As an Amazon Associate I earn from qualifying purchases from

Black Hat Asia 2022: Constructing the Community

Partly one in all this problem of our Black Hat Asia NOC weblog, you can see: 

  • From attendee to press to volunteer – coming again to Black Hat as NOC volunteer by Humphrey Cheung 
  • Meraki MR, MS, MX and Programs Supervisor by Paul Fidler 
  • Meraki Scanning API Receiver by Christian Clasen 

Cisco Meraki was requested by Black Hat Occasions to be the Official Wired and Wi-fi Community Gear, for Black Hat Asia 2022, in Singapore, 10-13 Could 2022; along with offering the Cell Gadget Administration (since Black Hat USA 2021), Malware Evaluation (since Black Hat USA 2016), & DNS (since Black Hat USA 2017) for the Community Operations Middle. We have been proud to collaborate with NOC companions Gigamon, IronNet, MyRepublic, NetWitness and Palo Alto Networks. 

To perform this enterprise in just a few weeks’ time, after the convention had a inexperienced mild with the brand new COVID protocols, Cisco Meraki and Cisco Safe management gave their full help to ship the required {hardware}, software program licenses and employees to Singapore. 13 Cisco engineers deployed to the Marina Bay Sands Conference Middle, from Singapore, Australia, United States and United Kingdom; with two further distant Cisco engineers from the USA.

From attendee to press to volunteer – coming again to Black Hat as NOC volunteer by Humphrey Cheung

Loops within the networking world are often thought of a foul factor. Spanning tree loops and routing loops occur right away and may damage your entire day, however over the 2nd week in Could, I made a special type of loop. Twenty years in the past, I first attended the Black Hat and Defcon conventions – yay Caesars Palace and Alexis Park – a wide-eyed tech beginner who barely knew what WEP hacking, Driftnet picture stealing and session hijacking meant. The group was wonderful and the friendships and data I gained, springboarded my IT profession.

In 2005, I used to be fortunate sufficient to change into a Senior Editor at Tom’s {Hardware} Information and attended Black Hat as accredited press from 2005 to 2008. From writing in regards to the newest {hardware} zero-days to studying find out how to steal cookies from the grasp himself, Robert Graham, I can say, with none doubt, Black Hat and Defcon have been my favourite occasions of the yr.

Since 2016, I’ve been a Technical Options Architect at Cisco Meraki and have labored on insanely massive Meraki installations – some with twenty thousand branches and greater than 100 thousand entry factors, so organising the Black Hat community ought to be a bit of cake proper? Heck no, that is in contrast to any community you’ve skilled!

As an attendee and press, I took the Black Hat community without any consideration. To take a phrase that we frequently hear about Cisco Meraki gear, “it simply works”. Again then, whereas I did see entry factors and switches across the present, I by no means actually dived into how the whole lot was arrange.

A critical problem was to safe the wanted {hardware} and ship it in time for the convention, given the worldwide provide chain points. Particular recognition to Jeffry Handal for finding the {hardware} and acquiring the approvals to donate to Black Hat Occasions. For Black Hat Asia, Cisco Meraki shipped:

Let’s begin with availability. iPads and iPhones are scanning QR codes to register attendees. Badge printers want entry to the registration system. Coaching rooms all have their separate wi-fi networks – in any case, Black Hat attendees get a baptism by fireplace on community protection and assault. To high all of it off, a whole lot of attendees gulped down terabytes of information by means of the principle convention wi-fi community.

All this connectivity was supplied by Cisco Meraki entry factors, switches, safety home equipment, together with integrations into SecureX, Umbrella and different merchandise. We fielded a literal military of engineers to face up the community in lower than two days… simply in time for the coaching classes on Could 10  to 13th and all through the Black Hat Briefings and Enterprise Corridor on Could 12 and 13.

Let’s speak safety and visibility. For just a few days, the Black Hat community might be some of the hostile on this planet. Attendees study new exploits, obtain new instruments and are inspired to check them out. Having the ability to drill down on attendee connection particulars and visitors was instrumental on guaranteeing attendees didn’t get too loopy.

On the wi-fi entrance, we made in depth use of our Radio Profiles to cut back interference by tuning energy and channel settings. We enabled band steering to get extra shoppers on the 5GHz bands versus 2.4GHz and watched the Location Heatmap like a hawk searching for hotspots and lifeless areas. Dealing with the barrage of wi-fi change requests – allow or disabling this SSID, shifting VLANs (Digital Native Space Networks), enabling tunneling or NAT mode, – was a snap with the Meraki Dashboard.

