2026-04-07 01-22-58_Clip_Clip-01
May 31, 2026 23:18
· 26:52
· English
· Whisper Turbo
· 2 Speakers
0:09
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
There's a number of different terms and definitions that
0:13
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
are very commonly used when we're talking about threat hunting,
0:17
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
and it's important to know what those are.
0:19
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Now, if you're already familiar,
0:21
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
if you're already in the cybersecurity industry,
0:23
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
a lot of these will be terms and things you already know and have already
0:27
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
been using,
0:28
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
but it's important to just make sure we have a good understanding of these before
0:32
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
we move forward.
0:33
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So first of all,
0:34
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
what really is a threat?
0:37
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Really, a threat is any potential impact,
0:40
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
any negative impact or danger to an
0:44
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
asset.
0:45
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And an asset can be defined as really anything that is owned by
0:49
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
an individual or an organization.
0:51
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So a threat against an asset for an organization would be
0:55
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
a vulnerability on a server that could be exploited.
0:59
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Again, the key word there for threat is it is a potential negative impact
1:04
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
to that asset.
1:06
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And a threat actor is basically an individual or sometimes a
1:10
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
threat actor could actually be a device also,
1:12
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
so we call it an entity here.
1:14
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
But basically it's who's taking advantage and who is trying
1:18
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
to realize that threat,
1:20
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
who's taking advantage of the risk associated with that system or
1:24
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
the vulnerability on that system.
1:26
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
That is the threat actor.
1:28
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Very commonly referred to also as attackers,
1:31
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
malicious actors,
1:33
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
a lot of different terms that can be used,
1:35
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
but threat actor is the one that is on the screen right now.
1:38
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And you also have the threat vector or attack vector.
1:42
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
This is basically how the attack is
1:47
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
carried out and specifically how the initial phases of the attack
1:51
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
are carried out.
1:51
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
very commonly used to describe how the attack first gets into
1:56
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
the organization or into the infrastructure.
1:59
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
For example,
1:59
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
email is a very commonly used attack vector
2:03
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
or threat path,
2:04
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
or there's many different ways to refer to this as well,
2:07
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
especially when we're talking about things like phishing messages.
2:10
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So email is a very common one.
2:12
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Open ports are common for firewalls.
2:16
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
There's a lot of different threat vectors,
2:18
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
attack vectors.
2:20
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
that can be used by your threat actors to try
2:24
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
to exploit these vulnerabilities.
2:25
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
There's a lot of different types of threats as
2:29
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
well.
2:30
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Mainly,
2:31
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
we're going to be concerned with cybersecurity,
2:32
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
but natural disasters are always a threat.
2:36
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And this is a lot more specific as far as the type of disasters
2:40
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
you're looking at based on geography and location on
2:44
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
the planet.
2:46
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
But natural disasters can be considered a or definitely are considered a
2:50
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
threat. However,
2:51
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
for the purposes of threat hunting,
2:53
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
we're more concerned with viruses and malware,
2:57
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
data breaches,
2:58
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
denial of service attacks.
3:00
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
These are all types of threats.
3:02
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
The ones we're most concerned and most often looking for when it comes
3:06
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
to threat hunting are your APTs.
3:09
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
APTs are advanced persistent threats.
3:13
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
That is what it stands for.
3:16
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Now, this term can be used to refer to either groups that carry
3:20
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
out attacks or the type of malware itself.
3:24
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
It's kind of interchangeable when we're using it.
3:28
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
A lot of the times,
3:29
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
though, it's going to be used to describe the group that's carrying out the
3:33
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
attack.
3:34
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And this is going to be an attacker group that has a significant
3:38
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
amount of resources.
3:40
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
They have the infrastructure and the capabilities to carry
3:44
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
out these advanced attacks.
3:46
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
They have the capabilities to evade detection for a
3:50
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
long period of time and remain on a network,
3:52
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
usually undetected.
3:54
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Again, this is where threat hunting comes in,
3:56
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
trying to find these advanced threat groups.
3:59
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
while they're on the network before they reach their end goals.
4:03
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
They very frequently are capable of carrying out
4:07
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
a attack that has multiple different stages to it.
4:10
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
They can make very quick use of zero -day exploits,
4:15
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
and they can also even develop their own custom
4:20
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
zero -day exploits as well.
4:22
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Now, APTs are going to very often be
4:26
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
affiliated with a nation state,
4:30
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
or they kind of just are often nation states themselves.
4:33
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Not always,
4:35
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
but a lot of times they are because these nation states have the
4:39
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
capabilities,
4:40
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
they have these significant resources to provide to
4:44
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
these APT groups.
4:47
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Now, when it comes to distinguishing
4:51
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
these groups and kind of referring to them,
4:54
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
there are many different ways to name these groups.
4:58
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And this can get...
5:00
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
a little bit confusing sometimes. So.
5:03
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Try to explain a few of the naming conventions here.
5:06
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So starting with Mandiant,
5:07
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
now owned by Google,
5:08
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
they use a prefix followed by a number.
5:12
