2-2026-04-07 01-22-58_Clip_Clip-03
May 31, 2026 23:21
· 34:08
· English
· Whisper Turbo
· 2 Speakers
0:00 Speaker 1: creating a thread in another process. Very common, a technique used by malware to inject code and hide in other processes. So a good one to keep in mind. Let's see, file creation is another one. This will log when files are created on a system. This can be a very good, like it says here, for monitoring auto start locations when new scheduled tasks are created, maybe when malware is installed on the system or downloaded onto the system. We have registry information. There's a lot of different logs here or event IDs for registry. So this is a good source to include in Windows systems to make sure we have the additional logs we need. And again, this is the Microsoft Sysinternals Sysmon. And we will see this again repeatedly throughout this course and additional courses in this learning path as well.

1:12 Speaker 1: Log data is one of the main resources that threat hunters use to gather information about whether or not there is a threat on the network. So in this video, we're going to take a look at some of the common things that should be logged in an infrastructure to better prepare an organization for a threat hunt. First of all, account and group activity. Now, just a note before we jump into this. This is not an exhaustive list of what should be logged. This is just a small example. This is the kind of standard things that should be logged across the board, but every organization is going to have really more specific information that's going to be more geared towards their organization. And this is also kind of logging with the purpose of threat hunting. This is going to be a lot of these similar logs that you'll have for regular security alerting or, you know, infrastructure, maintenance, things like that, but just with a kind of a different focus.

2:17 Speaker 1: So account and group activity. This is going to be any account that has access, a group that has access to any resources on the network. It's always good to log when accounts are created, when accounts are modified, when accounts are deleted, when permissions are changed, things like that as far as the actual accounts. In addition to that, you also want to log when accounts log on and off on various endpoints across the network, workstations and servers. And this should include information like where they're logging on and off, timestamps, and also the source information of where the login came from. Was it a login from a workstation to a server? Was it from workstation to workstation? What is the source, the specific hostname and IP address, if both of those pieces of information are available for where the login came from? And we're going to go through this list fairly quickly because, again, this is kind of standard logging information about what should be logged across any infrastructure, any organization, but setting it up is going to be very specific to an individual organization as well.

3:30 Speaker 1: So network traffic and network devices. When we're talking about network traffic, the perimeter firewall and also any interior, interior to the network firewall, the traffic should be logged both inbound and outbound. And then maybe depending on the needs of the organization and the infrastructure, how complicated it is and what types of devices are on the network, any internal traffic that's needed as well, particularly between maybe high value targets or kind of critical systems in the organization. In addition to this, any management activities, any logins to any of the network devices themselves, should be logged, including any information that may come from any network security devices like an intrusion detection or intrusion prevention system. Information from those systems should be logged as well.

4:28 Speaker 1: File activity is a very good one to monitor and log as well. And there's a lot that can fall under the category of file activity. We're looking for especially any activity related to any sensitive information the organization may store, any proprietary information that may be a high value target for attackers. But we're also looking for files on and file activities on endpoints, on servers, for...
5:00 Speaker 2: you know, various directories and folders that attackers may commonly target just to carry out their attacks. This is where you want to look at when new files are created, when files might be deleted, when files are modified, especially files that don't normally get modified like Windows system files.

5:19 Speaker 1: Ideally,

5:20 Speaker 2: you'd want to monitor these from as many locations as possible on each individual workstation, and perhaps with maybe some exceptions that can be configured. This is one location where the Sysmon application for kind of improving the default Windows event logs, this can come in handy because it really shines when it comes to logging information about file activity.
5:46 Speaker 1: Email systems,

5:47 Speaker 2: since email is one of the kind of most common ways for attacks to come in, it's important to log information about emails. Any email filtering the organization has set up, important to maintain logs from those systems about any safe email that came through, any email that was suspicious.

6:06 Speaker 1: If possible,

6:07 Speaker 2: any kind of activity the users took on emails,

6:10 Speaker 1: and this is going to be,

6:12 Speaker 2: again, dependent on the type of email filtering or email security solutions that an organization might be using. It's also very important to log information about all inbound and outbound email. And the kind of information you want to make sure you have in there is the source IP address for inbound email, where the email is going internally. Were there any attachments or URLs in the email? Were they identified as safe or potentially malicious?

6:42 Speaker 1: If possible,

6:44 Speaker 2: can you log information about whether or not a user clicked on a link in an email or whether they opened an attachment in an email? Again, it's going to be very specific to the email systems the organization uses, but a lot of email security programs and systems will allow you to log that type of information.
7:07 Speaker 1: Moving on,

7:08 Speaker 2: any relevant event logs on any of your endpoints.

