Brutkey

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Anomalies in traffic are based on URL entropy, hosts the application isn't typically using, and how deep the path is compared to a usual e.g. API call. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Traffic behavior analysis becomes more addressable as a problem if you baseline profile individual applications. OSS tool being released: BEAM, starting with models for 8 common applications. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

BEAM looked at 56 billion transactions across 2000 organizations to generate baseline models. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

User Agent strings are valuable, but they kind of suck because there is no standard format. Using LLMs to summarize and structure the User Agent strings works with high enough accuracy to help translate to an application name and version. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Behaviors to look for: unusual DNS, weird repo access, large external data transfers. Over 185 signals in total, including request completion times, interval between requests, sequences and patterns, HTTP methods used and codes in responses, file types being transmitted – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Attributions under test are fairly reliable, but not perfect. – Estep & M #BHUSA #LivePost

Darren Meyer :donor:
@darrenpmeyer@infosec.exchange

Trained an XGBoost model per application, only 93 out of 500k were incorrectly attributed for worst case (Box) – Estep & M #BHUSA #LivePost