US 11,770,361 B1
Cobalt strike beacon HTTP C2 heuristic detection
Yanhui Jia, San Jose, CA (US); Christian Elihu Navarrete Discua, San Jose, CA (US); Durgesh Madhavrao Sangvikar, Sunnyvale, CA (US); Ajaya Neupane, San Jose, CA (US); Yu Fu, Campbell, CA (US); and Shengming Xu, San Jose, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Jul. 29, 2022, as Appl. No. 17/877,813.
Int. Cl. G06F 9/00 (2006.01); G06F 15/16 (2006.01); G06F 17/00 (2019.01); H04L 9/40 (2022.01)
CPC H04L 63/0218 (2013.01) 21 Claims
OG exemplary drawing
 
1. A system, comprising:
a processor configured to:
monitor HyperText Transfer Protocol (HTTP) network traffic at a firewall;
prefilter the monitored HTTP network traffic at the firewall to select a subset of the HTTP network traffic to forward to a cloud security service, wherein prefiltering the monitored HTTP network traffic at the firewall to select the subset of the HTTP network traffic to forward to the cloud security service includes performing a heuristic analysis of the HTTP network traffic to select the subset of HTTP traffic to forward to the cloud security service for further analysis to detect potential Cobalt Strike Beacon HTTP C2 traffic, wherein the heuristic analysis of the HTTP network traffic includes determining the following to select the subset of HTTP traffic to forward to the cloud security service for further analysis to detect potential Cobalt Strike Beacon HTTP C2 traffic:
(1) whether the network traffic includes a header value or URI length check that matches a range of 171 bytes to 256 bytes; and
(2) whether the network traffic includes a header value or a URI length field with encoding that matches one of these types of encoding: base64, base64url, netbios, netbiosu, or mask;
forward the subset of the HTTP network traffic to the cloud security service, wherein the cloud security service automatically determines whether the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity based on a plurality of heuristics;
receive a response from the cloud security service that the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity; and
perform an action in response to the determination that the subset of the HTTP network traffic is associated with Cobalt Strike Beacon HTTP C2 traffic activity; and
a memory coupled to the processor and configured to provide the processor with instructions.
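Worked example of the firewall-side prefilter described in claim 1, elements (1) and (2). This is added illustrative code, not the patent's or Palo Alto Networks' implementation: it applies the inclusive 171 to 256 byte length window and the encoding check (base64, base64url, netbios, netbiosu, mask) to the request URI, query values and header values, and forwards the request when any field passes both. Assumptions beyond the claim: netbios/netbiosu are taken to be the NetBIOS first-level encoding (each nibble becomes a letter a..p or A..P), and the mask transform is taken to prepend a 4-byte random XOR key to the data and, being binary, to travel inside an outer base64/base64url layer, so it is looked for only under those two. All requests below are constructed, not captured traffic.

```python
"""Firewall-side prefilter for the Cobalt Strike Beacon HTTP C2 heuristic in claim 1.
Added example, not code from the patent or from Palo Alto Networks.
Assumptions: netbios/netbiosu = NetBIOS first-level encoding (nibble -> a..p / A..P);
mask = 4-byte XOR key prepended to the data, carried inside base64/base64url."""
import base64
import re
from dataclasses import dataclass

MIN_LEN, MAX_LEN = 171, 256  # inclusive byte window from claim element (1)

_NETBIOS = re.compile(r"^(?:[a-p]{2})+$")      # two letters per input byte
_NETBIOSU = re.compile(r"^(?:[A-P]{2})+$")
_BASE64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_BASE64URL = re.compile(r"^[A-Za-z0-9_-]+$")


@dataclass
class Hit:
    name: str       # "uri", "query:<param>" or the header name
    length: int
    encoding: str   # one of the claim's encoding names
    masked: bool    # decoded bytes look XOR-masked (heuristic, assumption)


def classify_encoding(value: str):
    """Most specific matching encoding, or None. Plain alphanumerics satisfy
    both base64 alphabets and are reported as base64."""
    for name, pattern in (("netbios", _NETBIOS), ("netbiosu", _NETBIOSU),
                          ("base64", _BASE64), ("base64url", _BASE64URL)):
        if pattern.match(value):
            return name
    return None


def looks_masked(value: str, encoding: str) -> bool:
    """Assumed mask layout: 4-byte key, then data XORed with that key.
    Undo the outer text encoding and the XOR; require a mostly printable result."""
    try:
        if encoding == "base64":
            raw = base64.b64decode(value, validate=True)
        elif encoding == "base64url":
            raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        else:
            return False
    except ValueError:
        return False
    if len(raw) <= 4:
        return False
    key, body = raw[:4], raw[4:]
    plain = bytes(b ^ key[i % 4] for i, b in enumerate(body))
    printable = sum(1 for b in plain if 0x20 <= b <= 0x7E or b in b"\t\r\n")
    return printable / len(plain) >= 0.9


def parse_request(raw: bytes):
    """Minimal HTTP/1.x parser: request-target plus a header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return uri, headers


def candidate_fields(uri: str, headers: dict):
    """Fields the heuristic inspects: the URI path without its leading '/',
    each query value on its own, and every header value whole."""
    path, _, query = uri.partition("?")
    yield "uri", path.lstrip("/")
    for kv in filter(None, query.split("&")):
        param, _, val = kv.partition("=")
        yield f"query:{param}", val
    yield from headers.items()


def prefilter(raw: bytes):
    """Fields passing both checks; a non-empty list means the request is
    forwarded to the cloud security service for the full heuristic analysis."""
    uri, headers = parse_request(raw)
    hits = []
    for name, value in candidate_fields(uri, headers):
        if not MIN_LEN <= len(value) <= MAX_LEN:   # latin-1: one byte per char
            continue
        enc = classify_encoding(value)
        if enc is not None:
            hits.append(Hit(name, len(value), enc, looks_masked(value, enc)))
    return hits


# --- constructed samples (synthetic, not captured traffic) -------------------
def netbios_encode(data: bytes) -> str:
    return "".join(chr(97 + (b >> 4)) + chr(97 + (b & 0xF)) for b in data)


def mask_encode(data: bytes, key: bytes) -> str:
    return base64.b64encode(key + bytes(b ^ key[i % 4] for i, b in enumerate(data))).decode()


def build_request(uri: str, **headers: str) -> bytes:
    lines = [f"GET {uri} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


BENIGN = build_request("/index.html", Host="www.example.com",      # long UA, wrong alphabet
                       **{"User-Agent": "Mozilla/5.0 " + "(compatible; test) " * 9})
META_B64 = build_request("/activity", Host="cdn.example.net",       # 200-char base64 cookie
                         Cookie=base64.b64encode(bytes(range(150))).decode())
META_NB = build_request("/" + netbios_encode(bytes(range(100))), Host="cdn.example.net")
MASKED = build_request("/activity", Host="cdn.example.net",         # 208-char masked cookie
                       Cookie=mask_encode(b"user=alice;host=ws01;pid=4120;" * 5, b"\x10\x20\x30\x40"))

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("base64 cookie", META_B64),
                       ("netbios uri", META_NB), ("masked cookie", MASKED)]:
        print(f"{label}: forward={bool(prefilter(req))} {prefilter(req)}")
```

The benign request carries a User-Agent that is inside the length window, which shows why the claim pairs the length check with the encoding check: length alone would forward ordinary browser traffic. The prefilter is deliberately permissive (plain alphanumeric strings count as base64), since its job under the claim is only to select the subset that the cloud service then judges with the fuller set of heuristics.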