
Endpoint and Network Hunting A QA with Ryan Nolette
Endpoint and Network Hunting: A QA with Ryan Nolette dives deep into the world of cybersecurity threat hunting. This isn’t your average tech talk; we’re peeling back the layers of endpoint and network hunting, exploring the nuances of each methodology, and getting the inside scoop from the expert himself, Ryan Nolette. Prepare to uncover what makes threat detection effective and learn how to combine these two techniques for maximum protection.
We’ll cover everything from practical, step-by-step guides to real-world case studies that illustrate the power (and challenges!) of hunting down those elusive cyber threats. Whether you’re a seasoned pro or just starting your cybersecurity journey, this deep dive promises valuable insights and actionable strategies to elevate your security game.
Introduction to Endpoint and Network Hunting
Endpoint and network hunting are proactive, threat-driven security methodologies designed to identify and neutralize advanced threats that may have evaded traditional security controls. They represent a shift from reactive security, where defenses respond to alerts, to a more proactive approach that actively searches for threats within an organization’s infrastructure. These techniques are crucial in today’s sophisticated threat landscape, where attackers employ increasingly advanced evasion techniques.
Endpoint hunting focuses on individual devices (endpoints) within an organization’s network, such as workstations, servers, and mobile devices.
Network hunting, on the other hand, examines network traffic and infrastructure to identify malicious activity across the entire network. Both methodologies leverage various data sources, tools, and techniques to detect and respond to threats. While distinct, they are often complementary, with insights from one informing the other.
Endpoint Hunting Methodologies
Endpoint hunting involves systematically examining endpoint devices for indicators of compromise (IOCs) and malicious activity. This might involve analyzing system logs, registry keys, file system activity, and process information. Hunters often use specialized tools and techniques like scripting, query languages (like KQL or SQL), and security information and event management (SIEM) systems to sift through vast amounts of data efficiently.
The process is often iterative, starting with a hypothesis about potential threats and then using data analysis to validate or refute that hypothesis. A crucial element is the development of strong hypotheses based on threat intelligence, known vulnerabilities, or observed anomalous behavior.
Network Hunting Methodologies
Network hunting focuses on the analysis of network traffic and infrastructure to identify malicious activity. This can involve examining network flows, DNS queries, firewall logs, and other network-related data sources. Network hunters use tools like packet capture software, network security monitoring (NSM) systems, and threat intelligence platforms to identify suspicious patterns and behaviors. They often employ techniques like analyzing network topology, identifying unusual connections, and detecting lateral movement within the network.
The goal is to identify malicious actors, compromised systems, and data exfiltration attempts before they cause significant damage.
Real-World Scenarios
Endpoint hunting might be used to investigate a suspected malware infection on a specific workstation. By analyzing system logs and file system activity, a security analyst could identify malicious processes, registry modifications, or data exfiltration attempts. This could lead to the identification of the malware, its origin, and the extent of the compromise. A network hunting scenario might involve investigating a series of unusual DNS queries originating from a specific subnet.
Analysis of network traffic could reveal communication with a known command-and-control (C2) server, indicating a potential breach and enabling the identification of compromised systems.
Another example of endpoint hunting could involve detecting suspicious PowerShell scripts running on endpoints. Analysts might correlate this with unusual network connections or file system activity to confirm malicious intent. In a network hunting context, detecting unusual lateral movement across the network, such as connections between normally isolated segments, could indicate a sophisticated attack attempting to evade detection.
Analyzing network flow data to pinpoint the source and destination of this lateral movement can help isolate the affected systems and prevent further compromise.
Ryan Nolette’s Expertise and Contributions
Ryan Nolette is a highly respected figure in the cybersecurity community, particularly known for his expertise in endpoint and network hunting. His career has been marked by a consistent focus on practical application and innovative approaches to threat detection and response. His contributions extend beyond individual accomplishments to significantly influencing the broader understanding and practice within the field.
His deep understanding of both offensive and defensive security practices provides him with a unique perspective.
This allows him to effectively anticipate attacker tactics, techniques, and procedures (TTPs) and translate that knowledge into robust detection strategies. This holistic approach is a hallmark of his work and greatly contributes to the effectiveness of his methods.
Ryan Nolette’s Background and Experience
Ryan Nolette’s background is deeply rooted in practical cybersecurity experience. He’s spent years working hands-on in incident response, threat hunting, and security engineering roles. This direct experience provides a strong foundation for his contributions. His work has involved analyzing complex cyberattacks, developing advanced detection techniques, and sharing his knowledge through various channels. This combination of practical experience and a commitment to knowledge sharing is what sets him apart.
The depth of his experience allows him to approach problems with a nuanced understanding, considering both technical and human factors.
Significant Contributions to Endpoint and Network Hunting
Nolette’s contributions to endpoint and network hunting are substantial. He’s a vocal advocate for proactive threat hunting, emphasizing the importance of moving beyond reactive incident response. His work focuses on developing and implementing effective strategies for identifying and responding to advanced threats that often evade traditional security controls. He stresses the need for skilled analysts, robust tooling, and a strong understanding of attacker behavior to successfully hunt for threats.
This proactive approach is crucial in today’s complex threat landscape. His emphasis on hypothesis-driven hunting, combining threat intelligence with technical analysis, has proven highly effective.
Key Publications and Presentations
While a comprehensive list of all his work is beyond the scope of this short piece, it’s important to note that Ryan Nolette actively shares his knowledge through presentations at industry conferences and potentially through publications in cybersecurity journals or blogs. These presentations and publications frequently showcase his innovative approaches to threat hunting and provide valuable insights into the latest techniques and challenges.
Searching for his name on conference websites or through cybersecurity publications will yield a wealth of information detailing his specific contributions. His presentations often include practical examples and case studies illustrating the effectiveness of his methods.
Endpoint Hunting Techniques
Endpoint hunting is a proactive, in-depth investigation of endpoints to identify malicious activity that may have evaded traditional security controls. It’s a crucial part of a robust cybersecurity strategy, moving beyond reactive incident response to a more preventative posture. Effective endpoint hunting requires a structured approach and the right tools.
A Step-by-Step Guide to Endpoint Hunting
A successful endpoint hunt follows a methodical process. Carefully planned and executed hunts yield the best results. Rushing the process can lead to missed indicators and incomplete findings.
- Define Scope and Objectives: Clearly articulate the specific threat or activity you’re hunting for. This might involve focusing on a particular threat actor, malware family, or suspicious behavior. Defining a clear scope prevents the hunt from becoming too broad and unmanageable.
- Hypothesis Formulation: Based on your defined scope, develop a hypothesis about where the adversary might be hiding or what actions they might have taken. This will guide your investigation.
- Data Collection: Gather relevant endpoint data, such as logs from operating systems, security software, and applications. The data sources will depend on your hypothesis and scope.
- Data Analysis: Analyze the collected data using various techniques like querying, filtering, and correlation to identify anomalies or suspicious activities. This may involve using specialized tools or scripting.
- Validation and Triangulation: Verify any potential findings by corroborating them with other data sources or using different analysis techniques. This helps to ensure the accuracy of your results.
- Reporting and Remediation: Document your findings, including the methodology, data sources, and conclusions. Develop remediation strategies to address any identified threats.
Endpoint Hunting Tools Comparison
Various tools assist in endpoint hunting, each with its strengths and weaknesses. The choice depends on your specific needs and resources.
| Tool | Functionality | Strengths | Weaknesses |
|---|---|---|---|
| Sysmon | Provides detailed system events | High fidelity, free, widely used | Requires configuration and analysis expertise |
| Elastic Stack (ELK) | Centralized log management and analysis | Scalable, powerful search and visualization capabilities | Can be complex to set up and manage |
| Splunk | Comprehensive security information and event management (SIEM) | Robust features for threat detection and investigation | Expensive, requires specialized skills |
| CrowdStrike Falcon | Endpoint detection and response (EDR) platform | Real-time threat detection, incident response capabilities | Subscription-based, can be costly |
Examples of Endpoint Indicators of Compromise (IOCs)
IOCs are artifacts that suggest a compromise has occurred. Identifying these is critical for effective endpoint hunting.
Examples of IOCs include:
- Suspicious Registry Keys: Unexpected or unusual entries in the Windows Registry, particularly those related to persistence mechanisms or malicious software.
- Unusual Processes: Processes running with unusual names, locations, or parent processes. For example, a process associated with a known malware family running from a temporary directory.
- Network Connections: Connections to known malicious IP addresses or domains, especially those using unusual ports or protocols.
- Modified System Files: Changes to critical system files, indicating potential tampering or malware installation. This might include changes to timestamps or checksums.
- Event Log Anomalies: Unusual or unexpected entries in system event logs, such as excessive failed login attempts or account creation events.
Network Hunting Techniques

Network hunting, unlike endpoint hunting, focuses on the network infrastructure itself to identify malicious activity. It involves analyzing network traffic, logs, and other network-related data to uncover threats that may have evaded traditional security measures. This approach provides a broader view of the attack surface and can reveal attacker behavior and infrastructure that might otherwise remain hidden. Effective network hunting relies on a combination of methodologies and a deep understanding of network protocols and common attack patterns.
Network hunting methodologies typically involve a blend of packet capture and log analysis.
Packet capture allows for deep inspection of network traffic, revealing the content of communications and identifying suspicious patterns. Log analysis, on the other hand, provides a historical record of network events, enabling investigators to reconstruct timelines and identify anomalies. Combining these techniques provides a more complete picture of network activity.
Packet Capture and Analysis
Packet capture involves using specialized tools to record network traffic passing through a specific network segment. These tools, such as Wireshark or tcpdump, capture raw network packets, allowing analysts to examine the details of each communication. Analyzing captured packets can reveal malicious communication, such as command and control traffic, data exfiltration, or the use of unusual ports or protocols.
Analysts look for patterns such as high volumes of traffic to unexpected destinations, unusual protocols, or encrypted traffic without proper certificates. For example, the detection of a large volume of outbound connections to a known malicious IP address would be a strong indicator of compromise. The detailed analysis of packet payloads can also reveal the type of malware used and the techniques employed by the attacker.
Network Log Analysis
Network logs provide a valuable historical record of network activity. These logs, generated by various network devices like firewalls, routers, and intrusion detection systems (IDS), contain information about network connections, traffic flows, and security events. Analyzing these logs can reveal anomalies such as unusual login attempts, unauthorized access, or suspicious traffic patterns. Effective log analysis requires a strong understanding of the different log formats and the ability to correlate events across multiple log sources.
For instance, correlating a failed login attempt from a suspicious IP address with a subsequent successful connection from the same IP address to a sensitive server would raise a strong suspicion of malicious activity.
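The correlation just described (failed logins from an address, then an allowed connection from that same address to a sensitive server shortly afterwards), written out as an added Python hunt rule; this is example code, not from the QA, and the auth log, firewall log and asset list are constructed to show the rule firing and not firing.

```python
"""Hunt rule: failed login(s) from an IP, then an allowed connection from the same
IP to a sensitive server within a time window.

Added example with constructed log formats (not any vendor's real format).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: time, result, user, source IP. 203.0.113.45 fails three
# times against a service account; 198.51.100.7 fails once; 10.20.0.15 succeeds.
AUTH_LOG = """\
2024-03-05T09:58:02Z FAIL user=svc_backup src=203.0.113.45
2024-03-05T09:58:04Z FAIL user=svc_backup src=203.0.113.45
2024-03-05T09:58:09Z FAIL user=svc_backup src=203.0.113.45
2024-03-05T10:01:12Z FAIL user=jsmith src=198.51.100.7
2024-03-05T10:30:00Z OK user=jsmith src=10.20.0.15
"""

# Constructed firewall log: time, action, source IP, destination IP, destination port.
FW_LOG = """\
2024-03-05T10:03:41Z ALLOW src=203.0.113.45 dst=10.10.5.20 dport=3389
2024-03-05T10:05:00Z ALLOW src=198.51.100.7 dst=10.10.8.9 dport=443
2024-03-05T10:31:00Z ALLOW src=10.20.0.15 dst=10.10.5.20 dport=445
"""

# Constructed asset inventory: which destinations count as "sensitive".
SENSITIVE_SERVERS = {"10.10.5.20": "db-prod-01"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _kv(fields):
    # ["user=svc_backup", "src=203.0.113.45"] -> {"user": ..., "src": ...}
    return dict(f.split("=", 1) for f in fields)


def parse_auth(text):
    """Return (time, result, user, src_ip) tuples from the constructed auth log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, *rest = line.split()
        kv = _kv(rest)
        events.append((_ts(ts), result, kv["user"], kv["src"]))
    return events


def parse_fw(text):
    """Return (time, action, src_ip, dst_ip, dst_port) tuples from the firewall log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, *rest = line.split()
        kv = _kv(rest)
        events.append((_ts(ts), action, kv["src"], kv["dst"], int(kv["dport"])))
    return events


def correlate(auth_events, fw_events, min_failures=1, window=timedelta(minutes=15)):
    """Flag an ALLOW to a sensitive server from a source IP that had at least
    min_failures failed logins, where the ALLOW falls within `window` after the
    source's last failure. Returns one finding per qualifying connection."""
    failures = defaultdict(list)
    for ts, result, user, src in auth_events:
        if result == "FAIL":
            failures[src].append((ts, user))

    findings = []
    for ts, action, src, dst, dport in fw_events:
        if action != "ALLOW" or dst not in SENSITIVE_SERVERS or src not in failures:
            continue
        fails = failures[src]
        last_fail = max(t for t, _ in fails)
        if len(fails) >= min_failures and last_fail <= ts <= last_fail + window:
            findings.append({
                "src": src,
                "failed_logins": len(fails),
                "users_tried": sorted({u for _, u in fails}),
                "dst": dst,
                "asset": SENSITIVE_SERVERS[dst],
                "dport": dport,
                "gap_seconds": int((ts - last_fail).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_auth(AUTH_LOG), parse_fw(FW_LOG)):
        print(finding)
```

Raising `min_failures` or shrinking `window` is how the hunter tunes noise; the 198.51.100.7 connection is ignored here only because 10.10.8.9 is not in the sensitive-asset list.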
Common Network-Based Indicators of Compromise (IOCs) and Detection Methods
Understanding common IOCs is crucial for effective network hunting. These indicators can be used to identify potential threats and prioritize investigations.
The following list outlines some common network-based IOCs and their detection methods:
- Malicious IP Addresses: Detected through correlation with threat intelligence feeds, analysis of network logs, and packet capture. Detection involves comparing observed IP addresses against known malicious IP address lists maintained by security vendors or threat intelligence platforms.
- Suspicious Domains: Identified through DNS logs, web proxy logs, and packet capture. Analysis focuses on identifying domains that are newly registered, have unusual names, or are associated with known malicious activity. Tools like VirusTotal can be used to check domain reputations.
- Unusual Ports and Protocols: Detected through network traffic analysis and log review. Identifying unexpected traffic on non-standard ports or the use of uncommon protocols can indicate malicious activity. For example, detecting outbound traffic on port 445 (SMB) from a system that shouldn’t be accessing network shares would be suspicious.
- High Volume of Network Traffic: Detected through monitoring network bandwidth usage and analyzing network flow data. Sudden spikes in network traffic, especially to unusual destinations, can be indicative of data exfiltration or other malicious activity. This can be easily monitored using network monitoring tools.
- Encrypted Traffic to Unusual Destinations: Detected through packet capture and analysis of SSL/TLS certificates. Encrypted traffic, while not inherently malicious, can be suspicious if directed to an unknown or untrusted destination. This warrants further investigation to understand the nature of the communication.
Using Network Traffic Analysis to Identify Malicious Activity
Network traffic analysis involves examining network traffic patterns to identify anomalies and potential threats. This can be achieved through various techniques, including analyzing network flow data, examining packet payloads, and correlating events across multiple network devices. For example, observing a significant increase in encrypted traffic to a newly registered domain, coupled with unusual login attempts from the same IP address, would strongly suggest malicious activity.
This type of analysis requires expertise in network protocols and a deep understanding of normal network behavior to distinguish between legitimate and malicious traffic. The use of security information and event management (SIEM) systems can significantly aid in this process by providing automated alerts and visualizations of network activity.
Combining Endpoint and Network Hunting
Endpoint and network hunting, while powerful individually, become exponentially more effective when combined. Their synergistic relationship allows for a more complete picture of an attacker’s actions, leading to faster incident response and improved threat detection capabilities. By correlating data from both domains, security analysts can gain a much deeper understanding of the attack lifecycle and identify subtle indicators that might otherwise be missed.
The primary benefit of combining endpoint and network hunting is the enhanced contextualization of threat activity. Endpoint data provides granular details about what happened *on* a compromised system, such as malicious processes, registry modifications, and file activity. Network data, conversely, offers insights into the *communication* aspects of the attack, including network connections, data exfiltration attempts, and lateral movement. By integrating these perspectives, analysts can piece together a comprehensive narrative of the attack, tracing its progression from initial access to the ultimate objective. This holistic view significantly improves the accuracy and speed of threat identification and response.
Data Correlation for Enhanced Threat Detection
Combining endpoint and network data facilitates powerful correlation techniques. For instance, identifying a suspicious process on an endpoint (e.g., a process attempting to connect to a known malicious IP address) can be further investigated by examining network logs for the corresponding communication. Conversely, detecting unusual network activity, such as a large volume of outbound traffic to an unknown destination, can trigger a deeper examination of endpoint logs on potentially affected systems to pinpoint the source of the activity.
This reciprocal analysis allows analysts to validate findings, identify previously unseen connections, and gain a more nuanced understanding of the threat actor’s tactics, techniques, and procedures (TTPs).
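The reciprocal analysis described here, together with two indicators from the network IOC list above (connections to a known malicious IP, and outbound SMB on port 445 from a host that should not be reaching shares), as an added Python example; it is not code from the QA or from any EDR or NSM vendor. The Sysmon-style endpoint records, the flow records, the threat-intel set and the SMB allowlist are all constructed, and real Sysmon Event ID 3 or NetFlow exports would need their own parsers.

```python
"""Join network flows to endpoint process events, then run network IOC rules
over the joined records so each network hit names the process behind it (or
reveals that the host has no endpoint telemetry at all).

Added example; all records, the threat-intel set and the allowlist are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel set (documentation address range, not a real IoC).
MALICIOUS_IPS = {"203.0.113.99"}
# Constructed: the only host expected to open outbound SMB (port 445) sessions.
SMB_ALLOWED_HOSTS = {"fs-01"}

# Constructed Sysmon Event ID 3-style records, pipe-delimited:
# time|host|process image|destination IP|destination port
ENDPOINT_EVENTS = r"""
2024-03-05T11:02:10Z|ws-042|C:\Windows\Temp\updater.exe|203.0.113.99|443
2024-03-05T11:02:15Z|ws-042|C:\Program Files\Browser\browser.exe|93.184.216.34|443
2024-03-05T11:10:00Z|ws-017|C:\Windows\System32\svchost.exe|10.10.5.20|445
2024-03-05T11:12:00Z|fs-01|C:\Windows\System32\svchost.exe|10.10.5.21|445
"""

# Constructed flow records, pipe-delimited: time|source host|dst IP|dst port|bytes out
# ws-101 talks to the malicious IP but has no endpoint record at all.
FLOWS = r"""
2024-03-05T11:02:11Z|ws-042|203.0.113.99|443|2048
2024-03-05T11:02:16Z|ws-042|93.184.216.34|443|51200
2024-03-05T11:10:01Z|ws-017|10.10.5.20|445|8192
2024-03-05T11:12:01Z|fs-01|10.10.5.21|445|409600
2024-03-05T11:20:00Z|ws-101|203.0.113.99|8443|1048576
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_endpoint(text):
    """Return (time, host, image, dst_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, dst, dport = line.split("|")
        events.append((_ts(ts), host, image, dst, int(dport)))
    return events


def parse_flows(text):
    """Return (time, host, dst_ip, dst_port, bytes_out) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, dport, nbytes = line.split("|")
        flows.append((_ts(ts), host, dst, int(dport), int(nbytes)))
    return flows


def join_flows_to_processes(endpoint_events, flows, skew=timedelta(seconds=5)):
    """Attach the endpoint process image(s) to each flow by matching on
    (host, dst_ip, dst_port) within `skew` of the flow timestamp. An empty
    image list means the network saw traffic the endpoint sensor did not report."""
    by_key = defaultdict(list)
    for ev in endpoint_events:
        by_key[(ev[1], ev[3], ev[4])].append(ev)
    joined = []
    for ts, host, dst, dport, nbytes in flows:
        images = sorted({ev[2] for ev in by_key.get((host, dst, dport), [])
                         if abs(ev[0] - ts) <= skew})
        joined.append({"time": ts, "host": host, "dst": dst, "dport": dport,
                       "bytes_out": nbytes, "images": images})
    return joined


def hunt(joined):
    """Two network IOC rules from the text, evaluated on the joined records:
    flows to a known-malicious IP (with endpoint confirmation status) and
    outbound SMB from a host that is not on the allowlist."""
    findings = []
    for rec in joined:
        if rec["dst"] in MALICIOUS_IPS:
            findings.append({"rule": "flow_to_known_c2",
                             "endpoint_confirmed": bool(rec["images"]), **rec})
        if rec["dport"] == 445 and rec["host"] not in SMB_ALLOWED_HOSTS:
            findings.append({"rule": "unexpected_smb_client", **rec})
    return findings


if __name__ == "__main__":
    joined = join_flows_to_processes(parse_endpoint(ENDPOINT_EVENTS), parse_flows(FLOWS))
    for finding in hunt(joined):
        print(finding["rule"], finding["host"], finding["dst"], finding["images"])
```

The unconfirmed hit on ws-101 is itself a finding: either the host lacks the endpoint sensor or the sensor was tampered with, and both deserve a pivot to endpoint hunting on that machine.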
Hypothetical Scenario Illustrating Synergistic Effect
Imagine a scenario where a network intrusion detection system (IDS) flags an unusual volume of outbound encrypted traffic from a specific subnet. Network hunting reveals that this traffic originates from a server hosting sensitive customer data. This alone warrants further investigation, but the picture remains incomplete. By switching to endpoint hunting on the affected server, analysts discover a newly created user account with elevated privileges, alongside several recently modified files associated with data exfiltration tools.
These files contain network connection strings that match the suspicious outbound traffic identified during network hunting. The combination of network and endpoint data confirms a data breach attempt, providing vital evidence for incident response and forensic analysis. The attacker’s TTPs are clearly visible: initial compromise via a compromised account, elevation of privileges, and data exfiltration via encrypted channels.
Without the combined approach, either the network anomaly or the compromised endpoint might have been dismissed as insignificant, leading to a delayed response and potentially greater damage.
Case Studies and Real-World Examples

Endpoint and network hunting, while powerful techniques, truly shine when applied to real-world scenarios. The following case studies illustrate the effectiveness of these methods in identifying sophisticated threats and mitigating significant security risks. Understanding these examples provides valuable insight into the practical application and challenges involved.
A Sophisticated APT Campaign Detection
A large financial institution experienced unusual network activity. Initial analysis revealed nothing conclusive. However, a combined endpoint and network hunt revealed a sophisticated Advanced Persistent Threat (APT) actor. Endpoint hunting identified unusual process creation on several high-value workstations, specifically the execution of custom-built malware with obfuscated code. Simultaneously, network hunting uncovered unusual outbound connections to a command-and-control (C&C) server located in a foreign country, masked through multiple VPN hops.
Correlation of the endpoint and network data revealed that the malware was exfiltrating sensitive financial data. The combination of endpoint and network hunting allowed the security team to quickly identify the threat actor, contain the breach, and recover the stolen data before significant financial damage occurred. This demonstrated the importance of integrated threat detection strategies.
Preventing a Data Breach Through Proactive Hunting
A global e-commerce company implemented a proactive endpoint and network hunting program. During a routine hunt, analysts discovered unusual scripting activity on several web servers. This activity, while seemingly benign at first glance, triggered an alert within their security information and event management (SIEM) system. Further investigation using endpoint hunting tools revealed that a malicious script was attempting to escalate privileges and gain access to customer databases.
Network hunting confirmed the script was attempting to exfiltrate data through an obscure port. The threat was neutralized before any data was compromised, preventing a potentially massive data breach and reputational damage. This highlights the value of proactive hunting as a preventative measure.
Challenges Encountered During Real-World Engagements
Real-world endpoint and network hunting presents several challenges. One significant hurdle is the sheer volume of data generated by modern IT infrastructures. Analyzing this data efficiently requires advanced tools and skilled analysts. Another challenge is the ever-evolving nature of threats. Attackers constantly develop new techniques, making it crucial to stay updated on the latest threats and adapt hunting strategies accordingly.
Furthermore, integrating endpoint and network data can be complex, requiring careful planning and coordination. Finally, obtaining the necessary resources, including skilled personnel and advanced tools, can be a significant barrier for many organizations. These challenges emphasize the need for continuous improvement and investment in security expertise and technology.
Tools and Technologies
Endpoint and network hunting relies heavily on a robust arsenal of tools. The right tools can significantly improve efficiency and effectiveness, enabling security analysts to identify threats faster and more accurately. Choosing the appropriate tools depends on the specific environment, budget, and the level of expertise within the security team.
The selection of tools often involves a combination of open-source and commercial solutions, each offering unique capabilities and strengths.
This diversity allows for a tailored approach to threat hunting, enabling security teams to build a customized toolkit that meets their specific needs.
Endpoint Hunting Tools
Endpoint hunting tools provide visibility into the activities occurring on individual endpoints within an organization’s network. These tools often focus on log analysis, process monitoring, and memory forensics. Effective endpoint hunting necessitates tools that can collect and analyze large volumes of data efficiently, correlating events to uncover malicious activity.
| Tool | Functionality | Capabilities | Vendor |
|---|---|---|---|
| CrowdStrike Falcon | Endpoint Detection and Response (EDR) | Real-time threat detection, incident response, threat intelligence integration | CrowdStrike |
| Carbon Black | EDR, endpoint protection | Live response, forensic analysis, threat hunting | VMware |
| SentinelOne | EDR, endpoint protection | AI-powered threat detection, automated response, vulnerability assessment | SentinelOne |
| Microsoft Defender for Endpoint | EDR, endpoint protection | Threat detection, investigation, response, vulnerability management | Microsoft |
Network Hunting Tools
Network hunting tools provide visibility into network traffic and activity. These tools are essential for identifying lateral movement, data exfiltration, and other malicious activities that occur across the network. The capabilities of these tools range from simple packet capture to advanced network traffic analysis and security information and event management (SIEM) integration.
| Tool | Functionality | Capabilities | Vendor |
|---|---|---|---|
| Wireshark | Network protocol analyzer | Packet capture, analysis, and filtering | Open Source |
| Zeek (formerly Bro) | Network security monitoring | Real-time network traffic analysis, intrusion detection | Open Source |
| Splunk | SIEM | Log management, security monitoring, threat detection | Splunk |
| Elastic Stack (ELK) | Log management, analytics, visualization | Centralized log collection, analysis, and visualization | Elastic |
Detailed Description of CrowdStrike Falcon
CrowdStrike Falcon is a cloud-native endpoint protection platform that incorporates EDR capabilities. Its key features include real-time threat detection, proactive threat hunting, and automated incident response. The platform leverages machine learning and artificial intelligence to identify and respond to threats, significantly reducing the workload on security analysts. A major benefit is its lightweight agent, minimizing performance impact on endpoints.
Falcon’s integrated threat intelligence feeds provide valuable context, allowing analysts to quickly assess and prioritize alerts. The platform’s user interface is intuitive and easy to navigate, facilitating efficient threat hunting and incident response. The ability to perform live response actions directly from the console allows for rapid containment and remediation of threats. Furthermore, its robust API allows for seamless integration with other security tools and workflows.
Future Trends and Challenges
Endpoint and network hunting are rapidly evolving fields, driven by the ever-increasing sophistication of cyber threats and the expanding attack surface of modern organizations. The integration of advanced technologies and the need for highly skilled professionals are shaping the future of this critical security discipline. Understanding these trends and challenges is paramount for organizations seeking to proactively defend against increasingly complex attacks.
The landscape of endpoint and network hunting is undergoing a significant transformation, largely fueled by advancements in artificial intelligence (AI) and machine learning (ML).
These technologies offer the potential to automate many aspects of the hunting process, significantly improving efficiency and effectiveness. However, implementing these technologies effectively presents unique challenges, requiring careful consideration of data management, integration with existing security tools, and the development of robust validation processes. The skills gap in this area also presents a significant hurdle.
AI and Machine Learning in Endpoint and Network Hunting
AI and ML are revolutionizing endpoint and network hunting by automating threat detection and response. Machine learning algorithms can analyze vast amounts of security data to identify patterns and anomalies indicative of malicious activity, significantly reducing the time and resources required for manual analysis. For example, ML models can be trained to detect unusual network connections, suspicious file executions, or anomalies in user behavior.
AI-powered tools can then automate responses, such as isolating infected systems or blocking malicious traffic. However, the accuracy and effectiveness of these tools depend heavily on the quality and quantity of training data. Insufficient or biased data can lead to inaccurate results and false positives, hindering the overall effectiveness of the hunting process. Furthermore, the explainability of AI/ML models remains a challenge; understanding *why* a particular alert was generated is crucial for effective investigation and response.
Challenges in Implementing Endpoint and Network Hunting Strategies
Effective implementation of endpoint and network hunting strategies presents several significant challenges. Firstly, the sheer volume and velocity of security data can be overwhelming. Organizations need robust data management and analysis capabilities to effectively process and analyze this data. Secondly, integrating endpoint and network hunting tools with existing security infrastructure can be complex and time-consuming. This requires careful planning and coordination across different security teams and technologies.
Thirdly, the lack of skilled professionals poses a major challenge. Finding and retaining individuals with the necessary expertise in both endpoint and network security, as well as data analysis and threat intelligence, is a critical need for organizations. Finally, the constant evolution of attack techniques requires continuous adaptation and improvement of hunting strategies. Hunters need to stay abreast of the latest threats and techniques to remain effective.
Required Skills and Knowledge for Endpoint and Network Hunters
Successful endpoint and network hunters require a unique blend of technical skills and soft skills. Technically, they need a deep understanding of operating systems, networking protocols, security tools, and data analysis techniques. Proficiency in scripting languages (like Python) and data visualization tools is also essential for automating tasks and effectively communicating findings. Furthermore, a strong understanding of threat intelligence and adversary tactics, techniques, and procedures (TTPs) is critical for developing effective hunting strategies.
Soft skills, such as strong analytical and problem-solving abilities, communication skills, and the ability to work effectively in a team, are equally important. The ability to prioritize tasks and manage time effectively in a fast-paced environment is also crucial. For instance, a hunter might need to quickly triage alerts, prioritize critical threats, and coordinate incident response activities with other teams.
This requires not only technical expertise but also strong organizational and communication skills.
Outcome Summary
Our conversation with Ryan Nolette on endpoint and network hunting has illuminated the crucial role of proactive threat detection in today’s complex cyber landscape. We’ve explored the distinct strengths of both endpoint and network hunting, the synergistic benefits of combining them, and the ever-evolving tools and technologies shaping the future of this critical field. Remember, staying ahead of the curve requires constant learning and adaptation – and understanding the power of combining endpoint and network hunting is a major step in that direction.
So, sharpen your skills, embrace the challenge, and happy hunting!
FAQ Compilation
What are some common misconceptions about endpoint vs. network hunting?
A common misconception is that endpoint hunting is solely about malware. It encompasses a broader range of threats and suspicious activities. Similarly, network hunting isn’t just about identifying malicious traffic; it’s about understanding network behavior and identifying anomalies.
How much experience is needed to effectively perform endpoint and network hunting?
While a strong foundation in cybersecurity principles is essential, experience varies. Beginners can start with basic techniques and gradually build their expertise. Advanced skills require years of experience and hands-on practice.
What are some ethical considerations when conducting endpoint and network hunting?
Always obtain proper authorization before conducting any hunting activities on systems. Respect privacy and data protection regulations. Document your activities thoroughly and adhere to ethical guidelines.