Seeing The Invisible: Finding Fingerprints on Encrypted Traffic

by 0x4D31 (adel) | Friday, 11:30am - 11:45am

Encryption is a warm snuggly invisibility blanket both for us and for attackers. So how can we tell if encrypted network traffic is malicious?

This talk will explore techniques you can use to fingerprint encrypted traffic and how to use these techniques to hunt for badness! I’ll use Microsoft’s Remote Desktop Protocol (RDP) as an example to showcase these techniques. RDP is very commonly used as an attack vector and for lateral movement, which makes monitoring RDP activity in your network all the more important.

I will also share some of the interesting activities observed by my honeypots, including BlueKeep scan attempts, and discuss how I use network metadata and fingerprints to profile and cluster internet-wide scans.

About 0x4D31 (adel)

Adel is a Security Engineer on the Detection team at an unnamed search engine company! Before joining <REDACTED>, he worked as a lead detection engineer at Salesforce, hunting the bad guys! Adel is a computer detective by day and honeypot operator by night!