
1
00:00:00,000 –> 00:00:05,880
Dear congregation, most of us skim alerts and miss the one report that actually closes doors.
2
00:00:05,880 –> 00:00:12,600
We glance, we nod, we move on, and the adversary keeps walking our halls.
3
00:00:12,600 –> 00:00:15,440
Your threat analytics isn’t useless.
4
00:00:15,440 –> 00:00:17,360
It’s unused.
5
00:00:17,360 –> 00:00:21,160
That neglect keeps dwell time long and incidents recurring.
6
00:00:21,160 –> 00:00:23,000
Here’s what actually matters.
7
00:00:23,000 –> 00:00:25,080
We read the reports like orders.
8
00:00:25,080 –> 00:00:28,240
We tie them to incidents and secure score.
9
00:00:28,240 –> 00:00:29,640
And we act today.
10
00:00:29,640 –> 00:00:36,000
We’ll expose the blind spots, show the path, and give you measures to reduce time to detect
11
00:00:36,000 –> 00:00:38,640
and close attack paths.
12
00:00:38,640 –> 00:00:41,440
Hold one pattern in your heart as we walk.
13
00:00:41,440 –> 00:00:45,640
Read, test, act, verify.
14
00:00:45,640 –> 00:00:52,320
What threat analytics really is and isn’t. Beloved brothers and sisters in the cloud,
15
00:00:52,320 –> 00:00:57,360
let us define the sanctuary before we pray within it.
16
00:00:57,360 –> 00:01:04,480
Threat analytics is in-product research, written by Microsoft’s own security researchers.
17
00:01:04,480 –> 00:01:07,680
It brings global signal but speaks in our tenant’s language.
18
00:01:07,680 –> 00:01:14,320
It maps to MITRE ATT&CK so we see tactics, techniques, and procedures with clarity.
19
00:01:14,320 –> 00:01:18,360
It names indicators of compromise so we can hunt.
20
00:01:18,360 –> 00:01:22,600
And it offers recommendations that become deeds not decorations.
21
00:01:22,600 –> 00:01:26,480
Here’s what actually happens when we open a report with reverence: we see the overview.
22
00:01:26,480 –> 00:01:30,800
A plain account of the actor, the campaign, or the technique.
23
00:01:30,800 –> 00:01:32,840
Then we descend into technical analysis.
24
00:01:32,840 –> 00:01:36,960
We meet the TTPs, we meet the tools, we meet the paths they favor.
25
00:01:36,960 –> 00:01:38,640
The narrative is not a headline.
26
00:01:38,640 –> 00:01:40,160
It is a map.
27
00:01:40,160 –> 00:01:41,880
But here’s where it gets interesting.
28
00:01:41,880 –> 00:01:43,400
The report is not just story.
29
00:01:43,400 –> 00:01:45,280
It is context stitched to our house.
30
00:01:45,280 –> 00:01:46,600
It checks our exposure.
31
00:01:46,600 –> 00:01:49,480
It tells us if the pattern is present here.
32
00:01:49,480 –> 00:01:54,000
It surfaces device and account evidence when Defender has seen kindred behavior.
33
00:01:54,000 –> 00:01:57,680
This is wisdom joined to community.
34
00:01:57,680 –> 00:02:01,280
Now the covenant: read, test, act, verify.
35
00:02:01,280 –> 00:02:02,880
This is our weekly liturgy.
36
00:02:02,880 –> 00:02:07,600
We read the overview and the MITRE section to understand intent and method.
37
00:02:07,600 –> 00:02:11,880
We test by pulling IOCs and TTPs into hunting.
38
00:02:11,880 –> 00:02:17,680
We act by converting recommendations into secure score actions and incident tasks.
39
00:02:17,680 –> 00:02:23,960
We verify by rerunning queries and checking exposure status until the shield holds.
40
00:02:23,960 –> 00:02:29,040
Four words, strong vows. Who writes it matters.
41
00:02:29,040 –> 00:02:32,920
Microsoft researchers sit with global telemetry and live incidents.
42
00:02:32,920 –> 00:02:35,480
They see what breaks, they see what holds.
43
00:02:35,480 –> 00:02:37,680
Their prioritization is not guesswork.
44
00:02:37,680 –> 00:02:39,040
It is battle testimony.
45
00:02:39,040 –> 00:02:44,840
So when a recommendation is listed, we treat it as an order bound to a control, not as
46
00:02:44,840 –> 00:02:47,280
advice, as duty.
47
00:02:47,280 –> 00:02:52,520
And yet threat analytics is not a newsfeed, not a CVE dump, not a substitute for incidents
48
00:02:52,520 –> 00:02:55,680
or secure score; it is the thread that ties them.
49
00:02:55,680 –> 00:03:02,200
The report tells the story and the techniques, incidents hold the evidence and the scope.
50
00:03:02,200 –> 00:03:05,240
Secure score names the controls and the gaps.
51
00:03:05,240 –> 00:03:08,640
Together they form a single hymn of defense.
52
00:03:08,640 –> 00:03:11,720
Most people think the overview is the point.
53
00:03:11,720 –> 00:03:14,080
But the real secret sits lower.
54
00:03:14,080 –> 00:03:17,120
Two sections change our work today.
55
00:03:17,120 –> 00:03:22,600
First, the MITRE mapping, where techniques are named in plain code we can chase.
56
00:03:22,600 –> 00:03:27,040
Second, the organization-specific exposure and protections view.
57
00:03:27,040 –> 00:03:31,280
That quiet panel asks, is this present here?
58
00:03:31,280 –> 00:03:35,960
Are protections enabled here? That is the section most skip. That is the missed door we
59
00:03:35,960 –> 00:03:37,800
were meant to close.
60
00:03:37,800 –> 00:03:40,200
Let me show you the cadence we keep.
61
00:03:40,200 –> 00:03:46,080
We select an active report tied to an actor, a campaign or a widespread technique.
