This next talk is presented by the Packet Hacking Village. And it is absolutely my pleasure to introduce to you, well, I'm not sure what, don't clap yet, Mr. Pete Hay. Pete Hay is principal security strategist, oh, I'm sorry, strategist at SimSpace. Yeah, he's also the founder of the cyber report. Got it, okay. And Pete's presentation is on the importance of arts and crafts. By the way, I will have to say arts and crafts is becoming a lost art. I would imagine you're gonna be mentioning that. Sadly. Absolutely the truth, yes. In threat ops. And it is now my absolute pleasure to introduce to you, Pete Hay. Thank you very much. I will be your guide on this next exploration of arts and crafts in threat ops. The topic comes from my personal experience, my background. I have to do the about me. I don't think I get paid all of that nothing that I get paid for doing this if I don't show you this. So my background is I am a recovering Navy sailor. That's going perfectly, excellent. The live demo gods are angry. So, and then I spent a bunch of time teaching after that. I taught JCAC, a couple of other places like that. And one of the things that struck me, and this concept of arts and crafts started resonating as I was teaching, because one of the things that's so important for learning something is having a visual medium for delivering your concepts. And to be completely honest, I am terrible at drawing, and my students, I'd draw something up there, and they're like, yeah, that's a laptop over there? And I'd say it is. And I'd say, yes, I promise, but look, they didn't hire me for my arts and crafts skills. And I said that for years kind of as a joke. And what I realized is getting better at arts and crafts is something I desperately needed because it's such an information dense medium. So on top of that, like I said, I'm a teacher, I'm neurodivergent, and you're probably going to see a little bit of that come into play as I'm mentally up here saying, slow down, slow down.
And also I really like the visual medium for that reason because not everybody learns the same way. When you're neurodivergent, you're increasingly aware that other people might also diverge from the, I don't want to think too hard about that. But other people may not interact with the world the same way that you do. And so for that reason, I want to teach audibly as I'm speaking, I want to demonstrate visually, I want to give people repetition, hands-on. And the combination of those mediums means that there's going to be a greater throughput or a greater baud rate of data transfer and more success along the way. So that's where this concept of arts and crafts and then because you're all captive, so I'm going to show you pictures of my cute family. And tough, you got to deal with it. So there we go. All right, so Arthur Brisbane said, a picture is worth a thousand words. And I think that's the core concept that we're talking about today is the density of information that you can put in a visual medium. And so my follow on is, well, how many words then is a good diagram actually worth? The reality is, what I'm going to try and show you today is we can do, we can convey a great deal of information in a good diagram. And I'm going to be using the medium of threat intelligence and incident response and incident reports as a way of conveying that we can condense that information down and make it more accessible to people. And what I really like about it, and again, this kind of goes back to both the teaching and the neurodivergence, is not everyone is an expert in everything. And you'll be shocked to hear that I am also not an expert in everything. And so when you get a great picture, a great diagram, a great analogy, that helps lower the barrier of entry. And it's one of the things that I've really enjoyed watching change over the time that I've been in cyber. 
There was a time where there was a lot of elitism and kind of not-invented-here, we're red teamers or whatever, whatever, whatever. And I feel like that's changing for the better. And so I'm really excited to share this with you. So my concept is, first of all, diagrams. Diagrams are an essential part of cybersecurity knowledge management. Most diagrams focus on a single domain, though. So I have some examples up here that I've taken out of Cisco reports, and one of them's from a Mandiant report. And what you have is Cisco has this great timeline. Like, what's the history of the APT that we might be looking at there? The one that I really like from Mandiant, it is actually useful, but what I love about it is, the second one there, is that is the history of the different tooling that APT43 has used historically. And if I didn't explain that to you, there would be essentially no way to glean that from the image. And it's there, it's useful, it needs words surrounding it. And if that's what you're looking for, it can be very useful and very informative, but one of the things that bothers me about this a lot, and if somebody, I know Mandiant's down there, so don't rat me out. But the X and Y axes don't mean anything in that diagram, and that bothers me a great deal because there's nothing to contextualize the visual medium to help me understand what I'm looking at. And then finally, we have an example of what I think is a very good diagram from a Talos report on a new, unknown actor that's attacking Ukrainian and Polish government entities. And what they're showing is the timeline of the behavior of a piece of malware that initially, at the first stage, it is some kind of lure, whether it be PowerPoint or Excel, and then from there you get different outputs, and the idea is they're showing you a flow, a logical flow of what takes place.
I like some of these things, I dislike some of these things, and so what I've tried to do is put it together in a way where we can use the X and Y axis effectively, and here's the thing, there's a risk with that. And as we know, there's a rule that there must be an XKCD that covers this concept. There is. There are 14 competing standards, I think I've shown you three of them. So obviously, I'm the guy to create the new one, the one standard to rule them all, and what's the outcome of that? 15 competing standards. So my goal is not actually, I've had this in mind from the beginning, so my goal is not to create the one perfect standard. What I wanna do is like so many things, I wanna give you a tool that you can put in your repertoire and break it out at the correct time. I think you'll find that what I'm showing you is really, really good for things like executive summaries, maybe if you're familiar with the term bottom line up front, that sort of thing, this visualization is gonna do that, and then the beauty of it is, depending on how you present it, you can actually put a lot more information for people to zoom in closer and get more detail, so we'll go over that in just a moment. Everybody ready? Loose? Good? Me too. All right, so how do we organize the data? First of all, great question, very glad you asked, appreciate it, you all are really on top of it, and I appreciate your engagement. So what I'm doing, I call this a threat matrix, mostly because it sounds cool, and because I'm gonna use a lot of geometry, not geography, that would be different, geometry related terms, and it kinda seemed to go together, so deal with it, I've spent some time in marketing, I'm sorry, I apologize. So the matrix idea is we have two axes, and on the first one I'm going to use, excuse me, on the x-axis, a timeline, why a timeline? 
Because shockingly, it's not there on lots of things, so we kind of have it in threat intelligence in terms of things like the Mandiant attack lifecycle, we have, I see a lot of people looking like this, I apologize, there's a better view coming soon. Save your necks. But we have this idea of maybe, we wanna say tactics, right, the columns in the MITRE ATT&CK framework, and there is kind of a sequencing, kind of a timeline, but it's not guaranteed to be accurate, and when we wanna understand actual behaviors, actual TTPs associated with a threat actor, we need sequencing, and time is the method that I chose for sequencing the behaviors of a threat actor in this case. So first of all, the x-axis timeline, like I said, and I have a couple of examples. This is what an attack's timeline looks like in a Talos report, there's another example of a timeline in terms of looking at a single binary, and I think I mentioned earlier that they tend to be domain focused, so in this case the domain is history, in this case the domain is the behavior of a given binary, and over here you have a completely illegible layer of the MITRE ATT&CK framework, which is both the strength and the weakness of the framework. It can cover a lot of things, on the other hand it also covers a lot of things, so it takes up a lot of space, right? So there are at times, I gotta, apparently I need to just stop pacing, I don't know. I'm gonna generate some kind of tick as I try and figure out what I have to do to make that not turn black. So the idea being that there is a lot of information conveyed there, but there's not a, you'll notice in the MITRE ATT&CK layers there is no, the hip bone is connected to the thigh bone.
Technique A leads directly into technique B, and so when we're talking about detection engineering, or designing TTP related detections or responses, though the techniques are valuable and important, it is difficult to put them together and have them coalesce into a response action or a detection that one can employ. And so again, I'm proposing using time or sequencing, however you prefer to think of it, as a manner of conveying that visually. And then of course, yep, timeline, there we go. The other thing I have is the Y axis, which I'm calling artifact planes. The idea being I wanna cluster things based on where you find them. So I started with host, network in terms of the planes. You can subdivide them to your heart's content. I'm not gonna stop you, there's no artifact plane police, I promise. But my thought is I've divided them into places where I commonly find things, internal and external network artifacts. On a host, you might have things that are resident in memory and have other things that are resident on disk, so I subdivide that way. You could do cloud, you could have network, compute, store, all locations that you would have logs or artifacts indicating behaviors, because that's the core. We wanna get the artifacts related to the behaviors and visually represent all of the above. All right, so then we break those down into nodes. What are the nodes? Well, it's the thing that relates to it. The really important thing is commonly, when you have a log, it relates to a thing. And you have, so for instance, I'll use sysmon, like we have lots of different event IDs that indicate the behavior of a process. But we don't coalesce that down into the process. The process did this, the process did that, the process did that. The process related was something in this way. And that's what I'm proposing. We actually graphically represent up there, I promise. See? So what sorts of nodes do we have? 
Well, you see, there's an email up there and I used an email picture for this. You could draw boxes as well. And if I were drawing, I assure you I would. Sometimes I'll do circles. They kind of even look like circles when I draw them. So whatever it is you want to represent, there's a medium, there's a manner that you can represent it. So examples: file servers, hosts, endpoints, infrastructure, email, attachments, links, web servers, domains, those are all things you might find in the network. And in the host, you might find a host, by the way. Those exist. We should know stuff about them, addressing, domain names, et cetera, IP addresses, MACs. Then on that host, there may be processes, user context, registry, files, named pipes, et cetera. Fair enough? Following along? Cool, cool, cool. I'll find stuff soon, I promise. All right. Network plane. Another couple of things that I've done here is one of the things I realized is I was looking at this in terms of artifacts. There are certain places where you get a lot of artifacts. And I don't really want to draw a line for every single artifact. That's where I drew these triangles. I'm trying to represent the relationship. So in one being a C2 session, essentially over time, sorry my hands got big there, over time that process communicated with a single endpoint. So there's many connections to one endpoint. That's what that shape of the triangle is trying to represent. On the other hand, we're talking about enumeration on the local network. So again, you'll notice that's all combined in the internal network artifact plane that's finding multiple hosts. And it's one host scanning multiple endpoints, multiple IPs, et cetera. Different shape triangle. Fair enough. I love how you're all coming along with me, because you basically have no choice. All right, host plane. Same kind of idea. I subdivided it into memory and file system artifacts.
You notice I put the registry on the line between the two because sometimes it's in memory. Sometimes it's on disk. That made sense to me. Do what you want. You can represent these things however you wish, right? No artifact police here. And again, we have processes, files being written to disk, and you can see the writes, reads, loads, et cetera, being the lines connecting them. All right, how do I use it? Again, y'all are really on top of things. I appreciate it, great question. I really appreciate you being here with me for this. So I've actually got a couple of use cases and I'm gonna stop pacing now and sit down and walk through them with you. Just so you know, I'm gonna use Miro for a lot of this because again, you remember the part where I covered I'm bad at drawing, so we're gonna let the computer draw for me. So what I'm gonna do is I'm gonna sit down, I'm gonna swipe over to Miro and I'm gonna walk through Royal ransomware, and that one we're gonna actually dive a little bit into the weeds. It's gonna be literally function level, there'll be assembly on there, and the beauty of it is I don't have to memorize all of it. So I'm gonna show you how to use comments and things like that to make it really, really easy to operationalize that threat intelligence. Let's show the flow of the program, the binary in that case. For Talos, the Talos report is YoroTrooper and we're gonna examine how it is that YoroTrooper conducts themselves.
We're actually gonna visually see their behaviors and we're actually gonna talk about a use case where with YoroTrooper they have a single dependency, though they have multiple lures and phishing techniques, they have a single central point when it comes to their getting from stage one to stage two, and if I were designing detections and response actions, this is what I would target, and then I think it becomes very visually obvious, and it's funny because sometimes I think operationalizing threat intel and designing behavior-based hunts and response actions is viewed as difficult, and in this case you're gonna see identifying what needs to be hunted on or responded to becomes pretty easy visually. And then finally, I've got two more things and we'll kinda see how we're doing on time on that, but there's a new attacker against Ukraine and Poland. That report came out from Talos last week and I wanted to do something really, really fresh, mostly because I was doing it anyway and I thought it'd be fun to share with you and show you how the visualization comes together, and the thing that's interesting about this one is Talos hasn't really finished their report. They did kind of an initial report and we can show you what we know up to that point, and then we see the dropper in the second stage, and then they're kind of like, we haven't really done all the analysis beyond this, but we get the ability to defend because again, there's that chain of dependency, and if you could break that chain of dependency then you have a viable technique kind of irrespective of what follows in stage three and four of this attack. There's also something that really bothers me. You hear this phrase commonly that the defender has to be right all the time and the attacker only has to be right once, and my good friend Bobby is sitting right over there and he's a red teamer and I've heard him cuss a lot at certain times, and that's because it's not that easy for red team.
They don't have to just be right once. There are a lot of things that have to go right in order for an exploit operation to be successful, and so really what we're gonna do is we're gonna try and identify those connections that are vulnerable to a defense action and kind of like kick the chair out from underneath them and make Bobby start cussing again, which is a good thing anytime I can make it happen. So, and then we have the, if we may be able to get into examining using this for incident response, we'll just see how that goes with time. All right, buckle up. So with Royal ransomware what I've done here is, and again I wanna make sure that nobody is thinking I'm telling you, oh, I have done this research for myself. This is not, this came from a Talos report. The link is in the attachments on this. What I am doing is I am standing on the backs of giants in this and I'm just trying to make it more accessible to others. So first thing I do is I add a comment that has the link to the content. This is where you can find the original research. You're more than welcome to look it up yourself, and again that's gonna kind of back up everything that I have to say about this going on. So you'll notice we have three planes here: local network, host memory artifacts and host file system artifacts. And it's kind of quiet outside of the host memory artifacts until we get to the point where the ransomware starts encrypting, and then it gets real busy real quick. So we'll start. What is the method? Well, it's phishing. We don't have a lot of detail on how it happens because there are a lot of different Royal campaigns, and so I'm not gonna belabor the point on how that might get there. We're gonna start with an executable, getting written to disk, getting clicked on. You'll notice the parent process here is explorer.exe. That means one of you people clicked on it. Somebody did. And then we have Royal ransomware running on the system, right?
Because again it doesn't really matter how it got there. In this case when we're looking at this point we are trying to look at the function level how this ransomware actually behaves. Not as important to know how it got there when that's what we're examining. So the first thing we have, we start exploring functions and you'll notice I put, there's a lot of detail here. So I put it in comments. Why? Because if I wanted to do an overview I can zoom out right here and say, all right, it does a couple of things and then it tries to delete the shadow file. That's what's happening down here. One of the really interesting things that happens is this function calls cmd.exe and tries to delete the shadow file. The command line is very specific, very signatable, very defendable, and by the way, Royal isn't the only malware family that tries to delete the shadow file in the exact same way. So if you were to use this technique, if you were to build a defense against an executable running cmd, trying to delete the shadow file with this exact set of switch options, which is probably a little hard for you all to read down there, but that's Windows\System32\vssadmin.exe delete shadows /all /quiet. You would not only successfully defend against Royal ransomware but other ransomware families as well. This is one of those points of coalescence. Why? Because ransomware has to delete shadow files in order to be successful in preventing restoration, right? So, shockingly, there are a finite number of ways to do that and this is an excellent place to identify and focus defenses around. Next, we could get into this and talk about every single aspect of what each function is doing, and I'm not gonna do this for this talk because the talk is not about Royal ransomware, as excited as I would get about diving into that, because again, it's not my research. What I'm doing here is showing you how you can convey what is taking place.
So first of all, at one point, it splits into an encryption slash network thread and then it starts scanning the network for other vulnerable machines, other machines that it could potentially encrypt. I think we can all agree that's pretty bad and we would like to prevent that. The other thing that happens is it spins up separate multi-threaded note writing and has to write its ransom notes and it multi-threads that as well. And then finally, it actually starts enumerating SMB shares which again is an identifiable behavior. You could build time-based detections on SMB enumeration. You could take a look at how many SMB requests are on individual processes doing it at a given time. It almost doesn't matter. The point is we know it does this. It's something that it probably shouldn't be doing, especially in that limited user context, and we could build a detection around this pretty simply. The next thing it does is when it finds those machines that have SMB shares that it can do encryption of, and we're shocked to hear this, but it starts encrypting both local files and remote files. You'll notice it's multi-threaded. None of that is surprising. And again, I have details broken out on exactly what you can find for every single function that's present and what it's doing. If you wanna go to that depth, you absolutely can. If you wanna talk over it from a broad level, you can do that as well. And then finally, we get to the tail end and what do you see? You'll notice those, again, those triangles. I put them in red because they're very bad here. So again, a highly effective communication medium, right? Red equals bad. So here what we see is locally lots of reads and writes. Is that something we could do from a detection standpoint? Like reads and writes, using crypto libraries, those sorts of things over and over again? Yes, absolutely.
And it's funny, I was talking to some guys from Halcyon.ai and that's one of the many things that they do to prevent ransomware as the bread and butter of their business. Same thing, those remote reads, writes, with crypto involved, probably a bad thing as well. So again, the point being that if I needed to explain in general what Royal ransomware does, whether it be at a function level, I can do this function level. If I wanted to, I could collapse each of these functions down into a descriptor like, hey, this is what's happening. This binary is reaching out and touching the network. It's doing some SMB enumeration. It's doing some local file writing and encryption. All of those aspects can be communicated effectively with the method. That's the whole point. So next, I'm gonna take a look at YoroTrooper. And I apparently zoomed way, way in on YoroTrooper. I really like YoroTrooper because we're now talking about a campaign. What's the campaign look like? Well, what I've tried to do here is give you that 1,000-foot view. Enough details to understand what's going on, not so much detail that people start nodding off. So far, so good. All right, so in this, the campaign starts with a phishing email. And in this case, there is something very specific. They call it nota.rar. This campaign used that over and over again. We'll pause now for a word from our sponsor, Panasonic. All right. And now, so what happens, nota.rar gets downloaded. I put Outlook here. Does it really matter? No, it could be anybody. Don't care. Email, email client, nota.rar gets written. You notice I've drawn this very long. The reason I've drawn it very long is things are happening sequentially. That file is being accessed. And what you actually see is a write. You see a read. And then much later on, you see a delete. So I made the file long because again, I'm just trying to show sequencing and who's doing what and when.
So we have again, 7-Zip with the parent process of Explorer, that means that again, Phyllis clicked on it, and poor Phyllis, she didn't know any better. She's just trying to do her job out there. And now a link file's been downloaded. And because of the lure, and this one is again, targeting, if I recall correctly, targeting largely Ukraine and Poland, and no idea who it might be. But some people have been targeting them with a number of different RATs in recent days, shockingly. And this has a commonality in all of their campaigns and it is a link file. That they use a link file, that link file is gonna launch mshta. And mshta is going to once again, and you'll notice parent process of Explorer yet again. So again, a click on the link file. mshta's gonna reach out to the internet and download, and you'll notice I do have the actual domain here because this is from the actual threat intelligence. That they're going to that particular domain, I see laptops opening, I might not, but your call. That's the domain they'll go to and from there they download an HTA file which is gonna provide instructions for mshta for what it's going to do next. Then it's going to follow those and execute those instructions. And those instructions include downloading a file, spawning a PowerShell process that's gonna download file.pdf, this particular campaign downloaded from the same place. The next thing that's gonna happen is another separate PowerShell process is gonna launch and it's gonna download this lsax.exe, and then another PowerShell executable will launch and that will delete the nota.rar. So here's my point about points of congruence and about things coalescing. There is a dependency for everything right of this on essentially that link file and mshta and in particular, mshta touching the internet. So if I were a defender, I might look at whoever's running my enterprise IT and say, hey, y'all use mshta to touch the internet for any reason? No?
Good, and we're gonna deploy a response action that's gonna disallow it. Lots of different ways of doing that. Lot, feel haunted, I'm gonna be honest with you. So there are lots of different ways of doing that. The point being that the entire YoroTrooper campaign is dependent upon that one thing. Kick out that leg of the milk stool and the whole thing comes crashing down. Plus it's funny. All right, so what else happens? What else happens? Well, the PowerShell is gonna download and execute that lsax, and lsax is going to reach out and download a service host .exe and spawn that as a child process, and it's that, excuse me, spoolserv.exe, and spoolserv is gonna launch and spoolserv is gonna do some C2, and that's where you actually get to your final stage of your implant and you get actual APT-like behavior with C2, exfil, et cetera. Point being, there's an incredible dependency in this particular campaign on one thing, and that one thing being link files and mshta, and between those two, you can do a combination of network defenses, host defenses saying, hey, mshta.exe is not allowed to touch the internet. You could say we're not allowing link files to launch mshta. There are all kinds of different ways that one could go about defending against this particular campaign, and I wanna emphasize this, that doesn't involve copying and pasting the IOCs that I have in this report into various tools. Fair enough? Cool. I see some nodding. It's always good. And it wasn't off this time. It's excellent. All right, and then the last thing I wanna talk to you about, like I mentioned, is this new report that I saw. Again, I use comments pretty heavily to show where the original source was. This is another Cisco Talos blog that was out, I think the 7th of August. In this, there is, there are actually, what I really like about this one is there are a couple of different ways this can go.
And so what I'm gonna show you is multiple campaigns with minimal difference in actual overall behavior, despite having different hashes, different files, different lures, et cetera. So in this case, their lure is, this is targeting Ukraine and Poland, and they've got PPTs targeting Ukraine, military orgs specifically, and then there are Excel lures from the Ukraine State Treasury. So two different lures, different behaviors kind of, but if you actually look at how it executes, pretty similar. So we have now a mail client downloading and writing the file, doesn't really matter which file it is, it's written to disk, and both of them contain VBA script. So that VBA is going to, it actually contains a lot of information. So as PowerPoint or Excel, doesn't really matter which one again, whichever one it is, it's gonna start running that VBA, unless of course y'all have policies in place to prohibit those sorts of things. Good talk. So then that runs and it does two writes. There's no download in this case. By the way, here's another use of a link file. Again, targeted against Ukraine. Would we maybe say maybe there's some familiarity there, maybe there's some commonality? Who knows, it might just be people not wanting to rob from the poor. If link files are being successful and Will Ferrell's saying so hot right now, then we jump in on that action and go with what works. That was my meme reference, I promised one. So link file, and then the other thing that is again contained within that VBA in a data blob, it's actually broken up so that, so you won't find the binary if they're scanning for the binary, it's a couple of different blobs to make up the binary, which is an executable or DLL. That is, they then use regsvr32.exe or rundll32.exe to launch that, and whichever one it is downloads an image. By the way, I'm gonna zoom in right here. This is the actual image that on the end of that image, and I, it's not steganography, guys.
I know some of us are excited because we were like, finally it's here, it's just data on the end of the image, it's not encapsulated in the image, it's just extra data on the end of the JPEG. But it contains a binary. That binary is gonna download, decrypt, and run, sorry, back to our sponsor. It's gonna download, decrypt, and run in memory. And here's the really interesting part. Cisco's like, anyway, we're kind of done with our analysis at this point, and if you read their blog they're like, that's because our decryptor broke on this. So we know from some other reporting and some callbacks, we're pretty sure that what follows up is either Cobalt Strike or Agent Tesla, but we can't prove that. So they actually stopped their, they stopped their kind of early threat bulletin at that point until they could prove more, which I, A, respect, and B, I'm very grateful they didn't wait until they had it perfect to spit this out because people have to defend. And guess what? We've got enough here to do some defense because what's our point of congruence? It's the VBA running in PowerPoint or Excel. It doesn't really matter which one it is. Or you could say it's that regsvr32 or rundll32 downloading from the internet. Another thing that's highly signatable and highly preventable. So this is at the core of my concept, and it looks like I do have enough time so I'll go actually take a look at this from an incident response standpoint. It means I was talking faster and that means that the neurodivergence was in full effect. So I'm glad that everybody's still here with me. So let's go ahead and take a look at what this looks like in an incident response. So first of all, you may be asking, what happens if there are multiple hosts compromised? Great question. Could be handled a bunch of different ways. This is one example where I showed on the timeline multiple hosts being compromised.
There's actually a third host down below, but I couldn't figure out a good way to make it even slightly legible and on a single pane. And you'll notice that the timeline still continues. The hosts can continue their behavior, but there are multiple hosts compromised. The other thing from an incident response, and you may be thinking it's odd that I'm tying incident response and threat intel together, but what I would point out is that threat intel is just somebody else's incident response, right? That's just not yours. Which is ideal, is a great place to learn from. In fact, I think many would argue it's better to learn from others' mistakes than their own. That's not my method, but many people employ that.

So in this case, we start from the initial alert. So in this case, an initial alert might be process injection taking place. In this case, I've got really good example names, so I'm just calling it trojan.exe. It's just a placeholder for trojan, and we've got a services.exe being injected into. From this point, we now need to figure out what has happened, right? So bear with me and imagine that not everything is populated here right now. We're actually conducting an incident response. So you basically have two directions you can move: left and right from that alert. Am I moving back to source to try and figure out where it is? Am I moving forward and trying to scope the effects that I experienced? Either one's fine with me. They both have their benefits. If you go backwards, you can kick off threat hunts that may be more effective in defending your business continuity operations from the risk and prevent it from spreading, and one of my favorite things is, like, if this is sitting in an inbox and we're part of a campaign, I get that in this case, poor Phyllis, I hope nobody here is named Phyllis. It's not them, it's other Phyllis, different Phyllis. But this poor person has clicked on this link and we now have an incident going on.
But I'd sure like to know if it's sitting in 30 more inboxes and I've got 30 more potential incidents sitting in my email. So we might prioritize going backwards to origin and finding artifacts that we can remove to protect our business more effectively. Conversely, you may be concerned about what is the scope of this and we need to triage what's happening right now. I've seen playbooks that emphasize both. I've seen playbooks that emphasize one over the other. I've seen playbooks that say you should have one analyst go one direction and one analyst go the other way and meet in the middle, right? All of those, I think there are good arguments in favor of, and that's not my talk today. So what we're gonna do is we're just gonna walk through what it looks like to go backwards first, and then I'll go forward second.

So going backwards, I'm gonna say, listen, I've got a process. I know it's doing something that we find suspicious. I need to scope it and I wanna know where it came from, which means I'm looking for the create process. Whether that be Sysmon event ID 1 or CrowdStrike or whatever, it doesn't really matter. I need to know where it came from. Who's its parent process? In this case, we find that it's Explorer. All right, great. Now where'd the file come from? The image load. Well, that's trojan.exe sitting on disk. What do you think I'm gonna follow up next? All right, where did it come from on disk? What is it doing? And we're gonna look at, what are we gonna do? We now have a file name and a path in a location, and so we have a new query that we can run and say, where's the file write? What is the parent process on the file write? What's the command line on that, et cetera? In this case, we're blaming it on Outlook again, and that's where it came from. Now I have the ability to, am I gonna go into email logs? Are we gonna look at this in network traffic? Am I gonna say, no, I'm a host analyst.
Then I'm gonna call a grownup and have them do that on the email side of things. All of those are again viable, based on whatever your organization does and how you implement it. So the diagram, but the diagram still gets populated, and the beauty is when we have the file, we now have something discrete and huntable to determine if we've got, again, 20 more incipient incidents sitting in our enterprise that we don't know about.

I think one of the big challenges facing, it is a personal opinion, so you can take it, it's worth the paper it's written on, but I think one of the big challenges we have is much too much of cybersecurity is linear. We're waiting for a full report before a threat hunt gets kicked off. We're waiting for IOCs to be generated before detection engineering occurs. One of the things I really like about, if you are capturing your artifacts in a diagram like that, it means that when your SOC supervisor, who has, in my opinion, the hardest job I can think of, because you've got all these people, all these different things going on and you're trying to figure out what's in a person's head, knowledge management's extremely difficult in this industry. You now have a method for looking over their shoulder and getting an understanding of where they are currently looking at this incident, how well scoped it is, maybe even how far along they are, can you task another person to help them out and say, hey, you know what, ignore that network stuff, I've got a guy, we'll hook that up. These are the sorts of ways that it can be beneficial to an enterprise, live, in use.

You'll notice they have run key persistence. That's one of those things that we might want to look at in general, just, we know that trojan.exe, what all did it do? Look for event ID 3, network connections, where was anything downloaded, a second stage, et cetera.
These are all actions we can take, and the cool thing is, if we find that second stage download, now we've got yet another IOC we can pass over to detection engineering, and we can go ahead and again, if there are 30 more of these sitting in 30 more inboxes, if we do nothing more than deny list secondary infection, secondary.infection.com, I hope you already have that blocked. But we can deny list that, and so even if somebody does click on that in an inbox, now there's no second stage, hopefully, and you should be able to, again, lower the risk profile of your organization.

So now let's talk about going forward. As we go forward, I think one of the more challenging parts of an investigation is when you do move forward, because there is, when you go backwards, it's like a Sudoku. There are only so many artifacts, and everything has to happen and everything has to mean something. So you're kind of filling in the blanks in the Sudoku, saying, well, I know this, and so the hip bone's connected to the thigh bone, so where's the thigh bone? What does it look like? I know how to write my query for that. When you talk about what's coming next, there are kind of an infinite number of things that a binary can do, but we know certain things are higher risk factors, higher risk thresholds than others. So we're gonna look for network connection. Why? Because C2 is likely. We're gonna look for exfil because it's likely. We're gonna look, excuse me, we're gonna look for file writes. We're gonna look for, like I said, multiple file writes, read, write, close and encryption, right? So this is where I think the analytic art very much comes in, and the beauty is as you start populating this, you now have the ability to say, oh, I've looked for this. Somebody can come look over your shoulder and be like, hey man, did you look for network connections? Like, oh, you know what? No, I'm a host guy. I didn't think about that network-y stuff. I could probably look into that. Let me do that.
It gives you again a visual medium to communicate. I think in cybersecurity where a lot of the challenge lies is in that coordination, collaboration, delegation and prioritization. And this gives you an information dense medium to convey your status and to seek out help from that SME when you need it, to enable collaboration. As somebody says, no, no, no, you know what? I'll take the network stuff. He's gonna take the email stuff. She's gonna do the forward triage and you're gonna run it back to source. That's the purpose of how I would use this in an incident response. And again, I just wanna point out that the beauty of it is when you find those connections, and if you see an exploit being thrown across the wire, let's say for lateral movement, that's something that takes place. I have it here in the internal network as an IOC. The CVE is something that you could track and document. And then the beauty is you can say, all right, now I do need help. I'm gonna break glass, pull lever and say, you know what, we've got lateral movement. I'm gonna keep running this one to ground because we wanna stop this from spreading any further. But I'm gonna need Josh to jump in and Jamie to jump in to hunt on these machines, to do the incident investigation on those machines, while we task other people to do further hunting and work better to collaborate and coordinate as we defend our enterprise. So that is at the core of how I use it.

I added a couple of acknowledgements. First of all, like I said, this is not my research. This comes from threat intel. One of the things that I wanna point out, and part of the reason why I like doing it this way, is I actually have open on another tab some of these reports, and they are not short. Some of them are very, very long. And especially like this Euro Trooper one, there are very few pretty, pretty pictures, and I like those. And so I can scroll and scroll and scroll, or you can do what most people do.
I believe that when you use threat intel you do one of three things. The first thing is you pop it open and you read the executive summary and you say, oh, not what I'm interested in, and move on. Or you got enough out of it and you move on. The second thing you do is what I do, which is scroll down and look for the picture. So I'm gonna scroll down, and this is the one I particularly like, and I'll jump in and be like, is that interesting enough? Good, I didn't have to read that boring executive summary. I see nodding, that's always a good sign. Anyone who agrees with me I of course think is brilliant, so you can nod and I'll be like, man, sharp crowd. And then the final thing is perhaps the most common thing, and what's that gonna be? There it is. Go to the bottom and look for the IOCs, right? And let's see. Oh look, there's a GitHub repository right there. I'm gonna jump in, copy and paste like a gentleman and move on with my day. This is really long, but it only took me about 25 minutes to turn this report into the visual that I showed you of Euro Trooper, which is this one right here.

I really like being able to consume intel this way. In terms of teaching an executive, or briefing an executive committee or senior leadership, or a new person, saying, you know what, this is what we saw, this happened to us, rough day. And now we've got a repository of information for that new person, and make sure, and like I said, knowledge management, we have a very strong verbal history in terms of oral tradition, in terms of how we pass on knowledge. And this gives us an opportunity to move it into another medium so that we can convey it to, and as people come in, they can learn. We can kind of train up the next generation of defenders. And as we all know, a generation in cyber is like 45 minutes, right? So anyway, I'm gonna stop here and take questions. If anybody wants to jump in, there's a microphone right there, thank you. And I'll field it.
Now comes my favorite part which is stump the chump. So I'm in.
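Editor's added example for the JPEG-with-a-binary-on-the-end technique the talk describes early on (the image whose trailing bytes are "just extra data on the end of the JPEG, not steganography"). This is not code from the talk or from the threat-intel report it summarises; it is a defender's check that walks the JPEG segment structure to the real End-Of-Image marker and counts whatever follows. The sample images, the fake EXIF thumbnail and the appended payload are all constructed for this example.

```python
"""Detect data appended after a JPEG's End-Of-Image marker.

Added example, not code from the talk or the report it summarises.  The
talk describes a binary simply appended to the end of a JPEG (not
steganography).  A robust check walks the JPEG segment structure to the
real EOI marker (FF D9) and counts the bytes after it; searching for FF D9
with find()/rfind() is unreliable because EXIF thumbnails carry their own
EOI and an appended payload may itself contain FF D9.  All sample images
below are constructed for this example.
"""
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def _skip_scan(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data.  Inside a scan, 0xFF is only
    ever followed by 0x00 (byte stuffing) or a restart marker (D0-D7);
    any other marker byte ends the scan."""
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            pos += 1
        elif data[pos + 1] == 0x00 or 0xD0 <= data[pos + 1] <= 0xD7:
            pos += 2
        elif data[pos + 1] == 0xFF:  # fill byte
            pos += 1
        else:
            return pos
    raise ValueError("scan data runs off the end of the file")


def jpeg_trailing_bytes(data: bytes) -> int:
    """Return how many bytes follow the JPEG's EOI marker (0 for a clean file).
    Raises ValueError when the data is not a parseable JPEG."""
    if not data.startswith(SOI):
        raise ValueError("missing SOI marker")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: the picture ends here
            return len(data) - (pos + 2)
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers, no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len                       # length field includes itself
        if marker == 0xDA:                       # SOS: scan data follows
            pos = _skip_scan(data, pos)


def _segment(marker: bytes, body: bytes) -> bytes:
    """Build a marker segment with its big-endian length field."""
    return marker + struct.pack(">H", len(body) + 2) + body


def constructed_jpeg() -> bytes:
    """A tiny syntactically valid JPEG skeleton (constructed, not a real photo).
    The APP1 segment embeds a fake thumbnail with its own SOI/EOI, which is
    exactly what defeats a naive data.find(EOI)."""
    app0 = _segment(b"\xff\xe0", b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = _segment(b"\xff\xe1", b"Exif\x00\x00" + SOI + EOI)
    sos = _segment(b"\xff\xda", b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # includes stuffing and RST0
    return SOI + app0 + app1 + sos + scan + EOI


def classify(data: bytes) -> str:
    """Verdict for a file: 'clean', 'appended:<n bytes>' or 'not-jpeg'."""
    try:
        extra = jpeg_trailing_bytes(data)
    except ValueError:
        return "not-jpeg"
    return "clean" if extra == 0 else f"appended:{extra}"


if __name__ == "__main__":
    clean = constructed_jpeg()
    # Constructed payload: a fake PE header plus bytes that happen to contain FF D9.
    payload = b"MZ\x90\x00" + EOI + b"\x00" * 20
    for name, blob in [("clean.jpg", clean), ("lure.jpg", clean + payload)]:
        print(name, classify(blob))
```

A non-zero verdict is a triage signal rather than proof of malice (some cameras and editors leave harmless trailers), which is why the function reports the byte count and leaves the threshold to the caller.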
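Editor's added example for the incident-response walkthrough in the talk (the process-injection alert on trojan.exe, the pivot left through the process create and the file write to Outlook, and the pivot right to network connections and run-key persistence). This is not code from the talk; it runs that two-direction pivot over a handful of Sysmon-style events and emits the populated diagram as Graphviz DOT. Every event record is constructed, trojan.exe, Phyllis and secondary.infection.com are the talk's own placeholders, and the Outlook path, pids and the host c2.example.invalid are made up for the example.

```python
"""Walk constructed Sysmon-style events backwards and forwards from an alert.

Added example, not code from the talk.  Event IDs follow Sysmon: 1 process
create, 3 network connection, 8 CreateRemoteThread (injection), 11 file
create, 13 registry value set.  Every record is constructed; trojan.exe,
Phyllis and secondary.infection.com are the talk's placeholders, and
c2.example.invalid is a made-up host.  The output is a Graphviz DOT graph,
i.e. the diagram the analyst populates as the investigation proceeds.
"""
from collections import deque

EXPLORER = r"C:\Windows\explorer.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
TROJAN = r"C:\Users\phyllis\Downloads\trojan.exe"
SERVICES = r"C:\Windows\System32\services.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"

EVENTS = [  # constructed sample log, in time order
    {"id": 1, "pid": 400, "ppid": 300, "image": EXPLORER, "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"id": 1, "pid": 500, "ppid": 400, "image": OUTLOOK, "parent_image": EXPLORER},
    {"id": 11, "pid": 500, "image": OUTLOOK, "target": TROJAN},
    {"id": 1, "pid": 600, "ppid": 400, "image": TROJAN, "parent_image": EXPLORER},
    {"id": 13, "pid": 600, "image": TROJAN, "target": RUN_KEY, "details": TROJAN},
    {"id": 3, "pid": 600, "image": TROJAN, "dest": "secondary.infection.com", "dport": 443},
    {"id": 11, "pid": 600, "image": TROJAN, "target": r"C:\ProgramData\stage2.dll"},
    {"id": 8, "pid": 600, "image": TROJAN, "target_pid": 700, "target_image": SERVICES},
    {"id": 3, "pid": 700, "image": SERVICES, "dest": "c2.example.invalid", "dport": 8443},
]


def trace_origin(events, pid):
    """Go left from `pid`: which process created it, and which process wrote
    its image to disk?  Each hop pivots to the writer; the chain ends when the
    image has no file-create event (a pre-existing binary such as Outlook)."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        create = next((e for e in events if e["id"] == 1 and e["pid"] == pid), None)
        if create is None:
            break
        writer = next((e for e in events if e["id"] == 11 and e["target"] == create["image"]), None)
        chain.append({"pid": pid, "image": create["image"],
                      "parent_image": create["parent_image"],
                      "written_by": writer["image"] if writer else None})
        pid = writer["pid"] if writer else None
    return chain


def scope_forward(events, pid):
    """Go right from `pid`: follow children and injection targets, then collect
    the higher-risk effects (network, run-key persistence, file writes)."""
    in_scope, queue = set(), deque([pid])
    while queue:
        p = queue.popleft()
        if p in in_scope:
            continue
        in_scope.add(p)
        for e in events:
            if e["id"] == 1 and e["ppid"] == p:
                queue.append(e["pid"])
            elif e["id"] == 8 and e["pid"] == p:
                queue.append(e["target_pid"])
    mine = [e for e in events if e["pid"] in in_scope]
    return {
        "pids": sorted(in_scope),
        "network": [(e["image"], e["dest"], e["dport"]) for e in mine if e["id"] == 3],
        "persistence": [e["target"] for e in mine if e["id"] == 13 and "\\Run\\" in e["target"]],
        "file_writes": [e["target"] for e in mine if e["id"] == 11],
        "injections": [(e["image"], e["target_image"]) for e in mine if e["id"] == 8],
    }


def huntable_iocs(origin, forward):
    """Artifacts worth handing to threat hunting and detection engineering now,
    before the incident is fully scoped."""
    files = {h["image"] for h in origin if h["written_by"]} | set(forward["file_writes"])
    return {"files": sorted(files),
            "hosts": sorted({dest for _, dest, _ in forward["network"]}),
            "registry": sorted(forward["persistence"])}


def _q(s):
    """Quote a string for DOT, doubling backslashes in Windows paths."""
    return '"' + s.replace("\\", "\\\\") + '"'


def to_dot(origin, forward):
    """Render both directions as a Graphviz DOT digraph."""
    lines = ["digraph incident {", "  rankdir=LR;"]
    for h in origin:
        lines.append(f"  {_q(h['parent_image'])} -> {_q(h['image'])} [label=\"creates\"];")
        if h["written_by"]:
            lines.append(f"  {_q(h['written_by'])} -> {_q(h['image'])} [label=\"writes\"];")
    for src, dst in forward["injections"]:
        lines.append(f"  {_q(src)} -> {_q(dst)} [label=\"injects\"];")
    for image, dest, port in forward["network"]:
        lines.append(f"  {_q(image)} -> {_q(dest + ':' + str(port))} [label=\"network\"];")
    for key in forward["persistence"]:
        lines.append(f"  {_q(origin[0]['image'])} -> {_q(key)} [label=\"run key\"];")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    origin = trace_origin(EVENTS, 600)      # alert fired on pid 600 (trojan.exe)
    forward = scope_forward(EVENTS, 600)
    print(huntable_iocs(origin, forward))
    print(to_dot(origin, forward))
```

The two walks are deliberately separate functions so that, as the talk suggests, one analyst can run the origin trace while another scopes forward, and the DOT output can be handed to whoever is coordinating without either finishing first.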