Patents by Inventor Yanhui Jia

Yanhui Jia has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240039893
    Abstract: Techniques for beacon and threat intelligence based Advanced Persistent Threat (APT) detection are disclosed. In some embodiments, a system/process/computer program product for beacon and threat intelligence based APT detection includes collecting firewall log data from monitored network traffic; analyzing the firewall log data at a cloud security service to identify beacon traffic based on a plurality of heuristics; performing a risk evaluation of the beacon traffic to detect malicious beacon traffic; and performing an action in response to detecting the malicious beacon traffic.
    Type: Application
    Filed: July 29, 2022
    Publication date: February 1, 2024
    Inventors: Yanhui Jia, Qi Zhang, Shengming Xu
  • Publication number: 20240039889
    Abstract: Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.
    Type: Application
    Filed: August 7, 2023
    Publication date: February 1, 2024
    Inventors: Yanhui Jia, Christian Elihu Navarrete Discua, Durgesh Madhavrao Sangvikar, Ajaya Neupane, Yu Fu, Shengming Xu
  • Publication number: 20240039952
    Abstract: Techniques for Cobalt Strike Beacon HTTPS C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTPS C2 heuristic detection includes monitoring HyperText Transfer Protocol Secure (HTTPS) network traffic at a firewall; prefiltering the monitored HTTPS network traffic at the firewall to select a subset of the HTTPS network traffic to forward to a cloud security service; determining whether the subset of the HTTPS network traffic is associated with Cobalt Strike Beacon HTTPS C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTPS C2 traffic activity.
    Type: Application
    Filed: July 29, 2022
    Publication date: February 1, 2024
    Inventors: Yanhui Jia, Shengming Xu
  • Publication number: 20240039951
    Abstract: Techniques for probing for Cobalt Strike TeamServer detection are disclosed. In some embodiments, a system/process/computer program product for probing for Cobalt Strike TeamServer detection includes monitoring HyperText Transfer Protocol (HTTP), HTTPS, and/or Domain Name System (DNS) network traffic at a firewall; prefiltering the monitored HTTP, HTTPS, and/or DNS network traffic at the firewall to select a subset of the HTTP, HTTPS, and/or DNS network traffic to forward to a cloud security service; performing HTTP, HTTPS, and/or DNS probing of a target to detect whether the target is a Cobalt Strike TeamServer; and performing an action in response to detecting that the target is the Cobalt Strike TeamServer.
    Type: Application
    Filed: July 29, 2022
    Publication date: February 1, 2024
    Inventors: Yanhui Jia, Shengming Xu
  • Publication number: 20240037231
    Abstract: Techniques for sample traffic based self-learning malware detection are disclosed. In some embodiments, a system/process/computer program product for sample traffic based self-learning malware detection includes receiving a plurality of samples for malware detection analysis using a sandbox; executing each of the plurality of samples in the sandbox and monitoring network traffic during execution of each of the plurality of samples in the sandbox; detecting that one or more of the plurality of samples is malware based on automated analysis of the monitored network traffic using a command and control (C2) machine learning (ML) model if there is not a prior match with an intrusion prevention system (IPS) signature; and performing an action in response to detecting that the one or more of the plurality of samples is malware based on the automated analysis of the monitored network traffic using the C2 ML model. In some embodiments, the IPS signatures and C2 ML model are automatically generated and trained.
    Type: Application
    Filed: June 9, 2023
    Publication date: February 1, 2024
    Inventors: Yanhui Jia, Matthew W. Tennis, Stefan Achleitner, Taojie Wang, Hui Gao, Shengming Xu
  • Patent number: 11770361
    Abstract: Techniques for Cobalt Strike Beacon HTTP C2 heuristic detection are disclosed. In some embodiments, a system/process/computer program product for Cobalt Strike Beacon HTTP C2 heuristic detection includes monitoring HyperText Transfer Protocol (HTTP) network traffic at a firewall; prefiltering the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service; determining whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics; and performing an action in response to detecting the Cobalt Strike Beacon HTTP C2 traffic activity.
