Thursday, January 30, 2025

Security Cloud — Cisco Blog


Cisco is the Official Security Cloud Provider for the Black Hat Network Operations Center (NOC). We work with the other official partners to bring the hardware, software and engineers to build and secure the network, for our joint customer: Black Hat

  • Arista: Wired and Wireless Network Equipment 
  • Corelight: Open Network Detection and Response 
  • Palo Alto Networks: Network Security and SOC Platform 

This was our 8th year supporting Black Hat Europe, and the primary mission in the NOC is network resilience. The partners also provide integrated security, visibility and automation: a Security Operations Center (SOC) inside the NOC.  

When the partners deploy to each event, we set up a world class network and security operations center in a few days. Our goal remains network uptime and creating better integrated visibility and automation. Black Hat has the pick of the security industry tools and no company can sponsor/buy their way into the NOC. It is invitation only, with the intention of diversity in partners, and an expectation of full collaboration. As a NOC team comprised of many technologies and companies, we are continuously innovating and integrating, to provide an overall cybersecurity architecture solution. 

Outside the NOC, partner dashboards were displayed for the attendees to view the volume and security of the network traffic.  

The role of Cisco in the Black Hat NOC continues to evolve since we were invited to partner in 2016. Black Hat has unlimited access to the Cisco Security Cloud and its capabilities. Working with the NOC leaders (Neil “Grifter” Wyler & Bart Stump) and the chief architect (Steve Fink), we tested, deployed and integrated the following technologies: 

Breach Protection Suite 

User Protection Suite 

ThousandEyes: Network visibility 

The NOC leaders allowed Cisco (and the other NOC partners) to bring in additional software to make our internal work more efficient and have greater visibility; however, Cisco is not the official provider for Extended Detection and Response (XDR), Security Incident and Event Management (SIEM), Network Detection and Response (NDR), Security Operations and Automated Response (SOAR) or collaboration.  

To better support Black Hat, we also implemented: 

  • Cisco XDR: Threat Hunting / Threat Intelligence Enrichment / Analyst dashboards / Automation with Webex 
  • Splunk Enterprise Security Cloud: platform for Cisco Security Cloud data sharing, and with ThousandEyes, Palo Alto Networks and Corelight integrations with Cisco XDR; also executive dashboards
  • Splunk Attack Analyzer: Integrated with Secure Malware Analytics
  • Cisco Webex: Incident notification and team collaboration

Introducing Cisco Duo and Identity Intelligence, by Ryan Maclennan

Cisco Duo is a new addition to the Black Hat NOC. We started with a Proof-of-Concept (PoC) at Black Hat Asia 2024 and turned it into a full deployment at Black Hat Europe. With this deployment, our goal was to create an environment where each partner would have a single sign-on (SSO) user to log into each product provided by a partner. We would create groups for each user, which mapped to an analyst, administrator or approver role.

For example, if we wanted to use the Palo Alto Networks (PANW) XSIAM product, we would log in with our user, but that user would only be an analyst and could not make changes on the platform. However, if a PANW admin logged in, they could make changes as needed. This was vice versa for them as well: the PANW admins would be analysts within our Cisco products, but we could make changes as necessary on our own products, in coordination with and with approval of the NOC Leaders.  

We were able to integrate Duo SSO into the following partner products: 

  • PANW XSIAM 
  • PANW NGFW 
  • PANW Cortex 
  • PANW Panorama 
  • Corelight Investigator 
  • Arista CloudVision 

Most of these integrations were for on-prem products (not publicly accessible) and a few were cloud-based, showing that we are able to protect an application whether it is publicly accessible or private. The Cisco products already had an SSO architecture with our corporate accounts, and we will transition to the Black Hat SSO infrastructure for Asia 2025. 

After getting all of the Duo applications set up, we were able to start getting authentication requests into Duo: 

Below, you can see all of the applications we created to integrate Duo SSO.

After the applications were configured and the users enrolled in Duo, we were able to start using the new Cisco Identity Intelligence, from within Duo. 

Cisco Identity Intelligence

Cisco Identity Intelligence (CII) is an AI-powered solution that bridges the gap between authentication and access. It allows us to bring multiple authentication source logs into a single entity and then analyze them to determine if a user is trustworthy. CII will give a user a trust score based on geographic location, login times, Operating System (OS), device types, number of login attempts, correct and incorrect logins, device trust and many more criteria. CII takes all these signals into account and then assigns trust levels for each user. You can see our trust score spread in the screenshot below: 

You can see in the screenshot above that there was one untrusted user, three neutral, and nine trusted users. Many of the neutral users were neutral because CII did not have enough data to baseline the user yet and was still determining how it should classify them. The one untrusted user was me, because the user I used to administer Duo and CII was the same one I used to log in to all the other applications.

Before the London based conference, I was administering Duo and CII in the United States. I then used a VPN multiple times while in Europe, so my geography was rapidly changing. These events contributed to my ‘Untrusted’ status, worthy of investigation.

Below, we can see the dashboard view of CII, with the quick view of data which an administrator may be interested in seeing.

In the above screenshot, we can see the monthly sign-ins and whether they were successful or not. Also, the type of Multifactor Authentication (MFA) used by users, sensitive applications and the countries where logins were attempted from. 

As the Black Hat conference world circuit continues, I’m excited to see where we can take CII and use its data to better secure our NOC partner products. 

Dynamic Malware Analysis, by Ryan Maclennan

For Cisco, a core integrated function in the Black Hat NOC/SOC is providing the platform for our partners to send suspicious files to Secure Malware Analytics (aka Threat Grid) for dynamic malware analysis (aka sandboxing). We have expanded the integration over the years, with both Corelight OpenNDR and Palo Alto Networks Firewalls submitting samples. At Black Hat Europe 2024, over 12,000 supported samples were submitted. 

The threat hunters also used Secure Malware Analytics to investigate suspicious URLs and files, without the risk of infection. Most of the convictions were on URLs submitted by the NOC analysts. 

At each conference, we see examples of personal identifying information sent over the network in the clear. One that stood out was a college student’s transcript in clear text. This is what happens when you use http on port 80 for communications (instead of https). The following details of the student were clearly accessible from the contents downloaded from the self-hosted domain: 

  • Name 
  • Date of Birth 
  • Social Security Number 
  • School attended and when 

…and that is all you need to craft an identity theft and/or phishing attack on the unassuming student. Always verify your connection security! 

Splunk Attack Analyzer

As a PoC at Black Hat USA, we deployed Splunk Attack Analyzer (SAA) as another malware sandboxing tool. This was a new integration created with the help of the Corelight team and was made on the spot. This time around in Europe, we were able to enable all of SAA’s capabilities and sent all files to it to compare with Secure Malware Analytics. Here is a dashboard summary of the files analyzed by SAA: 

From this we can see the total number of files analyzed by SAA and what was convicted as malicious. Of the convictions we received, we found that two were Phish Kits.   

You may have noticed that Secure Malware Analytics analyzed thousands more files than SAA. This is because we started to hit a rate limit, and our SAA instance did not catch it in time.  For the next conference, we will be working with Corelight to make the integration more robust to handle the rate limiting properly.

In case you missed it, SAA now has Secure Malware Analytics (SMA) as an engine. This means that when you link your SMA account to SAA, SAA will now send files to be analyzed by SMA as well and use its determination as part of its own scoring.

Extended Detection and Automation, by Ivan Berlinson and Aditya Raghavan

The Cisco XDR Command Center dashboard tiles made it easy to see the status of each of the connected Cisco Secure technologies, and the automation workflow iterations over the week. 

Below are the Cisco XDR integrations for Black Hat Europe, empowering our threat hunters to investigate Indicators of Compromise (IOC) very quickly, with one search. 

We appreciate alphaMountain.ai, Pulsedive and Recorded Future donating full licenses to Cisco, for use in the Black Hat Europe 2024 NOC. 

The view in the XDR Integrations user interface: 

Unleashing the Power of Cisco XDR Automate at Black Hat Europe

With the ever-evolving technological landscape, automation stands as a cornerstone in achieving XDR outcomes. It is indeed a testament to the prowess of Cisco XDR that it boasts a fully integrated, robust automation engine.

Cisco XDR Automation embodies a user-friendly, no-to-low code platform with a drag-and-drop workflow editor. This innovative feature empowers your SOC to speed up its investigative and response capabilities. You can tap into this potential by importing workflows from the XDR Automate Exchange from Cisco, or by flexing your creative muscles and crafting your own.

Remember from our past blogs, we used automation for incident notifications into Webex, as well as ‘Creating an Incident’ in XDR for Umbrella category blocks. Both these workflows were spruced up and used extensively at Black Hat Europe 2024. We now see the last update timestamp right in the incident title itself and in the Webex message, which greatly simplifies the understanding of a detection for our threat hunters.

The following automation workflows were built specifically for Black Hat use cases: 

  1. Cisco SMA Malicious submission – XDR incident and notification 
  2. Cisco SMA – Monitor Non-Malicious documents submission 
  3. Palo Alto Networks Firewall – Create Cisco XDR incident – V2 
  4. Splunk – Corelight – Create Cisco XDR incident V2 
  5. Splunk – ThousandEyes – Create XDR create incident V2 
  6. Incident Enrichment – Add Room and Target 
  7. Palo Alto Threat Logs to Splunk 

Besides #1 and #3, the rest of these workflows premiered at Black Hat Europe 2024, thanks to the work and inspiration of Ivan. 

Splunk Enterprise Security Cloud, by Ivan Berlinson, Aditya Raghavan and Ryan Maclennan

To make our threat hunters’ lives richer with more context from our own and our partners’ tools, we brought in Splunk Enterprise Security Cloud at this Black Hat event to ingest detections from Cisco XDR, Secure Malware Analytics, Umbrella, ThousandEyes, Corelight and Palo Alto Networks and visualize them into functional dashboards for executive reporting. The Splunk Cloud instance was configured with the following integrations:

  1. Cisco XDR and Cisco Secure Malware Analytics, using the Cisco Security Cloud app
  2. Cisco Umbrella, using the Cisco Cloud Security App for Splunk 
  3. ThousandEyes, using the Splunk HTTP Event Collector (HEC) 
  4. Corelight, using the Splunk HTTP Event Collector (HEC) 
  5. Palo Alto Networks, using the Splunk HTTP Event Collector (HEC) 

The ingested data for each integrated platform was deposited into its respective index. That made data searches for our threat hunters cleaner. Searching for data is where Splunk shines! You begin by simply navigating to Apps > Search and Reporting and typing your search query. You do need to know the Splunk Query Language (SQL) to build your queries, but that’s just a quick tutorial away.  

We found our way by looking at the data and iterating. An example of a simple search for obtaining the count of all alerts from the Suricata engine of Corelight logs is below.

The Visualization tab allows you to quickly convert this data into a visual format for previewing. And now, off we went to build search queries across all of the datasets we ingested. These search queries were then aggregated and visualized into an executive view using Splunk Dashboard Studio. Since we ended up with more widgets than can fit in a single Executive screen, we utilized the tabbed dashboard feature. The following two screenshots show the final dashboards along with callouts for the sources of the various widgets. 
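The search screenshot above is not reproduced here, so as an added illustration (not code from the original post or from Splunk or Corelight), the following Python performs the same aggregation the search does, a total alert count plus a count by signature, over a handful of constructed Corelight Suricata events serialised the way HEC would receive them. The field names (ts, id.orig_h, id.resp_h, alert.signature, alert.category, alert.severity) are assumed to follow Corelight's suricata_corelight log; every value is made up. It goes slightly beyond the text's single count by also pulling out the internal hosts behind the most severe alerts, which is the pivot a threat hunter would take next, and it tolerates a malformed line and a non-alert event in the input.

```python
import json
from collections import Counter

# Constructed sample: one JSON event per line, as Splunk's HTTP Event Collector
# would receive them from Corelight. Field names are assumed to follow the
# suricata_corelight log; all values are made up for this example. The last
# two entries show input the code must tolerate: a line that is not JSON and
# an event that carries no alert at all.
SAMPLE_LOG_LINES = [
    '{"ts":"2024-12-12T09:40:02Z","id.orig_h":"10.0.0.21","id.resp_h":"203.0.113.7",'
    '"alert.signature":"ET POLICY Crypto Currency Mining Activity Detected",'
    '"alert.category":"Potential Corporate Privacy Violation","alert.severity":2}',
    '{"ts":"2024-12-12T09:41:15Z","id.orig_h":"10.0.0.21","id.resp_h":"203.0.113.7",'
    '"alert.signature":"ET POLICY Crypto Currency Mining Activity Detected",'
    '"alert.category":"Potential Corporate Privacy Violation","alert.severity":2}',
    '{"ts":"2024-12-12T09:42:00Z","id.orig_h":"10.0.0.33","id.resp_h":"198.51.100.9",'
    '"alert.signature":"ET MALWARE Possible Malicious Document Download",'
    '"alert.category":"A Network Trojan was detected","alert.severity":1}',
    '{"ts":"2024-12-12T09:43:10Z","id.orig_h":"10.0.0.44","id.resp_h":"198.51.100.20",'
    '"alert.signature":"ET INFO TLS Handshake Failure",'
    '"alert.category":"Not Suspicious Traffic","alert.severity":3}',
    '{"ts":"2024-12-12T09:44:30Z","id.orig_h":"10.0.0.44","id.resp_h":"198.51.100.21",'
    '"alert.signature":"ET INFO TLS Handshake Failure",'
    '"alert.category":"Not Suspicious Traffic","alert.severity":3}',
    '{"ts":"2024-12-12T09:45:05Z","id.orig_h":"10.0.0.21","id.resp_h":"203.0.113.7",'
    '"alert.signature":"ET POLICY Crypto Currency Mining Activity Detected",'
    '"alert.category":"Potential Corporate Privacy Violation","alert.severity":2}',
    'not json at all {',
    '{"ts":"2024-12-12T09:46:00Z","id.orig_h":"10.0.0.50","id.resp_h":"198.51.100.5","proto":"tcp"}',
]


def parse_events(lines):
    """Decode one JSON event per line, skipping lines that are not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the whole search
    return events


def suricata_alerts(lines):
    """Only the events that carry a Suricata alert (the filter before `stats`)."""
    return [e for e in parse_events(lines) if "alert.signature" in e]


def count_suricata_alerts(lines):
    """Total alert count, the `| stats count` of the search in the text."""
    return len(suricata_alerts(lines))


def alerts_by_signature(lines, top=5):
    """`| stats count by alert.signature | sort -count`, as (signature, count)."""
    counts = Counter(e["alert.signature"] for e in suricata_alerts(lines))
    return counts.most_common(top)


def sources_with_severity(lines, severity_at_most=1):
    """Internal hosts behind alerts at or above a Suricata severity
    (1 is the most severe): the first triage pivot for a threat hunter."""
    return sorted({e["id.orig_h"] for e in suricata_alerts(lines)
                   if e.get("alert.severity", 99) <= severity_at_most})


if __name__ == "__main__":
    print("alerts:", count_suricata_alerts(SAMPLE_LOG_LINES))
    for sig, n in alerts_by_signature(SAMPLE_LOG_LINES):
        print(f"{n:4d}  {sig}")
    print("severity-1 sources:", sources_with_severity(SAMPLE_LOG_LINES))
```

The malformed line and the connection-style event without an alert are dropped rather than counted, which matches how a search scoped to the Suricata log type would behave; the severity pivot is where the count turns into something a hunter can act on.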

The Splunk dashboard in the BH Europe NOC
The Splunk dashboard in the BH Europe NOC

With the charter for us at Black Hat being a ‘SOC inside a NOC’, the executive dashboards reflected bringing networking and security reporting together. This is quite powerful and will be expanded in future Black Hat events, to add more functionality and expand its usage as one of the primary consoles for our threat hunters as well as reporting dashboards on the big screens in the NOC. 

Threat Hunters’ Story, by Ivan Berlinson

During the Black Hat event, the NOC opens early before the event Registration and closes after the trainings and briefings complete for the day. This means that every threat hunter’s position must be covered by physical, uninterrupted presence for about 11 hours per day. Even with the utmost dedication to your role, sometimes you need a break, and a new potential incident doesn’t wait until you have finished the previous one.  

Aditya and I shared the responsibilities as Threat Hunters staffing the Cisco XDR, Malware Analytics and Splunk Cloud consoles, alternating between morning and afternoon shifts. Though in reality both of us stayed on most of the day, as we had so much fun writing automation workflows and building dashboards, in addition to carrying out our primary responsibilities. 

An example of some of these workflows in action together helped us find a potential case of cryptomining in the NOC itself, during the early hours of Dec 12! Thanks to the Corelight and PANW firewall integrations in XDR, we had ourselves a single correlated incident, with detections from both partners.  

The workflows I built include a check to find any open incidents with the assets and/or observables in question, to append the detection under process. If there is none, it creates a new incident. As we can see, the detection from Corelight came in at 09:40 GMT, followed by the detection from the PANW firewalls a few minutes later.  

As new detections were getting appended into the incident, I quickly updated the automation workflows to include a timestamp indicating the last seen sighting for that incident right in the title. While this might not be what you would do in a production environment, it greatly simplifies the ability for our threat hunters to investigate all the incidents as they come in.
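The correlation logic described in the two paragraphs above (look for an open incident sharing an asset or observable, append to it or open a new one, and keep the last-seen time in the title) is shown below as an added Python model. It is not the XDR workflow itself nor any Cisco code; the data model, the title format and the four detections are constructed for the example. It covers two cases the text implies but does not spell out: a detection that is observed earlier but delivered later must not move the last-seen stamp backwards, and a closed incident must not absorb new detections.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional


def ts(text: str) -> datetime:
    """Parse the constructed sample timestamps (UTC, minute resolution)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Detection:
    source: str                   # partner/product that raised it
    seen_at: datetime             # when the source observed the activity
    assets: FrozenSet[str]        # internal hosts involved
    observables: FrozenSet[str]   # external indicators (domains, IPs, hashes)
    summary: str


@dataclass
class Incident:
    ident: int
    base_title: str
    status: str = "open"
    detections: List[Detection] = field(default_factory=list)
    assets: set = field(default_factory=set)
    observables: set = field(default_factory=set)
    last_seen: Optional[datetime] = None

    @property
    def title(self) -> str:
        # Last-seen stamp carried in the title, as the workflow in the text does.
        stamp = self.last_seen.strftime("%Y-%m-%d %H:%M UTC")
        return f"[last seen {stamp}] {self.base_title}"

    def absorb(self, det: Detection) -> None:
        self.detections.append(det)
        self.assets |= det.assets
        self.observables |= det.observables
        # Detections may arrive out of order; never move last_seen backwards.
        if self.last_seen is None or det.seen_at > self.last_seen:
            self.last_seen = det.seen_at


def find_open_incident(incidents: List[Incident], det: Detection) -> Optional[Incident]:
    """First open incident that shares an asset or an observable with the detection."""
    for inc in incidents:
        if inc.status != "open":
            continue
        if inc.assets & det.assets or inc.observables & det.observables:
            return inc
    return None


def process_detection(incidents: List[Incident], det: Detection) -> Incident:
    """Append to the matching open incident, or open a new one."""
    inc = find_open_incident(incidents, det)
    if inc is None:
        inc = Incident(ident=len(incidents) + 1, base_title=det.summary)
        incidents.append(inc)
    inc.absorb(det)
    return inc


MINER = "pool.miner.example"   # constructed observable shared by two sources
SAMPLE_DETECTIONS = [
    Detection("Corelight", ts("2024-12-12T09:40Z"), frozenset({"10.0.0.21"}),
              frozenset({MINER}), "Cryptomining pool connection from 10.0.0.21"),
    Detection("PANW Firewall", ts("2024-12-12T09:44Z"), frozenset({"10.0.0.21"}),
              frozenset({"203.0.113.7"}), "Coin miner traffic blocked for 10.0.0.21"),
    # Lower-priority Umbrella block observed earlier but delivered later.
    Detection("Umbrella", ts("2024-12-12T09:38Z"), frozenset({"10.0.0.21"}),
              frozenset({MINER}), "Cryptomining category block"),
    # Unrelated host: must not be folded into the first incident.
    Detection("Corelight", ts("2024-12-12T09:50Z"), frozenset({"10.0.0.77"}),
              frozenset({"phish.example"}), "Phishing domain contact from 10.0.0.77"),
]


def run_sample() -> List[Incident]:
    incidents: List[Incident] = []
    for det in SAMPLE_DETECTIONS:
        process_detection(incidents, det)
    return incidents


if __name__ == "__main__":
    for inc in run_sample():
        print(inc.title, [d.source for d in inc.detections])
```

Matching on either assets or observables is what lets the Corelight detection (miner domain) and the firewall detection (miner IP) land in the same incident even though they carry different indicators; the shared asset is the bridge.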

As I investigated the incident, I uncovered another detection that had come in just before; this time the source of the detection was Umbrella, and it almost went under the radar because it bore a lower priority score. This incident came in through the automation workflow used in past years. This provided the confirmation of the cryptomining activity on the endpoint.  

Next question – who is this 10.X.X.X device? And should they be cryptomining at Black Hat? Thanks to another automation workflow, with a click of a Response action of the Incident Response playbook we had attribution with physical room name and location within the event center, from a pre-defined database, for the identified asset in the incident. 

Lo and behold – the asset was in Level 3, Capital Suite, Room 1, connected to the NOC Wi-Fi; right in the same room as me! I had built another automation workflow that brings Corelight and PANW firewall threat detections into Splunk Cloud, through which we were able to track down the device in the room to a MacBook and a MAC address.  

Time to tap on someone’s shoulder. 

Network Visibility with ThousandEyes, by Jessica Santos, MD Foysol Ferdous, Ryan MacLennan

Black Hat Europe 2024 is the sixth consecutive event with a ThousandEyes (TE) deployment. We spread that visibility across core switching, Registration, the Business Hall, two- and four-day training rooms, and Keynote areas. Below is some of the hardware Black Hat purchased for the ThousandEyes agents. 

We worked with Michael Spicer on the location of the agent deployment to ensure representative coverage and the types / frequency of scheduled testing.  

Optimizing Network Monitoring with ThousandEyes 

We had a dashboard in the NOC, so the leaders and architect could see issues in real time, and ThousandEyes widgets in the Splunk executive dashboard, as seen earlier in the blog.  

At Black Hat Europe 2024, we had an issue where the ThousandEyes agents were showing a high latency time to Azure. We were receiving calls about access to Azure being slow, but being the proactive NOC we are, we went ahead and investigated what was causing the high response time.  

We investigated the Azure network path that is recorded by ThousandEyes and found there are three destinations the Azure status portal uses.

Two of those destinations are outside of the UK: one in the United States and one in Japan. If you look in the screenshot above, you can see a single red link, and it can be used for either the US or the Japan Azure status portal. This is the likely cause for the increased response time we were seeing, as well as the geographic distance. Seeing this, we SSH’ed into one of the ThousandEyes agents and used the HTTPing tool to do a similar test to Azure. When we ran the test to the Azure portal status page, we would see some normal response times and then many latent response times. This matched up to what ThousandEyes reported. This led us to the conclusion that the Azure status portal load balances but does not do geographic load balancing. 

With this information, we decided to hard code the IP of the UK server into the ThousandEyes test to better represent how attendees will access Azure.   

ThousandEyes is a very powerful tool, and it is able to determine whether the issue resides inside the network or outside, where we cannot control it. Below is a screenshot of how many different network paths can lead to a single resource. This shows the importance of being able to pinpoint exactly where an issue is taking place. 

Meraki Systems Manager, by Paul Fidler and Connor Loughlin

Our fourth year of deploying Meraki Systems Manager at Black Hat Europe, as the official Mobile Device Management platform, went very smoothly. We introduced a new caching operation to update iOS devices on the local network, for speed and efficiency. Going into the event, we planned for the following number of devices and applications: 

  • iPhone Lead Scanning Devices: 68 
  • iPads for Registration: 9 
  • iPads for Session Scanning: 12 
  • Number of devices planned in total: 89

We registered the devices ahead of the event. Upon arrival, we turned each device on.  

The Wi-Fi profile that we need for the Black Hat iOS devices was not installed. However, I brought a Meraki Z3C, with cellular and Wi-Fi capability. I had brought this because it usually takes a couple of days to get Wi-Fi down in Registration, where we set up the devices before deployment. So, within literally 15 seconds, I had spun up a new SSID, prefixed it with a full stop so that it appeared at the top of the available Wi-Fi networks, and before the first iOS device had powered on, the Z3C was broadcasting it. So, with just a handful of seconds of toil on each device, we had them connecting back to the Meraki Dashboard to get the correct Wi-Fi profile. 

More pain: Location services

Location services is a pain point for mobile device management. Firstly, you need to make sure that Location is NOT skipped at the time of device supervision using Apple Configurator. This means that it is an extra step at the time of enrollment (meaning half a second of toil), rather than having to open Settings, scroll down to Privacy, then Location, then flick the toggle. Unfortunately, this was skipped in the event preparation by the contractor, so we had to enable this manually for each device. 

Location of devices is important for theft retrieval or if the device is lost. Location is enabled by opening the Systems Manager app and tapping Location, then Enable, then “While using the application.” You can then tap it again and click “Always allow”, which allows location when the app is in the background. Because of (and this is where you could end up in a heated discussion) Apple’s stance on privacy, it is such a shame that this can’t be managed. 

Below is a quick screenshot of the Z3C client dashboard after an hour of the devices being turned on. 

Interesting to see where the device is calling out to, in the screenshot below. 

Application Updates 

Having applications updated in the middle of an event can have disastrous consequences. Whilst there isn’t an overall setting or restriction to prevent this, it is possible to do it at the application layer. And, of course, Meraki Systems Manager allowed us to do this for all apps at the same time. 

OS Updates 

I think this goes without saying, but the ability to remotely update devices in the event of an urgent vulnerability fix is invaluable, like we had last year in Las Vegas with Apple. 

Firewall Rules 

The security of the Registration network is paramount as there is Personal Identifying Information data on this network. So, we have some quite strict inbound and outbound rules. 

Managing Apple devices requires that 17.0.0.0/8 be kept open for port 80 and 443 traffic. Additionally, Meraki allows you to download a dynamically created list of servers that it needs to be open to so that endpoints can be managed. But, as we are using Cisco Umbrella and AMP (Secure Endpoint), there is a whole host of other endpoints that need to be opened. These are listed here.  

Content Caching 

One of the biggest problems affecting the iOS devices at past Black Hat events was the rapid need to both update the iOS device’s OS due to a patch to fix a zero-day vulnerability and to update the Black Hat iOS app on the devices. At the USA events, there are hundreds of devices, so this was a problem for each to download and install. So, I took the initiative to look into Apple’s Content Caching service built into macOS. 

Now, just to be clear, this wasn’t caching EVERYTHING… Just Apple App Store updates and OS updates. 

This is turned on within System Settings and starts working immediately.  

I’m not going to get into the weeds of setting this up, because there is a lot to plan for. But I would suggest that you start here. The setting I did change was: 

I checked to see that we had one point of egress from Black Hat to the Internet. Apple doesn’t go into too much detail as to how this all works, but I’m assuming that the caching server registers with Apple and, when devices check in for App Store / OS update queries, they are then told where to look on the network for the caching server. 

Immediately after turning this on, you can see the default settings and metrics: 

% AssetCacheManagerUtil settings
Content caching settings:


AllowPersonalCaching: true
AllowSharedCaching: true
AllowTetheredCaching: true
CacheLimit: 150 GB
DataPath: /Library/Application Support/Apple/AssetCache/Data
ListenRangesOnly: false
LocalSubnetsOnly: true
ParentSelectionPolicy: round-robin
PeerLocalSubnetsOnly: true

And after having this run for a while (note that this output comes from the status command, not the settings command): 

% AssetCacheManagerUtil status
Content caching status


Activated: true
Active: true
ActualCacheUsed: 528.2 MB
CacheDetails: (1)

Other: 528.2 MB

CacheFree: 149.47 GB
CacheLimit: 150 GB
CacheStatus: OK
CacheUsed: 528.2 MB
MaxCachePressureLast1Hour: 0%
Parents: (none)
Peers: (none)
PersonalCacheFree: 150 GB
PersonalCacheLimit: 150 GB
PersonalCacheUsed: 0 KB
Port: 49180
PrivateAddresses: (1)

x.x.x.x

PublicAddress: x.x.x.x
RegistrationStatus: 1
RestrictedMedia: false
ServerGUID: xxxxxxxxxxxxxxxxxx
StartupStatus: OK
TetheratorStatus: 1
TotalBytesAreSince: 2023-12-01 13:35:10
TotalBytesDropped: 0 KB

TotalBytesImported: 0 KB
TotalBytesReturnedToClients: 528.2 MB
TotalBytesStoredFromOrigin: 528.2 MB

Now, helpfully, Apple also pops this data periodically into a database located at:  

Library/Application Support/Apple/AssetCache/Metrics/Metrics.db in a table called ZMETRICS. 

This is also accessible in Activity Monitor.

And with a small number of devices, you can see how quickly the server starts reducing the impact on the WAN. Now, given the above, getting the data from the command line regularly is painful, especially in the format that it is presented.  

Apple, helpfully, allows you to append -j to the end of the status command to present the information in JSON: 

{"name":"status","result":{"Activated":true,"Active":true,"ActualCacheUsed":2327774501,"CacheDetails":{"iCloud":109949295,"iOS Software":20800617,"Mac Software":11984379,"Other":2226505758},"CacheFree":247630759951,"CacheLimit":250000000000,"CacheStatus":"OK","CacheUsed":2369240049,"MaxCachePressureLast1Hour":0,"Parents":[],"Peers":[],"PersonalCacheFree":249890050705,"PersonalCacheLimit":250000000000,"PersonalCacheUsed":109949295,"Port":49181,"PrivateAddresses":["10.10.10.10"],"PublicAddress":"X.X.X.X","RegistrationStatus":1,"RestrictedMedia":false,"ServerGUID":"FDE578EE-XXXX-XXXX-XXXX-102B60869501","StartupStatus":"OK","TetheratorStatus":0,"TotalBytesAreSince":"2024-12-12 11:58:04 +0000","TotalBytesDropped":0,"TotalBytesImported":0,"TotalBytesReturnedToChildren":0,"TotalBytesReturnedToClients":11482694,"TotalBytesReturnedToPeers":0,"TotalBytesStoredFromOrigin":1164874,"TotalBytesStoredFromParents":0,"TotalBytesStoredFromPeers":0}}
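Since the text's point is that the JSON form is the one worth automating, here is an added Python example (not from the original post or from Apple) that parses that status document, checks the server is healthy, and turns the byte counters into the number every NOC wants: how much traffic the cache kept off the WAN. The sample input is the JSON shown above (with the masked addresses and GUID left as the text shows them); the `read_live_status` helper and its `status -j` invocation are an assumption based on the text's description and are not called on import.

```python
import json
import subprocess

# Sample input: the `AssetCacheManagerUtil status -j` document from the text,
# kept verbatim (masked public address and GUID included).
SAMPLE_STATUS_JSON = (
    '{"name":"status","result":{"Activated":true,"Active":true,'
    '"ActualCacheUsed":2327774501,"CacheDetails":{"iCloud":109949295,'
    '"iOS Software":20800617,"Mac Software":11984379,"Other":2226505758},'
    '"CacheFree":247630759951,"CacheLimit":250000000000,"CacheStatus":"OK",'
    '"CacheUsed":2369240049,"MaxCachePressureLast1Hour":0,"Parents":[],"Peers":[],'
    '"PersonalCacheFree":249890050705,"PersonalCacheLimit":250000000000,'
    '"PersonalCacheUsed":109949295,"Port":49181,"PrivateAddresses":["10.10.10.10"],'
    '"PublicAddress":"X.X.X.X","RegistrationStatus":1,"RestrictedMedia":false,'
    '"ServerGUID":"FDE578EE-XXXX-XXXX-XXXX-102B60869501","StartupStatus":"OK",'
    '"TetheratorStatus":0,"TotalBytesAreSince":"2024-12-12 11:58:04 +0000",'
    '"TotalBytesDropped":0,"TotalBytesImported":0,"TotalBytesReturnedToChildren":0,'
    '"TotalBytesReturnedToClients":11482694,"TotalBytesReturnedToPeers":0,'
    '"TotalBytesStoredFromOrigin":1164874,"TotalBytesStoredFromParents":0,'
    '"TotalBytesStoredFromPeers":0}}'
)


def parse_status(text):
    """Return the `result` object of a status document, rejecting anything else."""
    doc = json.loads(text)
    if doc.get("name") != "status" or not isinstance(doc.get("result"), dict):
        raise ValueError("not an AssetCacheManagerUtil status document")
    return doc["result"]


def human(n):
    """Decimal units, matching the GB figures the utility prints."""
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if n < 1000 or unit == "TB":
            return f"{n} B" if unit == "B" else f"{n:.1f} {unit}"
        n /= 1000


def summarize(result):
    """Health plus WAN savings derived from the cumulative byte counters.
    Bytes returned to clients minus bytes fetched from origin is the traffic
    that never crossed the WAN; a cache warmed before the counter reset makes
    the ratio high even when little was fetched this period."""
    served = result["TotalBytesReturnedToClients"]
    origin = result["TotalBytesStoredFromOrigin"]
    saved = max(served - origin, 0)
    return {
        "healthy": result["CacheStatus"] == "OK" and result["Activated"] and result["Active"],
        "cache_used_pct": round(100 * result["CacheUsed"] / result["CacheLimit"], 2),
        "bytes_from_origin": origin,
        "bytes_to_clients": served,
        "bytes_saved": saved,
        "saved_ratio": round(saved / served, 3) if served else 0.0,
        "by_content": dict(result["CacheDetails"]),
        "counting_since": result["TotalBytesAreSince"],
    }


def read_live_status():
    """Assumed invocation on a macOS caching server, per the text's description
    of appending -j to the status command; which stream the JSON lands on is
    also an assumption, so both are tried."""
    proc = subprocess.run(["AssetCacheManagerUtil", "status", "-j"],
                          capture_output=True, text=True, check=True)
    return parse_status(proc.stdout or proc.stderr)


if __name__ == "__main__":
    s = summarize(parse_status(SAMPLE_STATUS_JSON))
    print(f"healthy={s['healthy']} cache used {s['cache_used_pct']}%")
    print(f"served {human(s['bytes_to_clients'])}, from origin "
          f"{human(s['bytes_from_origin'])}, kept off WAN {human(s['bytes_saved'])}")
    for kind, n in s["by_content"].items():
        print(f"  {kind:14s} {human(n)}")
```

Running this on a schedule and shipping the summary to Splunk (the page's HEC integrations would fit) gives the same "how much did the cache save" figure the firewall team was asked for, without reading the raw dump by hand.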

ThousandEyes Agent for the Caching Server 

Given that we have an Apple Mac Mini on the Registration network, it was a simple decision to install the ThousandEyes macOS agent on it systematically using Meraki Systems Manager. 

This can be downloaded from Endpoint Agents > Agent Settings > Add new Endpoint Agent.

However, as I found to my detriment, there is not yet a Universal installer, so make sure you get your processor architecture right (ARM vs x86!) 

In Meraki Systems Manager, we configure the app like this: 

Now, we talked earlier about firewall settings. A Systems Manager custom app can be hosted in two ways: 

  • Hosted on your own infrastructure, or 
  • Meraki will host it 

If you’re choosing the latter, just be aware that Meraki actually hosts it on AWS. Details here

So, make sure that you have the appropriate AWS instance open on your firewalls, or host packages yourself.  

Checking with the PANW firewall team, we determined the caching server saved 5% of the traffic for the week, freeing up bandwidth for training and demos. For Black Hat Asia 2025, we plan to explore how to host Windows Updates, a large consumer of bandwidth, on the first day of trainings and briefings. 

Keeping up with Encrypted DNS, by Christian Clasen and Justin Murphy 

For the past couple of years, we have been using the PANW edge firewalls to redirect outbound DNS queries towards our internal resolvers. This closed a gap in policy and visibility that existed for attendees at the Black Hat event. As evidenced by the DNS Statistics charts later in the blog, the strategy paid off with a noticeable jump in observed queries. But as it so often goes in technology (and security in particular), these types of methods can lead to an arms race of sorts. 

In those same years, browser and operating system developers have expanded the deployment of encrypted DNS protocols. In addition to wrapping DNS in raw TLS and HTTPS, more exotic technologies are now in the mix. Chief amongst them is Apple’s implementation of Oblivious DNS over HTTPS (ODoH). The purpose of ODoH is to prevent the snooping of DNS queries, not just on the local LAN but also by the DNS providers themselves. I presented an overview of this technology in my “History of DNS Security” Cisco Live talk. 

The gist of ODoH is as follows:  

  • The “first hop” recursive DNS resolver receives the client lookup, but the client has done something sneaky to prevent this initial resolver from knowing what domain name the client is looking for. It has wrapped the original query in an encrypted blob and added a bogus name to the “outer” message.
  • When the recursive resolver sends the query upstream to the authoritative name server for the “bogus” domain, the message can be decrypted because that name server is an ODoH-aware server that expects this encrypted message! 
  • The server sees the query information and can recurse the DNS for the answer as normal, but is never made aware of the original client IP…it is only servicing the first recursive resolver as its client.

This separation of duties ensures that, in the absence of collusion between the first and second DNS providers, a client and its queries can never be correlated, and useful tracking is rendered impossible. 

Apple implements this architecture in its Private Relay feature. In addition to all the privacy features detailed above, Private Relay uses QUIC to transport packets to Apple, making the communication even more opaque to network operators like us in the Black Hat NOC. The wide deployment of Private Relay has led to a drop in DNS queries evaluated and logged by Umbrella.  

We presented our observations and recommendation to the NOC Leaders, who decided it would be best to try to block these protocols (DoT, DoH and Private Relay) for better visibility. The morning of the last day, we added the policy to Umbrella. 

We immediately saw blocks for domains associated with Apple’s MASQUE proxies in the activity search, as well as those used by Android phones for DoT. The end user experience was not impacted.  

Over 129k of these blocks occurred from 11:05am to the shutdown at 6pm on the last day, 12 December. 

We will continue this policy going forward at other Black Hat events and monitor the statistics as usual. 

DNS Statistics, by Christian Clasen and Justin Murphy 

We can see the jump in queries due to forced DNS redirection at the edge, and the drop due to the expansion of Apple Private Relay (see the previous blog section for detailed analysis). 

The top categories for 2024 (and 2023) are below.  

Umbrella tracks the unique apps connecting to the network. We saw a marked increase in GenAI. If needed, we can block apps that demonstrate a threat to the conference. 

2021: 2,162 apps 

2022: 4,159 apps  

2023: 4,340 apps 

2024: 4,902 apps 

All in all, we are very happy with the collaborative efforts made here at Black Hat Europe by both the Cisco team and our partners in the NOC. Great work everybody! 

Black Hat Asia will be in April 2025, at the Marina Bay Sands, Singapore…hope to see you there! 

Acknowledgments 

Thank you to the Cisco NOC team: 

  • Cisco Security: Ivan Berlinson, Aditya Raghavan, Christian Clasen, Justin Murphy and Ryan Maclennan 
  • Meraki Systems Manager: Paul Fidler and Connor Loughlin
  • ThousandEyes: MD Foysol Ferdous and Jessica Santos
  • Additional Support and Expertise: Tony Iacobelli and Abhishek Sha

Also, to our NOC partners Palo Alto Networks (especially James Holland and Jason Reverri), Corelight (especially Dustin Lee and Mark Overholser), Arista Networks (especially Jonathan Smith), and the entire Black Hat / Informa Tech staff (especially Grifter ‘Neil Wyler’, Bart Stump, Steve Fink, James Pope, Michael Spicer, Jess Stafford and Steve Oldenbourg). 

About Black Hat 

Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa and Asia at: BlackHat.com. Black Hat is brought to you by Informa Tech. 

