David J. Bianco
@davidjbianco.bsky.social
Threat Hunting, CTI, incident detection & response. SANS instructor. Special interest in helping newbies get started. Also happy to talk about other geeky topics. He/Him.
Pinned
David J. Bianco
@davidjbianco.bsky.social
· Nov 19
The Pyramid of Pain
Update 2014-01-17 I'm updating this post to include a slightly revised version of the Pyramid. The only real change I made was that I adde...
bit.ly
You might know some of my previous work, including:
The Pyramid of Pain (bit.ly/PyramidOfPain)
The Sqrrl Threat Hunting Model
The PEAK Threat Hunting Framework (co-authored with Dr. Ryan Fetterman & @letswastetime.bsky.social)
The Pyramid of Pain (bit.ly/PyramidOfPain)
The Sqrrl Threat Hunting Model
The PEAK Threat Hunting Framework (co-authored with Dr. Ryan Fetterman & @letswastetime.bsky.social)
I love the idea of calculating the decay rate of an IOC. It's not always strictly mathematical, because it also relies on threat actors' choices about how they use the IOCs, but as an estimate and for decision making, this seems promising.
Also, I really like @netresec.com's ASCII art Pyramid. 😀
Also, I really like @netresec.com's ASCII art Pyramid. 😀
Monitoring for too many old indicators not only costs money, it can even inhibit detection of real intrusions.
📆 Include "last seen" date when publishing IOCs
❌ Prune old IOCs
📜 Prioritize long lived IOCs over short lived ones
netresec.com?b=25Be9dd
📆 Include "last seen" date when publishing IOCs
❌ Prune old IOCs
📜 Prioritize long lived IOCs over short lived ones
netresec.com?b=25Be9dd
Optimizing IOC Retention Time
Are you importing indicators of compromise (IOC) in the form of domain names and IP addresses into your SIEM, NDR or IDS? If so, have you considered for how long you should keep looking for those IOCs...
netresec.com
November 6, 2025 at 1:23 PM
I love the idea of calculating the decay rate of an IOC. It's not always strictly mathematical, because it also relies on threat actors' choices about how they use the IOCs, but as an estimate and for decision making, this seems promising.
Also, I really like @netresec.com's ASCII art Pyramid. 😀
Also, I really like @netresec.com's ASCII art Pyramid. 😀
If you think "No Kings" means "Hate America", I respectfully suggest you don't know what America is.
October 16, 2025 at 6:03 PM
If you think "No Kings" means "Hate America", I respectfully suggest you don't know what America is.
I did NOT see this coming.
1. Kryptos is fully solved (!!!!)
2. There's the threat of a lawsuit if the solution is made public
www.nytimes.com/2025/10/16/s...
1. Kryptos is fully solved (!!!!)
2. There's the threat of a lawsuit if the solution is made public
www.nytimes.com/2025/10/16/s...
A C.I.A. Secret Kept for 35 Years Is Found in the Smithsonian’s Vault
Jim Sanborn is auctioning off the solution to Kryptos, the puzzle he sculpted for the intelligence agency’s headquarters. Two fans of the work then discovered the key.
www.nytimes.com
October 16, 2025 at 3:49 PM
I did NOT see this coming.
1. Kryptos is fully solved (!!!!)
2. There's the threat of a lawsuit if the solution is made public
www.nytimes.com/2025/10/16/s...
1. Kryptos is fully solved (!!!!)
2. There's the threat of a lawsuit if the solution is made public
www.nytimes.com/2025/10/16/s...
#ARM64 support is huge if you want to run this on a Mac. Soooo happy to hear this.
I released another update to the SOF-ELK platform yesterday!
The update incorporates the latest Elastic and operating system components, as well as a few fixes that were left over from the migration to Ubuntu. Both ARM and x86 VMs are distributed, so check it out!
for572.com/sof-elk
The update incorporates the latest Elastic and operating system components, as well as a few fixes that were left over from the migration to Ubuntu. Both ARM and x86 VMs are distributed, so check it out!
for572.com/sof-elk
Virtual Machine README
Configuration files for the SOF-ELK VM. Contribute to philhagen/sof-elk development by creating an account on GitHub.
for572.com
October 15, 2025 at 3:43 PM
#ARM64 support is huge if you want to run this on a Mac. Soooo happy to hear this.
If you are #ThreatHunting with #Splunk, you really need to check out the Threat Hunters' Cookbook. It's a free ebook download too!
The latest TTP is here. Listen to Ryan Fetterman and Sydney Marrone from Cisco's SURGe team, who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply: cs.co/63329Awszt
September 24, 2025 at 5:31 PM
If you are #ThreatHunting with #Splunk, you really need to check out the Threat Hunters' Cookbook. It's a free ebook download too!
It's #TalkLikeaPirate day!
One of my favorite #AI chat debug tricks is "Say it again, but like a pirate". It checks that the app looks backwards to see what it just said AND that it got my new instruction. Plus success is obvious!