7:12 Speaker 1: On your Windows systems,

7:14 Speaker 2: this is going to be things like logging PowerShell events, any built-in event logs that are built into Windows, like your system and your application logs.

7:26 Speaker 1: And again,

7:26 Speaker 2: this is where Sysmon comes in to help kind of beef up those logs as well with some additional information

7:34 Speaker 1: that is very,

7:35 Speaker 2: very useful for threat hunting. And you'll see that when we start getting a little further into the threat hunting learning path and we get hands-on with actually performing some threat hunts. Any applications that are capable of generating logs, especially those that are critical to the organization or very commonly targeted by attackers, are important to log, including any kind of these specific application logs that may be relevant to security, especially for event logs from security applications or your security controls, or security-based logs inside applications, like when users try to access things, login information from applications, modifications in an application, things like that. Again, very specific to the individual applications.
8:28 Speaker 1: And these,

8:29 Speaker 2: again, are going to be kind of customized based on the organization's needs. And then very important is any public-facing interfaces. And by kind of public-facing interfaces, we're talking about any web servers that the organization hosts themselves, perhaps,

8:46 Speaker 1: hopefully,

8:48 Speaker 2: in a DMZ. That should be something that should have logging information, anything exposed to the internet. If the organization uses any sort of remote access to get into the network, those gateways should be logged and those should be monitored as well. But this can be very useful information when it comes to perhaps determining how an attack first got into the network. Any email portals like webmail or the inbound ports that are used for just regular email traffic. Any customer-facing interfaces that customers may use to log into an organization system or applications that an organization hosts for customers, anything like that. A lot of these these days may be cloud-based and not directly connected to the organization's infrastructure, but still those cloud-based systems may still have sensitive information that will be of value to attackers. And then any sort of APIs that may be public that an organization may be hosting as well.

9:53 Speaker 2: So moving on from kind of the logging information, I want to talk about baselines and known good

10:00 Speaker 1: configurations here for a minute. A baseline is essentially a measure of what is

10:06 Speaker 2: normal.
10:06 Speaker 1: It is the kind of standard of what everything should look like when there are no issues on either endpoints or network devices or anything like that. And for threat hunting, it's very important to know what normal should look like. It's important to understand the infrastructure and the environment that you're performing threat hunts in. And the kind of things we want to look at for baselines or things like, or it can be measured with baselines, is file hashes. This is a very useful one because when a file is in a known good state, you have a known file hash for that file. If that hash changes, you know that file has been modified and there may be something to investigate there.

10:49 Speaker 1: It's important to know what network ports are normally open, both on the perimeter of the network but also on individual systems if we're using any sort of host-based firewalls. If you see additional ports that are listening that are not part of the known baseline, that may be an indication of something suspicious or malicious happening. Any accounts on various different endpoints, the permissions those accounts may have as well. If you see anything that doesn't fall into normal here, it could be, again, an indication of malicious activity. But also sometimes deviations from these baselines may not be malicious activity. It could just be someone did something they weren't supposed to do on a system, but there was no malicious intent or no malicious activity happening there.

11:43 Speaker 1: File and directory permissions are a good one to monitor as well for these normal baselines, knowing what files should be in these directories, what the permissions of the files and directories should be, especially for a lot of the more targeted locations that attackers use, or for the critical information an organization may be hosting. It's important to know what these permissions should look like and what files should be in there as part of what is normal on the network.

12:16 Speaker 1: And then you, throughout a threat hunt, you use that information to compare, use the baseline information to compare against whatever the current state is as you're performing the hunt. You have to know what is normal, what should exist on a system, what systems should exist, what the configurations should look like, to be able to recognize if there is anything malicious. If everything matches the baseline, the current configuration matches the baseline, then everything is probably good. There's nothing suspicious or malicious happening there. However, if it does not match the baseline, there could be something going on there, and it's going to require further investigation by the incident response team, perhaps, or perhaps the threat hunters, depending on the situation. But that investigation needs to determine why the information does not match the baseline. Was this just a change that didn't get reflected and didn't get updated in baselines? Was it a change that wasn't authorized that somebody performed? Or was it actual malicious activity?

13:26 Speaker 1: So there's a lot of information that should be logged on various systems. And again, very specific to organizations and individual infrastructures. But there's a lot of standard information that should be logged. And the logs are one of the main sources of information for threat hunters to be able to perform these threat hunts and find malicious activity on an organization's network.

