FloCon 2017 has ended
Thursday, January 12 • 8:30am - 9:00am
Uncovering Beacons Using Behavioral Analytics and Information Theory


A beacon, or heartbeat, is machine-generated traffic leaving the network to confirm availability to, or seek new instructions from, an external system. Beacons may be used for innocuous purposes (such as checking for Microsoft updates) or for malicious purposes (such as registering an infected host with a C2 server). In this presentation, we will demonstrate how to detect beacons using a combination of packet count entropy, producer-consumer ratios, and dynamically generated hostname detection across a Bro dataset. Packet count entropy measures the variance in the number of packets transmitted across a set of connections, on the assumption that human-driven traffic will exhibit a wide distribution of packet counts across connections while beaconing traffic will exhibit a comparatively narrow one. Producer-consumer ratios compare the number of bytes leaving a client with the number of bytes returning to it, to detect clients that regularly transmit data outward without receiving data in return. Dynamically generated hostname detection looks for machine-generated hostnames, to root out hosts that may attempt to escape detection by constantly changing hostnames. We combine these three independent signals to detect potential hosts that are attracting beacon connections from inside our network. We can then cross-reference this data against open-source and proprietary threat intelligence to identify possible C2 servers.

In this presentation, we will demonstrate that these tasks can be accomplished using a small number of SQL scripts that can be easily parameterized, with results aggregated by a Python or shell script. As such, they can easily be automated to run on a set frequency or when new batches of data are available.
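The following is an added illustration of the first two signals described above, not code from the talk: it aggregates constructed Bro/Zeek conn.log-style rows per (client, server) pair, computes packet count entropy and a producer-consumer ratio, and combines them. The ratio form (sent - received) / (sent + received), the thresholds, and the sample rows are assumptions; the hostname signal is not shown.

```python
import math
from collections import Counter, defaultdict

# Constructed conn.log-style rows (hypothetical, not real traffic):
# (id.orig_h, id.resp_h, orig_pkts, resp_pkts, orig_bytes, resp_bytes)
CONN_LOG = [
    # periodic check-in: identical packet counts, client mostly sends
    *[("10.0.0.5", "203.0.113.7", 4, 2, 500, 100) for _ in range(6)],
    # interactive browsing: varied packet counts, client mostly receives
    ("10.0.0.8", "198.51.100.20", 10, 20, 800, 5000),
    ("10.0.0.8", "198.51.100.20", 5, 40, 400, 20000),
    ("10.0.0.8", "198.51.100.20", 12, 60, 1200, 30000),
    ("10.0.0.8", "198.51.100.20", 3, 9, 300, 2000),
    ("10.0.0.8", "198.51.100.20", 25, 100, 2000, 60000),
    # too few connections to judge
    ("10.0.0.9", "192.0.2.33", 4, 2, 500, 100),
]

def packet_count_entropy(pkt_counts):
    """Shannon entropy (bits) of the packet-count distribution over a set of
    connections; 0 means every connection carried the same number of packets."""
    n = len(pkt_counts)
    return -sum((c / n) * math.log2(c / n) for c in Counter(pkt_counts).values())

def producer_consumer_ratio(sent, received):
    """(sent - received) / (sent + received): +1 is a pure producer (client
    only transmits), -1 a pure consumer. Assumed form of the ratio."""
    total = sent + received
    return 0.0 if total == 0 else (sent - received) / total

def score_pairs(rows, min_conns=5):
    """Group rows per (client, server) pair and compute both signals."""
    groups = defaultdict(list)
    for src, dst, opkts, rpkts, obytes, rbytes in rows:
        groups[(src, dst)].append((opkts + rpkts, obytes, rbytes))
    scores = {}
    for pair, conns in groups.items():
        if len(conns) < min_conns:
            continue  # too few samples for a meaningful distribution
        scores[pair] = {
            "n": len(conns),
            "entropy": packet_count_entropy([c[0] for c in conns]),
            "pcr": producer_consumer_ratio(sum(c[1] for c in conns),
                                           sum(c[2] for c in conns)),
        }
    return scores

def beacon_candidates(scores, max_entropy=1.0, min_pcr=0.0):
    """Combine the signals: low packet-count entropy AND net-producing client.
    Thresholds are illustrative, not values from the talk."""
    return sorted(p for p, s in scores.items()
                  if s["entropy"] <= max_entropy and s["pcr"] >= min_pcr)
```

Each pair's scores can then be written back to a table and cross-referenced against threat intelligence, as the abstract describes.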


Eric Dull

Specialist Leader, Deloitte & Touche, LLP
Eric Dull is a Specialist Leader at Deloitte, leading large-scale data science and cyber security applications for a variety of United States Government and commercial clients. He is an expert in applied graph theory, data mining, and anomaly detection. His work includes machine...

Brian Sacash

Specialist Senior, Deloitte & Touche, LLP
Brian Sacash is a Specialist Senior at Deloitte, focusing on data science and software development in the cyber security sector. He has experience employing natural language processing, statistical analysis, and machine learning, using big data technologies, for analytic-based decision...

Thursday January 12, 2017 8:30am - 9:00am PST
Great Room V-VIII 7450 Hazard Center Dr.