In a resource constrained environment, the ability to detect malicious or anomalous activity can be challenging – especially when malicious actors utilize legitimate cryptographic protocols. This talk covers a simple technique to detect anomalies in X509 certificates using Bro IDS that does not rely on external data sources (ie. 3rd party vendors, custom database, ...) The talk will also cover real world examples where this technique would have been successful in detecting modern exploit kits that leverage TLS/SSL. (20 minute)
Mr. William Glodek is currently Senior Network Security Engineer at BreakPoint Labs. He previously served as a computer scientist and Network Security Branch Chief at the US Army Research Laboratory. Creator and developer of Dshell, a Python-based network forensics analysis framework. Mr. Glodek's research includes network forensics, digitial forensics and incident response, and the application of machine learning methods in the cybersecurity domain.