13:58 Speaker 1: It's important for organizations as they advance their threat hunting program, it's important for them to have ways to measure how well they're doing with their threat hunting programs. And this is where threat hunting maturity comes in. So we're talking about maturity. This is essentially just a standardized way for organizations to be able to measure how well their threat hunting program is going, what their threat hunting abilities actually are. And there's multiple different factors that are used to measure the abilities of a threat hunting program. Such as the amount of data an organization is collecting, how often the data is being collected, the quality of the data that is being collected as well, and then what they are doing with that data, what type of analysis they're performing. How are they collecting this data? What methods are they using to analyze the data as well? Is there any...
15:00 Speaker 2: automation that's being added in and what level of automation is being included with the analysis as well. So a few different factors here that are used to measure this, especially in kind of the one of the models that's most common used for measuring threat hunting abilities, very aptly named hunting maturity model. So let's take a look at that model here. Again, it's measured on a scale of zero to four, with zero being kind of the entry level,

15:33 Speaker 1: if you will, for threat hunting programs,

15:34 Speaker 2: and four being the highest level. So looking at this model here, again, it goes from level zero to level four. Level zero being the initial level. This is a threat hunting program that is just getting started, moves up through level one being kind of an established program, but still minimal functionality there. Level two is the kind of procedural level when the organization is starting to implement published procedures into their threat
16:03
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hunting program.
16:05
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And this is where most organizations lie.
16:07
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Most organizations that have established programs,
16:09
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
this is where they are,
16:10
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
level two.
16:11
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And then level three and four,
16:13
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
we're getting to more advanced levels.
16:15
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
So starting at level zero,
16:17
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
organizations here are primarily going to be relying on
16:22
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
automated alerts from locations like
16:26
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
an intrusion detection system,
16:28
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
their SIEM,
16:29
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
their logging systems,
16:31
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
their antivirus systems,
16:32
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
primarily relying on these automated alerts for any sort of malicious
16:37
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
detection.
16:37
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They may be adding in feeds for signature
16:41
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
updates,
16:42
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
perhaps a couple of threat intelligence indicators,
16:46
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
things like that.
16:47
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
But the analysts here are primarily going to be focused on
16:51
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
alert resolution.
16:52
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
There's not really much threat hunting,
16:55
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
if any,
16:56
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
happening at this level.
16:58
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
There's not a whole lot of data that is being collected
17:02
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
that's not being used for just automated
17:07
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
alerting.
17:07
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
There's not a whole lot of capability for threat hunting here.
17:10
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
But again, when organizations are just starting up their threat hunting programs,
17:14
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
this is the level they are at,
17:17
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
which is why this level is just named initial.
17:20
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where everyone starts.
17:22
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Moving up to level one,
17:24
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
organizations are still relying primarily on
17:28
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
automated alerting,
17:30
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
but they're adding in some additional data collection as
17:34
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
well.
17:34
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They're starting to perform searches for various indicators
17:39
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
in intelligence feeds and other threat intelligence locations.
17:44
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They're beginning to get a higher level of data
17:48
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
collection that is being used.
17:50
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where your initial level of hunting is capable,
17:54
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
kind of searching logs for basic indicators
17:58
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
of compromise.
17:59
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
That's level one.
18:01
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Level two,
18:02
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
this is the level,
18:05
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
again, that is most common to see across
18:09
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
organizations that have an active threat hunting program.
18:13
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where threat hunters begin to have the capability
18:18
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
to learn about procedures that are developed by
18:22
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
others and then be able to implement those procedures for
18:26
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
threat hunting and data analysis in their environment,
18:31
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
and maybe even have the ability to be able to make minor changes
18:35
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
to those procedures as well.
18:37
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They have a much higher level of data collection with
18:42
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
the purpose of using that data for threat hunting and not
18:46
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
just automated alerting.
18:49
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
So again, this is where most organizations are that have an
18:53
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
established active threat hunting program.
18:58
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
We move to level three.
19:00
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where we start getting into more of the advanced threat hunting.
19:03
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where threat hunters and the threat hunting teams
19:08
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
begin to create and publish their own threat hunting
19:12
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
and data analysis procedures.
19:14
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They're starting to use much more advanced
19:18
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
analytics capabilities and introducing some automation and
19:23
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
machine learning into this analysis as well.
19:27
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
They typically have a much more advanced data
19:32
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
collection.
19:32
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
At this point,
19:33
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
there's probably not a whole lot more actual data and events that
19:37
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
can be logged,
19:38
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
but the data collection itself is more advanced
19:42
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
and the analysis of that data is certainly more advanced.
19:46
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Again, with the introduction of automation and