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So for your more typical or generic APTs,
5:15
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
they start out with APT and then a number.
5:18
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
They can also use UNC,
5:20
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
which stands for Uncategorized Group,
5:23
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
or FIN or FIN to designate a threat
5:27
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
actor group that's focused mainly on financial crimes.
5:31
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So it's one of those three letters there followed by a number.
5:35
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
For example, APT29.
5:37
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Sounds pretty straightforward.
5:39
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
You get into CrowdStrike.
5:41
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
They use animal names and then a descriptor before the animal
5:45
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
name to describe the threat actor groups.
5:49
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So for example,
5:50
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
they would use Cozy Bear,
5:51
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
and this would actually describe the same threat group as APT29.
5:56
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
You have Microsoft.
5:57
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
They use weather events to describe their APT
6:02
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
groups.
6:02
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So in this example,
6:03
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
you have Midnight Blizzard.
6:04
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Again, with a descriptor at the beginning of it,
6:07
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Midnight Blizzard refers to also Cozy Bear and
6:11
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
APT -29.
6:12
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
These are all referring to the same Russian
6:16
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
threat actor group.
6:19
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Now, so CrowdStrike uses animal names and
6:23
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Microsoft uses weather events.
6:25
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
What's important here is they will use that same animal name
6:29
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
or weather event to describe threat actor groups from the
6:33
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
same nation.
6:35
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So anything that is bear for CrowdStrike or
6:39
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Blizzard for Microsoft is going to refer to a Russian -based
6:44
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
threat actor group.
6:46
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
with the descriptor referring or kind of narrowing down to
6:50
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
talk about the specific group.
6:52
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And yes,
6:53
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
these can be a bit confusing to figure out.
6:56
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
However,
6:57
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
MITRE on their site
7:00
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And we'll get into MITRE attack framework and all of that in a little bit in a different video as
7:04
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
well.
7:04
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
But they have,
7:05
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
when they're talking about,
7:07
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
when they're listing out the resources,
7:08
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
they will usually list out all the different names that a specific
7:13
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
group is referred to on their site.
7:15
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And they also have another unique way.
7:19
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
They use just kind of an ID.
7:21
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So for this same group,
7:22
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
you have G0016.
7:25
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
which also which is referring to APT29 and Cozy Bear and
7:29
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Midnight Blizzard,
7:30
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
all referring to the same group.
7:33
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So just it can be a little confusing to try and kind of
7:37
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
grasp there,
7:38
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
but there are resources to be able to kind of translate that
7:42
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
a little better.
7:44
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Moving on to TTPs,
7:46
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
or our tactics,
7:47
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
techniques,
7:48
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
and procedures.
7:49
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
You will see this,
7:51
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
and probably have already seen this if you've watched other videos in this course already,
7:54
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
a lot.
7:56
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
You'll see this referenced a lot when we're talking about threat hunting.
8:00
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
This is a very common term to use,
8:02
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
and it's a very common resource to use when threat hunting,
8:05
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
especially if you're using the MITRE ATT &CK framework.
8:09
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
These are essentially the methods and patterns that are used
8:13
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
by various different threat actors.
8:16
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So tactics.
8:17
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
These are really just a higher level description
8:22
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
of the behaviors of a threat
8:26
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
actor, kind of how they go about their planning,
8:29
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
what sort of strategies they use,
8:31
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
things like that.
8:32
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Those are the tactics.
8:34
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Techniques go a little bit deeper.
8:36
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
They're more specific.
8:37
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
They describe how the tactics can be used,
8:41
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
how they can be implemented,
8:43
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
but not extremely specific.
8:46
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
That's where we get into the procedures.
8:48
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
These are essentially the kind of step -by -step,
8:51
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
the sequence of activities.
8:54
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
to for the individual specific techniques
8:58
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
that the attackers use to carry out these attacks
9:02
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
and the procedures can be kind of adjusted for
9:06
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
you know the same techniques they can be a little different for different threat actors
9:10
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
and different threat actor groups as well so the you know one threat actor
9:15
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
group may implement tactics and techniques in one
9:19
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
way and another may implement them in a completely different way.
9:23
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So that is your tactics,
9:25
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
techniques,
9:26
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
and procedures.
9:27
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Again, this is something we'll cover many different times
9:31
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
throughout this course,
9:32
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
throughout this learning path,
9:33
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
because it is an important thing to talk about,
9:36
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
and you'll probably get tired of hearing TTPs eventually.
9:39
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
So moving on from those for now,
9:42
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
let's talk about our IOCs and our hashes.
9:46
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
IOCs stand for,
9:48
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
this is our Indicators of Compromise,
9:50
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
IOC.
9:52
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Basically,
9:53
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
some sort of indicator that there has been a compromise
9:57
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
or basically a way.
10:00
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
to show that there is potentially the presence of malicious
10:04
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
activity.
10:04
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
Now, just because there is an IOC found doesn't
10:09
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
always mean that there is a confirmed
