Safety Cloud — Cisco Weblog

The view within the XDR Integrations person interface: 

Unleashing the Energy of Cisco XDR Automate at Black Hat Europe

With the ever-evolving technological panorama, automation stands as a cornerstone in attaining XDR outcomes. It’s certainly a testomony to the prowess of Cisco XDR that it boasts a completely built-in, sturdy automation engine.

Cisco XDR Automation embodies a user-friendly, no-to-low code platform with a drag-and-drop workflow editor. This progressive function empowers your SOC to hurry up its investigative and response capabilities. You’ll be able to faucet into this potential by importing workflows throughout the XDR Automate Change from Cisco, or by flexing your artistic muscle mass and crafting your individual.

Bear in mind from our previous blogs, we used automation for incident notifications into Webex, in addition to ‘Creating an Incident’ in XDR for Umbrella class blocks. Each these workflows had been spruced up and used extensively at Black Hat Europe 2024. We now see the final replace timestamp proper within the incident title itself and the Webex message, which vastly simplifies the understanding of a detection for our menace hunters.

The next automation workflows had been constructed particularly for Black Hat use circumstances: 

1. Cisco SMA Malicious submission – XDR incident and notification 
2. Cisco SMA – Monitor Non-Malicious paperwork submission 
3. Palo Alto Networks Firewall – Create Cisco XDR incident – V2 
4. Splunk – Corelight – Create Cisco XDR incident V2 
5. Splunk – ThousandEyes – Create XDR create incident V2 
6. Incident Enrichment – Add Room and Function 
7. Palo Alto Risk Logs to Splunk 

Moreover #1 and #3, the remainder of these workflows had been premiered at Black Hat Europe 2024, due to the work and inspiration of Ivan. 

Splunk Enterprise Safety Cloud, by Ivan Berlinson, Aditya Raghavan and Ryan Maclennan

To make our menace hunters’ lives richer with extra context from ours and our companions’ instruments, we introduced in Splunk Enterprise Safety Cloud at this Black Hat occasion to ingest detections from Cisco XDR, Safe Malware Analytics, Umbrella, ThousandEyes, Corelight and Palo Alto Networks and visualize them into practical dashboards for govt reporting. The Splunk Cloud occasion was configured with the next integrations:

1. Cisco XDR and Cisco Safe Malware Analytics, utilizing the Cisco Safety Cloud app
2. Cisco Umbrella, utilizing the Cisco Cloud Safety App for Splunk 
3. ThousandEyes, utilizing the Splunk HTTP Occasion Collector (HEC) 
4. Corelight, utilizing Splunk HTTP Occasion Collector (HEC) 
5. Palo Alto Networks, utilizing the Splunk HTTP Occasion Collector (HEC) 

The ingested knowledge for every built-in platform was deposited into their respective indexes. That made knowledge searches for our menace hunters cleaner. Looking for knowledge is the place Splunk shines! You start by merely navigating to Apps > Search and Reporting and typing your search question. You do have to know the Splunk Question Language (SQL) to construct your queries however that’s only a fast tutorial away.  

We discovered our manner by wanting on the knowledge and iterating. An instance of a easy seek for acquiring the depend of all alerts from the Suricata engine of Corelight logs is beneath.

The Visualization tab means that you can shortly convert this knowledge into a visible format for previewing. And now, off we went to construct search queries throughout all of the datasets we ingested. These search queries had been then aggregated and visualized into an govt view utilizing Splunk Dashboard Studio. Since we ended up with extra widgets than can slot in a single Government display screen, we utilized the tabbed dashboard function. The next two screenshots present the ultimate dashboards together with callouts for the sources of the assorted widgets. 

With the constitution for us at Black Hat being a ‘SOC inside a NOC’, the manager dashboards had been reflective of bringing networking and safety reporting collectively. That is fairly highly effective and will likely be expanded in future Black Hat occasions, so as to add extra performance and develop its utilization as one of many main consoles for our menace hunters in addition to reporting dashboards on the big screens within the NOC. 

Risk Hunters’ Story, by Ivan Berlinson

Through the Black Hat occasion, the NOC opens early earlier than the occasion Registration and closes after the trainings and briefings full for the day. Which means each menace hunter’s place should be lined by bodily, uninterrupted presence for about 11 hours per day. Even with the utmost dedication to your function, generally you want a break, and a brand new potential incident doesn’t wait till you’ve completed the earlier one.  

