domingo, julio 14, 2024
InicioHealth CareBlack Hat Europe 2022 NOC: When planning meets execution

Black Hat Europe 2022 NOC: When planning meets execution

On this weblog concerning the design, deployment and automation of the Black Hat community, we’ve got the next sections:

  • Designing the Black Hat Community, by Evan Basta
  • AP Placement Planning, by Sandro Fasser
  • Wi-Fi Air Marshal, by Jérémy Couture, Head of SOC, Paris 2024 Olympic Video games
  • Meraki Dashboards, by Rossi Rosario Burgos
  • Meraki Programs Supervisor, by Paul Fidler
  • A Higher Solution to Design Coaching SSIDs/VLANs, by Paul Fidler

Cisco is honored to be a Premium Companion of the Black Hat NOC, and is the Official Community Platform, Cellular System Administration, Malware Evaluation and DNS (Area Identify Service) Supplier of Black Hat.

2022 was Cisco’s sixth yr as a NOC accomplice for Black Hat Europe. Nonetheless, it was our first time constructing the community for Black Hat Europe. We used experiences of Black Hat Asia 2022 and Black Hat USA 2022 to refine the planning for community topology design and tools. Beneath are our fellow NOC companions offering {hardware}, to construct and safe the community, for our joint buyer: Black Hat.

Designing the Black Hat Community, by Evan Basta

We’re grateful to share that Black Hat Europe 2022 was the smoothest expertise we’ve had within the years at Black Hat. That is because of the 15 Cisco Meraki and Cisco Safe engineers on web site (plus nearly supporting engineers) to construct, function and safe the community; and nice NOC management and collaborative companions.

To plan, configure, deploy (in two days), preserve resilience, and recuperate (in 4 hours) an enterprise class community, took a number of coordination. We admire the Black Hat NOC management, Informa and the NOC companions; assembly every week to debate the very best design, staffing, gear choice and deployment, to satisfy the distinctive wants of the convention. Take a look at the “Meraki Unboxed” podcast – Episode 94: Learnings from the Black Hat Europe 2022 Cybersecurity Occasion

We should permit actual malware on the Black Hat community: for coaching, demonstrations, and briefing classes; whereas defending the attendees from assault inside the community from their fellow attendees, and stop dangerous actors from utilizing the community to assault the Web. It’s a important steadiness to make sure everybody has a secure expertise, whereas nonetheless having the ability to be taught from actual world malware, vulnerabilities, and malicious web sites.

Along with the weekly conferences with Black Hat and the opposite companions, the Cisco Meraki engineering staff of Sandro Fasser, Rossi Rosario Burgos, Otis Ioannou, Asmae Boutkhil, Jeffry Handal and I met each Friday for 2 months. We additionally mentioned the challenges in a Webex house with different engineers who labored on previous Black Hat occasions.

The mission:

Division of labor is crucial to cut back errors and keep laser targeted on safety scope. Otis took the lead engaged on community topology design with Companions. Asmae dealt with the port assignments for the switches. Rossi ensured each AP and Swap was tracked, and the MAC addresses have been supplied to Palo Alto Networks for DCHP assignments. Otis and Rossi spent two days within the server room with the NOC companions, making certain each change was working and configured accurately. Rossi additionally deployed and configured a distant Registration change for Black Hat.

AP Placement Planning, by Sandro Fasser

Within the weeks earlier than deployment, our digital Meraki staff member, Aleksandar Dimitrov Vladimirov, and I targeted on planning and making a digital Wi-Fi web site survey. A number of necessities and restrictions needed to be considered. The report was based mostly on the ExCel centre ground plans, the house allocation necessities from Black Hat and the variety of APs we had obtainable to us. Though difficult to create, with some uncertainties and sometimes altering necessities as a result of variety of stakeholders concerned, the surveys AP placement for finest protection ended up being pivotal on the occasion.

Beneath is the Sign Energy plan for the Expo Corridor Flooring on the 5 GHz band. The unique plan to go along with a dual-Band deployment was adjusted onsite and the two.4 GHz band was disabled to reinforce efficiency and throughput. This was a choice made through the community setup, in coordination with the NOC Management and based mostly on expertise from previous conferences.

Upon arrival on the ExCel Centre, we performed a walkthrough of the house that the majority of us had solely seen as a ground plan and on some pictures. Because of good planning, we may begin deploying the 100+ APs instantly, with solely a small variety of adjustments to optimize the deployment on-site. Because the APs had been pre-staged and added to the Meraki dashboard, together with their location on the ground maps, the primary work was inserting and cabling them bodily. Throughout operation, the ground plans within the Meraki Dashboard have been a visible assist to simply spot an issue and navigate the staff on the bottom to the suitable spot, if one thing needed to be adjusted.

Because the sponsors and attendees stuffed every house, within the Meraki dashboard, we have been in a position to see in real-time the variety of shoppers linked to every AP, at present and over the time of the convention. This enabled fast response if challenges have been recognized, or APs might be redeployed to different zones. Beneath is the ExCel Centre Capital Corridor and London Suites, Stage 0. We may change between the 4 ranges with a single click on on the Flooring Plans, and drill into any AP, as wanted.

The Location heatmaps additionally supplied important visibility into convention visitors, each on the community and footfalls of attendees. Bodily safety can be an vital side of cybersecurity; we have to understand how gadgets transfer in house, know the place invaluable property are positioned and monitor their security.

Beneath is the Enterprise Corridor at lunchtime, on the opening day of the convention. You may see no reside APs within the backside proper nook of the Location heatmap. That is an instance of adapting the plan to actuality onsite. In previous Black Hat Europe conferences, the Foyer in that space was the primary entrance. Development in 2022 closed this entrance. So, these APs have been reallocated to the Stage 1 Foyer, the place attendees would naturally circulation from Registration.

The ground plans and heatmaps additionally helped with the Coaching, Briefings and Keynote community resilience. Capability was simple so as to add briefly, and we have been in a position to take away it and relocate it after an area emptied.

Meraki API Integration for computerized system blocking

Throughout our time within the NOC, we had the prospect to work with different vendor engineers and a few use circumstances that got here up led to attention-grabbing collaborations. One particular use case was that we wished to dam wi-fi shoppers, that present some malicious or dangerous conduct, mechanically after they’ve been recognized by one of many SOC analysts on the completely different safety platforms, as well as we wished to indicate them a pleasant warning web page that guides them to the SOC for a pleasant dialog.

The answer was a script that may be triggered via the interfaces of the opposite safety merchandise and attaches a bunch coverage via the Meraki Dashboard, together with a quarantine VLAN and a splash web page, through the Meraki APIs. This integration was simply one of many many collaboration bits that we labored on.

Wi-Fi Air Marshal, by Jérémy Couture, Head of SOC, Paris 2024 Olympic Video games

Throughout the first day of coaching, within the Meraki dashboard Air Marshal, I noticed packet flood assaults, towards we have been in a position to adapt and stay resilient.

I additionally noticed an AP spoofing and broadcast de-authentication assault. I used to be in a position to shortly determine the placement of the assault, which was on the Foyer outdoors the Enterprise Corridor.  Ought to the assaults proceed, bodily safety had the data to intervene. We additionally had the flexibility to trace the MAC tackle all through the venue, as mentioned in Christian Clasen’s part partly two.

From our experiences at Black Hat USA 2022, we had encrypted frames enabled, blunting the assault.

Meraki Dashboards, by Rossi Rosario Burgos

The Meraki dashboards made it very simple to watch the well being of the community APs and Switches, with the flexibility to combination knowledge, and shortly pivot into any change, AP or shoppers.

By the phases of the convention, from two days of pre-conference setup, to targeted and intense coaching the primary two days, and transition to the briefings and Enterprise Corridor, we have been in a position to visualize the community visitors.

As well as, we may see the variety of attendees who handed by way of the lined space of the convention, with or with out connecting to the community. Christian Clasen takes this obtainable knowledge to a brand new degree in Half 2 of the weblog.

Because the particular person with core tasks for the change configuration and uptime, the Meraki dashboard made it quite simple to shortly change the community topology, in keeping with the wants of the Black Hat buyer.

Meraki Programs Supervisor, by Paul Fidler

In case you refer again to Black Hat USA 2022, you’d have seen that we had over 1,000 iOS gadgets to deploy, with which we had a number of difficulties. For context, the corporate that leases the gadgets to Black Hat doesn’t use a Cellular System Administration (MDM) platform for any of their different exhibits…Black Hat is the one one which does. So, as an alternative of utilizing a mass deployment know-how, like Apple’s Automated System Enrollment, the iOS gadgets are “ready” utilizing Apple Configurator. This consists of importing a Wi-Fi profile to the gadgets as a part of that course of. In Las Vegas, this Wi-Fi profile wasn’t set to auto be part of the Wi-Fi, leading to the necessity to manually change this on 1,000 gadgets. Moreover, 200 gadgets weren’t reset or ready, so we had these to reimage as nicely.

Black Hat Europe 2022 was completely different. We took the teachings from US and coordinated with the contractor to arrange the gadgets. Now, if you happen to’ve ever used Apple Configurator, there’s a number of steps wanted to arrange a tool. Nonetheless, all of those will be actions will be mixed right into a Blueprint:

As an alternative of there being a number of steps to arrange a tool, there may be now only one! Making use of the Blueprint!

For Black Hat Europe, this included:

  • Wi-Fi profile
  • Enrollment, together with supervision
  • Whether or not to permit USB pairing
  • Setup Assistant pane skipping

There’s a lot of different issues that may be achieved as nicely, however this leads to the time taken to enroll and arrange a tool to round 30 seconds. Since gadgets will be arrange in parallel (you’re solely restricted by the variety of USB cables / ports you’ve gotten), this actually streamlines the enrollment and arrange course of.

Now, for the long run, while you’ll be able to’t Export these blueprints, they’re transportable. In case you open Terminal on a Mac and kind:
cd /Customers/<YOUR USER NAME>/Library/Group Containers/ Help/

You’ll see a file / bundle referred to as one thing.blueprint This may be zipped up and emailed to some else so, they’ll then use the very same Blueprint! Chances are you’ll have to reboot your pc for the Blueprint to look in Apple Configurator.

System Naming / Lock Display Messages

As talked about, the registration / lead seize / session scanning gadgets are supplied by the contractor. Clearly, these are all catalogued and have a singular system code / QR code on the again of them. Nonetheless, throughout setup, any system title provisioned on the system will get misplaced.

So, there’s three issues we do to know, with out having to resort to utilizing the unwieldy serial quantity, what gadgets is what.

  • The very first thing that we do is to make use of the Meraki API to rename Programs Supervisor Units. The script created has another performance too, similar to error dealing with, however it’s potential to do that with out a script. You could find it right here. This ensures that the system has a reputation: iOS gadgets default to being referred to as iPhone or iPad in Programs Supervisor after they first enroll, so, already, that is extremely useful.
  • The second factor we do is to make use of a easy Restrictions profile for iOS, which retains the bodily system’s title in sync with that within the dashboard
  • Lastly, we then use a Lock Display payload to format the message on the system when it’s locked:

Within the footnote, you’ll see System Identify and System Serial in blue. This denotes that the values are literally dynamic and alter per system. They embody:

  • Group title
  • Community title
  • System title
  • System serial
  • System mannequin
  • System OS model
  • System notes
  • Proprietor title
  • Proprietor electronic mail
  • Proprietor username
  • SM system ID

On the Lock Display, it’s now potential to see the system’s title and serial quantity, with out having to flip the system over (An issue for the registration gadgets that are locked in a safe case) or open programs preferences.

We additionally had integration with SecureX system insights, to see the safety standing of every iOS system.

With the flexibility to shortly test on system well being from the SecureX dashboard.


Information Safety

This goes with out saying, however the iOS gadgets (Registration, Lead Seize and Session Scanning) do have entry to private info. To make sure the safety of the information, gadgets are wiped on the finish of the convention. That is extremely satisfying, hitting the Erase Units button in Meraki Programs Supervisor, and watching the 100+ gadgets reset!

A Higher Solution to Design Coaching SSIDs/VLANs, by Paul Fidler

Deploying a community like Black Hat takes a number of work, and repetitive configuration. A lot of this has been lined in earlier blogs. Nonetheless, to make issues simpler for this occasion, as an alternative of the 60 coaching SSIDs we had in Black Hat US 2022, the Meraki staff mentioned the advantages of transferring to iPSKs with Black Hat NOC Management, which accepted the plan.

For context, as an alternative of getting a single pre shared key for an SSID, iPSK performance means that you can have 1000+. Every of those iPSKs will be assigned its personal group coverage / VLAN. So, we created a script:

  • That consumed networkID, SSID, Coaching title, iPSK and VLAN from a CSV
  • Created a bunch coverage for that VLAN with the title of the coaching
  • Created an iPSK for the given SSID that referred to the coaching title

This solely includes 5 API calls:

  • For a given community title, get the community ID
  • Get Group Insurance policies
  • If the group coverage exists, use that, else create a bunch coverage, retaining the group coverage ID
  • Get the SSIDs (to get the ID of the SSID)
  • Create an iPSK for the given SSID ID

The majority of the script is error dealing with (The SSID or community doesn’t exist, for instance) and logic!

The end result was one SSID for all of coaching: BHTraining, and every classroom had their very own password. This diminished the coaching SSIDs from over a dozen and helped clear the airwaves.


Thanks to the Cisco NOC staff:

  • Meraki Community: Evan Basta, Sandro Fasser, Rossi Rosario Burgos, Otis Ioannou, Asmae Boutkhil, Jeffry Handal and Aleksandar Dimitrov Vladimirov
  • Meraki Programs Supervisor: Paul Fidler
  • Cisco Safe: Ian Redden, Christian Clasen, Aditya Sankar, Ryan MacLennan, Guillaume Buisson, Jerome Schneider, Robert Taylor, Piotr Jarzynka, Tim Wadhwa-Brown and Matthieu Sprunck
  • Risk Hunter / Paris 2024 Olympics SOC: Jérémy Couture

Additionally, to our NOC companions NetWitness (particularly David Glover, Iain Davidson, Alessandro Contini and Alessandro Zatti), Palo Alto Networks (particularly James Holland, Matt Ford, Matt Smith and Mathew Chase), Gigamon, IronNet, and your entire Black Hat / Informa Tech workers (particularly Grifter ‘Neil Wyler’, Bart Stump, Steve Fink, James Pope, Jess Stafford and Steve Oldenbourg).

About Black Hat

For 25 years, Black Hat has supplied attendees with the very newest in info safety analysis, growth, and traits. These high-profile world occasions and trainings are pushed by the wants of the safety group, striving to carry collectively the very best minds within the trade. Black Hat evokes professionals in any respect profession ranges, encouraging development and collaboration amongst academia, world-class researchers, and leaders in the private and non-private sectors. Black Hat Briefings and Trainings are held yearly in the USA, Europe and USA. Extra info is offered at: Black Hat is dropped at you by Informa Tech.

We’d love to listen to what you suppose. Ask a Query, Remark Beneath, and Keep Related with Cisco Safe on social!

Cisco Safe Social Channels





Por favor ingrese su comentario!
Por favor ingrese su nombre aquí

Most Popular

Recent Comments

Esta web utiliza cookies propias para su correcto funcionamiento. Al hacer clic en el botón Aceptar, acepta el uso de estas tecnologías y el procesamiento de tus datos para estos propósitos. Más información