WEBVTT 1 00:00:00.000 --> 00:00:01.679 All right, So get this. You're about to be a 2 00:00:01.679 --> 00:00:05.480 cyber detective for a day. We're diving deep into thread hunting. 3 00:00:05.599 --> 00:00:06.799 Oh wow, and. 4 00:00:07.000 --> 00:00:09.839 You've provided us with a playbook to help us out here. Okay, 5 00:00:09.919 --> 00:00:12.439 bread hunting playbooks for minor tactics, all right. 6 00:00:12.640 --> 00:00:12.919 Cool. 7 00:00:13.199 --> 00:00:16.039 Think of it like this, someone is trying to break 8 00:00:16.079 --> 00:00:19.679 into a high tech company called Digitech. Okay, We're going 9 00:00:19.760 --> 00:00:22.480 to follow along step by step and see how security 10 00:00:22.519 --> 00:00:23.679 experts try to catch them. 11 00:00:23.879 --> 00:00:26.039 It's like we have a front row seat to a 12 00:00:26.039 --> 00:00:29.399 digital crime scene. We'll be looking for those subtle clues, 13 00:00:29.440 --> 00:00:31.879 you know, those fingerprints that attackers leap. 14 00:00:31.760 --> 00:00:36.079 Behind, exactly. And this playbook uses something called I dre 15 00:00:36.719 --> 00:00:40.280 At and CK tactics, which is basically a library of 16 00:00:40.320 --> 00:00:43.920 all the sneaky things that attackers might try. Yeah, kind 17 00:00:43.920 --> 00:00:45.719 of like a hacker's encyclopedia of evil. 18 00:00:45.840 --> 00:00:48.039 Right, that's a great way to put it. It's a 19 00:00:48.119 --> 00:00:52.840 cheat sheet of adversary behavior and help security teams anticipate 20 00:00:52.880 --> 00:00:54.560 and detect potential threats. 21 00:00:54.840 --> 00:00:58.039 Okay, So let's imagine our hacker, we'll call him Shadow, 22 00:00:58.560 --> 00:01:02.479 is starting his attack. Right. The first phase is reconnaissance. 23 00:01:03.159 --> 00:01:06.439 He wants to scope out Digitech, figure out their weaknesses, 24 00:01:06.599 --> 00:01:09.239 kind of like casing the joint before robbery exactly. 25 00:01:09.280 --> 00:01:13.120 Reconnaissance is all about gathering information. In the physical world, 26 00:01:13.159 --> 00:01:17.959 it might be observing security patrols or testing door handles. 27 00:01:18.599 --> 00:01:21.840 In the digital world, it's about scanning networks, probing for 28 00:01:21.959 --> 00:01:24.760 open ports, and looking for vulnerabilities. 29 00:01:25.079 --> 00:01:28.799 So Shadow is lurking in the shadows trying to gather 30 00:01:28.959 --> 00:01:30.280 intel on digitech. 31 00:01:30.760 --> 00:01:35.359 Yeah, and you know it's interesting. Attackers are getting really 32 00:01:35.359 --> 00:01:38.959 good at blending in. They might even mimic normal user 33 00:01:39.000 --> 00:01:40.640 behavior to avoid detection. 34 00:01:41.280 --> 00:01:45.120 That's right. Wow. They might slowly gather information over time, 35 00:01:45.599 --> 00:01:49.760 making their activity appear less suspicious. Yeah, it's a constant 36 00:01:49.799 --> 00:01:53.319 cat and mouse game between attackers trying to stay hidden 37 00:01:53.640 --> 00:01:55.079 and defenders trying to spot them. 38 00:01:55.120 --> 00:01:57.879 This is already making me paranoid. How do we catch 39 00:01:57.959 --> 00:02:01.400 Shadow in the act? Do we even begin to look 40 00:02:01.439 --> 00:02:02.920 for these digital breadcrumbs? 41 00:02:03.000 --> 00:02:05.879 Well, one place to start is by examining Windows logs. 42 00:02:06.359 --> 00:02:06.640 Okay. 43 00:02:06.840 --> 00:02:09.280 These are like security cameras for your computer systems. 44 00:02:09.639 --> 00:02:13.479 They record every event from user logins to file accesses, 45 00:02:13.840 --> 00:02:16.080 giving us a detailed timeline of activity. 46 00:02:16.120 --> 00:02:18.479 Wait, so every time I log in, every file I open, 47 00:02:18.520 --> 00:02:21.639 it's all being recorded. Yes, that's kind of creepy, but 48 00:02:21.680 --> 00:02:22.560 also super helpful. 49 00:02:22.639 --> 00:02:27.840 It it is, especially if we suspect something fishy. For instance, 50 00:02:28.000 --> 00:02:31.919 imagine seeing a spike in failed log in attempts on 51 00:02:32.000 --> 00:02:35.759 a server outside of business hours. That could be Shadow 52 00:02:35.840 --> 00:02:37.479 trying to brute force this way in. 53 00:02:37.960 --> 00:02:40.639 Or maybe just an employee forgetting their password after a 54 00:02:40.680 --> 00:02:41.280 long weekend. 55 00:02:41.560 --> 00:02:44.960 Maybe. Yeah, but that's where threat hunting comes in. We 56 00:02:45.000 --> 00:02:49.560 don't just look at individual events in isolation. We analyze patterns, 57 00:02:50.000 --> 00:02:52.599 look for anomalies, try to connect the dots. 58 00:02:52.840 --> 00:02:55.599 So it's not just about finding a smoking gun, it's 59 00:02:55.639 --> 00:02:58.879 about piecing together the evidence like a digital detective. 