Except for purely destructive payloads, malicious software must initiate outbound communications for command and control and, in cases of data theft or exposure extortion, for exfiltration.
If your preventive controls fail to stop the initial exploit and your EDR fails to detect the malware, then your next best chance to limit the damage is to detect the malware at the network level when it phones home.
The bad guys realize this and are taking increasingly sophisticated steps to disguise that traffic so that it flies under the radar as it egresses your network.
So, in this real training for free event, we will examine how threat actors do it and explore how we can increase our chances of detecting outbound malicious traffic even when it’s been specifically tailored to our environment so as to blend in.
Here are some of the evasion methods we’ll explore:
- Hiding in SSL
- Protocol encapsulation
  - HTTP
  - DNS
  - and other common protocols
- Mimicking HTTP content characteristic of known and trusted web applications
- Careful scheduling of network traffic
- Other traffic shaping techniques
- Steganography
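One of the evasion methods above, careful scheduling of network traffic, is also one of the most detectable if you look at timing rather than content. The following is an added example written for this page, not material from the event or from DomainTools: it builds a small set of constructed proxy log lines (the client address, destination hostnames, URI and byte counts are all made up) and then flags any client-to-destination pair that is contacted at a near-constant interval, using the coefficient of variation (standard deviation divided by mean) of the gaps between connections. A Beacon-style sleep with random jitter still produces a low coefficient of variation, while ordinary browsing produces gaps that vary by orders of magnitude. Field order, thresholds and the log layout are assumptions for the sake of the example.

```python
"""Beacon-interval detection over constructed proxy log lines.

Added example for this page, not code from the event. Flags
(client, destination) pairs whose connection gaps are nearly constant,
which is what a jittered sleep-and-check-in loop looks like from the
network edge.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp layout for the sample log


def _constructed_lines(start, client, dest, uri, gaps_seconds):
    """Build synthetic log lines: '<ts> <client> <dest> <uri> <status> <bytes>'."""
    t = start
    lines = [f"{t.strftime(LOG_FORMAT)} {client} {dest} {uri} 200 1342"]
    for gap in gaps_seconds:
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(LOG_FORMAT)} {client} {dest} {uri} 200 1342")
    return lines


# Constructed sample data (hosts and addresses are placeholders, not real IOCs).
START = datetime(2021, 3, 2, 10, 0, 0, tzinfo=timezone.utc)
# 60-second sleep with roughly +/-20% jitter: gaps stay in a narrow band.
BEACON_GAPS = [55, 63, 70, 49, 58, 66, 52, 61, 69, 54]
# Human browsing: bursts of requests separated by long, irregular pauses.
BROWSE_GAPS = [3, 1, 420, 2, 7, 1500, 4, 95, 1]
SAMPLE_LOG = sorted(
    _constructed_lines(START, "10.0.0.5", "updates.example-cdn.net",
                       "/api/v1/status", BEACON_GAPS)
    + _constructed_lines(START, "10.0.0.5", "news.example.com", "/", BROWSE_GAPS)
)


def parse_line(line):
    """Return (timestamp, client, dest) from one sample log line."""
    ts, client, dest, _uri, _status, _nbytes = line.split()
    return datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc), client, dest


def interval_stats(lines):
    """Return {(client, dest): (connection_count, mean_gap, cv)} per pair."""
    times = defaultdict(list)
    for line in lines:
        ts, client, dest = parse_line(line)
        times[(client, dest)].append(ts)
    out = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) < 2:
            continue  # not enough history to say anything about regularity
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        out[key] = (len(ts_list), mean, cv)
    return out


def find_beacons(lines, min_connections=8, max_cv=0.3):
    """Pairs seen at least min_connections times with gap CV at or below max_cv."""
    stats = interval_stats(lines)
    return sorted(key for key, (n, _mean, cv) in stats.items()
                  if n >= min_connections and cv <= max_cv)


if __name__ == "__main__":
    for (client, dest), (n, mean, cv) in interval_stats(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: {n} connections, mean gap {mean:.1f}s, cv {cv:.2f}")
    print("beacon candidates:", find_beacons(SAMPLE_LOG))
```

Two caveats a practitioner should keep in mind. First, the thresholds are assumptions: a Beacon configured with 50% jitter on its sleep spreads gaps over a range whose coefficient of variation approaches 0.3, so a fixed cutoff either tolerates some noise or misses heavily jittered implants, and the count threshold means a long sleep time (hours) will simply not produce enough samples in a short window. Second, this looks only at timing; it says nothing about what is inside the connection, which is why pairing it with checks on the destination itself (domain age, registrar, hosting, and the other attributes that depend on the attacker's use of public IP addresses and domain names) is the combination the detection discussion below is about.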
We will also discuss detection techniques. My esteemed colleague and security researcher Chad Anderson from our sponsor DomainTools is joining me to discuss detection of stealthy C&C traffic and will show you some great ideas that leverage attackers' dependence on Internet IP addresses and domain names.
We will talk about Cobalt Strike Beacon as a part of this discussion because:
- Beacon is specifically designed to disguise C&C traffic and, through its Malleable C2 profiles, blend into the normal traffic of a particular victim's network
- Beacon is increasingly being used by bad guys in malicious attacks, including in the recent SolarWinds debacle
Please join us for this real training for free event!