Shutting Down a Community Scanner

Whereas the Cisco Meraki Dashboard is extraordinarily highly effective, we fortunately supported exporting of logs and integration in main occasion collectors, such because the NetWitness SIEM and even the Palo Alto firewall. On Thursday morning, the NOC workforce discovered a probably malicious Macbook Professional performing vulnerability scans in opposition to the Black Hat administration community. It’s a steadiness, as we should enable trainings and demos hook up with malicious web sites, obtain malware and execute. Nonetheless, there’s a Code of Conduct to which all attendees are anticipated to comply with and is posted at Registration with a QR code.

The Cisco Meraki community was exporting syslog and different data to the Palo Alto firewall, and after correlating the info between the Palo Alto Dashboard and Cisco Meraki consumer particulars web page, we tracked down the laptop computer to the Enterprise Corridor.

We briefed the NOC administration, who confirmed the scanning was violation of the Code of Conduct, and the system was blocked within the Meraki Dashboard, with the instruction to return to the NOC.

The system title and site made it very straightforward to find out to whom it belonged within the convention attendees.

A delegation from the NOC went to the Enterprise Corridor, politely waited for the demo to complete on the sales space and had a considerate dialog with the particular person about scanning the community. 😊

Coming again to Black Hat as a NOC volunteer was an incredible expertise.  Whereas it made for lengthy days with little sleep, I actually can’t consider a greater option to give again to the convention that helped jumpstart my skilled profession.

Meraki MR, MS, MX and Programs Supervisor by Paul Fidler

With the invitation prolonged to Cisco Meraki to offer community entry, each from a wired and wi-fi perspective, there was a chance to indicate the worth of the Meraki platform integration capabilities of Entry Factors (AP), switches, safety home equipment and cell system administration.

The primary amongst this was using the Meraki API. We have been in a position to import the checklist of MAC addresses of the Meraki MRs, to make sure that the APs have been named appropriately and tagged, utilizing a single supply of fact doc shared with the NOC administration and companions, with the flexibility to replace en masse at any time.

Flooring Plan and Location Heatmap

On the primary day of NOC setup, the Cisco workforce walked across the venue to debate AP placements with the employees of the Marina Bay Sands. While we had a easy Powerpoint exhibiting approximate AP placements for the convention, it was famous that the venue workforce had an extremely detailed flooring plan of the venue. This was acquired in PDF and uploaded into the Meraki Dashboard; and with slightly fantastic tuning, aligned completely with the Google Map.

Meraki APs have been then positioned bodily within the venue assembly and coaching rooms, and very roughly on the ground plan. One of many workforce members then used a printout of the ground plan to mark precisely the position of the APs. Having the APs named, as talked about above, made this a straightforward activity (strolling across the venue however!). This enabled correct heatmap functionality.

The Location Heatmap was a brand new functionality for Black Hat NOC, and the consumer knowledge visualized in NOC continued to be of nice curiosity to the Black Hat administration workforce, comparable to which coaching, briefing and sponsor cubicles drew probably the most curiosity.

SSID Availability

The flexibility to make use of SSID Availability was extremely helpful. It allowed ALL of the entry factors to be positioned inside a single Meraki Community. Not solely that, due to the coaching occasions occurring in the course of the week, in addition to TWO devoted SSIDs for the Registration and lead monitoring iOS units (extra of which later), one for preliminary provisioning (which was later turned off), and one for certificated primarily based authentication, for a really safe connection.

Community Visibility

We have been in a position to monitor the variety of linked shoppers, community utilization, the individuals passing by the community and site analytics, all through the convention days. We supplied visibility entry to the Black Hat NOC administration and the expertise companions (together with full API entry), so they may combine with the community platform.


Meraki alerts are precisely that: the flexibility to be alerted to one thing that occurs within the Dashboard. Default habits is to be emailed when one thing occurs. Clearly, emails obtained misplaced within the noise, so an online hook was created in SecureX orchestration to have the ability to eat Meraki alerts and ship it to Slack (the messaging platform inside the Black Hat NOC), utilizing the native template within the Meraki Dashboard. The primary alert to be created was to be alerted if an AP went down. We have been to be alerted after 5 minutes of an AP happening, which is the smallest period of time obtainable earlier than being alerted.