60 00:02:59.039 --> 00:03:03.360 Precisely, one failed login might be nothing, yeah, but a 61 00:03:03.360 --> 00:03:06.919 sudden flood of them, especially from unusual IP addresses, that's 62 00:03:06.919 --> 00:03:07.759 when we dig deeper. 63 00:03:07.840 --> 00:03:10.599 Okay, let's say Shadow has finished his recon and gathered 64 00:03:10.719 --> 00:03:13.599 enough intel on Digitech. What happens next. 65 00:03:13.840 --> 00:03:16.960 That's where the developing resources stage comes in. Okay, Now 66 00:03:17.039 --> 00:03:21.080 Shadow needs tools and access points within Digitechs network to 67 00:03:21.159 --> 00:03:25.120 actually launch his attack. Think of it like smuggling weapons 68 00:03:25.199 --> 00:03:26.280 into a fortress. 69 00:03:26.479 --> 00:03:29.280 Hold on. So he's not just breaking in, right, He's 70 00:03:29.319 --> 00:03:31.120 setting up shop inside their network. 71 00:03:31.159 --> 00:03:34.960 That's scary it is. Yeah, attackers are essentially building their 72 00:03:35.120 --> 00:03:38.560 arsenal within your network. Wow, they might even use your 73 00:03:38.560 --> 00:03:39.840 own systems against you. 74 00:03:40.000 --> 00:03:43.000 Okay, now I'm really paranoid. But how would Shadow even 75 00:03:43.039 --> 00:03:44.080 get those tools in? 76 00:03:44.319 --> 00:03:44.560 Right? 77 00:03:45.120 --> 00:03:47.240 It's not like he can just upload a hacking toolkit 78 00:03:47.280 --> 00:03:48.680 to their server, right he. 79 00:03:48.719 --> 00:03:53.159 Might try, Yeah, but more often attackers exploit vulnerabilities in 80 00:03:53.240 --> 00:03:56.879 software or use social engineering tactics like phishing preaching. 81 00:03:56.879 --> 00:03:59.479 That's where those sneaky emails come in, Yes, trying to 82 00:03:59.520 --> 00:04:04.120 trick and plays into giving away passwords or downloading malware exactly. 83 00:04:03.840 --> 00:04:07.360 And this is where our playbook focuses on initial access. Okay, 84 00:04:07.439 --> 00:04:11.439 remember those urgent emails about your account being compromised or 85 00:04:11.479 --> 00:04:15.159 those important attachments you never expected? Those could be shadows 86 00:04:15.199 --> 00:04:15.520 way in. 87 00:04:16.560 --> 00:04:18.920 I've gotten so many of those, right, I was just 88 00:04:18.920 --> 00:04:19.879 delete them right away. 89 00:04:19.959 --> 00:04:20.480 That's good. 90 00:04:20.680 --> 00:04:23.680 Yeah, but what about PowerShell? Oh yeah, I've heard that 91 00:04:23.720 --> 00:04:24.600 can be dangerous too. 92 00:04:24.680 --> 00:04:27.519 It can be. It's a very powerful tool that a 93 00:04:27.560 --> 00:04:31.639 lot of system administrators use, right, but attackers can also 94 00:04:31.680 --> 00:04:32.560 take advantage of it. 95 00:04:32.759 --> 00:04:35.000 Oh, so I've got to be careful about that too. 96 00:04:34.959 --> 00:04:35.879 Yeah, definitely. 97 00:04:35.959 --> 00:04:38.920 So basically I should treat every email like it's a 98 00:04:39.000 --> 00:04:40.079 Nigerian print scam. 99 00:04:40.439 --> 00:04:43.519 Got it, It's not a bad strategy. Yeah, a healthy 100 00:04:43.560 --> 00:04:46.600 dose of skepticism can go a long way in cybersecurity. 101 00:04:46.800 --> 00:04:50.759 Okay, So let's say Shadow successfully tricks someone at Digitech 102 00:04:50.800 --> 00:04:54.360 into opening a malicious attachment. Okay, we're clicking a bad link. 103 00:04:54.959 --> 00:04:57.439 What happens then? Does he have full access? Now? 104 00:04:57.959 --> 00:05:02.120 Not necessarily, he's breached the perimeter, but he still needs 105 00:05:02.120 --> 00:05:05.399 to execute his malicious code. Think of it like this. Okay, 106 00:05:05.439 --> 00:05:07.800 he's snuck into the building, but he still needs to 107 00:05:07.839 --> 00:05:09.439 find the control room to take over. 108 00:05:09.759 --> 00:05:14.319 All right, So Shadows in, but he's not in control yet. Right. 109 00:05:14.560 --> 00:05:17.879 What does this execution phase look like? In the digital world. 110 00:05:17.720 --> 00:05:22.399 We're talking about running malicious code, basically unleashing the attack. Okay, 111 00:05:22.480 --> 00:05:25.439 and it can leave some pretty telltale signs, like what 112 00:05:25.800 --> 00:05:29.439 we might see files being executed from unusual locations like 113 00:05:29.519 --> 00:05:34.120 a temporary directory, or programs being launched with strange command 114 00:05:34.199 --> 00:05:35.079 line arguments. 115 00:05:35.199 --> 00:05:37.319 Wait, so the location of a file matters? 116 00:05:37.959 --> 00:05:38.360 It does? 117 00:05:38.439 --> 00:05:40.959 I just assumed it could run from anywhere it can. 118 00:05:40.920 --> 00:05:44.920 But it's unusual. Think of it this way. You usually 119 00:05:44.959 --> 00:05:48.680 wouldn't store your valuable jewelry in the garage, right, Yeah, 120 00:05:48.800 --> 00:05:51.319 good points, same idea with files, Okay, they usually run 121 00:05:51.360 --> 00:05:55.480 from specific authorized directories. Anything else raises a red flag. 122 00:05:55.560 --> 00:05:57.680 Okay, that makes sense. Yeah, so if we see a 123 00:05:57.680 --> 00:06:01.000 program launching from a weird spot, right, that's a signed shadow, 124 00:06:01.040 --> 00:06:02.920 might be up to no good, That's right. What else 125 00:06:02.920 --> 00:06:03.680 would tip us off? 126 00:06:04.120 --> 00:06:07.959 We'd also be looking for unauthorized use of certain file types. 