Aditya and I shared the obligations as Risk Hunters staffing the Cisco XDR, Malware Analytics and Splunk Cloud consoles, alternating between morning and afternoon shifts. Although in actuality each of us stayed on many of the day as we had a lot enjoyable writing automation workflows and constructing dashboards, in addition to finishing up our main obligations. 

An instance of a few of these workflows in motion collectively helped us search out a possible case of cryptomining within the NOC itself, through the early hours of Dec 12! Because of the Corelight and PANW firewalls integrations in XDR, we had ourselves a singular correlated incident, with detections from each companions.  

The workflows I constructed embody a examine to seek out any open incidents with the property and/or observables in query, to append the detection beneath course of. If there’s none, it will create a brand new incident. As we will see, the detection from Corelight got here in at 09:40 GMT, adopted by the detection from PANW firewalls a couple of minutes later.  

As new detections had been getting appended into the incident, I shortly up to date the automation workflows to incorporate a timestamp indicating the final seen sighting for that incident proper within the title. Whereas this may not be what you’ll do in a manufacturing surroundings, it vastly simplifies the power for our menace hunters to investigate all of the incidents as they arrive in.

As I investigated the incident, I uncovered one other detection that had are available simply earlier than, this time the supply of the detection was Umbrella and virtually went beneath the radar attributable to it bearing a decrease precedence rating. This incident got here in by the automation workflow used previously years. This offered the affirmation of the cryptomining exercise on the endpoint.  

Subsequent query – who is that this 10.X.X.X gadget? And may they be cryptomining at Black Hat? Thanks to a different automation workflow, with a click on of a Response motion of the Incident Response playbook we had attribution with bodily room title and site throughout the occasion heart from a pre-defined database for the recognized asset within the incident. 

Lo and behold – the asset was in Degree 3, Capital Suite, Room 1 linked to the NOC Wi-Fi; proper in the identical room as me! I had constructed one other automation workflow that brings in Corelight and PANW firewall menace detections into Splunk Cloud, by which we had been capable of monitor down the gadget within the room to a MacBook and an MAC handle.  

Time to faucet on somebody’s shoulder. 

Community Visibility with ThousandEyes, by Jessica Santos, MD Foysol Ferdous, Ryan MacLennan

Black Hat Europe 2024 is the sixth consecutive occasion with a ThousandEyes (TE) deployment. We unfold that visibility throughout core switching, Registration, the Enterprise Corridor, two- and four-day coaching rooms, and Keynote areas. Under is A number of the {hardware} Black Hat bought for the ThousandEyes brokers. 

We labored with Michael Spicer on the situation of the agent deployment to make sure consultant protection and the categories / frequency of scheduled testing.  

Optimizing Community Monitoring with Thousand Eyes 

We had a dashboard within the NOC, so the leaders and architect may see points in actual time, and ThousandEyes widgets within the Splunk govt dashboard, as seen earlier within the weblog.  

At Black Hat Europe 2024, we had an issue the place the ThousandEyes brokers had been exhibiting a excessive latency time to Azure. We had been receiving calls about entry to Azure being gradual, however being the proactive NOC we’re, we went forward and investigated what’s inflicting the excessive response time.  

We investigated the Azure Community path that’s recorded by ThousandEyes and located there are three locations the Azure standing portal makes use of.

Two of these locations are outdoors of the UK: one in america and one in Japan. For those who look within the screenshot above, you may see a single crimson hyperlink and it may be used for both the US or Japan Azure standing portal. That is the most probably trigger for the elevated response time we had been seeing in addition to the geographic distance. Seeing this, we SSH’ed into one the ThousandEyes brokers and used the HTTP’ing software to do an identical take a look at to Azure. Once we ran the take a look at to the Azure portal standing web page, we might see some regular response instances after which many latent response instances. This matched as much as what ThousandEyes reported. This led us to the conclusion that the Azure standing portal workload balances however doesn’t do geographic load balancing. 

With this knowledge, we determined to laborious code the IP of the UK server into the ThousandEyes take a look at to higher signify how attendees will entry Azure.   

