Episode 17: Steve Miller
In Episode 7, Steve Miller stops in to talk to Jared and Jonny about a variety of detection topics!
Episode Transcript:
00:00.00
Jonathan Johnson
Hey Steve thanks for joining us today. Um, for those that don't know you could you introduce yourself.
00:05.90
Steve
What up. Ah yeah, so my name is Steve Miller I'm a researcher I work at this company. Really small company called stairwell cyber security company with a different name but before that I was at mandiant for. Um, about 8 years and I do kind of like a variety of things I think I focus a lot on I'm really just psyched about detection stuff and detection rules and I tend to kind of do detection stuff as it kind of intersects with. Incident response and threat Intel type of stuff. So I kind of like to ball a bunch of these things up and help out the way I know how in those in those different areas and um, yeah, that's it. That's it. That's me and a nutshell.
00:57.19
Jared Atkinson
Sweet. Yeah, ah so yeah Steve I was really excited to invite you onto the podcast because you you have a number of kind of Twitter threads or Twitter opinions or thoughts or whatever we want to call them that that have really struck me and at least like they've caused me to. Really think about certain things that maybe I've taken for granted and I think there's like there's always a ton of assumptions that are built in to something that's especially as complex as detection that is worth always exploring and 1 of the one of the things that I've seen you talk about I've seen other people talk about that. There's a lot of consternation or maybe differences of opinions about how this applies is this this concept of like what does malicious actually mean or how do you even approach detection in the first place like do you have kind of a mental model that you use for approaching the the concept of detection as a whole like maybe. Start at the broad and then we could maybe get into some more detailed perspective.
01:53.47
Steve
Yeah I mean it's also like 1 of those things I think my understanding of the d word has really changed over the years you know I don't even think I really like grasp what it was um well I like.
01:59.65
Jonathan Johnson
A.
02:00.48
Jared Atkinson
Sure.
02:10.91
Steve
When I started Mandy and I was really more of a sock analyst. So all I was really the way I understood detection was in terms of alerts right? and I think that's kind of like obviously sitting in that seat. That's where you receive you're like at the end of the line. You're the conveyor belt. Has like brought everything to you so that's kind of where I really started to think about detection and then more recently as like just the work that I did evolved over the years I start to think about it more like a radar system right? where you want dots to show up. Like the first step is that dots have to show up on the radar and then the second step is you have to know if those dot like what those dots are and if they mean something important to you so like that's been ah, it's been a long journey kind of coming coming to that kind of. Like framework where I'm really thinking about first obviously just having a data point having a dot for everything and the number 1 thing is you can't do anything else until you got a dot and that seems like such an obvious thing now. But I don't think I I realized that until quite recently.
03:09.16
Jonathan Johnson
Um, yeah.
03:18.26
Jared Atkinson
Yeah, yeah, fair, the one of the go ahead I was just going to say the an interesting thing is like what's your criteria for producing a dot because like ah I like there's this balance of like how.
03:21.14
Jonathan Johnson
Um, yeah, 1 thing. Um, oh go ahead. Gerd.
03:22.24
Steve
You know.
03:38.80
Jared Atkinson
Sensitive or specific. Do you want to be in producing those dots in the first place right? A lot of times as like a sock analyst like you mentioned the the dot production is outside of your control. But if you don't produce a dot then that that event will never be analyzed ever right? And so like there's ah, there's an issue with.
03:45.59
Steve
Right.
03:57.27
Jared Atkinson
Being too so too specific as in like suppressing dots. But then like I'm I'm relatively sensitive and so I like to produce lots of dots. But then the feedback is hey now we have tons of false positives and we're getting like alert fatigue. For instance, do you have kind of like ah what is your.
04:00.11
Steve
Right.
04:15.45
Jared Atkinson
General Criteria or thought process for producing a dot because it sounds like you you might be a little bit more open to producing more like based on what you just said I suspect or I'm starting to think that you might be open to being more sensitive as far as things that don't necessarily have to be malicious to produce a dot.
04:33.40
Steve
Yeah, um, it's a hard. It's a hard conversation because you have to have it from like so many different perspectives right? And um I think I always have existed inside. You know the vendor space.
04:34.20
Jared Atkinson
On the radar.
04:48.50
Jared Atkinson
Um, okay.
04:50.70
Steve
Where things are totally under my control. So I I you know even if I'm getting all those like good or bad or ugly dots. Um I can usually go and change those things and that's not true for a lot of people for most people who are using detection equipment is they don't have a ton of control over.
04:51.53
Jonathan Johnson
Here.
05:10.00
Steve
Aperture of like data that that they see or don't see um but for like just a lot of my time you know again like almost all my security experiences like through this through this lens of mandiant right? But when I was looking at Network alerts. Right? The way we kind of begin to think about the dots and the aperture is to like obviously just divide them into buckets right? So Even though everything kind of ended up as an alert. Um, we would kind of create detection rules that were really meant. For more like just almost like logging events right? because ah like you know a detection rule is just some logic it matches something that happens and it's not alert like it's not necessarily an alert unless you treat it like an alert.. It's just like a little line item that says something match something at this time at this place. Source desk I p Whatever so like ah just over time I started to think about how like where you want the alerts are those things that are obviously higher fidelity. And you can triage them quickly and you can go. You can take that thing and immediately pivot into an investigation that's kind of interesting and probably valid and probably worth your time and then that's like that's like this special place because you don't want to jack up. Data that kind of goes into that top tier aperture for the sock because you know that's the Job. That's the job and you just want the best and that's where you have to also achieve a lot of Balance. You're gonna in that top tier. There's always false negatives Period. There's actually a lot.
06:49.20
Jonathan Johnson
Um, yeah.
07:01.77
Steve
There's That's the most false negatives there are where you have the most um, true positives right? So then like oh that dude once you get once you get a started I'll just go to wave my hands in rant. But um, but like.
07:07.29
Jonathan Johnson
Um, yeah, oh go ahead. Sorry it frozen I and.
07:19.64
Steve
You know and that was where I started to get into creating my own detections and writing these you know quote detection rules that actually were at these lower tiers where the aperture is bigger and they were never really intended to be used as starting points right? and because we controlled. Full stack of technology in the all of the alerts that we want that we like create are all the detection rules that we're creating I could stack them up like yo. This is a methodology rule. But it's so it hits so rarely It's great. We're just gonna pop that into tier one or level one priority. 1
07:55.30
Jonathan Johnson
E.
07:58.86
Steve
Whatever, And then these ones are really great for logging other types of things that could be more interesting and then it's like that cascade from the really the really high fidelity stuff on down and those have different consumers too. And this is where I like my mind really started to change that like um detections and ah and alerts or events and whatever was coming out. They have different consumers like at the sock Level. You have to consume you know it's a different conveyor belt that comes off the detection like Factory right? And those.
08:33.44
Jonathan Johnson
Um.
08:36.53
Steve
Those items on that conveyor belt have to be really different from the ones that go to the Intel analyst the ones that go to the threat hunters or the ones that we just store for rainy day in case, some big breach happens and now we go back through all that data that helps us like create a web of activity.
08:53.90
Jonathan Johnson
Yeah, yeah, I Really like what you're mentioning there. Um, especially when it comes to different events means something different to a different consumer So a different analyst right? Um I think oftentimes when we think of data collection. We all think of it going into one funnel and essentially um.
08:54.79
Steve
You know what? I mean.
09:11.61
Jonathan Johnson
Going into the same alert logic and then eventually hitting the same analyst and then escalating that to an investigation etc goes down the pipeline but I do think there are instances where data could be pulled out. Um based off of some type of logic and then just stored somewhere for a rainy day because. It might not reach the severity that we might want it to um in terms of hey this is this is severe enough to where I want to alert somebody and actually take ah a look at it right now. But it's contextual data that's like hey if later down the road this event happens I want you to pull this for me. Add it to this. And then we start to move down so it can be added as contextual piece. Um, but then again I really like what you mentioned about how that is a scenario where all the tooling available to us is controlled by us. Um I think that's I think that's not really talked about a lot and actually makes me want to Zoom out a moment that's okay and talk about. Ah, steps it takes to actually get to detection because we often talk about detection but like this is detection um in my eyes is the centerpiece of the flow of the funnel and the sense of processes not Jared's detection um funnel but more of um, the process funnel in general. So what does it take to actually. Create a detection and then whenever the detection is created. How do we determine the severity via this data should be malicious if it happens this shouldn't be malicious but going backwards in the sense of um and I think you would have great experience on this coming from mandian of. These investigations have happened now we're deciding to create a detection off of it threat intel feeds into that because threat intel isn't talked about enough when it comes to detection I think they hold a good amount of value. Um and feeding into the detection process. So I would love to hear your thoughts about that.
11:02.20
Steve
Oh man is a can of worms isn't it because there's so many threads. Um I I guess like yeah, it's crazy so Mandian like.
11:05.27
Jonathan Johnson
Yeah.
11:05.35
Jared Atkinson
They all are all the questions.
11:18.84
Steve
And you take it back to all the ah like incident response companies that are crushing out like you know threat intelligence stuff that is used for detection and a lot of that you know a lot of that is like postmortem stuff like they're doing the autopsy. And they're saying this is how this like bad thing happens and then we're gonna use everything that we found to go find more of it right? and this has this like whole cascade of precision right? So like back in the day it was like oh guess what if we look. In the application Shim Cache App Compat We're gonna find a lot of malware persistence right? So we're gonna have that kind of we're gonna sweep an enterprise and find those things so that's like ah a very broad right? detection approach and then.
12:09.16
Jonathan Johnson
M.
12:12.75
Steve
And then it's like oh also this actor had these 5 malware families right? and these 5 malware families. We can detect with a little bit more precision because they and we're gonna give them a name so that we can organize it and track it etc and then oh.
12:21.90
Jonathan Johnson
Um, yeah.
