WEBVTT

1
00:00:00.120 --> 00:00:03.439
<v Speaker 1>Welcome back to the deep Dive. Today we are we're

2
00:00:03.439 --> 00:00:06.480
<v Speaker 1>doing something a little different. We're putting aside that comforting

3
00:00:06.519 --> 00:00:11.199
<v Speaker 1>idea that your firewalls and your antivirus software are enough.

4
00:00:11.439 --> 00:00:13.919
<v Speaker 2>Yeah, that's a tough pill to swallow for.

5
00:00:13.919 --> 00:00:15.599
<v Speaker 1>A lot of people, it really is. I mean, we

6
00:00:15.640 --> 00:00:19.320
<v Speaker 1>are opening a source document today called Huntpedia, and

7
00:00:19.600 --> 00:00:22.760
<v Speaker 1>the core premise right from the start is uncomfortable. It

8
00:00:22.800 --> 00:00:27.519
<v Speaker 1>basically says, the adversary is likely already inside your network. Right,

9
00:00:27.719 --> 00:00:30.039
<v Speaker 1>so the question isn't you know, how do we keep

10
00:00:30.079 --> 00:00:32.719
<v Speaker 1>them out? It's how do we find them before they

11
00:00:32.759 --> 00:00:35.600
<v Speaker 1>actually achieve whatever it is they're trying to do exactly.

12
00:00:35.640 --> 00:00:39.880
<v Speaker 2>It's a fundamental shift in philosophy because for the longest time,

13
00:00:40.479 --> 00:00:42.520
<v Speaker 2>the industry was focused on incident.

14
00:00:42.200 --> 00:00:44.439
<v Speaker 1>Response, right, which is just waiting for an alarm.

15
00:00:44.520 --> 00:00:47.359
<v Speaker 2>Yeah, incident response is essentially waiting for the fire alarm

16
00:00:47.399 --> 00:00:50.399
<v Speaker 2>to ring and then scrambling. But threat hunting, which is

17
00:00:50.399 --> 00:00:52.880
<v Speaker 2>what Huntpedia is all about, is walking the floor.

18
00:00:53.399 --> 00:00:56.960
<v Speaker 2>You're actively sniffing the air for smoke before any sensor

19
00:00:57.000 --> 00:00:58.240
<v Speaker 2>even registers a problem.

20
00:00:58.479 --> 00:01:02.439
<v Speaker 1>And this document, Huntpedia, it's really a fascinating collection.

21
00:01:02.640 --> 00:01:06.439
<v Speaker 1>It aggregates wisdom from some of the absolute heavy hitters

22
00:01:06.439 --> 00:01:07.159
<v Speaker 1>in the industry.

23
00:01:07.280 --> 00:01:10.760
<v Speaker 2>Oh yeah, you got Richard Bejtlich, David Bianco, Chris Sanders.

24
00:01:10.599 --> 00:01:13.760
<v Speaker 1>Right, and it standardizes what used to be considered this

25
00:01:13.920 --> 00:01:16.200
<v Speaker 1>I don't know, almost a dark art in cybersecurity.

26
00:01:16.280 --> 00:01:18.760
<v Speaker 2>It really does. And it all starts with the mindset.

27
00:01:18.920 --> 00:01:22.760
<v Speaker 2>Bejtlich actually traces the whole concept back to the Air Force.

28
00:01:22.560 --> 00:01:25.000
<v Speaker 1>To hunter killer missions right, exactly.

29
00:01:24.599 --> 00:01:28.719
<v Speaker 2>Friendly force projection. The idea is that you aren't just

30
00:01:29.120 --> 00:01:33.200
<v Speaker 2>sitting behind a wall defending a perimeter. You are actively

31
00:01:33.280 --> 00:01:36.560
<v Speaker 2>engaging within your own territory to flush out the enemy.

32
00:01:36.760 --> 00:01:39.120
<v Speaker 1>And I think that distinction is key for the listener

33
00:01:39.159 --> 00:01:41.959
<v Speaker 1>because a lot of organizations out there believe they're.

34
00:01:41.799 --> 00:01:43.599
<v Speaker 2>Hunting, but they're really not right.

35
00:01:43.640 --> 00:01:46.680
<v Speaker 1>They just have a security operations center watching a dashboard

36
00:01:46.719 --> 00:01:48.480
<v Speaker 1>waiting for red lights to blink.

37
00:01:48.359 --> 00:01:53.519
<v Speaker 2>Which is entirely passive. That is monitoring. Real hunting is well,

38
00:01:53.599 --> 00:01:56.680
<v Speaker 2>it's hypothesis driven. Danny Akacki puts it perfectly in

39
00:01:56.760 --> 00:02:00.000
<v Speaker 2>chapter one. He defines hunting as finding ways for evil

40
00:02:00.319 --> 00:02:01.519
<v Speaker 2>to do evil things.

41
00:02:01.719 --> 00:02:02.640
<v Speaker 1>I love that phrasing.

42
00:02:03.000 --> 00:02:05.879
<v Speaker 2>It's great. You aren't waiting for a piece of software

43
00:02:05.879 --> 00:02:09.159
<v Speaker 2>to tell you something is wrong. You are operating on

44
00:02:09.199 --> 00:02:12.319
<v Speaker 2>the assumption that something is already wrong and you're actively

45
00:02:12.319 --> 00:02:13.120
<v Speaker 2>trying to prove it.

