From Molecules to Malware: Visualising TLS Fingerprints with TMAP to Hunt Malicious Domains.
2024-12-14, Rookie track 2

Malicious domains are part of the landscape of the internet, but they are becoming more prevalent and more dangerous to both companies and individuals. Tracking, blocking and detecting such domains is complex, and very often involves intricate allow or deny list management or SIEM integration with open-source TLS fingerprinting techniques. Threat hunters use fingerprinting techniques such as JARM and JA3 to classify domains, but as TLS configurations grow more similar, particularly behind CDNs, these fingerprints are becoming less useful. This presentation demonstrates how we can adapt and evolve open-source TLS fingerprinting techniques with additional features to enhance granularity, and produce a similarity mapping system that enables the tracking and detection of previously unknown malicious domains. This is done by enriching TLS fingerprints with HTTP header data and producing a fine-grained similarity visualisation that represents high-dimensional data using MinHash and locality-sensitive hashing. Inspiration was taken from the chemistry domain, where the problem of high-dimensional similarity in chemical fingerprints is often encountered.


The presentation focuses on a more resilient approach to TLS fingerprinting, particularly one that handles Encrypted Client Hello and the granularity loss encountered when fingerprinting CDNs. The similarity visualisation method is already used effectively in chemistry and can serve as a method for early detection of malicious domains and websites.
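The sketch below is an added illustration of the idea in the abstract, not the speaker's implementation and not the TMAP library: it MinHashes a TLS fingerprint enriched with HTTP header tokens and uses plain banded locality-sensitive hashing to find near neighbours. The host names, header values, `CONSTRUCTED-JARM` string and token scheme are all constructed assumptions.

```python
import hashlib
from collections import defaultdict
from itertools import combinations

NUM_PERM, ROWS = 128, 4            # 32 LSH bands of 4 MinHash values each

def features(tls, headers=None):
    """Flatten TLS fingerprint fields (+ optional HTTP headers) into set tokens."""
    toks = {f"tls:{k}={v}" for k, v in tls.items()}
    for name, value in (headers or {}).items():
        toks |= {f"hdr:{name.lower()}", f"hdr:{name.lower()}={value}"}
    return toks

def minhash(tokens):
    """Signature = minimum of each of NUM_PERM seeded 64-bit hashes over the set."""
    def h(seed, tok):
        salt = seed.to_bytes(8, "little")
        return hashlib.blake2b(tok.encode(), digest_size=8, salt=salt).digest()
    return tuple(min(h(i, t) for t in tokens) for i in range(NUM_PERM))

def est_jaccard(a, b):
    """Fraction of matching signature slots estimates the Jaccard similarity."""
    return sum(x == y for x, y in zip(a, b)) / NUM_PERM

def neighbours(sigs, threshold=0.6):
    """Banded LSH proposes candidate pairs; the MinHash estimate confirms them."""
    buckets = defaultdict(set)
    for host, sig in sigs.items():
        for i in range(0, NUM_PERM, ROWS):
            buckets[(i, sig[i:i + ROWS])].add(host)
    cands = {tuple(sorted(p)) for b in buckets.values() for p in combinations(b, 2)}
    scored = {p: est_jaccard(sigs[p[0]], sigs[p[1]]) for p in cands}
    return {p: s for p, s in scored.items() if s >= threshold}

# Constructed sample data: three hosts behind one CDN, so TLS fields are identical.
CDN_TLS = {"jarm": "CONSTRUCTED-JARM", "version": "TLS1.3", "cipher": "TLS_AES_128_GCM_SHA256"}
KIT = {"Server": "nginx", "X-Powered-By": "PHP/7.4", "Cache-Control": "no-store",
       "Set-Cookie": "PHPSESSID", "Content-Type": "text/html", "Pragma": "no-cache"}
HOSTS = {
    "known-bad.example": KIT,
    "unknown.example": {**KIT, "Vary": "Accept-Encoding"},
    "benign.example": {"Server": "ExampleCDN", "Content-Type": "application/json", "ETag": "abc",
                       "X-Frame-Options": "DENY", "Strict-Transport-Security": "max-age=31536000",
                       "Content-Security-Policy": "default-src 'self'"},
}

def run(enriched):
    """Neighbour pairs using TLS-only features or TLS+HTTP enriched features."""
    sigs = {h: minhash(features(CDN_TLS, hdrs if enriched else None))
            for h, hdrs in HOSTS.items()}
    return neighbours(sigs)
```

`run(False)` pairs all three hosts because the CDN makes their TLS-only features identical, while `run(True)` keeps only the pair that shares the constructed header profile.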


Please confirm that I am a first-time speaker and have not spoken in public and will not be before the BSides London event date (14th December 2024):

Yes

A recent graduate of a cyber security master's degree, I have an interest in threat hunting, cryptography and future web technologies.