10:13
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
compromise or a confirmed malicious activity on a system.
10:17
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
It is just an indicator that it is possible there is compromise.
10:21
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
But however, if an IOC is found,
10:24
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
it definitely warrants some additional investigation.
10:28
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
Now, these artifacts,
10:29
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
these indicators can be multiple different things.
10:33
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
We're talking about things like file hashes,
10:35
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
IP addresses,
10:36
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
domain names,
10:38
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
file names,
10:39
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
strings,
10:39
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
basically just groups of characters in certain files.
10:44
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
There's all kinds of different things that can be used as
10:48
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
an artifact or as an indicator,
10:49
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
not just the ones in this list.
10:52
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
You can also have behavioral IOCs,
10:55
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
basically how an attack may be carried out without referencing something
10:59
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
like an IP address or a domain name.
11:01
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
There's many different types of IOCs.
11:05
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
These are almost always included in our threat intelligence
11:09
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
reports,
11:10
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
and the IOCs are what threat hunters use to actually
11:14
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
search for when they're performing a threat hunt.
11:18
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
many different types of threat hunts,
11:20
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
many different ways to carry out a threat hunt.
11:23
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So you're not always going to start with searching for IOCs,
11:27
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
but they are very commonly used when carrying out these
11:31
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
threat hunts.
11:31
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
They are also very commonly kind of relayed
11:36
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
back and forth between threat hunting teams and incident response teams
11:40
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if an incident is actually discovered.
11:44
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And then finally,
11:44
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
we have our hashes.
11:46
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
For the purposes of threat hunting,
11:49
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
hashes are essentially unique values for files
11:54
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
that basically represent the kind of a digital fingerprint
11:58
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
of a file,
11:59
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if you will.
12:00
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
They're generated,
12:01
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
they're created by running what's known as a hashing algorithm.
12:06
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
on a file itself.
12:07
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
This is basically a way to generate this unique value.
12:11
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So when we say unique value,
12:13
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if a single character,
12:15
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
a single bit is changed in a file,
12:18
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
that will result in a completely different hash
12:23
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
value.
12:23
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
That's important to know there.
12:26
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
It is extremely uncommon for there
12:30
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
to be two different files with different contents
12:34
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
that will result in the same hashing value.
12:39
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
And this is known as a collision.
12:42
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So if you have two different files that result in the same
12:46
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
hash value,
12:47
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
that is a collision.
12:48
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
You have an algorithm that is susceptible to having
12:53
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
hash collisions.
12:55
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
That algorithm is usually then referred to as being no
12:59
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
longer secure.
13:00
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So there's a number of different algorithms that can be used for hashing.
13:04
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
MD5,
13:05
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
one that has been used for a long time,
13:07
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
it is no longer considered secure.
13:10
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
You'll sometimes still see these referenced in threat
13:14
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
intelligence reports or on online resources because
13:18
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
they still can be used to potentially identify indicators
13:23
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
of compromise.
13:24
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
However,
13:25
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
MD5 has been proven to be susceptible to collisions.
13:29
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So it's no longer considered secure.
13:31
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
One of the most common ones you're going to see,
13:33
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
though, is SHA -256.
13:35
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
That is one you'll see almost all the time when we're talking about any kind
13:39
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
of hash values for threat hunting.
13:42
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
You'll see them very commonly on your threat intelligence reports.
13:46
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So just some of the terms and kind of definitions and terminology
13:50
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
that are very commonly used with threat hunting.
13:53
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
that it's important to be familiar with before we get into the
13:57
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
actual carrying out threat hunts.
13:59
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
In this
14:09
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
video, we're going to take a look at a tool that is very frequently
14:13
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
used as a visual representation for
14:17
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
your IOCs,
14:18
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
for your indicators of compromise,
14:20
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
known as the Pyramid of Pain.
14:23
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Now,
14:24
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
the Pyramid of Pain is called this because as you go kind of higher up
14:28
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
in this pyramid here,
14:30
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
it becomes more difficult to be able to detect these types of IOCs.
14:34
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
But at the same time,
14:35
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if you are able to detect them,
14:37
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
you are inflicting more pain on the attackers because you're requiring
14:41
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
them to change more of what their attacks are
14:45
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
and how they behave.
14:46
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
And we'll get into the details of that here in a second.
14:49
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
So the Pyramid of Pain was created by an individual named
14:53
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
David Bianco.
14:54
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
He is a threat researcher,
14:55
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
threat hunter,
14:56
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
SANS instructor.
15:00
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
He created the Pyramid of Pain while he was working at Mandiant.
15:04
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
And again,
15:05
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
the point of this is to show two different things.
15:09
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
One, the difficulty in obtaining different
15:13
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
indicators of compromise.
15:16
S…
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Also,
15:17
S…
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if you're able to detect specific types of IOCs,
15:21
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
how difficult it is for the attacker to change their use of that particular IOC or change how

15:29
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
they behave,

15:30
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
basically the level of effort required for the attacker to overcome the mitigation of specific types of IOCs. Starting at the bottom of the pyramid, we have our hash values. These are usually very easy to discover, very easy to block or mitigate against

15:50
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
them. Typically,

15:51
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if you find a malicious indicator for a hash value that kind of shows a malicious file, there's very little question if there is a compromise on your system. Now, whether it's an ongoing compromise or a previous compromise requires more investigation, but these are one of your kind of most basic, most fundamental types of IOCs. But they are also extremely easy for an attacker to change. Any single tiny change to a file results in a completely different hash, and it is very trivial, very easy for attackers to change one character in a piece of malware that gives a completely different hash, which means a mitigation against the hash value is no longer valid because it's completely different. So moving up in the pyramid we come to our IP addresses. These, again, like hash values, are very easy to detect; they are one of the most fundamental types of indicators as well, along with domain names, which we'll get into in a second. If there is communication with a malicious IP detected on a network, it is a very good indicator that there is ongoing malicious activity on that system. So this is a very common indicator to see, and it is a very good one to be able to identify as well. And it's also very easy to block against.

17:21
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
However,

17:21
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
it's also very easy for the attacker to change, especially if they're using domain names in malware and not hard-coded IPs. If an attacker is using hard-coded IPs in their malware, then it becomes a lot more difficult to change.

17:36
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
But honestly,

17:37
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
most threat groups don't actually use hard-coded IPs. Almost all of them are going to use domain names, because for this specific reason, if one of the IPs is blocked, then they would have to recompile and re-release the

17:53
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
malware,

17:54
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
whatever it is, in order to get around that block. It's much easier just to remap a domain name. And a lot of attackers also use what are known as temporary IP addresses for this specific purpose as well.

18:08
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
And this could be,

18:08
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
again, using domain names or proxy connections or anything like that, where the real infrastructure is kind of hidden behind a proxy, and it's trivial for them to change and kind of get around mitigation of this. Now, moving up on the pyramid, we get to domain names. Very similar type of IOC as an IP address. Again, if you find communication with a malicious domain

18:34
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
name on the network, again,

18:36
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
very good indicator that there is ongoing malicious activity on that system.

18:41
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Now,

18:42
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
these can also be very easy to block, but they're a little more difficult for the attackers to get around. The reason for that is because it does require more work. Now, it's not terribly difficult for an attacker to get around a domain name block, depending on the type of malware. But domain names do require registration. Very often they will require payment. They don't always require payment. There are some free registrars out there, and there are also maliciously or attacker-controlled registrars for domain names, and they require some form of hosting as well. And again, if domain names are coded into the malware, then it's going to perhaps require redistribution of that malware if you're able to successfully block domain names. So this becomes a little more tricky for the attacker to get around. And there also can be a delay as well because domain names, any changes to them do need to propagate. So this can be a little trickier for the attacker and a bit of a delay in the attack as well.

19:53
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
Moving up,

19:55
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
we're starting to get into the more difficult to detect and more difficult for the attacker to evade the detection or to kind of get around the mitigation, excuse me. And this is what we're talking about, our network artifacts and our host artifacts. And these can be things like user agent strings for browsers or internet connections that are found in logs. Or, you know,

20:19
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
a network artifact,

20:20
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
good thing to find is any traffic that's on what are known as non-traditional

20:24
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
ports.

20:25
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
If you have

20:26
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
traffic on,

20:27
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
you know, typically higher-numbered ports that are not typically seen on the network, then it can be an indicator there's malicious traffic. It is definitely not always an indicator. It could be perfectly normal traffic. It depends on what the traffic is, but it can be an indicator. And these types of artifacts can be a little more difficult to detect, because they require essentially deeper dives into the logs and require a little more advanced logging capabilities as

20:56
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
well.

20:56
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
These host artifacts could also be specific files on a system or perhaps specific registry keys set up on a system, network traffic on port 80 or 443 that is not originating from a web browser. These are just a few examples of your network artifacts and your host artifacts. And these IOCs again can be more difficult to detect, but at this level you're starting to have much more of an impact on the attacker now. Biggest reason for that is because adjusting these often requires the attacker to reconfigure the malware or recompile

21:37
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
the malware. Again,

21:38
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
this is going to depend on the type of attack. If the attacker has access into the infrastructure via command and control or remote access, then it becomes a little easier for them to deploy new malware.

21:54
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
But again,

21:55
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
there are more steps they have to take. There's more work they need to do to be able to get around mitigations that are detecting and blocking these network and host artifacts. Moving up to our second-to-highest level, we get to the tools the attacker uses. Now, your APT groups are going to tend to use a consistent set of tools, and by this I mean one group will tend to use consistent tools because it makes their jobs easier. That's the same with your network defenders as well. This doesn't mean that all of your APT groups are all using these same sets of tools. That's not what that means here. And this becomes very difficult to detect in a network. This requires detection of very specific artifacts of unique tools, which can be difficult to find. It does require advanced monitoring and advanced alerting as

22:54
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
well. However,

22:56
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
if you are able to detect these on your network and are able to mitigate against them, blocking these specific tools requires the attackers to either find new tools or create new tools to be able to do what they were doing before, which becomes a lot more difficult. It is a huge investment of time and resources for them to be able to adjust to using new tools, just like it is for anybody, but you're having a much greater impact on the attackers and their ability to carry out these attacks as

23:35
Speaker 1 (2026-04-07 01-22-58_Clip_Clip-01)
well.

23:36
Speaker 2 (2026-04-07 01-22-58_Clip_Clip-01)
And at the very top of the pyramid, we have our TTPs, our tactics, techniques, and procedures.
This transcript was generated with AI (automatic speech recognition). It may contain errors; check against the original audio for critical use.