ThousandEyes is a really highly effective software, and it is ready to decide whether or not the difficulty resides contained in the community or outdoors the place we can’t management it. Under is a screenshot of what number of totally different community paths can take to a single useful resource. This reveals the significance of with the ability to pinpoint precisely the place a problem is happening. 

Meraki Methods Supervisor, by Paul Fidler and Connor Loughlin

Our fourth 12 months of deploying Meraki Methods Supervisor at Black Hat Europe, because the official Cellular Units Administration platform, went very easily. We launched a brand new caching operation to replace iOS gadgets on the native community, for pace and effectivity. Going into the occasion, we deliberate for the next variety of gadgets and functions: 

• iPhone Lead Scanning Units: 68 
• iPads for Registration: 9 
• iPads for Session Scanning: 12 
• Variety of gadgets deliberate in whole: 89

We registered the gadgets upfront of the occasion. Upon arrival, we turned every gadget on.  

The Wi-Fi profile that we’d like for the Black Hat iOS gadgets was not put in. Nonetheless, I introduced a Meraki Z3C, with mobile and Wi-Fi functionality. I’d introduced this as a result of it usually takes a few days to get Wi-Fi down in Registration, the place we arrange the gadgets earlier than deployment. So, inside actually 15 seconds, I’d spun up a brand new SSID, prefixed it with a full cease in order that it appeared on the prime of the out there Wi-Fi networks, and earlier than the primary iOS gadget had powered on, the Z3C was broadcasting this. So, with only a handful of seconds toil on every gadget, we’d bought them connecting again to Meraki Dashboard to get the proper Wi-Fi profile. 

Extra ache: Location companies

Location companies is a ache level for cell gadget administration. Firstly, you need to make sure that Location is NOT skipped on the time of gadget supervision utilizing Apple Configurator. Which means it’s an additional step on the time of enrollment (that means half a second of toil), relatively than having to open settings, scroll right down to Privateness, then Location, then flick the toggle. Sadly, this was skipped for the occasion preparation by the contractor, so we needed to allow manually this for every gadget. 

Location of gadgets is essential for theft retrieval or if the gadget is misplaced. Location is enabled by opening the System Supervisor app and tapping Location, then Allow, then “While utilizing the appliance.” You’ll be able to then faucet it once more and click on “At all times enable” which permits for location when the app is within the background. Due to (and that is the place you could possibly find yourself in a heated dialogue) Apple’s stance on privateness, it’s such a disgrace that this will’t be managed. 

Under is a fast screenshot of the Z3C shopper dashboard after an hour of the gadgets being turned on. 

Fascinating to see the place the gadget is asking out to, within the screenshot beneath. 

Utility Updates 

Having functions up to date in the course of an occasion can have disastrous penalties. While there isn’t an total setting or restriction to stop this, it’s potential to do it on the software layer. And, after all, Meraki Methods Supervisor allowed us to do that for all apps on the identical time. 

OS Updates 

I feel this goes with out saying, however the skill to remotely replace gadgets within the occasion of an pressing vulnerability repair is invaluable, like we had final 12 months in Las Vegas with Apple. 

Firewall Guidelines 

The safety of the Registration community is paramount as there’s Private Figuring out Data knowledge on this community. So, we’ve some fairly strict inbound and outbound guidelines. 

Managing Apple gadgets requires that 17.0.0.0/8 be stored open for port 80 and 443 visitors. Moreover, Meraki means that you can obtain a dynamically created listing of servers that it must be open to in order that endpoints might be managed. However, as we’re utilizing Cisco Umbrella and AMP (Safe Endpoint), there’s an entire host of different endpoints that must be opened. These are listed right here.  

Content material Caching 

One of many largest issues affecting the iOS gadgets at previous Black Hat occasions was the rapid have to each replace the iOS gadget’s OS attributable to a patch to repair a zero-day vulnerability and to replace the Black Hat iOS app on the gadgets. On the USA occasions, there are tons of of gadgets, so this was a problem for every to obtain and set up. So, I took the initiative into wanting into Apple’s Content material Caching service constructed into macOS. 

Now, simply to be clear, this wasn’t caching EVERYTHING… Simply Apple App retailer updates and OS updates. 

That is turned on withing System Setting and begins working instantly.  

