Netsec is dead(?): Modern Network Fingerprinting for Real-World Defense
2025-04-28, MAIN TRACK

As scanning and reconnaissance grow more diverse, from public platforms like Shodan and Censys to hidden probing by botnets and bulletproof hosting services, security teams need better ways to understand who is on the other side of their network connections. This talk will show how network fingerprinting has developed over time, starting with tools like p0f and moving up to more advanced methods like JA4, JA4+, and MuonFP. We’ll discuss how these modern fingerprints can help analysts recognize the tools and infrastructure used by attackers—whether they are fast scanners, basic banner grabbers, or connections routed through VPNs and jump servers. You’ll learn how to use these fingerprints to strengthen your defenses, protect critical infrastructure, and reduce your visibility to public scanners. We will also explain how to fit fingerprinting into security team workflows, noting both what it can and cannot do. Attendees will leave with a practical understanding of modern fingerprinting techniques and a few examples they can apply in their daily work.


Network reconnaissance is often overshadowed by other threats, like phishing, yet it remains a critical first step in the kill chain. Because edge infrastructure is typically exposed around the clock, adversaries have a 24/7 opportunity to gather information and use it for initial exploitation.
In this talk, we’ll trace the evolution of network fingerprinting, starting with traditional methods like p0f, which relied on passive TCP/IP signature analysis, and advancing to modern suites (JA4, JA4+, MuonFP). By walking through each generation of fingerprinting, I’ll show how visibility has expanded along with the trade-offs and limitations inherent in these methods.

I’ll present real-world scenarios that highlight how to spot fast scanners indexing massive numbers of hosts, how to detect covert traffic routed via jump boxes and VPNs, and how to block lower-level banner-grabbers. We’ll also discuss how these fingerprints can be integrated into SOC workflows, from building prioritized alerts to automating responses in firewalls and IDS.

Finally, we’ll wrap up with a practical checklist of tools, including Arkime and eBPF-based detection, as well as firewall rule approaches to immediately strengthen defenses. Attendees will leave with the knowledge and resources to apply modern fingerprinting for continuous monitoring, streamlined threat hunting, and reduced exposure to both mass and targeted network scans.

Vlad is the co-founder and cybersecurity expert at ELLIO and President of the Anti-Malware Testing Standards Organization (AMTSO).

A true cybersecurity enthusiast, Vlad’s passionate about network security, IoT, and cyber deception. Before ELLIO, he founded and led the Avast IoT Lab (now Gen Digital), developing security features and researching IoT threats. He has spoken at many conferences, including Web Summit and South by Southwest (SXSW), where he demonstrated IoT vulnerabilities