2-2026-04-07 01-22-58_Clip_Clip-03

May 31, 2026 23:21 · 34:08 · English · Whisper Turbo · 2 speakers
0:00
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
creating a thread in another process.
0:02
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Very common,
0:04
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
a technique used by malware to inject code and hide
0:08
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
in other processes.
0:09
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So a good one to keep in mind.
0:13
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Let's see,
0:14
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
file creation is another one.
0:16
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This will log when files are created on a system.
0:19
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This can be a very good,
0:21
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
like it says here,
0:23
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
for monitoring auto start locations when new
0:27
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
scheduled tasks are created,
0:29
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
maybe when malware is installed on the system or
0:33
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
downloaded onto the system.
0:35
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
We have registry information.
0:37
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
There's a lot of different logs here or event IDs for registry.
0:41
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So this is a good source to include
0:45
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
in Windows systems to make sure we have the
0:50
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
additional logs we need.
0:51
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And again, this is the Microsoft Sysinternals Sysmon.
0:55
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And we will see this again repeatedly throughout this
0:59
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
course and additional courses in this learning path as
1:04
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
well.
1:12
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Log data is one of the main resources that threat hunters use
1:16
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to gather information about whether or not there is a threat
1:21
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
on the network.
1:22
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So in this video,
1:23
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
we're going to take a look at some of the common things that should be
1:27
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
logged in an infrastructure to better prepare an organization
1:31
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
for a threat hunt.
1:33
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
First of all,
1:34
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
account and group activity.
1:36
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Now, just a note before we jump into this.
1:39
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is not an exhaustive list of what should be logged.
1:43
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is just a small example.
1:45
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is the kind of standard things that should be logged
1:49
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
across the board,
1:50
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
but every organization is going to have really more specific information
1:54
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
that's going to be more geared towards their organization.
1:58
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And this is also kind of logging with the purpose
2:03
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
of threat hunting.
2:04
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is going to be a lot of these similar logs that you'll have for regular
2:09
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
security alerting or...
2:11
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
you know, infrastructure,
2:12
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
maintenance,
2:13
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
things like that,
2:14
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
but just with a kind of a different focus.
2:17
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So account and group activity.
2:19
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is going to be any account that has access,
2:22
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
a group that has access to any resources on the network.
2:26
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
It's always good to log when accounts are created,
2:29
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
when accounts are modified,
2:30
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
when accounts are deleted,
2:32
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
when permissions are changed,
2:33
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
things like that as far as the actual accounts.
2:36
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
In addition to that,
2:37
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
you also want to log when accounts log on and
2:41
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
off on various endpoints across the network,
2:45
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
workstations and servers.
2:47
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And this should include information like where they're logging on and off,
2:51
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
timestamps,
2:53
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and also the source information of where the login came from.
2:57
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Was it a login from a workstation to a server?
3:01
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Was it from workstation to workstation?
3:03
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
What is the source,
3:04
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the specific
3:05
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hostname and IP address, if both of those pieces of information are available, for
3:10
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
where the login came from.
3:12
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And we're going to go through this list fairly quickly because,
3:15
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
again, this is...
3:17
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
kind of standard logging information about what should be logged across
3:21
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
any infrastructure,
3:23
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
any organization,
3:24
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
but setting it up is going to be very specific to an
3:28
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
individual organization as well.
3:30
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So network traffic and network devices.
3:33
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
When we're talking about network traffic,
3:36
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the perimeter firewall and also any interior,
3:40
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
interior to the network firewall,
3:42
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the traffic should be logged both inbound and
3:46
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
outbound.
3:47
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And then maybe depending on the needs of the organization
3:51
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and the infrastructure,
3:53
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
how complicated it is and what types of devices are on the network,
3:56
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
any internal traffic that's needed as well,
4:00
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
particularly between maybe high value targets or
4:04
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
kind of critical systems in the organization.
4:06
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
In addition to this,
4:08
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
any management activities,
4:10
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
any logins to any of the network devices themselves,
4:14
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
should be logged,
4:15
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
including any information that may come from any network
4:20
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
security devices like an intrusion detection or intrusion prevention system.
4:24
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Information from those systems should be logged as well.
4:28
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
File activity is a very good one to monitor and
4:32
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
log as well.
4:33
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And there's a lot that can fall under the category of file activity.
4:38
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
We're looking for especially any activity related
4:42
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to any sensitive information the organization may store,
4:45
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
any proprietary information that may be a high value target
4:49
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
for attackers.