62
00:03:46,080 –> 00:03:51,040
We read top to bottom, but we pause at MITRE: we list the techniques, we list the artifacts,
63
00:03:51,040 –> 00:03:56,320
we carry those into hunting across the last 14 to 30 days, we join what we find to open
64
00:03:56,320 –> 00:04:01,520
incidents, we enrich those incidents with actor context from the report so the triage
65
00:04:01,520 –> 00:04:08,320
tells truth, then we take each recommendation and bind it to a secure score action and owner
66
00:04:08,320 –> 00:04:10,400
and a deadline.
67
00:04:10,400 –> 00:04:13,800
Now this is important because time is our enemy.
68
00:04:13,800 –> 00:04:19,280
Threat analytics shortens time to detect when we treat its guidance as a playbook.
69
00:04:19,280 –> 00:04:22,880
It closes attack paths when we translate narrative to control.
70
00:04:22,880 –> 00:04:25,880
It teaches our teams a shared language.
71
00:04:25,880 –> 00:04:31,320
Technique to query, query to incident, incident to control, control to verification.
72
00:04:31,320 –> 00:04:34,920
That circle is the covenant, but remember this truth.
73
00:04:34,920 –> 00:04:37,000
The report will not walk for us.
74
00:04:37,000 –> 00:04:41,240
It will point, it will warn, it will measure, we must move.
75
00:04:41,240 –> 00:04:46,200
So when we open threat analytics this week we do not skim, we do not copy and file, we
76
00:04:46,200 –> 00:04:54,000
read, we test, we act, we verify and we return like faithful stewards to check the doors
77
00:04:54,000 –> 00:04:55,560
we have shut.
78
00:04:55,560 –> 00:05:00,800
The three oversights that make it useless, dear congregation.
79
00:05:00,800 –> 00:05:06,800
Let us confess the three oversights that turn a living report into a quiet newsletter.
80
00:05:06,800 –> 00:05:11,160
We do not confess to wallow, we confess to change.
81
00:05:11,160 –> 00:05:17,000
Oversight one: we skim the overview and skip the MITRE mapping and affected exposure.
82
00:05:17,000 –> 00:05:21,520
We read the headline, we nod at the summary, we never descend into the techniques, we never
83
00:05:21,520 –> 00:05:26,360
ask which tactics were used, we never mark which techniques we can actually hunt.
84
00:05:26,360 –> 00:05:29,520
And then we miss the small panel that speaks to our house.
85
00:05:29,520 –> 00:05:36,440
It says seen here or protected here or at risk here.
86
00:05:36,440 –> 00:05:40,880
We scroll past that whisper, we lose days.
87
00:05:40,880 –> 00:05:43,040
Why does this matter?
88
00:05:43,040 –> 00:05:45,280
Techniques are our Rosetta stone.
89
00:05:45,280 –> 00:05:47,480
Without them we chase noise.
90
00:05:47,480 –> 00:05:52,080
With them we write queries that bind directly to behavior.
91
00:05:52,080 –> 00:05:54,960
Exposure tells us if the behavior is at our door.
92
00:05:54,960 –> 00:05:58,280
When we skip both, we break the chain.
93
00:05:58,280 –> 00:06:00,080
We cannot test.
94
00:06:00,080 –> 00:06:01,920
We cannot verify.
95
00:06:01,920 –> 00:06:05,280
We are left with story and no sword.
96
00:06:05,280 –> 00:06:11,200
The remedy is simple: map, then measure. Take the listed techniques, label them with their
97
00:06:11,200 –> 00:06:23,800
ATT&CK codes, T1059, T1550, T1547, build a small ledger for each technique, note whether
98
00:06:23,800 –> 00:06:26,600
Defender already detects it.
99
00:06:26,600 –> 00:06:29,000
Note whether your environment shows exposure.
100
00:06:29,000 –> 00:06:33,400
If the exposure panel says applicable, that is today’s work order.
101
00:06:33,400 –> 00:06:38,400
If it says protected, rerun a quick hunt to confirm the shield holds. We do not guess.
102
00:06:38,400 –> 00:06:40,000
We check.
103
00:06:40,000 –> 00:06:41,600
Oversight two.
104
00:06:41,600 –> 00:06:44,720
We treat recommendations as suggestions.
105
00:06:44,720 –> 00:06:47,880
Not change requests tied to controls.
106
00:06:47,880 –> 00:06:49,880
We read "enable conditional access."
107
00:06:49,880 –> 00:06:56,040
When we read "turn on device tamper protection," we say good idea and we move on.
108
00:06:56,040 –> 00:06:58,120
But recommendations are not ideas.
109
00:06:58,120 –> 00:07:00,200
They are controls in plain dress.
110
00:07:00,200 –> 00:07:01,680
They map to secure score.
111
00:07:01,680 –> 00:07:02,760
They map to policy.
112
00:07:02,760 –> 00:07:04,640
They map to owners.
113
00:07:04,640 –> 00:07:05,920
Why does this matter?
114
00:07:05,920 –> 00:07:08,920
A recommendation without an owner is a wish.
115
00:07:08,920 –> 00:07:11,920
A control without a deadline is a hope.
116
00:07:11,920 –> 00:07:14,440
Hopes do not close doors, orders do.
117
00:07:14,440 –> 00:07:17,760
So we take each recommendation and bind it to a secure score action.
118
00:07:17,760 –> 00:07:18,840
We attach an owner.
119
00:07:18,840 –> 00:07:20,040
We set an SLA.
120
00:07:20,040 –> 00:07:22,400
We gather evidence of effectiveness.
121
00:07:22,400 –> 00:07:24,840
Screenshot the setting.
122
00:07:24,840 –> 00:07:26,520
Export the policy.
123
00:07:26,520 –> 00:07:29,680
Link the incident that proved the need.
124
00:07:29,680 –> 00:07:31,840
Now the recommendation has a spine.
125
00:07:31,840 –> 00:07:33,880
It will stand.
126
00:07:33,880 –> 00:07:36,520
The remedy again follows the covenant.
127
00:07:36,520 –> 00:07:38,320
Read the recommendation.
128
00:07:38,320 –> 00:07:41,480
Translate it to a control name you recognize in secure score.
129
00:07:41,480 –> 00:07:43,240
Assign it in your tracker.
