惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
C
CERT Recently Published Vulnerability Notes
P
Proofpoint News Feed
Y
Y Combinator Blog
T
The Blog of Author Tim Ferriss
云风的 BLOG
云风的 BLOG
H
Help Net Security
Recorded Future
Recorded Future
The Register - Security
The Register - Security
F
Full Disclosure
N
Netflix TechBlog - Medium
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hackread – Cybersecurity News, Data Breaches, AI and More
爱范儿
爱范儿
Security Archives - TechRepublic
Security Archives - TechRepublic
Simon Willison's Weblog
Simon Willison's Weblog
Cisco Talos Blog
Cisco Talos Blog
I
InfoQ
T
Tenable Blog
T
Tor Project blog
人人都是产品经理
人人都是产品经理
D
DataBreaches.Net
NISL@THU
NISL@THU
Google DeepMind News
Google DeepMind News
博客园 - 叶小钗
B
Blog
V
V2EX
Jina AI
Jina AI
L
LangChain Blog
月光博客
月光博客
W
WeLiveSecurity
U
Unit 42
AWS News Blog
AWS News Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 聂微东
V
Visual Studio Blog
A
Arctic Wolf
T
Tailwind CSS Blog
The Cloudflare Blog
SecWiki News
SecWiki News
S
SegmentFault 最新的问题
Hacker News - Newest:
Hacker News - Newest: "LLM"
宝玉的分享
宝玉的分享
MyScale Blog
MyScale Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Securelist
www.infosecurity-magazine.com
www.infosecurity-magazine.com
腾讯CDC
雷峰网
雷峰网

Security @ Cisco Blogs

We third-party tested our firewall built for AI-scale. The test tools hit their limit first. SharpHound Recon Attack - How AI enhanced the threat hunt Machine Speed, Human Judgement: How AI Changed the SOC in 2026 Elevating Expertise in the SOC Educate at Event Speed: Cisco Live Security Operations Center What Working the Cisco Live SOC Taught Me About AI, Detection, and Response Cable to Cloud - A Product Engineer's Journey Through the Cisco Live AMER 2026 SOC The Experience Dividend: How Better Digital Experience Protects Revenue, Trust, and Growth AIM: Building an Agentic Tier-2 SOC Analyst at Cisco Live AMER 2026 Building the Agentic SOC at Cisco Live Americas 2026 Ten Years in the SOC at RSAC: What We Learned in 2026 Uplevelling Black Hat Threat Hunters Making Workflow Runs Explain Themselves: AI-Powered Run Summaries in Cisco XDR Automate Independent Testing Confirms Secure Email Threat Defense’s Email Security Strength Defenseclaw for On-Prem AI SOC Workflow at Black Hat Asia Cisco Secure Access with MCP Infrastructure at Black Hat Asia 2026 The Essence of Black Hat – Collaboration with Partners Black Hat Asia 2026: A Decade in Singapore Unveiling the Power of Integration: XDR, Splunk, Corelight, Arista and Palo Alto Networks in Action at Black Hat Asia Security in the Post-Mythos Era Cisco SASE with Meraki: Get in the Fast Lane to SASE Extending Zero Trust Across the Agentic AI Workflow Strengthening the Foundation: A Predictable, Customer focused Response to AI-Accelerated Vulnerability Discovery Quantum Resilience Needs a Common Language. Here’s Where to Start. Security at Cisco Live: Going Shields Up for the Agentic Era Identity Elevated: A New Unified Identity Experience in Cisco Cloud Control Security Needs a New Operating Model Cisco Secure Access and Microsoft Purview Integration for Simplified Data Protection Cisco Secure Access and Island Browser Enable Zero Trust Everywhere Finding what lives between the alerts: Announcing Cisco Talos Threat Hunting From Log Flood to Threat Signal: Cisco and Splunk Bring Context to Modern Defense Cisco Secure Access and Microsoft Edge for Business Integration Why Network Segmentation Projects Fail: Four Patterns Cisco’s Risk-Based Vulnerability Disclosure in the Age of AI Enhancing Cisco Secure Email Gateway: Safer Clicks and Cleaner Files AI-generated reporting: Lessons learned from Cisco Talos Incident Response Inside the SOC: AI-powered DNS defense against ransomware Security Insights: A Threat-First View for the Platform That Enforces Access From Strategy to Architecture: How Cisco is Building a Quantum-Safe Future AI-Ready, Simpler, and More Secure WAN: Cisco SD-WAN Innovations Designing for What’s Next: Securing AI-Scale Infrastructure Without Compromise Preparing for Post-Quantum Cryptography: The Secure Firewall Roadmap Mobile World Congress 2026: AI-powered Network Security Powering MWC Barcelona – Building a Unified SOC and NOC with Splunk in Record Time AI-powered Network Security at the Mobile World Congress 2026 SNOC Inside the Mobile World Congress 2026 SOC: Detecting Shadow Traffic with Firepower 6100 Data Optimization in Security: A Splunk Architect’s Perspective Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders Zero Trust for Agentic AI: Safeguarding your Digital Workforce The Agent Trust gap: What Our Research Reveals About Agentic AI Security Meet Your Incident Responders
Black Hat Asia 2026: Threat Hunters’ Corner
Aditya Raghavan · 2026-06-15 · via Security @ Cisco Blogs