127 00:06:08.079 --> 00:06:08.439 Okay. 128 00:06:08.680 --> 00:06:13.639 Imagine seeing an executable file dot ex disguised as an 129 00:06:13.680 --> 00:06:19.000 innocent document dot doc. That's a classic sign of malware 130 00:06:19.199 --> 00:06:21.079 trying to hide its true nature. 131 00:06:21.160 --> 00:06:23.560 So it's like putting a scary mask on a harmless 132 00:06:23.600 --> 00:06:25.959 teddy bear to trick people exactly, thanky. 133 00:06:26.199 --> 00:06:29.439 And of course, if we find a known malware signature, 134 00:06:29.920 --> 00:06:33.160 that's a major red flag. It's like finding shadows fingerprints 135 00:06:33.160 --> 00:06:34.120 at the scene of the crime. 136 00:06:34.720 --> 00:06:37.800 Okay, I'm starting to feel like a real cyber detective here. Yeah. 137 00:06:37.879 --> 00:06:41.439 So we've got shadows recon his sneaky entry and now 138 00:06:41.480 --> 00:06:45.279 the execution of his attack. What's next in his evil plan? 139 00:06:45.959 --> 00:06:47.800 What's he going to do now that he's gotten this far. 140 00:06:48.079 --> 00:06:50.800 Well, he's not gonna just pack up and leave now, 141 00:06:51.480 --> 00:06:54.920 you know, attackers are persistent, like a stubborn virus. Oh yeah, 142 00:06:55.000 --> 00:06:58.519 even if we detect and block shadows initial attack, he's 143 00:06:58.560 --> 00:07:01.399 going to try and stick around find ways to maintain 144 00:07:01.439 --> 00:07:02.079 his access. 145 00:07:02.759 --> 00:07:05.040 So even if we catch him red handed, he's going 146 00:07:05.120 --> 00:07:06.759 to try and slip back in and talk about a 147 00:07:06.800 --> 00:07:08.879 bad house guest. How don't even do that? 148 00:07:08.959 --> 00:07:12.120 They establish what we call persistence, a way to maintain 149 00:07:12.160 --> 00:07:14.959 a foothold even if their initial access is cut off. 150 00:07:15.600 --> 00:07:18.040 Think of it like leaving a hidden back door key 151 00:07:18.240 --> 00:07:18.879 just in case. 152 00:07:19.199 --> 00:07:23.800 Okay, that makes sense. But wouldn't our security systems notice 153 00:07:23.800 --> 00:07:24.519 something like that. 154 00:07:24.920 --> 00:07:28.920 They might. Yeah, but attackers are clever, right. They exploit 155 00:07:29.120 --> 00:07:32.959 legitimate system tools and processes to blend in. 156 00:07:33.079 --> 00:07:36.439 So they're using our own tools against us. That's sneaky, 157 00:07:36.720 --> 00:07:37.800 it is. Yeah. 158 00:07:38.000 --> 00:07:42.920 Imagine Shadow creating a hidden scheduled task okay that runs 159 00:07:43.000 --> 00:07:45.639 his malicious code every day at three am. 160 00:07:45.959 --> 00:07:46.639 Oh wow. 161 00:07:46.959 --> 00:07:50.439 Or maybe he modifies a registry key okay, to ensure 162 00:07:50.439 --> 00:07:52.959 his malware loads every time the computer starts up. 163 00:07:53.000 --> 00:07:55.879 Hold on registry keys. Those sound complicated. I make sure 164 00:07:55.920 --> 00:07:56.839 I want to know what those are. 165 00:07:56.920 --> 00:07:58.839 Don't worry. You don't need to be a tech whiz 166 00:07:58.839 --> 00:08:01.639 to understand the concept. I think of the registry as 167 00:08:01.639 --> 00:08:05.319 a giant control panel for your computer. Attackers can tweak 168 00:08:05.360 --> 00:08:07.600 those settings to do all sorts of sneaky things. 169 00:08:07.680 --> 00:08:10.839 Okay, I'm getting a mental image of Shadow fiddling with 170 00:08:10.839 --> 00:08:13.560 a bunch of dials and switches behind the scenes. But 171 00:08:13.680 --> 00:08:17.120 if he's hiding in plain sight, how do we even 172 00:08:17.319 --> 00:08:19.519 find those persistence mechanisms. 173 00:08:19.600 --> 00:08:21.279 That's where our threat hunting skills come in. 174 00:08:21.519 --> 00:08:21.920 Okay. 175 00:08:22.000 --> 00:08:25.040 We need to know what normal activity looks like so 176 00:08:25.079 --> 00:08:26.800 we can spot anything out of place. 177 00:08:27.079 --> 00:08:29.040 So it's like knowing that your neighbor always leaves for 178 00:08:29.079 --> 00:08:29.879 work at eight am. 179 00:08:30.120 --> 00:08:32.919 Exactly if you see their car leaving at three am, 180 00:08:33.440 --> 00:08:37.320 you know something's up right. Okay, we establish baselines of 181 00:08:37.399 --> 00:08:42.440 normal behavior and look for deviations. Gotcha, unexpected scheduled tasks, 182 00:08:42.840 --> 00:08:47.200 modified registry keys, changes to system files. These are all 183 00:08:47.279 --> 00:08:49.919 red flags that might indicate persistence. 