How to Threat Hunt for C2 Traffic Regardless of Protocol or Port
On-Demand Webcast
Going Beyond Pattern Matching to Hunt for Attacker Communications Using Zeek Logs and RITA
Presented by Corelight & Active CounterMeasures
Adversary C2 communications constantly evolve, and security analysts who try to tackle C2 discovery using only blacklists and simple pattern-based detection leave themselves open to evasion, since attackers can quickly swap out domains or change their basic patterns.
A more resilient approach to C2 traffic discovery combines comprehensive network security monitoring with a network traffic analysis tool like Zeek, which transforms traffic into rich, protocol-comprehensive logs, and analysis tools like Real Intelligence Threat Analytics (RITA), which use those logs to examine more durable C2 communication characteristics such as communication timing and size.
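As an added example (not code from the webcast, Corelight, or the RITA project), the Python below scores each source/destination pair in a constructed Zeek conn.log excerpt by how regular its connection intervals and request sizes are, which is the timing-and-size style of analysis the paragraph describes; the scoring formula, the column subset, and the sample log lines are assumptions, not RITA's actual algorithm or data.

```python
from collections import defaultdict
from statistics import median

# Constructed Zeek conn.log excerpt (TSV, subset of columns): 10.0.0.5 -> 203.0.113.9:443 is a ~60 s beacon
# with a fixed request size; the :80 pair is bursty browsing; 10.0.0.7 has too few connections to score.
CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\torig_bytes
1600000000.000000\t10.0.0.5\t203.0.113.9\t443\ttcp\t512
1600000061.000000\t10.0.0.5\t203.0.113.9\t443\ttcp\t512
1600000119.000000\t10.0.0.5\t203.0.113.9\t443\ttcp\t512
1600000181.000000\t10.0.0.5\t203.0.113.9\t443\ttcp\t512
1600000240.000000\t10.0.0.5\t203.0.113.9\t443\ttcp\t512
1600000299.000000\t10.0.0.5\t203.0.113.9\t443\ttcp\t512
1600000010.000000\t10.0.0.5\t198.51.100.20\t80\ttcp\t120
1600000015.000000\t10.0.0.5\t198.51.100.20\t80\ttcp\t4800
1600000400.000000\t10.0.0.5\t198.51.100.20\t80\ttcp\t75
1600001900.000000\t10.0.0.5\t198.51.100.20\t80\ttcp\t9000
1600000030.000000\t10.0.0.7\t203.0.113.9\t443\ttcp\t512
1600000090.000000\t10.0.0.7\t203.0.113.9\t443\ttcp\t512
"""

def parse_conn_log(text):
    """Parse Zeek TSV log lines into dicts, taking column names from the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def regularity(values):
    """1.0 when all values are identical, falling toward 0 as the spread (MAD) approaches the median."""
    m = median(values)
    mad = median(abs(v - m) for v in values)
    return max(0.0, 1.0 - mad / m) if m else 0.0

def beacon_score(timestamps, sizes):
    """Average of interval regularity and size regularity (assumed formula): near 1.0 is beacon-like."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    return round((regularity(intervals) + regularity(sizes)) / 2, 3)

def score_pairs(rows, min_conns=4):
    """Score every (src, dst, port) pair seen at least min_conns times; protocol and port play no role."""
    groups = defaultdict(lambda: ([], []))
    for r in rows:
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        groups[key][0].append(float(r["ts"]))
        groups[key][1].append(int(r["orig_bytes"]))
    return {k: beacon_score(t, s) for k, (t, s) in groups.items() if len(t) >= min_conns}
```

Because the score is built only from timestamps and byte counts, it flags the regular :443 pair without inspecting payloads, which is why the approach survives encryption and port changes; real traffic needs longer windows and a jitter-tolerant interval measure than this toy uses.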
Watch this webcast to learn from two threat hunting instructors who will show you:
- How to use Zeek-generated network logs to instrument C2 detection analytics in RITA
- How to find C2 communications in encrypted channels
- How to spot DNS-based C2 beaconing
- And more...
Chris Brenton, COO, Active CounterMeasures
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and to identify their product market fit.
Alex Kirk, Security Engineer, Corelight
Alex is a veteran open source security evangelist with a deep engineering background. In 10 years with Sourcefire Research (VRT), he wrote the team’s first malware sandbox and established its global customer outreach and intelligence sharing program. He has spoken at conferences across the globe on topics from “Malware Mythbusting” to “Using Bro/Zeek Data for IR and Threat Hunting”, and was a contributing author of “Practical Intrusion Analysis”, an oft-used textbook for university courses on IDS. His security engineering background also includes time at Cisco and Tenable.