    Type: Grant
    Filed: July 29, 2022
    Date of Patent: September 26, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yanhui Jia, Christian Elihu Navarrete Discua, Durgesh Madhavrao Sangvikar, Ajaya Neupane, Yu Fu, Shengming Xu
  • Patent number: 11714903
    Abstract: Techniques for sample traffic based self-learning malware detection are disclosed. In some embodiments, a system/process/computer program product for sample traffic based self-learning malware detection includes receiving a plurality of samples for malware detection analysis using a sandbox; executing each of the plurality of samples in the sandbox and monitoring network traffic during execution of each of the plurality of samples in the sandbox; detecting that one or more of the plurality of samples is malware based on automated analysis of the monitored network traffic using a command and control (C2) machine learning (ML) model if there is not a prior match with an intrusion prevention system (IPS) signature; and performing an action in response to detecting that the one or more of the plurality of samples is malware based on the automated analysis of the monitored network traffic using the C2 ML model. In some embodiments, the IPS signatures and C2 ML model are automatically generated and trained.
    Type: Grant
    Filed: July 29, 2022
    Date of Patent: August 1, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Yanhui Jia, Matthew W. Tennis, Stefan Achleitner, Taojie Wang, Hui Gao, Shengming Xu
  • Patent number: 11627160
    Abstract: Techniques for providing an intelligent-interaction honeypot for IoT devices are disclosed in accordance with some embodiments. In some embodiments, a system/process/computer program product for providing an intelligent-interaction honeypot for IoT devices includes receiving a request from an attacker sent to an IP address that is associated with a honeypot instance for Internet of Things (IoT) devices; determining a response to the request using a data store that stores a plurality of responses and associated IoT device information, wherein the plurality of responses and associated IoT device information is generated based on automated machine learning of active probing of physical IoT devices on the Internet; and sending the response from the honeypot instance for IoT devices to the attacker, wherein the attacker is unable to detect that the response is associated with an emulated IoT device.
    Type: Grant
    Filed: February 28, 2021
    Date of Patent: April 11, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia, Xin Ouyang
  • Publication number: 20210194926
    Abstract: Techniques for providing an intelligent-interaction honeypot for IoT devices are disclosed in accordance with some embodiments. In some embodiments, a system/process/computer program product for providing an intelligent-interaction honeypot for IoT devices includes receiving a request from an attacker sent to an IP address that is associated with a honeypot instance for Internet of Things (IoT) devices; determining a response to the request using a data store that stores a plurality of responses and associated IoT device information, wherein the plurality of responses and associated IoT device information is generated based on automated machine learning of active probing of physical IoT devices on the Internet; and sending the response from the honeypot instance for IoT devices to the attacker, wherein the attacker is unable to detect that the response is associated with an emulated IoT device.
    Type: Application
    Filed: February 28, 2021
    Publication date: June 24, 2021
    Inventors: Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia, Xin Ouyang
  • Patent number: 10986126
    Abstract: Techniques for providing an intelligent-interaction honeypot for IoT devices are disclosed in accordance with some embodiments. In some embodiments, a system/process/computer program product for providing an intelligent-interaction honeypot for IoT devices includes receiving a request from an attacker sent to an IP address that is associated with a honeypot instance for Internet of Things (IoT) devices; determining a response to the request using a data store that stores a plurality of responses and associated IoT device information, wherein the plurality of responses and associated IoT device information is generated based on automated machine learning of active probing of physical IoT devices on the Internet; and sending the response from the honeypot instance for IoT devices to the attacker, wherein the attacker is unable to detect that the response is associated with an emulated IoT device.
    Type: Grant
    Filed: July 24, 2018
    Date of Patent: April 20, 2021
    Assignee: Palo Alto Networks, Inc.
    Inventors: Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia, Xin Ouyang
  • Publication number: 20190081980
    Abstract: Techniques for providing an intelligent-interaction honeypot for IoT devices are disclosed in accordance with some embodiments. In some embodiments, a system/process/computer program product for providing an intelligent-interaction honeypot for IoT devices includes receiving a request from an attacker sent to an IP address that is associated with a honeypot instance for Internet of Things (IoT) devices; determining a response to the request using a data store that stores a plurality of responses and associated IoT device information, wherein the plurality of responses and associated IoT device information is generated based on automated machine learning of active probing of physical IoT devices on the Internet; and sending the response from the honeypot instance for IoT devices to the attacker, wherein the attacker is unable to detect that the response is associated with an emulated IoT device.
    Type: Application
    Filed: July 24, 2018
    Publication date: March 14, 2019
    Inventors: Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia, Xin Ouyang