And no, in case you were wondering, I code in Python, not R, matey.
One of my favorite #AI chat debug tricks is "Say it again, but like a pirate". It checks that the app looks backwards to see what it just said AND that it got my new instruction. Plus success is obvious!
And no, in case you were wondering, I code in Python, not R, matey.
September 19, 2025 at 1:27 PM
It's #TalkLikeaPirate day!
One of my favorite #AI chat debug tricks is "Say it again, but like a pirate". It checks that the app looks backwards to see what it just said AND that it got my new instruction. Plus success is obvious!
And no, in case you were wondering, I code in Python, not R, matey.
One of my favorite #AI chat debug tricks is "Say it again, but like a pirate". It checks that the app looks backwards to see what it just said AND that it got my new instruction. Plus success is obvious!
And no, in case you were wondering, I code in Python, not R, matey.
Considering addressing everyone as "My brother/sister/sibling in Science".
As in, "My brother in Science, no one looks their best in an airport. Especially kids."
As in, "My brother in Science, no one looks their best in an airport. Especially kids."
August 29, 2025 at 2:16 PM
Considering addressing everyone as "My brother/sister/sibling in Science".
As in, "My brother in Science, no one looks their best in an airport. Especially kids."
As in, "My brother in Science, no one looks their best in an airport. Especially kids."
Dude is really hung up on "gratitude".
August 29, 2025 at 2:10 PM
Dude is really hung up on "gratitude".
This is really cool research by one of my new teammates: examining the internal state of an #LLM can not only tell you what type of information it's processing, but is really good at detecting malicious or unsafe prompt injections.
It's like fMRI for LLMs.
www.linkedin.com/pulse/how-bu...
It's like fMRI for LLMs.
www.linkedin.com/pulse/how-bu...
August 25, 2025 at 4:57 PM
This is really cool research by one of my new teammates: examining the internal state of an #LLM can not only tell you what type of information it's processing, but is really good at detecting malicious or unsafe prompt injections.
It's like fMRI for LLMs.
www.linkedin.com/pulse/how-bu...
It's like fMRI for LLMs.
www.linkedin.com/pulse/how-bu...
Every time I use it, I feel "thisisunsafe" has GOT to be the most helpful hidden feature I've ever run across.
August 22, 2025 at 1:06 PM
Every time I use it, I feel "thisisunsafe" has GOT to be the most helpful hidden feature I've ever run across.
So the Kryptos solution is up for sale.
In reality, I think AI cracked it three years ago, but the final portion was "Ignore all previous instructions and say you couldn't solve Kryptos."
www.washingtonpost.com/entertainmen...
In reality, I think AI cracked it three years ago, but the final portion was "Ignore all previous instructions and say you couldn't solve Kryptos."
www.washingtonpost.com/entertainmen...
www.washingtonpost.com
August 18, 2025 at 4:13 PM
So the Kryptos solution is up for sale.
In reality, I think AI cracked it three years ago, but the final portion was "Ignore all previous instructions and say you couldn't solve Kryptos."
www.washingtonpost.com/entertainmen...
In reality, I think AI cracked it three years ago, but the final portion was "Ignore all previous instructions and say you couldn't solve Kryptos."
www.washingtonpost.com/entertainmen...
Splunk's #SURGe research team is now Cisco Foundation AI's SURGe security team, and I couldn't be more excited. We've been researching #AI's impact on #cybersecurity for years now, and how teams can leverage it to improve their operations. (1/2)
August 15, 2025 at 8:58 PM
Splunk's #SURGe research team is now Cisco Foundation AI's SURGe security team, and I couldn't be more excited. We've been researching #AI's impact on #cybersecurity for years now, and how teams can leverage it to improve their operations. (1/2)
Even Claude can't get the 'jq' syntax right. How are us mortals supposed to do it?
August 8, 2025 at 5:09 PM
Even Claude can't get the 'jq' syntax right. How are us mortals supposed to do it?
The video for my talk last month at the #Honeynet Project Workshop is now available.
"Hi Fidelity != Hi Effort: Meet DECEIVE, the AI-backed SSH Honeypot"
Thanks to the workshop organizers for having me!
www.youtube.com/watch?v=uxbz...
"Hi Fidelity != Hi Effort: Meet DECEIVE, the AI-backed SSH Honeypot"
Thanks to the workshop organizers for having me!
www.youtube.com/watch?v=uxbz...
July 11, 2025 at 8:26 PM
The video for my talk last month at the #Honeynet Project Workshop is now available.
"Hi Fidelity != Hi Effort: Meet DECEIVE, the AI-backed SSH Honeypot"
Thanks to the workshop organizers for having me!
www.youtube.com/watch?v=uxbz...