I’m not going to get into the weeds of setting this up, as a result of there’s a lot to plan for. However I’d recommend that you simply begin right here. The setting I did change was: 

I checked to see that we had one level of egress from Black Hat to the Web. Apple doesn’t go into an excessive amount of element as to how this all works, however I’m assuming that the caching server registers with Apple and when gadgets examine in for App retailer / OS replace queries, they’re then advised the place to look on the community for the caching server. 

Instantly after turning this on, you may see the default settings and metrics: 

And after having this run for a while: 

Now, helpfully, Apple additionally pop this knowledge periodically right into a database positioned at:  

Library/Utility Help/Apple/AssetCache/Metrics/Metrics.db in a desk referred to as ZMETRICS. 

That is additionally out there in Exercise Monitor. 

And with a small variety of gadgets, you may see how shortly the server begins decreasing the affect on the WAN. Now, given the above, getting the info from the command line often is painful, particularly within the format that it’s introduced.  

Apple, helpfully, enable to append a –j to the top of the standing command to current the knowledge in JSON: 

{"title":"standing","end result":{"Activated":true,"Energetic":true,"ActualCacheUsed":2327774501,"CacheDetails":{"iCloud":109949295,"iOS Software program":20800617,"Mac Software program":11984379,"Different":2226505758},"CacheFree":247630759951,"CacheLimit":250000000000,"CacheStatus":"OK","CacheUsed":2369240049,"MaxCachePressureLast1Hour":0,"Dad and mom":[],"Friends":[],"PersonalCacheFree":249890050705,"PersonalCacheLimit":250000000000,"PersonalCacheUsed":109949295,"Port":49181,"PrivateAddresses":["10.10.10.10"],"PublicAddress":"X.X.X.X","RegistrationStatus":1,"RestrictedMedia":false,"ServerGUID":"FDE578EE-XXXX-XXXX-XXXX-102B60869501","StartupStatus":"OK","TetheratorStatus":0,"TotalBytesAreSince":"2024-12-12 11:58:04 +0000","TotalBytesDropped":0,"TotalBytesImported":0,"TotalBytesReturnedToChildren":0,"TotalBytesReturnedToClients":11482694,"TotalBytesReturnedToPeers":0,"TotalBytesStoredFromOrigin":1164874,"TotalBytesStoredFromParents":0,"TotalBytesStoredFromPeers":0}}

ThousandEyes Agent for the Caching Server 

On condition that we’ve an Apple MacMini on the Registration community, it was a easy choice to put in the ThousandEyes macOS agent on it systematically utilizing Meraki Methods Supervisor. 

This may be downloaded from Endpoint Brokers > Agent Settings > Add new Endpoint Agent.

Nonetheless, as I discovered to my detriment, there’s not but a Common installer, so be sure you get your processor structure proper (ARM vs x86!) 

In Meraki Methods Supervisor, we configure the app like this: 

Now, we talked earlier about firewall settings. A System Supervisor customized app might be hosted in two methods: 

• Hosted by yourself Infra or 
• Meraki will host it 

For those who’re selecting the latter, simply be aware that Meraki really hosts it on AWS. Particulars right here. 

So, just remember to have the suitable AWS occasion open in your firewalls, or host packages your self.  

Checking with the PANW firewall staff, we decided the caching server saved 5% of the visitors for the week, releasing up bandwidth for coaching and demos. For Black Hat Asia 2025, we plan to discover learn how to host Home windows Updates, a big client of bandwidth, on the primary day of coaching and briefings. 

Maintaining with Encrypted DNS, by Christian Clasen and Justin Murphy 

For the previous couple of years, we’ve been using the PANW edge firewalls to redirect outbound DNS queries in direction of our inner resolvers. This closed a spot in coverage and visibility that existed for attendees on the Black Hat occasion. As evidenced by the DNS Statistics charts later within the weblog, the technique paid off with a noticeable bounce in noticed queries. However because it so typically goes in expertise (and safety in particular), a majority of these methods can result in an arms race of types. 

In those self same years, browser and working system builders have expanded the deployment of encrypted DNS protocols. Along with wrapping DNS in uncooked TLS and HTTPS, extra unique applied sciences at the moment are within the combine. Chief amongst them is Apple’s implementation of Oblivious DNS over HTTPS (ODoT). The aim of ODoT is to stop the snooping of DNS queries –not simply on the native LAN, but in addition by the DNS suppliers themselves. I offered an summary of this expertise in my “Historical past of DNS Safety” Cisco Reside discuss. 

