
SANS Stormcast Thursday, February 26th, 2026: CLAIR Model; Cisco SD-WAN 0-Day; Cortex XDR Abuse; OpenSSL Vuln;
Hello and welcome to the Thursday, February 26, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today in Jacksonville, Florida, and this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals.

Our diary today comes from Claire Perry, a graduate of our bachelor's degree program. This diary presents the CLAIR Model. What this is about is it's about critical infrastructure. And typically when you're dealing with critical infrastructure, one of the big security models and frameworks that's often being used is the Purdue model. The Purdue model is well established and extremely useful to sort of talk about some of these infrastructure security threats. But as Claire Perry here points out, the model is very insular in that it's great for you, like as an operator, a utility, to talk about the security of an individual plant, but it kind of ignores the interdependencies because, well, you don't control many of them, so it just considers them sort of as inputs to your plant. Well, that's sort of what this is attempting to fix here. So this model, this framework, is looking very much at interdependencies, like external things, all the way to policies and such that may affect the security of your critical infrastructure systems. It's a proposal at this point, so if you have any feedback or such, I'm sure Claire is happy to hear about it.

And Cisco today published an advisory regarding a vulnerability affecting Catalyst SD-WAN controllers, also, I guess, formerly known as SD-WAN vSmart. This vulnerability, CVSS score of 10, allows an attacker without authentication to gain admin privileges on the device. What makes this even worse is that apparently it has been exploited since 2023, so two, three years already out there and being exploited, now discovered and finally being patched. Cisco's advisory also lists some indicators of compromise. Definitely pay attention to them and make sure that you are not already compromised, given how long this particular vulnerability has already been used. There's also an interesting Talos blog post for this vulnerability. I'll link in the show notes to both.

And yet another defensive product being abused by attackers. Infoguard Labs is talking about how the Live Terminal, which is part of Cortex XDR, can be used as a command and control channel. Nothing really surprising here in the sense that we have seen this with so many similar defensive products in the past, where you get command execution, PowerShell execution and the like just by using this trusted product, which of course then much more easily flies under the radar and is not being detected. As I mentioned before, you must control these command and control channels that you are using defensively to manage your systems to make sure they're not being abused, which means you need the audit logs and the like to be able to review who is doing what with these systems. And, well, set up the necessary alerts to constrain any malicious behavior. So if you're using Cortex XDR, take a look at this particular post here to figure out how this applies to your particular installation.

Well, and OpenSSL published another update fixing a vulnerability that OpenSSL ranks high. It's a stack-based buffer overflow that could be exploited via S/MIME, for example, like if you have some authenticated envelope data and such, and particularly if you're using AES-GCM as a cipher, which of course is not that unlikely. And essentially it happens when you are parsing untrusted CMS or PKCS#7 data. The exploitability here is a little bit more tricky. It's definitely exploitable for a denial of service, basically crashes the process that is doing the parsing, but could potentially lead to code execution. Stack-based buffer overflows, of course, exploitability depends a lot on what kind of safeguards the operating system, the compilers and so on put in place. So that varies depending on the system you're working on and typically is not easily exploitable these days if modern best practices were used.

Well, and the good old idea of tarpitting is back these days when it comes to AI companies spidering and collecting data from various websites. The problem right now, of course, is that AI companies are building their models using data that's not necessarily supposed to be used for building AI models. So they're bypassing some of the copyright protections and such that you may have applied to your site. But, well, tarpitting still works, and what tarpitting usually refers to is where you basically just, well, clog a particular attacker with more or less invalid data, in this case. So you're basically just throwing noise at the agent that is collecting data from your website, hoping that it will be built into the AI model and render it less useful, and essentially just create more work for the AI companies trying to figure out your data. This is a blog post by Portspoof that was published yesterday, and, well, if you want to look at some of their methods, definitely take a look. And yes, some websites already deployed similar ideas.

Well, and that's it for today. So thanks for listening, thanks for liking, thanks for subscribing to this podcast, and as always, special thanks to anybody leaving a good comment on your favorite podcast platform. Thanks and talk to you again tomorrow. Bye.
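The Cortex XDR segment above boils down to one operational point: a trusted remote-management channel has to be reviewed like any other shell, so its audit log needs routine checks for who opened a session, from where, when, and how much they did. The following is an added example of such a review, not code from the episode, from Infoguard Labs or from Palo Alto Networks. The JSON record layout, the action names (`LIVE_TERMINAL_START`, `LIVE_TERMINAL_CMD`), the operator roster, the management network and every log line are constructed assumptions; the real Cortex XDR audit export has its own schema, so the field names would have to be mapped to what a tenant actually emits.

```python
"""Audit-log review for a trusted remote-management ("live terminal") channel.

Added example for this episode; it is not code from the Stormcast, from
Infoguard Labs or from Palo Alto Networks. The JSON record layout, the
action names and every value below are CONSTRUCTED for illustration.
Cortex XDR's real audit export has its own schema, so map the field names
to what your tenant emits before using the logic.
"""
import ipaddress
import json
from datetime import datetime

# Assumptions about the environment (replace with your own roster/ranges).
APPROVED_OPERATORS = {"alice@corp.example", "carol@corp.example"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
CHANGE_WINDOW_UTC = (7, 19)  # interactive sessions expected 07:00-19:00 UTC

# Constructed sample: one JSON audit record per line.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-02-25T09:12:04Z", "actor": "alice@corp.example", "action": "LIVE_TERMINAL_START", "endpoint": "WS-0142", "src_ip": "10.20.5.17"}
{"ts": "2026-02-25T09:12:30Z", "actor": "alice@corp.example", "action": "LIVE_TERMINAL_CMD", "endpoint": "WS-0142", "cmd": "Get-Process"}
{"ts": "2026-02-25T23:41:10Z", "actor": "svc-backup@corp.example", "action": "LIVE_TERMINAL_START", "endpoint": "DC-01", "src_ip": "203.0.113.44"}
{"ts": "2026-02-25T23:41:12Z", "actor": "svc-backup@corp.example", "action": "LIVE_TERMINAL_CMD", "endpoint": "DC-01", "cmd": "whoami"}
{"ts": "2026-02-26T03:15:00Z", "actor": "carol@corp.example", "action": "LIVE_TERMINAL_START", "endpoint": "WS-0077", "src_ip": "10.20.5.20"}
"""


def parse_records(log_text):
    """Parse newline-delimited JSON audit records, converting timestamps."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def review_live_terminal(log_text, approved=APPROVED_OPERATORS,
                         mgmt_nets=MANAGEMENT_NETS, window=CHANGE_WINDOW_UTC):
    """Return one finding per session start that fails a policy check.

    Checks: actor is on the approved operator roster, the session starts
    inside the change window, and the source address is in a management
    network. Each finding also carries how many commands that actor ran on
    that endpoint, so a reviewer sees the blast radius at a glance.
    """
    records = parse_records(log_text)

    # First pass: count commands per (actor, endpoint) session.
    cmd_counts = {}
    for rec in records:
        if rec["action"] == "LIVE_TERMINAL_CMD":
            key = (rec["actor"], rec["endpoint"])
            cmd_counts[key] = cmd_counts.get(key, 0) + 1

    # Second pass: apply the policy checks to each session start.
    findings = []
    for rec in records:
        if rec["action"] != "LIVE_TERMINAL_START":
            continue
        reasons = []
        if rec["actor"] not in approved:
            reasons.append("unapproved_actor")
        if not (window[0] <= rec["ts"].hour < window[1]):
            reasons.append("outside_change_window")
        src = ipaddress.ip_address(rec["src_ip"])
        if not any(src in net for net in mgmt_nets):
            reasons.append("non_management_source")
        if reasons:
            findings.append({
                "ts": rec["ts"].isoformat(),
                "actor": rec["actor"],
                "endpoint": rec["endpoint"],
                "commands": cmd_counts.get((rec["actor"], rec["endpoint"]), 0),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_live_terminal(SAMPLE_AUDIT_LOG):
        print(finding)
```

Run against the constructed sample, the review is silent about the daytime session from the approved operator on the management network and flags the other two: a service account opening a terminal on a domain controller at night from a non-management address (three reasons, one command run), and an approved operator starting a session at 03:15 UTC (one reason). The same three checks are what an alert rule in the vendor console should encode; the script is the offline equivalent for periodic review of exported logs.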
This episode focuses on several late-breaking cybersecurity topics, including a new critical infrastructure security model, urgent vulnerabilities (notably a major Cisco SD-WAN 0-day and OpenSSL issue), attacker abuse of defensive tooling, and emerging strategies to counter AI-driven web scraping. The host, Johannes Ullrich, provides concise analysis, practical recommendations, and relevant context throughout the discussion.
- CLAIR Model Overview (00:22–01:25)
  "The Purdue model...is very insular...it just considers [interdependencies] sort of as inputs to your plant." (Johannes Ullrich, 00:32)
  "If you have any feedback or such, I'm sure Claire is happy to hear about it." (Johannes Ullrich, 01:13)
- Cisco SD-WAN 0-Day Vulnerability (01:26–02:15)
  "[It] has been exploited since 2023, so two, three years already out there and being exploited, now discovered and finally being patched." (Johannes Ullrich, 01:38)
- Cortex XDR Abuse for Command & Control (02:16–03:00)
  "Nothing really surprising here...we have seen this with so many similar defensive products in the past." (Johannes Ullrich, 02:29)
- OpenSSL Vulnerability (Stack Buffer Overflow) (03:01–03:53)
  "It's definitely exploitable for a denial of service...but could potentially lead to code execution." (Johannes Ullrich, 03:34)
- Tarpitting vs. AI Web Scraping (03:54–04:44)
  "You're basically just throwing noise at the agent that is collecting data from your website..." (Johannes Ullrich, 04:21)
On the CLAIR Model’s significance:
"It's a proposal at this point, so if you have any feedback or such, I'm sure Claire is happy to hear about it." (01:13)
On the seriousness of the Cisco 0-day:
"It has been exploited since 2023...now discovered and finally being patched." (01:38)
Pattern of attacker abuse of security tools:
"We have seen this with so many similar defensive products in the past...much more easily flies under the radar and is not being detected." (02:29)
On tarpitting as AI defense:
"You're basically just throwing noise at the agent that is collecting data from your website, hoping that it will be built to the AI model and render it less useful." (04:21)
| Segment                                       | Start Time |
|-----------------------------------------------|------------|
| CLAIR Model Overview                          | 00:22      |
| Cisco SD-WAN 0-Day Vulnerability              | 01:26      |
| Cortex XDR Abuse for Command & Control        | 02:16      |
| OpenSSL Vulnerability (Stack Buffer Overflow) | 03:01      |
| Tarpitting vs. AI Web Scraping                | 03:54      |
This episode delivers timely intelligence on evolving cyber threats and defenses, emphasizing the importance of vigilance and adaptability in critical infrastructure protection and enterprise security. It highlights both technical exploits (like Cisco and OpenSSL vulnerabilities) and the creative defensive tactics emerging to cope with new risks (e.g., tarpitting AI scrapers, monitoring management channels in XDR products).
Listeners are encouraged to review advisories, blog posts, and proposals referenced, and to participate in shaping the new CLAIR model for better systemic resilience.