The bot was prepared; nevertheless, the APs stayed up your entire time! 

Meraki Programs Supervisor

Making use of the teachings realized at Black Hat Europe 2021, for the preliminary configuration of the convention iOS units, we arrange the Registration iPads and lead retrieval iPhones with Umbrella, Safe Endpoint and WiFi config. Gadgets have been, as in London, initially configured utilizing Apple Configurator, to each supervise and enroll the units into a brand new Meraki Programs Supervisor occasion within the Dashboard.

Nonetheless, Black Hat Asia 2022 provided us a novel alternative to indicate off among the extra built-in performance.

System Apps have been hidden and varied restrictions (disallow becoming a member of of unknown networks, disallow tethering to computer systems, and so on.) have been utilized, in addition to a regular WPA2 SSID for the units that the system vendor had arrange (we gave them the title of the SSID and Password).

We additionally stood up a brand new SSID and turned-on Sentry, which lets you provision managed units with, not solely the SSID data, but additionally a dynamically generated certificates. The certificates authority and radius server wanted to do that 802.1x is included within the Meraki Dashboard mechanically! When the system makes an attempt to authenticate to the community, if it doesn’t have the certificates, it doesn’t get entry. This SSID, utilizing SSID availability, was solely obtainable to the entry factors within the Registration space.

Utilizing the Sentry allowed us to simply establish units within the consumer checklist.

One of many alerts generated with SysLog by Meraki, after which viewable and correlated within the NetWitness SIEM, was a ‘De Auth’ occasion that got here from an entry level. While we had the IP handle of the system, making it straightforward to seek out, as a result of the occasion was a de auth, which means 802.1x, it narrowed down the units to JUST the iPads and iPhones used for registration (as all different entry factors have been utilizing WPA2). This was additional enhanced by seeing the certificates title used within the de-auth:

Together with the certificates title was the title of the AP: R**

Gadget Location

One of many inherent issues with iOS system location is when units are used indoors, as GPS indicators simply aren’t sturdy sufficient to penetrate trendy buildings. Nonetheless, as a result of the correct location of the Meraki entry factors was positioned on the ground plan within the Dashboard, and since the Meraki Programs Supervisor iOS units have been in the identical Dashboard group because the entry factors, we obtained to see a way more correct map of units in comparison with Black Hat Europe 2021 in London.

When the convention Registration closed on the final day and the Enterprise Corridor Sponsors all returned their iPhones, we have been in a position to remotely wipe all the units, eradicating all attendee knowledge, previous to returning to the system contractor.

Meraki Scanning API Receiver by Christian Clasen

Leveraging the ubiquity of each WiFi and Bluetooth radios in cell units and laptops, Cisco Meraki’s wi-fi entry factors can detect and supply location analytics to report on consumer foot visitors habits. This may be helpful in retail eventualities the place prospects want location and motion knowledge to raised perceive the developments of engagement of their bodily shops.

Meraki can mixture real-time knowledge of detected WiFi and Bluetooth units and triangulate their location somewhat exactly when the floorplan and AP placement has been diligently designed and documented. On the Black Hat Asia convention, we made positive to correctly map the AP places rigorously to make sure the very best accuracy potential.

This scanning knowledge is out there for shoppers whether or not they’re related to the entry factors or not. On the convention, we have been in a position to get very detailed heatmaps and time-lapse animations representing the motion of attendees all through the day. This knowledge is effective to convention organizers in figuring out the recognition of sure talks, and the attendance at issues like keynote shows and foot visitors at cubicles.

This was nice for monitoring in the course of the occasion, however the Dashboard would solely present 24-hours of scanning knowledge, limiting what we might do when it got here to long-term knowledge evaluation. Luckily for us, Meraki provides an API service we are able to use to seize this treasure trove offline for additional evaluation. We solely wanted to construct a receiver for it.

The Receiver Stack

The Scanning API requires that the shopper rise up infrastructure to retailer the info, after which register with the Meraki cloud utilizing a verification code and secret. It’s composed of two endpoints:

  1. Validator

Returns the validator string within the response physique

[GET] https://yourserver/

This endpoint is named by Meraki to validate the receiving server. It expects to obtain a string that matches the validator outlined within the Meraki Dashboard for the respective community.