184 00:08:50.080 --> 00:08:55.200 Okay. Let's say we've managed to detect and disrupt shadows persistence, 185 00:08:55.279 --> 00:08:57.879 All right, Is he finally gone for good? Not? 186 00:08:57.960 --> 00:09:00.480 If he can help it, he might try to escalate 187 00:09:00.519 --> 00:09:04.080 his privileges next. Remember, he might have gotten in, but 188 00:09:04.200 --> 00:09:07.320 he's likely still operating with limited access. Okay, he wants 189 00:09:07.360 --> 00:09:09.799 to gain admin rights. The keys to the Kingdom. 190 00:09:09.960 --> 00:09:11.639 So he's like a thief who's snuck in through a 191 00:09:11.679 --> 00:09:13.639 window but now wants to find the master key to 192 00:09:13.759 --> 00:09:15.279 unlock every room exactly. 193 00:09:16.000 --> 00:09:19.919 And that's where privileged escalation comes in. Shadow wants to 194 00:09:19.919 --> 00:09:24.200 elevate his access, gain control over more systems, and ultimately 195 00:09:24.240 --> 00:09:25.559 inflict more damage. 196 00:09:25.679 --> 00:09:27.480 Okay, so how does he pull that off? Does he 197 00:09:27.600 --> 00:09:30.000 just like type in a magic password or something. 198 00:09:30.120 --> 00:09:32.080 I wish it were that easy. Yeah, he's going to 199 00:09:32.120 --> 00:09:37.399 exploit vulnerabilities and software misconfigurations and systems, or even try 200 00:09:37.440 --> 00:09:40.200 to steal credentials from unsuspecting users. 201 00:09:40.279 --> 00:09:43.000 Oh man, that's tricky. So he could be targeting those 202 00:09:43.000 --> 00:09:43.879 employees who use. 203 00:09:43.799 --> 00:09:48.039 Weak passwords exactly or reuse the same password for everything, right, Yeah, 204 00:09:48.120 --> 00:09:51.720 remember that your password has expired email you ignored last week. 205 00:09:53.000 --> 00:09:54.360 Shadow might be counting on that. 206 00:09:55.159 --> 00:09:58.759 This guy is relentless. But how do we spot him 207 00:09:58.759 --> 00:10:00.679 if he's constantly changing tactics. 208 00:10:01.399 --> 00:10:05.440 We look for suspicious user account activity. Imagine seeing a 209 00:10:05.480 --> 00:10:09.080 sudden change in a user's group membership, or someone logging 210 00:10:09.120 --> 00:10:11.519 in at odd hours from an unusual location. 211 00:10:11.720 --> 00:10:14.240 So anything out of the ordinary, anything that doesn't fit 212 00:10:14.320 --> 00:10:15.039 the usual. 213 00:10:14.799 --> 00:10:18.039 Pattern precisely, and we'd also be on the lookout for 214 00:10:18.200 --> 00:10:22.559 commands being executed with elevated privileges. If a regular user 215 00:10:22.639 --> 00:10:27.120 suddenly tries to access sensitive system files, that's a huge 216 00:10:27.159 --> 00:10:27.720 red flag. 217 00:10:27.840 --> 00:10:30.000 Okay, I'm starting to understand how this works. It's all 218 00:10:30.000 --> 00:10:32.440 about knowing what's normal and then looking for anything that 219 00:10:32.519 --> 00:10:35.559 deviates from that baseline. That's right, But I have to ask, 220 00:10:36.240 --> 00:10:41.399 wouldn't most companies have firewalls and anti virus software, of course, 221 00:10:41.480 --> 00:10:42.799 to block this kind of stuff. 222 00:10:42.919 --> 00:10:46.679 They do, but attackers are constantly finding new ways to 223 00:10:46.799 --> 00:10:50.759 bypass those defenses. Oh wow, they're masters of disguise, always 224 00:10:50.799 --> 00:10:54.360 evolving their techniques. So it's a never ending arms race, 225 00:10:54.559 --> 00:10:57.480 it is, and that's why defense evasion is a crucial 226 00:10:57.559 --> 00:11:01.519 tactic in Shadows. Playbook does want to be caught, so 227 00:11:01.559 --> 00:11:06.120 he'll try to disable security tools, oh god, tamper with logs, 228 00:11:06.480 --> 00:11:09.720 or even use legitimate programs for malicious purposes. 229 00:11:09.759 --> 00:11:12.039 Wait, I thought we were talking about evil PowerShell earlier 230 00:11:12.080 --> 00:11:12.480 we were. 231 00:11:12.759 --> 00:11:15.399 Is that what you mean by using legitimate programs for 232 00:11:15.480 --> 00:11:20.120 bad stuff? That's a perfect example. Okay, PowerShell is incredibly powerful, right, 233 00:11:20.440 --> 00:11:22.440 but in the wrong hands, it can be used to 234 00:11:22.559 --> 00:11:27.200 run malicious scripts, download malware, and even steal data. 235 00:11:27.279 --> 00:11:29.399 So it's like a chef's knife. Yeah, can be used 236 00:11:29.399 --> 00:11:32.360 to create a delicious meal or something much less. 237 00:11:32.159 --> 00:11:34.960 Desirable exactly, And that's why threat hunters need to be 238 00:11:35.000 --> 00:11:38.039 familiar with these tools and understand how they can be misused. 239 00:11:38.200 --> 00:11:40.320 Okay, I'm getting a picture of how sneaky this whole 240 00:11:40.320 --> 00:11:46.559 thing is. But wouldn't shadow need passwords or log in credentials? 