[00:00:08] All right, hey folks, Ryan here with the CactusCon crew once again, and with the Veyox, and we have Bear of Berlin. Hello fellows, thank you for joining, appreciate it.

[00:00:21] Thank you for having us.

[00:00:24] Classic overlapping with multiple speakers, gotta love it. All right, we're about to get into a Q&A further session, but first let's throw a giveaway your way. We have the Amazon, the $50 Amazon gift card sponsored by Digital Shadows, so we're gonna go ahead and just give that sucker away right now. Let's do it, and survey says... boom. All right, "null crisis" is the way I'm gonna go ahead and pronounce that. Congratulations, and thank you again very much to the Digital Shadows crew. Destined at all... unless you didn't want me to say your name, in which case, too late. So thanks very much, that's awesome. I don't know about the rest of folks, but I like money. So, good stuff. We have a whole bunch of discussion going on in the channel, and there's a lot of really good things to dig into. Also, as we were discussing off air, there are a number of lead-ins essentially from the previous talk, so it's just kind of like, hey, malware analysis and triage stuff, and then, oh hey, look at this. So I think that worked out really well. If our team did it by design, awesome; if not, well, let's pretend we did. So before we go any further and do the actual questions, anything that you fellows want to throw out there, bring up now?

[00:01:50] Oh sure, thank you. Just thank you, thank you everyone. Thanks for, everyone, there's been a lot of good conversation in the chat, so that's great to see. Jonas?

[00:02:01] Yeah, absolutely. No, I mean, I'm just really happy that there's a discussion going on. There's some great stuff going on right now around, you know, when do indicators... when do we share them. I think for the Veyox and I, we kind of looked at this from a perspective of, okay, if you get an incident at your company or something and it's relatively, you know, new, that's when you're really going to be looking from the opsec perspective of let's not divulge that we're looking at this publicly to the attacker necessarily; let's wait a while for that information to be published. So I thought that was interesting, to give our take on that. I saw another comment about staged versus stageless that I just want to go into. So a staged payload would be something where the initial shellcode is just going to be reaching out and grabbing the rest of the payload code and then executing that on the system, so it's a much smaller shellcode that actually needs to be executed; it's going to fit into memory buffers a lot easier, right. The stageless is going to have kind of like your whole pack; it's going to bring all the tools with you, but again it's going to take a lot more memory space, so, you know, in certain cases it's not going to fit into a vulnerability that you want to exploit. That's where the staged obviously comes into play.

[00:03:26] Awesome, cool, thank you for addressing those bad boys. Let's see, do we want to tap on public versus private sandboxing in general, or was that already kind of the general... Let me actually flip that around a little bit. So the whole conversation, for folks who weren't following along in the talk discussion, I believe primarily was about indicator management essentially, which kind of dovetailed into, like, well okay, when do you age out an indicator? All right, there really is no quote-unquote right answer on that. I'm sure the three of us now, all malware folks, would have different responses, different, you know, whatever. And there's some folks who, you know, some of us know very well in the chat, who are like, "do it this way," and, you know, it's just been a common thing. So let's look at it this way: are there any private sandboxes that you believe would work better as a public sandbox? Any kind of, just, you know, a thought process of like, well, this is something we normally use privately, but if this were something that could be public, slash maybe crowdsourced or what have you, would that potentially change things? Just trying to think of a question you wouldn't normally think of.

[00:04:33] I'll take that, because it's something that I've thought about a lot recently, especially around phishing. I think it'd be really interesting if there were more crowdsourced responses to phishing sandboxing, right, because there are, you know, multiple different actors that are going to be attacking different orgs; some of it's cross-organizational. It'd be great to kind of get more of a community focus. I mean, there's some... you know, there's another thing that I'd like to see, which is crowdsourcing fake login pages. I think urlscan has a little bit of this that I've seen that I like, where over time it'll identify, you know, like a fake Microsoft login page on a non-Microsoft domain, or it'll flag it as like, hey, potentially, you know, a fake login page. It'd be cool, you know, maybe using those kinds of sources and getting that more crowdsourced, instead of, you know, only for your orgs. I think a lot of people can benefit, a lot of organizations can benefit from that information.

[00:05:32] Absolutely, and just to piggyback on that a little bit, and as someone points out in the chat here, checking hashes is one thing, but I think more of what I had in mind was like submitting the actual binaries themselves to a public sandbox, because you never know, that might be the first time that that binary is submitted to that sandbox, and you never know, threat actors, you know, what they might be monitoring. So that's where that opsec piece is important.

[00:06:06] The very first EDR, enterprise detection response for folks who aren't familiar with the term, that I ever used, and that we used at a particular location that I will not disclose, let alone the name of the EDR: its default setting was that any binary it was analyzing was to be uploaded to VirusTotal.

[00:06:30] What? Yeah, that was my next point, the automated piece, right. I mean, I think that's the other portion of, like, where is the uploading of evidence coming from? If it's a manual thing, well then you have the analyst discretion, right; you can kind of tune it around the situation, have situational awareness. If you're automating, for instance, sending all of your artifacts, you run into issues. What if there is PII? What if there's any sort of company information in those artifacts that the attacker put in, right? There's reasons why you would want to kind of stop-gap and not say let's just upload everything regardless, you know. There's some discretion I think that's definitely useful.

