My key takeaways
- Modern threats are almost impossible to detect with signatures or heuristics
- Command and control (C2) channels now commonly use ordinary encryption such as HTTPS, so content analysis is not an option either
- Well-known, legitimate services such as Google Mail or O365 are abused as C2 channels
- Even CDNs are used as C2 channels, and they cannot filter out beacons because of the sheer volume of traffic passing through them
- Monitoring for network anomalies with tools like Passer or RITA might reveal C2 beacons (timing and size patterns are visible even when the payload is encrypted)
- The MITRE ATT&CK framework has elements (the Exfiltration tactic and its techniques) that can be used to test for data exfiltration
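To make the beacon-hunting point concrete, here is an added example (my own illustration, not code from the webinar, from RITA or from Passer) that scores connection pairs by how regular their timing and request sizes are. An implant checks in on a timer, so its gaps between connections cluster tightly around one interval and its check-in payloads tend to be the same size; neither measure needs the traffic decrypted, which is why this still works against HTTPS C2. The conn.log excerpt is constructed for the example and the scoring is a simplification (median absolute deviation over median); RITA's own scoring is more involved.

```python
"""Beacon hunting by connection timing and size regularity.

Added example, not code from the webinar, from RITA or from Passer.
Input is a constructed Zeek-style conn.log excerpt (tab-separated:
ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes), not real traffic.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: 10.0.0.5 checks in to 203.0.113.7:443 roughly every
# 60 s (with a few seconds of jitter) sending 512-byte requests, while
# 10.0.0.9 browses 198.51.100.20:443 at irregular times with varied sizes.
SAMPLE_CONN_LOG = """\
1700000000\t10.0.0.5\t203.0.113.7\t443\t512
1700000060\t10.0.0.5\t203.0.113.7\t443\t512
1700000119\t10.0.0.5\t203.0.113.7\t443\t512
1700000180\t10.0.0.5\t203.0.113.7\t443\t512
1700000240\t10.0.0.5\t203.0.113.7\t443\t512
1700000302\t10.0.0.5\t203.0.113.7\t443\t512
1700000360\t10.0.0.5\t203.0.113.7\t443\t512
1700000420\t10.0.0.5\t203.0.113.7\t443\t512
1700000481\t10.0.0.5\t203.0.113.7\t443\t512
1700000005\t10.0.0.9\t198.51.100.20\t443\t1340
1700000012\t10.0.0.9\t198.51.100.20\t443\t88
1700000130\t10.0.0.9\t198.51.100.20\t443\t4096
1700000131\t10.0.0.9\t198.51.100.20\t443\t210
1700000400\t10.0.0.9\t198.51.100.20\t443\t7300
1700000900\t10.0.0.9\t198.51.100.20\t443\t640
"""


def parse_conn_log(text):
    """Group (timestamp, orig_bytes) records by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, _port, obytes = line.split("\t")
        pairs[(src, dst)].append((float(ts), int(obytes)))
    return pairs


def regularity(values):
    """1.0 = perfectly regular; 0.0 = spread as wide as the median or wider.

    Median absolute deviation is used instead of stddev so that a single
    missed check-in or one long sleep does not hide an otherwise steady beat.
    """
    med = median(values)
    if med <= 0:
        return 0.0
    mad = median(abs(v - med) for v in values)
    return max(0.0, 1.0 - mad / med)


def score_pairs(text, min_connections=5):
    """Score every pair that has enough connections to show a pattern."""
    results = {}
    for pair, conns in parse_conn_log(text).items():
        if len(conns) < min_connections:
            continue
        conns.sort()  # timestamps must be ordered before taking gaps
        times = [t for t, _ in conns]
        gaps = [b - a for a, b in zip(times, times[1:])]
        sizes = [s for _, s in conns]
        results[pair] = {
            "count": len(conns),
            "median_interval": median(gaps),
            "interval_score": regularity(gaps),
            "size_score": regularity(sizes),
        }
    return results


def flag_beacons(text, threshold=0.8, min_connections=5):
    """Return pairs whose timing and request size are both suspiciously regular."""
    scores = score_pairs(text, min_connections)
    return sorted(
        pair for pair, s in scores.items()
        if s["interval_score"] >= threshold and s["size_score"] >= threshold
    )


if __name__ == "__main__":
    for pair, s in score_pairs(SAMPLE_CONN_LOG).items():
        print(pair, s)
    print("beacon candidates:", flag_beacons(SAMPLE_CONN_LOG))
```

On the sample the implant pair scores about 0.98 for interval regularity and 1.0 for size, while the browsing pair scores near 0 on both. Real implants add jitter and sleep windows, so in practice you would lower the threshold, look at longer windows, and treat the score as a prioritisation aid for the analyst rather than a verdict; a beacon to a CDN or to O365 will look exactly like this, which is the point the webinar makes about why content inspection is not enough.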
Env
- Provided by Active Countermeasures
- Presenter: John Strand