Adel Karimishiraz
Adel Karimi is a Lead Threat Detection Engineer at Salesforce.

He has been an active member and chapter lead at the Honeynet Project since 2010, and has spoken at several conferences such as BSides Canberra and Honeynet Workshops. He is the developer of honeyλ, honeybits, and a couple more open-source projects. He has recently co-developed a new SSH profiling method, HASSH!

Adel enjoys playing with honeypots and hunting the bad guys!

Profiling and Clustering Internet-Wide Scans with FATT
Technical Level (3 being the highest score): 2

Network fingerprinting methods such as JA3 and HASSH are useful for profiling attackers and their tools. This talk will introduce FATT (Fingerprinting All the Things), a tool for profiling client/server applications using different network protocols like TLS and SSH.

One of the main honeypot use-cases is to learn about the attackers and their tools. But most, if not all, of the honeypots don't log the protocol fields or messages you need for fingerprinting. In this talk, I will explore how I use FATT as a simple ‘fingerprinting’ honeypot to cluster internet-wide scans and discover possible connections between the attackers!

This includes some interesting observations, such as attempts to avoid TLS client fingerprinting by randomising the ClientHello fields. You will see how these actors make themselves easier to detect by attempting to avoid fingerprinting!