46
00:02:13.120 --> 00:02:16.759
<v Speaker 1>Which brings up this whole man versus machine debate that

47
00:02:16.840 --> 00:02:18.280
<v Speaker 1>runs through the entire text.

48
00:02:18.360 --> 00:02:19.560
<v Speaker 2>Yeah, it's everywhere in the book.

49
00:02:19.599 --> 00:02:21.919
<v Speaker 1>There's this great quote in the intro from the old

50
00:02:22.000 --> 00:02:23.280
<v Speaker 1>TV show Airwolf.

51
00:02:23.400 --> 00:02:25.080
<v Speaker 2>Oh I remember that show. Yeah.

52
00:02:25.199 --> 00:02:28.120
<v Speaker 1>The quote is they haven't built a machine yet that

53
00:02:28.159 --> 00:02:31.840
<v Speaker 1>could replace a good pilot, and Bejtlich uses that to

54
00:02:31.960 --> 00:02:35.240
<v Speaker 1>argue that attackers they can test their malware against all

55
00:02:35.240 --> 00:02:36.680
<v Speaker 1>your automated tools. Absolutely.

56
00:02:36.719 --> 00:02:40.560
<v Speaker 2>They literally buy the exact same endpoint detection software.

57
00:02:40.159 --> 00:02:41.879
<v Speaker 1>That you use, right, and they run it in their

58
00:02:41.879 --> 00:02:43.919
<v Speaker 1>own labs until they figure out how to bypass it.

59
00:02:44.240 --> 00:02:47.960
<v Speaker 2>Exactly, if you're relying solely on automation, you're fighting a

60
00:02:48.039 --> 00:02:52.960
<v Speaker 2>completely static defense. The attacker replicates your defense, beats it,

61
00:02:53.319 --> 00:02:56.680
<v Speaker 2>and then attacks. But the one thing they cannot test

62
00:02:56.719 --> 00:03:00.800
<v Speaker 2>against in a lab is you.

63
00:03:00.800 --> 00:03:04.879
<v Speaker 2>A creative human analyst who I don't know wakes up

64
00:03:04.879 --> 00:03:08.159
<v Speaker 2>one morning and decides to look for some highly specific,

65
00:03:08.360 --> 00:03:10.400
<v Speaker 2>weird anomaly in the DNS.

66
00:03:10.199 --> 00:03:13.639
<v Speaker 1>Logs that unpredictability is the ultimate defense.

67
00:03:13.840 --> 00:03:18.360
<v Speaker 2>It is. Human creativity is the variable they can't account

68
00:03:18.000 --> 00:03:20.199
<v Speaker 1>for. But you know, we can't just rely on a

69
00:03:20.199 --> 00:03:21.919
<v Speaker 1>gut feeling, right, We can't just wake up with a

70
00:03:22.000 --> 00:03:25.400
<v Speaker 1>hunch every day. We need a framework to actually direct

71
00:03:25.520 --> 00:03:26.400
<v Speaker 1>that creativity.

72
00:03:26.560 --> 00:03:27.280
<v Speaker 2>You need structure.

73
00:03:27.520 --> 00:03:31.240
<v Speaker 1>And that leads us to probably the most famous mental

74
00:03:31.280 --> 00:03:34.919
<v Speaker 1>model in this entire document, the Pyramid.

75
00:03:34.520 --> 00:03:37.400
<v Speaker 2>Of Pain, Ah David Bianco's masterpiece.

76
00:03:37.560 --> 00:03:38.199
<v Speaker 1>It really is.

77
00:03:38.439 --> 00:03:41.599
<v Speaker 2>It is absolutely essential for understanding modern defense.

78
00:03:41.280 --> 00:03:44.000
<v Speaker 1>And I think people often misunderstand it at first glance,

79
00:03:44.080 --> 00:03:46.919
<v Speaker 1>Like they see a pyramid and they automatically think it's

80
00:03:46.960 --> 00:03:49.080
<v Speaker 1>a ranking of how bad the malware is.

81
00:03:49.280 --> 00:03:51.800
<v Speaker 2>Yeah, that's a common misconception. Yeah, but it's actually a

82
00:03:51.879 --> 00:03:54.919
<v Speaker 2>ranking of how much pain we cause the adversary when

83
00:03:54.919 --> 00:03:56.319
<v Speaker 2>we detect them at different levels.

84
00:03:56.360 --> 00:03:58.439
<v Speaker 1>It's an economic model, really exactly.

85
00:03:58.520 --> 00:04:00.680
<v Speaker 2>It's an economic model for the attack. So at the

86
00:04:00.680 --> 00:04:04.199
<v Speaker 2>bottom of the pyramid, the wide base, you have things like

87
00:04:04.240 --> 00:04:07.560
<v Speaker 2>hash values and IP addresses, the easy stuff, very easy

88
00:04:07.560 --> 00:04:10.360
<v Speaker 2>for us to detect, but also incredibly easy for the

89
00:04:10.400 --> 00:04:11.919
<v Speaker 2>attacker to change.

90
00:04:11.800 --> 00:04:14.599
<v Speaker 1>Right because if I block a malicious IP address, they

91
00:04:14.599 --> 00:04:16.839
<v Speaker 1>don't care. They don't they probably have a botnet of

92
00:04:16.920 --> 00:04:20.639
<v Speaker 1>ten thousand other IPs. They burn one and move to

93
00:04:20.680 --> 00:04:23.720
<v Speaker 1>the next. In the literal milliseconds.