  1. Receiver

Accepts an statement payload from the Meraki cloud

[POST] https://yourserver/

This endpoint is answerable for receiving the statement knowledge supplied by Meraki. The URL path ought to match that of the [GET] request, used for validation.

The response physique will encompass an array of JSON objects containing the observations at an mixture per community degree. The JSON will likely be decided primarily based on WiFi or BLE system observations as indicated within the sort parameter.

What we would have liked was a easy expertise stack that will comprise (at minimal) a publicly accessible net server able to TLS. Ultimately, the best implementation was an online server written utilizing Python Flask, in a Docker container, deployed in AWS, linked by means of ngrok.

In fewer than 50 strains of Python, we might settle for the inbound connection from Meraki and reply with the chosen verification code. We might then pay attention for the incoming POST knowledge and dump it into an area knowledge retailer for future evaluation. Since this was to be a short lived resolution (the length of the four-day convention), the considered registering a public area and configuring TLS certificates wasn’t significantly interesting. A superb resolution for a lot of these API integrations is ngrok ( And a useful Python wrapper was obtainable for easy integration into the script (

We needed to simply re-use this stack subsequent time round, so it solely made sense to containerize it in Docker. This manner, the entire thing may very well be stood up on the subsequent convention, with one easy command. The picture we ended up with would mount an area quantity, in order that the ingested knowledge would stay persistent throughout container restarts.

Ngrok allowed us to create a safe tunnel from the container that may very well be linked within the cloud to a publicly resolvable area with a trusted TLS certificates generated for us. Including that URL to the Meraki Dashboard is all we would have liked to do begin ingesting the huge treasure trove of location knowledge from the Aps – practically 1GB of JSON over 24 hours.

This “fast and soiled” resolution illustrated the significance of interoperability and openness within the expertise house when enabling safety operations to assemble and analyze the info they require to watch and safe occasions like Black Hat, and their enterprise networks as properly. It served us properly in the course of the convention and will definitely be used once more going ahead.

Take a look at half two of the weblog, Black Hat Asia 2022 Continued: Cisco Safe Integrations, the place we’ll focus on integrating NOC operations and making your Cisco Safe deployment simpler:

  • SecureX: Bringing Menace Intelligence Collectively by Ian Redden
  • Gadget sort spoofing occasion by Jonny Noble
  • Self Service with SecureX Orchestration and Slack by Matt Vander Horst
  • Utilizing SecureX sign-on to streamline entry to the Cisco Stack at Black Hat by Adi Sankar
  • Future Menace Vectors to Contemplate – Cloud App Discovery by Alejo Calaoagan
  • Malware Menace Intelligence made straightforward and obtainable, with Cisco Safe Malware Analytics and SecureX by Ben Greenbaum

Acknowledgements: Particular because of the Cisco Meraki and Cisco Safe Black Hat NOC workforce: Aditya Sankar, Aldous Yeung, Alejo Calaoagan, Ben Greenbaum, Christian Clasen, Felix H Y Lam, George Dorsey, Humphrey Cheung, Ian Redden, Jeffrey Chua, Jeffry Handal, Jonny Noble, Matt Vander Horst, Paul Fidler and Steven Fan.

Additionally, to our NOC companions NetWitness (particularly David Glover), Palo Alto Networks (particularly James Holland), Gigamon, IronNet (particularly Invoice Swearington), and your entire Black Hat / Informa Tech employees (particularly Grifter ‘Neil Wyler’, Bart Stump, James Pope, Steve Fink and Steve Oldenbourg).

About Black Hat

For greater than 20 years, Black Hat has supplied attendees with the very newest in data safety analysis, improvement, and developments. These high-profile world occasions and trainings are pushed by the wants of the safety group, striving to deliver collectively one of the best minds within the trade. Black Hat evokes professionals in any respect profession ranges, encouraging development and collaboration amongst academia, world-class researchers, and leaders in the private and non-private sectors. Black Hat Briefings and Trainings are held yearly in the USA, Europe and Asia. Extra data is out there at: Black Hat is delivered to you by Informa Tech.

We’d love to listen to what you suppose. Ask a Query, Remark Under, and Keep Related with Cisco Safe on social!

Cisco Safe Social Channels



We will be happy to hear your thoughts

Leave a reply

Enable registration in settings - general
Compare items
  • Total (0)
Shopping cart