Wow, the presented data is quite a few years out of date. All major CDNs block host and SNI mismatches. So while you can still theoretically put a C2 server behind a CDN, you can no longer use domain fronting to obfuscate it. Also, RITA has supported bimodal analysis for a number of years now. It's specifically designed to detect the use case described (beacon timing at idle is different than timing when active).
This feels quite offensive.
If you know C2 beaconing (I'm sure you know better than me), you know the timestamp of the connection is not important, but the time delta is.
- Domain fronting and malleable host header are different methods. Both are still used.
- RITA introduced histogram scoring around 28 June 22. Looking at this presentation date, just one year before, NOT NUMBER OF YEARS. (commit cfd9a7e on the legacy repo)
- Bimodal analysis was released around 19 December 2022, NOT even a year before this presentation. (commit d3ad434 on the legacy repo).
Thanks Mehmet, great info that's hard to find!
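The two points the thread turns on (the inter-connection delta is the signal, and idle-versus-tasked timing gives a bimodal delta distribution) as an added example in Python; this is not code from the presentation or from RITA, and the bin width, the 20% share threshold and the constructed timestamps are assumptions.

```python
"""Beacon timing analysis over inter-connection deltas (added example).
Absolute timestamps are discarded; only the gaps between connections are
scored. A histogram of those gaps exposes an implant that sleeps longer
while idle than while tasked. Bin width and thresholds are assumptions."""
from collections import Counter
import statistics

def deltas(timestamps):
    """Seconds between consecutive connections of one src->dst pair."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def histogram_modes(values, bin_width=5, min_share=0.2):
    """Bucket deltas into bins of bin_width seconds (nearest-bin rounding)
    and return the centres of bins holding at least min_share of samples.
    Two well-separated centres indicate bimodal beacon timing."""
    counts = Counter(round(v / bin_width) for v in values)
    return sorted(b * bin_width for b, c in counts.items()
                  if c / len(values) >= min_share)

def regularity(values):
    """Jitter score in [0, 1]: 1.0 when every delta is identical. Uses the
    median absolute deviation so a few outliers do not mask a beacon."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return max(0.0, 1.0 - mad / med) if med else 0.0

def analyse(timestamps, bin_width=5):
    """Score the whole delta series and each detected mode separately;
    a single overall score hides a beacon whose interval changes."""
    d = deltas(timestamps)
    modes = histogram_modes(d, bin_width)
    per_mode = {m: [v for v in d if min(modes, key=lambda x: abs(v - x)) == m]
                for m in modes}
    return {"modes": modes, "overall": regularity(d),
            "per_mode": {m: regularity(vs) for m, vs in per_mode.items()}}

# Constructed sample (not real traffic): ~60 s sleep while idle, ~5 s once
# tasked, with a few seconds of jitter added by hand.
IDLE = [0, 61, 119, 180, 242, 300, 359, 421, 480, 541,
        600, 662, 719, 780, 841, 900, 961, 1019, 1080, 1142]
ACTIVE = [1147, 1152, 1158, 1163, 1167, 1173, 1178, 1184, 1189, 1193,
          1199, 1204, 1210, 1215, 1219, 1225, 1230, 1236, 1241, 1246]
SAMPLE = IDLE + ACTIVE

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

On the constructed sample the whole series scores poorly (the two intervals smear the median), while each mode on its own scores as a tight beacon, which is the case a bimodal check is meant to catch.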
Great subject, keep it going man
Does someone know if there is a public dataset that might be used for testing purposes (ML)?