1
00:00:00,360 --> 00:00:01,980
-: When you're conducting an engagement
2
00:00:01,980 --> 00:00:05,820
sometimes you might be asked to perform adversary emulation.
3
00:00:05,820 --> 00:00:08,340
Now, adversary emulation is a specialized type
4
00:00:08,340 --> 00:00:10,290
of penetration testing where you're trying to
5
00:00:10,290 --> 00:00:12,501
mimic the tactics, techniques, and procedures
6
00:00:12,501 --> 00:00:16,500
of a real world threat actor during your penetration test.
7
00:00:16,500 --> 00:00:19,260
For example, maybe you're conducting a penetration test
8
00:00:19,260 --> 00:00:21,750
against a defense contracting firm that's responsible
9
00:00:21,750 --> 00:00:23,190
for writing the software code that's used
10
00:00:23,190 --> 00:00:24,840
by military aircraft.
11
00:00:24,840 --> 00:00:26,100
That firm might be concerned
12
00:00:26,100 --> 00:00:28,140
with the possibility of a data exfiltration
13
00:00:28,140 --> 00:00:31,530
of their proprietary source code from a nation state actor.
14
00:00:31,530 --> 00:00:34,980
Now, for example, APT25 is believed by experts
15
00:00:34,980 --> 00:00:37,320
to have been attributed to Chinese nation state
16
00:00:37,320 --> 00:00:40,650
actors who target the defense industrial base contractors
17
00:00:40,650 --> 00:00:42,690
in the United States and over in Europe,
18
00:00:42,690 --> 00:00:44,880
with the goal of conducting data exfiltration
19
00:00:44,880 --> 00:00:47,370
and theft of their trade secrets.
20
00:00:47,370 --> 00:00:49,710
Now, if you're asked to emulate this threat actor,
21
00:00:49,710 --> 00:00:52,020
you would then need to use spearphishing messages
22
00:00:52,020 --> 00:00:54,780
that include malicious attachments or malicious hyperlinks
23
00:00:54,780 --> 00:00:56,610
because that is one of the common tactics,
24
00:00:56,610 --> 00:00:58,440
techniques, and procedures that are used
25
00:00:58,440 --> 00:01:00,840
by this particular threat actor who is characterized
26
00:01:00,840 --> 00:01:03,273
as an advanced persistent threat or APT.
27
00:01:04,230 --> 00:01:07,200
Now, a threat actor is really just a generic term,
28
00:01:07,200 --> 00:01:09,030
and we use this to describe the bad folks
29
00:01:09,030 --> 00:01:10,440
out there who wanna do harm
30
00:01:10,440 --> 00:01:13,110
to our networks or steal our secure data.
31
00:01:13,110 --> 00:01:16,740
Put simply, a threat actor is an unauthorized hacker.
32
00:01:16,740 --> 00:01:19,680
However, not all threat actors are created equal,
33
00:01:19,680 --> 00:01:21,690
so there's different categories or tiers
34
00:01:21,690 --> 00:01:23,220
of adversaries out there.
35
00:01:23,220 --> 00:01:25,530
Some are structured, some are unstructured,
36
00:01:25,530 --> 00:01:27,090
some are more skilled than others,
37
00:01:27,090 --> 00:01:29,010
and there's many different things that motivate
38
00:01:29,010 --> 00:01:30,840
each type of threat actor.
39
00:01:30,840 --> 00:01:33,720
Now we're gonna look at six main types of threat actors:
40
00:01:33,720 --> 00:01:36,930
script kiddie, insider threat, competitor,
41
00:01:36,930 --> 00:01:41,460
organized crime, hacktivist, and a nation state or APT.
42
00:01:41,460 --> 00:01:44,220
The first type of threat actor is called a script kiddie.
43
00:01:44,220 --> 00:01:46,500
This is the least skilled type of attacker.
44
00:01:46,500 --> 00:01:48,182
Now, a script kiddie tends to use other people's
45
00:01:48,182 --> 00:01:50,190
tools to conduct their attacks,
46
00:01:50,190 --> 00:01:52,410
and they don't have the skills to develop their own tools,
47
00:01:52,410 --> 00:01:54,420
like more advanced attackers might.
48
00:01:54,420 --> 00:01:57,870
Instead, a script kiddie uses freely available tools found
49
00:01:57,870 --> 00:02:00,750
on the internet or openly available security tool sets
50
00:02:00,750 --> 00:02:03,300
that a penetration tester might also use.