One of the first things we notice walking into the Black Hat NOC/SOC to help setup was that no one cared about who you worked for. No one was talking about how their product was better than others. There were no egos, and everyone was there with one goal in mind. That goal being to discover and protect Black Hat from attacks both internally and externally. Whatever tools were needed to accomplish this goal were used, irrespective of who built or sold them. This was really refreshing, as day-to-day we are competitors, but we put that aside to create an environment that allows us to leverage all partners’ capabilities to achieve our goal.

The NOC leadership enabled Cisco and other partners to introduce additional pre-approved software and hardware solutions, enhancing our internal efficiency and expanding our visibility capabilities; however, Cisco is not the official provider for Extended Detection & Response, Security Event and Incident Management, Firewall, Network Detection & Response or Collaboration.

Welcome to Black Hat, here’s your first morning’s activities!

You don’t expect to turn up on the very first morning at Black Hat, hours before the doors have even opened and find your first legitimate incident, but that is exactly what happened with this case.

The team saw a high priority incident in Cisco XDR that highlighted an attempt to infiltrate an externally facing Black Hat registration server and exploit a known Apache vulnerability.

BH Asia 2026 THC Welcome To Black Hat

https://www.cve.org/CVERecord?id=CVE-2021-41773 Check out the video below on how the team investigated this and validated the preventive controls applied to the crown jewels of the Black Hat network. 

High Score, Low Threat: A 60-Second Triage Story 

The new agentic capabilities in Cisco XDR were enabled in our Black Hat tenant – and they didn’t disappoint. 

You don’t ignore a high priority incident with detections from:

  • Corelight flagged traffic with an empty user-agent
  • Cisco Secure Firewall detected SQL insert injection attempts
BH Asia2026 THC HighScoreLowThreat
BHAsia2026 THC HighScore Low Threat

Check out how what initially looked like a high-risk incident was quickly identified as a false positive. Confident decision. No second-guessing.

Total time: ~60 seconds.

This is exactly where Cisco XDR delivers:

  • Less time investigating false positives
  • Faster decision-making
  • More focus on real threats 

Because sometimes, the biggest win isn’t catching an attack – 

It’s knowing when there isn’t one.

Not One, Two C2 Channels!

Well, this is an interesting story that touched all the partners at Black Hat – Corelight, Palo Alto Networks, Cisco and Arista. Together, they told a complete story. Different vantage points – one investigation.

When you see an incident pop-up with detections from different tools and the same endpoint, it is time to pay attention.

BHAsia2026 THC NotOneTwoC2

In this scenario, there was no evidence of data exfiltration though.

BHAsia2026 THC NotOneTwoC2

Check out how the team uncovered two beacons from two separate RAT families on a single endpoint belonging to a journalist A Black Hat positive as Pope calls it.

Threat Context 

NetSupport RAT C2 (185.163.47[.]225:443): 

  • Average interval: 59.9 seconds (highly consistent)
  • HTTP POST -> /fakeurl.htm
  • NetSupport Manager is a legitimate remote administration tool that is frequently abused by threat actors.

SecTopRAT C2 (98.142.252[.]140:9000):

  • Average interval: 626.3 seconds (~10 minutes)
  • HTTP GET -> /wbinjget?q=0600300E297F1E310580508009E11BEA
  • SecTopRAT is an information-stealing RAT that has been active since 2019.

Check out the other blogs from our team at Black Hat Asia 2026. 

About Black Hat

Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit www.Black Hat.com.


We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social Media

LinkedIn
Facebook
Instagram