130
00:07:43,240 –> 00:07:45,280
Schedule verification.
131
00:07:45,280 –> 00:07:50,200
When the setting lands, re-hunt the technique from the MITRE list.
132
00:07:50,200 –> 00:07:54,920
If the detection goes quiet and prevention logs show blocks, record that outcome.
133
00:07:54,920 –> 00:07:55,920
That is proof.
134
00:07:55,920 –> 00:07:58,160
That is grace earned through work.
135
00:07:58,160 –> 00:07:59,640
Oversight three.
136
00:07:59,640 –> 00:08:05,240
We ignore the tenant-specific signals and the device and account evidence.
137
00:08:05,240 –> 00:08:08,560
The report tells us when a pattern appears in our walls.
138
00:08:08,560 –> 00:08:12,000
It highlights devices touched by a similar behavior.
139
00:08:12,000 –> 00:08:14,720
It flags accounts with related anomalies.
140
00:08:14,720 –> 00:08:16,160
And yet we stay abstract.
141
00:08:16,160 –> 00:08:17,920
We say interesting trend.
142
00:08:17,920 –> 00:08:19,720
We do not click into the evidence.
143
00:08:19,720 –> 00:08:21,680
We do not join it to incidents.
144
00:08:21,680 –> 00:08:25,040
We do not call the owners of those devices.
145
00:08:25,040 –> 00:08:27,720
And days pass.
146
00:08:27,720 –> 00:08:29,600
Why does this matter?
147
00:08:29,600 –> 00:08:35,360
Intelligence without localization is weather on a distant shore.
148
00:08:35,360 –> 00:08:38,680
Tenant signals bring the storm to our map.
149
00:08:38,680 –> 00:08:42,280
Device and account evidence turn forecasts into coordinates.
150
00:08:42,280 –> 00:08:43,920
That is where we set sail.
151
00:08:43,920 –> 00:08:45,160
That is where we act.
152
00:08:45,160 –> 00:08:46,960
The remedy is to verify.
153
00:08:46,960 –> 00:08:51,640
Open the tenant impact view. If it reports related activity, pivot into those devices and
154
00:08:51,640 –> 00:08:52,880
users.
155
00:08:52,880 –> 00:08:55,560
Check their incident timelines.
156
00:08:55,560 –> 00:08:59,200
Confirm whether the activity was resolved, suppressed or ignored.
157
00:08:59,200 –> 00:09:04,320
We open the incident now and enrich it with the actor and TTP context from the report.
158
00:09:04,320 –> 00:09:06,640
So the narrative explains the urgency.
159
00:09:06,640 –> 00:09:10,680
Then bind remediation to controls as in oversight two.
160
00:09:10,680 –> 00:09:12,360
We make the loop complete.
161
00:09:12,360 –> 00:09:15,320
And there is a thread that stitches all three remedies.
162
00:09:15,320 –> 00:09:22,720
The real secret is the link between report, insights, incidents and secure score controls.
163
00:09:22,720 –> 00:09:26,320
Insight becomes incident, incident becomes control.
164
00:09:26,320 –> 00:09:28,680
Control is verified against the same insight.
165
00:09:28,680 –> 00:09:29,680
This is order.
166
00:09:29,680 –> 00:09:31,640
This is our liturgy.
167
00:09:31,640 –> 00:09:35,240
Once we accept our neglect, we can walk the corrective path.
168
00:09:35,240 –> 00:09:36,800
We will choose a live report.
169
00:09:36,800 –> 00:09:38,280
We will extract techniques.
170
00:09:38,280 –> 00:09:41,000
We will hunt, assign and verify.
171
00:09:41,000 –> 00:09:43,320
Brothers and sisters, our tools already speak.
172
00:09:43,320 –> 00:09:44,640
Let us listen.
173
00:09:44,640 –> 00:09:45,640
Then move.
174
00:09:45,640 –> 00:09:47,200
The corrective path.
175
00:09:47,200 –> 00:09:49,720
Turn reports into action within one hour.
176
00:09:49,720 –> 00:09:52,520
Dear congregation, let us walk the hour.
177
00:09:52,520 –> 00:09:54,160
60 minutes of ordered steps.
178
00:09:54,160 –> 00:09:55,160
No panic.
179
00:09:55,160 –> 00:09:56,160
No drift.
180
00:09:56,160 –> 00:09:58,360
Just covenant and craft.
181
00:09:58,360 –> 00:10:03,440
Step one: choose a current, active report with organizational impact.
182
00:10:03,440 –> 00:10:04,920
We do not chase novelty.
183
00:10:04,920 –> 00:10:10,240
We choose relevance: an actor known to touch our sector, a campaign observed in our region,
184
00:10:10,240 –> 00:10:13,600
a technique that crosses many doors. Open the report.
185
00:10:13,600 –> 00:10:14,960
Note the published date.
186
00:10:14,960 –> 00:10:16,840
Note the last updated line.
187
00:10:16,840 –> 00:10:19,040
Fresh bread feeds better.
188
00:10:19,040 –> 00:10:24,400
Step two: read top to bottom, but stop with purpose at the MITRE section.
189
00:10:24,400 –> 00:10:25,800
This is the spine.
190
00:10:25,800 –> 00:10:32,280
List the tactics, list the techniques by their codes and names: T1059 command and scripting
191
00:10:32,280 –> 00:10:33,280
interpreter.
192
00:10:33,280 –> 00:10:35,760
T1114 email collection.
193
00:10:35,760 –> 00:10:38,200
T1550 use of stolen tokens.
194
00:10:38,200 –> 00:10:40,040
Three to five is enough for the hour.
195
00:10:40,040 –> 00:10:41,800
Copy the technique descriptions.
196
00:10:41,800 –> 00:10:44,360
Note any tool names called out.
197
00:10:44,360 –> 00:10:47,480
These will guide our queries, but here is where it gets interesting.
198
00:10:47,480 –> 00:10:53,000
The report often provides sample detections, artifacts or known behaviors.
199
00:10:53,000 –> 00:10:56,000
Note the required detections implied by each technique.
200
00:10:56,000 –> 00:11:00,240
For T1550 we expect token replay patterns.
