Middle-out Network Analysis: Finding Evil with a Low Signal-to-Noise Ratio


Presented at BSides Canberra 2017 by

Attackers are using increasingly clever techniques to evade detection in network traffic. The development of new backdoors that use legitimate internet services (such as Twitter, GitHub, etc.) allows C2 to hide in plain sight. And SSL is a biatch. It sounds impossible to recognize evil within large volumes of legitimate and encrypted network traffic without first having a starting point. However, by applying our understanding of attackers and C2 structures, we've created some simple network analysis techniques that can help pull weak signals out of the noise to find compromises that are otherwise undetectable. In this presentation we will show samples of C2 traffic to legitimate services used by a whole bunch of emerging backdoors, all the while talking about what is and what is not "APT" by our definition. And pcap and decoding and maybe even some sexy IDA stuff too.
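One concrete illustration of "pulling a weak signal out of the noise" when the C2 endpoint is a legitimate service: a single request to a code-hosting or social-media API looks normal, and TLS hides the payload, but a backdoor polling its dead-drop on a timer leaves a regularity in the connection metadata that human or application traffic to the same host does not. The following is an added example written for this page, not code from the talk or its authors; the flow records, hostnames, and thresholds are all constructed, and the periodicity heuristic (coefficient of variation of inter-arrival times per source/destination pair) is one common beacon-detection approach, not necessarily the technique the presenters use.

```python
"""Beacon-periodicity heuristic over constructed flow records (added example).

Connections to a legitimate service look benign one at a time; what gives a
polling backdoor away is how *evenly spaced* its contacts are. For each
(source, destination) pair we compute the coefficient of variation (CV) of
the inter-arrival times. A low CV with enough samples is a weak signal
worth triaging, not a verdict. All data and thresholds here are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (epoch seconds, source host, destination host, bytes out).
# 10.0.0.7 contacts api.github.com every ~300 s with small jitter (beacon-like).
# 10.0.0.9 contacts the same host in a bursty, human-looking pattern.
# 10.0.0.9 also touches api.twitter.com only three times (too few to judge).
FLOWS = [
    (0, "10.0.0.7", "api.github.com", 412),
    (301, "10.0.0.7", "api.github.com", 415),
    (599, "10.0.0.7", "api.github.com", 410),
    (902, "10.0.0.7", "api.github.com", 414),
    (1198, "10.0.0.7", "api.github.com", 412),
    (1501, "10.0.0.7", "api.github.com", 411),
    (1799, "10.0.0.7", "api.github.com", 413),
    (2102, "10.0.0.7", "api.github.com", 412),
    (2399, "10.0.0.7", "api.github.com", 416),
    (2700, "10.0.0.7", "api.github.com", 412),
    (10, "10.0.0.9", "api.github.com", 1833),
    (15, "10.0.0.9", "api.github.com", 2201),
    (40, "10.0.0.9", "api.github.com", 977),
    (700, "10.0.0.9", "api.github.com", 5120),
    (705, "10.0.0.9", "api.github.com", 640),
    (710, "10.0.0.9", "api.github.com", 3300),
    (1900, "10.0.0.9", "api.github.com", 890),
    (2600, "10.0.0.9", "api.github.com", 1402),
    (50, "10.0.0.9", "api.twitter.com", 600),
    (350, "10.0.0.9", "api.twitter.com", 610),
    (650, "10.0.0.9", "api.twitter.com", 605),
]


def interarrivals(timestamps):
    """Gaps (seconds) between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def beacon_score(intervals):
    """Coefficient of variation of the gaps: 0.0 means perfectly periodic.

    Returns None when there are too few gaps (or a zero mean) to say anything.
    """
    if len(intervals) < 2:
        return None
    m = mean(intervals)
    if m <= 0:
        return None
    return pstdev(intervals) / m


def find_beacons(flows, min_connections=6, max_cv=0.15):
    """Flag (src, dst) pairs whose connection timing is suspiciously regular.

    min_connections guards against scoring a handful of coincidental hits;
    max_cv is the regularity threshold (constructed value, tune per network).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _bytes_out in flows:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # not enough samples to judge periodicity
        gaps = interarrivals(stamps)
        cv = beacon_score(gaps)
        if cv is not None and cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(stamps),
                "mean_interval_s": round(mean(gaps), 1),
                "cv": round(cv, 3),
            })
    # Most regular first: these are the ones an analyst should look at first.
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

In practice the same pair-level aggregation runs over NetFlow/Zeek conn logs rather than a hand-built list, and the CV threshold and minimum sample count are tuned against a baseline of the environment's own traffic to the service in question; jittered beacons raise the CV, so this catches the simplest timers and is best read alongside request-size regularity and time-of-day coverage rather than on its own.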