241 00:11:46.840 --> 00:11:50.120 He would to really gain control? How does he get 242 00:11:50.159 --> 00:11:50.840 his hands on those? 243 00:11:51.200 --> 00:11:52.960 That's where credential access comes in. 244 00:11:53.320 --> 00:11:53.679 Okay. 245 00:11:53.919 --> 00:11:56.200 Think of it as shatter trying to steal the keys 246 00:11:56.200 --> 00:11:58.600 to the kingdom, right. He wants those user names and 247 00:11:58.600 --> 00:11:59.879 passwords that unlock all the. 248 00:12:00.399 --> 00:12:01.759 And I bet he's got a few tricks up his 249 00:12:01.840 --> 00:12:02.840 sleeve to do just that. 250 00:12:03.000 --> 00:12:06.600 Oh he does. Yeah, we're talking brute force attacks okay, 251 00:12:06.639 --> 00:12:10.960 where he tries to guess passwords by trying every possible combination. 252 00:12:11.279 --> 00:12:12.600 Wouldn't that take forever? 253 00:12:12.840 --> 00:12:17.120 It can, which is why attackers often target weak passwords 254 00:12:17.639 --> 00:12:22.279 or use sophisticated techniques like dictionary attacks, which use lists 255 00:12:22.320 --> 00:12:23.879 of commonly used passwords. 256 00:12:23.879 --> 00:12:26.120 So this is why we're always told to use strong, 257 00:12:26.279 --> 00:12:27.159 unique passwords. 258 00:12:27.279 --> 00:12:30.240 Yeah makes sense, now, it's absolutely crucial. Yeah, and don't 259 00:12:30.279 --> 00:12:31.200 forget about fishing. 260 00:12:31.759 --> 00:12:32.600 Oh right. 261 00:12:32.639 --> 00:12:35.200 Shadow might try to trick employees into giving away their 262 00:12:35.200 --> 00:12:39.360 credentials okay, through fake login pages or malicious emails. 263 00:12:39.399 --> 00:12:42.960 Okay, fishing again. This guy loves to fish, he does. Yeah, 264 00:12:42.960 --> 00:12:46.159 but what if those passwords are encrypted or protected? Somehow 265 00:12:46.440 --> 00:12:47.440 can he still get them? 266 00:12:47.600 --> 00:12:51.080 He might try to use keyloggers what are those which 267 00:12:51.120 --> 00:12:52.639 record every keystroke you make? 268 00:12:52.759 --> 00:12:52.879 Oh? 269 00:12:52.960 --> 00:12:57.039 Wow, including passwords. Or he might attempt to dump passwords 270 00:12:57.039 --> 00:13:00.000 from memory, essentially capturing them while they're being used. 271 00:13:00.240 --> 00:13:03.840 Wow, that's some next level hacking. It's like he's reading minds. 272 00:13:05.000 --> 00:13:06.360 It is pretty sophisticated. 273 00:13:06.440 --> 00:13:10.279 Yeah, okay, let's say Shadow has managed to gain access, 274 00:13:11.120 --> 00:13:14.600 escalate his privileges, and even snag some credentials. Okay, what 275 00:13:14.639 --> 00:13:15.879 does he do with all that power? 276 00:13:16.200 --> 00:13:20.200 He moves into the discovery phase, which is all about 277 00:13:20.480 --> 00:13:24.720 mapping out the network okay, identifying valuable assets and figuring 278 00:13:24.799 --> 00:13:25.799 out his next move. 279 00:13:25.919 --> 00:13:29.480 So he's like a burglar who's finally broken into the vault. Yes, 280 00:13:29.519 --> 00:13:31.279 but now needs to figure out which jewels are the 281 00:13:31.320 --> 00:13:32.039 most valuable. 282 00:13:32.120 --> 00:13:35.080 That's a great analogy. Yeah, he's going to use network 283 00:13:35.159 --> 00:13:39.519 scanning tools to see what systems are connected, what software 284 00:13:39.519 --> 00:13:42.039 they're running, and what vulnerabilities he can exploit. 285 00:13:42.200 --> 00:13:45.840 So he's essentially creating a treasure map of Digitech's network 286 00:13:46.039 --> 00:13:48.240 exactly highlighting all the valuable targets. 287 00:13:48.279 --> 00:13:52.799 He might also try to gather system configuration information, look 288 00:13:52.879 --> 00:13:56.679 for sensitive files, and even map out the network topology 289 00:13:56.720 --> 00:13:58.279 to see how everything is connected. 290 00:13:58.320 --> 00:14:03.759 Okay, so Shadow's done his reco established persistence, escalated his privileges, 291 00:14:04.519 --> 00:14:07.200 and now he's got a map of all the juicy targets. Yes, 292 00:14:07.559 --> 00:14:08.200 what's next. 293 00:14:08.559 --> 00:14:10.240 That's where lateral movement comes in. 294 00:14:10.360 --> 00:14:10.679 Okay. 295 00:14:10.919 --> 00:14:14.399 Shadow is rarely content to stay in one place. He 296 00:14:14.480 --> 00:14:18.360 wants to move around the network, expand his access and 297 00:14:18.480 --> 00:14:21.639 reach those high value targets he identified during discovery. 298 00:14:21.960 --> 00:14:24.879 So he's like a spider weaving his web across the 299 00:14:25.039 --> 00:14:25.879 entire network. 300 00:14:26.080 --> 00:14:27.879 That's a great way to put it. Yeah, he's going 301 00:14:27.960 --> 00:14:30.879 to use a variety of techniques to move laterally. 302 00:14:30.679 --> 00:14:34.399 Hold on, what exactly does lateral movement mean? Is he 303 00:14:34.480 --> 00:14:35.759 physically moving around? 