94
00:04:23.199 --> 00:04:25.959
<v Speaker 2>It costs them absolutely nothing. It's a minor nuisance. You

95
00:04:25.959 --> 00:04:29.040
<v Speaker 2>haven't disrupted their operation. You've just made a computer change

96
00:04:29.040 --> 00:04:29.560
<v Speaker 2>a variable.

97
00:04:29.600 --> 00:04:32.120
<v Speaker 1>But then you move up the pyramid, right, you.

98
00:04:32.120 --> 00:04:35.439
<v Speaker 2>Move up through domain names, then network artifacts, then tools,

99
00:04:36.079 --> 00:04:38.920
<v Speaker 2>and it gets progressively harder and more expensive for them

100
00:04:38.959 --> 00:04:41.800
<v Speaker 2>to change those things until you hit the peak, the pinnacle.

101
00:04:42.040 --> 00:04:46.639
<v Speaker 1>Yeah, TTPs, tactics, techniques and procedures. And this is behavior.

102
00:04:46.720 --> 00:04:49.160
<v Speaker 1>This isn't what the malicious file is named or what

103
00:04:49.240 --> 00:04:52.959
<v Speaker 1>IP it came from. This is how the attacker actually operates.

104
00:04:53.120 --> 00:04:57.000
<v Speaker 2>Precisely. Let's say you detect that an attacker is using

105
00:04:57.319 --> 00:05:00.759
<v Speaker 2>a technique like pass the hash to move laterally through

106
00:05:00.800 --> 00:05:04.040
<v Speaker 2>your network. Okay, if you can detect that specific behavior

107
00:05:04.079 --> 00:05:07.480
<v Speaker 2>and block that technique, you haven't just burned a cheap

108
00:05:07.519 --> 00:05:11.680
<v Speaker 2>IP address. You've burned their education. You've burned the entire

109
00:05:11.720 --> 00:05:14.720
<v Speaker 2>methodology they might have spent six months developing and practicing.

110
00:05:14.879 --> 00:05:17.519
<v Speaker 1>You force them to completely go back to the drawing board.

111
00:05:17.560 --> 00:05:19.040
<v Speaker 1>You're taxing their resources.

112
00:05:19.399 --> 00:05:21.959
<v Speaker 2>That is the pain in the pyramid of pain. It

113
00:05:22.040 --> 00:05:24.560
<v Speaker 2>costs them real time and real money. And that is

114
00:05:24.600 --> 00:05:27.600
<v Speaker 2>why the hunter's mindset has to focus on the top

115
00:05:27.600 --> 00:05:28.199
<v Speaker 2>of the pyramid.

116
00:05:28.279 --> 00:05:32.319
<v Speaker 1>We want behaviors, not just giant lists of bad IP

117
00:05:32.519 --> 00:05:37.160
<v Speaker 1>addresses exactly. So okay, effective hunting is about understanding the

118
00:05:37.199 --> 00:05:41.360
<v Speaker 1>behavior of the enemy. But to find that behavior you

119
00:05:41.439 --> 00:05:43.959
<v Speaker 1>need a method. I mean, you can't just scroll through

120
00:05:44.319 --> 00:05:46.800
<v Speaker 1>millions of log lines hoping to see the word evil.

121
00:05:47.000 --> 00:05:49.600
<v Speaker 2>No, you go crazy. And that's what Jack Crook and

122
00:05:49.639 --> 00:05:53.120
<v Speaker 2>Sergio Caltagirone argue in chapters three and four. They call

123
00:05:53.160 --> 00:05:57.439
<v Speaker 2>that wandering. To actually hunt, you need the scientific method.

124
00:05:57.480 --> 00:05:59.639
<v Speaker 2>You need to start with a solid hypothesis.

125
00:06:00.319 --> 00:06:01.399
<v Speaker 1>Have to think like the thief.

126
00:06:01.519 --> 00:06:04.199
<v Speaker 2>To catch the thief, specifically, you have to think about

127
00:06:04.240 --> 00:06:05.480
<v Speaker 2>the thief's needs.

128
00:06:05.480 --> 00:06:07.600
<v Speaker 1>Right, because they have a job to do on your network.

129
00:06:07.639 --> 00:06:10.240
<v Speaker 2>They do they need to execute code, they need to

130
00:06:10.399 --> 00:06:13.240
<v Speaker 2>escalate their privileges, they need to package and move data.

131
00:06:13.879 --> 00:06:16.199
<v Speaker 2>So a good hunter sits down and asks, if I

132
00:06:16.240 --> 00:06:19.079
<v Speaker 2>were an attacker and I needed to steal the CEO's password,

133
00:06:19.319 --> 00:06:20.120
<v Speaker 2>how would I do it?

134
00:06:20.160 --> 00:06:23.319
<v Speaker 1>And that question becomes the hypothesis. So, for example, you

135
00:06:23.399 --> 00:06:26.639
<v Speaker 1>might say, if an attacker is staging data to exfiltrate it,

136
00:06:26.680 --> 00:06:29.839
<v Speaker 1>they might be compressing large files in a temporary directory.