4:51
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
But we're also looking for files on and
4:55
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
file activities on endpoints,
4:57
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
on servers,
4:58
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
for...
5:00
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
you know, various directories and folders that attackers may commonly target
5:04
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
just to carry out their attacks.
5:06
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where you want to look at when new files are created,
5:10
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
when files might be deleted,
5:12
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
when files are modified,
5:14
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
especially files that don't normally get modified like Windows system files.
5:19
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Ideally,
5:20
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
you'd want to monitor these from as many locations as possible
5:24
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
on each individual workstation,
5:25
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
and perhaps with maybe some exceptions that
5:29
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
can be configured.
5:31
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is one location where the Sysmon application for
5:35
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
kind of improving the default Windows event logs,
5:39
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
this can come in handy because it really shines when it comes to logging information
5:44
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
about file activity.
5:46
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Email systems,
5:47
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
since email is one of the kind of most common ways for
5:51
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
attacks to come in,
5:52
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
it's important to log information about emails.
5:55
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Any email filtering the organization has set up,
5:58
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
it's important to maintain logs from those systems about any safe
6:03
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
email that came through,
6:04
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
any email that was suspicious.
6:06
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
If possible,
6:07
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
any kind of activity the users took on emails,
6:10
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and this is going to be,
6:12
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
again, dependent on the type of email filtering or email security solutions
6:16
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
that an organization might be using.
6:19
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
It's also very important to log information about all inbound and
6:23
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
outbound email.
6:25
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And the kind of information you want to make sure you have in there is the source
6:29
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
IP address for inbound email,
6:32
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
where the email is going internally.
6:34
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Were there any attachments or URLs in the email?
6:39
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Were they identified as safe or potentially malicious?
6:42
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
If possible,
6:44
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
can you log information about whether or not a user clicked
6:49
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
on a link in an email or whether they opened an attachment
6:53
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
in an email?
6:53
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Again, it's going to be very specific to the email systems the organization
6:58
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
uses, but a lot of email security programs
7:02
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
and systems will allow you to log that type of information.
7:07
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Moving on,
7:08
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
any relevant event logs on any of your
7:12
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
endpoints?
7:12
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
On your Windows systems,
7:14
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
this is going to be things like logging PowerShell events,
7:17
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
any built-in event
7:22
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
logs that are built into Windows,
7:24
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
like your system and your application logs.
7:26
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And again,
7:26
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
this is where Sysmon comes in
7:29
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
to help kind of beef up those logs as well with some additional information
7:34
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
that is very,
7:35
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
very useful for threat hunting.
7:37
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And you'll see that when we start getting a little further into the threat hunting
7:41
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
learning path and we get hands-on with actually performing some threat hunts.
7:45
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Any applications that are capable of generating logs,
7:49
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
especially those that are critical to the organization or very
7:53
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
commonly targeted by attackers,
7:57
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
are important to log,
7:58
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
including any kind of these specific application logs that may
8:02
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
be relevant to security,
8:05
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
especially for event logs from security applications
8:09
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
or your security controls.
8:11
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
or security-based logs inside applications,
8:15
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
like when users try to access things,
8:18
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
login information from applications,
8:21
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
modifications in an application,
8:23
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
things like that.
8:24
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Again, very specific to the individual applications.
8:28
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And these,
8:29
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
again, are going to be kind of customized based on the organization's needs.
8:34
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And then very important is any public-facing interfaces.
8:38
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And by kind of public-facing interfaces,
8:40
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
we're talking about any web servers that the organization hosts themselves,
8:45
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
perhaps,
8:46
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hopefully,
8:47
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
in a DMZ.
8:48
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
That should be something that should have logging information,
8:51
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
anything exposed to the internet.
8:53
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
If the organization uses any sort of remote access to get into the network,
8:57
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
those gateways should be logged and those should be monitored
9:01
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
as well.
9:02
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
But this can be very useful information when it comes to perhaps determining
9:06
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
how an attack first got into the network.
9:10
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Any email portals like webmail or the inbound
9:14
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
ports that are used for just regular email traffic.
9:18
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Any customer-facing interfaces that customers may
9:22
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
use to log into an organization system or applications that
9:27
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
an organization hosts for customers,
9:29
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
anything like that.
9:30
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
A lot of these these days may be cloud-based and not directly connected
9:34
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
to the organization's infrastructure,
9:36
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
but still those cloud-based systems may still have sensitive information
9:41
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
that will be of value to attackers.