51
00:02:03,300 --> 00:02:06,240
This includes things like Metasploit, Aircrack-NG,
52
00:02:06,240 --> 00:02:08,610
John the Ripper, and many others they can use to
53
00:02:08,610 --> 00:02:10,050
conduct their attacks.
54
00:02:10,050 --> 00:02:12,360
Using these freely available vulnerability assessment
55
00:02:12,360 --> 00:02:14,910
and hacking tools, these script kiddies can conduct their
56
00:02:14,910 --> 00:02:18,720
attacks for profit, to gain credibility, or just for fun.
57
00:02:18,720 --> 00:02:20,910
For example, there's a program out there called
58
00:02:20,910 --> 00:02:22,740
Low Orbit Ion Cannon.
59
00:02:22,740 --> 00:02:24,540
This is a simple program that's often used
60
00:02:24,540 --> 00:02:27,690
by script kiddies to conduct a denial of service attack.
61
00:02:27,690 --> 00:02:30,060
The script kiddies will simply enter in a URL
62
00:02:30,060 --> 00:02:32,250
or an IP address into the input box
63
00:02:32,250 --> 00:02:34,057
and click the button labeled go.
64
00:02:34,057 --> 00:02:36,588
Immediately, a barrage of traffic begins to flood
65
00:02:36,588 --> 00:02:39,840
the victim system to attempt a denial of service.
66
00:02:39,840 --> 00:02:41,130
It's just that simple.
67
00:02:41,130 --> 00:02:43,860
There's no skill or underlying knowledge required.
68
00:02:43,860 --> 00:02:46,740
They simply plug in a website address and hit go.
69
00:02:46,740 --> 00:02:49,080
Now, script kiddies often don't even understand the tools
70
00:02:49,080 --> 00:02:51,270
they're using and the damage they can cause,
71
00:02:51,270 --> 00:02:53,400
or even what those actions are performing.
72
00:02:53,400 --> 00:02:56,370
That being said, these script kiddies can still use simple
73
00:02:56,370 --> 00:02:58,530
tools to create some really undesirable effects
74
00:02:58,530 --> 00:03:00,176
to your organization's network.
75
00:03:00,176 --> 00:03:02,250
The second type of threat actor we have
76
00:03:02,250 --> 00:03:04,230
is known as an insider threat.
77
00:03:04,230 --> 00:03:05,910
An insider threat is an employee
78
00:03:05,910 --> 00:03:07,860
or former employee who has knowledge
79
00:03:07,860 --> 00:03:10,890
of the organization's network, policies, procedures,
80
00:03:10,890 --> 00:03:12,540
and business practices.
81
00:03:12,540 --> 00:03:14,580
The insider threat is one of the most dangerous
82
00:03:14,580 --> 00:03:16,980
for an organization, because these people usually
83
00:03:16,980 --> 00:03:19,170
have authorized access to the network already,
84
00:03:19,170 --> 00:03:22,170
making them both dangerous and difficult to find.
85
00:03:22,170 --> 00:03:24,990
An insider threat could be either skilled or unskilled,
86
00:03:24,990 --> 00:03:26,670
depending on who they are.
87
00:03:26,670 --> 00:03:29,070
For example, an unskilled insider might
88
00:03:29,070 --> 00:03:31,590
copy the organization's files onto a thumb drive,
89
00:03:31,590 --> 00:03:33,690
and then walk out the front door with them.
90
00:03:33,690 --> 00:03:36,240
Even though they were authorized to access those files,
91
00:03:36,240 --> 00:03:37,860
they were not authorized to remove them
92
00:03:37,860 --> 00:03:39,840
from the network or post them online,
93
00:03:39,840 --> 00:03:42,810
which then results in a data breach for your organization.
94
00:03:42,810 --> 00:03:45,300
Or you may have a very skilled insider threat
95
00:03:45,300 --> 00:03:48,030
who's able to elevate their own user account permissions
96
00:03:48,030 --> 00:03:50,820
so that they can access data from across the entire network
97
00:03:50,820 --> 00:03:53,070
and then try to sell it to a willing buyer.
98
00:03:53,070 --> 00:03:54,750
To prevent the insider threat,
99
00:03:54,750 --> 00:03:56,640
organizations need to put policies
100
00:03:56,640 --> 00:03:58,800
and enforcement technologies into place,
101
00:03:58,800 --> 00:04:01,350
such as data loss prevention to detect these insiders
102
00:04:01,350 --> 00:04:03,840
who are attempting to remove the data from the network.
