Additional Post Contributor: Patrick Whyte
Many of our best firewall findings in the Security Operations Centers (SOCs) at recent events have come from newer technology such as the Encrypted Visibility Engine (EVE) and SnortML. Cisco Live San Diego 2025 was something of a return to basics, with traditional Snort rules producing their strongest findings in quite some time.
Secure Firewall at Cisco Live San Diego kicked off with a bang: our first morning shift opened with over 1,000 events for a single rule, SERVER-WEBAPP Cisco DNA Center API default login attempt.

A high volume of events for one rule could mean a high false positive rate that needs tuning, or it could be a sign that something very serious is going down.
So how do we investigate 1,395 events? Our first step should be to pull out our analytical knife and cut the big problem into more manageable chunks. We’ve got a video that breaks down the full investigation. Check it out and walk through it with us.
Or, if you’d like to skip straight to the spoilers, here’s a summary of what we found and what the outcomes were.
Investigation Steps
- Network Context — Most of the SOC effort is built around monitoring the Cisco Live attendee wireless network, but we also monitor other network zones, such as CiscoTV (our primary customer, with 14 million people tuning in to the keynotes and other sessions) and the Marriott Hotel space used for executive meetings. These events all took place in IP space belonging to conference infrastructure.
- Host Context — We used a few tricks to quickly sort the 1,395 events. All of them shared a single destination IP, and there were only three source IPs. Of those three, the vast majority of events came from one IP, with only a handful from the other two.
- Event and Packet Analysis — The rare events are often the most valuable, so we focused on the two source IPs with the fewest events. The first IP was issuing a reboot command, which could be a DoS attack. The second IP was trying to access an admin resource, which could be a form of privilege escalation. Both IPs were sending Base64-encoded credentials; Base64 is an encoding, not encryption, so we decoded them immediately. The decoded credentials were identical and matched a default login pair, which we determined was what the rule was alerting on. Investigating the third source IP revealed the same profile as the second: attempted access to admin resources using the same credentials.
- True/False Positive Analysis — At this point in the investigation we had a true positive finding: either someone was illicitly attempting logins with admin credentials, or legitimate admin traffic was using default credentials without encryption.
- What We Escalated — SOC work often means writing an incident report before all the facts are known. We did not yet know whether the destination host was actually a DNA Center (what the rule was written for), or whether the traffic was legitimate or malicious. But we did know the finding was actionable based on our true/false positive analysis. So we escalated an incident summarizing our findings, with recommendations covering both scenarios: malicious admin access attempts, or default admin credentials in the clear.
- End Results — The events were confirmed as admin credentials in the clear for an area of the conference infrastructure, but there was an important mitigation in place: the credentials were passed within a segmented part of the network that was inaccessible to the conference at large. Isolating sensitive traffic is an accepted mitigation even in high-security environments, but strong credentials and encryption are both key components of security that should be implemented wherever possible. Our findings were taken as a problem that needed to be addressed, and served as an early key finding for the Cisco Live SOC.
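To make the triage steps above concrete, here is an added example (not code from the original post, and not Cisco's tooling) that walks the same path over a constructed event set: establish the shape of the pile (one destination, three sources), sort the rarest sources first, decode the Base64 credential from each HTTP Basic Authorization header, and flag any pair that appears on a watchlist of default logins. The event field names, the sample addresses (RFC 5737 documentation ranges), the API paths, and the `admin`/`admin` watchlist entries are all assumptions for illustration; the actual default pair the rule matched is not reproduced here.

```python
import base64
import binascii
from collections import defaultdict

# Constructed watchlist of default username:password pairs to flag.
# Placeholder values only; the real pair the Snort rule matched is not reproduced.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password")}


def encode_basic(user, password):
    """Build an HTTP Basic Authorization header value (used only to construct samples)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def make_events(n, src, method, path, user, password, dst="198.51.100.5"):
    """Return n identical constructed events; the field names are an assumption."""
    return [{"src": src, "dst": dst, "method": method, "path": path,
             "auth": encode_basic(user, password)} for _ in range(n)]


# Constructed sample with the same shape as the real pile: one destination,
# three sources, one source dominating. Addresses are RFC 5737 documentation
# ranges and the API paths are made up for illustration.
SAMPLE_EVENTS = (
    make_events(1390, "192.0.2.10", "POST", "/api/v1/login", "admin", "admin")
    + make_events(2, "192.0.2.20", "POST", "/api/v1/system/reboot", "admin", "admin")
    + make_events(3, "192.0.2.30", "GET", "/api/v1/admin/users", "admin", "admin")
)


def decode_basic_auth(header):
    """Return (user, password) from a Basic Authorization value, or None.

    Base64 is an encoding, not encryption, so the pair pops out immediately.
    Other schemes, malformed Base64 and payloads with no colon return None
    rather than raising, so one bad packet does not stop the triage.
    """
    if not header:
        return None
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def pile_shape(events):
    """Host context: (total events, distinct destinations, distinct sources)."""
    return (len(events),
            len({ev["dst"] for ev in events}),
            len({ev["src"] for ev in events}))


def triage(events, watchlist=DEFAULT_CREDS):
    """Cut the pile into one finding per source IP, rarest sources first."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in sorted(by_src.items(), key=lambda kv: len(kv[1])):
        creds = {decode_basic_auth(ev.get("auth")) for ev in evs} - {None}
        paths = {ev["path"].lower() for ev in evs}
        findings.append({
            "src": src,
            "count": len(evs),
            "dsts": sorted({ev["dst"] for ev in evs}),
            "requests": sorted({f'{ev["method"]} {ev["path"]}' for ev in evs}),
            "creds": sorted(creds),
            "default_creds": bool(creds & watchlist),
            "reboot_attempt": any("reboot" in p for p in paths),
            "admin_resource": any("/admin" in p for p in paths),
        })
    return findings


def escalate(findings):
    """The either/or call the SOC can make before all the facts are known."""
    if any(f["default_creds"] for f in findings):
        # True positive either way: an attacker trying default logins, or
        # legitimate admin traffic sending default credentials in the clear.
        return "true_positive_default_creds"
    if any(f["creds"] for f in findings):
        return "review_cleartext_creds"
    return "no_credentials_decoded"


if __name__ == "__main__":
    total, dsts, srcs = pile_shape(SAMPLE_EVENTS)
    print(f"{total} events -> {dsts} destination(s), {srcs} source(s)")
    findings = triage(SAMPLE_EVENTS)
    for f in findings:
        print(f["src"], f["count"], f["requests"], f["creds"], f["default_creds"])
    print("verdict:", escalate(findings))
```

In practice the events would come from the firewall's event export rather than a constructed list, and the watchlist would hold the real default pairs for the products on the network. The point of `escalate` is that the decision does not wait on knowing whether the host really is a DNA Center: a default pair observed in cleartext Basic authentication is actionable under either interpretation.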
See you at Black Hat USA 2025, where we will employ what we learned in the NOC/SOC.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.