Detections in this case were influenced by the time taken and the size of data in transactions, even though the attacker was attempting to be cautious and conservative. – Estep & M #BHUSA #LivePost
Red Team verification: attack Spotify with a GitHub Codespaces C2 setup. Basic network traffic looks normal (user communicates with both services routinely). Attacker starts remote shell and interacts. POC version of BEAM flagged the communications as an anomaly with 94% confidence. – Estep & M #BHUSA #LivePost
Trained an XGBoost model per application; only 93 out of 500k were incorrectly attributed in the worst case (Box). – Estep & M #BHUSA #LivePost
Attributions under test are fairly reliable, but not perfect. – Estep & M #BHUSA #LivePost
Behaviors to look for: unusual DNS, weird repo access, large external data transfers. Over 185 signals in total, including request completion times, intervals between requests, sequences and patterns, HTTP methods used and codes in responses, and file types being transmitted. – Estep & M #BHUSA #LivePost
User Agent strings are valuable, but they kind of suck because there is no standard format. Using LLMs to summarize and structure the User Agent strings works with high enough accuracy to help translate to an application name and version. – Estep & M #BHUSA #LivePost
BEAM looked at 56 billion transactions across 2000 organizations to generate baseline models. – Estep & M #BHUSA #LivePost
Traffic behavior analysis becomes a more addressable problem if you build a baseline profile for individual applications. OSS tool being released: BEAM, starting with models for 8 common applications. – Estep & M #BHUSA #LivePost
Anomalies in traffic are based on URL entropy, hosts the application isn't typically using, and how deep the path is compared to a usual request, e.g. an API call. – Estep & M #BHUSA #LivePost
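To make the three anomaly features named above concrete, here is an added example (not BEAM's code or data) that builds a per-application baseline from a constructed set of transactions and scores a new request by unknown host, URL entropy and path depth. The application name, hosts and URLs are hypothetical, and the z-score threshold is an assumption.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Constructed "normal" transactions for one hypothetical application.
# Each entry is (host, url); these are not BEAM's baseline models.
BASELINE = [
    ("api.example-app.test", "https://api.example-app.test/v1/users/me"),
    ("api.example-app.test", "https://api.example-app.test/v1/files/list"),
    ("cdn.example-app.test", "https://cdn.example-app.test/assets/app.js"),
    ("api.example-app.test", "https://api.example-app.test/v1/files/upload"),
    ("api.example-app.test", "https://api.example-app.test/v1/session/refresh"),
]

def url_entropy(url: str) -> float:
    """Shannon entropy of the URL string, in bits per character."""
    counts = Counter(url)
    n = len(url)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def path_depth(url: str) -> int:
    """Number of non-empty path segments in the URL."""
    return len([seg for seg in urlsplit(url).path.split("/") if seg])

def build_profile(transactions):
    """Per-application baseline: known hosts plus mean/std of entropy and depth."""
    def stats(values):
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        return mean, max(math.sqrt(var), 1e-6)  # floor std to avoid divide-by-zero
    return {
        "hosts": {host for host, _ in transactions},
        "entropy": stats([url_entropy(u) for _, u in transactions]),
        "depth": stats([path_depth(u) for _, u in transactions]),
    }

def score(profile, host: str, url: str, z_limit: float = 3.0) -> list:
    """Return the reasons a transaction deviates from the profile (empty if none).
    z_limit is an assumed threshold: values more than z_limit standard deviations
    above the baseline mean are flagged."""
    reasons = []
    if host not in profile["hosts"]:
        reasons.append("unknown_host")
    for name, value in (("entropy", url_entropy(url)), ("depth", path_depth(url))):
        mean, std = profile[name]
        if (value - mean) / std > z_limit:
            reasons.append(f"high_{name}")
    return reasons
```

A real deployment would add the timing, size and sequence signals the talk mentions; this block only shows how the URL-shape features turn into a baseline comparison.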
SolarWinds mentioned immediately – Estep & M #BHUSA #LivePost