BruCON 0x0D

Quickly detecting malicious intruders in the network is a million-billion-dollar business. Unfortunately, after decades of this problem, detecting bad actors still relies on updated versions of technologically old techniques: anti-virus, log files and packet captures.

Network EDR is only effective inside the perimeter of the organization and suffers from scaling problems due to the massive amounts of network traffic generated by modern applications. Endpoint detection is limited by event verbosity, OS version and platform age. Anti-virus loses to obfuscation frameworks every day.

All of these techniques rely on software running on the endpoints, which advanced actors frequently disable to hide their activities from the administrators. Even worse, these endpoint clients are also reliant on signatures and heuristics designed by the vendor, meaning detection frequently lags behind the speed by which actors can change their tactics or obfuscate their tools.

These limitations are compounded across different OS vendors, versions and server/client platforms. And none of them can detect a supply-chain attack, or an attack against a partner whose security isn’t as robust.

In this talk I’ll describe a groundbreaking new method of leveraging network IOCs beyond how they are leveraged by existing XDR platforms. This breakthrough method provides near-real-time alerting, zero endpoint client software, with identical fidelity across all OS versions and vendors. By sitting outside the organizations perimeter, focused on what the attacker sees, and leveraging relationships with internet infrastructure providers, this technique can detect the moment a beacon is sent, malware families and spread rate. This data can observe activity from both your network and your partners, since it isn’t dependent on client software. I’ll demonstrate how this technology can augment existing EDR solutions, addressing an industry-wide gap and giving organizations extra days (or weeks) to prevent a Data Apocalypse.

I'll draw from real-world examples of how this technology was leveraged in CTI League in 2020 to provide hospitals with an 'early alert system', giving them more time to evict bad actors before a ransomware payload was deployed.