
YouTube

99 Reasons Your Perimeter Is Leaking - Evolution of CC

via YouTube

Overview

Explore the evolution of command and control (C2) capabilities in cybersecurity through this comprehensive conference talk from Derbycon 2018. Delve into the history of C2, examining various techniques such as bind shells, reverse shells, and IRC channels. Learn about advanced methods like DNS tunneling and domain fronting, as well as the increasing capabilities of red teams. Understand the key needs for reliability, concealment, and resilience in C2 operations. Examine the Hyperwave Architecture and its applications in transitivity and redundancy. Gain insights into red team operational concerns and C2 detection fundamentals. Discover various detection methods, including process-traffic correlation, unique domain activity, and payload patterns. Explore ways to detect abuse of services like Dropbox. Conclude with a discussion on blue team strategies and the importance of unit testing in cybersecurity operations.

Syllabus

Intro
Hi, I'm John
Command and Control
Capability
A Brief History of C2
Capabilities Bind Shell - Reverse Shell
Constraints Reverse Shell
Capabilities Shells - IRC
Constraints IRC Channels
Other Protocol Tunneling?
DNS Tunneling
Domain Fronting
Apps / 3rd Party Services
Increasing Red Team Capabilities
Needs - Reliability
Needs - Concealment
Needs - Resilience • Expect messages to be lost, and still operate
Design Decisions
Hyperwave Architecture
Example 1 - Transitivity
Example 2 - Redundancy
Red Team Operational Concerns
C&C Detection Fundamentals
Control Your Attack Surface
Into the App Layer
Ways To Detect...
Unused Services
Process-Traffic Correlation
Unique Domain Activity
Unique URL Path/Params
Headers
Authentication Artifacts
Behavior - API Usage
Behavior - Timing • Our transport polls at X seconds
Payload Patterns
10. General Behavior
Detecting Abuse of: Dropbox
Blue Team Questions
Unit Testing
PC2
Questions?