201
00:11:00,240 –> 00:11:04,280
For T1059, script interpreter process trees.
202
00:11:04,280 –> 00:11:09,120
For T1114, suspicious mailbox access.
203
00:11:09,120 –> 00:11:11,080
Write one sentence for each.
204
00:11:11,080 –> 00:11:13,760
What would prove this technique happened here?
205
00:11:13,760 –> 00:11:15,080
That is our test.
206
00:11:15,080 –> 00:11:21,400
Step three: pull IOCs and TTPs into Defender hunting or advanced hunting.
207
00:11:21,400 –> 00:11:25,360
Start with TTPs; they endure longer than single indicators.
208
00:11:25,360 –> 00:11:29,080
In advanced hunting, select the last 14 to 30 days.
209
00:11:29,080 –> 00:11:32,200
Choose based on your dwell time reality.
210
00:11:32,200 –> 00:11:36,000
Use device process events for interpreter pivots.
211
00:11:36,000 –> 00:11:40,640
Use identity logon events and cloud app events for token and auth traces.
212
00:11:40,640 –> 00:11:43,720
Use email events for collection patterns.
213
00:11:43,720 –> 00:11:49,880
Create focused queries for each technique using the artifacts named in the report.
214
00:11:49,880 –> 00:11:53,720
Not everything, only what maps to the TTP list.
215
00:11:53,720 –> 00:11:55,360
Now we add speed.
216
00:11:55,360 –> 00:11:58,640
Save each query with the technique code in the name.
217
00:11:58,640 –> 00:12:01,360
T1550 token replay probe.
218
00:12:01,360 –> 00:12:04,680
T1059 interpreter spawn probe.
219
00:12:04,680 –> 00:12:08,720
T1114 mailbox access probe.
220
00:12:08,720 –> 00:12:09,720
Run them.
221
00:12:09,720 –> 00:12:12,360
Sort by severity and recency.
222
00:12:12,360 –> 00:12:14,840
Export the results to a working sheet.
223
00:12:14,840 –> 00:12:17,920
This is our field list for the next steps.
224
00:12:17,920 –> 00:12:18,920
Step four.
225
00:12:18,920 –> 00:12:21,360
Link findings to active incidents.
226
00:12:21,360 –> 00:12:26,440
For each hit, pivot to the device or account and open its incident timeline.
227
00:12:26,440 –> 00:12:29,560
If there is an existing incident, join our evidence to it.
228
00:12:29,560 –> 00:12:30,880
Add a note.
229
00:12:30,880 –> 00:12:36,720
"Correlated to threat analytics report (title), technique (code)."
230
00:12:36,720 –> 00:12:40,280
If there is no incident, open one now.
231
00:12:40,280 –> 00:12:44,240
Title it with the actor or technique named in the report.
232
00:12:44,240 –> 00:12:48,000
Enrich the summary with two lines of context from the report.
233
00:12:48,000 –> 00:12:52,000
We do this so triage sees the why not only the what.
234
00:12:52,000 –> 00:12:56,320
This turns isolated alerts into a story with direction.
235
00:12:56,320 –> 00:12:59,000
And yet we remain grounded.
236
00:12:59,000 –> 00:13:00,600
We verify scope.
237
00:13:00,600 –> 00:13:02,800
Are multiple devices showing the pattern?
238
00:13:02,800 –> 00:13:05,080
Are multiple users affected?
239
00:13:05,080 –> 00:13:12,320
If two or more endpoints or identities share the same TTP within the window, elevate priority.
240
00:13:12,320 –> 00:13:13,240
That is not noise.
241
00:13:13,240 –> 00:13:14,800
That is a path.
242
00:13:14,800 –> 00:13:18,800
Step five.
243
00:13:18,800 –> 00:13:23,440
Open the recommendation section of the report.
244
00:13:23,440 –> 00:13:27,640
For each item, find its mirror in secure score.
245
00:13:27,640 –> 00:13:29,440
Conditional access hardening.
246
00:13:29,440 –> 00:13:32,520
OAuth app consent policies.
247
00:13:32,520 –> 00:13:38,800
Tamper protection, attack surface reduction rules. Create an action entry with the secure
248
00:13:38,800 –> 00:13:43,000
score control name, the owner and the SLA.
249
00:13:43,000 –> 00:13:47,080
For device or user specifics discovered in step four:
250
00:13:47,080 –> 00:13:49,120
Add concrete tasks.
251
00:13:49,120 –> 00:13:51,320
Revoke sessions for named users.
252
00:13:51,320 –> 00:13:54,240
Block legacy protocols on named devices.
253
00:13:54,240 –> 00:13:55,840
Reset credentials.
254
00:13:55,840 –> 00:13:59,040
Remove risky OAuth apps by ID.
255
00:13:59,040 –> 00:14:01,160
We bind strategy to stewardship.
256
00:14:01,160 –> 00:14:04,760
Now this is important because a recommendation without evidence can stall.
257
00:14:04,760 –> 00:14:05,760
So attach evidence.
258
00:14:05,760 –> 00:14:07,160
Paste the query name.
259
00:14:07,160 –> 00:14:08,760
Attach the exported hits.
260
00:14:08,760 –> 00:14:10,360
Link the incident ID.
261
00:14:10,360 –> 00:14:11,640
This is how we move a meeting.
262
00:14:11,640 –> 00:14:12,640
We show the door.
263
00:14:12,640 –> 00:14:13,640
We show the draft.
264
00:14:13,640 –> 00:14:14,640
We show the wind.
265
00:14:14,640 –> 00:14:16,640
Step six.
266
00:14:16,640 –> 00:14:18,520
Validate protections.
267
00:14:18,520 –> 00:14:21,640
Return to the report’s exposure and protections panel.
268
00:14:21,640 –> 00:14:24,520
Does it say applicable here for any element?
269
00:14:24,520 –> 00:14:27,160
Treat those as must-verify controls.
270
00:14:27,160 –> 00:14:30,720
In Defender and Entra, check the actual policy status.
271
00:14:30,720 –> 00:14:32,240
For device protections.