137
00:06:29.920 --> 00:06:32.920
<v Speaker 2>Perfect, that is a hunt. Now you go look for

138
00:06:33.040 --> 00:06:36.560
<v Speaker 2>rar dot exe or 7-Zip running in the C

139
00:06:36.639 --> 00:06:37.920
<v Speaker 2>drive Windows temp folder.

140
00:06:38.040 --> 00:06:39.759
<v Speaker 1>You aren't looking for a virus signature.

141
00:06:39.959 --> 00:06:43.199
<v Speaker 2>No, you're looking for the behavior of staging data.

142
00:06:44.000 --> 00:06:47.040
<v Speaker 1>To help structure this, the text brings up the diamond model.

143
00:06:47.199 --> 00:06:52.199
<v Speaker 1>It connects four points: adversary, capability, infrastructure, and victim.

144
00:06:52.439 --> 00:06:55.720
<v Speaker 2>It seems simple on the surface, but the power is

145
00:06:55.759 --> 00:06:57.040
<v Speaker 2>in how it lets you pivot right.

146
00:06:57.079 --> 00:06:59.959
<v Speaker 1>It turns a single isolated data point into a whole

147
00:07:00.199 --> 00:07:01.120
<v Speaker 1>web of intelligence.

148
00:07:01.439 --> 00:07:04.120
<v Speaker 2>Because if you find a capability that's say, a specific

149
00:07:04.199 --> 00:07:06.800
<v Speaker 2>piece of malware, you don't just delete it and stop there.

150
00:07:07.160 --> 00:07:10.079
<v Speaker 2>You trace the line to infrastructure, where's this malware calling

151
00:07:10.120 --> 00:07:10.439
<v Speaker 2>home to?

152
00:07:10.600 --> 00:07:12.759
<v Speaker 1>And then you trace the line to victim. Who else

153
00:07:12.800 --> 00:07:14.120
<v Speaker 1>in our network has this file?

154
00:07:14.240 --> 00:07:17.120
<v Speaker 2>Exactly? It forces you to map the entire campaign.

155
00:07:17.319 --> 00:07:19.360
<v Speaker 1>Let's get practical here, because the theory is great, but

156
00:07:19.480 --> 00:07:23.560
<v Speaker 1>Huntpedia is absolutely full of these specific technical hunts that

157
00:07:23.720 --> 00:07:25.319
<v Speaker 1>really bring this mindset to life.

158
00:07:25.360 --> 00:07:27.360
<v Speaker 2>Well, the real world examples are the best part.

159
00:07:27.600 --> 00:07:29.160
<v Speaker 1>I want to break down three of them that really

160
00:07:29.199 --> 00:07:32.000
<v Speaker 1>stood out to me. The first one is from Tyler Hudak,

161
00:07:32.079 --> 00:07:34.319
<v Speaker 1>and it's all about DNS collisions.

162
00:07:34.480 --> 00:07:38.759
<v Speaker 2>Ah. Yes, this is a classic oops vulnerability that attackers

163
00:07:38.879 --> 00:07:40.360
<v Speaker 2>just absolutely love to exploit.

164
00:07:40.519 --> 00:07:43.000
<v Speaker 1>So it starts with a configuration issue known as split

165
00:07:43.040 --> 00:07:47.480
<v Speaker 1>brain DNS. Let's say, inside my company, internally we use

166
00:07:47.519 --> 00:07:52.120
<v Speaker 1>the domain corp dot example dot org. Okay, my work laptop

167
00:07:52.160 --> 00:07:55.439
<v Speaker 1>knows that intranet dot corp dot example dot org is

168
00:07:55.480 --> 00:07:58.000
<v Speaker 1>a private internal server right down the.

169
00:07:57.920 --> 00:08:00.240
<v Speaker 2>Hall, right. But then you take that laptop back to

170
00:08:00.240 --> 00:08:02.959
<v Speaker 2>a coffee shop. Yep, you connect to the public Wi Fi,

171
00:08:03.199 --> 00:08:06.199
<v Speaker 2>and your laptop, just trying to be helpful, shouts out

172
00:08:06.199 --> 00:08:09.399
<v Speaker 2>to the local coffee shop DNS server, Hey, where's intranet dot

173
00:08:09.439 --> 00:08:11.040
<v Speaker 2>corp dot example dot org.

174
00:08:11.120 --> 00:08:13.720
<v Speaker 1>Because it's constantly looking for in the background, and since

175
00:08:13.759 --> 00:08:15.720
<v Speaker 1>I'm not on the corporate network, that query goes out

176
00:08:15.759 --> 00:08:16.600
<v Speaker 1>to the public Internet.

177
00:08:16.639 --> 00:08:19.720
<v Speaker 2>Now here is a real danger if your company doesn't

178
00:08:19.759 --> 00:08:23.639
<v Speaker 2>actually own the public registration for example dot org,

179
00:08:24.120 --> 00:08:26.480
<v Speaker 2>or if using an internal suffix that overlaps with a

180
00:08:26.680 --> 00:08:30.319
<v Speaker 2>real public top level domain, an attacker can just register

181
00:08:30.399 --> 00:08:30.959
<v Speaker 2>that domain.

182
00:08:31.279 --> 00:08:33.960
<v Speaker 1>So the attacker sets up a server on the public

183
00:08:33.960 --> 00:08:37.480
<v Speaker 1>Internet that simply says hey, I'm right here, and your.