The gist of the ODoH is as follows:  

• The “first hop” recursive DNS resolver accepts receives the shopper lookup, however the shopper has accomplished one thing sneaky to stop this preliminary resolver from figuring out what the area title is that the shopper is on the lookout for. It has wrapped the unique question in an encrypted blob and added a bogus title to the “outer” message.
• When the recursive resolver sends the question upstream to the authoritative title server for the “bogus” area, the message might be decrypted as a result of that title server is an ODoH-aware server that expects this encrypted message! 
• The server sees the question data and might recurse the DNS for the reply as regular however isn’t made conscious of the unique shopper IP…it is just servicing the primary recursive resolver as its shopper.

This separation of duties ensures that, within the absence of collusion between the primary and second DNS suppliers, a shopper and its queries can by no means be correlated, and helpful monitoring is rendered unattainable. 

Apple implements this structure in its Non-public Relay function. Along with all of the privateness options detailed above, Non-public Relay makes use of QUIC to move packets to Apple making the communication much more opaque to community operators like us within the Black Hat NOC. The vast deployment of Non-public Relay has led to a drop in DNS queries evaluated and logged by Umbrella.  

We introduced our observations and advice to the NOC Leaders, who determined it will be greatest to attempt to block these protocols (DoT, DoH and Non-public Relay) for higher visibility. The morning of final day, we added the coverage to Umbrella. 

We instantly noticed blocks for domains related to Apple’s MASQUE proxies within the exercise search, in addition to these utilized by Android telephones for DoT. The tip person expertise was not impacted.  

Over 129k of those blocks occurred from 11:05am to the shutdown at 6pm on the final day, 12 December. 

We’ll proceed this coverage going ahead at different Black Hat occasions and monitor the statistics as traditional. 

DNS Statistics, by Christian Clasen and Justin Murphy 

We will see the bounce in queries attributable to compelled DNS redirection on the edge, and the drop as a result of growth of Apple Non-public Relay (see earlier weblog part for detailed evaluation). 

The highest classes for 2024 (and 2023) are beneath.  

Umbrella tracks the distinctive apps connecting to community. We noticed a marked improve in GenAI. If wanted, we will block apps that display a menace to the convention. 

2021: 2,162 apps 

2022: 4,159 apps  

2023: 4,340 apps 

2024: 4,902 apps 

All in all, we’re very pleased with the collaborative efforts made right here at Black Hat Europe by each the Cisco staff and our companions within the NOC. Nice work everyone! 

Black Hat Asia will likely be in April 2025, on the Marina Bay Sands, Singapore…hope to see you there! 

Acknowledgments 

Thanks to the Cisco NOC staff: 

• Cisco Safety: Ivan Berlinson, Aditya Raghavan, Christian Clasen, Justin Murphy and Ryan Maclennan 
• Meraki Methods Supervisor: Paul Fidler and Connor Loughlin
• ThousandEyes: MD Foysol Ferdous and Jessica Santos
• Extra Help and Experience: Tony Iacobelli and Abhishek Sha

Additionally, to our NOC companions Palo Alto Networks (particularly James Holland and Jason Reverri), Corelight (particularly Dustin Lee and Mark Overholser), Arista Networks (particularly Jonathan Smith), and the whole Black Hat / Informa Tech workers (particularly Grifter ‘Neil Wyler’, Bart Stump, Steve Fink, James Pope, Michael Spicer, Jess Stafford and Steve Oldenbourg). 

About Black Hat 

Black Hat is the cybersecurity business’s most established and in-depth safety occasion sequence. Based in 1997, these annual, multi-day occasions present attendees with the most recent in cybersecurity analysis, improvement, and tendencies. Pushed by the wants of the group, Black Hat occasions showcase content material straight from the group by Briefings displays, Trainings programs, Summits, and extra. Because the occasion sequence the place all profession ranges and educational disciplines convene to collaborate, community, and talk about the cybersecurity matters that matter most to them, attendees can discover Black Hat occasions in america, Canada, Europe, Center East and Africa and Asia at: Black Hat.com. Black Hat is delivered to you by Informa Tech. 

Share: