2026-04-07 01-22-58_Clip_Clip-01
May 31, 2026 23:18
· 26:52
· English
· Whisper Turbo
· 2 Speakers
0:09
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
There's a number of different terms and definitions that are very commonly used when we're talking about threat hunting, and it's important to know what those are. Now, if you're already familiar, if you're already in the cybersecurity industry, a lot of these will be terms and things you already know and have already been using, but it's important to just make sure we have a good understanding of these before we move forward.
0:33
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So first of all,

0:34
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
what really is a threat? Really, a threat is any potential impact, any negative impact or danger to an

0:44
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
asset.

0:45
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And an asset can be defined as really anything that is owned by an individual or an organization. So a threat against an asset for an organization would be a vulnerability on a server that could be exploited. Again, the key word there for threat is it is a potential negative impact to that asset.

And a threat actor is basically an individual, or sometimes a threat actor could actually be a device also, so we call it an entity here. But basically it's who's taking advantage and who is trying to realize that threat, who's taking advantage of the risk associated with that system or the vulnerability on that system. That is the threat actor. Very commonly referred to also as attackers, malicious actors, a lot of different terms that can be used, but threat actor is the one that is on the screen right now.

And you also have the threat vector or attack vector. This is basically how the attack is carried out, and specifically how the initial phases of the attack

1:51
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
are carried out.

1:51
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Very commonly used to describe how the attack first gets into the organization or into the infrastructure.

1:59
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
For example,

1:59
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
email is a very commonly used attack vector

2:03
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
or threat path,

2:04
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
or there's many different ways to refer to this as well, especially when we're talking about things like phishing messages. So email is a very common one. Open ports are common for firewalls. There's a lot of different threat vectors,

2:18
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
attack vectors,

2:20
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
that can be used by your threat actors to try to exploit these vulnerabilities.

There's a lot of different types of threats as well. Mainly, we're going to be concerned with cybersecurity, but natural disasters are always a threat. And this is a lot more specific as far as the type of disasters you're looking at based on geography and location on the planet. But natural disasters can be considered, or definitely are considered, a

2:50
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
threat. However,
2:51
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
for the purposes of threat hunting, we're more concerned with viruses and malware, data breaches, denial of service attacks. These are all types of threats. The ones we're most concerned with and most often looking for when it comes to threat hunting are your APTs. APTs are advanced persistent threats. That is what it stands for.

Now, this term can be used to refer to either groups that carry out attacks or the type of malware itself. It's kind of interchangeable when we're using it. A lot of the times, though, it's going to be used to describe the group that's carrying out the attack. And this is going to be an attacker group that has a significant amount of resources. They have the infrastructure and the capabilities to carry out these advanced attacks. They have the capabilities to evade detection for a long period of time and remain on a network, usually undetected. Again, this is where threat hunting comes in, trying to find these advanced threat groups while they're on the network before they reach their end goals. They very frequently are capable of carrying out an attack that has multiple different stages to it. They can make very quick use of zero-day exploits, and they can also even develop their own custom zero-day exploits as well.

Now, APTs are going to very often be affiliated with a nation state, or they kind of just are often nation states themselves. Not always, but a lot of times they are, because these nation states have the capabilities, they have these significant resources to provide to these APT groups.

Now, when it comes to distinguishing these groups and kind of referring to them, there are many different ways to name these groups. And this can get a little bit confusing sometimes. So, I'll try to explain a few of the naming conventions here.

So starting with Mandiant, now owned by Google, they use a prefix followed by a number. So for your more typical or generic APTs, they start out with APT and then a number. They can also use UNC, which stands for Uncategorized Group, or FIN to designate a threat actor group that's focused mainly on financial crimes. So it's one of those three letters there followed by a number. For example, APT29. Sounds pretty straightforward.

You get into CrowdStrike. They use animal names and then a descriptor before the animal name to describe the threat actor groups. So for example, they would use Cozy Bear, and this would actually describe the same threat group as APT29.

You have Microsoft. They use weather events to describe their APT groups. So in this example, you have Midnight Blizzard. Again, with a descriptor at the beginning of it, Midnight Blizzard refers to also Cozy Bear and APT29. These are all referring to the same Russian threat actor group.

Now, so CrowdStrike uses animal names and Microsoft uses weather events. What's important here is they will use that same animal name or weather event to describe threat actor groups from the same nation. So anything that is Bear for CrowdStrike or Blizzard for Microsoft is going to refer to a Russian-based threat actor group, with the descriptor referring or kind of narrowing down to talk about the specific group. And yes, these can be a bit confusing to figure out.

However, MITRE on their site (and we'll get into the MITRE ATT&CK framework and all of that in a little bit in a different video as well), when they're listing out the resources, they will usually list out all the different names that a specific group is referred to by on their site. And they also have another unique way. They use just kind of an ID. So for this same group, you have G0016, which is referring to APT29 and Cozy Bear and Midnight Blizzard, all referring to the same group. So it can just be a little confusing to try and kind of grasp there, but there are resources to be able to kind of translate that a little better.

Moving on to TTPs, or our tactics, techniques, and procedures. You will see this a lot, and probably have already seen this if you've watched other videos in this course already. You'll see this referenced a lot when we're talking about threat hunting. This is a very common term to use, and it's a very common resource to use when threat hunting, especially if you're using the MITRE ATT&CK framework. These are essentially the methods and patterns that are used by various different threat actors.

So tactics. These are really just a higher level description of the behaviors of a threat actor, kind of how they go about their planning, what sort of strategies they use, things like that. Those are the tactics. Techniques go a little bit deeper. They're more specific. They describe how the tactics can be used, how they can be implemented, but not extremely specific. That's where we get into the procedures. These are essentially the kind of step-by-step, the sequence of activities for the individual specific techniques that the attackers use to carry out these attacks, and the procedures can be kind of adjusted for, you know, the same techniques; they can be a little different for different threat actors and different threat actor groups as well. So, you know, one threat actor group may implement tactics and techniques in one way and another may implement them in a completely different way. So that is your tactics, techniques, and procedures. Again, this is something we'll cover many different times throughout this course, throughout this learning path, because it is an important thing to talk about, and you'll probably get tired of hearing TTPs eventually.

So moving on from those for now, let's talk about our IOCs and our hashes. IOCs stand for, this is our Indicators of Compromise, IOC. Basically, some sort of indicator that there has been a compromise, or basically a way
10:00
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
to show that there is potentially the presence of malicious

10:04
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
activity.

10:04
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
Now, just because there is an IOC found doesn't always mean that there is a confirmed compromise or a confirmed malicious activity on a system. It is just an indicator that it is possible there is compromise. However, if an IOC is found, it definitely warrants some additional investigation.

Now, these artifacts, these indicators can be multiple different things. We're talking about things like file hashes, IP addresses, domain names, file names, strings, basically just groups of characters in certain files. There's all kinds of different things that can be used as an artifact or as an indicator, not just the ones in this list. You can also have behavioral IOCs, basically how an attack may be carried out without referencing something like an IP address or a domain name. There's many different types of IOCs.

These are almost always included in our threat intelligence reports, and the IOCs are what threat hunters use to actually search for when they're performing a threat hunt. Many different types of threat hunts, many different ways to carry out a threat hunt. So you're not always going to start with searching for IOCs, but they are very commonly used when carrying out these

11:31
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
threat hunts.

11:31
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
They are also very commonly kind of relayed back and forth between threat hunting teams and incident response teams if an incident is actually discovered.

11:44
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And then finally,
11:44
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
we have our hashes. For the purposes of threat hunting, hashes are essentially unique values for files that basically represent kind of a digital fingerprint of a file, if you will. They're generated, they're created by running what's known as a hashing algorithm on a file itself. This is basically a way to generate this unique value. So when we say unique value, if a single character, a single bit is changed in a file, that will result in a completely different hash value. That's important to know there.