184
00:08:37.440 --> 00:08:42.159
<v Speaker 2>Laptop fully believes them. Hudak specifically points out the danger

185
00:08:42.320 --> 00:08:44.200
<v Speaker 2>of the wpad dot dat

186
00:08:43.960 --> 00:08:48.480
<v Speaker 1>File here. WPAD, the web proxy auto-discovery file. That's the

187
00:08:48.519 --> 00:08:51.159
<v Speaker 1>file that basically tells the browser how to connect.

188
00:08:50.840 --> 00:08:54.000
<v Speaker 2>To the Internet right exactly, it configures your proxy settings. So

189
00:08:54.120 --> 00:08:58.159
<v Speaker 2>if the attacker serves their malicious WPAD file to your

190
00:08:58.240 --> 00:09:00.360
<v Speaker 2>laptop because of this DNS collision.

191
00:09:00.200 --> 00:09:02.480
<v Speaker 1>They designate themselves as your proxy.

192
00:09:02.240 --> 00:09:06.919
<v Speaker 2>Yep, and suddenly every single bank password, every email, every

193
00:09:06.960 --> 00:09:10.600
<v Speaker 2>session cookie you send flows directly through their server before

194
00:09:10.600 --> 00:09:11.799
<v Speaker 2>it goes to the real Internet.

195
00:09:11.919 --> 00:09:14.480
<v Speaker 1>That is terrifying efficiency. They don't even need to break

196
00:09:14.480 --> 00:09:16.720
<v Speaker 1>into your laptop. They just raise their hand when your

197
00:09:16.879 --> 00:09:18.440
<v Speaker 1>laptop asked for directions.

198
00:09:18.480 --> 00:09:20.960
<v Speaker 2>It's a man in the middle attack handed to them

199
00:09:21.000 --> 00:09:21.879
<v Speaker 2>on a silver platter.

200
00:09:22.279 --> 00:09:25.320
<v Speaker 1>So the hunt here, bringing it back to the hunter mindset,

201
00:09:25.600 --> 00:09:29.159
<v Speaker 1>isn't looking for malware. It's looking for your own internal assets,

202
00:09:29.200 --> 00:09:31.600
<v Speaker 1>trying to authenticate to things that shouldn't exist on the

203
00:09:31.600 --> 00:09:32.159
<v Speaker 1>public web.

204
00:09:32.360 --> 00:09:36.720
<v Speaker 2>Precisely, you are hunting for the misconfiguration before the attacker

205
00:09:36.759 --> 00:09:40.080
<v Speaker 2>finds it. You're looking for internal host names resolving to

206
00:09:40.120 --> 00:09:40.840
<v Speaker 2>public IPs.

207
00:09:41.120 --> 00:09:44.919
<v Speaker 1>That's brilliant, okay. Hunt number two comes from Chris Sanders,

208
00:09:45.320 --> 00:09:48.679
<v Speaker 1>and this one deals with proxy logs. Right now, Normally

209
00:09:48.840 --> 00:09:52.039
<v Speaker 1>we rely on our security vendors to categorize the web

210
00:09:52.080 --> 00:09:54.559
<v Speaker 1>for us. They tell us this site is sports, this

211
00:09:54.679 --> 00:09:56.799
<v Speaker 1>site is gambling, this one is malicious.

212
00:09:56.879 --> 00:09:59.399
<v Speaker 2>But the Internet is just too big. I mean, millions

213
00:09:59.399 --> 00:10:02.360
<v Speaker 2>of new domains are registered every single day. The vendors

214
00:10:02.399 --> 00:10:04.879
<v Speaker 2>simply can't categorize everything instantly, and.

215
00:10:04.840 --> 00:10:08.080
<v Speaker 1>Attackers know this. They're registering fresh domains for their command

216
00:10:08.120 --> 00:10:11.960
<v Speaker 1>and control servers, their C2s, constantly, just to avoid

217
00:10:12.000 --> 00:10:13.279
<v Speaker 1>those vendor blacklists.

218
00:10:13.399 --> 00:10:15.559
<v Speaker 2>Right, So when an attacker spins up a brand new

219
00:10:15.600 --> 00:10:18.559
<v Speaker 2>domain for a campaign today, the proxy vendor hasn't seen

220
00:10:18.600 --> 00:10:20.720
<v Speaker 2>it yet, it has zero reputation, so.

221
00:10:20.679 --> 00:10:24.480
<v Speaker 1>It just gets labeled uncategorized or unknown exactly. So Sanders

222
00:10:24.480 --> 00:10:27.559
<v Speaker 1>says the hunt should focus on that uncategorized bucket. But

223
00:10:27.679 --> 00:10:31.159
<v Speaker 1>isn't that incredibly noisy? I mean, legitimate news sites launch

224
00:10:31.279 --> 00:10:34.080
<v Speaker 1>all the time, small blogs, local pop up shops.

225
00:10:34.240 --> 00:10:36.799
<v Speaker 2>Oh, it could be very noisy. You definitely can't just

226
00:10:36.879 --> 00:10:40.720
<v Speaker 2>block all uncategorized traffic, or you'll completely break the Internet

227
00:10:40.799 --> 00:10:45.679
<v Speaker 2>for your users. But Sanders suggests correlating that uncategorized traffic

228
00:10:45.720 --> 00:10:47.879
<v Speaker 2>with frequency or beaconing behavior.

229
00:10:48.000 --> 00:10:51.679
<v Speaker 1>Ah right, because normal human web browsing is entirely sporadic.