12:30.65
Steve
You know these malware families use something so specific. It's like a network protocol or it's like an actual hash or an ip address and so there's like you know I always found just from the incident response space like you get all those things every time. Every time there's an investigation or a breach you have like things across that entire range of like precision and taking this to like when we were a Andy when we were acquired by fireey. We got access to all these products right. Huge amounts of sensor fleets and email stuff and blah blah blah and there was always this kind of like well what? What do we? What do we put into our different our different products and at what levels of precision and we had to start making choices about. You know generic detection specific named detections and and more like tradecraft or methodology stuff.
13:31.46
Jonathan Johnson
Um, yeah.
13:32.74
Jared Atkinson
I think there's there's an interesting aspect of what does detection actually mean in the first place and I think in this case like we we conflate the idea of detecting malicious behavior with detecting behavior right. So there's like a contextual element that has to be like or a contextual layer that has to be put on top and I think at first what we what we have to do is be able to detect a behavior of interest right? and that that might be ah, a file this file this specific file was was created. On on the system and that would be like a hash-based detection right? like the idea that that file happens to be malicious because we've seen it you know through threat intelligence or in a prior breach or whatever. That's a completely separate layer than the behavior layer that we're looking at and so like we might say look at all file creation. Operations where the hash is this and that just tells us this specific file you know assuming no hash collision or whatever was created on the system and then we're able to layer that kind of like threat intelligence information on top of that right? Um, and the the the interesting thing is like how do you How do you leverage the telemetry that's at your disposal or that's available to you to to be able to ask more complicated behavioral questions right? So one of the things that like Johnny Luke and I have looked into as service creation. We use it because it's a pretty simple example to discuss right? And so like there's a difference between. Understanding that a service was created a generic service and it's not that's not as simple as it sounds right? So like a lot of people might say oh there's a windows event log for that. Well I could create a service and not generate that windows event log so it's still not an easy question necessarily like there's some technical nuance to it. But then there's a completely different question that has to go on top of it of.
15:07.29
Steve
Right.
15:22.23
Jared Atkinson
What is this a malicious service right? And how do you actually derive that malicious kind of context. Well there may be things like okay well we happen to know like we happen to know that this specific binary is used for malicious stuff. That's great, right? That's high fidelity we we could find that but then there's also something like we know that. Services are used for lateral movement. So how can we derive the behavior of a service being created remotely from the telemetry that we have available and it's not necessarily like obvious how you might do that and so then you start to kind of dig through the different telemetry that's available to you to evaluate that. And that's where those dots come from and then I think I think there's a secondary process which is how do we add context on top of those dots which so it's like the first dot in the radar is a plane is flying by but it could be a friendly plane. It could be a faux plane an adversarial plane and we need to then we kind of add that context on to it.
16:06.93
Steve
Yeah.
16:19.10
Jared Atkinson
As far as you know what? what is this doing? What's the behavior of it. Can we? you know, try to figure out something about it and I think an interesting thing about having a ah solid detection process or like overall detection and response process is you can actually add additional context as you become more certain that something ah is. Potentially interesting, right? So like if you're just looking at Raw events that are coming in you. You might not be able to correlate certain types of information because it might just be too heavy handed. But if you get down to you know 10 alerts then you can you can maybe go out and use your sore platform or whatever to go and collect some additional information that maybe wasn't Available. Enterprise Wide right? and that provides you with really valuable context that might help you make a ah better decision.
17:03.84
Steve
This is kind of where um you know like we start to you know in some ways I think like we create too many dots and in some cases right? So like the example you say like service Creation. You might have 10 dots for that. It's hard. It's hard to um, it's and it's hard to pick and choose which ones are are more representative right? yeah.
17:32.80
Jonathan Johnson
Yeah, 1 thing um I can't help but think when we think about that radar aspect um is in situations. Um, let's say in the middle of the dot we we know is somehow we know that's a for sure malicious service being created. Um.
17:32.28
Jared Atkinson
Yep, you may have 10000000 dots for that.
17:51.82
Jonathan Johnson
And we have a threshold by which our scanner goes. You know that could be our detection logic from the spectrum. Whether that's a very precise detection or abroad if a broad detection comes in then we know the dot is fairly far away from the okay yes, this is for sure malicious. So It's like the severity range. Um, but then there has to be a threshold within that radar as well and that threshold is essentially what is my and how much is my analyst able to take In. Um. And then at what point am I willing to let that dot pass the threshold and go to my analyst and not go to a secondary place for contextual information.
18:33.73
Steve
Yeah, and the and then right and then you ah add those when you do hit that point right? How much context do you offer because that amount of context changes how you proceed with with that event right? or that.
18:49.92
Jonathan Johnson
Absolutely yeah.
18:52.95
Steve
Yeah.
18:53.10
Jared Atkinson
I think there's a there's an interesting one of the things that I struggle with Steve that you talked about was this like false positive versus false negative and as you said like the more certain certainty you have that something is bad that the more false negatives there are and the problem with false negatives of course is that they're inconspicuous, right? You don't know that they're happening because there's no. Feedback mechanism besides a breach I guess um and like one of the things that's that's kind of interesting to me to like I I overly maybe I perceive that the the industry as a whole is more sensitive to false positives and as like as my my whether that's correct or not I don't know. But. My response to that is that I become overly sensitive to false negatives if that makes sense. Um and one of the reasons why I find myself really interested in false negatives or reducing false negatives is I think there's ah, there's not a 1 for 1 correlation between false like the the risk or the cost of false positives versus the risk of false negatives. So. Like let's say we're looking at this services example. Um every alert has a cost right? But it's a stat like a fixed relatively equal cost for each additional service that you put on so the the graph of cost is is linear right? So like as you add. And additional service that has to be investigated. The cost is going to be the same as the previous service so it it grows linearly right? So a hundred a hundred alerts for services is a hundred times one alert for services conceptually obviously not that perfect, but but the problem with false negative is that that that it's exponential because the risk that involved in a false negative. Is basically unlimited right? because yeah in theory ah a false negative could be the time that your company goes bust because of whatever or like you know we saw like Mas when they when they had ransomware. It cost them like ah a trillion dollars a day I'm making up that number. But yeah, it was gigantic right? And so um, you know.
20:39.14
Steve
Catastrophic right? ah.
20:43.75
Jared Atkinson
I almost look at like your willingness to accept false positives as your hedge on false negatives right? So like it's like how how much do you How much risk. Do you really accept on this if you're not willing to accept 10 false positives a day for this event then you must not be that worried about it because you know. Ah, missing missing a you know, malicious instance of this is potentially catastrophic and so if you're only willing to you know, allow 0 alerts per day that are not that are like if you're willing to allow 0 false positives then that means that you you aren't possibly that worried about about this right. It's kind of like that's how I interpret it I guess.
21:24.43
Steve
Yeah, yeah I don't disagree. Um, and I I probably share the same perception that it like people are really concerned about too many false positives. Um, and I think that's probably conflated with like this huge history. Where all alerts were the same.. There were just 10. There was just 50000 alerts an hour and they're all the same and they might as well be false positives right? If There's 50000 of them. Um, even if they're all true positives who cares because we we cannot do. We can't do.
21:44.62
Jared Atkinson
Um, yeah.
22:02.97
Steve
Anything with that number you know.
22:05.13
Jonathan Johnson
I think 1 thing that I get very conflicted with the false positive false negative conversation because I can't help to think but taking a step back again before detection and really perfecting the prevention available to us in the environment. Um, and what might be there. Sure. Eventually the data. It's it's fairly simple and fairly easy for a lot of attackers to bypass that preventive preventative piece. But I feel as if if they can bypass that preventative piece that will lessen the amount of false positives going through our chain. Um, and. I I feel like it was in detection. That's not often thought about and then or at least not talked about and then we get to the point of how do we create the detection the logic. Um, and as we know like when you get to more complex. Um detections where like say I like to talk about Rpc like I like to have our Rbc is basically every use case in this world. Um, and. There's no real good way unless you have network data to really detect on Rpc today. Um, explicitly it being Rpc and so what about organizations that don't and are are not interfaced with that type of data. Um from a day-to day or the network sensor isn't picking it up correctly and. How to join that network data to the host to really say like hey let's look at this whole picture. The lifetime here. This is what's happening analysts have to manually go in adely sings. Well now you have an alert from a hostbased cdr and now you have an alert from the network and you have to like somehow they have 2 analysts working on something and it's just. Takes a lot of time. So how do we actually go about that and then we have take another step back and say well that's in a controlled environment where I'm controlling the tooling because it might be expensive to put all that data in 1 spot and have another tool. Let's say like a jupyter notebook for example. To where I can just join all the data together and so.
24:00.64
Steve
Isn't ah isn't Xdr supposed to fix that. Ah.
24:01.47
Jared Atkinson
No jeez I I like purposely remain ignorant on like I don't even want to venture into that battle I think I think Johnny that's like ah there's a bit of a tech like that is a technical problem of like correlrelated like so your prevention perspective is like yes I think I think.
24:09.30
Jonathan Johnson
Yeah, yeah.
24:21.18
Jared Atkinson
When you can prevent you should prevent but like you should also pretend that prevention's going to fail in some some cases. Um, yeah, assume Breach I suppose is yeah but the the but then there's a there's a point of like correlating network.
24:21.40
Jonathan Johnson
Yeah, oh hundred percent yeah oh that's the whole premise behind detection right? is like prevention is going to fail at some point so we need we need a backup. Yeah.
24:41.70
Jared Atkinson
To host or like being able to say like hey was this service created remotely I think that's like there's like a that's a technical problem right? But I think when it comes to false positives false negatives. It's more of like ah ah, an abstraction problem right? So like the idea of like it.
24:46.68
Jonathan Johnson
Yeah.
24:57.49
Jared Atkinson
The the problem with a false positive is that we have an imperfect view of the thing that we're trying to detect like we we don't actually under like it's not obvious what a service is in the first place right? So like when I say a service that doesn't mean that every listener thinks of the same thing because they may think about it at a higher abstraction layer than I do. And I may think about it at a lower level than they do for instance and and then like that query that I'm creating. Let's say I'm just creating a query that says I want to know when a service is created right? So I'm not even adding on the abstraction of like maliciousness or you know whatever um that that is an imperfect query based on my understanding.
25:17.54
Jonathan Johnson
Yeah.
25:34.13
Jonathan Johnson
Um.
25:36.60
Jared Atkinson
Of the phenomenon that that's occurring right? And my my understanding is inherently limited right? and it's not perfect and so a false positive is like an anomaly whenever an anomaly happens So like an anomaly is when you perform some action and something that you don't expect to happen occurs what that tells you.
25:39.57
Jonathan Johnson
Um, yeah.
25:54.69
Jonathan Johnson
Yep.
25:55.62
Jared Atkinson
That indicates that your understanding of the phenomenon is not 100% correct and a false positive or a false negative is in fact, an anomaly right? So like if I say I wrote this query. Um I think what happens when we get this like true true positive like true positive benign or like whatever.
25:57.69
Jonathan Johnson
Um, yeah.
26:13.98
Jared Atkinson
Conversation. We're conflating 2 parts of the process right? because the first part part of the process is what is the behavior I'm interested in. That's the true positive part of true positive benign right? And that's saying like I want to know when a service was created well, there is a chance that I will produce an alert for something that is not in fact, a service right? and that'd be a false positive.
26:30.56
Jonathan Johnson
Um, yeah.
26:33.73
Jared Atkinson
Um, I would say like when you're talking about this. That's probably less likely. There's also scenarios where I can not produce an alert when a service is created that'd be a false negative right? And so like both of those are indicative of me, not understanding service creation properly right? or completely.
26:41.60
Jonathan Johnson
Yeah.
26:47.70
Jonathan Johnson
Yeah, well. Ah, yeah to that Luke. Ah one second. Ah yeah, so like to that to that point like I agree with you in my head if you were to add on other pieces of data like with more context comes more understanding. So if we like take that abstraction view of like I just want to see when. Ah, service is created I like 100 % agree with that like that's that's fine, but eventually we have to reach that threshold for our analyst to say hey like this is important enough to where I want them to actually take a look at it. That's where I think the other data applied from different contextual tools within like a logic can really push it past that threshold of.
27:19.14
Jared Atkinson
Um, yeah.
27:25.20
Jonathan Johnson
Hey like we're goingnna and kick this off to them and I think this is less likely to be a false positive and more of a false negative and then I'm going to have them spend their resources looking at it if it doesn't pass that threshold I'm willing I'm I don't know for sure. But I'm willing to accept the risk I'm willing. Yeah.
27:39.12
Jared Atkinson
You're willing to you're willing to pay the cost pay the cost. Yeah, and I think I think that's ah so yeah, my point is is that that's a completely separate question than the initial question. Um and like and it's still you're trying to say okay.
27:41.84
Jonathan Johnson
Willing to accept the risk that hey this is probably a false positive sorry Luke for.
27:50.11
Jonathan Johnson
Um, yeah.
27:56.59
Jared Atkinson
Like this is another phenomenology question right? So it's like okay I know that this is my set of all services. Let's say and like you don't want as Steve pointed out, you don't want somebody to look at every service that's created because there's ah a shit ton of them right? There's potentially millions in ah in a legit enterprise a day right? And so.
28:07.19
Jonathan Johnson
Yeah, absolutely.
28:13.61
Jared Atkinson
You need to like you don't have you literally don't have the manpower to be able to do that. Um, and so then like to your point Johnny you want to say okay, what is the threshold by which I will consider this to be worth investing additional scrutiny because like you have resources that aren't just human resources. You have you know like.
28:25.69
Jonathan Johnson
Um, yeah.
28:32.91
Jared Atkinson
Computing resources right? And so like you've already spent resources to even identify that the service was created in the first place right? And that's potentially a more rich resource pool. But then as you go and provide like spend more time on it. You are. More constrained resources as you as you go and so you want to do that in a smart way. But there's also yeah, the the next phenomenon is what makes a service malicious and like our understanding of that is even worse than our understanding of what is a service in the first place right? because there's tons of things that can make a service malicious and we haven't seen every iteration of them.
29:01.38
Jonathan Johnson
M.
29:06.88
Jonathan Johnson
Um, absolutely.
29:08.37
Jared Atkinson
Right? And so like yeah and so but that's where like correlation I think correlation is valuable ah like the service example is potentially a really simple phenomenon to identify. But there's even there's some phenomenons that are require correlation just to identify that they occurred in the first place.
29:17.10
Jonathan Johnson
Yeah.
29:23.63
Jonathan Johnson
Um, absolutely.
29:26.28
Jared Atkinson
Like a service being created remotely for instance is 1 example of that like that might be a better starting point than just pure services but you have to correlate things in order to get that information.
29:36.52
Jonathan Johnson
Yep Luke what were you.
29:37.96
dcppodcast
Oh my thing is it may not be strictly relevant anymore. It was just a small comment on when you were talking about prevention and the fact that you should attempt to prevent first and it's something we've talked about before but I think it bears repeating that even if you do successfully prevent it that doesn't mean that you might not. To know that somebody tried so you know if you're if you're out there and you're sending this and getting a a detection engineering program just because someone in your enterprise tells you that that thing that you wanted to detect is not physically poor.
29:58.19
Jonathan Johnson
Um, oh yeah I agree.
30:13.94
dcppodcast
Theoretically possible in the organization doesn't mean that you might want to wrap something around it just to figure out if someone gave it a shot. Regardless.
30:15.83
Jonathan Johnson
Um, yeah, yeah, like I'm a big fan of like I'm a big fan of like asr rules. Um attack service rules or things that are called by Microsoft and like with those if something is blocked. There is a log that happens and you can actually like leverage those.
30:16.60
Jared Atkinson
Um, and we've not to mention we've seen go ahead. John.
30:35.18
Jonathan Johnson
I'm a huge fan of that for like being more proactive in the detection. Um field.
30:39.32
dcppodcast
I Mean the big example that everyone does was fail logins. So if they're like why would we care if if something doesn't work like well you log when someone's password doesn't work. Well yeah, okay so you're doing it. But there's some other things that you might want to expand on that you know Beyond just password.
30:40.36
Steve
Yeah.
30:43.58
Jonathan Johnson
Um, oh yeah, absolutely.
30:55.55
Jared Atkinson
Well I think the idea is is that just because you blocked this attempt doesn't mean that they're not. They're just gonna be like well I guess it's not going to work So I'm not going to do anything else and like you might not have a detection for the next attack path so you probably want to take what you could get.
31:06.53
Jonathan Johnson
Um, if.
31:07.19
dcppodcast
Right? I mean in the example of your house you may lock the door but you probably still have an alarm on it just in case, the lock doesn't work or.
31:16.28
Jared Atkinson
And in your case you have cameras and everything else right? yeah.
31:19.31
Jonathan Johnson
Ah, we also lives in Texas there's a lot of other things out there that he's using. Ah.
31:19.53
dcppodcast
Remote remote remote controlled like Fort Knox with the guns coming on the ground you after people.
31:25.95
Jared Atkinson
Yeah.
31:29.61
Steve
Um, do you remember end of 2017 there was this malor family called Triton which came out. Yeah, so this was an attack on a petrochemical plant. Um, and it was one of the like.
31:38.56
Jared Atkinson
Ah, yet generically.
31:49.34
Steve
Kind of notable at the time because there's not that many examples of malware and intrusions in the like ics or operational technology space like factories and real heavy industry stuff but during that intrusion one of the things that kind of came out was that. The organization that was affected had a lot of like blocked mimicats on their a V stuff and this was past their Enterprise environment more into their like ics ot environments and of course like there were there were logs right? and so and the stuff was blocked. But was not action the same way I Always think about that as like it's like damn yo that prevention stuff is good. It's good, but like there is something happening there for sure.
32:35.30
Jared Atkinson
Yes.
32:35.84
Jonathan Johnson
Um, yeah, we we need to be prepared whenever that something happens and prevention just wasn't a wasn't the answer.
32:47.39
Jared Atkinson
If you have a bunch of blocked Mimi cats in your logs that should sound the alarms that like you might not, you might not know what to do but you should be doing something. Yeah.
32:51.71
Steve
Yeah, you should be doing something you should be just doing something right right? And this this was in like a not internet accessible zone either right? So they.
32:51.71
Jonathan Johnson
Ah, yeah, yeah, oh no.
32:52.80
dcppodcast
Ah I'm I'm glad mimi cads didn't run but how the hell did it get there in the first place.
33:00.18
Jared Atkinson
Um.
33:06.75
dcppodcast
Oh yeah, it's it's the Flash drives Israelis with Flash Drives man.
33:09.70
Steve
They had major problems. Um, yeah, but.
33:12.18
Jonathan Johnson
Yeah, Steve fun fact what you mentioned this in 2017 I was still in college in 2017 so I do not remember this attack now.
33:19.15
Steve
Nice, nice.
33:19.86
Jared Atkinson
I was I was gonna make a comment about Johnny still being in diapers when that happened but I I mean he might still might might still be in diapers.
33:25.82
Steve
Ah, it's.
33:26.67
dcppodcast
I love hearing these jokes about Johnny I'm older than him.
33:27.68
Jonathan Johnson
Luke wasn't even born yet.
33:32.80
Steve
It's weird because Twenty seventeen seems so like so close to me that seems like last year um yeah you did I forget what we were talking about obviously f p.
33:36.76
Jonathan Johnson
A.
33:37.43
Jared Atkinson
Ah, it's like time shrinks as ah as you get older right.
33:48.17
Steve
And f and it does seem to me like we have such a ah fundamental problem with this conversation because we're using FP and fn and true positive and true negative to represent 2 different layers in.
