HITB LAB: Identifying Threats in Raw Data Events: A Practical Approach for Enterprises (PART 1)


With proliferation of custom, targeted attacks it is essential for any CIRT team to be able to detect and rapidly respond to evolving network threats. In this workshop session Fyodor, Vitaly and Vladimir will demonstrate a practical approach of mining and identifying malicious activity patterns from raw network data, empowering machine learning algorithms and a number of hacks the authors will demonstrate practically usable platform for detecting on-going network exploitation activity (exploit kit sequence detection), time series analysis applied to compromised machines C2 calls.

In part 1 of this four hour workshop will cover following areas of advanced practical intrusion detection:

  • Identifying botnet activity and other anomalous activity by inspecting DNS traffic for presence of dynamically generated domain name queries, typical to botnet C2 control channels, DNS covert channels, DNS vpn and anonymizer traffic and more. A tool will be released as opensource software to aid in such detection
  • Inspecting HTTP traffic through raw traffic analysis and proxy logs and identifying targeted client fingerprinting attempts, web browser explotation sequences, remote execution and executable transfer, covert channels.

 All the tools used in this workshop are to be shared and publicly released under Open Source (GPL) license.

Location: Track 3 / HITB Labs Date: October 16, 2014 Time: 10:30 am - 12:30 pm Vladimir Kropotov Fyodor Yarochkin Vitaly Chetvertakov