230
00:10:51.960 --> 00:10:54.000
<v Speaker 1>I read a page, I click a link, I walk

231
00:10:54.039 --> 00:10:55.440
<v Speaker 1>away to get coffee exactly.

232
00:10:55.519 --> 00:11:00.279
<v Speaker 2>Humans are random, but malware beacons are rhythmic, where it

233
00:11:00.279 --> 00:11:02.120
<v Speaker 2>needs to check in with the C2 server for

234
00:11:02.159 --> 00:11:06.000
<v Speaker 2>instructions automated right. So if you see a machine inside

235
00:11:06.000 --> 00:11:09.679
<v Speaker 2>your network reaching out to an uncategorized domain every five

236
00:11:09.759 --> 00:11:11.799
<v Speaker 2>minutes exactly, twenty four hours.

237
00:11:11.600 --> 00:11:12.840
<v Speaker 1>A day, that's a heartbeat.

238
00:11:12.960 --> 00:11:15.679
<v Speaker 2>That's C2 traffic. That is the signal hidden in

239
00:11:15.720 --> 00:11:18.679
<v Speaker 2>the noise. It's hiding in the blind spot of the

240
00:11:18.679 --> 00:11:23.440
<v Speaker 2>categorization engine. But the behavior, the rhythm, gives it away completely.

241
00:11:24.039 --> 00:11:26.639
<v Speaker 1>Okay, Hunt number three. This one is honestly my favorite

242
00:11:26.639 --> 00:11:28.840
<v Speaker 1>because it feels exactly like running a spell checker. Because

243
00:11:28.840 --> 00:11:31.000
<v Speaker 1>this is from David Bianco on process impersonation.

244
00:11:31.200 --> 00:11:32.080
<v Speaker 2>It's so clever.

245
00:11:32.360 --> 00:11:35.720
<v Speaker 1>You know the standard Windows processes right, like svchost

246
00:11:35.480 --> 00:11:38.039
<v Speaker 2>dot exe, right, or lsass dot exe.

247
00:11:38.240 --> 00:11:42.919
<v Speaker 1>Exactly. And attackers know that sysadmins just scan process lists visually.

248
00:11:43.080 --> 00:11:44.440
<v Speaker 2>We read by pattern recognition.

249
00:11:44.799 --> 00:11:47.679
<v Speaker 1>We just scan. So if an attacker names their malware

250
00:11:48.159 --> 00:11:51.879
<v Speaker 1>scvhost, swapping the C and the V, yeah, your brain

251
00:11:52.039 --> 00:11:55.600
<v Speaker 1>just instinctively autocorrects it to svchost. You skip right

252
00:11:55.639 --> 00:11:55.960
<v Speaker 1>over it.

253
00:11:56.000 --> 00:11:56.960
<v Speaker 2>You don't even notice.

254
00:11:57.000 --> 00:11:59.320
<v Speaker 1>So how do you catch that without reading every single

255
00:11:59.360 --> 00:12:02.519
<v Speaker 1>line of a log like a lawyer proofreading a contract.

256
00:12:03.039 --> 00:12:06.480
<v Speaker 1>Bianco suggests using the Levenshtein distance algorithm.

257
00:12:06.600 --> 00:12:10.000
<v Speaker 2>It's a brilliant application of a string metric. The Levenshtein

258
00:12:10.039 --> 00:12:14.559
<v Speaker 2>distance simply counts the number of edits, meaning insertions, deletions,

259
00:12:14.679 --> 00:12:18.080
<v Speaker 2>or substitutions required to change one word into another word.

260
00:12:18.360 --> 00:12:21.519
<v Speaker 1>So changing svchost to scvhost is just swapping two letters, right.

261
00:12:21.559 --> 00:12:24.440
<v Speaker 2>And depending on the specific variant of the algorithm you use,

262
00:12:24.600 --> 00:12:28.039
<v Speaker 2>like the Damerau-Levenshtein one, a swap of adjacent characters

263
00:12:28.080 --> 00:12:30.039
<v Speaker 2>counts as a distance of exactly one.

264
00:12:30.200 --> 00:12:33.000
<v Speaker 1>So if the distance is zero, it's a perfect match.

265
00:12:33.000 --> 00:12:34.720
<v Speaker 1>It's the legitimate Windows file.

266
00:12:35.080 --> 00:12:38.480
<v Speaker 2>And if the distance is say ten, it's a totally

267
00:12:38.480 --> 00:12:41.559
<v Speaker 2>different word, entirely not suspicious in this context.

268
00:12:41.600 --> 00:12:43.000
<v Speaker 1>But if the distance is one or two.

269
00:12:43.399 --> 00:12:46.600
<v Speaker 2>That's the danger zone. That means someone is actively trying

270
00:12:46.639 --> 00:12:47.200
<v Speaker 2>to trick.

271
00:12:47.000 --> 00:12:49.840
<v Speaker 1>Your eyes exactly. So you just run a script that says,

272
00:12:50.120 --> 00:12:52.879
<v Speaker 1>show me every process name running in my environment that

273
00:12:52.960 --> 00:12:56.720
<v Speaker 1>has a Levenshtein distance of one from a known system binary.

274
00:12:56.960 --> 00:13:00.320
<v Speaker 2>It's mathematically identifying deception. Yeah, you don't have to rely

275
00:13:00.399 --> 00:13:02.919
<v Speaker 2>on your tired eyes at two am. You let the

276
00:13:02.960 --> 00:13:04.559
<v Speaker 2>math find the camouflage.

