Black Hat USA 2024: SOC within the NOC

[ad_1]

The Black Hat Community Operations Heart (NOC) supplies a high-security, high-availability community in one of the crucial demanding environments on the planet: the Black Hat occasion.

The NOC companions are chosen by Black Hat, with Arista, Cisco, Corelight, Lumen, NetWitness and Palo Alto Networks delivering from Las Vegas this 12 months. Cisco is the official Area Identify Service, Malware Evaluation and Cellular Machine Administration supplier. The Meraki group is writing a weblog concerning the experiences in defending and managing the Black Hat cell gadgets.

The companions additionally present built-in safety, visibility and automation: a Safety Operations Heart (SOC) contained in the NOC, with Grifter ‘Niel Wyler’ and Bart Stump because the leaders.

Promotional images for the black hat Network Operations Center, in partnership with Arista, Cisco, Corelight, Lumen, Netwitness, and Palo Alto Networks

Integration is essential to success within the SOC of the NOC. At every convention, we now have a hack-a-thon to create, show, take a look at, enhance and eventually put into manufacturing new or improved integrations. To be a NOC accomplice, you have to be prepared to collaborate, share Automated Programming Interface (API) keys and documentation, and are available collectively (whilst market opponents) to safe the convention for the great of the attendees.

Promotional banner for the Black Hat Network Operations Center, showing a map of all of the Black Hat USA 2024 SOC Integrations

XDR integrations

Cisco joined the Black Hat NOC in 2016, when requested to offer automated malware evaluation with Risk Grid. The Cisco contributions to the community and safety operations advanced, with the wants of the shopper, to incorporate extra parts of the Cisco Safety Cloud:

The NOC leaders allowed Cisco (and the opposite NOC companions) to herald further software program to make our inner work extra environment friendly and have higher visibility. Nonetheless, Cisco is just not the official supplier for Prolonged Detection & Response (XDR), Community Detection & Response or Collaboration.

  • Cisco XDR: Community Visitors Visibility and Risk Detection/Risk Looking/Risk Intelligence Enrichment/Government Dashboards/Automation
  • Cisco Webex: Incident notification and group collaboration

The Cisco XDR command middle dashboard tiles made it straightforward to see the standing of every of the related Cisco Safety applied sciences, the general menace panorama and the standing of community availability as monitored by ThousandEyes brokers.

Under are the Cisco XDR integrations for Black Hat USA, empowering analysts to analyze Indicators of Compromise (IOC) in a short time, with one search. We admire alphaMountain.ai, Pulsedive and Recorded Future donating full licenses to the Black Hat USA 2024 NOC. Additionally, take a look at the weblog on XDR turning one 12 months outdated and the affect of Black Hat occasions.

One of many new integrations this 12 months was with a utility written by certainly one of our SOC group members. Each safety skilled — particularly SOC analysts and responders — have a sequence of “fast lookup” type instruments that they use to reply numerous questions on artifacts in an investigation. Shodan is a superb instance; “given an IP handle, what providers is that IP offering, and what software program are they utilizing to offer it?”. Paste the IP into Shodan, and you’ll probably get your reply. With the Shodan integration in XDR, you don’t even have to repeat and paste — simply click on the IP after which within the drop down menu, click on the Shodan hyperlink. However there are lots of of such instruments…

Screenshot of the integration server template

Ben took one of many integration server templates that Cisco Safety printed on Github and modified it to our wants. He then hosted it on his cloud supplier of alternative, added it to our XDR configuration and will add these easy pivots to XDR on the fly. A easy edit of a textual content file on the server and we may soar from any observable to any new related reference website that anybody had steered.

Cisco XDR is constructed on the beliefs of an open integration framework, with printed information fashions, API specs and pattern code obtainable to be modified or used as examples/tutorials (together with precise tutorials at DevNet). This dedication to extensibility permits for modifications such because the above with out requiring any motion from the XDR growth or product groups, permitting clients to tailor XDR to their distinctive wants.

For instance, an IP tried <AndroxGh0st> Scanning Visitors towards the Registration Server, blocked by the Palo Alto Networks firewall.

Investigation of the IP confirmed: It was identified malicious.

Screenshot of the IP that was identified as malicious

Additionally, the geo location is in RU and identified affiliated domains. With this data, the NOC management accepted the shunning of the IP.

