Security Automation at BlackHat Europe 2022: Part 2
In part 2 of this double-header, we look at the operations side of the conference infrastructure. If you missed part one, it’s here.
Automating Security Operations Use Cases with Cortex XSOAR
To reiterate from the previous post, on the Black Hat conference network we are likely to see malicious activity, in fact it is expected. As the Black Hat leadership team say, occasionally we find a “needle in a needlestack”, someone with true malicious intent. But how do you go about finding malicious activity with real intent within a sea of offensive security demonstrations and training exercises?
Without being able to proactively block the majority of malicious activity (in case we disrupt training exercises, or break someone’s exploitation demo in the Arsenal), we hunt. To hunt more efficiently we automate. It’s a multi-vendor approach, with hunters from Palo Alto Networks, Cisco, RSA Netwitness and Ironnet all on-site and collaborating. Cortex XSOAR provides the glue between all the deployed inline and out-of-band security tooling, as well as being the conduit into Slack for the analysts to collaborate and communicate.
An investigation may start from various angles and different indicators, and being able to quickly classify if the source of the incident is a training class is a great start. Without leaving Slack, an Cortex XSOAR chatbot is able to provide an automated lookup of a machine’s MAC address, and tell the analyst: the IP address, the vendor assigned to that MAC address where applicable, the wireless access point the host is connected to (thanks to the Cortex XSOAR integration with Cisco Meraki, docs here), and crucially the firewall zone where the machine is located. In the example below, the “tr_digi_forens_ir” zone tells us this machine is in a training class, specifically the digital forensics and incident response class:
That’s really useful information when examining internal hosts, but how about a lookup for IP addresses which are sending traffic towards the Black Hat conference infrastructure in a suspicious way from the outside, from the Internet? To see if any of the variety of available Threat Intelligence sources have specific information available, and the level of confidence. There’s a Slack chatbot query for that too, powered by Cortex XSOAR:
Or checking Threat Intellignce sources for information about a domain being contacted by a machine in the visitor wireless network which is potentially compromised, and analysing it in a sandbox too?
The chatbot has many features, all available to any analyst from any vendor working in the NOC, with no requirement to learn any product’s user interface, just a simple Slack chatbot:
Other ways of automating our operations included ingestion of the data from other deployed toolsets, like the Palo Alto Networks IoT platform, which below is shown creating incidents in Cortex XSOAR based on the passive device and application profiling it does on the network traffic:
The data from the IoT platform enriches the incident, providing the analyst wish a page of information to quickly understand the context of the incident and what action would be appropriate:
As well as integrating Cortex XSOAR with Cisco Meraki, we also integrated Cortex XSOAR with RSA Netwitness, and were able to use alerts from Netwitness to generate and work through any incidents that looked like potentially malicious behaviour.
We also utilised Cortex XSOAR for some more network-focused use cases. For instance, by leveraging the intelligence data maintained within the PAN-OS NGFWs, we were interested to see if there was any traffic approaching the Black Hat infrastructure’s public facing services from TOR exit nodes, and we weren’t disappointed:
We also leveraged Cortex XSOAR playbooks to provide an OSINT news into a dedicated Slack channel, so analysts could see breaking stories as they happen:
And we even used a Cortex XSOAR playbook to proactively monitor device uptime, which would alert into Slack if a critical device stopped responding and was suspected to be “down”:
It’s an infrastructure full of malicious activity, on purpose. It gets built, rapidly, to a bespoke set of requirements for each conference. It is then operated by a collaboration of Black Hat staff and multiple security vendors’ staff.
That can only happen successfully with high levels of automation, in both the build and the operation phases of the conference. With the automation capabilities of the PAN-OS network security platform, the orchestration from Cortex XSOAR, and the collaboration across vendors, the Black Hat conference was once again a safe and reliable environment for all who attended.
Palo Alto Networks would like to once again thank Black Hat for choosing us to provide network security, as well as the automation and orchestration platform, for the operations centres of the conferences this year in Singapore, Las Vegas and London ♥
Thank you Jessica Stafford, Bart Stump, Steve Fink, Neil R. Wyler and ᴘᴏᴘᴇ for your leadership and guidance. Thank you Jessica Bair Oppenheimer, Evan Basta, Dave Glover, Peter Rydzynski and Muhammad Durrani for all the cross-vendor collaboration along with your teams including Rossi Rosario, Paul Fidler, Panagiotis (Otis) Ioannou, Paul Mulvihill, Iain Davison, and (sorry) everyone else who may be lurking on other social media platforms where I couldn’t find them!
And of course, thanks so much to the amazing folks representing Palo Alto Networks in London, great job team; Matt Ford, Ayman Mahmoud, Matt Smith, Simeon Maggioni and Doug Tooth. Also Scott Brumley for his work on the Cortex XSOAR Slack chatbot during the USA conference earlier this year.