304 00:14:36.000 --> 00:14:40.440 Not physically, No, it's about hopping from one system to another, 305 00:14:41.000 --> 00:14:45.120 usually by exploiting vulnerabilities or using stolen credentials. Think of 306 00:14:45.159 --> 00:14:47.799 it like this. He starts in the mail room, then 307 00:14:48.000 --> 00:14:52.399 uses someone's stolen login to access the accounting department. Then 308 00:14:52.399 --> 00:14:53.960 it hops over to the research lab. 309 00:14:54.120 --> 00:14:58.120 Okay, that makes sense. Yeah, but wouldn't those systems be protected? 310 00:14:58.279 --> 00:14:59.799 How can he just jump from one. 311 00:14:59.720 --> 00:15:03.320 To the That's where exploits and vulnerabilities come in. 312 00:15:03.440 --> 00:15:04.039 Oh okay. 313 00:15:04.120 --> 00:15:08.360 Software often has flaws, and attackers like Shadow are constantly 314 00:15:08.440 --> 00:15:10.840 looking for ways to exploit those weaknesses. 315 00:15:10.960 --> 00:15:13.519 So it's like finding a loose brick in a wall, exact, 316 00:15:13.600 --> 00:15:15.080 and using it to pry your way in. 317 00:15:15.360 --> 00:15:19.639 And one Shadow gains access to one system, he can 318 00:15:19.720 --> 00:15:22.879 use that as a launching point to attack others. Right, 319 00:15:23.200 --> 00:15:25.960 it's a chain reaction. Oh wow, and it can be 320 00:15:26.159 --> 00:15:27.240 very difficult to contain. 321 00:15:27.320 --> 00:15:31.080 Okay, this is getting intensity. Yeah, so Shadows moving laterally, 322 00:15:31.519 --> 00:15:36.080 spreading his reach across the network. What's he aiming for? 323 00:15:36.200 --> 00:15:37.600 What's the ultimate goal of all this? 324 00:15:37.879 --> 00:15:41.559 The ultimate goal is often collection, where Shadow gathers the 325 00:15:41.639 --> 00:15:44.519 data he wants to steal. Right, this could be anything 326 00:15:44.600 --> 00:15:49.159 from customer information to financial records to intellectual property. 327 00:15:49.279 --> 00:15:51.440 So he's finally going for the crown Jewels. 328 00:15:51.159 --> 00:15:53.360 Exact, the real treasure, and he's going to use a 329 00:15:53.440 --> 00:15:55.440 variety of techniques to get his hands. 330 00:15:55.200 --> 00:15:58.720 On it, Like, what, how does he actually steal the data? 331 00:15:59.519 --> 00:16:03.440 He might try to access sensitive files directly, copy them 332 00:16:03.440 --> 00:16:07.080 to an external location, or even compress and encrypt the 333 00:16:07.200 --> 00:16:09.480 data to make it easier to xfiltrate. 334 00:16:09.759 --> 00:16:12.279 Xfiltree sounds fancy. What does that mean. 335 00:16:12.759 --> 00:16:16.000 It's just a fancy word for getting the data out. Okay, 336 00:16:16.320 --> 00:16:18.879 think of it like a digital heist. Right, Shadows got 337 00:16:18.879 --> 00:16:20.759 the goods Now he needs to sneak them out of 338 00:16:20.759 --> 00:16:21.159 the building. 339 00:16:21.440 --> 00:16:24.120 Okay, so he's got to find a way to smuggle 340 00:16:24.159 --> 00:16:27.039 the data out without getting caught. Right, how does he 341 00:16:27.120 --> 00:16:27.399 do that? 342 00:16:27.840 --> 00:16:31.639 He might use a variety of channels, from hidden network 343 00:16:31.679 --> 00:16:37.360 connections to seemingly innocent email attachments. Right. He might even 344 00:16:37.440 --> 00:16:40.720 hide the data within other files like images or videos. 345 00:16:40.799 --> 00:16:43.120 Oh wow, a technique called stiganography. 346 00:16:43.320 --> 00:16:47.720 Stiganography, I'm adding that to my list of cool cybersecurity terms. 347 00:16:47.799 --> 00:16:48.440 A good one. 348 00:16:48.600 --> 00:16:52.159 But wouldn't our security systems notice all this suspicious activity? 349 00:16:52.320 --> 00:16:55.679 They might? Yeah, but Shadow is a master of command 350 00:16:55.720 --> 00:16:59.399 and control, a tactic that allows him to remotely control 351 00:16:59.480 --> 00:17:02.799 his compum systems and evade detection. 352 00:17:03.120 --> 00:17:05.000 So he's like a puppet master pulling. 353 00:17:04.759 --> 00:17:08.559 The strings from afar exactly. He establishes a secret communication 354 00:17:08.680 --> 00:17:13.240 channel back to his own systems, allowing him to send commands, 355 00:17:13.759 --> 00:17:18.039 receive data, and even update his malware without ever setting 356 00:17:18.039 --> 00:17:20.200 foot inside Digitex network. 357 00:17:20.319 --> 00:17:23.119 This is getting seriously scary, it can be. So he's 358 00:17:23.160 --> 00:17:26.759 got the data, he's controlling everything remotely, what's left for 359 00:17:26.839 --> 00:17:27.640 him to do well? 360 00:17:27.759 --> 00:17:31.960 The final act in Shadows playbook is exfiltration, the grand 361 00:17:32.039 --> 00:17:35.119 finale where he makes his escape with the stolen data. 362 00:17:35.160 --> 00:17:38.440 It's like the getaway scene in a heist movie, alarms blaring, 363 00:17:38.599 --> 00:17:42.400 tires screeching, except it's all happening in the digital world. 