34:04.99
Jared Atkinson
Yep I don't think that we I don't think we as an industry even acknowledge that there are multiple layers.
34:05.26
Steve
And the whole thing right. Yeah, and yeah, and so like is it a true positive. Um, you know the services example right? It's a false negative if we don't see it is it Also a false negative if the next step if we make the wrong decision that it's evil.
34:08.71
Jonathan Johnson
Yeah I agree.
34:23.32
Jonathan Johnson
Um, and then.
34:25.21
Jared Atkinson
I I have an opinion on this and you guys tell me what you think but so Steve before we start, you kind of mentioned that you are at least passingly familiar with my funnel of fidelity concept and I know the other two are so I break it up and I'm not convinced that these are all of the all of the.
34:25.92
Steve
If that it's not evil.
34:44.20
Jared Atkinson
Phases that you should go through in detection but you should at least be doing these phases I think so there's collection which is how do you know What's going to happen or what what is? How do you even have a perspective of what is happening um the next one is detection which is like how do I I look at it as how do I identify the ah the behavior of interest right. Next one is triage which is how do I quickly identify the things that are most likely to have some security relevance and that's where you start to look at like a little bit of like the is this you know, potentially malicious investigation which is like a deeper dive into that question and then remediation right? And if you don't you have to do all of those things and if you don't do if you fail at 1 of them then you. Failed at kind of stopping the problem. But I think there is a false positive false negative there. There is a classification question at each one of those phases right? So like collection right? you you may be you may have ah Sys money even id one which collects process creation events but the question is is. Is it possible to generate a process that does not trigger a sy money even id 1 right? If if it is possible which I'm personally not ah, knowledgeable of of that possibility but you shouldn't act as if it's not possible I think if it is possible. The generated process and not trigger a cis mon even id one then that would be a false negative. Right? And that's at the collection phase right? and then like and like then you start to go down the down the path. But I think that there's some level and this is where we get into like quality control and quality assurance. There should be some sort of quality quality control at each phase right? which is quality assurance. Just my understanding of it anyway is how do I create a process that is likely to achieve the result that I that I'm going for right? So like um, how do I like I want to collect process creation events while I'm going to use some technical means to be able to generate events for when a process is created right? That's the. Quality assurance and I've defined that technically and then quality control is the process of trying of evaluating whether or not that process actually works in practice and like a red team would be an example of a quality control extra There's tons of different ways that you could do quality control but that would be 1 and I think you know conceptually and like this is a lot of investment if you wanted to do this. Literally, but conceptually there's an opportunity for quality control and quality assurance at each phase and there's potentially false positives false negatives true positive true negatives at each phase and you have to you have to look at them separately and so just saying that this is a this is a true positive or this is a false positive is ah.
37:07.36
Jonathan Johnson
Um, yeah.
37:17.47
Jared Atkinson
Lacks the sufficient clarity to be able to actually like mean anything useful I think.
37:23.17
Jonathan Johnson
Yeah I think um I really like the what I really agree with that Jared I like the way you've um, articulated that as well. Um, another piece I want to add on to that is I think like at each layer we have to be sensitive to how we're classifying the dataset moving across being false positive or false negative. However, I do think there is one end of the funnel where we have to be more sensitive in doing so because um and I I would say um at the data collection level is probably the most sensitive um and then moving into the analytical logic. The reason why I say that is. Obviously without the data. We can't see anything um and then without the correct logic. Um, we want the and will never get into the analysts lap essentially um, but at the triage. Yeah, go ahead.
38:09.80
Jared Atkinson
Can I ask a question just for clarification. Okay, so when you say sensitive like from a technical classification perspective sensitive means ah more open to false positives like you're casting a broader like a wider net.
38:21.71
Jonathan Johnson
Ah, Ah what I mean sensitive is I mean um, better at the process we need to be like if we're looking at each layer I Want to be better at catching false negatives at the data collection layer. Um. Then I am the triage later layer essentially is what I'm saying because the triage layer can be taught that an analyst can teach that or be taught that um and that can be learned. However, if we're not getting the data. Um, that is the biggest issue we move into logic and this is what's quite interesting as well is. How to make an analytical logic. Um,, there's obviously we've talked about on the spectrum. Um, there's precise and broad. But how to make a logic.. There's wheat that can be learned from an analyst or a de whoever's creating that detection.
39:06.50
Jared Atkinson
Um, yep.
39:16.31
Jonathan Johnson
However, I would say it's harder because there's less ah either classes or courses out there on how to be effective in what you're looking for within an environment giving you know the behavior by which you're targeting. Um.
39:26.28
Jared Atkinson
Is it is it safe to say that ah earlier and and this may not be a truism across time but it's a truism for now I think that earlier in the the earlier phases are more static meaning like you kind of like set up your Edr agent which has some.
39:45.59
Jonathan Johnson
Um, yeah.
39:46.35
Jared Atkinson
Static collection capability for the types of events it generates and like you don't have the ability to adjust that as you as you move forward but like during investigation you can almost adjust it on a alert by Alert basis to thin degree.
39:55.54
Jonathan Johnson
Yeah, yeah I would agree with that. Yeah.
39:58.36
Steve
Yeah, one one of the things that both you kind of I think have your finger on the pulse of is I really like thinking Jared about um the funnel right? And how all everything is like a ah data reduction.
40:15.11
Jared Atkinson
Um, yeah, it is.
40:16.42
Jonathan Johnson
Yeah.
40:16.92
Steve
Problem right? and at at every step at at every step along the way. It's a data reduction problem and then Johnny more to your point. It's like um at that first phase right? That's where um, it's obviously worst. Maybe worse to fail there because because then there's everything else past that is you get more reduced data is like a backup like or or not not a backup but like additional layers of more more chances to catch the thing right.
40:36.90
Jonathan Johnson
Um, yeah.
40:46.69
Jonathan Johnson
Um, absolutely yes yeah.
40:50.82
Jared Atkinson
I Think there's ah so I think of I was a eagle scout so you know fun fact I guess but like yeah I think of I think of like an orient orienteing like using a compass right? Um you you would like the way that the little like.
40:57.85
Jonathan Johnson
Flex.
41:06.72
Jared Atkinson
Event would go as you would be given a heading right? So like go two hundred and seventy degrees and then a distance and it would be like three hundred meters and so like if you're going ten meters being off by one degree wasn't that big of a deal right? because you don't have you don't have as much time to make it like for that mistake to compound. But if you're going ten miles
41:17.19
Steve
Move.
41:25.82
Jared Atkinson
You would have like a huge one degree is going to make a huge difference right? And so I think of like a mistake in the collection this is going towards Johnny's point I think a mistake in the collection ends up being magnified ah because it's basically being compounded upon right? So like because the the interesting thing about the funnel. Is when you exclude when you choose not to forward something to the next phase right? So like collection in and of itself generating an event would be forwarding it to the next phase. Um, as an input right? So you'd be outputting to the next phase if whenever you choose to not forward to the next phase that ceases like for all intents and purposes it ceases to exist unless you have some. Additional process that is able to like reconcile it I guess but yeah, so if you don't collect that an event happened in the first place you almost can't outside of like forensics methods which you're not going to use at an enterprise level. Anyway, you can't recover that it's it's just gone forever as opposed to.
42:17.56
Jonathan Johnson
Um, yeah.
42:22.67
Jared Atkinson
Making that decision later on um, which obviously has more cost and you have to be able to bear that cost but which you make the decision later on when you have more information. Ideally, you're making a more informed kind of decision I guess.
42:34.48
Jonathan Johnson
Yeah I think you know I think when most people talk about the funnel it. It seems quite obvious that um collection should be um and when I say sensitive It should be the most like focused on imperfecting that art. Um, it seems quite obvious. However, there's. Pieces to collection I don't feel like is often talk about? Yes, We want an event but I want attributes to that event that I can piece together to other event sources to contextualize the the lifecycle or the timeline that's going on and. What the question is what attributes are valuable in that contextual piece and that's when we start to move within the detection flow and then the triage flow because reality is a detection logic might not use the same attributes within that within that data format or that schema that the person doing triage or um, investigating the alert. Would be Using. Um, however, the even and that's whenever we're talking about the different use cases for events. That's where my mind went it split off is they might use the same events but they're utilizing different attributes. So allowing those attributes to be there. So each one can do the best they can do and classifying that event or that behavior. Is where I think um, can really be applied because I feel like that's often forgot. Okay, we have data in our environment. Great. We're done with data collection. Um, and then let's just go detection and then triage and investigation. Well, it's almost like a to I think of it. It is almost think of as like you drop a ball and it bounces and it's like. Sure as further you go data reduction happens and they might utilize less attributes within that collection or that event but they still need that and so the question is what attributes are most important to each um to each phase I guess.
44:20.82
Jared Atkinson
Is there like a could like okay so I acknowledge I agree with you in general about the like you you need to? There's at least some minimum number of attributes that you need to make the first decision if that makes sense. Um, and so like i.
44:33.65
Jonathan Johnson
Um, yeah.
44:39.94
Jared Atkinson
Like technically speaking I don't know from a practical perspective. How manageable this would be but from a technical Perspective. You may not need all of the attributes from the collection phase because each phase gives you an opportunity to potentially collect like. So for instance investigation. Well investigation you could go and potentially like ah. Grab the mft so that you could do file system analysis which you you can't you can't for all intensive Purposes. You can't do that at the detection phase for instance because it's just that'd be way too much data I don't I don't know anybody that has any practical way to to manage that right I know well hey if they do.
45:12.58
Jonathan Johnson
Someone's going to ride a driver this week now Jared after hearing you say that and ship it off this.
45:14.74
Steve
Ah, it can't be done. They say it can't be done.
45:15.97
Jared Atkinson
If they do then like your mission accomplished. Yeah I'm not saying it can't be done I'm just saying It's not done. Um, but yeah, so like okay so so I think that like the premise that I'm going at is that you can You can add context later on.
