Threat Vector 12.14.23
Ep 11 | 12.14.23

Decoding Cyber Adversaries: Unveiling Intent and Behavior in the World of Threat Hunting with Madeline Sedgwick

Transcript

Madeline Sedgwick: [Music] Top Gun, the reason why I joined the Navy. I didn't end up being a pilot, obviously. There was not a lot of belief that I was going to do very well in the military, mostly because I had done four years in a very art-centric environment.

David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, director of thought leadership for Unit 42. [Music] In today's episode, I'm going to speak with Madeline Sedgwick about the types of skills and methods needed to understand threat actor intent and behaviors as part of threat hunting, and how that helps with threat deterrence. Madeline is a Senior Cyber Research Engineer and Threat Analyst for the Cortex Expanse team at Palo Alto Networks. She's held roles in the Navy, the DoD, and the Marine Corps, along with several private sector jobs. Madeline, where are you recording from today?

Madeline Sedgwick: Jacksonville, Florida.

David Moulton: I remember the last time I was in Jacksonville. It's beautiful.

Madeline Sedgwick: Oh, it is. Home of the Jacksonville Jaguars.

David Moulton: So before the show, we were talking a little bit about the different types of skills that you're looking for when you're building a team. And I thought that was really fascinating. Talk to me about what types of people you're looking for when you're putting together a team.

Madeline Sedgwick: Cybersecurity is not just about understanding how networks work and how computers process information. It's also about understanding behavior. Why does an adversary do what an adversary does, and what are the motivations behind the adversary's activity? If I can anticipate how the world's changing and how the geopolitical landscape is changing, then I can also anticipate potential threats on the horizon I need to be aware of. I think there's a misconception that the higher educated you are, the more certifications you have as a potential cybersecurity analyst, the better you're going to be at the job. I would take the person who has the understanding of systems, who can break down a system, identify what makes this system work and what doesn't make the system work, and then also be able to pivot that understanding of the system to how human beings work.

David Moulton: So, Madeline, tell our listeners your thoughts on how analyzing a threat actor's behavior and intent helps threat hunters avoid guesswork.

Madeline Sedgwick: So if you look at adversary behavior, you don't have to guess what infrastructure is vulnerable. I know that if I have a public-facing device, it can be exploited by an adversary using an exploit. What does that exploit use? Is it a GET request, an HTTP GET request? Is it something that gets thrown at my network to make that device do something? All of these things can contribute to identifying the behavior behind an actor that's not necessarily tied to specific vulnerabilities. Because that's how we kind of pigeonhole ourselves into thinking, if I protect from the vulnerability, I'll protect my network, which is not the case.

David Moulton: What are some of the most helpful resources that you've found to help understand threat actor behavior and intent?

Madeline Sedgwick: Sure. So day in, day out I employ a number of different capabilities. I come from an intelligence background, and we don't like to rely on one data source. Twitter is a great one-stop shop for people trying to get out information as quickly as possible. There are very talented cybersecurity analysts who get into the weeds and are subject matter experts where I'm not a subject matter expert on a particular actor and certain tactics those actors use. And then a combination of data sources, so packet capture data, and then open source information. We like to combine as many different perspectives as possible so that we can get true insight by identifying threat activity.

David Moulton: What's the one thing that you should remember from this conversation?

Madeline Sedgwick: Cyber adversaries are human beings. That's why they make mistakes. Being a computer hacker, being a threat actor, doesn't give you superpowers. It doesn't give you, like, Matrix-level Neo insight into the Internet. They're limited to the same, like, laws of internet physics, right? [Music] If I can anticipate why an adversary does what an adversary does and what the motivations behind that adversary's activity are, then I can anticipate potential threats on the horizon I need to be aware of. [Music]

David Moulton: Madeline, thanks for joining me today on Threat Vector. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. [Music]