
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Thursday, February 26th, 2026: CLAIR Model; Cisco SD-WAN 0-Day; Cortex XDR Abuse; OpenSSL Vuln;
Feb 26, 2026 A tour of the CLAIR model for mapping critical infrastructure interdependencies. A deep dive into a critical Cisco SD-WAN authentication bypass with real-world exploitation context. Examination of how Cortex XDR live-response can be misused as a covert command channel. Coverage of an OpenSSL stack buffer overflow and how system protections affect exploitability. Discussion of tarpitting techniques to pollute AI training data.
CLAIR Model Maps Infrastructure Interdependencies
- The CLAIR model extends the Purdue model by mapping critical infrastructure interdependencies beyond a single plant.
- It emphasizes external influences like policies and cross-sector dependencies that operators typically treat as mere inputs.
Patch Catalyst SD WAN Controller Now
- Immediately check Catalyst SD‑WAN controllers for indicators of compromise and apply Cisco's patch for CVE‑2026‑20127.
- Treat this as urgent: the unauthenticated RCE with CVSS 10 has been exploited since 2023 per Cisco's advisory.
Defensive Tools Can Be Covert Command Channels
- Defensive tools can become covert C2 channels when they expose remote code execution features to an operator.
- Cortex XDR's Live Terminal can be abused to run PowerShell and hide that activity under a trusted vendor process.
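One way a defender can look for this pattern in process-creation telemetry, as an added example that is not part of the podcast notes: flag interactive shells whose parent is the defensive agent itself. The agent process name, the log line format and the sample events are all constructed assumptions, not Cortex XDR's real binaries or output.

```python
"""Added example (not from the podcast): flag shells spawned by an EDR or
management agent, the footprint a 'live terminal' used as a C2 channel leaves
in process-creation telemetry."""
import re
from collections import defaultdict

# ASSUMPTION: placeholder agent process name; replace with the vendor's
# documented agent/service binaries for your environment.
AGENT_PARENTS = {"edr-agent-placeholder.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed key=value log format (not a real product's output).
LINE_RE = re.compile(
    r'host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"'
)


def parse_event(line):
    """Return a dict of fields, or None when the line does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def agent_spawned_shell(ev):
    """True when a shell's parent process is the defensive agent."""
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    return parent in AGENT_PARENTS and image in SHELLS


def find_suspicious(lines, threshold=1):
    """Map host -> agent-spawned shell events, keeping hosts at or above
    threshold. Unparseable lines are skipped rather than raising."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and agent_spawned_shell(ev):
            hits[ev["host"]].append(ev)
    return {h: evs for h, evs in hits.items() if len(evs) >= threshold}


# Constructed sample telemetry: one agent-spawned shell, one normal user shell,
# one agent heartbeat (not a shell), and one garbage line.
SAMPLE = [
    'host=ws01 user=SYSTEM parent=C:\\Agent\\edr-agent-placeholder.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="-NoProfile -NonInteractive"',
    'host=ws01 user=alice parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="Get-Process"',
    'host=ws02 user=SYSTEM parent=C:\\Agent\\edr-agent-placeholder.exe image=C:\\Agent\\edr-agent-placeholder.exe cmd="--heartbeat"',
    "garbage line",
]

if __name__ == "__main__":
    for host, evs in find_suspicious(SAMPLE).items():
        for ev in evs:
            print(f"[{host}] {ev['user']} {ev['image']} {ev['cmd']}")
```

Alerts from this rule still need triage against scheduled live-response sessions, so correlate hits with the vendor console's session audit log before escalating.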