19:50
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
machine learning into the analysis procedures.
19:53
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Level four is going to be
19:56
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
very similar to level three, but this...
20:00
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Level four threat hunting teams are the most advanced when
20:04
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
it comes to this maturity model.
20:06
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
But again,
20:07
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
very similar to level three,
20:08
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
but with a very high level of automation in
20:13
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
their threat hunting process,
20:14
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
in their data analysis process,
20:16
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
very high level of automation.
20:20
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
These threat hunting teams are very effective at being
20:24
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
able to resist actions that the adversaries
20:28
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
may take
20:29
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to kind of evade some of their hunting or incident response
20:33
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
procedures.
20:34
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
Again,
20:35
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the use of automation here introduces much more advanced
20:39
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
analysis,
20:40
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and these teams are very effective at resisting the attackers.
20:44
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Automation here allows the focus
20:48
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to be on creating new processes,
20:52
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
which can then be used to continue to advance and
20:56
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
improve the collection.
20:58
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And again, a very high level of data collection here.
21:02
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
That's kind of similar from level two on up.
21:05
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
It's just that the difference here is how that data is then
21:09
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
used.
21:10
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
What does the analysis of this data look like?
21:13
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
How much automation is being introduced into the analysis?
21:17
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
How much machine learning is being introduced?
21:20
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to try and get more information and kind of build a better story
21:24
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
about what this data is saying to be able to kind of counter
21:28
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the actions of their adversaries.
21:31
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This threat hunting maturity level is a good way for organizations to
21:36
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
be able to measure where they are on their threat
21:40
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hunting teams and their threat hunting programs to see how well they're
21:44
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
doing and where they may need to be going as they continue to
21:48
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
advance their threat hunting programs.
21:59
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
There are several different ways that threat hunters can
22:03
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
go about thinking about how to start their threat hunts and how
22:07
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to carry out those threat hunts.
22:09
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
In this video, we're going to talk about these threat hunting mindsets.
22:13
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Now,
22:14
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
keep in mind,
22:14
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
these mindsets are very subjective,
22:17
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and these are just a few examples of ways that
22:21
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
threat hunters can think about their threat hunts.
22:24
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
There's no real wrong way to do it.
22:27
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
And a lot of times,
22:28
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
the way you think about a threat hunt is going to take kind of aspects from
22:32
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
each of these types of ways and kind of combine them into one threat
22:36
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hunt. And it's also not uncommon to think about threat
22:40
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hunts in many different ways as the threat hunt progresses.
22:44
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So to start off,
22:46
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
let's talk about intelligence-based threat hunting.
22:49
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is a type of threat hunt where your hypothesis
22:52
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
to begin your threat hunt kind of starts out with information
22:57
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
based on intelligence.
22:59
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And your intelligence can be any number of IOCs,
23:02
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
your IPs,
23:03
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
your domains,
23:04
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
hashes,
23:05
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
email addresses,
23:06
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
file names,
23:07
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
any sort of indicator of compromise that comes from or
23:11
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
can be included in intelligence information can
23:15
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
contribute to this kind of intelligence-based way of thinking.
23:20
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
There are a few different ways to categorize intelligence
23:24
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
information,
23:24
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
if you will.
23:25
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
First is strategic.
23:27
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And each of these types kind of tries to answer a question
23:31
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
about what the attack may be.
23:34
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So the strategic type of intelligence starts with asking
23:39
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
the who,
23:39
S…
Speaker 2 (2-2026-04-07 01-22-58_Clip_Clip-03)
why,
23:41
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and where questions.
23:43
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Who being who is the adversary?
23:47
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Why are they targeting or potentially targeting
23:51
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
or in the process of attacking this organization?
23:55
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
So who are they and why are they doing what they do?
23:59
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And where have they attacked before?
24:03
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Answering all these questions can kind of give you some information
24:07
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
about what to look for as far as
24:11
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
those indicators go and can kind of help give some insight into
24:15
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
how the attackers are thinking as well.
24:19
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
Next up,
24:19
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
we have tactical type of intelligence.
24:22
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
And this tries to answer the what and the when questions.
24:27
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
What is in their tool set?
24:29
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
What are their tactics,
24:31
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
techniques,
24:32
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
and procedures?
24:34
S…
Speaker 1 (2-2026-04-07 01-22-58_Clip_Clip-03)
This is where a lot of the various different types of