277
00:13:04.600 --> 00:13:07.399
<v Speaker 1>It's using the attacker's desire to blend in against them.

278
00:13:07.559 --> 00:13:08.200
<v Speaker 2>It really is.

279
00:13:08.519 --> 00:13:11.240
<v Speaker 1>But let's play this out. Let's assume we use these methods.

280
00:13:11.399 --> 00:13:14.600
<v Speaker 1>We found the typosquatted process, or we found the beaconing

281
00:13:14.639 --> 00:13:17.320
<v Speaker 1>proxy log. We actually found that the bad guy on

282
00:13:17.399 --> 00:13:17.840
<v Speaker 1>the network.

283
00:13:17.960 --> 00:13:18.279
<v Speaker 2>Okay.

284
00:13:18.480 --> 00:13:20.960
<v Speaker 1>Segment four of our Deep Dive covers the strategy of

285
00:13:21.000 --> 00:13:25.440
<v Speaker 1>the kill, and Scott Roberts introduces a genuinely controversial idea.

286
00:13:25.159 --> 00:13:26.399
<v Speaker 2>Here, the Hamilton dilemma.

287
00:13:26.519 --> 00:13:30.320
<v Speaker 1>Yes, he quotes the musical Hamilton regarding Aaron Burr, I am

288
00:13:30.360 --> 00:13:32.200
<v Speaker 1>not standing still. I am lying in wait.

289
00:13:32.399 --> 00:13:36.200
<v Speaker 2>Because the natural instinct of every single security and certainly

290
00:13:36.279 --> 00:13:40.480
<v Speaker 2>every manager is kill it right now, get them out right.

291
00:13:40.759 --> 00:13:42.879
<v Speaker 2>You see a bad IP, you block it. You see

292
00:13:42.919 --> 00:13:46.720
<v Speaker 2>an infected machine, you isolate it and reimage it immediately. But

293
00:13:46.879 --> 00:13:49.840
<v Speaker 2>Roberts argues that while that might be a tactical win,

294
00:13:50.279 --> 00:13:51.960
<v Speaker 2>it's often a strategic.

295
00:13:51.440 --> 00:13:54.679
<v Speaker 1>Loss because if you kill it immediately, you show your hand, you.

296
00:13:54.639 --> 00:13:55.919
<v Speaker 2>Tell the attacker I see you.

297
00:13:56.200 --> 00:13:56.440
<v Speaker 1>Yeah.

298
00:13:56.480 --> 00:13:59.120
<v Speaker 2>What do they do? They disappear, they patch their tool,

299
00:13:59.159 --> 00:14:01.919
<v Speaker 2>they change their IP, and they come back next week.

300
00:14:02.200 --> 00:14:03.799
<v Speaker 2>Using a method, you don't know about.

301
00:14:04.440 --> 00:14:07.919
<v Speaker 1>You've stopped the immediate bleeding, sure, but you've lost the intelligence.

302
00:14:08.000 --> 00:14:10.039
<v Speaker 1>You have no idea who they actually are or what

303
00:14:10.039 --> 00:14:12.720
<v Speaker 1>they were trying to steal exactly. But keeping them alive

304
00:14:12.960 --> 00:14:17.480
<v Speaker 1>that's incredibly risky. You're knowingly letting a threat actor operate

305
00:14:17.559 --> 00:14:20.759
<v Speaker 1>on your live network. How do you possibly justify that

306
00:14:20.840 --> 00:14:21.519
<v Speaker 1>to the business.

307
00:14:21.600 --> 00:14:25.000
<v Speaker 2>It's a highly calculated risk, and Roberts gives a checklist

308
00:14:25.039 --> 00:14:28.639
<v Speaker 2>for it. The first, absolutely most important question is is

309
00:14:28.679 --> 00:14:29.559
<v Speaker 2>the victim safe?

310
00:14:29.919 --> 00:14:30.159
<v Speaker 1>Right?

311
00:14:30.399 --> 00:14:34.000
<v Speaker 2>If the attacker is about to exfiltrate your entire customer database,

312
00:14:34.360 --> 00:14:37.240
<v Speaker 2>or if they're staging ransomware to encrypt your servers, you

313
00:14:37.360 --> 00:14:39.639
<v Speaker 2>kill it, yeah, immediately, game over.

314
00:14:39.840 --> 00:14:42.639
<v Speaker 1>But if they're just doing reconnaissance, if they're just looking

315
00:14:42.720 --> 00:14:44.320
<v Speaker 1>around the network.

316
00:14:44.039 --> 00:14:47.039
<v Speaker 2>Then you watch. You lie in wait. You sit back,

317
00:14:47.039 --> 00:14:49.279
<v Speaker 2>and you see what commands they type, You see what

318
00:14:49.320 --> 00:14:52.600
<v Speaker 2>other internal IPs they try to connect to. You map

319
00:14:52.639 --> 00:14:54.279
<v Speaker 2>out their entire infrastructure.

320
00:14:54.399 --> 00:14:57.200
<v Speaker 1>You wait until you can burn their entire operation to

321
00:14:57.279 --> 00:14:59.360
<v Speaker 1>the ground, not just chop off one tentacle.