45:23.54
Jonathan Johnson
Ah.
45:34.21
Jared Atkinson
However, if you don't have enough context to make the like if you collect and then you don't during that collection. You don't get enough context to make a detection decision then you might as well have not collected in the first place. It's kind of I think your point Joanie.
45:45.69
Jonathan Johnson
Um, yeah, yeah, and go ahead. Sorry.
45:49.44
Steve
Do you think? do you do you think that? um you know again now I'm thinking back before you before you were born. But do you think back in. Do you think like the whole collection thing has changed in the last five years just as things have gotten a lot cheaper like.
45:59.85
Jonathan Johnson
Ah.
46:09.26
Steve
Because yo seriously ten years ago. People could not collect Htp Logs right? period.
46:11.98
Jared Atkinson
Yeah, yeah, back in the day I used to run Powershell scripts across the entire enterprise to collect like running processes because like.
46:12.15
Jonathan Johnson
Um, yeah I.
46:18.39
Jonathan Johnson
Back back in the day people actually use floppy Diss I just use them as Bookmarks um, like yeah so I think like to that point. Yeah I think I I from a price perspective. Um I would say yeah that I would probably say that's pretty accurate. Um. I would also think from a visibility perspective I think there's been a lot more eyes on what data can do for the analyst now than back in the day and there's been a lot of people out in industry that have like been great at um, kind of showcasing that data. Um, you know like olaf Artonng Roberto um all those guys have done a tremendous job on saying hey guys like if we're looking for a behavior we have to look at these data the data we have to look at the attributes we have to standardize the data and I think that's really been a good push for analysts in general. Um and understand what the data means and how it can be useful at each step. Um, which I think is.
47:12.62
Jared Atkinson
Hey you've been pretty good at helping to enlighten us on the assumptions that are being made when the data is generated as well. So you have like the api documentation for sysmon. For instance that you did which I think people take for granted because there's tons of assumptions built into the data that were like the collection mechanism.
47:13.55
Jonathan Johnson
Crazy and packful.
47:32.39
Jared Atkinson
Being used and we need to be more aware of what the what the mechanism is and what the like ramifications of a particular mechanism are if that makes sense and you've done a good job with that I think.
47:40.19
Jonathan Johnson
Yeah I think Thanks man I appreciate that? Yeah, it's a very you're gonna mean this rabbit hole I appreciate it. Buddy Um, it's that's a very big rabbit hole for me because I've been very intrigued recently with.
47:45.65
Jared Atkinson
You You skipped over yourself. So I just wanted to make sure you gave you got a little credit. Yeah, no for all.
48:00.18
Jonathan Johnson
What data is available to us. How do we optimize that data first and foremost because as we move through everybody wants to talk about e tw e tw is that a mug rootpeer by the way. Dude I haven't seen one of those since hang I respect that man keep the diet trimmed. Okay, sorry um.
48:07.55
Jared Atkinson
Yeah mug root beer bro little baby baby size. No caffeine seven and a half fluid ounces I don't know if I don't know if it's diet for it's no caffeine that I don't know if that is to be with a diet.
48:18.86
Jonathan Johnson
I been variing just cut just bro new year new you just go with it bro just go with it. Um, how to optimize data especially because I think it's very easy for us to run across something and say if I had etw logs. This would be a game changer. It's like um, well I don't know if you're. The majority of event sources that are exposed to us are coming from etw from a windows native perspective. Um first and foremost second off, um, etw sourcing is coming all from the same way. A lot of the ways as drivers right? There's ob register callbacks that are used um and so the event sourcing mechanisms. Can typically line up down the road where an edr sensor can do something fairly so ah, similar. Um, but the question that I have is how do we optimize the data and then instead of um, sitting there saying I want more more and more and more which is ultimately just going to drive our price range up. How do we utilize this data to be more impactful to our environment. And then start to collect what we truly need um and ah ah I think that's good for now. Yeah.
49:18.36
Jared Atkinson
so as I'll go ahead sorry okay yeah so I was just going to comment on your like if I only had etw having been that when I was in the air force like I said we used powershell to just collect things right? and like obviously that is a very inefficient process but the Edr didn't exist at.
49:31.48
Jonathan Johnson
Um, yeah.
49:37.41
Jared Atkinson
Time so you got to do what you gotta do but ah, having been guilty of being the person that was like man if I only had like you know information about the ticket cash we would We would do everything or if I only had information about access tokens or if I only had this I find that that approach to be a crutch because almost.
49:52.85
Jonathan Johnson
Um I agree.
49:57.11
Jared Atkinson
Everyone has more data than they're using like I don't I've I've never run into a situation where somebody is using the data that they have available to them to the fullest extent possible that doesn't mean that they wouldn't benefit more from getting new data. But they're not Ah, they're not fully leveraging what they have available if that makes sense.
50:05.27
Jonathan Johnson
I agree.
50:13.19
Jonathan Johnson
Um, yeah, yeah.
50:13.85
Steve
Most people can't query their data like they have tons. They can't query it effectively. They can't count things like and it's it's I think it's harder than a lot of folks think and then. You know Johnny to your point. You're always like just I want to smash it together in the cloud but like it's harder to do than and yeah, it's all so disparate right.
50:31.56
Jonathan Johnson
Um, yes.
50:37.92
Jonathan Johnson
Yeah, and I think that that goes back to the point of like um at each layer. How do we? Um, effectively teach our analysts to I guess work in the full capacity that they can right like be the best analyst they can be in that specific layer. Um and querying querying data is one of those issues right? Um, and I think it's I mean.
50:38.50
Jared Atkinson
Um, yeah.
50:57.74
Jonathan Johnson
It's when those things were I think just playing with the data and then seeing what you can string together over time is really going to be the best experience. But um, there's not a lot of great courses out there I'm ah I'm a big Learner. So I like to look at horses and like take different things to get better perspective but I can't think of a lot of great ones. Besides The. You know I'm not chilling the spectro drops the detect course but that's a really good one for actually like getting hand on Keyboard and querying um data I believe olaf has one as Well. Um, and I think um databricks has one.. There's probably other more.. There's probably more out there. But I can't really think of a lot those are the ones that I would look into but. Um, I think that's where we can really start to I Guess be the best Analyst I can be um and be the best detection Engineers I can be yeah, but yeah, and so um, the data aspects Interesting. So Then we take a step further So's like if say we're optimizing the data right? and we want we we're doing.
51:38.11
Jared Atkinson
Oh man, what are you joining the joining the army or what.
51:53.26
Jonathan Johnson
Everything we can. The next piece is understanding. Why data isn't available to us. Um, so you know and not everybody has the skill set nor wants to dive into this piece. Um, but like I often ran into I kind of have like a perception change one day when I was like man if only I had this one attribute I've been looking into token stuff quite recently and um, I'm like if only I had this piece of information like it would be game changing and then I was like well let me figure out why this is this isn't here and then. Got strung into all these embedded structures in the kernel and what it would take resource wise for a driver to actually go through those in like okay like an action triggers and now I want to pull that information you have to go through all these embedded structures you get this one attribute is it really realistic.
52:42.29
Jared Atkinson
Are you looking for like when a thread is created the token that's associated with it or yeah, oh man. Yeah, that'd be so nice. Oh intent.
52:44.16
Jonathan Johnson
All the time. Yeah, the impersonation. Yeah block coming soon. Um, and so and so like um, that's been quite interesting to me. But it's also been a perception change. So. As a researcher when I'm looking at these behaviors and I'm like man I really wish this is there asking myself a why is it there and then b is it realistic to even like fundamentally ask the edr vendor to start collecting that telemetry. Um. Because that goes back to the other aspect just like um would I rather like this kind of is like kind of the premise behind oof and I are doing a talk at attack con it like this kind of like the premise behind that is like would I rather have a couple pieces of telemetry to help me with 1 attack or would I rather have 3 pieces of telemetry to help me.
53:37.10
Jared Atkinson
Oh man. Okay shoot I had something I wanted to go back to. But now you've just opened up Pandora's box I yeah I I think all of this has been so okay what I what I wanted to talk about earlier was this interesting thing when you started talking about like hey.
53:38.10
Jonathan Johnson
20
53:42.39
Steve
Here We go. It's event. It's event Logs isn't it.
53:44.18
Jonathan Johnson
I'm sorry I kind of rambled on there I apologize for talking so long.
53:55.58
Jared Atkinson
We need to be more precise and or sensitive in how we approach collection and then as we go forward. We have a little bit more flexibility I think because we have more manual like we tend I don't think you have to necessarily but we tend at this point to have more manual processes as you go further in the funnel if that makes sense.
54:11.78
Jonathan Johnson
Yeah.
54:13.87
Jared Atkinson
I think something that's interesting to think about too is this idea of like outsourcing ownership of certain funnel processes right? So um, the way that I look at it is each phase of the funnel can also be outsourced right? So ah, for instance, outsourcing collection would be an edr or you know some sort of sensor. And some of some sort right? So like if I buy an edr you know for all intents and purposes outsource my collection capability to that vendor right? And that means that I kind of like to Steve's point I don't have tons of control. Ah initial point when he was like a sock analyst right? I don't have tons of control over. Changes to that besides like ah kind of a long-term long tail feedback mechanism that maybe I could have some influence and then it's like you could outsource your detections to the edr vendor too. So like a lot of edr vendors have telemetry generation and then they have also some sort of detection capability right. Um, and then if you're the sock analyst that's outsourced but you could also outsource the sock with like an mssp and then you could outsource like so really as like an industry. We've started to create opportunities to outsource each of each of the phases like you'd even have like an ir retainer right? which would be kind of outsourced of remediation to some degree and so like.
55:20.24
Jonathan Johnson
Um, in.