9:45
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And then any sort of APIs that may
9:49
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
be public that an organization may be hosting as well.
9:53
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
So moving on from kind of the logging information,
9:57
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
I want to talk about baselines and known good.
10:00
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
configurations here for a minute.
10:02
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
A baseline is essentially a measure of what is
10:06
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
normal.
10:06
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
It is the kind of standard of what
10:10
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
everything should look like when there are no issues on either
10:15
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
endpoints or network devices or anything like that.
10:19
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And for threat hunting,
10:20
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
it's very important to know what normal should look like.
10:23
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
It's important to understand the infrastructure and the environment
10:27
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
that you're performing threat hunts in.
10:30
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And the kind of things we want to look at for baselines or things like,
10:34
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
or it can be measured with baselines,
10:35
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
is file hashes.
10:36
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is a very useful one because when a file is in a known good state,
10:40
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
you have a known file hash for that file.
10:43
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
If that hash changes,
10:45
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
you know that file has been modified and there may be something to investigate
10:49
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
there.
10:49
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
It's important to know what network ports are normally open,
10:53
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
both on the perimeter of the network but also on individual systems
10:58
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
if we're using any sort of host-based firewalls.
11:01
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
If you see additional ports that are listening that are not
11:05
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
part of the known baseline,
11:07
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
that may be an indication of something suspicious or
11:11
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
malicious happening.
11:12
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Any accounts on various different endpoints,
11:16
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the permissions those accounts may have as well.
11:20
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
If you see anything that doesn't fall into normal here,
11:23
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
it could be,
11:24
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
again, an indication of malicious activity.
11:26
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
But also sometimes deviations from these baselines may not be
11:30
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
malicious activity.
11:32
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
It could just be someone did something they weren't supposed
11:36
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to do on a system,
11:38
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
but there was no malicious intent or no malicious activity happening
11:42
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
there.
11:43
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
File and directory permissions are a good one to monitor
11:47
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
as well for these normal baselines,
11:49
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
knowing what files should be in these directories,
11:53
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
what the permissions of the files and directories should be,
11:56
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
especially for a lot of the more targeted locations that
12:00
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
attackers use,
12:02
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
or for the critical information an organization may be hosting,
12:06
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
it's important to know what these permissions should look like
12:10
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and what files should be in there as part of what is normal
12:14
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
on the network.
12:16
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And then you,
12:17
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
throughout a threat hunt,
12:19
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
you use that information to compare,
12:22
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
use the baseline information to compare against whatever the current
12:26
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
state is as you're performing the hunt.
12:29
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
You have to know what is normal,
12:31
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
what should exist on a system,
12:33
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
what systems should exist,
12:35
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
what the configurations should look like,
12:38
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to be able to recognize if there is anything malicious.
12:42
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
If everything matches the baseline,
12:44
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the current configuration matches the baseline,
12:46
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
then everything is probably good.
12:49
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
There's nothing suspicious or malicious happening there.
12:52
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
However,
12:52
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
if it does not match the baseline,
12:55
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
there could be something going on there,
12:58
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and it's going to require further investigation by the incident
13:02
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
response team,
13:03
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
perhaps, or perhaps the threat hunters,
13:05
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
depending on the situation.
13:06
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
But that investigation needs to determine why the information does not
13:11
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
match the baseline.
13:12
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Was this just a change that didn't get reflected
13:16
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and didn't get updated in baselines?
13:18
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Was it a change that wasn't authorized that somebody performed?
13:21
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Or was it actual malicious activity?
13:26
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So there's a lot of information that should be logged on various
13:30
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
systems.
13:31
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And again,
13:31
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
very specific to organizations and individual infrastructures.
13:36
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
But there's a lot of standard information that should be logged.
13:39
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And the logs are one of the main sources of information for
13:43
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
threat hunters to be able to perform these threat hunts and find
13:48
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
malicious activity on an organization's network.
13:58
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
It's important for organizations as they advance
14:03
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
their threat hunting program,
14:04
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
it's important for them to have ways to measure how well they're
14:08
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
doing with their threat hunting programs.
14:10
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And this is where threat hunting maturity comes in.
14:14
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So we're talking about maturity.
14:15
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is essentially just a standardized way for
14:20
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
organizations to be able to measure how well their threat hunting
14:24
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
program is going,
14:25
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
what their threat hunting abilities actually are.