Screenshot of the Cisco Umbrella page showing the geolocation of the IP address to be originating from RU

XDR: Asset visibility

By: Ben Greenbaum

Screenshot of insights from the Meraki Systems Manager

Because the Black Hat community evolves, totally different distributors are given alternatives to carry their merchandise into the toolbox. Because of this ongoing biking, we didn’t have entry to the depth of intelligence beforehand supplied by deployment of a Meraki wi-fi infrastructure. Nonetheless, as a result of functionality constructed into XDR Asset Insights to add a customized CSV file of property, we have been in a position to simply operationalize identified community topography into investigative and response operations.

One of many distinctive challenges of the Black Hat surroundings is how totally different it’s from a “regular” buyer’s manufacturing community. We’ve got just a few hundred gadgets whose safety is our major aim, however tens of 1000’s of unmanaged (and sometimes hostile) gadgets within the native community which we wish to defend from one another and defend the skin world from. This distinctive association very a lot drives house the worth that an EDR brings to an XDR answer. With out good endpoint visibility, the problem is much higher. The good thing about an open XDR strategy that’s not an evolution of an present EDR providing is that it may be certainly one of a number of EDRs, however “one” is preferable to none.

Malware Analytics

By: Ben Greenbaum

Cisco Malware Analytics (previously Risk Grid) was once more used because the backend file evaluation and malware detection engine. We supported our companions from CoreLight and Netwitness, with evaluation of recordsdata pulled from clear textual content (convention attendee) and choose encrypted classes (crucial infrastructure).

Screenshot of the Secure Malware Analytics dashboard

As common, the recordsdata present in clear textual content communications have been a superb indicator of what sorts of data might be anticipated to be leaked by a crowd of safety professionals, and this 12 months the end result rated a stable “much less terrible.” Probably spicy content material included numerous PII (names, employers, positions, e-mail addresses, and many others.) from Black Hat receipts and some company e-mail attachments. 

And whereas Umbrella did alert us to some wandering infections phoning house, we are able to say that at the least no malware was transferred…within the clear.

By: Aditya Sankar

Cisco XDR features a built-in automation functionality referred to as XDR automation. In case you have heard of Safety Orchestration Automation Response (SOAR), Cisco XDR has the complete suite of SOAR options. That features the flexibility to drag-and-drop prebuilt code blocks in a selected sequence to create a customized workflow, executing arbitrary API calls to function one-click response actions and creating guidelines to set off workflows primarily based off a schedule or another standards.

We’ve got been utilizing XDR Automate at Black Hat for 3 years to enhance the Cisco providers to our joint buyer, Black Hat, and have carried out quite a lot of use circumstances. Nonetheless, this has usually required fairly a little bit of time to study APIs and create a very customized workflow. With the most recent XDR Automation Change, the Change web page is used to search out, view, set up and uninstall pre-written workflows which were launched or accepted by Cisco engineers and content material suppliers. Workflows authored by the neighborhood have handed a fundamental high quality examine and are supported by the Cisco DevNet Group on a best-effort foundation. The Exchanges helps allow collaboration between workflow creators and moreover reduces the time it takes for a consumer to expertise worth from XDR automation.

Shout out to Ivan Berlinson, who wrote a workflow to tug menace logs from the Palo Alto Networks API and create Incidents in Cisco XDR. Since Ivan was variety sufficient to publish the workflow to the Change, it was extraordinarily straightforward to import the workflow and get it operational. Putting in a workflow from the alternate is actually like strolling by way of a configuration wizard. It features a description of what the workflow does, the required targets and variables, in addition to a contact individual for assist. Here’s what the workflow seems like within the Change simply earlier than set up.

Screenshot of the Palo Alto Networks Firewall incident displayed in Cisco XDR.

This workflow requires Automation distant, on-premises digital machine deployed over ESXi to make sure correct connectivity to the Palo Alto Panorama equipment. Shoutout to Matt Vander Horst who helped with the vCenter required to deploy the Automation distant equipment. The Change prompts the consumer to offer values for the required variables and choose the suitable on-premises goal.

Screenshot of the workflow installation screen

Then the workflow is put in and scheduled to run each quarter-hour by way of an automation rule.