364 00:17:42.279 --> 00:17:46.400 Exactly, and it's the stage where threat hunters are most vigilant. 365 00:17:46.920 --> 00:17:52.160 We're looking for any signs of large data transfers, unusual 366 00:17:52.240 --> 00:17:56.480 network activity, or suspicious email attachments leaving the network. 367 00:17:57.039 --> 00:18:00.359 So it's like guarding all the exits, watching for anyone 368 00:18:00.359 --> 00:18:02.000 trying to sneak out with a bag. 369 00:18:01.759 --> 00:18:04.880 Full of loot, exactly, and if we can catch Shadow 370 00:18:05.000 --> 00:18:07.759 in the act of exfiltrating the data, we might be 371 00:18:07.839 --> 00:18:10.000 able to stop him before he gets away with it. 372 00:18:10.680 --> 00:18:13.359 Okay, this has been a wild ride. It has I 373 00:18:13.359 --> 00:18:17.039 feel like I've learned so much about how attackers operate 374 00:18:17.519 --> 00:18:20.880 and what threat hunters do to catch them. Good, But 375 00:18:21.160 --> 00:18:25.119 what happens if despite all our best efforts, Shadow gets 376 00:18:25.160 --> 00:18:27.400 away with the data? What then? 377 00:18:28.039 --> 00:18:30.400 Yeah, it's definitely disheartening to think that even with all 378 00:18:30.440 --> 00:18:33.039 those layers of defense, an attacker could still succeed. 379 00:18:33.359 --> 00:18:33.559 Yeah. 380 00:18:35.200 --> 00:18:39.160 So if Shadow does manage to escape with Digitech's data, 381 00:18:39.920 --> 00:18:40.920 what's the fallout? 382 00:18:41.000 --> 00:18:44.279 Yeah, what happens then? What's the impact on Digitech? 383 00:18:44.440 --> 00:18:47.079 Well that's where the impact tactic comes into play. It's 384 00:18:47.119 --> 00:18:50.920 not just about the theft itself, but the potential consequences. 385 00:18:51.279 --> 00:18:53.960 Think of it like assessing the damage after a storm. 386 00:18:54.000 --> 00:18:56.880 So it's like a damage control phase, figuring out what's 387 00:18:56.920 --> 00:19:00.559 been lost, what's been compromised, and how bad the situation 388 00:19:00.680 --> 00:19:01.160 really is. 389 00:19:01.240 --> 00:19:04.319 We need to understand the scope of the breach. What 390 00:19:04.400 --> 00:19:08.279 kind of data was stolen? Was it customer information, financial records, 391 00:19:08.519 --> 00:19:12.680 trade secrets. The impacts will vary greatly depending on the 392 00:19:12.759 --> 00:19:14.240 nature of the data, and. 393 00:19:14.240 --> 00:19:17.400 I imagine the consequences for Digitech could be pretty severe. 394 00:19:17.519 --> 00:19:24.240 Absolutely, they could face legal repercussions, regulatory fines, reputational damage, 395 00:19:24.599 --> 00:19:26.319 and even financial losses. 396 00:19:26.480 --> 00:19:28.359 It can be a pr nightmare for a company. 397 00:19:28.480 --> 00:19:29.079 Absolutely. 398 00:19:29.279 --> 00:19:31.640 Yeah, this is really eye opening it is it makes 399 00:19:31.640 --> 00:19:34.599 you think twice about every email you open or every 400 00:19:34.640 --> 00:19:35.359 link you click. 401 00:19:35.640 --> 00:19:40.279 It's a good reminder that cybersecurity is everyone's responsibility. Yeah, 402 00:19:40.319 --> 00:19:43.480 for sure, we all play a role in protecting ourselves 403 00:19:43.839 --> 00:19:45.359 and the organizations we work with. 404 00:19:45.680 --> 00:19:49.960 So what can Digitech do to recover from this attack? Right? 405 00:19:50.160 --> 00:19:52.880 Is it even possible to bounce back after something like this? 406 00:19:53.240 --> 00:19:58.799 It's definitely challenging, but recovery is possible, Okay. It starts 407 00:19:58.799 --> 00:20:03.519 with a thorough investigation to understand exactly what happened, how 408 00:20:03.640 --> 00:20:07.039 Shadow got in, and what systems were affected. 409 00:20:06.640 --> 00:20:08.759 So that a post mortem trying to piece together the 410 00:20:08.799 --> 00:20:11.160 clues right and learn from the mistakes. 411 00:20:11.240 --> 00:20:14.160 And from there, Digitech needs to take steps to contain 412 00:20:14.279 --> 00:20:20.279 the damage, patch vulnerabilities, strengthen their defenses, and restore any 413 00:20:20.400 --> 00:20:22.200 lost or compromised data. 414 00:20:22.480 --> 00:20:24.839 It sounds like a long and complicated process. 415 00:20:25.039 --> 00:20:30.720 It can be, but it's essential for regaining trust, rebuilding 416 00:20:30.759 --> 00:20:34.400 their security posture, and preventing future attacks. 417 00:20:34.640 --> 00:20:37.960 You know, I'm curious about something. Our source material focuses 418 00:20:38.039 --> 00:20:42.240 on Windows systems, but what about other environments? 419 00:20:42.319 --> 00:20:43.079 That's a great question. 420 00:20:43.400 --> 00:20:48.240 What unique challenges might threat hunters face in cloud environments 421 00:20:48.559 --> 00:20:50.319 or with mobile devices. 