55:27.40
Jared Atkinson
Outsourcing is very valuable to a lot of organizations but you have to know that you are taking on assumptions that you don't necessarily know that you're taking on when you do when you do so right? and so there's yeah and I like to say that it's like ah your quality control goes from Am I doing the right thing.
55:37.25
Jonathan Johnson
You're not fully embedded into the process that's been implemented. Yeah.
55:46.51
Jared Atkinson
Ah, that's like the question goes like if you're doing it yourself. You have to be like did I design the process properly to achieve the objective that I want to achieve then it goes towards are they doing the thing that I am paying them to do right? and there's almost like a ah reverse engineering process of like how do I know.
55:55.86
Jonathan Johnson
Um, yeah.
56:03.82
Jared Atkinson
When they say they detect you know, credential dumping. How do I know that they actually detect like what does detect credential dumping even mean because that's an abstract concept in the first place and so like how do I how do I close the gap between what's being said and what I expect of what's being said because it's not obvious.
56:08.85
Jonathan Johnson
Ah, yeah, yep.
56:18.90
Jonathan Johnson
Yeah, before you move on to your second point I just want to say it's really satisfying to see whenever Steve agrees with something he just goes and it shakes his head real big. It's like yes, nailed it.
56:22.19
Jared Atkinson
That those 2 things are the same.
56:28.48
Jared Atkinson
Yeah, or maybe he thought of like a ah rebuttal in his head and he's he's freeelebrating.
56:32.71
Steve
No, no little lot of agreement lot of agreement I think it's probably frustrating for people who are you know on the receiving end of detection. Um, you know just to that point of like.
56:35.91
Jonathan Johnson
Yeah.
56:48.88
Steve
My vendors my edr my product they say they they do this but you know do I even spend the time challenging them and how can I challenge them and a lot of consumers. You know don't have effective ways of doing that and is very expensive to if you want to do that. It's expensive to do that.
56:55.50
Jared Atkinson
Um, yep.
56:55.76
Jonathan Johnson
Um, yeah.
57:04.56
Jared Atkinson
Yeah, for sure I completely agree with that as well. What I ah going back to your other point Johnny of like would I benefit from so like you got you and Luke at least have heard my idea. It's a lame name I know and he's gonna make Luke's gonna make fun but no, no, no.
57:04.95
Jonathan Johnson
Um, yeah.
57:19.47
Jonathan Johnson
Um, Netflix um.
57:23.45
Jared Atkinson
Yeah, that yeah detectionomics. So I I have this I have this concept of like micro versus Macro detectionomics and it's like basically how do you evaluate your decision making and where you want to spend resources right? and so like ah macro.
57:24.77
dcppodcast
Detectionomics.
57:25.86
Steve
Here we go.
57:39.80
Jared Atkinson
Micro-deteionomics is kind of what like I focus on so like I have a lot more opinions on that which is if I choose to detect credential dumping. For instance, how do I ensure that my approach to detecting credential dumping is as effective as possible, right? So that's like like focused on 1 specific goal. And making it as technically capable as possible but macro detectionomics is the thing that you're kind of talking about I think which is ah of all the different techniques that an attacker can can perform which ones basically provide me the biggest bang for my buck right? So like ah because. You know it's not a one for like technique for technique. It's not a 1 to one correlation. So like you're saying hey is it worth me solving the like access token manipulation problem where I see I can see like credential theft right? or I mean impersonation for instance or what if I could solve these other like 5 techniques.
58:15.21
Jonathan Johnson
Um, yeah.
58:27.48
Jonathan Johnson
No.
58:34.00
Jared Atkinson
If they give me some other piece of telemetry and like that is not an like from my perspective that is not an easy question to answer because there's like ah there's a question of frequency. So how frequently are those attack techniques used. There's a question of impact. So like how central to success are those attack techniques.
58:38.99
Jonathan Johnson
Um, yeah.
58:53.13
Jared Atkinson
How easy are those attack techniques to replace with some other attack technique that allows them to achieve the same result and like that's just off the top of my head so like that's way more complicated and then I think there's a I think there's a huge There's there's a huge threat and tell component conceptually I have questions about like what I see as implementation of threat and tell in a lot of cases but conceptually like what I envision intelligence to be in general I think there's a huge component of intelligence on the macro question There's also a relatively large. Influence of threat Intel on the micro question which is like you know, show me some examples of this technique being used so I could start to understand what it you know what? it looks like and what the variations might be and like challenge my assumptions but the the question of like the the macro question There's like I think threat Intel could be is the major. Player in making that decision personally.
59:44.92
Steve
Who is and for any given organization. You know is anyone in a good position to determine which techniques are more common.
59:57.30
Jared Atkinson
Yeah I I don't think so ah I'm I'm relatively ignorant on the topic. So I don't think so but I don't know either.
59:57.22
Jonathan Johnson
Thank you this as see this is like what I wish was out there. You know and no like this is like yeah the question. Yeah, that's like something I really wish was out there like the prevalence of a specific attack bath being used.
01:00:05.66
Steve
No, the answer is no.
01:00:12.90
Steve
Yes.
01:00:15.16
Jonathan Johnson
And so it's like the question becomes is like it's drum roll please Jared on the it is yeah drum roll please on os t and Marco chains give it to me Jared um, instead of a whole bunch of c two's being released and all these other things and I like I love. Um.
01:00:17.30
Jared Atkinson
Um, this is a markov chain question isn't it. Johnny.
01:00:31.97
Jonathan Johnson
Love tools being released because it helps me with research I would love to see write ups on attack pass. Why people use that attack path because I think ultimately that can be fed back into detection a lot easier because if that helps me choose the priority by which I want to start looking into detection opportunities. So if I know someone's going from. Um, if I'm hitting point a and then they have a fork in the row and they choose 2 options. They're more likely to choose point c instead of b I want to detect c before I check b because my thought is um, the whole premise behind like bloodhound is to identify the least resistance in terms of attack path to your goal. Um, if I can write a detection for almost two. Let's say there's 5 piece 5 steps and not attack by like all right detection for three great. They have the the attacker now has to move around my detection in theory. Which means that it's more likely for them to make a mistake and trigger another alert.
01:01:28.35
Jared Atkinson
You just you just got me on the so like one of the the ideas that I have is this base like on the the micro sense which again is where I spend all my time thinking the base condition which is like if I'm going to create a service. What must happen for every service that ever is created and like.
01:01:45.64
Jonathan Johnson
Yeah.
01:01:47.68
Jared Atkinson
For the case of services as far as I'm aware um the the base condition. The thing that must happen is a registry has to be created a registry key has must be created under the like hklm system sort sort current control set services path and that will happen every time um like a lot of a lot of telemetry is based around the Rpc. Um, interface or procedure being called, but that's that's not as that's not the base condition. It's one layer above and so the the question the thing that you're kind of introducing Johnny is this idea of what's the base condition to a successful. Ah overall attack from a macro sense which is like Bloodhound is 1 example of something that might be.
01:02:21.62
Jonathan Johnson
Yes.
01:02:27.92
Jared Atkinson
Illuminating that base condition which is like where is where is the choke point and if I could understand what like where the choke point is and what facilitates what would facilitate the success from the Attacker's perspective. So like what is the primitive that's being Used. It's like to be successful. Maybe a a. Service account is constantly logged onto a computer and a lot of people have access to that computer so they could assume that identity or whatever then now I can create a specifically focused macro kind of approach to solving that problem as well.
01:02:59.14
Jonathan Johnson
yeah absolutely I think um yeah I think the resistance to what an attacker has to do in order to be successful is truly like a key thing there. Um potentially and I think um. I I know like bloodhound is used from a red team perspective a lot but just not enough from a blue team least the majority of environments I've seen has an necessary use bloodhound from a blue perspective and because I think that could be funneled into the priority of detections creating like a wall and then like resisting and setting up group policies and different account changes to where. You're resisting the attacks and then goes back to Luke's phenomenal point of alerting on audit failures. Someone's trying to get into this account now I know someone's in my environment great and then insert you know I hate to use this term with all my might and soul but insert threat hunting but like. Um, that's the only word I can think of right now. Yeah.
01:03:56.34
Jared Atkinson
No boy I mean that's a completely different Pandora's box we could open if somebody's interested.
01:03:59.89
Steve
It You know I I've kind of grown more fond of this like enumerating attack path Stuff. You know, like mentioning bloodhounds and just like it right? and you talk about introducing friction. And the more you introduce friction in some cases. The attacker will just leave altogether right and they will go to a softer easier place. Um, yeah, but yeah in some cases like that that itself.
01:04:26.60
Jonathan Johnson
Laterally move into another box. Potentially.
01:04:36.48
Steve
Most people would not qualify that as threat intelligence but I think it could be I think it could be.
01:04:40.12
Jonathan Johnson
Um, yeah, oh yeah, that's a good point.
01:04:40.18
Jared Atkinson
Oh yeah, okay, okay, yeah, so like I think there's ah again, ignorant, right? So you know threat intelligence people if you're listening. Don't get pissed off at me. But there there has to be like a hierarchy of threat intelligence context right? So there's like. Global context which is like Twitter right? So like you just see stuff right? then and maybe maybe like the global knowledge base of previous attacks that are public. That's like kind of the or maybe shared within some sort of threat group that's like global then there's like maybe like you have fssisac which is like ah industry vertical. Like you could maybe draw some different conclusions if you focus on the industry specifically then there's like corporate risk acceptance and corporate business. Um, like like if you're you know a company x. You may do things a certain way and that creates some amount of risk. And then there's even like ah which I hadn't previously considered and you're kind of introducing this as like a technical threat intelligence approach which is like a layer below the business. The line of business type level of threat intelligence which would be so it's like yeah like I don't there's there's some degree to where I don't even need to know what the business. Does if I look at the network I could evaluate what what the risk is right? But yeah, fair enough. Yeah, got to watch out. Yep, which in in that case, then you know I guess.
01:05:57.19
Steve
Yeah, well the risk is always ransomware right? It doesn't matter what industry you are in like if you have a computer you better, watch out.
