Seeing The Invisible: Finding Fingerprints on Encrypted Traffic

Encryption is a warm snuggly invisibility blanket both for us and for attackers. So how can we tell if encrypted network traffic is malicious?

This talk will explore techniques you can use to fingerprint encrypted traffic and how to use these techniques to hunt for badness! I’ll use Microsoft’s Remote Desktop Protocol (RDP) as an example to showcase these techniques. RDP is very commonly used as an attack vector and lateral movement technique, and this makes it more important to monitor the RDP activity in your network.

I will also share some of the interesting activities observed by my honeypots, including BlueKeep scan attempts, and discuss how I use network metadata and fingerprints to profile and cluster internet-wide scans.