Brutkey

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Application traffic behavior for identifying supply chain attacks with Colin Estep and Dagmawi M of Netskope #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

SolarWinds mentioned immediately – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Anomalies in traffic are based on URL entropy, hosts the application isn't typically using, and how deep the path is compared to, e.g., a usual API call. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Traffic behavior analysis becomes more addressable as a problem if you baseline profile individual applications. OSS tool being released: BEAM, starting with models for 8 common applications. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

BEAM looked at 56 billion transactions across 2000 organizations to generate baseline models. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

User Agent strings are valuable, but they kind of suck because there is no standard format. Using LLMs to summarize and structure the User Agent strings works with high enough accuracy to help translate to an application name and version. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Behaviors to look for: unusual DNS, weird repo access, large external data transfers. Over 185 signals in total, including request completion times, interval between requests, sequences and patterns, HTTP methods used and codes in responses, file types being transmitted. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Attributions under test are fairly reliable, but not perfect. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Trained an XGBoost model per application; only 93 out of 500k were incorrectly attributed for the worst case (Box). – Estep & M #BHUSA #LivePost
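As an added illustration of the three traffic features named in the thread (URL entropy, hosts the application doesn't normally use, and path depth), the following Python builds a per-application baseline and scores new requests against it. This is not BEAM's code or the speakers' material; the hypothetical "filestore" application, its example.com-style hostnames, the sample URLs and the 0.5-bit entropy margin are all constructed assumptions.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of one hypothetical application's normal traffic ("filestore");
# a real baseline would be built from that application's observed proxy logs.
BASELINE = [
    "https://api.filestore.example/v2/folders/0/items",
    "https://api.filestore.example/v2/files/123/content",
    "https://upload.filestore.example/v2/files/content",
    "https://api.filestore.example/v2/users/me",
    "https://api.filestore.example/v2/folders/555/items",
]

def url_entropy(url):
    """Shannon entropy (bits/char) of path+query; encoded payloads score far above REST paths."""
    parts = urlsplit(url)
    text = parts.path + ("?" + parts.query if parts.query else "")
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def path_depth(url):
    """Count of non-empty path segments, e.g. /v2/users/me -> 3."""
    return sum(1 for seg in urlsplit(url).path.split("/") if seg)

def build_profile(urls):
    """Per-application baseline: hosts seen, deepest path, highest URL entropy."""
    return {
        "hosts": {urlsplit(u).hostname for u in urls},
        "max_depth": max(path_depth(u) for u in urls),
        "max_entropy": max(url_entropy(u) for u in urls),
    }

def score_request(profile, url, entropy_margin=0.5):
    """Reasons a request deviates from the application's profile; [] means it fits."""
    reasons = []
    host = urlsplit(url).hostname
    if host not in profile["hosts"]:
        reasons.append(f"host {host} never seen for this application")
    depth = path_depth(url)
    if depth > profile["max_depth"]:
        reasons.append(f"path depth {depth} exceeds baseline {profile['max_depth']}")
    ent = url_entropy(url)
    if ent > profile["max_entropy"] + entropy_margin:
        reasons.append(f"url entropy {ent:.2f} exceeds baseline {profile['max_entropy']:.2f}")
    return reasons

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print(score_request(profile, "https://cdn.unrelated.example/a/b/c/d/e/f/g"))
```

A request to a known host with a familiar path shape returns no reasons, while an unseen host with a deep path, or a known host carrying a long random-looking path segment, is flagged with the feature that tripped.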