14:28
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And there's multiple different factors that are used to
14:32
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
measure the abilities of a threat hunting program.
14:36
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Such as the amount of data an organization is collecting,
14:40
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
how often the data is being collected,
14:42
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the quality of the data that is being collected as well,
14:46
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and then what they are doing with that data,
14:49
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
what type of analysis they're performing.
14:51
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
How are they collecting this data?
14:54
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
What methods are they using to analyze the data
14:58
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
as well?
14:59
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Is there any...
15:00
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
automation that's being added in and what level of automation
15:04
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
is being included with the analysis as well.
15:07
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
So a few different factors here that are used to measure this,
15:10
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
especially in kind of one of the models that's most commonly
15:14
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
used for measuring threat hunting abilities,
15:18
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
very aptly named hunting maturity model.
15:22
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
So let's take a look at that model here.
15:26
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Again, it's measured on a scale of zero to four,
15:29
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
with zero being kind of the entry level,
15:33
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
if you will,
15:33
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
for threat hunting programs,
15:34
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
and four being the highest level.
15:37
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
So looking at this model here,
15:39
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
again, it goes from level zero to level four.
15:43
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Level zero being the initial level.
15:45
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is a threat hunting program that is just getting started,
15:49
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
moves up through level one being kind of an established program,
15:53
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
but still minimal functionality there.
15:55
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Level two is the kind of procedural level when the organization is
15:59
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
starting to implement published procedures into their threat
16:03
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hunting program.
16:05
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And this is where most organizations lie.
16:07
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Most organizations that have established programs,
16:09
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
this is where they are,
16:10
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
level two.
16:11
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And then level three and four,
16:13
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
we're getting to more advanced levels.
16:15
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
So starting at level zero,
16:17
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
organizations here are primarily going to be relying on
16:22
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
automated alerts from locations like
16:26
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
an intrusion detection system,
16:28
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
their SIEM,
16:29
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
their logging systems,
16:31
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
their antivirus systems.
16:32
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Primarily relying on these automated alerts for any sort of malicious
16:37
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
detection.
16:37
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They may be adding in feeds for signature
16:41
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
updates,
16:42
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
perhaps a couple of threat intelligence indicators,
16:46
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
things like that.
16:47
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
But the analysts here are primarily going to be focused on
16:51
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
alert resolution.
16:52
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
There's not really much threat hunting,
16:55
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
if any,
16:56
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
happening at this level.
16:58
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
There's not a whole lot of data that is being collected
17:02
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
that's not being used for just automated
17:07
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
alerting.
17:07
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
There's not a whole lot of capability for threat hunting here.
17:10
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
But again, when organizations are just starting up their threat hunting programs,
17:14
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
this is the level they are at,
17:17
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
which is why this level is just named initial.
17:20
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where everyone starts.
17:22
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Moving up to level one,
17:24
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
organizations are still relying primarily on
17:28
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
automated alerting,
17:30
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
but they're adding in some additional data collection as
17:34
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
well.
17:34
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They're starting to perform searches for various indicators
17:39
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
in intelligence feeds and other threat intelligence locations.
17:44
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They're beginning to get a higher level of data
17:48
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
collection that is being used.
17:50
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where your initial level of hunting capability comes in,
17:54
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
kind of searching logs for basic indicators
17:58
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
of compromise.
17:59
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
That's level one.
18:01
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Level two,
18:02
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
this is the level,
18:05
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
again, that is most common to see across
18:09
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
organizations that have an active threat hunting program.
18:14
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where threat hunters begin to have the capability
18:18
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
to learn about procedures that are developed by
18:22
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
others and then be able to implement those procedures for
18:26
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
threat hunting and data analysis in their environment.
18:31
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And maybe even have the ability to make minor changes
18:35
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
to those procedures as well.
18:37
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They have a much higher level of data collection with
18:42
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
the purpose of using that data for threat hunting and not
18:46
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
just automated alerting.
18:49
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
So again, this is where most organizations are that have an
18:53
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
established active threat hunting program.
18:58
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
We move to level three.
19:00
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where we start getting into more of the advanced threat hunting.
19:03
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where threat hunters and the threat hunting teams
19:08
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
begin to create and publish their own threat hunting
19:12
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
and data analysis procedures.
19:14
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They're starting to use much more advanced
19:18
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
analytics capabilities and introducing some automation and
19:23
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
machine learning into this analysis as well.
19:27
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They typically have a much more advanced data
19:32
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
collection.
