BruCON 0x0D has ended
Thursday, October 7 • 16:00 - 17:00
Visibility beyond perimeters: Detecting C2 at time of execution.


Quickly detecting malicious intruders in the network is a million-billion-dollar business. Unfortunately, after decades of work on this problem, detecting bad actors still relies on updated versions of technologically old techniques: anti-virus, log files and packet captures.

Network EDR is only effective inside the perimeter of the organization and suffers from scaling problems due to the massive amounts of network traffic generated by modern applications. Endpoint detection is limited by event verbosity, OS version and platform age. Anti-virus loses to obfuscation frameworks every day.

All of these techniques rely on software running on the endpoints, which advanced actors frequently disable to hide their activities from the administrators. Even worse, these endpoint clients are also reliant on signatures and heuristics designed by the vendor, meaning detection frequently lags behind the speed at which actors can change their tactics or obfuscate their tools.

These limitations are compounded across different OS vendors, versions and server/client platforms. And none of them can detect a supply-chain attack, or an attack against a partner whose security isn’t as robust.

In this talk I’ll describe a groundbreaking new method of leveraging network IOCs beyond how they are leveraged by existing XDR platforms. This breakthrough method provides near-real-time alerting with zero endpoint client software and identical fidelity across all OS versions and vendors. By sitting outside the organization’s perimeter, focusing on what the attacker sees, and leveraging relationships with internet infrastructure providers, this technique can detect the moment a beacon is sent, as well as malware families and spread rate. Because it isn’t dependent on client software, this data covers activity from both your network and your partners’ networks. I’ll demonstrate how this technology can augment existing EDR solutions, addressing an industry-wide gap and giving organizations extra days (or weeks) to prevent a Data Apocalypse.

I'll draw from real-world examples of how this technology was leveraged in CTI League in 2020 to provide hospitals with an 'early alert system', giving them more time to evict bad actors before a ransomware payload was deployed.


Nate Warfield

Nate has been a hacker since he first laid hands on a 2400 baud modem. After his first hack of a dial-up BBS at 12, he was hooked, and over the following 25 years he sharpened his skills through jobs in network engineering, vulnerability response, endpoint research and side projects...

Thursday October 7, 2021 16:00 - 17:00 CEST
01. Westvleteren University