Screenshot of the Palo Alto Networks Firewall incident in Cisco XDR

This workflow makes use of the PAN-OS XML API to question for menace logs at this path <?sort=log&log-type=menace&nlogs=50>. This kicks off a search job. As soon as the search job is finished, the workflow retrieves the outcomes and begins parsing the menace logs. A Cisco Risk Intelligence Mannequin (CTIM) sighting is created for every particular person menace log and grouped collectively by inner host IP. Subsequent, a CTIM indicator with the outline of the menace log and a relationship to the corresponding sighting are each created. Lastly, an incident bundle is created with the sighting, relationship and indicator entities and posted to the XDR API. The workflow has logic in-built to examine for duplicate incidents and present indicators.

Screenshot of the Palo Alto Firewall search query

Here’s what one of many incidents that was created from this automation workflow seems like in Cisco XDR. This gave us as analysts within the SOC an amazing start line for an investigation.

Screenshot of the HTTP Director Traversal Vulnerability in Cisco XDR

These Palo Alto Community menace logs point out a listing traversal assault that goals to entry recordsdata and directories which can be saved outdoors the net root folder. PAN Firewall alerts on listing traversal and accessing </and many others/passwd> from supply IP 192.168.130.86 on basic attendee Wi-Fi to vacation spot IP <104[.]198.XXX.2XX>, which resolves to < yXXXXis[.]celebration>. This area is marked as suspicious by a number of menace intelligence sources and has a medium threat rating of 72 in Cisco Umbrella. The host then proceeded to obtain recordsdata from <file://var/run/secrets and techniques/> host with fundamental authentication within the HTTP POST header. This exercise was then correlated to comparable classroom exercise, however the host MAC handle was not seen in any school rooms.

Screenshot of the location data and host MAC address in Cisco Umbrella
Screenshot of the risk score

The vacation spot IP reveals unknown with XDR menace intelligence, however the area it resolves to appears to be suspicious and it’s hosted within the Russian Federation, as seen within the Umbrella console. Listed here are further particulars supplied by the Corelight group in our energetic Risk Looking Slack chanel: HTTP POST exercise to the vacation spot in query reveals a fundamental authentication token that decodes to <admin:p034BHUSA43op> which does appear like it’s getting used for Black Hat coaching because it says BHUSA within the password. Nonetheless, this supply host’s MAC handle was not seen in any school rooms, solely on the final Wi-Fi.

Screenshot of the MAC information
Screenshot of the results served

We did discover the host making comparable queries like <uri = /token$/ uri=/kubernetes/>, which have been seen within the Superior Infrastructure Hacking class, however it isn’t sufficient to attribute this exercise to a category. Anyhow, this habits usually shouldn’t be seen on the final Wi-Fi. On this state of affairs, we didn’t take any motion of blocking the vacation spot IP or forcing a captive portal for host IP for the reason that Black Hat community goals to watch for assault and abuse, however not block malicious site visitors.

Ivan Berlison additionally supplied one other workflow to supply an XDR Incident when a file is convicted in Cisco Safe Malware analytics. Corelight, in addition to NetWitness, carve recordsdata off the community and submit them to be detonated in Safe Malware Analytics. Here’s what the XDR incident seems like when a file with a menace rating above 90 is seen:

Screenshot of Secure Malware Analytics: Malicious Detection as displayed in Cisco XDR

We had an exquisite time innovating and investigating at Black Hat USA 2024! The XDR automation alternate was an enormous help in including extra automation capabilities with very minimal customized work. Try AJ Shipley’s weblog on how utilizing Cisco XDR at Black Hat has accelerated our open ecosystem. We’ll be again once more subsequent 12 months, so lengthy Black Hat!

Splunk Assault Analyzer (SAA)

By: Ryan MacLennan

Splunk Assault Analyzer (SAA) is a brand new addition to our deployment. As it’s possible you’ll know, Cisco acquired Splunk this 12 months. Due to this new acquisition we labored with our counterparts in Splunk to get their SAA product provisioned for our use at Black Hat. SAA is a file and URL evaluation platform much like Safe Malware Analytics. SAA makes use of a classy set of standards to find out which engine could be finest suited to evaluation — like internet analyzer, static file evaluation, e-mail analyzer, signature engines and/or the sandbox. Whereas the product is able to dynamic and static evaluation, we selected to do solely static evaluation for our use at Black Hat.

