User Agent strings are valuable, but they kind of suck because there is no standard format. Using LLMs to summarize and structure the User Agent strings works with high enough accuracy to help translate to an application name and version. – Estep & M #BHUSA #LivePost
Behaviors to look for: unusual DNS, weird repo access, large external data transfers. Over 185 signals in total, including request completion times, interval between requests, sequences and patterns, HTTP methods used and codes in responses, file types being transmitted – Estep & M #BHUSA #LivePost
BEAM looked at 56 billion transactions across 2000 organizations to generate baseline models. – Estep & M #BHUSA #LivePost
Traffic behavior analysis becomes more addressable as a problem if you baseline profile individual applications. OSS tool being released: BEAM, starting with models for 8 common applications. – Estep & M #BHUSA #LivePost
Anomalies in traffic are based on URL entropy, hosts the application isn't typically using, and how deep the path is compared to what is usual for, e.g., an API call. – Estep & M #BHUSA #LivePost
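As an added illustration of the three per-application anomaly signals named in that post (URL entropy, off-baseline hosts, unusual path depth), here is a small Python scorer. It is not BEAM's code and not from the presenters; the baseline hosts, the path-depth limit, the entropy threshold and the sample URLs are all constructed assumptions for a hypothetical application.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Constructed baseline for a hypothetical application: the hosts it normally
# talks to and the deepest URL path seen during the baselining period.
BASELINE = {
    "hosts": {"api.example-app.test", "cdn.example-app.test"},
    "max_path_depth": 4,
}


def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def path_depth(path: str) -> int:
    """Number of non-empty path segments, so '/api/v2/users' has depth 3."""
    return len([seg for seg in path.split("/") if seg])


def score_url(url: str, baseline: dict, entropy_threshold: float = 4.0) -> list:
    """Return the list of anomaly reasons for one request URL against a baseline.

    An empty list means the request looks like the application's normal traffic.
    The threshold of 4.0 bits is an assumed tuning value, not one from the talk.
    """
    parts = urlsplit(url)
    reasons = []
    # Signal 1: destination host the application does not normally use.
    if parts.hostname not in baseline["hosts"]:
        reasons.append("unusual_host")
    # Signal 2: path deeper than anything seen for this application.
    depth = path_depth(parts.path)
    if depth > baseline["max_path_depth"]:
        reasons.append(f"deep_path:{depth}")
    # Signal 3: high-entropy path/query, typical of encoded or random content.
    ent = shannon_entropy(parts.path + ("?" + parts.query if parts.query else ""))
    if ent > entropy_threshold:
        reasons.append(f"high_entropy:{ent:.2f}")
    return reasons


def scan(urls, baseline=BASELINE) -> dict:
    """Score a batch of URLs; returns {url: [reasons]}."""
    return {u: score_url(u, baseline) for u in urls}


# Constructed sample traffic: one normal call, one to an unknown host,
# one unusually deep path, and one with a random-looking path segment.
SAMPLE_URLS = [
    "https://api.example-app.test/api/v2/users",
    "https://attacker-c2.test/api/v2/users",
    "https://api.example-app.test/a/b/c/d/e/f",
    "https://api.example-app.test/api/v2/x7Qm9zLpK3vWn2Rt8Yb4Hc6Jd1Fe5Gs0Au",
]

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_URLS).items():
        print(("ALERT " if reasons else "ok    ") + url, reasons)
```

One caveat when tuning the entropy signal: the entropy of a string is bounded by log2 of its length, so a short path can never cross a high threshold no matter how random it looks, and a fixed threshold should be chosen against the length distribution of the application's own URLs rather than a single global value.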
SolarWinds mentioned immediately – Estep & M #BHUSA #LivePost
Application traffic behavior for identifying supply chain attacks with Colin Estep and Dagmawi M of Netskope #BHUSA #LivePost
Defenses are mostly expensive, but removing the charger unit from all networks, disabling radios, and physically securing against walk-up attacks are often easy and effective. But device manufacturers should have hardware-based protections, not relying only on software-based ones. Could be as simple as a fuse – Anderson & Kaliyanackis #BHUSA #LivePost
There are outcomes that involve "theft" of power/charging service, but obviously the biggest problem is the safety risk an attacker could introduce (either accidentally or deliberately) – Anderson & Kaliyanackis #BHUSA #LivePost
"Reminding everyone that 'fire goes up'": don't mount your cable holder below anything flammable. Also don't leave it coiled while the vehicle is charging, especially not tightly coiled – Anderson & Kaliyanackis #BHUSA #LivePost
Cables were heated to over 177°C before failure, which is dangerous on its own (severe burns and worse). – Anderson & Kaliyanackis #BHUSA #LivePost