103
00:04:03,840 --> 00:04:06,843
Also, all of the organization's standard internal defenses
104
00:04:06,843 --> 00:04:08,451
need to be properly configured
105
00:04:08,451 --> 00:04:10,560
and cybersecurity analysts must search
106
00:04:10,560 --> 00:04:11,880
through the security information
107
00:04:11,880 --> 00:04:14,490
and event management systems to identify any patterns
108
00:04:14,490 --> 00:04:17,940
of abuse in order to catch the malicious insider.
109
00:04:17,940 --> 00:04:20,850
The third type of threat actor we have is a competitor.
110
00:04:20,850 --> 00:04:23,370
Now, a competitor is a rogue business that attempts to
111
00:04:23,370 --> 00:04:26,580
conduct cyber espionage against your organization.
112
00:04:26,580 --> 00:04:29,400
Competitors are focused on stealing your proprietary data,
113
00:04:29,400 --> 00:04:32,640
disrupting your business, or damaging your reputation.
114
00:04:32,640 --> 00:04:34,950
Often competitors will seek to use an employee
115
00:04:34,950 --> 00:04:35,970
as an insider threat
116
00:04:35,970 --> 00:04:39,000
inside your organization to steal the data from you.
117
00:04:39,000 --> 00:04:40,590
Or they may attempt to break
118
00:04:40,590 --> 00:04:43,230
into your network over the internet themselves.
119
00:04:43,230 --> 00:04:45,720
The fourth type of threat actor we have is categorized
120
00:04:45,720 --> 00:04:47,460
as organized crime.
121
00:04:47,460 --> 00:04:49,200
Now, organized crime is a category
122
00:04:49,200 --> 00:04:51,240
of threat actor who's focused on hacking
123
00:04:51,240 --> 00:04:54,690
and computer fraud in order to receive financial gain.
124
00:04:54,690 --> 00:04:56,106
Due to the internet's wide reach,
125
00:04:56,106 --> 00:04:58,950
a criminal in one part of the world can hack the computer
126
00:04:58,950 --> 00:05:00,510
of somebody on the other side of the globe
127
00:05:00,510 --> 00:05:02,130
with ease and within seconds.
128
00:05:02,130 --> 00:05:05,160
Organized crime gangs often run different schemes
129
00:05:05,160 --> 00:05:07,320
or scams using social engineering,
130
00:05:07,320 --> 00:05:09,870
or conduct more technical attacks using ransomware
131
00:05:09,870 --> 00:05:12,300
in order to steal money from their victims.
132
00:05:12,300 --> 00:05:14,580
Organized crime hackers tend to be well funded,
133
00:05:14,580 --> 00:05:17,280
and they use sophisticated attacks and tools.
134
00:05:17,280 --> 00:05:20,248
The fifth type of threat actor is known as a hacktivist.
135
00:05:20,248 --> 00:05:23,100
Hacktivists tend to be comprised of politically motivated
136
00:05:23,100 --> 00:05:25,830
hackers who target governments, corporations,
137
00:05:25,830 --> 00:05:27,690
and individuals to advance their own
138
00:05:27,690 --> 00:05:30,060
political ideologies or agendas.
139
00:05:30,060 --> 00:05:32,610
For instance, an environmentalist might be considered
140
00:05:32,610 --> 00:05:35,220
a hacktivist if they hack into a logging company
141
00:05:35,220 --> 00:05:37,620
because they wanna see that company's stock prices fall
142
00:05:37,620 --> 00:05:39,480
in an effort to drive them outta business,
143
00:05:39,480 --> 00:05:42,030
and thereby they could save the forest.
144
00:05:42,030 --> 00:05:44,760
Hacktivists can be individuals or large groups.
145
00:05:44,760 --> 00:05:47,820
For example, Anonymous is a very large and well known
146
00:05:47,820 --> 00:05:50,490
hacktivist group. Hacktivists tend to vary in levels
147
00:05:50,490 --> 00:05:54,180
of organization from loosely organized to highly structured.
148
00:05:54,180 --> 00:05:55,980
And they can have a high level of sophistication
149
00:05:55,980 --> 00:05:58,380
in their attacks, or they can be very low.
150
00:05:58,380 --> 00:05:59,910
It really does depend.