272
00:14:32,240 –> 00:14:34,680
Spot-check the affected endpoints.
273
00:14:34,680 –> 00:14:36,480
Is tamper protection on?
274
00:14:36,480 –> 00:14:43,360
Are ASR rules enforced? For identity, confirm conditional access conditions for risky sign-ins
275
00:14:43,360 –> 00:14:45,560
and token lifetimes.
276
00:14:45,560 –> 00:14:49,120
When controls are set, rerun the saved hunting queries.
277
00:14:49,120 –> 00:14:53,920
We expect fewer hits, different patterns or explicit block events.
278
00:14:53,920 –> 00:15:00,120
If the pattern persists unchanged, we misapplied the control or targeted the wrong gap.
279
00:15:00,120 –> 00:15:01,120
Adjust and test again.
280
00:15:01,120 –> 00:15:02,120
The loop must close.
281
00:15:02,120 –> 00:15:04,920
Close the loop with documentation.
282
00:15:04,920 –> 00:15:06,440
Create a brief record.
283
00:15:06,440 –> 00:15:08,200
Report name.
284
00:15:08,200 –> 00:15:09,560
Techniques targeted.
285
00:15:09,560 –> 00:15:10,880
Queries used.
286
00:15:10,880 –> 00:15:12,280
Incidents touched.
287
00:15:12,280 –> 00:15:13,280
Controls enacted.
288
00:15:13,280 –> 00:15:14,920
Verification outcome.
289
00:15:14,920 –> 00:15:15,920
One page.
290
00:15:15,920 –> 00:15:17,400
Plain words.
291
00:15:17,400 –> 00:15:19,400
Store it where the team prays together.
292
00:15:19,400 –> 00:15:20,400
Your run book.
293
00:15:20,400 –> 00:15:21,400
Your wiki.
294
00:15:21,400 –> 00:15:23,440
Your digital sanctuary of memory.
295
00:15:23,440 –> 00:15:25,360
Set the review cadence now.
296
00:15:25,360 –> 00:15:28,800
Daily, we scan saved queries for new hits.
297
00:15:28,800 –> 00:15:34,160
Weekly we open threat analytics and repeat the hour for a new or updated report.
298
00:15:34,160 –> 00:15:41,080
Monthly we verify that secure score actions tied to past recommendations remain in force.
299
00:15:41,080 –> 00:15:45,600
We turn practice into rhythm, rhythm into culture.
300
00:15:45,600 –> 00:15:47,120
Measure two vows.
301
00:15:47,120 –> 00:15:51,480
Time to detect, from first indicator to analyst view.
302
00:15:51,480 –> 00:15:55,920
Named attack paths closed, by technique, with date and control.
303
00:15:55,920 –> 00:15:57,800
Add these to your dashboard.
304
00:15:57,800 –> 00:15:59,840
Incident timelines for speed.
305
00:15:59,840 –> 00:16:02,480
Secure score history for control coverage.
306
00:16:02,480 –> 00:16:05,280
Tenant-specific exposure for today’s posture.
307
00:16:05,280 –> 00:16:08,360
When metrics stall, return to the report.
308
00:16:08,360 –> 00:16:10,960
Reassess TTP coverage.
309
00:16:10,960 –> 00:16:12,600
Enrich queries.
310
00:16:12,600 –> 00:16:15,080
Renew the covenant.
311
00:16:15,080 –> 00:16:17,880
Beloved brothers and sisters in the cloud.
312
00:16:17,880 –> 00:16:23,320
The hour is enough when we walk it with order: choose the report.
313
00:16:23,320 –> 00:16:24,800
Extract the techniques.
314
00:16:24,800 –> 00:16:26,760
Hunt the truth.
315
00:16:26,760 –> 00:16:29,440
Bind findings to incidents.
316
00:16:29,440 –> 00:16:33,720
Bind guidance to controls.
317
00:16:33,720 –> 00:16:35,720
Document. Review.
318
00:16:35,720 –> 00:16:36,720
Measure.
319
00:16:36,720 –> 00:16:39,960
This is how threat analytics becomes a shield, not a story.
320
00:16:39,960 –> 00:16:42,040
This is how we reduce time to detect.
321
00:16:42,040 –> 00:16:44,280
This is how we close named paths.
322
00:16:44,280 –> 00:16:45,840
Let us walk.
323
00:16:45,840 –> 00:16:46,840
Detection gaps.
324
00:16:46,840 –> 00:16:49,560
Two live scenarios to expose weakness.
325
00:16:49,560 –> 00:16:50,880
Dear congregation.
326
00:16:50,880 –> 00:16:52,960
Now we test our guard in the wild.
327
00:16:52,960 –> 00:16:54,200
Two live paths.
328
00:16:54,200 –> 00:16:55,800
Two mirrors for our readiness.
329
00:16:55,800 –> 00:16:57,280
We will not dramatize.
330
00:16:57,280 –> 00:16:58,280
We will examine.
331
00:16:58,280 –> 00:16:59,280
We will act.
332
00:16:59,280 –> 00:17:02,120
Scenario A: phishing to token theft.
333
00:17:02,120 –> 00:17:06,120
The adversary does not need your password when they can borrow your session.
334
00:17:06,120 –> 00:17:10,200
The TTP focus is consent abuse and token replay.
335
00:17:10,200 –> 00:17:15,360
The pattern begins with a crafted email that lures a user to a malicious OAuth consent
336
00:17:15,360 –> 00:17:16,880
screen.
337
00:17:16,880 –> 00:17:18,840
It asks for read mail.
338
00:17:18,840 –> 00:17:21,200
It asks for offline access.
339
00:17:21,200 –> 00:17:23,680
And the user accepts.
340
00:17:23,680 –> 00:17:27,080
A service principal gains long-lived reach.
341
00:17:27,080 –> 00:17:30,640
Or the attacker captures a token through a web proxy and replays it.
342
00:17:30,640 –> 00:17:32,960
The doors open without a knock.
343
00:17:32,960 –> 00:17:36,040
Let us hunt as the report teaches.
344
00:17:36,040 –> 00:17:39,920
Use the guidance to search sign-in anomalies and OAuth abuse.