19:32
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
At this point,
19:33
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
there's probably not a whole lot more actual data and events that
19:37
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
can be logged,
19:38
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
but the data collection itself is more advanced
19:42
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
and the analysis of that data is certainly more advanced.
19:46
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Again, with the introduction of automation and
19:50
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
machine learning into the analysis procedures.
19:53
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Level four is going to be
19:56
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
very similar to level three, but this...
20:00
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Level four threat hunting teams are the most advanced when
20:04
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
it comes to this maturity model.
20:06
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
But again,
20:07
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
very similar to level three,
20:08
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
but with a very high level of automation in
20:13
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
their threat hunting process,
20:14
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
in their data analysis process,
20:16
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
very high level of automation.
20:20
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
These threat hunting teams are very effective at being
20:24
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
able to resist actions that the adversaries
20:28
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
may take
20:29
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to kind of evade some of their hunting or incident response
20:33
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
procedures.
20:34
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Again,
20:35
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the use of automation here introduces much more advanced
20:39
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
analysis,
20:40
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and these teams are very effective at resisting the attackers.
20:44
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Automation here allows the focus
20:48
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to be on creating new processes,
20:52
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
which can then be used to continue to advance and
20:56
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
improve the collection.
20:58
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And again, a very high level of data collection here.
21:02
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
That's kind of similar from level two on up.
21:05
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
It's just that the difference here is how that data is then
21:09
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
used?
21:10
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
What does the analysis of this data look like?
21:13
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
How much automation is being introduced into the analysis?
21:17
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
How much machine learning is being introduced
21:20
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to try and get more information and kind of build a better story
21:24
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
about what this data is saying to be able to kind of counter
21:28
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the actions of their adversaries.
21:31
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This threat hunting maturity level is a good way for organizations to
21:36
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
be able to measure where they are with their threat
21:40
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hunting teams and their threat hunting programs to see how well they're
21:44
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
doing and where they may need to be going as they continue to
21:48
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
advance their threat hunting programs.
21:59
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
There are several different ways that threat hunters can
22:03
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
go about thinking about how to start their threat hunts and how
22:07
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to carry out those threat hunts.
22:09
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
In this video, we're going to talk about these threat hunting mindsets.
22:13
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Now,
22:14
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
keep in mind,
22:14
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
these mindsets are very subjective,
22:17
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and these are just a few examples of ways that
22:21
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
threat hunters can think about their threat hunts.
22:24
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
There's no real wrong way to do it.
22:27
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And a lot of times,
22:28
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the way you think about a threat hunt is going to take kind of aspects from
22:32
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
each of these types of ways and kind of combine them into one threat
22:36
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hunt. And it's also not uncommon to think about threat
22:40
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hunts in many different ways as the threat hunt progresses.
22:44
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So to start off,
22:46
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
let's talk about intelligence-based threat hunting.
22:49
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is a type of threat hunt where your hypothesis
22:52
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to begin your threat hunt kind of starts out with information
22:57
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
based on intelligence.
22:59
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And your intelligence can be any number of IOCs,
23:02
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
your IPs,
23:03
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
your domains,
23:04
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hashes,
23:05
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
email addresses,
23:06
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
file names,
23:07
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
any sort of indicator of compromise that comes from or
23:11
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
can be included in intelligence information can
23:15
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
contribute to this kind of intelligence-based way of thinking.
23:20
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
There are a few different ways to categorize intelligence
23:24
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
information,
23:24
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
if you will.
23:25
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
First is strategic.
23:27
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And each of these types kind of tries to answer a question
23:31
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
about what the attack may be.
23:34
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So the strategic type of intelligence starts with asking
23:39
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
the who,
23:39
S… Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
why,
23:41
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and where questions.
23:43
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Who being who is the adversary?
23:47
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Why are they targeting or potentially targeting
23:51
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
or in the process of attacking this organization?
23:55
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So who are they and why are they doing what they do?
23:59
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And where have they attacked before?
24:03
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Answering all these questions can kind of give you some information
24:07
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
about what to look for as far as
24:11
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
those indicators go and can kind of help give some insight into
24:15
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
how the attackers are thinking as well.
24:19
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Next up,
24:19
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
we have the tactical type of intelligence.
24:22
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And this tries to answer the what and the when questions.
24:27
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
What is in their tool set?
24:29
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
What are their tactics,
24:31
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
techniques,
24:32
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and procedures?
24:34
S… Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where a lot of the various different types of