151
00:05:59,910 --> 00:06:03,240
Often though, these hacktivists tend not to be well funded.
152
00:06:03,240 --> 00:06:05,190
The sixth type of threat actor is known as
153
00:06:05,190 --> 00:06:07,200
a nation state or APT.
154
00:06:07,200 --> 00:06:10,290
Now, an APT is an advanced persistent threat.
155
00:06:10,290 --> 00:06:12,180
Now, an APT is the most skilled type
156
00:06:12,180 --> 00:06:14,280
of threat actor that you're going to encounter.
157
00:06:14,280 --> 00:06:17,100
This is a group of attackers with exceptional capability,
158
00:06:17,100 --> 00:06:19,590
funding, and organization, who have an intent to
159
00:06:19,590 --> 00:06:21,990
hack a particular network or system.
160
00:06:21,990 --> 00:06:24,180
Nation states don't simply pick any network
161
00:06:24,180 --> 00:06:25,440
at random to attack,
162
00:06:25,440 --> 00:06:27,960
but instead they determine specific targets to
163
00:06:27,960 --> 00:06:29,850
achieve their political motives.
164
00:06:29,850 --> 00:06:31,920
These incredibly organized teams of hackers
165
00:06:31,920 --> 00:06:35,550
conduct highly covert attacks over long periods of time.
166
00:06:35,550 --> 00:06:37,920
In fact, on average, an APT is
167
00:06:37,920 --> 00:06:40,740
in a victimized network for six to nine months
168
00:06:40,740 --> 00:06:43,620
before network defenders actually discover the intrusion.
169
00:06:43,620 --> 00:06:46,470
And some have gone several years between the breach
170
00:06:46,470 --> 00:06:48,870
and their eventual discovery by defenders.
171
00:06:48,870 --> 00:06:51,450
Nation state actors are extremely good at what they do
172
00:06:51,450 --> 00:06:53,880
and they're very difficult to find in a network.
173
00:06:53,880 --> 00:06:55,834
Over the years, many nation states have also
174
00:06:55,834 --> 00:06:58,380
supported various threat actors that pose
175
00:06:58,380 --> 00:07:00,405
as hacktivists or organized crime groups too,
176
00:07:00,405 --> 00:07:02,610
to maintain a plausible deniability
177
00:07:02,610 --> 00:07:04,350
for the hacks they're conducting.
178
00:07:04,350 --> 00:07:06,870
Other times, a nation state might use TTPs
179
00:07:06,870 --> 00:07:08,220
of a different nation state
180
00:07:08,220 --> 00:07:10,530
in order to implicate them in the attack.
181
00:07:10,530 --> 00:07:13,680
When this happens, it's known as a false flag attack.
182
00:07:13,680 --> 00:07:17,430
For example, back in 2015, a French TV network known as
183
00:07:17,430 --> 00:07:20,130
TV5Monde, was taken off the air by
184
00:07:20,130 --> 00:07:22,200
a sophisticated cyber attack.
185
00:07:22,200 --> 00:07:23,910
The network's website was also defaced
186
00:07:23,910 --> 00:07:26,610
by a group calling itself the Cyber Caliphate
187
00:07:26,610 --> 00:07:29,520
and made to look like it was launched by the Islamic State.
188
00:07:29,520 --> 00:07:31,110
When security investigators actually looked
189
00:07:31,110 --> 00:07:33,240
into the attack though, they found the attack
190
00:07:33,240 --> 00:07:35,520
was actually Russian in origin, because the code
191
00:07:35,520 --> 00:07:38,280
used in the attack was typed using a Cyrillic keyboard
192
00:07:38,280 --> 00:07:41,760
during normal working hours in Moscow in St. Petersburg.
193
00:07:41,760 --> 00:07:44,220
If this was accurate, then this means a Russian
194
00:07:44,220 --> 00:07:46,170
nation state actor was trying to appear
195
00:07:46,170 --> 00:07:48,510
as an Islamic state actor, so they would be blamed
196
00:07:48,510 --> 00:07:51,780
for the attack, making this a false flag attack.
197
00:07:51,780 --> 00:07:53,887
Now, each threat actor also conducts these attacks
198
00:07:53,887 --> 00:07:57,330
for different reasons and are motivated by different things.
199
00:07:57,330 --> 00:07:59,160
This might be for greed or money,
200
00:07:59,160 --> 00:08:01,140
like crimeware and ransomware.