345
00:17:39,920 –> 00:17:45,680
In identity logon events, filter for successful sign-ins from unfamiliar sign-in properties within
346
00:17:45,680 –> 00:17:48,120
minutes of a phishing alert.
347
00:17:48,120 –> 00:17:54,400
In cloud app events, query for new OAuth app consents with broad scopes, especially offline
348
00:17:54,400 –> 00:17:56,360
access and mail.
349
00:17:56,360 –> 00:18:01,400
If granted by non-admin accounts, pivot to app consent grant events.
350
00:18:01,400 –> 00:18:05,920
Look for service principals created near the time of consent.
351
00:18:05,920 –> 00:18:08,240
Verify the device and account scope.
352
00:18:08,240 –> 00:18:12,920
Do the same two or three users appear across the last 14 days?
353
00:18:12,920 –> 00:18:16,640
Do we see token lifetimes without corresponding MFA prompts?
354
00:18:16,640 –> 00:18:18,920
If yes, the pattern breathes here.
355
00:18:18,920 –> 00:18:22,120
Where gaps appear, they are often plain.
356
00:18:22,120 –> 00:18:28,640
Conditional access controls demand reauthentication for risky sign-ins.
357
00:18:28,640 –> 00:18:32,840
Stale app consents grant legacy access to dormant applications.
358
00:18:32,840 –> 00:18:36,960
Weak session defenses allow token use beyond expected boundaries.
359
00:18:36,960 –> 00:18:40,880
This is important because consent once granted becomes a quiet river.
360
00:18:40,880 –> 00:18:42,840
It flows until we place a gate.
361
00:18:42,840 –> 00:18:44,560
So we confirm policy.
362
00:18:44,560 –> 00:18:52,040
In Entra, inspect conditional access for sign-in risk, device compliance, and session controls.
363
00:18:52,040 –> 00:18:55,520
Require reauthentication for risky sessions.
364
00:18:55,520 –> 00:18:58,240
Enforce continuous access evaluation.
365
00:18:58,240 –> 00:18:59,800
Where applicable.
366
00:18:59,800 –> 00:19:02,120
Review enterprise applications.
367
00:19:02,120 –> 00:19:04,680
List consents by scope and age.
368
00:19:04,680 –> 00:19:09,120
Revoke questionable grants; disable user consent except for vetted scenarios.
369
00:19:09,120 –> 00:19:10,400
Then rerun the queries.
370
00:19:10,400 –> 00:19:15,760
If OAuth abuse goes silent and we see explicit blocks, we have tightened the path.
371
00:19:15,760 –> 00:19:19,800
If we still see unusual token reuse, rotate secrets.
372
00:19:19,800 –> 00:19:24,760
Revoke refresh tokens for named users and audit app credentials.
373
00:19:24,760 –> 00:19:26,960
We do not guess.
374
00:19:26,960 –> 00:19:28,960
We reset.
375
00:19:28,960 –> 00:19:30,360
Scenario B.
376
00:19:30,360 –> 00:19:36,360
Living-off-the-land persistence. The adversary avoids their own tools; they borrow ours.
377
00:19:36,360 –> 00:19:40,680
The TTP focus is script interpreters and abused binaries.
378
00:19:40,680 –> 00:19:43,240
They launch PowerShell with encoded commands.
379
00:19:43,240 –> 00:19:51,760
They use WScript, CScript, MSHTA, regsvr32, or rundll32 to stage payloads.
380
00:19:51,760 –> 00:19:52,960
They schedule tasks.
381
00:19:52,960 –> 00:19:54,960
They plant registry-run keys.
382
00:19:54,960 –> 00:19:56,400
They live in the seams.
383
00:19:56,400 –> 00:20:00,040
We use the report’s MITRE mapping to query process trees.
384
00:20:00,040 –> 00:20:05,760
In device process events, hunt for parent-child chains where Office or a browser spawns
385
00:20:05,760 –> 00:20:07,520
an interpreter.
386
00:20:07,520 –> 00:20:12,520
Flag command lines with base64, hidden windows, or outbound web calls.
387
00:20:12,520 –> 00:20:16,600
Search for regsvr32 loading remote scriptlets.
388
00:20:16,600 –> 00:20:22,000
Hunt for MSHTA invoking HTTP URLs.
389
00:20:22,000 –> 00:20:29,840
In persistence artifacts, review scheduled task events for newly created tasks under user
390
00:20:29,840 –> 00:20:36,040
context with odd names. In registry activity, check Run and RunOnce
391
00:20:36,040 –> 00:20:41,080
keys altered by non-installer processes.
392
00:20:41,080 –> 00:20:46,600
Then prevention and remediation settings: are attack surface reduction rules in force?
393
00:20:46,600 –> 00:20:48,640
Is tamper protection enabled?
394
00:20:48,640 –> 00:20:51,840
Are PowerShell logs in deep script block mode?
395
00:20:51,840 –> 00:20:56,840
Where gaps appear, they are predictable: allow lists that bless legacy interpreters without
396
00:20:56,840 –> 00:20:57,840
monitoring.
397
00:20:57,840 –> 00:21:01,680
Unmonitored endpoints where sensor health is poor.
398
00:21:01,680 –> 00:21:06,160
Incomplete hardening where ASR rules are in audit, not block.
399
00:21:06,160 –> 00:21:13,160
And yet we do not despair. We turn recommendation into order: enable ASR rules for blocking Office from
400
00:21:13,160 –> 00:21:20,160
creating child processes and for blocking executable content from email and web clients.
401
00:21:20,160 –> 00:21:23,680
Turn on controlled folder access if appropriate.
402
00:21:23,680 –> 00:21:27,760
Enforce tamper protection across the fleet. Require script block logging.
403
00:21:27,760 –> 00:21:30,320
Then test again.
404
00:21:30,320 –> 00:21:37,160
Launch a benign interpreter chain in a lab and confirm block events fire.
405
00:21:37,160 –> 00:21:43,040
In production data we expect fewer suspicious parent-child pairs and more preventive outcomes.