What is really highly effective concerning the evaluation of SAA is its assault chain following functionality: The flexibility to intelligently decide how a human would click on on gadgets in a webpage. It’ll observe hyperlinks, obtain recordsdata and analyze further indicators from community connections, identified malicious recordsdata, an unknown malicious file that’s analyzed on the fly, phishing domains and extra. It’ll observe a logical circulate like a human to find out the trail to compromise. This was attention-grabbing to see in our surroundings because it confirmed the trail from a file, the hyperlinks present in it, to totally different web sites, and every step of the trail had a screenshot for us to observe alongside.

For example, we now have a PDF that was submitted to SAA. It discovered hyperlinks within the file and adopted them to see if they might result in one thing malicious. I’ve blocked out a lot of the URLs, however we are able to see the way it went by way of the PDF information and clicked on the hyperlinks to search out out the place it could go.

Screenshot from the SAA Attack Analyzer

After SAA did its factor, we may have a look at the file in query and the screenshots that it took. We discovered that this file was the information utilized in a coaching room and every hyperlink was a reference to an article, a coaching useful resource (self-hosted and official), or different informational sources a scholar might have.

We have been ready so as to add this integration with the assistance of our accomplice Corelight. We talked to them on day one they usually have been excited to get a brand new integration developed with SAA. A number of hours later, we had an integration with them. This was a tremendous instance of how all of us come collectively to make the NOC higher at Black Hat yearly.

Umbrella DNS

By: Christian Clasen and Justin Murphy

In case you have learn the earlier Black Hat NOC/SOC reviews, that in 2023, we made a change to the DNS design. In prior conferences, we assigned inner forwarders to shoppers by way of DHCP, however didn’t power their use. Primarily, attendees may use any DNS resolvers they selected, and we didn’t intrude. The change we carried out was to start forcibly redirecting DNS site visitors to the on-premises DNS forwarders. You’ll be able to see within the statistics above that this modification prompted a big soar in queries processed by Cisco Umbrella — from 54.4 million to 79.3 million.

The steep improve in question depend was not sudden. What was sudden, nevertheless, was a lower in question depend between 2023 and 2024. Whereas we don’t know the exact reason for this drop, we do have some theories and methods we are able to take a look at them going ahead.

One doable rationalization is the prevalence of encrypted DNS protocols. In recent times, the business has turned its consideration to the privateness, integrity and authenticity issues inherent within the plain-text DNS protocol. To unravel a few of these points, “last-mile” encryption has develop into a favourite of OS and browser distributors. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are solely a few the most well-liked methods to encrypt DNS between the shopper and the recursive resolver.

Detecting all encrypted DNS might be tough and counting the queries not possible. It is because TCP is the chosen transport for DoH and DoT, and this enables the shopper to pipeline a number of queries over one long-lived TCP and TLS session. However what we are able to typically discover are the “bootstrap” plain-text DNS queries that allow to shopper to search out the encrypted DNS server. By working a report in Umbrella for the class “DoH and DoT”, we are able to get a deal with on the most well-liked of those providers:

Screenshot of the most popular DoH and DoT services

The entry for <dns.google> is almost definitely indicative of Android cell gadgets who use this DoT resolver by default. The depend of queries for that individual service is prone to be greater as a result of the classes on these gadgets are identified to be short-lived if queries will not be frequent sufficient.

On this report, we additionally see “canary” domains similar to <canary.masks.icloud.com> and <use-application-dns.web>. The latter area is utilized by Firefox to detect when it ought to fall again to unencrypted DNS on the community. Extra particulars on how Umbrella interacts with these is written up within the Umbrella assist article for internet browsers and DoH default.

Going ahead, we are going to monitor the statistics of those protocols on the convention networks and see what different data we are able to collect utilizing the complete packet seize capabilities of our companions and the menace looking capabilities of Cisco XDR. You’ll be able to count on this matter to be expanded on within the subsequent convention report.

One of many major causes to at the least monitor DNS is to grasp developments and the way the community at Black Hat is getting used from a excessive degree. There are a lot of insights that may be gained from forcing DNS by way of a centralized service with intelligence. DNS queries exist for locations that host every part from Malware, Crypto Mining and Phishing to content material classes like Social Media, Finance and Unlawful Actions. Moreover, these domains might be categorized into particular purposes as effectively. With the App Discovery report in Umbrella, these domains are grouped by software, figuring out the potential use of 1000’s of purposes. This might be internet apps or different desktop/cell apps.

