惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Security Affairs
N
News and Events Feed by Topic
T
Tenable Blog
P
Proofpoint News Feed
W
WeLiveSecurity
Simon Willison's Weblog
Simon Willison's Weblog
Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
Help Net Security
Help Net Security
I
Intezer
T
Threat Research - Cisco Blogs
S
Secure Thoughts
C
Cyber Attacks, Cyber Crime and Cyber Security
L
Lohrmann on Cybersecurity
AWS News Blog
AWS News Blog
Google Online Security Blog
Google Online Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
Project Zero
Project Zero
The Hacker News
The Hacker News
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Tor Project blog
N
News | PayPal Newsroom
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Hacker News - Newest:
Hacker News - Newest: "LLM"
A
Arctic Wolf
Forbes - Security
Forbes - Security
O
OpenAI News
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Security Latest
Security Latest
P
Palo Alto Networks Blog
S
Schneier on Security
S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
H
Heimdal Security Blog
V
Vulnerabilities – Threatpost
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园_首页
T
Troy Hunt's Blog
Latest news
Latest news
Recent Announcements
Recent Announcements
MyScale Blog
MyScale Blog
人人都是产品经理
人人都是产品经理
L
LINUX DO - 热门话题
M
MIT News - Artificial intelligence
N
Netflix TechBlog - Medium
V
Visual Studio Blog
H
Hacker News: Front Page

Security @ Cisco Blogs

We third-party tested our firewall built for AI-scale. The test tools hit their limit first. SharpHound Recon Attack - How AI enhanced the threat hunt Machine Speed, Human Judgement: How AI Changed the SOC in 2026 Elevating Expertise in the SOC Educate at Event Speed: Cisco Live Security Operations Center What Working the Cisco Live SOC Taught Me About AI, Detection, and Response Cable to Cloud - A Product Engineer's Journey Through the Cisco Live AMER 2026 SOC The Experience Dividend: How Better Digital Experience Protects Revenue, Trust, and Growth AIM: Building an Agentic Tier-2 SOC Analyst at Cisco Live AMER 2026 Building the Agentic SOC at Cisco Live Americas 2026 Ten Years in the SOC at RSAC: What We Learned in 2026 Uplevelling Black Hat Threat Hunters Making Workflow Runs Explain Themselves: AI-Powered Run Summaries in Cisco XDR Automate Independent Testing Confirms Secure Email Threat Defense’s Email Security Strength Defenseclaw for On-Prem AI SOC Workflow at Black Hat Asia Cisco Secure Access with MCP Infrastructure at Black Hat Asia 2026 The Essence of Black Hat – Collaboration with Partners Black Hat Asia 2026: A Decade in Singapore Black Hat Asia 2026: Threat Hunters’ Corner Security in the Post-Mythos Era Cisco SASE with Meraki: Get in the Fast Lane to SASE Extending Zero Trust Across the Agentic AI Workflow Strengthening the Foundation: A Predictable, Customer focused Response to AI-Accelerated Vulnerability Discovery Quantum Resilience Needs a Common Language. Here’s Where to Start. Security at Cisco Live: Going Shields Up for the Agentic Era Identity Elevated: A New Unified Identity Experience in Cisco Cloud Control Security Needs a New Operating Model Cisco Secure Access and Microsoft Purview Integration for Simplified Data Protection Cisco Secure Access and Island Browser Enable Zero Trust Everywhere Finding what lives between the alerts: Announcing Cisco Talos Threat Hunting From Log Flood to Threat Signal: Cisco and Splunk Bring Context to Modern Defense Cisco Secure Access and Microsoft Edge for Business Integration Why Network Segmentation Projects Fail: Four Patterns Cisco’s Risk-Based Vulnerability Disclosure in the Age of AI Enhancing Cisco Secure Email Gateway: Safer Clicks and Cleaner Files AI-generated reporting: Lessons learned from Cisco Talos Incident Response Inside the SOC: AI-powered DNS defense against ransomware Security Insights: A Threat-First View for the Platform That Enforces Access From Strategy to Architecture: How Cisco is Building a Quantum-Safe Future AI-Ready, Simpler, and More Secure WAN: Cisco SD-WAN Innovations Designing for What’s Next: Securing AI-Scale Infrastructure Without Compromise Preparing for Post-Quantum Cryptography: The Secure Firewall Roadmap Mobile World Congress 2026: AI-powered Network Security Powering MWC Barcelona – Building a Unified SOC and NOC with Splunk in Record Time AI-powered Network Security at the Mobile World Congress 2026 SNOC Inside the Mobile World Congress 2026 SOC: Detecting Shadow Traffic with Firepower 6100 Data Optimization in Security: A Splunk Architect’s Perspective Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders Zero Trust for Agentic AI: Safeguarding your Digital Workforce The Agent Trust gap: What Our Research Reveals About Agentic AI Security Meet Your Incident Responders
Unveiling the Power of Integration: XDR, Splunk, Corelight, Arista and Palo Alto Networks in Action at Black Hat Asia
Cam Dunn · 2026-06-15 · via Security @ Cisco Blogs

It is important to remember that we as defenders are fighting for the same thing, and that is to protect our customers from bad adversaries. Yes, we are in competition with other security vendors day-to-day to sell our products, and we all think our products are better than everyone else’s, but we put that aside in this Black Hat environment to combine our platforms into something better than the sum of its parts.

It is refreshing to walk into a NOC environment where everyone has the same goal, and puts their company loyalty and product bias to the side to allow true collaboration across all platforms to detect and prevent threats to the Black Hat event.