[00:07:12] So, thought about this. This is something that's bothered me for a while now. I have not yet personally heard of it occurring even a single time, but I'm just waiting: someone's private TIP, threat intelligence platform, is breached, is stolen, is accessed, whatever. Imagine, whether it's a local CRITs instance or, you know, a lot of folks are moving over to MISP, government, these are still in CRITs. What if all of a sudden someone's like, "ah hey, I grabbed it, you know, I have their MISP," and people were like, "yo, why now? yo, what up," right? How many of those indicators that you consider solely private are all of a sudden not private, and how do you handle that? I don't think we have time for that discussion, but yeah, that's how I see it, you know.

[00:07:58] Yeah, imagine they're like, "oh no, our ThreatConnect account is private." "Not anymore." It's like, "actually it's public now." Yeah, whoops. Is that ever gonna stay private forever? Like, that's, you know, probably that idea is... probably we should get away from thinking of that. You know, there's a time and place for private, but I think it should have kind of like, when it runs out, which... have some sort of a date where we're like, okay, let's divulge this, let's open this up to the community, for sure. Or, and again, there are private intel sharing communities already with different, you know, there's TLP, there's all these protocols for sharing intel specifically, you know, and with regards to kind of these concerns around confidentiality and stuff like that.

[00:08:45] Trust groups, yep. I find the problem with trust groups is that the trust group itself grows, and then too many people are allowed to bring folks in, and then your trust group of, you know, 80 highly skilled, all like you're on the same page, you know, when there's 500 people all of a sudden no one wants to share information. You know, there are a couple big names, still not big enough to mention, you know, and I'm not supposed to mention the trust group name, that some folks are aware of, like, "oh yeah, that died, no one was gonna do that anymore." Then you got that problem. Oh, let's see here. Oh, I love the fact that you brought up the phishing indicators. Many times phishing threats these days are based on credential harvesting versus actual binaries, and then the credential harvesting stuff oftentimes will just get lost. So like you mentioned, urlscan is great, sites like VirusTotal where you can just put the domain in, you know. You have to be very careful with all the opsec: you take a phishing URL and you put it into the search, not the URL but the search, in VirusTotal, and what is the default thing that it does if it's not currently in the database right now? It auto-analyzes it for you. It didn't used to do that; it used to say, "oh, we don't have that one," but now it searches it and you're like, "that's cute, thank you." So a lot of potential hurdles in our way to deal with all these indicators.

[00:10:09] So I'll go ahead and bring it up. We only have three or four minutes for continued discussion, so keep that in mind, but the overall concept of indicator management or aging out indicators, any general thoughts on that that you wanna make in such a limited amount of time?

[00:10:30] I'll start off and just say it's a challenge, and I don't know if there's a right answer. I would argue that there isn't a right answer. How many times have you seen something from a year ago creep up again? Now it might be slightly different; I mean, the hash might not be exactly the same, but maybe some of the infrastructure behind it is partly the same. Like, it's a great discussion, and I would love to see maybe like a panel discussion on that or something; that would be a great topic to talk about.

[00:11:05] We have a couple folks in the chat who are discussing, who, the very concept, who would make a great panel on that. In fact, one of the fellows brought up, I won't throw his name out, not sure he wants his name out there, but in the discussion at the very least, was talking about the fact that your threat intelligence platforms may not be built to support a gratuitous number of indicators. So if you are like me, I'm the old-school style personally: I want to hoard them all, and I want them always, and I just want to know, like, I want the dates to be associated, but I want them. And he's like, okay, that's cute, right; you try to generate x number of, a graph or whatever, over, you know, Ryan's 17 billion indicators, and you're like, cool story. So that also has to, you know, come into play, like okay, what do you not just maintain and keep but also analyze over when you're trying to correlate? Can your systems even do that when it gets to a certain scale? So that was a really good conversation in the chat. Thank you fellas very, very much for your presentation. I'm such a malware guy myself, so I was like, yeah, I loved it. Hopefully folks who have never seen that type of analysis, and especially folks who just aren't very familiar with reverse engineering or malware analysis, seeing the previous and this talk together are like, okay, maybe that's something I want to start playing around with, you know. So I think that would make a good impact, both of those, especially going one after the other. All right.

[00:12:29] Thank you, thank you, thanks everyone, and we'll be around for questions and stuff, so don't hesitate to reach out. Thanks so much everyone.

[00:12:41] Yeah, absolutely. All right, we're going to throw a new giveaway. This is going to be the last giveaway of the day as we move into the final talk hour of the day, and this is going to be another set of Ted Demopoulos signed Infosec Rock Star books, so we're going to give out two of these bad boys. So I'm going to go ahead and go into the room now, and we're going to make that guy right there, and there we go, so you should see that, there we go. Everyone head on over to the giveaway section and throw your thumbs up; we'll be giving two of those out at the final Q&A after the upcoming talk, and for now we're going to sign off. So again, thank you fellas very much.

[00:13:21] Thank you, cheers, thank you, see everyone.