A security architect presents the concept of transport-agnostic or protocol-hopping C2 (Command & Control) infrastructure, explaining how separating the stateful command core from transport adapters allows malware to survive protocol-level blocking. The talk demonstrates how an agent can fail over from HTTP to DNS to ICMP while maintaining session state and intent, warning defenders that blocking a transport protocol is containment, not eradication. Key takeaways include the need to validate host-level persistence after transport disruption, layer network and endpoint telemetry, and shift detection focus from protocol signatures to behavioral patterns like beacon periodicity and session continuity.
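The detection shift the talk recommends, from protocol signatures to behavioral patterns, can be illustrated with a small transport-agnostic beacon check. The following is an added example written for this summary, not code from the talk or its speaker: it groups outbound events per source host regardless of protocol and measures how regularly spaced they are, so an agent that hops from HTTP to DNS to ICMP still surfaces as one periodic session. The log format, host names, addresses and the coefficient-of-variation threshold are all constructed assumptions.

```python
"""Transport-agnostic beacon periodicity check over constructed connection logs.

Added example (not from the talk). Events are grouped by source host across
all transports, so protocol hopping does not break the timing pattern.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines: "<epoch_seconds> <src_host> <proto> <dst>".
# ws-17 beacons every 60 s and moves from HTTP to DNS to ICMP mid-session;
# ws-22 is irregular background traffic.
SAMPLE_LOG = """\
1000 ws-17 http 203.0.113.10
1060 ws-17 http 203.0.113.10
1120 ws-17 http 203.0.113.10
1180 ws-17 dns resolver.example
1240 ws-17 dns resolver.example
1300 ws-17 icmp 203.0.113.10
1360 ws-17 icmp 203.0.113.10
1005 ws-22 http 198.51.100.5
1400 ws-22 dns resolver.example
1417 ws-22 http 198.51.100.9
2200 ws-22 http 198.51.100.5
"""


def parse_log(text):
    """Parse log lines into {host: [(timestamp, proto, dst), ...]} sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proto, dst = line.split()
        events[host].append((int(ts), proto, dst))
    for host in events:
        events[host].sort()
    return dict(events)


def periodicity(timestamps):
    """Return (mean_interval, coefficient_of_variation) or None if too few points.

    A low coefficient of variation means the gaps between events are nearly
    constant, which is the timing signature of a beacon.
    """
    if len(timestamps) < 4:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, max_cv=0.2, min_events=4):
    """Flag hosts whose outbound events, across all transports, are regularly spaced.

    max_cv is an assumed tuning threshold; real deployments would calibrate it
    against the environment's normal traffic.
    """
    findings = {}
    for host, evs in parse_log(text).items():
        ts = [e[0] for e in evs]
        if len(ts) < min_events:
            continue
        stats = periodicity(ts)
        if stats is None:
            continue
        interval, cv = stats
        if cv <= max_cv:
            findings[host] = {
                "interval_s": interval,
                "cv": round(cv, 3),
                "transports": sorted({e[1] for e in evs}),
            }
    return findings


if __name__ == "__main__":
    for host, info in find_beacons(SAMPLE_LOG).items():
        print(host, info)
```

Because grouping is by host rather than by protocol or destination, blocking one transport only removes the events on that transport; the remaining ones still line up on the same cadence, which is the "containment, not eradication" point and the reason to confirm host-level persistence rather than assume the block ended the session.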
18m watch time