The NOC leadership enabled Cisco and other partners to introduce additional pre-approved software and hardware solutions, enhancing our internal efficiency and expanding our visibility capabilities; however, Cisco is not the official provider for Extended Detection & Response, Security Event and Incident Management, Firewall, Network Detection & Response or Collaboration.

Here’s the first example.

Welcome to Black Hat, here’s your first morning’s activities!

You don’t expect to turn up on the very first morning at Black Hat, hours before the doors have even opened and find your first legitimate incident, but that is exactly what happened with this case.

The team saw a high priority incident in XDR that highlighted what appeared to be an attempt to infiltrate an externally facing Black Hat registration server and exploit a known Apache vulnerability.

Investigation Steps

1. Detection and Source Identification

  • Within the Incident’s detections tab, all contributing sources to identifying and confirming the incident were reviewed.
  • The activity was traced to an external IP address located in Zambia, flagged as malicious by Threatscore|Cyberprotect and marked Suspicious/Risky by Talos Intelligence and alphaMountain.ai.
  • Cisco XDR’s new Agentic SOC Attack Storyboard feature provided a confidence level confirming the incident as a True Positive.

2. Firewall Blocking and Vulnerability Assessment

  • Evidence was found of a Palo Alto Networks firewall blocking a CVE-2021-41773 Apache HTTP Server 2.4.49 path traversal remote code execution (RCE) attempt originating from the confirmed malicious IP address targeting the server, demonstrating correct firewall behavior.
  • The Black Hat server owners confirmed the Apache version was fully patched, ensuring no impact to Black Hat assets.

3. Vendor Collaboration and Data Correlation

  • Multiple vendors contributed data during the incident:
    • Arista provided the Wi-Fi network details for the affected user.
    • Corelight detected the incident and reported it to Splunk.
    • Palo Alto Networks observed the communication and notified Splunk.
    • Splunk collected logs and forwarded them to Cisco XDR for correlation.
    • Cisco XDR correlated events and enriched them with Talos and other third-party threat intelligence feeds, confirming the issue and assigning priority.

4. Incident Investigation and Response Automation

  • Investigation utilized multiple vendor tools including Splunk Attack Analyzer, Palo Alto Networks XSOAR AI (nicknamed ‘Trevor’), and Cisco XDR’s Attack Storyboard and Instant Attack Verification features.
  • These tools helped determine the incident’s nature and response status.
  • If the Palo Alto Networks NGFW had not already blocked the attack, the integrated tools would have enabled rapid containment actions

Here’s the second example. 

Don’t hide your passwords in plain sight!

An attendee was seen accessing a custom application hosted in their home country from the Black Hat network. Very surprisingly, the communication was in the clear with usernames and passwords being shared openly (the ones you would baulk at as default credentials!)

The same activity was seen several times over the duration of Black Hat, which led to this being escalated to the NOC leaders. The user was then identified, and an email sent to them indicating the activity observed and corrective actions they should take. XDR generated the incident based on detections and correlations from Corelight, Splunk and Palo Alto.

Investigation Steps

1. Initial Incident Identification Using Cisco XDR Attack Storyboard and Instant Attack Verification

  • Utilized the new attack storyboard and instant attack verification features of Cisco XDR to quickly determine that the activity was not an incident affecting Black Hat or its assets.
  • The AI-driven storyboard provided a clear verdict and timeline, enabling rapid validation and confidence in the assessment.

2. AI Reasoning Analysis

  • Drilled deeper into the AI reasoning behind the Cisco XDR storyboard findings.
  • Noted open unsecrued credentials used during the activity, prompting further investigation.

3. Pivot to Splunk for Behavioral Clarification

  • Leveraged Splunk to analyze the actions between the involved IP addresses.
  • Confirmed that the behavior was non-malicious, though not advisable, clarifying the nature of the activity.

4. Contextual Site Access Review via Cortex

  • Investigated the site accessed by the user back in Thailand using data provided by Cortex.
  • This information helped contextualize the user’s activity and supported the conclusion of no malicious intent.

Takeaway and Response

Why was this a bad thing (apart from it being the world’s easiest username and password combination to guess)?

Credential Theft: Attackers can easily obtain valid credentials to gain unauthorized access to user accounts.

Session Hijacking: If session tokens are transmitted over HTTP, they can also be intercepted, allowing an attacker to impersonate the user without needing the password.

Why This Matters

The XDR Attack Story Board and Instant Attack Verification features and Palo Alto Networks’ AI assistant Trevor were a great help in determining what was happening with a particular Incident. We could use either or both to talk to both Palo Alto Networks, Corelight and Splunk and stitch together what a particular IP address or addresses were doing, who they were talking to and what they were talking about. Adding that to the additional context that Splunk ES and Attack Analyzer were able to provide and you had a holistic view of every incident 

We were a little hamstrung in that we had no Endpoint data to use for correlation, and as ‘watchdogs’ of Black Hat we were also unable to perform any actions on endpoints. We relied on the firewalls to black malicious traffic or suspect addresses before any harm could be caused. And they did this very well. 

The majority of incidents that we saw were relatively benign or expected in an environment such as Black Hat where there are a lot of labs and workshops. This isn’t to say we didn’t see anything out of the ordinary (which we have covered in our other blogs). One incident that caused us to chuckle was when via Corelight, we noticed someone on the public wifi network remotely connecting to their automated cat feeder to feed their kitty at home. Not something you see every day at a conference like this! 

Check out the other blogs from our team at Black Hat Asia 2026.

About Black Hat 

Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit www.Black Hat.com.


We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.

Cisco Security Social Media

LinkedIn
Facebook
Instagram