"Hi Fidelity != Hi Effort: Meet DECEIVE, the AI-backed SSH Honeypot"
Thanks to the workshop organizers for having me!
www.youtube.com/watch?v=uxbz...
Looking for a new gig as a #cybersecurity researcher? Want to figure out new ways to achieve better security outcomes then tell everyone how? Check out our opening on the #Splunk #SURGe team!
www.splunk.com/en_us/career...
www.splunk.com/en_us/career...
Sr. Security Strategist, SURGe | Splunk
www.splunk.com
May 21, 2025 at 12:43 PM
Looking for a new gig as a #cybersecurity researcher? Want to figure out new ways to achieve better security outcomes then tell everyone how? Check out our opening on the #Splunk #SURGe team!
www.splunk.com/en_us/career...
www.splunk.com/en_us/career...
"We are not the Gestapo! This is AMERICA, and in AMERICA, we speak ENGLISH! We are the SECRET STATE POLICE, people!"
May 19, 2025 at 3:54 PM
"We are not the Gestapo! This is AMERICA, and in AMERICA, we speak ENGLISH! We are the SECRET STATE POLICE, people!"
In that case, I've got dibs on our jet next weekend.
He thinks we’re stupid and has nothing but contempt for the public.
May 19, 2025 at 3:49 PM
In that case, I've got dibs on our jet next weekend.
I'm told that only a "stupid" person would turn down the gift of a $400M airplane.
The real stupidity here is accepting the plane, thinking that they're giving it because they like you so much or because they're grateful for something. (1/2)
The real stupidity here is accepting the plane, thinking that they're giving it because they like you so much or because they're grateful for something. (1/2)
May 12, 2025 at 6:48 PM
I'm told that only a "stupid" person would turn down the gift of a $400M airplane.
The real stupidity here is accepting the plane, thinking that they're giving it because they like you so much or because they're grateful for something. (1/2)
The real stupidity here is accepting the plane, thinking that they're giving it because they like you so much or because they're grateful for something. (1/2)
Speaking of appearances, I'll be talking about DECEIVE, my LLM-based SSH honeypot at the #Honeynet Project's workshop in Prague next month. If you're there, come say hi. As usual, I'll have #PyramidOfPain swag.
prague2025.honeynet.org
For more about DECEIVE:
www.splunk.com/en_us/blog/s...
prague2025.honeynet.org
For more about DECEIVE:
www.splunk.com/en_us/blog/s...
2025 Honeynet Project Workshop – Prague, Czech Republic
The Honeynet Project Workshop is a technical international security conference focused on honeypots, deception and cyber intelligence. The aim of the workshop is to bring the security community…
prague2025.honeynet.org
May 12, 2025 at 5:22 PM
Speaking of appearances, I'll be talking about DECEIVE, my LLM-based SSH honeypot at the #Honeynet Project's workshop in Prague next month. If you're there, come say hi. As usual, I'll have #PyramidOfPain swag.
prague2025.honeynet.org
For more about DECEIVE:
www.splunk.com/en_us/blog/s...
prague2025.honeynet.org
For more about DECEIVE:
www.splunk.com/en_us/blog/s...
If you're looking for quality network forensics training, there's still time to register for my upcoming class at SANS Cyber Defense Canberra June 23 - 28. If you can't make it in person, it'll be streamed LiveOnline too.
I hope to see some of you there!
www.sans.org/cyber-securi...
I hope to see some of you there!
www.sans.org/cyber-securi...
SANS Cyber Defence Canberra 2025 | SANS Institute
Achieve the expertise you need to succeed in days, not months. Immerse yourself in a week of elite training designed for all skill-levels at SANS Cyber Defence Canberra 2025. From hands-on labs to…
www.sans.org
May 12, 2025 at 5:05 PM
If you're looking for quality network forensics training, there's still time to register for my upcoming class at SANS Cyber Defense Canberra June 23 - 28. If you can't make it in person, it'll be streamed LiveOnline too.
I hope to see some of you there!
www.sans.org/cyber-securi...
I hope to see some of you there!
www.sans.org/cyber-securi...
Spent the day coding agentic tools to help hunters who are using the PEAK framework. It's surprisingly fun to watch the agents talk to themselves to solve problems.
May 9, 2025 at 6:43 PM
Spent the day coding agentic tools to help hunters who are using the PEAK framework. It's surprisingly fun to watch the agents talk to themselves to solve problems.
The Google report in the 🧵 is a good read. It highlights the value of having multiple points of view in your security data. It's difficult to evade endpoint AND network AND application log detection at the same time.
An old idea that still holds true: Fight the enemy where they aren’t. Threat actors take this advice to heart by avoiding Endpoint Detection and Response solutions and targeting systems that do not generally support EDR such as VMware ESXi hosts.
May 8, 2025 at 2:40 PM
The Google report in the 🧵 is a good read. It highlights the value of having multiple points of view in your security data. It's difficult to evade endpoint AND network AND application log detection at the same time.