406
00:21:43,040 –> 00:21:49,760
Now verify scope and ownership. If the same abused binary appears across multiple devices, that
407
00:21:49,760 –> 00:21:51,440
is a named path.
408
00:21:51,440 –> 00:21:59,320
Assign an owner to close it: remove the legacy tool, replace the workflow or add a signed alternative.
409
00:21:59,320 –> 00:22:05,200
If a single device repeats suspicious chains, treat it as a persistent source; rebuild or reimage
410
00:22:05,200 –> 00:22:06,440
if needed.
411
00:22:06,440 –> 00:22:09,640
It is better to cleanse than to nurse a wound.
412
00:22:09,640 –> 00:22:12,760
Tie both scenarios back to incidents.
413
00:22:12,760 –> 00:22:19,720
For token theft findings create or enrich an identity incident titled with the technique.
414
00:22:19,720 –> 00:22:24,840
Attach cloud app event evidence, consent IDs, and user names.
415
00:22:24,840 –> 00:22:30,120
For living-off-the-land hits, enrich endpoint incidents with the exact process tree and command
416
00:22:30,120 –> 00:22:31,440
line.
417
00:22:31,440 –> 00:22:36,040
Add a note binding each to the threat analytics report and its techniques.
418
00:22:36,040 –> 00:22:39,480
This gives analysts the why and the how in one place.
419
00:22:39,480 –> 00:22:44,560
Finally, bind controls to secure score and measure change.
420
00:22:44,560 –> 00:22:51,080
For scenario A, map to conditional access, app consent policies and session governance.
421
00:22:51,080 –> 00:22:57,040
For scenario B, map to ASR rules, tamper protection and logging.
422
00:22:57,040 –> 00:23:02,440
Set SLAs, attach evidence, rerun the saved probes daily for a week.
423
00:23:02,440 –> 00:23:06,640
If hits decline and blocks rise, record the date the path closed.
424
00:23:06,640 –> 00:23:12,040
If not, return to the report; we missed a turn. Adjust and verify.
425
00:23:12,040 –> 00:23:14,920
This is how we keep our covenant.
426
00:23:14,920 –> 00:23:19,080
Measurement and governance prove value in days not months.
427
00:23:19,080 –> 00:23:24,000
Beloved congregation, measurement is our witness, governance is our vow.
428
00:23:24,000 –> 00:23:30,560
Without them our work fades like smoke; with them our shield gains weight and proof.
429
00:23:30,560 –> 00:23:32,680
Let us define two vows.
430
00:23:32,680 –> 00:23:35,680
Reduce time to detect.
431
00:23:35,680 –> 00:23:38,160
Close named attack paths.
432
00:23:38,160 –> 00:23:40,720
We speak them aloud so our teams can carry them.
433
00:23:40,720 –> 00:23:42,280
We post them where we gather.
434
00:23:42,280 –> 00:23:44,120
We review them each week.
435
00:23:44,120 –> 00:23:48,360
Time to detect is simple to state, hard to live.
436
00:23:48,360 –> 00:23:55,080
Measure from first indicator seen by Defender to analyst eyes on an incident with context,
437
00:23:55,080 –> 00:23:57,600
not alert creation.
438
00:23:57,600 –> 00:24:02,320
Analyst eyes, context present, that is the clock.
439
00:24:02,320 –> 00:24:10,680
Use incident timelines, mark the earliest related alert, mark the analyst’s first action.
440
00:24:10,680 –> 00:24:11,680
Subtract.
441
00:24:11,680 –> 00:24:18,320
Record daily, chart weekly; when the line does not fall, we change something that day.
442
00:24:18,320 –> 00:24:23,640
Named attack paths are concrete, by technique and control.
443
00:24:23,640 –> 00:24:28,680
T1550 token replay closed by conditional access enforcement on this date.
444
00:24:28,680 –> 00:24:33,200
T1059 interpreter abuse closed by ASR block on this date.
445
00:24:33,200 –> 00:24:39,000
Maintain a ledger, count open paths, count closed paths, track the age of open ones.
446
00:24:39,000 –> 00:24:42,840
No abstractions, only named doors and their locks.
447
00:24:42,840 –> 00:24:46,840
Now dashboards, we keep three in our sanctuary.
448
00:24:46,840 –> 00:24:48,840
Timelines for speed.
449
00:24:48,840 –> 00:24:50,720
This is where time to detect breathes.
450
00:24:50,720 –> 00:24:56,280
Secure score history for control coverage, not as vanity but as evidence of controls actually
451
00:24:56,280 –> 00:24:57,280
landing.
452
00:24:57,280 –> 00:25:01,680
And report-specific exposure status tied to the threat analytics reports we work this
453
00:25:01,680 –> 00:25:02,680
month.
454
00:25:02,680 –> 00:25:07,560
If exposure returns to applicable, that is a bell.
455
00:25:07,560 –> 00:25:08,960
We answer.
456
00:25:08,960 –> 00:25:12,680
Cadence creates culture. Daily, a brief: 10 minutes.
457
00:25:12,680 –> 00:25:16,240
Review fresh incidents with the saved probes from our hour.
458
00:25:16,240 –> 00:25:18,120
Name the two slowest detections.
459
00:25:18,120 –> 00:25:20,320
Name one action to shorten them today.
460
00:25:20,320 –> 00:25:22,400
Weekly, a threat analytics review.
461
00:25:22,400 –> 00:25:24,640
Choose one active report.
462
00:25:24,640 –> 00:25:26,760
Walk the hour.
463
00:25:26,760 –> 00:25:29,040
Update the ledger.
464
00:25:29,040 –> 00:25:32,120
Monthly, control verification.
465
00:25:32,120 –> 00:25:37,160
Spot check 10 endpoints and five identities against the controls we claimed.
466
00:25:37,160 –> 00:25:44,520
Screenshots, policy exports, block events, prayer without words.
467
00:25:44,520 –> 00:25:50,360
Accountability turns recommendation into order. For each recommendation converted, assign
468
00:25:50,360 –> 00:25:52,360
an owner.
469
00:25:52,360 –> 00:25:53,880
Attach the SLA.
