Conferences and exhibitions see all sorts of traffic on their publicly accessible networks. Most of it is benign, normal traffic that you expect to see. Sometimes, though, we see exceptions. In this case, an asset connected to the Attendee Wi-Fi network at Cisco Live Melbourne 2025 exhibited a large spike in traffic on multiple occasions. Upon investigation, the asset was found to be connecting to multiple confirmed malicious external IP addresses.
Below are the steps I took to investigate as a Tier 1 Analyst, new to the Security Operations Centre:
- Secure Firewall detected an IP address connected to the Attendee Wi-Fi network exhibiting a large spike in the amount of traffic to it, with those syslogs going to Splunk. An Incident pertaining to the asset in question was automatically created in Cisco XDR from the firewall logs in Splunk.
- When the Incident was investigated, we found that the asset was communicating with numerous external IP addresses classified as malicious. This communication occurred multiple times.
- Investigating further, we saw the internal IP address communicating with a number of external IP addresses, all classed as malicious. Subsequent events saw the same asset again communicating with additional external IP addresses, also classed as malicious.
- We then pivoted from within XDR, based on the asset's IP address, to Endace Packet trace so that we could view a 4-hour snapshot of the traffic captured from the asset in question. We found that most of the data was BitTorrent traffic.
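The triage logic behind the first three steps (a traffic spike from one internal host, correlated with repeated contact to addresses on a malicious-IP list, rolled up into one incident) can be sketched in a few lines. This is an added illustration, not the SOC's actual Splunk or Cisco XDR configuration: the simplified key=value log format, the byte threshold, the documentation-range IP addresses and the "malicious" list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed threat-intel list: documentation-range addresses, not real indicators.
MALICIOUS_IPS = {"203.0.113.10", "203.0.113.44", "198.51.100.7"}

# Constructed firewall connection-log lines in a simplified key=value style
# (a stand-in for the Secure Firewall syslog that is forwarded to Splunk).
SAMPLE_LOGS = """\
2025-01-01T10:00:01 src=10.20.30.40 dst=192.0.2.50 bytes=1200
2025-01-01T10:00:05 src=10.20.30.40 dst=203.0.113.10 bytes=850000
2025-01-01T10:00:09 src=10.20.30.40 dst=203.0.113.44 bytes=910000
2025-01-01T10:01:02 src=10.20.30.41 dst=192.0.2.51 bytes=500
2025-01-01T10:02:30 src=10.20.30.40 dst=198.51.100.7 bytes=780000
2025-01-01T10:03:00 src=10.20.30.40 dst=203.0.113.10 bytes=640000
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")

def parse_logs(text):
    """Yield (timestamp, src, dst, bytes) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def triage(text, spike_bytes, min_malicious_dsts=2):
    """Return one incident candidate per internal host that both exceeds the
    byte threshold and talked to at least min_malicious_dsts listed IPs."""
    total = defaultdict(int)   # src -> bytes seen for that host
    bad = defaultdict(list)    # src -> (timestamp, dst) hits on the malicious list
    for ts, src, dst, nbytes in parse_logs(text):
        total[src] += nbytes
        if dst in MALICIOUS_IPS:
            bad[src].append((ts, dst))
    incidents = []
    for src, nbytes in total.items():
        dsts = sorted({d for _, d in bad[src]})
        if nbytes >= spike_bytes and len(dsts) >= min_malicious_dsts:
            incidents.append({
                "src": src,
                "total_bytes": nbytes,
                "malicious_dsts": dsts,
                "malicious_events": len(bad[src]),  # repeated contacts, as in the write-up
                "first_seen": bad[src][0][0],
                "last_seen": bad[src][-1][0],
            })
    return sorted(incidents, key=lambda i: i["total_bytes"], reverse=True)

if __name__ == "__main__":
    for inc in triage(SAMPLE_LOGS, spike_bytes=1_000_000):
        print(inc)
```

On the constructed sample, only 10.20.30.40 is flagged: it crosses the byte threshold and hits three distinct listed addresses across four separate events, which is the shape of the incident the analyst then pivoted on for packet capture.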
As it was an unmanaged attendee device connected to the attendee Wi-Fi network, we were only able to determine the IP and MAC addresses and had no other identifiable details. We wrote a report of the ongoing incident and escalated it to the Cisco Live NOC, so that they could investigate and attempt to identify the asset.
The NOC was able to identify the access point that the asset was connected to and from there identify the asset. The asset user was spoken to about responsible use of the Cisco Live Wi-Fi network, and the IP address was confirmed.
From first alert as an Incident in Cisco XDR, the investigation only took minutes to confirm the violation of acceptable use, document it and escalate to management and our NOC partners. The NOC quickly found the individual with the detailed information we reported, showing the power of security integrated with the network.
Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.