As all the time, we proceed to see an increase in app utilization at Black Hat:

  • BHUSA 2019: ~3,600
  • BHUSA 2021: ~2,600
  • BHUSA 2022: ~6,300
  • BHUSA 2023: ~7,500
  • BHUSA 2024: ~9,300
Screenshot of a graph showing app category and risk at Black Hat USA
General Most Widespread App Classes

This 12 months there was one stand out Software Class that has been rising in reputation: Generative AI. It’ll probably be no shock that there are extra attendees and their instruments utilizing Generative AI. We’ve got gone from seeing it as a footnote in logs to reporting it at RSAC 2024, as we noticed 80 totally different Generative AI instruments getting used.

Evaluate this to Black Hat 2024, only a few months later, the place the full quantity has jumped to 194.

Black Hat USA 2024

This doesn’t seem like only a distinction in conferences, however relatively a rising pattern and acceptance of those instruments.

Community Assurance

By: Adam Kilgore, Shimei Cridlig, Shannon Wellington and Justin Murphy

The ThousandEyes deployment launched at Black Hat USA 2023 one 12 months in the past. At that convention, we spent many lengthy shifts growing the configurations, design, and procedures that fashioned the premise for our convention protection. The deployment was additional improved and streamlined at Black Hat London and Black Hat Asia. At this 12 months’s Black Hat USA 2024, we have been able to increase our protection considerably whereas persevering with to refine our procedures.

New {hardware}

We added 20 Orange Pi gadgets at Black Hat 2024, along with the 8 Raspberry Pi gadgets we deployed in 2023. We’re nonetheless effectively wanting the proverbial thousand eyes, however 28 is much more than 8. We deployed our new fleet of Orange Pi gadgets to watch the wi-fi community, whereas the outdated Raspberry Pi gadgets have been used for wired monitoring of Registration, the NOC and core community gadgets.

Orange Pi configuration

Man working at a table in a conference room; the table is completely covered in cords and power strips.
Our setup desk for preliminary deployment

Mike Spicer put in lots of time to develop new configuration and deployment procedures for the Orange Pi gadgets earlier than the convention. We have been ready to make use of a script and a small native community to configure every Orange Pi with a particular SSID and PSK. As soon as the Pi gadgets have been configured and the goal entry factors have been deployed, every Pi was walked to its goal coaching room the place it could routinely connect with the entry level (AP) on bootup and start working its scheduled monitoring exams.

Even with the scripting and automation, the configuration stage nonetheless resulted in a mass of wires (pictured above). Deploying the Pi gadgets resulted in additional strolling than the typical attendee would expertise in a convention (not pictured).

Expanded wi-fi protection

Screenshot of the dashboard showing monitored agents during briefings
A dashboard of monitored brokers throughout briefings

With the extra brokers, we have been in a position to deploy to extra Black Hat coaching rooms. The expanded visibility allowed us to catch extra issues earlier than the coaching rooms went dwell, together with a misconfigured PSK, an SSID that wasn’t broadcasting and an SSID that broadcast however didn’t have web connectivity. We’d like to have an agent for every coaching room for full visibility and validation heading into the convention, however we’re pleased with what we caught and the extra confidence the brokers supplied heading into the coaching days.

Because the convention shifted from trainings to the briefing days, we shifted our protection from the biggest coaching classes to giant briefing rooms and heavy-traffic areas like the doorway and Enterprise Corridor. Whereas we nonetheless needed to make robust strategic selections about what to cowl and what to not cowl, we have been nonetheless in a position to unfold brokers throughout every flooring for basic visibility.

Troubleshooting

Our experiences over the previous three conferences had produced well-established troubleshooting procedures and paperwork for the Raspberry Pi gadgets, however the Orange Pi devicess offered recent challenges. We had round 25% of our deployed Orange Pi gadgets require troubleshooting in the course of the first 24 hours after deployment, a regarding charge. Log evaluation revealed the wi-fi NIC changing into disconnected and the USB getting into a disconnect loop (the wi-fi NIC is related by way of USB on the Orange Pi gadgets). The issues with the wi-fi NIC and USB result in a recurring ThousandEyes agent core recordsdata — a tough set of issues.

