Detecting Cloud Command and Control

Attackers are increasingly abusing popular cloud applications for command and control (C2). C2 over cloud apps is less likely to be detected since abusing a popular cloud application has the advantage of blending in with everyday traffic and evading traditional C2 defences. Techniques like domain and URL blocklists that detect attacker-controlled servers aren’t effective because there is no attacker-controlled infrastructure to identify. Then how do you defend against cloud C2? In this talk, we will explore this new threat landscape and outline a set of detections that use behavioural patterns and anomalies to identify malicious C2 communication from otherwise benign servers. The approach uses novel strategies like unusual cloud entity detection as well as established approaches like JA3 to identify unusual and malicious communication to a cloud application. We will ground all of these concepts in a demo of a Python-based application that uses these signals to identify cloud C2 communication from compromised machines, and thus, equip the listener with the information to spot these attacks.
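As an added example that is not the talk's own demo code, the following Python sketch combines three of the signals the abstract mentions (an unusual cloud entity, a rare JA3 fingerprint for the app, and beacon-like timing) and only raises an alert when they corroborate each other. The log format, baseline counts, entity names and JA3 labels are all constructed for illustration.

```python
# Added example, not code from the talk: score cloud-app sessions on three signals
# the abstract names: an unusual cloud entity, a rare JA3 fingerprint, beacon timing.
# Log format, baseline counts and JA3 labels are constructed for illustration.
import statistics
from collections import Counter, defaultdict

# Constructed baseline of benign traffic: entities (workspace, org, account) and
# TLS client fingerprints that normally reach each cloud app.
BASELINE_ENTITIES = {"slack.com": {"acme-corp"}, "api.github.com": {"acme-org"}}
BASELINE_JA3 = {"slack.com": Counter({"ja3-browser": 1000}),
                "api.github.com": Counter({"ja3-browser": 300, "ja3-git-cli": 100})}
# Constructed proxy log lines: epoch_seconds,src_host,cloud_host,entity,ja3
SAMPLE_LOGS = [
    "1700000000,ws-17,slack.com,acme-corp,ja3-browser",
    "1700000000,ws-42,api.github.com,org-x1,ja3-scripted-client",
    "1700000060,ws-42,api.github.com,org-x1,ja3-scripted-client",
    "1700000120,ws-42,api.github.com,org-x1,ja3-scripted-client",
    "1700000180,ws-42,api.github.com,org-x1,ja3-scripted-client",
    "1700000900,ws-17,api.github.com,acme-org,ja3-git-cli",
]

def parse(line):
    ts, src, host, entity, ja3 = line.strip().split(",")
    return int(ts), src, host, entity, ja3

def rare_ja3(host, ja3, threshold=0.01):
    """True when the fingerprint is under `threshold` of the app's baseline traffic."""
    counts = BASELINE_JA3.get(host, Counter())
    total = sum(counts.values())
    return total == 0 or counts[ja3] / total < threshold

def beacon_like(timestamps, min_events=4, max_cv=0.2):
    """Evenly spaced connections (low coefficient of variation) look like a beacon."""
    if len(timestamps) < min_events:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv

def detect(lines):
    """Return {(src, host, entity): [reasons]} for sessions with two or more signals."""
    sessions = defaultdict(list)
    for ts, src, host, entity, ja3 in map(parse, lines):
        sessions[(src, host, entity, ja3)].append(ts)
    alerts = {}
    for (src, host, entity, ja3), stamps in sessions.items():
        checks = [("unusual_cloud_entity", entity not in BASELINE_ENTITIES.get(host, set())),
                  ("rare_ja3", rare_ja3(host, ja3)),
                  ("beacon_timing", beacon_like(sorted(stamps)))]
        reasons = [name for name, hit in checks if hit]
        if len(reasons) >= 2:  # any single signal is noisy; require corroboration
            alerts[(src, host, entity)] = reasons
    return alerts
```

In practice the baselines would be learned from weeks of proxy or CASB logs per organisation, and the thresholds tuned against the resulting false-positive rate.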

About the speaker

Dagmawi Mulugeta

Threat Researcher at Netskope
Dagmawi Mulugeta is currently a threat researcher at Netskope focused on user behaviour analysis. He has previously worked at Cyrisk (a subsidiary of 4A Security), Sift Security (acquired by Netskope), and ECFMG as a researcher, security engineer, and developer. Dagmawi has a keen interest in public CTFs, exploit development, and the abuse of cloud apps. He holds an MSc in Cybersecurity from Drexel University.
Swiss Cyber Storm