Hunting C2 Beaconing at Scale in the Modern Age
As organizations continue to adopt new applications and services, more network traffic is beginning to resemble beaconing activity. Furthermore, threat actors employ domain fronting and malleable profiles to make their C2 traffic look normal. As a result, it becomes increasingly difficult to distinguish malicious traffic from benign traffic. In this talk, I will explain the difficulties and demonstrate a new method for effectively identifying malicious beaconing traffic at scale. I will also release the Jupyter Notebook I have developed.
SANS DFIR Summit 2023
Speaker: Mehmet Ergene, Security Researcher & Data Scientist, Binalyze
View upcoming Summits: www.sans.org/u/DuS
Comments: 4
Thanks Mehmet, great info that's hard to find!
Wow, the presented data is quite a few years out of date. All major CDNs block Host and SNI mismatches. So while you can still theoretically put a C2 server behind a CDN, you can no longer use domain fronting to obfuscate it. Also, RITA has supported bimodal analysis for a number of years now. It's specifically designed to detect the use case described (beacon timing at idle is different than timing when active).
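The idle-versus-active timing problem the comment above refers to can be shown with a small scorer. The following is an added example for this page; it is neither the speaker's released notebook nor RITA's implementation. It groups connections by (source, destination) pair, computes inter-arrival gaps, reports the naive single-cadence jitter (coefficient of variation, which smears when a beacon alternates between two cadences), then splits the gaps into two clusters with a one-dimensional two-means pass and flags the flow as bimodal when both clusters are tight. The connection log, IP addresses, thresholds and function names are constructed assumptions for illustration.

```python
"""Beacon-interval scoring over a constructed connection log.

Added example for this page; not the talk's notebook and not RITA's code.
All names, addresses and thresholds below are illustrative assumptions.
"""
from collections import defaultdict
from statistics import median, mean, stdev
from typing import Dict, List, Tuple

Flow = Tuple[str, str]

# Constructed gap sequences (seconds). Flow A alternates an idle cadence
# (~60 s) with an "active" burst (~5 s) and then returns to idle, so one
# cadence model sees a smear while a two-mode split sees two tight clusters.
# Flow B is irregular, interactive-looking traffic.
_IDLE_1 = [60, 58, 61, 59, 62, 60, 58, 61, 60, 59]
_ACTIVE = [5, 5, 6, 5, 4, 5, 5, 6, 5, 5]
_IDLE_2 = [60, 61, 59]
_BROWSE = [3, 120, 0.5, 1, 800, 45, 2, 300, 7, 1500, 0.2, 60]


def _expand(src: str, dst: str, gaps: List[float], start: float) -> list:
    """Turn a gap list into (timestamp, src, dst) connection records."""
    t, rows = start, [(start, src, dst)]
    for g in gaps:
        t += g
        rows.append((t, src, dst))
    return rows


# Constructed sample log, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = (
    _expand("10.0.0.5", "203.0.113.7", _IDLE_1 + _ACTIVE + _IDLE_2, 1_700_000_000)
    + _expand("10.0.0.9", "198.51.100.3", _BROWSE, 1_700_000_123)
)


def intervals(records) -> Dict[Flow, List[float]]:
    """Group connections by (src, dst) and return the inter-arrival gaps in time order."""
    by_flow: Dict[Flow, List[float]] = defaultdict(list)
    for ts, src, dst in records:
        by_flow[(src, dst)].append(ts)
    out = {}
    for flow, stamps in by_flow.items():
        stamps.sort()
        out[flow] = [b - a for a, b in zip(stamps, stamps[1:])]
    return out


def dispersion(xs: List[float]) -> float:
    """Robust tightness of one cluster: median absolute deviation / median gap."""
    med = median(xs)
    if med <= 0:
        return float("inf")
    return median([abs(x - med) for x in xs]) / med


def two_means(xs: List[float], max_iter: int = 50) -> Tuple[List[float], List[float]]:
    """1-D k-means with k=2 seeded at the min and max gap; returns (low, high) clusters."""
    lo_c, hi_c = min(xs), max(xs)
    low, high = [], []
    for _ in range(max_iter):
        low = [x for x in xs if abs(x - lo_c) <= abs(x - hi_c)]
        high = [x for x in xs if abs(x - lo_c) > abs(x - hi_c)]
        if not low or not high:          # all gaps identical: nothing to split
            break
        new_lo, new_hi = sum(low) / len(low), sum(high) / len(high)
        if (new_lo, new_hi) == (lo_c, hi_c):
            break
        lo_c, hi_c = new_lo, new_hi
    return low, high


MIN_GAPS = 8       # fewer connections than this: no cadence to judge
MIN_CLUSTER = 3    # a "mode" needs more than a couple of points
TIGHT = 0.15       # MAD/median below this counts as a steady cadence


def score_flow(gaps: List[float]) -> dict:
    """Label one flow 'unimodal', 'bimodal', 'irregular' or 'insufficient'."""
    if len(gaps) < MIN_GAPS:
        return {"verdict": "insufficient", "n": len(gaps), "cv": None, "modes": []}
    m = mean(gaps)
    cv = stdev(gaps) / m if m > 0 else float("inf")   # naive single-cadence jitter
    low, high = two_means(gaps)
    modes = []
    if len(low) >= MIN_CLUSTER and len(high) >= MIN_CLUSTER:
        for cluster in (low, high):
            if dispersion(cluster) < TIGHT:
                modes.append(round(median(cluster), 1))
    if len(modes) == 2:
        verdict = "bimodal"
    elif cv < TIGHT:
        verdict = "unimodal"
    else:
        verdict = "irregular"
    return {"verdict": verdict, "n": len(gaps), "cv": round(cv, 3), "modes": modes}


def hunt(records) -> Dict[Flow, dict]:
    """Score every (src, dst) pair; 'unimodal' and 'bimodal' hits go to triage."""
    return {flow: score_flow(gaps) for flow, gaps in intervals(records).items()}


if __name__ == "__main__":
    for flow, result in hunt(SAMPLE_LOG).items():
        print(f"{flow[0]} -> {flow[1]}: {result}")
```

On the constructed log, flow A's coefficient of variation is around 0.77, so a single-cadence jitter test would discard it, while the two-means split recovers the 5 s and 60 s modes and flags it as bimodal; flow B stays irregular under both views. Benign schedulers (update checks, NTP, telemetry) produce the same tight cadences, which is the difficulty the talk description raises, so the output is a triage list rather than a verdict; an allowlist of known destinations and bytes per connection would be the natural next fields to add.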
Great subject, keep it going man
Does someone know if there is a public dataset that might be used for testing purposes (ML)?