Nonetheless, these points turned out to be remoted relatively than widespread, and by the tip of the convention we had a full wi-fi deployment that was staying up all day and in a single day as effectively. For what turned out to be remoted wi-fi issues, we developed troubleshooting procedures and documentation.

Automated ticketing

A brand new ticketing system was rolled out at this convention that may create tickets in Slack primarily based on ThousandEyes information or reported points. Under is a ticket created primarily based on TE alerts for a particular convention room in the course of the first morning of briefings.

Screenshot of a ticket generated from latency reporting
A ticket generated from ThousandEyes latency reporting

The dashboards in ThousandEyes allowed us to offer fast visible data that confirmed which convention rooms have been experiencing the worst latency, alongside a comparability of latency throughout reporting rooms.

Screenshot from the ticket showing high latency
A screenshot uploaded to the ticket, exhibiting latency within the reported room

The automated reviews behind every dashboard entry supplied extra granular data, together with site visitors path and the latency alongside every leg within the site visitors path.

Screenshot showing latency in the default gateway
A screenshot uploaded to the ticket that reveals thelatency to the default gateway

The brand new ticketing system allowed screenshots like those above to be aggregated within the ticket for group communication and document conserving.

Troubleshooting WorkflowOn 08/06/2024 at 15:00, we noticed excessive latency to our Inner Umbrella DNS take a look at from the South Seas D Hallway and Enterprise Corridor Brokers. Word that the hyperlinks to the investigation views are supplied as hyperlinks.

Screenshot of the ThousandEyes Latency Dashboard

To slim down the view, we used a dashboard filter to deal with the 2 Brokers.

Screenshot of the cloud and enterprise agents

This confirmed the excessive latency noticed by the 2 Brokers prolonged throughout a number of exams.

Screenshot of the different agents suffering latency

From right here, we drilled down on every take a look at to examine the person take a look at outcomes.

Inside this view, we chosen a number of exams working on each Brokers and in contrast the outcomes.

Screenshot of selecting multiple test running on both agents

We noticed that there was a latency spike reported by each Brokers.

Screenshot of the latency spikes reported by both agents

To grasp the reason for the excessive latency, we drilled all the way down to Path Visualization.

Screenshot of the path visualization

We seen the excessive hyperlink delay between the Agent to its gateway. This means a problem both between the shopper and AP or between the AP and the server room with the router.

Screenshot of the link delay between the agent and its gateway

To verify the reason for the latency, we visited South Seas D. We ran further exams to substantiate that the connection expertise match with the outcomes reported by the Agent. Reviewing the room and topology diagrams additional, we discovered that the AP protecting South Seas D was positioned in an adjoining room, and was broadcasting two SSIDs — one for the room it was positioned in, and the opposite for South Seas D. The mixture of the AP placement, the AP servicing two rooms, and the attendee quantity in South Seas D mixed to supply the latency noticed by the Agent. These findings have been shared with the wi-fi group.

Cellular system administration at Black Hat: The position of Meraki Programs Supervisor

By: Dalton Ross

The Black Hat cybersecurity occasion in Las Vegas is famend for its cutting-edge know-how and seamless attendee expertise. A crucial part of this success lies in efficient cell system administration (MDM). Since Black Hat USA 2021, we leveraged Cisco Meraki Programs Supervisor (SM) to deal with quite a lot of duties essential to the occasion’s operations. Under is an in depth have a look at how the Meraki SM was deployed and the challenges confronted alongside the way in which.

Important roles of cell gadgets at Black Hat

Cellular gadgets have been pivotal in a number of key areas:

  1. Registration Kiosk iPad Units (~50 Units): Used at registration kiosks to streamline the attendee check-in course of, the place attendees scan a QR code for immediate badge printing
  2. Session Scanning iPad Units (~75 Units): Deployed throughout Black Hat classes to scan registered attendees into every session
  3. Lead Retrieval Units (~800 Units): A considerable variety of gadgets have been utilized on the present flooring cubicles to swiftly gather sales space customer contact information
Man working on a collection of iPhones at a table

Deliberate deployment for Meraki Programs Supervisor

To make sure a easy deployment, our technique included a number of key steps:

