#HITB2021SIN D2T1 - Malware Protocol Simulations In Distributed Networks - Fatih Ozavci

Discovering and identifying malicious activities in large networks is challenging: they can blend in with normal traffic, ride on commercial services, or simply fly under the radar by using newer protocols. Another challenge is that while defensive teams expect the Red Team to assist with simulations, the Red Team pursues its own objectives. Furthermore, cyber defence teams using real malware or known offensive tools in production would be problematic. It is also much harder to simulate these activities in physically or logically distributed networks without real malware or a commercial product.

In this talk, we'll seek solutions to these challenges in order to provide better Command & Control (C2) traffic and compromise simulations. The purposes of various C2 channels and their implementations in the wild will be compared. Most threat actors stay in target networks for more than a couple of months, which may give defenders sufficient time to identify the communication channels. So, we'll look for ways of simulating the long game and building resiliency against these activities. We will also enrich our defensive understanding of real-time-like protocols (e.g. DNS over HTTPS, HTTP/2, HTTP/3, QUIC, WebSocket) in order to simulate interactive C2 communications realistically.

Discussions won't solve the challenges magically, therefore I developed Tehsat (Deception in Vulcan) to assist us. It is designed to make C2 simulations safe and easy to implement, with no offensive capabilities. It can simulate various protocols (e.g. HTTP, WebSocket, TCP, UDP, SMB named pipes, ICMP, DNS, DoH) with custom profiling. Profiles observed in real malware can be used to generate these simulation profiles and to design simulations. The generated agents can be served from the tool or deployed standalone in bulk. Using this open-source defensive tool, it's possible to create your own text or binary protocol, simulate in larger networks using cloud services, and also mock C2 commands through the agents. The simulated traffic can be used to analyse the effectiveness of the security data analytics infrastructure, to plant flags for the incident response teams, or to safely simulate a purple team exercise.
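To make the profile-driven, non-offensive simulation concrete, here is an added example (not Tehsat's code, and not the speaker's): a hypothetical profile schema renders HTTP beacon requests with jittered timing, a mock C2 server answers with canned tasks, the agent side returns canned output instead of executing anything, and a blue-team helper measures beacon regularity over the generated schedule. The profile fields, host name, cookie encoding and mock command set are assumptions made for this example; the sample values are constructed.

```python
"""Profile-driven, non-offensive C2 beacon simulation (constructed example).

The profile format, field names, mock command set and sink host below are
hypothetical; they are not Tehsat's own schema or API.
"""
import base64
import random
import statistics
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Describes how the simulated beacon looks on the wire (assumed schema)."""
    name: str
    method: str = "GET"
    uri: str = "/api/v1/status"
    host: str = "updates.example.invalid"        # hypothetical traffic sink
    headers: dict = field(default_factory=dict)
    cookie_name: str = "session"                 # carries the encoded agent id
    interval: float = 60.0                       # seconds between beacons
    jitter: float = 0.2                          # +/- fraction of interval
    mock_commands: tuple = ("whoami", "hostname", "sleep")


def encode_agent_id(agent_id: str, seq: int) -> str:
    """Hide 'agent:seq' in a cookie, as many HTTP beacons hide metadata."""
    raw = f"{agent_id}:{seq}".encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_agent_id(token: str) -> tuple:
    """Inverse of encode_agent_id; restores stripped base64 padding first."""
    pad = "=" * (-len(token) % 4)
    agent_id, seq = base64.urlsafe_b64decode(token + pad).decode().split(":")
    return agent_id, int(seq)


def build_beacon_request(profile: Profile, agent_id: str, seq: int) -> bytes:
    """Render the raw HTTP/1.1 request bytes for one beacon check-in."""
    lines = [f"{profile.method} {profile.uri} HTTP/1.1", f"Host: {profile.host}"]
    lines += [f"{k}: {v}" for k, v in profile.headers.items()]
    lines.append(f"Cookie: {profile.cookie_name}={encode_agent_id(agent_id, seq)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def beacon_schedule(profile: Profile, count: int, seed: int = 0) -> list:
    """Sleep intervals with jitter; seeded so a simulation can be replayed."""
    rng = random.Random(seed)
    lo = profile.interval * (1 - profile.jitter)
    hi = profile.interval * (1 + profile.jitter)
    return [rng.uniform(lo, hi) for _ in range(count)]


class MockC2Server:
    """Answers beacons with mocked tasks; it never handles real command output."""

    def __init__(self, profile: Profile):
        self.profile = profile
        self.seen = []                           # (agent_id, seq) check-ins

    def handle(self, request: bytes) -> bytes:
        head = request.decode().split("\r\n")
        cookie = next(h for h in head if h.startswith("Cookie: "))
        agent_id, seq = decode_agent_id(cookie.split("=", 1)[1])
        self.seen.append((agent_id, seq))
        task = self.profile.mock_commands[seq % len(self.profile.mock_commands)]
        body = f"task={task}"
        return f"HTTP/1.1 200 OK\r\nContent-Length: {len(body)}\r\n\r\n{body}".encode()


def mock_execute(response: bytes) -> str:
    """Agent side: parse the task and return canned output instead of running it."""
    task = response.split(b"\r\n\r\n", 1)[1].decode().split("=", 1)[1]
    canned = {"whoami": "SIM\\user", "hostname": "sim-host-01", "sleep": ""}
    return canned.get(task, "")


def interval_stats(intervals: list) -> tuple:
    """Blue-team check: a low coefficient of variation suggests periodic beaconing."""
    mean = statistics.mean(intervals)
    cv = statistics.pstdev(intervals) / mean
    return round(mean, 3), round(cv, 3)


if __name__ == "__main__":
    profile = Profile(name="demo", headers={"User-Agent": "Mozilla/5.0"})
    server = MockC2Server(profile)
    for seq in range(3):
        response = server.handle(build_beacon_request(profile, "agent-7", seq))
        print(seq, repr(mock_execute(response)))
    print(interval_stats(beacon_schedule(profile, 50, seed=1)))
```

The agent never spawns a process; `mock_execute` only maps the mocked task name to canned text, which is what keeps such a simulation safe to deploy in bulk. Feeding the rendered requests into a proxy or sensor, and the schedule into the analytics pipeline, lets a purple team check whether the cookie-encoded identifier and the beacon periodicity are actually surfaced.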

===

Fatih Ozavci is a multidisciplinary security manager, engineer and researcher with two decades of experience in offensive and defensive security technologies.

He has managed several international security assessment and research projects focused on various technologies, including service provider networks, unified communications, application security and embedded systems. He has shared his research, tools, advisories and vulnerabilities at major security conferences such as Black Hat USA, DEF CON and HITB.

Nowadays, he combines his skill sets to perform realistic adversary simulations and defence exercises for larger organisations. Fatih is also studying for a Master of Cyber Security (Advanced Tradecraft) at the University of New South Wales at the Australian Defence Force Academy.