01:05:59.94
Jonathan Johnson
Um, yeah, yeah.
01:06:14.76
Jared Atkinson
The only thing that really matters is the technical level of analysis to some degree that ah like the attack path level I guess we could call it.
01:06:17.11
Jonathan Johnson
Um, yeah.
01:06:20.64
Steve
Yeah, maybe maybe you know I'm in favor of calling like you know things that are derived from like real breach examples. You know those have their own spectrum of like threat intelligence whether that's Atomic indicators or. Tradecraft or um or more strategic things like targeting Yada Yada Yada but like attack path stuff you know because that's based on techniques. Um, you know, maybe it's not quote Threat Intel Maybe it's more different type of you know, security insight or.
01:06:56.93
Jonathan Johnson
I think that's like a mixture of like threatened tell plus a little research you know all splash together. Yeah Jared do you have fancy words but what's a good word for that.
01:06:59.12
Steve
Or a different. Yeah yeah detection Intel I don't know right? We make up new words for things.
01:07:08.26
Jared Atkinson
Yeah I don't I don't know man. But yeah, it's It's certainly like it's certainly valuable to the same problem that threat intelligence should be trying to solve. Yeah and like I mean if you for instance just using bloodhound as an example and obviously this is a little hyperbolic because I don't know that it's practical.
01:07:17.70
Jonathan Johnson
Um, yeah.
01:07:27.84
Jared Atkinson
Ah, it's practical to implement it this way. But in theory you could use bloodhound to evaluate the entire concept of where where ransomware would be able to spread and you can in Theory shut it down completely if you just focused on that. But then you might not it might not be usable. Obviously like your network might not be usable if you did that? Um, but it is.
01:07:40.29
Jonathan Johnson
Um, yeah.
01:07:47.75
Jared Atkinson
Like in theory possible I suppose Yeah I don't know it's It's certainly interesting and how that how that could be used. But I think we don't use that information to make those macro level decisions enough.
01:08:02.35
Jonathan Johnson
Yeah I think it's interesting too because we talk about this and like the reality is like although it seems like a conceptually like ah, a fairly easy problem to solve I think there's a lot of practice that goes behind it. Um from ah like a actual impact. Impactful or like fundamental perspective in the sense of okay we have to pull all this data somehow from all the quote unquote attacks that we have alerted on in the past x amount of years and then we have to do analysis on that and start to group everything together. Um the question becomes is like. And this is like this is general just generally a problem with cyber in general like we're on our understanding of attacks are limited by what we have caught like that. That's where I think like research particular comes in and we start to uncover different things in different. Um. Ah, like abilities out there. Like for example, I was playing around on my computer last night and I saw that there's a native binary sitting on windows called gather network info dot vbs and I'm like dear god what is this and I run it and then it just pulls a group policy info network info the whole nine s and I'm like. This is potentially another recon opportunity that attackers could use um and so like that's the lucky wins I mean that's a very minimal win right? But that's a lucky wins that comes out of research every once in a while. Um, but when it comes to like the whole mark of chains and prevalence with attack path. I think the same thing could be said potentially as I said with data about optimizing data as optimizing our processes on each layer of the funnel because I don't know if most organizations could handle that type of operation yet because either they're not doing. Detection well yet or triage. Well yet investigation. Well I r well etc. Even if they're outsourcing it potentially um, so maybe the first step is let's optimize those processes before moving on to the more advanced problems. Um like the prevalence attack path.
01:10:14.21
Jared Atkinson
I Think at the very least there's um, there's an aspect of a lot of organizations could just use intuition to determine what they should be looking at right? like you if you pay attention at all, you probably have.
01:10:15.10
Jonathan Johnson
Peace.
01:10:24.52
Jonathan Johnson
Um, yeah.
01:10:30.55
Jared Atkinson
5 or 10 different attack techniques that you are pretty certain are used frequently that you you should be addressing before like there's a analysis paralysis aspect of like trying to have a perfect like technique selection process and it's like yeah sometimes it's just better to do something than do nothing I guess. And wait for a perfect solution.
01:10:51.10
Jonathan Johnson
Yeah Analysis Paralysis interrupt start go ahead.
01:10:53.51
Steve
Yeah I mean if you got it, you're right you you're kind of like your you're an organization. You've got event logs you probably naturally start to think of things you can pick up with event logs right? And you you might pick those first just because they're.
01:11:06.67
Jonathan Johnson
Yeah.
01:11:11.68
Steve
You think that they're the easiest to get to even.
01:11:12.59
Jared Atkinson
Well, they have the minimal they have minimal friction right? because um, getting additional data is not a simple like in many organizations, not a simple process right? like so you you may have to purchase an edr or like. And then get it deployed which is also not necessarily simple for some organizations and so it's like yeah like the the least friction is going to come from using the things that you already have whether or not. It's the best. The best solution is maybe besides the point to some degree.
01:11:42.25
Jonathan Johnson
I Think yeah I think it's interesting because you think about it and this is probably a pretty well Num but between most people but like I feel like red team is their job is to create the most resistance for blue teamers and the Analyst's job is to create the most resistance for red teamers. But that also like leads me to the point of.
01:11:42.26
Steve
Right.
01:12:00.82
Jonathan Johnson
When it comes to red all right here's my controversial conversation. How valuable is red teaming and what I mean by that is like I'm not saying it's not valuable. My question is how do we objectively? um, put a value number or list on red teaming and what is providing to a certain environment. I'm pretty abstracted from this process I mean previously like I was working with red teamers at specter. But I mean I'm pretty abstracted from red teamers in general now being at Red Canary. Um, so like my question is like when because ultimately red teamers should be feeding like however the report is should be as robust as possible to feedback into the detection process. Or even the collection process so that the um, the sock can do their job better. Um, But how do we quantify that right.
01:12:45.87
Jared Atkinson
I Think there's um, it it depends on what you mean by red teaming. Ah but from my perspective like there's a a training element of red teaming which is um, let me create a scenario that you don't see on a regular basis so that you can.
01:12:50.53
Jonathan Johnson
Um, it depends. Um.
01:13:05.16
Jared Atkinson
Basically execute your response to it and evaluate whether or not that response achieves the objective that you want so like maybe you have some process for rolling your your Krbtgt account Password and like nobody like you conceptually you've written down what it is nobody's ever done it and so like you probably you might want some like. Some activity to occur that forces that to to happen in like ah in a you know, contrived example and then like you might also want the feedback of does our procedure actually like stop the golden ticket from being useful in the future right? Which like unless you test that you shouldn't assume that that.
01:13:38.12
Jonathan Johnson
Um, yeah.
01:13:43.25
Jared Atkinson
It works the way that you think it does just because somebody wrote a blog post doesn't mean that that person tested it either. Um, so that's 1 aspect and we'll put that to the side for now I guess but then the like the other aspect and I think it's probably more complicated than this but I used to have like 4 things that I thought red teaming was good for and then I took like a month off work for ah for delayed paternity leave and i. Now forgotten what those were and can't find my notes on it. But I think there's I think there's like ah yeah, I'm at 1 I'm at 1 there's like ah ah, a quality like it's quality control right? and so it's like when you do a full scope ah like no notice red team what you're evaluating is does the aggregate of my process.
01:14:03.50
Jonathan Johnson
so so Jared's now at 0 now just play.
01:14:22.10
Jared Atkinson
Work the way that I expect it to if if we are hacked will I know about it and be able to stop it and like the problem is is that when you do a full scope. That's that's the level of detail that you can derive from it which is potentially not super valuable like it might not be valuable to every. Every customer right? because ah, that's a pretty broad perspective and it's hard to really derive. Okay, we didn't detect it like that's that's a common result is we didn't detect it. But if you're focused broadly. It's very difficult to say we didn't detect it because of x right? It's hard to go back to the like. Reason why you where you felled the place where you fell or the place is where you felled and so a lot of times I like to think about ah providing some sort of like red team interaction like adversary emulation such and such at the different levels of different phases of the funnel right? So there's like a you know. detection like we wrote a detection detect credential dumping. Is it possible to dump credentials and not be detected by that by that detection detection rule that would be like 1 level of red teaming quote unquote that would be more so more precise right? So you're you're narrowing the focus and like when that if that fails like if you fail to detect that. You now have a better idea of where the failure occurred but you could also do that in like ah a triage scenario right? So like hey we know that we're going to detect this because like we're going to contrive like make it so contrived that we know that an alert is going to be raised but is our sock analyst or our mssp going to actually process and triage that. Appropriately and then escalate it right? and then if that fails we know the problem occurred right there because that's like we contrived we made it contrived enough to where there's only 1 place where it could fail. Go ahead. Johnny.
01:16:07.10
Jonathan Johnson
Um, yeah I'm curious you guys just thoughts on this like I'm curious if the quality of red team could be tied to the same constraints as the funnel so in the sense of like a red team happens. Did we collect the data.
01:16:24.79
Jared Atkinson
Um, yeah I think you? yeah I think you I think you see that? Well yeah, so you have the by like the different bypasses. You have a blog post about which is like ah a bypasses in a bypasses in a bypass right? There's there's.
01:16:24.88
Jonathan Johnson
Yes, or no move on to the next piece did it bypass this bypass like I hate I hate that that's another Pandora Box Pandora's box right? Yeah yeah.
01:16:42.40
Jared Atkinson
Different levels of analysis of bypasses which inform you if you if you just think of it as a generic bypass you have no solution right? like you have no way to come up with a solution because you have to like was the problem that that our detection didn't fire or was the problem that we are just too slow in executing the funnel.
01:16:47.74
Jonathan Johnson
Yeah.
01:16:57.67
Jonathan Johnson
Um, yep, yeah.
01:16:59.91
Jared Atkinson
Remediation because like the solution for those is radically different right? So you you must be able to diagnose where the where the problem occurred but like yeah so you could you could do it I think in a way to where you literally break it up and say we're just going to test this portion and that's a little bit more consumable I think.