  1. Pre-State with Apple Automated Machine Enrollment (ADE): Earlier than cargo to the occasion location, all gadgets have been pre-staged utilizing ADE. This allowed gadgets to be configured with a identified SSID for sooner deployment on website.
  2. Segregated Transport: Units have been to be shipped in three distinct groupings, every similar to one of many roles. This aimed to facilitate swift deployment upon arrival.
  3. Dashboard Script for Position Affiliation: A customized dashboard script was ready to leverage the Meraki Dashboard API and simply affiliate enrolled gadgets with their respective roles.
  4. Automated Configuration Obtain: As soon as powered up, gadgets have been anticipated to routinely obtain any obligatory configurations or apps associated to their position, making them prepared for fast deployment.
  5. Well being Monitoring with Cisco ThousandEyes: ThousandEyes brokers have been to be deployed all through the venue to log SM well being at totally different occasion places.
  6. Put up-Occasion Manufacturing facility Reset: After the occasion, all gadgets have been to be manufacturing unit erased earlier than being returned.
Screenshot of a group of people in a conference room configuring devices

Challenges and workarounds

As in life, challenges arose that required fast pondering and adaptation:

  • Software Record Modifications: A final-minute change to the appliance checklist for session scanning gadgets was required. Though we initially deliberate to have all configurations prepared beforehand, this sudden change was effectively managed utilizing the Programs Supervisor with only a few clicks.
  • ThousandEyes Agent Limitations: Since ThousandEyes brokers have been beta SM shoppers, they couldn’t precisely collect connectivity information. This was an anticipated habits, but it surely posed a problem for efficient monitoring. To beat this, NOC members from Cisco ThousandEyes and Cisco Meraki collaborated to hack collectively a proof of idea. By means of arduous work and several other iterations, we configured the ThousandEyes brokers to simulate system check-in site visitors, mimicking legitimate SM shoppers.
Black Hat checkin stations

Deploying Meraki Programs Supervisor at Black Hat was an intricate however rewarding endeavor. Regardless of going through challenges, our group demonstrated agility and innovation, guaranteeing the occasion’s operations ran easily. The expertise underscored the significance of flexibility and fast drawback fixing in managing large-scale occasions.

By leveraging superior MDM options like Meraki Programs Supervisor, we have been in a position to present a seamless expertise for attendees and exhibitors alike, showcasing the facility of know-how in occasion administration.


We’re pleased with the collaboration of the Cisco group and the NOC companions. Black Hat Europe will likely be December 9-12, 2024 on the London eXcel Centre.

The Black Hat team poses together in the conference center lobby

Acknowledgements

Thanks to the Cisco NOC group:

  • Cisco Safe: Christian Clasen, Matt Vander Horst, Aditya Sankar, Ben Greenbaum, Ryan Maclennan, Adam Kilgore, Shimei Cridlig, Shannon Wellington and Justin Murphy, with distant assist by Jessica (Bair) Oppenheimer
  • Meraki Programs Supervisor: Dalton Ross, with distant assist by Paul Fidler and Connor Laughlin. Search for their report on The Meraki Weblog.

Additionally, to our NOC companions:

  • NetWitness (particularly Alessandro Zatti)
  • Palo Alto Networks (particularly Jason Reverri and James Holland)
  • Corelight (particularly Dustin Lee)
  • Arista (particularly Jonathan Smith)
  • Lumen and your complete Black Hat/Informa Tech workers (particularly Grifter ‘Neil Wyler,’ Bart Stump, Steve Fink, James Pope, Mike Spicer, Sandy Wenzel, Heather Williams, Jess Stafford and Steve Oldenbourg)

About Black Hat

Black Hat is the cybersecurity business’s most established and in-depth safety occasion sequence. Based in 1997, these annual, multi-day occasions present attendees with the most recent in cybersecurity analysis, growth, and developments. Pushed by the wants of the neighborhood, Black Hat occasions showcase content material immediately from the neighborhood by way of Briefings displays, Trainings programs, Summits, and extra. Because the occasion sequence the place all profession ranges and tutorial disciplines convene to collaborate, community, and focus on the cybersecurity matters that matter most to them, attendees can discover Black Hat occasions in america, Canada, Europe, Center East and Africa and Asia.

Share:

[ad_2]


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *