Thursday, May 26, 2022
HomeHealthBlack Hat Asia 2022: Constructing the Community

Black Hat Asia 2022: Constructing the Community

Partly one among this concern of our Black Hat Asia NOC weblog, you can see: 

  • From attendee to press to volunteer – coming again to Black Hat as NOC volunteer by Humphrey Cheung 
  • Meraki MR, MS, MX and Techniques Supervisor by Paul Fidler 
  • Meraki Scanning API Receiver by Christian Clasen 

Cisco Meraki was requested by Black Hat Occasions to be the Official Wired and Wi-fi Community Tools, for Black Hat Asia 2022, in Singapore, 10-13 Might 2022; along with offering the Cell Gadget Administration (since Black Hat USA 2021), Malware Evaluation (since Black Hat USA 2016), & DNS (since Black Hat USA 2017) for the Community Operations Heart. We had been proud to collaborate with NOC companions Gigamon, IronNet, MyRepublic, NetWitness and Palo Alto Networks. 

To perform this enterprise in just a few weeks’ time, after the convention had a inexperienced mild with the brand new COVID protocols, Cisco Meraki and Cisco Safe management gave their full help to ship the mandatory {hardware}, software program licenses and employees to Singapore. 13 Cisco engineers deployed to the Marina Bay Sands Conference Heart, from Singapore, Australia, United States and United Kingdom; with two extra distant Cisco engineers from america.

From attendee to press to volunteer – coming again to Black Hat as NOC volunteer by Humphrey Cheung

Loops within the networking world are often thought-about a foul factor. Spanning tree loops and routing loops occur right away and may wreck your entire day, however over the 2nd week in Might, I made a distinct sort of loop. Twenty years in the past, I first attended the Black Hat and Defcon conventions – yay Caesars Palace and Alexis Park – a wide-eyed tech beginner who barely knew what WEP hacking, Driftnet picture stealing and session hijacking meant. The group was wonderful and the friendships and data I gained, springboarded my IT profession.

In 2005, I used to be fortunate sufficient to turn into a Senior Editor at Tom’s {Hardware} Information and attended Black Hat as accredited press from 2005 to 2008. From writing concerning the newest {hardware} zero-days to studying methods to steal cookies from the grasp himself, Robert Graham, I can say, with none doubt, Black Hat and Defcon had been my favourite occasions of the yr.

Since 2016, I’ve been a Technical Options Architect at Cisco Meraki and have labored on insanely massive Meraki installations – some with twenty thousand branches and greater than 100 thousand entry factors, so establishing the Black Hat community must be a chunk of cake proper? Heck no, that is in contrast to any community you’ve skilled!

As an attendee and press, I took the Black Hat community without any consideration. To take a phrase that we frequently hear about Cisco Meraki gear, “it simply works”. Again then, whereas I did see entry factors and switches across the present, I by no means actually dived into how every part was arrange.

A severe problem was to safe the wanted {hardware} and ship it in time for the convention, given the worldwide provide chain points. Particular recognition to Jeffry Handal for finding the {hardware} and acquiring the approvals to donate to Black Hat Occasions. For Black Hat Asia, Cisco Meraki shipped:

Let’s begin with availability. iPads and iPhones are scanning QR codes to register attendees. Badge printers want entry to the registration system. Coaching rooms all have their separate wi-fi networks – in any case, Black Hat attendees get a baptism by hearth on community protection and assault. To high all of it off, a whole bunch of attendees gulped down terabytes of information by means of the principle convention wi-fi community.

All this connectivity was offered by Cisco Meraki entry factors, switches, safety home equipment, together with integrations into SecureX, Umbrella and different merchandise. We fielded a literal military of engineers to face up the community in lower than two days… simply in time for the coaching periods on Might 10  to 13th and all through the Black Hat Briefings and Enterprise Corridor on Might 12 and 13.

Let’s discuss safety and visibility. For just a few days, the Black Hat community might be probably the most hostile on the planet. Attendees study new exploits, obtain new instruments and are inspired to check them out. With the ability to drill down on attendee connection particulars and site visitors was instrumental on making certain attendees didn’t get too loopy.

On the wi-fi entrance, we made in depth use of our Radio Profiles to cut back interference by tuning energy and channel settings. We enabled band steering to get extra purchasers on the 5GHz bands versus 2.4GHz and watched the Location Heatmap like a hawk searching for hotspots and useless areas. Dealing with the barrage of wi-fi change requests – allow or disabling this SSID, transferring VLANs (Digital Native Space Networks), enabling tunneling or NAT mode, – was a snap with the Meraki Dashboard.

Shutting Down a Community Scanner

Whereas the Cisco Meraki Dashboard is extraordinarily highly effective, we fortunately supported exporting of logs and integration in main occasion collectors, such because the NetWitness SIEM and even the Palo Alto firewall. On Thursday morning, the NOC crew discovered a probably malicious Macbook Professional performing vulnerability scans in opposition to the Black Hat administration community. It’s a steadiness, as we should permit trainings and demos connect with malicious web sites, obtain malware and execute. Nevertheless, there’s a Code of Conduct to which all attendees are anticipated to observe and is posted at Registration with a QR code.

The Cisco Meraki community was exporting syslog and different info to the Palo Alto firewall, and after correlating the info between the Palo Alto Dashboard and Cisco Meraki consumer particulars web page, we tracked down the laptop computer to the Enterprise Corridor.

We briefed the NOC administration, who confirmed the scanning was violation of the Code of Conduct, and the gadget was blocked within the Meraki Dashboard, with the instruction to return to the NOC.

The gadget title and site made it very simple to find out to whom it belonged within the convention attendees.

A delegation from the NOC went to the Enterprise Corridor, politely waited for the demo to complete on the sales space and had a considerate dialog with the particular person about scanning the community. 😊

Coming again to Black Hat as a NOC volunteer was an incredible expertise.  Whereas it made for lengthy days with little sleep, I actually can’t consider a greater strategy to give again to the convention that helped jumpstart my skilled profession.

Meraki MR, MS, MX and Techniques Supervisor by Paul Fidler

With the invitation prolonged to Cisco Meraki to offer community entry, each from a wired and wi-fi perspective, there was a possibility to point out the worth of the Meraki platform integration capabilities of Entry Factors (AP), switches, safety home equipment and cellular gadget administration.

The primary amongst this was using the Meraki API. We had been capable of import the listing of MAC addresses of the Meraki MRs, to make sure that the APs had been named appropriately and tagged, utilizing a single supply of fact doc shared with the NOC administration and companions, with the flexibility to replace en masse at any time.

Ground Plan and Location Heatmap

On the primary day of NOC setup, the Cisco crew walked across the venue to debate AP placements with the employees of the Marina Bay Sands. While we had a easy Powerpoint exhibiting approximate AP placements for the convention, it was famous that the venue crew had an extremely detailed flooring plan of the venue. This was acquired in PDF and uploaded into the Meraki Dashboard; and with a bit of wonderful tuning, aligned completely with the Google Map.

Meraki APs had been then positioned bodily within the venue assembly and coaching rooms, and very roughly on the ground plan. One of many crew members then used a printout of the ground plan to mark precisely the location of the APs. Having the APs named, as talked about above, made this a straightforward job (strolling across the venue however!). This enabled correct heatmap functionality.

The Location Heatmap was a brand new functionality for Black Hat NOC, and the consumer information visualized in NOC continued to be of nice curiosity to the Black Hat administration crew, reminiscent of which coaching, briefing and sponsor cubicles drew probably the most curiosity.

SSID Availability

The power to make use of SSID Availability was extremely helpful. It allowed ALL of the entry factors to be positioned inside a single Meraki Community. Not solely that, due to the coaching occasions occurring throughout the week, in addition to TWO devoted SSIDs for the Registration and lead monitoring iOS units (extra of which later), one for preliminary provisioning (which was later turned off), and one for certificated based mostly authentication, for a really safe connection.

Community Visibility

We had been capable of monitor the variety of linked purchasers, community utilization, the individuals passing by the community and site analytics, all through the convention days. We offered visibility entry to the Black Hat NOC administration and the expertise companions (together with full API entry), so they might combine with the community platform.


Meraki alerts are precisely that: the flexibility to be alerted to one thing that occurs within the Dashboard. Default habits is to be emailed when one thing occurs. Clearly, emails acquired misplaced within the noise, so an online hook was created in SecureX orchestration to have the ability to devour Meraki alerts and ship it to Slack (the messaging platform inside the Black Hat NOC), utilizing the native template within the Meraki Dashboard. The primary alert to be created was to be alerted if an AP went down. We had been to be alerted after 5 minutes of an AP happening, which is the smallest period of time obtainable earlier than being alerted.

The bot was prepared; nonetheless, the APs stayed up all the time! 

Meraki Techniques Supervisor

Making use of the teachings discovered at Black Hat Europe 2021, for the preliminary configuration of the convention iOS units, we arrange the Registration iPads and lead retrieval iPhones with Umbrella, Safe Endpoint and WiFi config. Units had been, as in London, initially configured utilizing Apple Configurator, to each supervise and enroll the units into a brand new Meraki Techniques Supervisor occasion within the Dashboard.

Nevertheless, Black Hat Asia 2022 supplied us a singular alternative to point out off among the extra built-in performance.

System Apps had been hidden and numerous restrictions (disallow becoming a member of of unknown networks, disallow tethering to computer systems, and many others.) had been utilized, in addition to a typical WPA2 SSID for the units that the gadget vendor had arrange (we gave them the title of the SSID and Password).

We additionally stood up a brand new SSID and turned-on Sentry, which lets you provision managed units with, not solely the SSID info, but additionally a dynamically generated certificates. The certificates authority and radius server wanted to do that 802.1x is included within the Meraki Dashboard routinely! When the gadget makes an attempt to authenticate to the community, if it doesn’t have the certificates, it doesn’t get entry. This SSID, utilizing SSID availability, was solely obtainable to the entry factors within the Registration space.

Utilizing the Sentry allowed us to simply establish units within the consumer listing.

One of many alerts generated with SysLog by Meraki, after which viewable and correlated within the NetWitness SIEM, was a ‘De Auth’ occasion that got here from an entry level. While we had the IP deal with of the gadget, making it simple to search out, as a result of the occasion was a de auth, that means 802.1x, it narrowed down the units to JUST the iPads and iPhones used for registration (as all different entry factors had been utilizing WPA2). This was additional enhanced by seeing the certificates title used within the de-auth:

Together with the certificates title was the title of the AP: R**

Gadget Location

One of many inherent issues with iOS gadget location is when units are used indoors, as GPS alerts simply aren’t sturdy sufficient to penetrate fashionable buildings. Nevertheless, as a result of the correct location of the Meraki entry factors was positioned on the ground plan within the Dashboard, and since the Meraki Techniques Supervisor iOS units had been in the identical Dashboard group because the entry factors, we acquired to see a way more correct map of units in comparison with Black Hat Europe 2021 in London.

When the convention Registration closed on the final day and the Enterprise Corridor Sponsors all returned their iPhones, we had been capable of remotely wipe the entire units, eradicating all attendee information, previous to returning to the gadget contractor.

Meraki Scanning API Receiver by Christian Clasen

Leveraging the ubiquity of each WiFi and Bluetooth radios in cellular units and laptops, Cisco Meraki’s wi-fi entry factors can detect and supply location analytics to report on consumer foot site visitors habits. This may be helpful in retail eventualities the place prospects need location and motion information to higher perceive the traits of engagement of their bodily shops.

Meraki can mixture real-time information of detected WiFi and Bluetooth units and triangulate their location quite exactly when the floorplan and AP placement has been diligently designed and documented. On the Black Hat Asia convention, we made certain to correctly map the AP places fastidiously to make sure the very best accuracy potential.

This scanning information is obtainable for purchasers whether or not they’re related to the entry factors or not. On the convention, we had been capable of get very detailed heatmaps and time-lapse animations representing the motion of attendees all through the day. This information is efficacious to convention organizers in figuring out the recognition of sure talks, and the attendance at issues like keynote displays and foot site visitors at cubicles.

This was nice for monitoring throughout the occasion, however the Dashboard would solely present 24-hours of scanning information, limiting what we may do when it got here to long-term information evaluation. Thankfully for us, Meraki affords an API service we will use to seize this treasure trove offline for additional evaluation. We solely wanted to construct a receiver for it.

The Receiver Stack

The Scanning API requires that the client get up infrastructure to retailer the info, after which register with the Meraki cloud utilizing a verification code and secret. It’s composed of two endpoints:

  1. Validator

Returns the validator string within the response physique

[GET] https://yourserver/

This endpoint is named by Meraki to validate the receiving server. It expects to obtain a string that matches the validator outlined within the Meraki Dashboard for the respective community.

  1. Receiver

Accepts an statement payload from the Meraki cloud

[POST] https://yourserver/

This endpoint is chargeable for receiving the statement information offered by Meraki. The URL path ought to match that of the [GET] request, used for validation.

The response physique will encompass an array of JSON objects containing the observations at an mixture per community stage. The JSON shall be decided based mostly on WiFi or BLE gadget observations as indicated within the kind parameter.

What we would have liked was a easy expertise stack that will comprise (at minimal) a publicly accessible internet server able to TLS. In the long run, the best implementation was an online server written utilizing Python Flask, in a Docker container, deployed in AWS, linked by means of ngrok.

In fewer than 50 traces of Python, we may settle for the inbound connection from Meraki and reply with the chosen verification code. We might then pay attention for the incoming POST information and dump it into a neighborhood information retailer for future evaluation. Since this was to be a short lived resolution (the period of the four-day convention), the considered registering a public area and configuring TLS certificates wasn’t notably interesting. A superb resolution for most of these API integrations is ngrok ( And a helpful Python wrapper was obtainable for easy integration into the script (

We needed to simply re-use this stack subsequent time round, so it solely made sense to containerize it in Docker. This manner, the entire thing might be stood up on the subsequent convention, with one easy command. The picture we ended up with would mount a neighborhood quantity, in order that the ingested information would stay persistent throughout container restarts.

Ngrok allowed us to create a safe tunnel from the container that might be linked within the cloud to a publicly resolvable area with a trusted TLS certificates generated for us. Including that URL to the Meraki Dashboard is all we would have liked to do begin ingesting the large treasure trove of location information from the Aps – practically 1GB of JSON over 24 hours.

This “fast and soiled” resolution illustrated the significance of interoperability and openness within the expertise area when enabling safety operations to assemble and analyze the info they require to observe and safe occasions like Black Hat, and their enterprise networks as effectively. It served us effectively throughout the convention and will definitely be used once more going ahead.

Try half two of the weblog, Black Hat Asia 2022 Continued: Cisco Safe Integrations, the place we’ll talk about integrating NOC operations and making your Cisco Safe deployment simpler:

  • SecureX: Bringing Menace Intelligence Collectively by Ian Redden
  • Gadget kind spoofing occasion by Jonny Noble
  • Self Service with SecureX Orchestration and Slack by Matt Vander Horst
  • Utilizing SecureX sign-on to streamline entry to the Cisco Stack at Black Hat by Adi Sankar
  • Future Menace Vectors to Think about – Cloud App Discovery by Alejo Calaoagan
  • Malware Menace Intelligence made simple and obtainable, with Cisco Safe Malware Analytics and SecureX by Ben Greenbaum

Acknowledgements: Particular due to the Cisco Meraki and Cisco Safe Black Hat NOC crew: Aditya Sankar, Aldous Yeung, Alejo Calaoagan, Ben Greenbaum, Christian Clasen, Felix H Y Lam, George Dorsey, Humphrey Cheung, Ian Redden, Jeffrey Chua, Jeffry Handal, Jonny Noble, Matt Vander Horst, Paul Fidler and Steven Fan.

Additionally, to our NOC companions NetWitness (particularly David Glover), Palo Alto Networks (particularly James Holland), Gigamon, IronNet (particularly Invoice Swearington), and all the Black Hat / Informa Tech employees (particularly Grifter ‘Neil Wyler’, Bart Stump, James Pope, Steve Fink and Steve Oldenbourg).

About Black Hat

For greater than 20 years, Black Hat has offered attendees with the very newest in info safety analysis, improvement, and traits. These high-profile international occasions and trainings are pushed by the wants of the safety group, striving to deliver collectively the most effective minds within the trade. Black Hat conjures up professionals in any respect profession ranges, encouraging development and collaboration amongst academia, world-class researchers, and leaders in the private and non-private sectors. Black Hat Briefings and Trainings are held yearly in america, Europe and Asia. Extra info is obtainable at: Black Hat is dropped at you by Informa Tech.

We’d love to listen to what you suppose. Ask a Query, Remark Beneath, and Keep Related with Cisco Safe on social!

Cisco Safe Social Channels





Please enter your comment!
Please enter your name here

Most Popular

Recent Comments