Many/most AWS customers use ssh sessions to interact with their allocated nodes. And when it's not ssh traffic, it's often https. What good does it do to detect the bad traffic if you can't distinguish it from legitimate customer traffic?
> has to travel over wire as TCP/IP,
BTW, this is not the case. If exfil via conventional system networking is too hard to avoid detection, they'll find another channel. RF via LOS, ultrasonic, or some of a million other ideas.