Tricky obfuscation techniques for C2 communication? Just detect them all!

Botconf 2025
Thursday
2025-05-22 | 10:55 – 11:35

Kseniia Naumova 🗣

Today most malware and botnets rely on network communication for tasks such as downloading malicious files, sending stolen data, and receiving commands from the C2. Researchers worldwide analyze millions of network traffic streams daily in search of anomalies, in other words suspicious communications. Nevertheless, hackers have long used various techniques not only to obfuscate the malware itself and make reverse engineering more difficult, but also to hide C2 communication. Backdoors, bankers, botnets, loaders, spyware, stealers, and RATs… all have become harder to detect on the network: some use encryption, others – custom protocols, and others – different obfuscation techniques. However, the main advantage of the network is that despite the attackers’ attempts to hide in it, their presence does not disappear, which means it can be detected. The question is – how?
During this session, you will learn: why DNS tunneling gives itself away, why symmetric encryption is not a barrier to detection, how to deal with fragmentation using rules, the main disadvantages of steganography in network traffic, and why TLS encryption will no longer save cybercriminals.
In this presentation I will cover these and other techniques most frequently used in the current malware ecosystem and by known APT groups, and present detection methods that actually work – from the possibilities of Suricata rules to fuzzy hashes and scripting modules – to detect them all!