470
00:25:53,880 –> 00:25:55,720
Capture evidence of effectiveness.
471
00:25:55,720 –> 00:25:57,360
A screenshot of the setting.
472
00:25:57,360 –> 00:25:59,560
A query result before and after.
473
00:25:59,560 –> 00:26:01,240
The incident ID linked.
474
00:26:01,240 –> 00:26:02,800
Hold a short covenant check each week.
475
00:26:02,800 –> 00:26:04,120
Did we meet the SLA?
476
00:26:04,120 –> 00:26:05,560
If not, what blocked us?
477
00:26:05,560 –> 00:26:08,320
Remove the obstacle or escalate.
478
00:26:08,320 –> 00:26:09,640
Escalation is not anger.
479
00:26:09,640 –> 00:26:11,160
It is stewardship.
480
00:26:11,160 –> 00:26:14,920
If metrics stall, we return to the report that began the work.
481
00:26:14,920 –> 00:26:17,480
We reassess TTP coverage.
482
00:26:17,480 –> 00:26:20,360
Did our queries truly reflect the techniques?
483
00:26:20,360 –> 00:26:21,360
We enrich them.
484
00:26:21,360 –> 00:26:24,240
Add related artifacts from the report’s change log.
485
00:26:24,240 –> 00:26:27,520
Widen the time window if dwell time suggests it.
486
00:26:27,520 –> 00:26:28,680
Test again.
487
00:26:28,680 –> 00:26:32,280
If exposure remains applicable, audit control deployment.
488
00:26:32,280 –> 00:26:34,760
Are ASR rules in block or audit?
489
00:26:34,760 –> 00:26:38,880
Is conditional access applied to the right users and apps?
490
00:26:38,880 –> 00:26:39,880
Correct.
491
00:26:39,880 –> 00:26:40,880
Verify.
492
00:26:40,880 –> 00:26:43,520
Re-measure.
493
00:26:43,520 –> 00:26:46,200
Beloved brothers and sisters in the cloud.
494
00:26:46,200 –> 00:26:48,720
This is governance with grace.
495
00:26:48,720 –> 00:26:50,120
Clear vows.
496
00:26:50,120 –> 00:26:51,360
Simple measures.
497
00:26:51,360 –> 00:26:52,520
Frequent proof.
498
00:26:52,520 –> 00:26:54,320
We do not wait for quarters.
499
00:26:54,320 –> 00:26:56,040
We show value in days.
500
00:26:56,040 –> 00:26:57,720
We show progress in weeks.
501
00:26:57,720 –> 00:26:59,960
We engrave change in months.
502
00:26:59,960 –> 00:27:02,320
Let us stand guard with numbers that speak.
503
00:27:02,320 –> 00:27:04,160
Let us keep our covenant.
504
00:27:04,160 –> 00:27:06,400
The vow and the next step.
505
00:27:06,400 –> 00:27:10,640
Dear congregation, let us speak one truth plainly.
506
00:27:10,640 –> 00:27:18,400
When we read, test, act and verify, threat analytics stops being a newsletter and becomes
507
00:27:18,400 –> 00:27:20,200
a shield we can lift today.
508
00:27:20,200 –> 00:27:21,280
So we make a vow.
509
00:27:21,280 –> 00:27:22,280
We will not skim.
510
00:27:22,280 –> 00:27:23,480
We will not delay.
511
00:27:23,480 –> 00:27:26,280
We will not separate insight from action.
512
00:27:26,280 –> 00:27:27,280
We bind them.
513
00:27:27,280 –> 00:27:28,280
We walk the hour.
514
00:27:28,280 –> 00:27:29,440
We measure the vows.
515
00:27:29,440 –> 00:27:30,760
This is our covenant.
516
00:27:30,760 –> 00:27:33,840
Each week we choose one living report.
517
00:27:33,840 –> 00:27:35,240
We extract its techniques.
518
00:27:35,240 –> 00:27:36,280
We hunt our house.
519
00:27:36,280 –> 00:27:38,920
We join our findings to incidents.
520
00:27:38,920 –> 00:27:42,920
We translate guidance into controls with owners and deadlines.
521
00:27:42,920 –> 00:27:43,920
We verify.
522
00:27:43,920 –> 00:27:44,760
We document.
523
00:27:44,760 –> 00:27:48,520
We measure time to detect and count closed paths by name.
524
00:27:48,520 –> 00:27:50,160
Then we do it again.
525
00:27:50,160 –> 00:27:51,760
And yet we keep humility.
526
00:27:51,760 –> 00:27:53,680
We know the adversary adapts.
527
00:27:53,680 –> 00:27:55,400
We answer by renewing our rhythm.
528
00:27:55,400 –> 00:27:57,440
We keep our saved probes warm.
529
00:27:57,440 –> 00:28:00,640
We revisit controls to confirm block, not audit.
530
00:28:00,640 –> 00:28:04,120
We watch exposure panels like sentinels at dusk.
531
00:28:04,120 –> 00:28:07,000
If a bell rings, we rise.
532
00:28:07,000 –> 00:28:11,320
The path is not complicated.
533
00:28:11,320 –> 00:28:12,520
It is faithful.
534
00:28:12,520 –> 00:28:13,880
Read with intent.
535
00:28:13,880 –> 00:28:15,640
Test with precision.
536
00:28:15,640 –> 00:28:17,240
Act with ownership.
537
00:28:17,240 –> 00:28:19,080
Verify with evidence.
538
00:28:19,080 –> 00:28:20,720
That circle holds.
539
00:28:20,720 –> 00:28:24,240
If this teaching served you, subscribe and stay with us.
540
00:28:24,240 –> 00:28:27,560
Our next message walks the same path across privilege
541
00:28:27,560 –> 00:28:29,960
escalation and lateral movement,
542
00:28:29,960 –> 00:28:32,400
naming the exact techniques to hunt
543
00:28:32,400 –> 00:28:34,600
and the controls to close them.
544
00:28:34,600 –> 00:28:37,480
Let us walk its pathways with humility.
545
00:28:37,480 –> 00:28:39,320
This is our covenant in the cloud.