[Dailydave] Command And Control
Dave Aitel
dave.aitel at gmail.com
Wed Mar 25 20:10:04 UTC 2020
I just listened to a webinar on threat hunting. It's a thing you can do.
Anyways, at one point the presenter talked about how he really preferred to
threat hunt by looking at network protocols for threat hunting, and he
focused on beaconing and C2.
Every time someone says that, I flash back to this amazing post from
BitDefender, which is about how Flame did C2 over USB.
https://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/
On the other side of things, Turla's Sat-spoofing blind TCP hijacking C2
is...a work of art. There's no other way to say it.
https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/
That's the top tier, in my book, of offensive teams making cool statements
about how big their brains are by designing C2 protocols that got used in
the wild. I like to think INNUENDO's "actually use Outlook-MAPI to exit
corporate networks" is quite good as well, but I'm biased, of course.
Alex Stamos's best talk goes into some of the issues about why detecting
network C2 is hard, but I think "Protocols are increasingly complex, in the
sense that the Delta of the Delta brings pain in a way nothing else can"
sums it up nicely. (https://youtu.be/2OTRU--HtLM?t=1674 27 minutes in).
That doesn't mean that it's not worth TRYING to do massive statistical
analysis of your network data, but it may have diminishing returns (like a
401k!).
-dave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20200325/238b7c01/attachment.html>
More information about the Dailydave
mailing list