322
00:14:59.440 --> 00:15:03.440
<v Speaker 2>Precisely, it fundamentally changes your role from being a digital

323
00:15:03.519 --> 00:15:08.879
<v Speaker 2>janitor just constantly cleaning up messes to doing actual counterintelligence.

324
00:15:09.080 --> 00:15:10.879
<v Speaker 1>You want to understand the human on the other side

325
00:15:10.879 --> 00:15:13.039
<v Speaker 1>of the keyboard. If you kick them out too early,

326
00:15:13.200 --> 00:15:14.720
<v Speaker 1>you never learn their objectives.

327
00:15:14.960 --> 00:15:17.120
<v Speaker 2>And that really brings us full circle, doesn't it. We

328
00:15:17.159 --> 00:15:20.159
<v Speaker 2>started with man versus machine. We talked about algorithms like

329
00:15:20.240 --> 00:15:24.919
<v Speaker 2>Levenshtein distance and automated tools like proxies, but ultimately Huntpedia

330
00:15:24.960 --> 00:15:26.960
<v Speaker 2>keeps coming back to the fact that this is

331
00:15:27.000 --> 00:15:28.360
<v Speaker 2>a human on human fight.

332
00:15:28.720 --> 00:15:32.559
<v Speaker 1>It really is. Automation handles the known threats. It clears

333
00:15:32.600 --> 00:15:34.679
<v Speaker 1>out that low hanging fruit at the bottom of the

334
00:15:34.679 --> 00:15:37.840
<v Speaker 1>pyramid of pain. It blocks the bad IPs and the

335
00:15:37.840 --> 00:15:38.639
<v Speaker 1>known hashes.

336
00:15:38.960 --> 00:15:41.440
<v Speaker 2>But the top of the pyramid is creative. It's novel,

337
00:15:42.000 --> 00:15:44.799
<v Speaker 2>and it takes a human mind to spot the anomaly

338
00:15:45.000 --> 00:15:47.440
<v Speaker 2>that an algorithm simply ignores because it hasn't.

339
00:15:47.200 --> 00:15:50.600
<v Speaker 1>Seen it before. A machine sees data. A hunter sees intent.

340
00:15:50.320 --> 00:15:54.559
<v Speaker 2>Well put. The sources heavily emphasize that while AI

341
00:15:54.679 --> 00:15:57.879
<v Speaker 2>and machine learning are great, they are not a replacement

342
00:15:58.120 --> 00:16:02.080
<v Speaker 2>for human intuition. It's a human being; they will make mistakes,

343
00:16:02.279 --> 00:16:04.320
<v Speaker 2>they will have observable patterns. Right.

344
00:16:04.519 --> 00:16:06.919
<v Speaker 1>A machine might miss the typo in the process name

345
00:16:06.960 --> 00:16:10.000
<v Speaker 1>because it doesn't understand the intent to deceive, But a

346
00:16:10.039 --> 00:16:13.639
<v Speaker 1>human hunter, armed with the right hypothesis will catch it

347
00:16:13.840 --> 00:16:17.039
<v Speaker 1>every time exactly, which brings me to a final thought

348
00:16:17.039 --> 00:16:19.320
<v Speaker 1>for you to chew on. We talked a lot today

349
00:16:19.360 --> 00:16:22.559
<v Speaker 1>about how automation handles the bottom of the pyramid for us,

350
00:16:22.639 --> 00:16:26.559
<v Speaker 1>the defenders. But what happens when the attackers start using

351
00:16:26.639 --> 00:16:28.919
<v Speaker 1>AI to automate the top of the pyramid?

352
00:16:29.360 --> 00:16:30.879
<v Speaker 2>Ooh, that's a scary thought, right.

353
00:16:31.240 --> 00:16:34.759
<v Speaker 1>What happens when they use large language models to dynamically

354
00:16:34.799 --> 00:16:37.399
<v Speaker 1>rewrite their TTPs on the fly, so there is no

355
00:16:37.480 --> 00:16:40.720
<v Speaker 1>consistent behavioral pattern for us to track. The top of

356
00:16:40.759 --> 00:16:43.960
<v Speaker 1>the pyramid becomes completely fluid. That is the next frontier

357
00:16:43.960 --> 00:16:46.600
<v Speaker 1>of hunting, and it's going to require even more human

358
00:16:46.639 --> 00:16:47.919
<v Speaker 1>creativity to solve it.

359
00:16:48.000 --> 00:16:49.720
<v Speaker 2>Absolutely will, So for.

360
00:16:49.720 --> 00:16:52.480
<v Speaker 1>Everyone listening, don't just sit there waiting for the red

361
00:16:52.559 --> 00:16:55.080
<v Speaker 1>light on your dashboard to blink. That's the old way.

362
00:16:55.440 --> 00:16:57.480
<v Speaker 1>The challenge that Huntpedia leaves us with is to

363
00:16:57.519 --> 00:17:01.159
<v Speaker 1>be proactive. Ask yourself today, if I were trying to

364
00:17:01.240 --> 00:17:03.039
<v Speaker 1>hide in my own network, where would I go?

365
00:17:03.159 --> 00:17:05.240
<v Speaker 2>And then go? Look there? Happy hunting.

366
00:17:05.480 --> 00:17:07.240
<v Speaker 1>Thanks for joining us. We'll catch you on the next

367
00:17:07.240 --> 00:17:07.720
<v Speaker 1>deep dive.