422 00:20:49.799 --> 00:20:54.000 Cloud environments introduce a whole new set of complexities. The 423 00:20:54.119 --> 00:20:57.799 dynamic nature of the cloud, with its shared resources and 424 00:20:57.880 --> 00:21:02.599 constantly changing infrastructure, makes it more challenging to establish baselines 425 00:21:02.599 --> 00:21:04.240 and identify anomalies. 426 00:21:04.400 --> 00:21:05.839 So it's like trying to find a needle in a 427 00:21:05.839 --> 00:21:08.640 haystack exactly. It's constantly shifting shape. 428 00:21:08.359 --> 00:21:13.319 And size, and you've got multiple tenants sharing the same infrastructure. 429 00:21:13.680 --> 00:21:18.079 So separating legitimate activity from malicious activity it can be tricky, yeah, 430 00:21:18.799 --> 00:21:22.960 for sure. And mobile devices they definitely present unique challenges. 431 00:21:23.039 --> 00:21:23.720 Oh yeah, I got. 432 00:21:23.880 --> 00:21:27.799 Their portability and diverse operating systems make them a prime 433 00:21:27.880 --> 00:21:33.000 target for attackers. Plus, people are constantly downloading apps and 434 00:21:33.039 --> 00:21:36.640 connecting to public Wi Fi networks, which can expose them 435 00:21:36.680 --> 00:21:37.920 to all sorts of threats. 436 00:21:38.839 --> 00:21:41.519 So it sounds like thread hunting in these environments require 437 00:21:41.599 --> 00:21:43.559 specialized tools and expertise. 438 00:21:44.000 --> 00:21:46.559 It certainly does, and it's an area where we're seeing 439 00:21:46.720 --> 00:21:49.119 a lot of innovation and development. 440 00:21:49.480 --> 00:21:51.599 Well, this has been a fascinating deep dive into the 441 00:21:51.599 --> 00:21:54.000 world of thread hunting. It has been We've covered a 442 00:21:54.039 --> 00:21:58.000 lot of ground, from the initial reconnaissance phase all the 443 00:21:58.039 --> 00:22:01.839 way to the potential impact of a successful attack. Yeah, 444 00:22:01.920 --> 00:22:04.599 I have to say I'm feeling a lot more informed. Yeah, 445 00:22:04.640 --> 00:22:06.200 but also a little bit more paranoid. 446 00:22:06.680 --> 00:22:09.039 A healthy dose of paranoia can be a good thing 447 00:22:09.079 --> 00:22:10.079 in cybersecurity. 448 00:22:10.319 --> 00:22:11.039 Yeah, that's true. 449 00:22:11.079 --> 00:22:15.160 It encourages us to be vigilant, question what we see 450 00:22:15.160 --> 00:22:17.680 online and take steps to protect ourselves. 451 00:22:17.799 --> 00:22:20.240 So what's the one key takeaway you want our listeners 452 00:22:20.279 --> 00:22:22.200 to remember about threat hunting. 453 00:22:22.960 --> 00:22:26.799 Threat hunting is not just for security professionals. It's a mindset, 454 00:22:27.079 --> 00:22:31.839 a way of thinking about cybersecurity proactively. It's about being curious, 455 00:22:32.039 --> 00:22:36.160 asking questions and looking for those subtle clues that might 456 00:22:36.279 --> 00:22:37.960 indicate something is a miss. 457 00:22:38.039 --> 00:22:40.920 It's like being a digital detective constantly on the lookout 458 00:22:41.000 --> 00:22:42.880 for suspicious activity exactly. 459 00:22:43.200 --> 00:22:46.559 And the more we understand about attacker tactics and techniques, 460 00:22:46.839 --> 00:22:49.960 the better equipped will be to defend ourselves and our organizations. 461 00:22:50.000 --> 00:22:53.200 Well said, I think we've successfully navigated this deep dive 462 00:22:53.240 --> 00:22:56.240 into threat hunting. We have, so if our listeners are 463 00:22:56.240 --> 00:22:58.240 interested in learning more, where should they go? 464 00:22:59.160 --> 00:23:03.359 I mitr o E ATTNCK framework is a great place 465 00:23:03.400 --> 00:23:03.759 to start. 466 00:23:04.079 --> 00:23:05.640 It's a free, awesome. 467 00:23:05.279 --> 00:23:09.920 Publicly available knowledge base of adversary tactics and techniques. There 468 00:23:09.920 --> 00:23:15.079 are also lots of informative blogs, podcasts, and online courses 469 00:23:15.079 --> 00:23:16.400 dedicated to threat hunting. 470 00:23:16.480 --> 00:23:18.880 And don't forget about the power of community. Yes, there 471 00:23:18.880 --> 00:23:22.279 are tons of online forums and groups where you can 472 00:23:22.279 --> 00:23:25.839 connect with other security professionals. Yeah, share knowledge and learn 473 00:23:25.920 --> 00:23:27.200 from each other's experiences. 474 00:23:27.440 --> 00:23:32.519 Absolutely, the cybersecurity community is incredibly collaborative and supportive. Awesome, 475 00:23:32.640 --> 00:23:33.680 we're all in this together. 476 00:23:34.920 --> 00:23:37.759 Well, on that note, i think it's time to wrap 477 00:23:37.880 --> 00:23:42.319 up this deep dive into threat hunting playbooks for Miter tactics. 478 00:23:43.160 --> 00:23:45.559 It is Thanks for joining us and we'll see you 479 00:23:45.559 --> 00:23:46.000 next time.