It is extremely uncommon for there to be two different files with different contents that will result in the same hashing value. And this is known as a collision. So if you have two different files that result in the same hash value, that is a collision. If you have an algorithm that is susceptible to having hash collisions, that algorithm is usually then referred to as being no longer secure. So there's a number of different algorithms that can be used for hashing.

13:04
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
MD5,

13:05
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
one that has been used for a long time, it is no longer considered secure. You'll sometimes still see these referenced in threat intelligence reports or on online resources because they still can be used to potentially identify indicators of compromise.

13:24
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
However,

13:25
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
MD5 has been proven to be susceptible to collisions. So it's no longer considered secure. One of the most common ones you're going to see, though, is SHA-256. That is one you'll see almost all the time when we're talking about any kind of hash values for threat hunting. You'll see them very commonly on your threat intelligence reports.

So just some of the terms and kind of definitions and terminology that are very commonly used with threat hunting that it's important to be familiar with before we get into actually carrying out threat hunts.

13:59
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
In this
14:09
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
video, we're going to take a look at a tool that is very frequently
14:13
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
used as a visual representation for
14:17
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
your IOCs,
14:18
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
for your indicators of compromise,
14:20
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
known as the Pyramid of Pain.
14:23
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Now,
14:24
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
the Pyramid of Pain is called this because as you go kind of higher up
14:28
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
in this pyramid here,
14:30
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
it becomes more difficult to be able to detect these types of IOCs.
14:34
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
But at the same time,
14:35
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if you are able to detect them,
14:37
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
you are inflicting more pain on the attackers because you're requiring
14:41
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
them to change more of what their attacks are
14:45
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
and how they behave.
14:46
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
And we'll get into the details of that here in a second.
14:49
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So the Pyramid of Pain was created by an individual named
14:53
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
David Bianco.
14:54
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
He is a threat researcher,
14:55
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
threat hunter,
14:56
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
SANS instructor.
15:00
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
He created the Pyramid of Pain while he was working at Mandiant.
15:04
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
And again,
15:05
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
the point of this is to show two different things.
15:09
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
One, the difficulty in obtaining different
15:13
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
indicators of compromise.
15:16
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Also,
15:17
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if you're able to detect specific types of IOCs,
15:21
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
how difficult it is for the attacker to change
15:25
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
their use of that particular IOC or change how
15:29
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
they behave,
15:30
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
basically the level of effort required for the attacker to overcome
15:34
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
the mitigation of specific types of IOCs.
15:38
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
Starting at the bottom of the pyramid, we have our hash values. These are usually very easy to discover, very easy to block or mitigate against
15:50
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
them. Typically,
15:51
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if you find a malicious indicator for a hash value that kind of shows a malicious file, there's very little question whether there is a compromise on your system. Now, whether it's an ongoing compromise or a previous compromise requires more investigation, but these are one of your kind of most basic, most fundamental types of IOCs. But they are also extremely easy for an attacker to change. Any single tiny change to a file results in a completely different hash, and it is very trivial, very easy for attackers to change one character in a piece of malware, which gives a completely different hash, which means a mitigation against the hash value is no longer valid because it's completely different.
16:41
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So moving up in the pyramid, we come to our IP addresses. These, again, like hash values, are very easy to detect; they are one of the most fundamental types of indicators as well, along with domain names, which we'll get into in a second. If there is communication with a malicious IP detected on a network, it is a very good indicator that there is ongoing malicious activity on that system. So this is a very common indicator to see, and it is a very good one to be able to identify as well. And it's also very easy to block against.
17:21
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
However,
17:21
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
it's also very easy for the attacker to change, especially if they're using domain names in malware and not hard-coded IPs. If an attacker is using hard-coded IPs in their malware, then it becomes a lot more difficult to change.
17:36
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
But honestly,
17:37
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
most threat groups don't actually use hard-coded IPs. Almost all of them are going to use domain names, for this specific reason: if one of the IPs is blocked, then they would have to recompile and re-release the
17:53
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
malware,
17:54
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
whatever it is, in order to get around that block. It's much easier just to remap a domain name. And a lot of attackers also use what are known as temporary IP addresses for this specific purpose as well.
18:08
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And this could be,
18:08
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
again, using domain names, or proxy connections or anything like that, where the real infrastructure is kind of hidden behind a proxy, and it's trivial for them to change and kind of get around mitigation of this.
18:23
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
Now, moving up on the pyramid, we get to domain names. Very similar type of IOC as an IP address. Again, if you find communication with a malicious domain
18:34
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
name on the network, again,
18:36
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
very good indicator that there is ongoing malicious activity on that system.
18:41
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Now,
18:42
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
these can also be very easy to block, but they're a little more difficult for the attackers to get around. The reason for that is because it does require more work. Now, it's not terribly difficult for an attacker to get around a domain name block, depending on the type of malware. But domain names do require registration. Very often they will require payment. They don't always require payment. There are some free registrars out there, and there are also maliciously or attacker-controlled registrars for domain names, and they require some form of hosting as well. And again, if domain names are coded into the malware, then it's going to perhaps require redistribution of that malware if you're able to successfully block domain names. So this becomes a little more tricky for the attacker to get around. And there can also be a delay as well, because domain names, any changes to them, do need to propagate. So this can be a little trickier for the attacker and a bit of a delay in the attack as well.
19:53
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Moving up,
19:55
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
we're starting to get into the more difficult to detect and more difficult for the attacker to evade the detection or to kind of get around the mitigation, excuse me. And this is what we're talking about, our network artifacts and our host artifacts. And these can be things like user agent strings for browsers or internet connections that are found in logs. Or, you know,
20:19
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
a network artifact,
20:20
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
good thing to find is any traffic that's on what are known as non-traditional
20:24
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
ports.
20:25
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
If you have
20:26
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
traffic on,
20:27
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
you know, typically higher-numbered ports that are not typically seen on the network, then it can be an indicator there's malicious traffic. It is definitely not always an indicator. It could be perfectly normal traffic. It depends on what the traffic is, but it can be an indicator. And these types of artifacts can be a little more difficult to detect, because they require essentially deeper dives into the logs and require a little more advanced logging capabilities as
20:56
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
well.
20:56
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
These host artifacts could also be specific files on a system or perhaps specific registry keys set up on a system, network traffic on port 80 or 443 that is not originating from a web browser. These are just a few examples of your network artifacts and your host artifacts. And these IOCs again can be more difficult to detect, but at this level you're starting to have much more of an impact on the attacker now. Biggest reason for that is because adjusting these often requires the attacker to reconfigure the malware or recompile
21:37
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
the malware. Again,
21:38
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
this is going to depend on the type of attack. If the attacker has access into the infrastructure via command and control or remote access, then it becomes a little easier for them to deploy new malware.
21:54
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
But again,
21:55
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
there are more steps they have to take. There's more work they need to do to be able to get around mitigations that are detecting and blocking these network and host artifacts.
22:06
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
Moving up to our second-to-highest level, we get to the tools the attacker uses. Now your APT groups are going to tend to use a consistent set of tools, and by this I mean one group will tend to use consistent tools because it makes their jobs easier. That's the same with your network defenders as well. This doesn't mean that all of your APT groups are all using these same sets of tools. That's not what that means here. And this becomes very difficult to detect in a network. This requires detection of very specific artifacts of unique tools, which can be difficult to find. It does require advanced monitoring and advanced alerting as
22:54
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
well. However,
22:56
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if you are able to detect these on your network and are able to mitigate against them, blocking these specific tools requires the attackers to either find new tools or create new tools to be able to do what they were doing before, which becomes a lot more difficult. It is a huge investment of time and resources for them to be able to adjust to using new tools, just like it is for anybody, but you're having a much greater impact on the attackers and their ability to carry out these attacks as
23:35
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
well.
23:36
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
And at the very top of the pyramid, we have our TTPs, our tactics, techniques, and procedures.
This transcription was generated by AI (automatic speech recognition). It may contain errors; verify against the original audio for critical use.