CHCon ADEL KARIMI – SEEING THE INVISIBLE: FINDING FINGERPRINTS ON ENCRYPTED TRAFFIC, https://2019.chcon.nz/talks/adel/

Encryption is a warm snuggly invisibility blanket both for us and for attackers. So how can we tell if encrypted network traffic is malicious? This talk will explore techniques you can use to fingerprint encrypted network traffic including RDP, SSH and SSL/TLS, and how to use these techniques to hunt for badness! Network metadata and fingerprints can also be used to profile and cluster internet-wide scans! I will share some of the interesting activities observed by my honeypots, and show you how TLS fingerprinting and visualization helped me discover a new evasion technique!