
It is important to remember that we as defenders are fighting for the same thing, and that is to protect our customers from bad adversaries. Yes, we are in competition with other security vendors day-to-day to sell our products, and we all think our products are better than everyone else’s, but we put that aside in this Black Hat environment to combine our platforms into something better than the sum of its parts.

It is refreshing to walk into a NOC environment where everyone has the same goal, and puts their company loyalty and product bias to the side to allow true collaboration across all platforms to detect and prevent threats to the Black Hat event.

The NOC leadership enabled Cisco and other partners to introduce additional pre-approved software and hardware solutions, enhancing our internal efficiency and expanding our visibility capabilities; however, Cisco is not the official provider for Extended Detection & Response, Security Event and Incident Management, Firewall, Network Detection & Response or Collaboration.

You don’t expect to turn up on the very first morning at Black Hat, hours before the doors have even opened and find your first legitimate incident, but that is exactly what happened with this case.

The team saw a high priority incident in XDR that highlighted what appeared to be an attempt to infiltrate an externally facing Black Hat registration server and exploit a known Apache vulnerability.


1. Detection and Source Identification

  • Within the Incident’s detections tab, every source that contributed to identifying and confirming the incident was reviewed.
  • The activity was traced to an external IP address located in Zambia, flagged as malicious by Threatscore|Cyberprotect and marked Suspicious/Risky by Talos Intelligence and alphaMountain.ai.
  • Cisco XDR’s new Agentic SOC Attack Storyboard feature provided a confidence level confirming the incident as a True Positive.

2. Firewall Blocking and Vulnerability Assessment

  • Evidence was found of a Palo Alto Networks firewall blocking an attempt, originating from the confirmed malicious IP address and targeting the server, to exploit CVE-2021-41773, the Apache HTTP Server 2.4.49 path traversal and remote code execution (RCE) vulnerability, demonstrating correct firewall behavior.
  • The Black Hat server owners confirmed the Apache version was fully patched, ensuring no impact to Black Hat assets.

3. Vendor Collaboration and Data Correlation

  • Multiple vendors contributed data during the incident:
    • Arista provided the Wi-Fi network details for the affected user.
    • Corelight detected the incident and reported it to Splunk.
    • Palo Alto Networks observed the communication and notified Splunk.
    • Splunk collected logs and forwarded them to Cisco XDR for correlation.
    • Cisco XDR correlated events and enriched them with Talos and other third-party threat intelligence feeds, confirming the issue and assigning priority.

4. Incident Investigation and Response Automation

  • Investigation utilized multiple vendor tools including Splunk Attack Analyzer, Palo Alto Networks XSOAR AI (nicknamed ‘Trevor’), and Cisco XDR’s Attack Storyboard and Instant Attack Verification features.
  • These tools helped determine the incident’s nature and response status.
  • If the Palo Alto Networks NGFW had not already blocked the attack, the integrated tools would have enabled rapid containment actions.
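As an added illustration (not code from the Cisco NOC team or any vendor named above), here is the kind of check a sensor or a log review applies to spot a CVE-2021-41773-style request: it flags percent-encoded dot-segments, which is what defeated the path normalization in Apache 2.4.49, and decoded paths that climb above the document root. The log lines are constructed, and the 403 status stands in for the firewall block.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not Black Hat NOC data). The first two
# requests spell ".." with a percent-encoded dot, the trick behind CVE-2021-41773;
# the last one is an ordinary dot-segment that stays inside the document root.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2026:06:12:01 +0800] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199
203.0.113.10 - - [10/Apr/2026:06:12:03 +0800] "GET /icons/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 403 199
198.51.100.7 - - [10/Apr/2026:06:13:15 +0800] "GET /register/index.html HTTP/1.1" 200 5120
198.51.100.8 - - [10/Apr/2026:06:14:02 +0800] "GET /icons/../images/logo.png HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# A ".." segment in which at least one dot is written as %2e (case-insensitive).
ENCODED_DOT_SEGMENT = re.compile(r'/(?:\.%2e|%2e\.|%2e%2e)(?=/|$)', re.IGNORECASE)


def analyze_uri(uri: str) -> list[str]:
    """Return the reasons a request path looks like a CVE-2021-41773-style traversal."""
    reasons = []
    path = uri.split("?", 1)[0]
    # Apache 2.4.49 normalized dot-segments before percent-decoding, so ".%2e" was not
    # recognised as ".." until it was too late; any encoded dot-segment is therefore suspect.
    if ENCODED_DOT_SEGMENT.search(path):
        reasons.append("percent-encoded dot-segment")
    # Walk the decoded path: a ".." that pops above the root escapes the document root.
    depth = 0
    for segment in unquote(path).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                reasons.append("decoded path escapes document root")
                break
        elif segment not in ("", "."):
            depth += 1
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse log lines and return one record per request that trips a traversal check."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_uri(m["uri"])
        if reasons:
            # A 2xx here would mean the request reached an unpatched server; 403 means it was refused.
            hits.append({"ip": m["ip"], "uri": m["uri"], "status": int(m["status"]), "reasons": reasons})
    return hits
```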

An attendee was seen accessing a custom application hosted in their home country from the Black Hat network. Very surprisingly, the communication was in the clear, with usernames and passwords being shared openly (the ones you would baulk at as default credentials!).

The same activity was seen several times over the duration of Black Hat, which led to this being escalated to the NOC leaders. The user was then identified, and an email was sent to them describing the activity observed and the corrective actions they should take. XDR generated the incident based on detections and correlations from Corelight, Splunk and Palo Alto Networks.


1. Initial Incident Identification Using Cisco XDR Attack Storyboard and Instant Attack Verification

  • Utilized the new attack storyboard and instant attack verification features of Cisco XDR to quickly determine that the activity was not an incident affecting Black Hat or its assets.
  • The AI-driven storyboard provided a clear verdict and timeline, enabling rapid validation and confidence in the assessment.

2. AI Reasoning Analysis

  • Drilled deeper into the AI reasoning behind the Cisco XDR storyboard findings.
  • Noted open, unsecured credentials used during the activity, prompting further investigation.

3. Pivot to Splunk for Behavioral Clarification

  • Leveraged Splunk to analyze the actions between the involved IP addresses.
  • Confirmed that the behavior was non-malicious, though not advisable, clarifying the nature of the activity.

4. Contextual Site Access Review via Cortex

  • Investigated the site accessed by the user back in Thailand using data provided by Cortex.
  • This information helped contextualize the user’s activity and supported the conclusion of no malicious intent.

Why was this a bad thing (apart from it being the world’s easiest username and password combination to guess)?

Credential Theft: Attackers can easily obtain valid credentials to gain unauthorized access to user accounts.

Session Hijacking: If session tokens are transmitted over HTTP, they can also be intercepted, allowing an attacker to impersonate the user without needing the password.
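To make the two risks above concrete, the following added example (not part of the original post) parses constructed cleartext HTTP requests the way a passive sensor could and names what an on-path observer would learn from each: a Basic auth header, a password form field, and a session cookie. The password field names and session cookie names are assumed common defaults, and the requests and credentials are made up.

```python
import base64
from urllib.parse import parse_qs

# Constructed plain-HTTP requests (not traffic captured at Black Hat). A passive sensor
# such as Corelight sees exactly these bytes because nothing on port 80 is encrypted.
SAMPLE_REQUESTS = [
    b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
    b"username=admin&password=admin",
    b"GET /dashboard HTTP/1.1\r\nHost: app.example.test\r\nCookie: sessionid=3f9c0d2e; theme=dark\r\n\r\n",
    b"GET /api/status HTTP/1.1\r\nHost: app.example.test\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",
    b"GET /public/index.html HTTP/1.1\r\nHost: app.example.test\r\n\r\n",
]

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}  # assumed common form field names
SESSION_COOKIES = {"sessionid", "phpsessid", "jsessionid", "sid"}  # assumed common cookie names


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def findings_for(raw: bytes) -> list[str]:
    """Name each secret an on-path observer could lift from one cleartext request."""
    _, _, headers, body = parse_request(raw)
    out = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is only base64, not encryption: the username (and password) is readable.
        user = base64.b64decode(auth[6:]).decode("latin-1").split(":", 1)[0]
        out.append(f"credential theft: Basic auth for user '{user}' readable on the wire")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(body.decode("latin-1")):
            if field.lower() in PASSWORD_FIELDS:
                out.append(f"credential theft: form field '{field}' sent in cleartext")
    for part in headers.get("cookie", "").split(";"):
        name = part.strip().split("=", 1)[0].lower()
        if name in SESSION_COOKIES:
            # The token alone lets an attacker act as the user without ever knowing the password.
            out.append(f"session hijacking: session cookie '{name}' exposed")
    return out
```

Serving the application over TLS removes all three findings at once, since the observer no longer sees the header, the body or the cookie.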

The XDR Attack Storyboard and Instant Attack Verification features and Palo Alto Networks’ AI assistant Trevor were a great help in determining what was happening with a particular incident. We could use either or both to talk to Palo Alto Networks, Corelight and Splunk and stitch together what a particular IP address or addresses were doing, who they were talking to and what they were talking about. Adding the additional context that Splunk ES and Attack Analyzer were able to provide, you had a holistic view of every incident.

We were a little hamstrung in that we had no endpoint data to use for correlation, and as ‘watchdogs’ of Black Hat we were also unable to perform any actions on endpoints. We relied on the firewalls to block malicious traffic or suspect addresses before any harm could be caused, and they did this very well.

The majority of incidents that we saw were relatively benign or expected in an environment such as Black Hat, where there are a lot of labs and workshops. This isn’t to say we didn’t see anything out of the ordinary (which we have covered in our other blogs). One incident that caused us to chuckle was when, via Corelight, we noticed someone on the public Wi-Fi network remotely connecting to their automated cat feeder to feed their kitty at home. Not something you see every day at a conference like this!

Check out the other blogs from our team at Black Hat Asia 2026.

Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit www.blackhat.com.


We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.


Authors

Cam Dunn

Solutions Engineer

GSSO Acceleration Solutions