at Black Hat. This is thanks to the 15 Cisco Meraki and Cisco Secure engineers on site (plus virtually supporting engineers) to build, operate and secure the network; and great NOC leadership and collaborative partners.

To plan, configure, deploy (in two days), maintain resilience, and recover (in 4 hours) an enterprise class network took a lot of coordination. We appreciate the Black Hat NOC leadership, Informa and the NOC partners; meeting every week to discuss the best design, staffing, equipment selection and deployment, to meet the unique needs of the conference. Check out the “Meraki Unboxed” podcast – Episode 94: Learnings from the Black Hat Europe 2022 Cybersecurity Event

We must allow real malware on the Black Hat network: for training, demonstrations, and briefing sessions; while protecting the attendees from attack within the network by their fellow attendees, and preventing bad actors from using the network to attack the Internet. It is an important balance to ensure everyone has a safe experience, while still being able to learn from real world malware, vulnerabilities, and malicious websites.

In addition to the weekly meetings with Black Hat and the other partners, the Cisco Meraki engineering team of Sandro Fasser, Rossi Rosario Burgos, Otis Ioannou, Asmae Boutkhil, Jeffry Handal and I met every Friday for two months. We also discussed the challenges in a Webex space with other engineers who had worked on past Black Hat events.

The mission:

Division of labor is essential to reduce errors and stay laser focused on the security scope. Otis took the lead working on network topology design with the Partners. Asmae handled the port assignments for the switches. Rossi ensured every AP and switch was tracked, and the MAC addresses were provided to Palo Alto Networks for DHCP assignments. Otis and Rossi spent two days in the server room with the NOC partners, ensuring every switch was working and configured correctly. Rossi also deployed and configured a remote Registration switch for Black Hat.

AP Placement Planning, by Sandro Fasser

In the weeks before deployment, our virtual Meraki team member, Aleksandar Dimitrov Vladimirov, and I focused on planning and creating a virtual Wi-Fi site survey. Multiple requirements and restrictions had to be taken into account. The report was based on the ExCel centre floor plans, the space allocation requirements from Black Hat and the number of APs we had available to us. Although challenging to create, with some uncertainties and often changing requirements due to the number of stakeholders involved, the survey’s AP placement for best coverage ended up being pivotal at the event.

Below is the Signal Strength plan for the Expo Hall Floor on the 5 GHz band. The original plan to go with a dual-band deployment was adjusted onsite and the 2.4 GHz band was disabled to enhance performance and throughput. This was a decision made during the network setup, in coordination with the NOC Leadership and based on experience from past conferences.

Upon arrival at the ExCel Centre, we conducted a walkthrough of the space that most of us had only seen as a floor plan and in some photos. Thanks to good planning, we could start deploying the 100+ APs immediately, with only a small number of changes to optimize the deployment on-site. As the APs had been pre-staged and added to the Meraki dashboard, including their location on the floor maps, the main work was placing and cabling them physically. During operation, the floor plans in the Meraki Dashboard were a visual aid to easily spot a problem and direct the team on the ground to the right spot, if something had to be adjusted.

As the sponsors and attendees filled each space, in the Meraki dashboard we were able to see in real time the number of clients connected to each AP, currently and over the course of the conference. This enabled a quick response if challenges were identified, or APs could be redeployed to other zones. Below is the ExCel Centre Capital Hall and London Suites, Level 0. We could switch between the four levels with a single click on the Floor Plans, and drill into any AP, as needed.

The Location heatmaps also provided important visibility into conference traffic, both on the network and in the footfall of attendees. Physical security is also an important aspect of cybersecurity; we need to know how devices move in the space, know where valuable assets are located and monitor their safety.

Below is the Business Hall at lunchtime, on the opening day of the conference. You can see no live APs in the bottom right corner of the Location heatmap. This is an example of adapting the plan to reality onsite. In past Black Hat Europe conferences, the Lobby in that area was the main entrance. Construction in 2022 closed this entrance. So, those APs were reallocated to the Level 1 Lobby, where attendees would naturally flow from Registration.

The floor plans and heatmaps also helped with the Training, Briefings and Keynote network resilience. Capacity was easy to add quickly, and we were able to remove it and relocate it after a space emptied.

Meraki API Integration for automatic device blocking

During our time in the NOC, we had the chance to work with other vendor engineers, and some use cases that came up led to interesting collaborations. One specific use case was that we wanted to block wireless clients that show malicious or bad behavior, automatically, once they had been identified by one of the SOC analysts on the different security platforms; in addition, we wanted to show them a friendly warning page that guides them to the SOC for a friendly conversation.

The solution was a script that can be triggered through the interfaces of the other security products and attaches a group policy through the Meraki Dashboard, including a quarantine VLAN and a splash page, via the Meraki APIs. This integration was just one of the many collaboration bits that we worked on.

Wi-Fi Air Marshal, by Jérémy Couture, Head of SOC, Paris 2024 Olympic Games

During the first day of training, in the Meraki dashboard Air Marshal, I saw packet flood attacks, against which we were able to adapt and remain resilient.

I also saw an AP spoofing and broadcast de-authentication attack. I was able to quickly identify the location of the attack, which was in the Lobby outside the Business Hall. Should the attacks continue, physical security had the information to intervene. We also had the ability to track the MAC address throughout the venue, as discussed in Christian Clasen’s section in part two.

From our experiences at Black Hat USA 2022, we had encrypted frames enabled, blunting the attack.

Meraki Dashboards, by Rossi Rosario Burgos

The Meraki dashboards made it very easy to monitor the health of the network APs and switches, with the ability to aggregate data, and quickly pivot into any switch, AP or client.

Through the phases of the conference, from two days of pre-conference setup, to focused and intense training the first two days, and the transition to the briefings and Business Hall, we were able to visualize the network traffic.

In addition, we could see the number of attendees who passed through the covered area of the conference, with or without connecting to the network. Christian Clasen takes this available data to a new level in Part 2 of the blog.

As the person with core responsibility for the switch configuration and uptime, the Meraki dashboard made it very simple to quickly change the network topology, according to the needs of the Black Hat customer.

Meraki Systems Manager, by Paul Fidler

If you refer back to Black Hat USA 2022, you’d have seen that we had over 1,000 iOS devices to deploy, with which we had several difficulties. For context, the company that leases the devices to Black Hat doesn’t use a Mobile Device Management (MDM) platform for any of their other shows… Black Hat is the only one that does. So, instead of using a mass deployment technology, like Apple’s Automated Device Enrollment, the iOS devices are “prepared” using Apple Configurator. This includes uploading a Wi-Fi profile to the devices as part of that process. In Las Vegas, this Wi-Fi profile wasn’t set to auto-join the Wi-Fi, resulting in the need to manually change this on 1,000 devices. Furthermore, 200 devices weren’t reset or prepared, so we had those to reimage as well.

Black Hat Europe 2022 was different. We took the lessons from the US and coordinated with the contractor to prepare the devices. Now, if you’ve ever used Apple Configurator, there are several steps needed to prepare a device. However, all of these actions can be combined into a Blueprint:

Instead of there being several steps to prepare a device, there’s now just one: applying the Blueprint!

For Black Hat Europe, this included:

  • Wi-Fi profile
  • Enrollment, including supervision
  • Whether to allow USB pairing
  • Setup Assistant pane skipping

There are plenty of other things that can be done as well, but this brings the time taken to enroll and set up a device down to around 30 seconds. Since devices can be set up in parallel (you’re only limited by the number of USB cables / ports you have), this really streamlines the enrollment and setup process.

Now, for the future, while you can’t export these Blueprints, they are portable. If you open Terminal on a Mac and type (the path contains spaces, so it must be quoted):
cd "/Users/<YOUR USER NAME>/Library/Group Containers/K36BKF7T3D.group.com.apple.configurator/Library/Application Support/com.apple.configurator/Blueprints"

You’ll see a file / package called something.blueprint. This can be zipped up and emailed to someone else, so they can then use the very same Blueprint! You may have to reboot your computer for the Blueprint to appear in Apple Configurator.

Device Naming / Lock Screen Messages

As mentioned, the registration / lead capture / session scanning devices are provided by the contractor. Obviously, these are all catalogued and have a unique device code / QR code on the back of them. However, during setup, any device name provisioned on the device gets lost.

So, there are three things we do to know, without having to resort to using the unwieldy serial number, which device is which.

  • The first thing that we do is to use the Meraki API to rename Systems Manager devices. The script created has some other functionality too, such as error handling, but it’s possible to do this without a script. You can find it here. This ensures that the device has a name: iOS devices default to being called iPhone or iPad in Systems Manager when they first enroll, so, already, this is extremely useful.
  • The second thing we do is to use a simple Restrictions profile for iOS, which keeps the physical device’s name in sync with that in the dashboard.
  • Lastly, we then use a Lock Screen payload to format the message on the device when it’s locked:

In the footnote, you’ll see Device Name and Device Serial in blue. This denotes that the values are actually dynamic and change per device. They include:

  • Organization name
  • Network name
  • Device name
  • Device serial
  • Device model
  • Device OS version
  • Device notes
  • Owner name
  • Owner email
  • Owner username
  • SM device ID

On the Lock Screen, it’s now possible to see the device’s name and serial number, without having to flip the device over (an issue for the registration devices, which are locked in a secure case) or open system preferences.

We also had integration with SecureX device insights, to see the security status of each iOS device.

With the ability to quickly check on device health from the SecureX dashboard.

Data Security

This goes without saying, but the iOS devices (Registration, Lead Capture and Session Scanning) do have access to personal information. To ensure the security of the data, devices are wiped at the end of the conference. This is extremely satisfying: hitting the Erase Devices button in Meraki Systems Manager, and watching the 100+ devices reset!

A Better Way to Design Training SSIDs/VLANs, by Paul Fidler

Deploying a network like Black Hat’s takes a lot of work, and repetitive configuration. Much of this has been covered in previous blogs. However, to make things easier for this event, instead of the 60 training SSIDs we had at Black Hat US 2022, the Meraki team discussed the benefits of moving to iPSKs with Black Hat NOC Leadership, which accepted the plan.

For context, instead of having a single pre-shared key for an SSID, iPSK functionality allows you to have 1000+. Each of these iPSKs can be assigned its own group policy / VLAN. So, we created a script:

  • That consumed networkID, SSID, Training name, iPSK and VLAN from a CSV
  • Created a group policy for that VLAN with the name of the training
  • Created an iPSK for the given SSID that referred to the training name

This only involves 5 API calls:

  • For a given network name, get the network ID
  • Get Group Policies
  • If the group policy exists, use that, else create a group policy, retaining the group policy ID
  • Get the SSIDs (to get the ID of the SSID)
  • Create an iPSK for the given SSID ID

The bulk of the script is error handling (the SSID or network doesn’t exist, for example) and logic!

The result was one SSID for all of training: BHTraining, and each classroom had its own password. This reduced the training SSIDs from over a dozen and helped clear the airwaves.
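The two Meraki API workflows described on this page, the five-call iPSK provisioning script above and the quarantine group policy from the automatic device blocking section, as an added example that is not the NOC team’s own script. It assumes the Meraki Dashboard API v1 endpoints for networks, group policies, SSIDs, identity PSKs and client policy, CSV columns named network/ssid/training/ipsk/vlan, and that a group policy named Quarantine already carries the quarantine VLAN and splash page in the dashboard; the transport is injected as a `call` function so the logic can be exercised offline.

```python
import json
import re
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"

def meraki_call(api_key):
    """Build a call(method, path, body) function for the Meraki Dashboard API v1."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(API_BASE + path, data=data, method=method, headers={
            "X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call

def find_network_id(call, org_id, network_name):
    """Call 1: resolve a network name to its ID; fail loudly if it does not exist."""
    for net in call("GET", f"/organizations/{org_id}/networks"):
        if net["name"] == network_name:
            return net["id"]
    raise LookupError(f"network {network_name!r} not found")

def get_or_create_group_policy(call, network_id, name, vlan_id=None):
    """Calls 2-3: reuse a group policy by name, else create one tagged to vlan_id."""
    for gp in call("GET", f"/networks/{network_id}/groupPolicies"):
        if gp["name"] == name:
            return gp["groupPolicyId"]
    if vlan_id is None:  # quarantine use: the policy must already exist in the dashboard
        raise LookupError(f"group policy {name!r} not found")
    body = {"name": name, "vlanTagging": {"settings": "custom", "vlanId": str(vlan_id)}}
    return call("POST", f"/networks/{network_id}/groupPolicies", body)["groupPolicyId"]

def provision_training(call, org_id, row):
    """Calls 1-5 for one CSV row (assumed columns: network, ssid, training, ipsk, vlan)."""
    network_id = find_network_id(call, org_id, row["network"])
    gp_id = get_or_create_group_policy(call, network_id, row["training"], row["vlan"])
    ssids = call("GET", f"/networks/{network_id}/wireless/ssids")  # call 4: SSID number
    numbers = [s["number"] for s in ssids if s["name"] == row["ssid"]]
    if not numbers:
        raise LookupError(f"SSID {row['ssid']!r} not found in {row['network']!r}")
    body = {"name": row["training"], "passphrase": row["ipsk"], "groupPolicyId": gp_id}
    return call("POST", f"/networks/{network_id}/wireless/ssids/{numbers[0]}/identityPsks", body)

def quarantine_client(call, network_id, client_mac, policy_name="Quarantine"):
    """Attach the (assumed pre-built) quarantine group policy to one wireless client."""
    mac = client_mac.lower()
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", mac):
        raise ValueError(f"malformed MAC address: {client_mac!r}")
    gp_id = get_or_create_group_policy(call, network_id, policy_name)
    body = {"devicePolicy": "Group policy", "groupPolicyId": gp_id}
    return call("PUT", f"/networks/{network_id}/clients/{mac}/policy", body)
```

Looping `provision_training(meraki_call(key), org_id, row)` over `csv.DictReader` rows reproduces the script’s bulk behaviour; a second run for the same training reuses the group policy instead of creating a duplicate.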

Acknowledgments

Thank you to the Cisco NOC team:

  • Meraki Network: Evan Basta, Sandro Fasser, Rossi Rosario Burgos, Otis Ioannou, Asmae Boutkhil, Jeffry Handal and Aleksandar Dimitrov Vladimirov
  • Meraki Systems Manager: Paul Fidler
  • Cisco Secure: Ian Redden, Christian Clasen, Aditya Sankar, Ryan MacLennan, Guillaume Buisson, Jerome Schneider, Robert Taylor, Piotr Jarzynka, Tim Wadhwa-Brown and Matthieu Sprunck
  • Threat Hunter / Paris 2024 Olympics SOC: Jérémy Couture

Also, to our NOC partners NetWitness (especially David Glover, Iain Davidson, Alessandro Contini and Alessandro Zatti), Palo Alto Networks (especially James Holland, Matt Ford, Matt Smith and Mathew Chase), Gigamon, IronNet, and the entire Black Hat / Informa Tech staff (especially Grifter ‘Neil Wyler’, Bart Stump, Steve Fink, James Pope, Jess Stafford and Steve Oldenbourg).

About Black Hat

For 25 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia. More information is available at: blackhat.com. Black Hat is brought to you by Informa Tech.
