Malware Protocol Simulations in Distributed Networks


Discovering and identifying malicious activities in large networks is challenging as they can blend in, use commercial services or just go under radar with newer protocols. Another challenge is while defensive teams expect Red Team to assist on simulations, Red Team goes for their own objectives. Furthermore, cyber defence teams using real malware or known offensive tools would be problematic in production. It’s also way harder to simulate these activities in physically or logically distributed networks without a malware or product.

In this talk, we’ll seek solutions to these challenges to provide better Command & Control (C2) traffic and compromise simulations. Differences between the purpose of various C2 channels and their implementations in the wild will be compared. Most of the threat actors stay in the target networks more than a couple of months which may give sufficient time to identify the communication channels. So, we’ll look for the ways of simulating long game and building resiliency against these activities. We will also enrich our defensive understanding of the real-time like protocols (e.g. DNS over HTTPS, HTTP/2, HTTP/3, QUIC, Websocket) to simulate interactive C2 communications realistically.

Discussions won’t solve the challenges magically, therefore I developed Tehsat (Deception in Vulcan) to assist us. It is developed to make C2 simulations safe and easy to implement with no offensive capabilities. It can simulate various protocols (e.g. HTTP, Websocket, TCP, UDP, SMB Named Pipe, ICMP, DNS, DoH) with custom profiling. The profiles used by malware can be used to generate these profiles and design simulations. The agents generated can be served, or deployed standalone in bulk. Using this open-source defensive tool, it’s possible to create your own text or binary protocol, simulate in larger networks with cloud services, and also utilise C2 command mocking through the agents. The traffic simulated can be used to analyse efficiency of the cyber data analytics infrastructure, to plant flags for the incident response teams or to safely simulate a purple team exercise.

Location: Track 1 Date: August 27, 2021 Time: 3:00 pm - 4:00 pm Fatih Ozavci