201
00:08:01,140 --> 00:08:04,170
Or it might be for power, revenge, or blackmail,
202
00:08:04,170 --> 00:08:06,600
such as in the case of an insider threat.
203
00:08:06,600 --> 00:08:09,120
For a script kiddie, it might just be for thrills,
204
00:08:09,120 --> 00:08:11,580
increased reputation, or some kind of recognition
205
00:08:11,580 --> 00:08:13,140
from fellow hackers.
206
00:08:13,140 --> 00:08:16,020
An APT, though, might hack for intelligence that they
207
00:08:16,020 --> 00:08:18,360
can gain this as a form of espionage to further
208
00:08:18,360 --> 00:08:20,280
their nation's political agendas.
209
00:08:20,280 --> 00:08:22,980
By keeping these motivations in mind, an organization
210
00:08:22,980 --> 00:08:26,220
can build better defenses against each type of threat actor.
211
00:08:26,220 --> 00:08:28,920
So, why is it important to consider the different types
212
00:08:28,920 --> 00:08:30,150
of threat actors?
213
00:08:30,150 --> 00:08:33,120
Well, as a penetration tester, you can use your knowledge
214
00:08:33,120 --> 00:08:34,740
of these threat actors to conduct
215
00:08:34,740 --> 00:08:36,870
threat modeling and emulation.
216
00:08:36,870 --> 00:08:38,940
Depending on the objectives of the engagement,
217
00:08:38,940 --> 00:08:41,490
you may be told to simulate an attack by a script kiddie,
218
00:08:41,490 --> 00:08:45,060
a hacktivist, an insider threat, or even an APT.
219
00:08:45,060 --> 00:08:47,250
Depending on which archetype we're emulating
220
00:08:47,250 --> 00:08:50,220
we're gonna model our techniques after that threat actor.
221
00:08:50,220 --> 00:08:53,430
For example, if you're asked to simulate an APT attack,
222
00:08:53,430 --> 00:08:54,690
you're gonna have to develop your own
223
00:08:54,690 --> 00:08:57,091
custom codes and exploits, which takes a lot
224
00:08:57,091 --> 00:08:58,590
more time and effort.
225
00:08:58,590 --> 00:09:00,150
This is gonna require a higher cost to
226
00:09:00,150 --> 00:09:01,620
conduct that assessment.
227
00:09:01,620 --> 00:09:02,640
On the other hand,
228
00:09:02,640 --> 00:09:04,350
if you're asked to emulate a script kiddie,
229
00:09:04,350 --> 00:09:06,180
you can simply use open source tools to
230
00:09:06,180 --> 00:09:07,680
conduct your attacks.
231
00:09:07,680 --> 00:09:09,780
Modeling an insider threat would require some
232
00:09:09,780 --> 00:09:12,420
insider knowledge, such as a username and password
233
00:09:12,420 --> 00:09:13,800
of an authenticated user
234
00:09:13,800 --> 00:09:15,810
or other information that somebody would know
235
00:09:15,810 --> 00:09:18,270
as part of a known environment assessment.
236
00:09:18,270 --> 00:09:20,640
Now, these are all factors to consider during your planning
237
00:09:20,640 --> 00:09:22,920
and scoping phase of your engagement.
238
00:09:22,920 --> 00:09:24,930
In the industry, we like to categorize
239
00:09:24,930 --> 00:09:26,970
these different threat actors into tiers,
240
00:09:26,970 --> 00:09:30,390
and we call them tier one going up to tier six.
241
00:09:30,390 --> 00:09:32,790
Now, tier one is for people who have little money,
242
00:09:32,790 --> 00:09:35,130
and rely on off-the-shelf tools and exploits.
243
00:09:35,130 --> 00:09:37,590
You guessed it, these are your script kiddies.
244
00:09:37,590 --> 00:09:38,857
Next we have tier two.
245
00:09:38,857 --> 00:09:41,670
This is people who have little money, but they've invested
246
00:09:41,670 --> 00:09:44,160
in their own tools against known vulnerabilities
247
00:09:44,160 --> 00:09:46,710
and this includes hacktivists, like Anonymous.
248
00:09:46,710 --> 00:09:49,170
Tier three actors tend to invest a lot of money
249
00:09:49,170 --> 00:09:52,050
to find unknown vulnerabilities in order to make a profit,
250
00:09:52,050 --> 00:09:55,380
and this includes criminal hackers who create ransomware.
