Raymond Canzanese
Ray is the Director of Netskope Threat Labs, a globally distributed team that specializes in cloud and network-focused threat research. His research background includes malware detection and classification, cloud app security, web security, sequential detection, and machine learning. Although his current focus is cybersecurity, his research has previously spanned other domains, including software anti-tamper and electronic warfare. In addition to his extensive research experience, Ray also has a background in education, teaching multiple math and programming courses during his academic career. He holds a Ph.D. in Electrical Engineering from Drexel University.
Session
Tools like Cobalt Strike, Brute Ratel, and Mythic have become ubiquitous, forming the backbone of attacks launched by both nation-states and cybercriminals. These "malleable C2" platforms allow attackers to precisely configure network traffic—adjusting beaconing intervals, adding random jitter, and constructing URL and user agent strings that convincingly mimic legitimate web services. Not only is it hard to write effective signatures for blocking such configs, the ease with which new configs can be created makes IPS-based defenses futile.
This presentation addresses the widespread failure of legacy defenses against malleable C2. We introduce a novel, high-fidelity detection system designed to identify malleable C2 traffic that has successfully evaded traditional layers. Our methodology moves beyond signatures by combining an expert anomaly detection engine with a machine learning classifier, analyzing decrypted web (HTTP(S)) transaction logs from a forward proxy. The system profiles network entities using advanced signals, including SSL/TLS fingerprints (like JA3), fine-grained analysis of network beaconing patterns over time, and heuristic flagging of unusual user agents and highly targeted domain contacts. These signals are fed into a robust machine learning model tuned to identify the subtle but persistent characteristics of C2 communications directed at non-cloud infrastructure.
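The following is an added illustration of the expert-signal stage described above, written for this page; it is not the Netskope Threat Labs detector and it omits the machine learning classifier entirely. It extracts the same kinds of signals from proxy transaction logs: per-entity beaconing regularity over time (median inter-request gap and its coefficient of variation, which jitter only widens modestly), plus population rarity of the contacted host, the user agent and the JA3 fingerprint. The log format (`epoch_seconds,user,host,ja3,user_agent`), the thresholds, the placeholder JA3 values and the sample records are all constructed assumptions.

```python
"""Heuristic signal extraction over forward-proxy HTTP(S) transaction logs.

Added example for this page, not the Netskope Threat Labs system described in
the abstract, and without its machine-learning stage.  Log format, thresholds
and the sample records below are assumptions constructed for illustration.
"""
import statistics
from collections import defaultdict

# --- Constructed sample data (not real traffic, placeholder JA3 hashes) ------
COMMON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
COMMON_JA3 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
ODD_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
ODD_JA3 = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"

# Gaps between requests in seconds: a 60 s beacon with ~10% jitter versus
# irregular human browsing.
BEACON_GAPS = [58, 62, 60, 55, 65, 61, 59, 57, 63, 60, 64, 56]
HUMAN_GAPS = [3, 120, 7, 600, 45, 2, 300, 15, 900, 8, 60, 400]


def timestamps_from_gaps(gaps, start):
    """Cumulative sum of gaps, starting at `start`: one timestamp per request."""
    ts = [start]
    for g in gaps:
        ts.append(ts[-1] + g)
    return ts


def _records(user, host, ja3, ua, gaps, start):
    return [f"{t},{user},{host},{ja3},{ua}" for t in timestamps_from_gaps(gaps, start)]


SAMPLE_LOG = []
for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"]):
    SAMPLE_LOG += _records(u, "login.microsoftonline.com", COMMON_JA3, COMMON_UA,
                           HUMAN_GAPS, 1_700_000_000 + 37 * i)
# alice also runs an implant beaconing to a host nobody else contacts.
SAMPLE_LOG += _records("alice", "cdn-updates.example", ODD_JA3, ODD_UA,
                       BEACON_GAPS, 1_700_000_010)


def parse_line(line):
    # The user agent is the last field and may itself contain commas.
    ts, user, host, ja3, ua = line.rstrip("\n").split(",", 4)
    return {"ts": int(ts), "user": user, "host": host, "ja3": ja3, "ua": ua}


def beacon_stats(timestamps):
    """Hit count, median inter-request gap and coefficient of variation
    (stdev/mean) of the gaps.  Many hits with a low CV means regular beaconing."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return {"hits": len(ts), "median_gap": None, "cv": None}
    mean = statistics.mean(gaps)
    cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
    return {"hits": len(ts), "median_gap": statistics.median(gaps), "cv": cv}


def detect(lines, min_hits=8, max_cv=0.25, max_users=2):
    """Alert on entities that beacon regularly AND contact a host, or present a
    user agent / JA3, seen from at most `max_users` distinct users."""
    recs = [parse_line(l) for l in lines]
    users_by = {k: defaultdict(set) for k in ("host", "ua", "ja3")}  # rarity tables
    by_entity = defaultdict(list)
    for r in recs:
        for k in users_by:
            users_by[k][r[k]].add(r["user"])
        by_entity[(r["user"], r["host"], r["ja3"], r["ua"])].append(r["ts"])

    alerts = []
    for (user, host, ja3, ua), stamps in by_entity.items():
        st = beacon_stats(stamps)
        periodic = st["hits"] >= min_hits and st["cv"] is not None and st["cv"] <= max_cv
        checks = (("targeted_host", "host", host), ("rare_ua", "ua", ua), ("rare_ja3", "ja3", ja3))
        reasons = [name for name, k, v in checks if len(users_by[k][v]) <= max_users]
        if periodic and reasons:
            alerts.append({"user": user, "host": host, "ja3": ja3, "ua": ua,
                           "hits": st["hits"], "median_gap": st["median_gap"],
                           "cv": st["cv"], "reasons": reasons, "score": len(reasons)})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Two caveats a practitioner should keep in mind: a CV threshold on its own is defeated by a large jitter setting or by long sleeps that spread hits across the analysis window, which is exactly why the abstract layers a classifier on top of such heuristics rather than alerting on them directly; and "seen from one user" rarity is noisy in small tenants, so `max_users` should scale with population size.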
Tested rigorously against a diverse set of Cobalt Strike profiles collected from the wild and created using a genetic algorithm, our approach achieved a detection rate in excess of 97%. Crucially, it maintained an exceptionally low false positive rate—less than 0.0001 alerts per user per week in real-world production environments. It has since been deployed in production environments, from which we share recent case studies of real-world implants that we have detected. Attendees will gain an in-depth understanding of why reliance on IPS-only strategies is a critical vulnerability and how to implement a powerful, non-signature-based detection strategy. This approach effectively counters the evasion tactics of Cobalt Strike, Brute Ratel, Mythic, and custom C2, significantly improving an organization's defense posture against one of today’s most elusive threats.