01:17:06.60
Jonathan Johnson
Um, yeah.
01:17:13.26
Jonathan Johnson
Um e.
01:17:17.15
Jared Atkinson
Um, and you could also make it contrived enough to where you guarantee to get the training objective that or like the testing objective that you that you're after or you could do it to where you do the whole thing but you evaluate it at each phase and I think you see that in like the miter attack evals to some degree to where they say like hey this.
01:17:25.54
Jonathan Johnson
Um, yeah.
01:17:34.60
Jared Atkinson
This was detected but it was detected in the sense that ah an event was generated which was related to this or a detection an alert fired related to this or like a prevention occurred right? So like they they're ah I don't know that I agree with like the language that they use because I don't know that there's like ah like a ah, whatever. Whatever the terminology for like a proper language for describing and differentiating between those would be but um, they they're at least identifying like hey there's there's a difference in success right? So a prevention is counted is measured differently than like generating an event which would. Kind of what you're talking about I think Johnny that's of course looking at the edr and not the process I guess so it's slightly different.
01:18:12.60
Jonathan Johnson
Um, yeah. Yeah, I'm thinking well I think yeah I think could be done both ways potentially like quality control like if you hit like the triage investigation phase and it's like hey we did x you you quote unquote alerted at it but the process you went. Um. To actually classify this was malicious or benign was a either too slow or wrong. Um, and so like how do we? How do we utilize as a teaching moment. What do you do you have any thoughts on that Steve.
01:18:44.50
Steve
I'm enormously underqualified really to talk about red team red teaming in general um with that out of the way here's all my ideas. Um, but you know I think.
01:18:50.35
Jared Atkinson
So with that out of the way tell us what you think? yeah.
01:18:52.43
Jonathan Johnson
Um.
01:19:01.28
Steve
There's a lot of different and this is dumb because it's not really about detection at all. But I think there's a lot of different types of buyers for red teams most of the time and I'm only thinking of the full scope red teaming like do an intrusion and get some stuff and.
01:19:11.53
Jared Atkinson
Sure sure I I think ah to be fair I Think that's what I think that's what the market thinks about as well. Yeah.
01:19:20.49
Steve
Yeah, well I think a lot of times this is something that is served up to already very you know organizations that invest a lot in security and they already have a lot of maturity. They already have. They have their own funnels right? and they have a funnel and they have layers at every step of the funnel and I think people want to know right at every step how many dots do I have how do we reduce it how long did it take the red team like how many weeks do I have.
01:19:40.52
Jonathan Johnson
Um, me.
01:19:57.42
Steve
To Get to that point where we find where we find them and I don't know I think it's a useful exercise for people and I think it's a lot.. It's about a lot more than detection. But if detection starts at that collection area. Um, that's where detection engineering comes In. We have to say Like. What can we do to give those other teams and those other consumers the right types of data so that they can do their thing. How do we feed that funnel in the right way and maybe the answer is we don't because we did a good job or maybe the red team gets in and.
01:20:22.23
Jonathan Johnson
Um, yeah.
01:20:34.85
Steve
And and does their thing and like just absolutely owns the whole process and as long as you can have some evidence of it and as long as your business can operate successfully throughout it. Maybe the Ceo says that's great. We did our thing. We got a pretty good process. We actually don't need any changes at all and we're not going to give you that money you want for extra network network sensors and so I think it's kind of a crapshoot. You know.
01:20:59.53
Jonathan Johnson
Yeah.
01:21:02.93
Jared Atkinson
I think there's an interesting aspect of one of the things so like at spectroops I'm kind of like or I've been in charge of the like How do we make sure that the services that we provide are technically valuable or like technically good for the customer that we're providing them for. And then there's like the service delivery side which is kind of like how do I make sure that when we deliver that service. The customer's happy right? I think those those like in any business those 2 things have a natural tension because it's like is like the customer's happiness is not actually necessarily tied to ah like. Efficacious performance right? And so like ah there there's this weird kind of thing to where um yeah, just like when you do a red team. The output could be oh yeah, the customer loved the red team. But that doesn't and this this is true outside of red teams I think as well. But that doesn't mean that like the red team was valuable for them right. And like 1 of the things that I try to that I'm exploring conceptually like is how can you create red team offerings and maybe it's not red team in the traditional sense right? but some sort of like adversary induced offering that ah that actually provides a practical. Benefit. That's that's digestible I think the key is digestible for the for the consumer. Yeah.
01:22:23.90
Steve
Yeah, Well this is where I Really love this concept of like purple teaming like yo we got Hunters. We got a sock. We got instant responders we got detection engineers like let's have a scrimmage where both where people are working on both sides like attack and defense. And like let's just walk through this process like let's get reps in when it's not that when it's less stressful and in it's like very like it's much more real than just a simulation right.
01:22:54.78
Jared Atkinson
Yeah, maybe what I'm describing as purple teaming but ah maybe even less abstracted than that because like ah purple teaming still sounds more like ah what you described Anyway, sounds more like a full scope thing and I still think that there's value in ah caging the exercise to a specific component.
01:23:00.59
Jonathan Johnson
Um.
01:23:14.74
Jared Atkinson
So that you could evaluate it obviously it becomes more expensive as you reduce the scope because then you have to stack it in order to in order to cover have coverage. But I think there's more bang for your buck potentially in that in that arena so. It's a interesting thing to kind of explore I think. Cool I think we're getting towards the end of our time Steve we really appreciate you. It was a great. This was actually a really really awesome conversation. I had a good time. Um I wanted to give you some time to maybe share any partying thoughts. Maybe you have something with your with your business that you want to share or just. Some I don't know random thoughts. Maybe tell us a hobby of yours or I don't know whatever you want to you get you? You have some you have some time just to talk I'm terrible at war zone but I have good partners so I get lots of dubs more than Johnny and Luke. So.
01:23:56.31
Jonathan Johnson
How good you are at War zone.
01:23:58.10
Steve
Ah, yeah, I'm not good at War zone.
01:24:04.54
Steve
Well, you know? no I think the detection conversations are really good and you know I definitely appreciate coming on because I think a lot of people are kind of thinking about it and just noodling on on ways to just. Advance just how we all think about detection and I think it's cool. We all have slightly different approaches and a little bit of the different languages in terms of how we describe these things but I think like for everybody who's interested in detection digging into that problem. Where we say detection is is a multistage thing. It's not a fault right? that whole like that funnel of opportunity the detections across a spectrum of specificity and then when it's within ah, an active like defense process. There's like fps and fns at all these little steps along the way and I just think that is such a that is such a shift from like the last decade of thinking on detection and the world's not there yet, right? and like that's this is a hard conversation like it's easy for ah for us to have because we have.
01:25:06.71
Jared Atkinson
Yeah, yeah.
01:25:15.69
Steve
Words and the experience to talk about this but a lot of people are just not there. Um, and so like we have this huge challenge to bring it bring it to the people in ways that are digestible and understandable and offers them like tangible help like it's. Like it's great to think big ideas and mental models and all that but like we actually have to frame it in a way that it really helps organizations like do something you know and I think this is a part of it I think this is a part of it and I know I think it's sweet.
01:25:40.13
Jared Atkinson
Yeah, for sure you you mentioned something to me about how you you're interested in trying to like get some people together to start putting ah like because you said we all have divert like semi divergent opinion like you and I actually have I think fairly similar. Thoughts on the overall approach. But maybe we don't use the exact same language in some cases we use very similar language in a vacuum which is pretty interesting that makes me feel good personally. But um, like there there should There is an opportunity I think to get some people together and actually start working through.
01:26:04.70
Steve
Yeah.
01:26:17.59
Jared Atkinson
Kind of like a community opinion because like ah we have community tooling Community data sets that type of stuff but we we don't really have like at least I'm not aware of like a community approach to the overall vision for how a detection and response program should function and I think that.
01:26:34.10
Jonathan Johnson
Um, yeah.
01:26:37.50
Jared Atkinson
That could be something that is really interesting to pursue in the long run.
01:26:39.48
Steve
Yeah I know it would be fun to you know we all have our own blogs and our own research we do our own presentations I think it's worthwhile to get ah you know folks who are interested in detection in you know, writing together and like coming up with with.
01:26:53.27
Jonathan Johnson
I agree.
01:26:57.73
Steve
You know things that kind of transcend a lot of technologies and organizations because I think it's easy to get kind of stuck in. You know the way you learned things and the kind of lenses through which you see the world right? And as much as we love to tweet like is hard to tweet meaningful stuff. It's mostly vapid trash right.
01:27:12.10
Jonathan Johnson
Yeah.
01:27:13.49
Jared Atkinson
Um, yep.
01:27:16.68
Steve
So like let's let's try to let's try to write something man. Let's put together a blog or a website or a ah an ebook I don't know.
01:27:17.97
Jared Atkinson
Um, yeah, yeah, and like ah, an interesting thing is like ah it's it's cool to develop these things on your own but it's also great to get constructive feedback from people that you know are at least putting ah some amount of thought into.
01:27:22.30
Jonathan Johnson
Um, yeah.
01:27:37.66
Jared Atkinson
Like the feedback and not just trying to dismiss. Whatever whatever it is right.
01:27:39.15
Jonathan Johnson
Yeah I think it's perspective too right? like um like again like our perspective is limited to what we see on a day-to-day basis. Um, and so the more that we interact with others that see different things the more our perception or perspective expands. Um I Think that's where we can actually start to move the needle forward. In the community um is start to expand that perspective not limit our eyes and try to put stuff out like I love collaborating with people because I think that's where the true value comes because again perspective and exposure.
01:28:13.57
Jared Atkinson
Yeah, for sure, cool all righty. Thanks gentlemen great conversation. Steve thank you for joining us. We appreciate it and until next time thanks to everybody for listening. Hopefully you made it all the way through.