251
00:09:55,380 --> 00:09:58,440
At tier four, we find organized, highly technical,
252
00:09:58,440 --> 00:10:00,960
proficient, and well-funded hackers who are working
253
00:10:00,960 --> 00:10:02,820
in teams to develop new exploits,
254
00:10:02,820 --> 00:10:04,950
and this includes some terrorist groups.
255
00:10:04,950 --> 00:10:07,470
Tier five includes nation states who are investing
256
00:10:07,470 --> 00:10:10,050
lots of money to create vulnerabilities and exploits,
257
00:10:10,050 --> 00:10:12,030
and these are your low end APTs,
258
00:10:12,030 --> 00:10:14,310
and these are gonna be some people who are state sponsored
259
00:10:14,310 --> 00:10:17,040
but maybe not working directly for the state.
260
00:10:17,040 --> 00:10:19,680
And finally, we have tier six, which is comprised
261
00:10:19,680 --> 00:10:22,320
of nation state actors investing even more money
262
00:10:22,320 --> 00:10:24,480
to carry out cyber attacks and military
263
00:10:24,480 --> 00:10:27,120
and intelligence operations that achieve political,
264
00:10:27,120 --> 00:10:29,220
military, and economic goals.
265
00:10:29,220 --> 00:10:30,780
This tier tends to be exclusive
266
00:10:30,780 --> 00:10:32,430
to the larger and wealthier countries
267
00:10:32,430 --> 00:10:34,890
around the developed world, who essentially have an army
268
00:10:34,890 --> 00:10:36,600
of cyber attackers that are combined
269
00:10:36,600 --> 00:10:39,210
into their military intelligence agencies.
270
00:10:39,210 --> 00:10:41,130
Tier six threat actors also are known to
271
00:10:41,130 --> 00:10:43,020
conduct supply chain attacks.
272
00:10:43,020 --> 00:10:46,110
For example, back in 2020, there was an attack
273
00:10:46,110 --> 00:10:48,570
on the company SolarWinds that was allegedly tied
274
00:10:48,570 --> 00:10:50,640
to Russian nation state actors.
275
00:10:50,640 --> 00:10:52,710
The threat actors hacked into SolarWinds
276
00:10:52,710 --> 00:10:56,130
in order to add a backdoor into the SolarWinds code base.
277
00:10:56,130 --> 00:10:58,560
SolarWinds had numerous corporations and governments
278
00:10:58,560 --> 00:11:01,080
as their users, so when this backdoor was embedded
279
00:11:01,080 --> 00:11:03,900
into their next update and release, all of these companies
280
00:11:03,900 --> 00:11:06,720
and government networks effectively became compromised
281
00:11:06,720 --> 00:11:09,270
and given over to this nation state actor.
282
00:11:09,270 --> 00:11:12,690
This attack was not directly targeted at SolarWinds though,
283
00:11:12,690 --> 00:11:15,690
it was really being directed at SolarWinds' customers,
284
00:11:15,690 --> 00:11:18,000
making it a supply chain attack.
285
00:11:18,000 --> 00:11:20,460
Another attack credited to tier six nation states
286
00:11:20,460 --> 00:11:22,650
over the years, was the embedding of rootkits
287
00:11:22,650 --> 00:11:25,020
into Cisco routers and switches that were purchased
288
00:11:25,020 --> 00:11:26,820
from third party suppliers.
289
00:11:26,820 --> 00:11:28,410
This is why supply chain management
290
00:11:28,410 --> 00:11:30,810
and using trusted suppliers becomes really important
291
00:11:30,810 --> 00:11:32,610
to the security of an organization.
292
00:11:32,610 --> 00:11:34,590
And it might be something you're asked to consider
293
00:11:34,590 --> 00:11:36,720
as part of the scope for an engagement.
294
00:11:36,720 --> 00:11:39,330
Now, to summarize this lesson, you need to remember
295
00:11:39,330 --> 00:11:41,550
that as you climb up the tiers of threat actors,
296
00:11:41,550 --> 00:11:44,460
going from one to six, you're gonna see more money,
297
00:11:44,460 --> 00:11:46,740
more skill, and more time being invested
298
00:11:46,740 --> 00:11:48,750
into the capabilities and attacks,
299
00:11:48,750 --> 00:11:50,610
because more is at stake based on what
300
00:11:50,610 --> 00:11:53,523
the threat actor's motivation is to conduct those attacks.