Sqrrl Blog

Sep 28, 2016 8:00:00 AM

Threat Hunter Profile - Jason Smith

Name: Jason Smith

Organization: FireEye

Years hunting: 6

Favorite datasets: Flow data, Bro logs (http, dns, etc.), Windows event logs

Favorite hunting techniques: Pivoting from statistical anomalies, behavioral deviations for local assets

Favorite tools: SiLK, FlowBAT, Bro, Security Onion, Wireshark, Bash

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Sep 14, 2016 8:30:00 AM

Threat Hunter Profile - Samuel Alonso

Name: Samuel Alonso

Organization: KPMG

Years hunting: 2

Favorite datasets: AV, firewall, proxy, IDS and passive DNS

Favorite hunting techniques: Stack counting, anomaly detection and visualization

Favorite tools: Volatility, Passive Total, Santoku and Kali Linux

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Sep 12, 2016 3:41:22 PM

The Applicability of Graphs for Information Security Combatants

This post by Henrik Johansen originally appeared on Medium. Henrik is an IT Security professional at a Danish public sector entity called Region Syddanmark.

I have been tweeting a lot lately about Graphs and how they can be utilised in the context of Information Security. Since this is a topic that seems interesting to a few people I thought a more thorough explanation would make sense. Think of this as the “why” and “what” more than the “how”. 

Topics: Graphs, Incident Response, Threat Hunting, Cyber Threat Hunting

Aug 30, 2016 8:00:00 AM

Threat Hunter Profile - Chris Sanders

Name: Chris Sanders

Organization: FireEye

Years hunting: 10

Favorite datasets: Flow, Bro, Windows endpoint logs

Favorite hunting techniques: Aggregations, pivots, relationship graph visualizations

Favorite tools: SiLK, FlowBAT, Python, Wireshark, FireEye TAP, Splunk

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Aug 17, 2016 8:00:00 AM

Threat Hunter Profile - Josh Liburdi

Name: Josh Liburdi

Organization: Sqrrl

Years hunting: 3

Favorite datasets: Bro, memory artifacts, file metadata

Favorite hunting techniques: Stack Counting, baselining, data visualization

Favorite tools: Bro, LaikaBoss, Volatility, Sqrrl

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Aug 1, 2016 5:45:22 PM

Threat Hunter Profile - David Bianco

Editor's Note: This is the first in a series of posts that will profile various threat hunters, highlighting their experiences, as well as hunting techniques and lessons from the field.

Name: David J. Bianco

Organization: Sqrrl

Years hunting: 8

Favorite datasets: HTTP proxy logs, authentication logs, process data

Favorite hunting techniques: Outlier detection, visualization

Favorite tools: Sqrrl, Unix command line, Python, Apache Spark, scikit-learn

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Jul 26, 2016 7:06:00 AM

Increasing Hunt Confidence by Combining Network and Endpoint Data

This post originally appeared on Carbon Black's blog as an introduction to a threat hunting webinar with Carbon Black. A recording of that webinar is now available.

Threat Hunting is quickly becoming common practice in Security Operation Centers (SOCs). While many security analysts undertake hunting either formally or informally (86%, according to a recent SANS Institute survey), hunts are often limited by the data that is available to them. This post explores how unifying network and endpoint data can increase the effectiveness of threat hunts.

Topics: Big Data, Threat Hunting, Threat Detection, Cyber Threat Hunting, UEBA

Jun 16, 2016 4:47:34 PM

An Introduction to Machine Learning for Cybersecurity and Threat Hunting

At BSides Boston 2016, Sqrrl’s Lead Security Technologist, David Bianco, and Director of Data Science, Chris McCubbin, gave a presentation about the importance of machine learning in the field of Cyber Threat Hunting. In this interview, we talk with them about how it relates to tools like UEBA, and where they see it taking the world of cybersecurity in the future. When used effectively, machine learning provides more accurate, effective insight into threats of all kinds. They predict that machine learning will soon take hold as a major influencing factor on organizations’ Security Operations Center workflows. In addition to their presentation, David and Chris also provide code for anyone interested in taking a hands-on approach to machine learning.

What is machine learning?

Chris: Very basically, machine learning is the capability of a deployed algorithm to adapt to the data that’s being input into it. A normal algorithm, for example, will run on a particular set of data and give you a result, and if you run it on the same set of data again, it will give you the same result. Machine learning has an adaptive component where if you run it on a piece of data it will do something and then change its behavior based on that data. So, even if you ran it on the same data twice, it might give you a different result because it’s adapting. That’s a very broad definition.

Topics: Threat Hunting, Threat Detection, Cyber Threat Hunting, Machine Learning, UEBA

Jun 13, 2016 11:19:03 AM

June Webinar Recap: How Threat Hunting and UEBA Fit Into the Cybersecurity Landscape

On June 2nd Sqrrl hosted a webinar in collaboration with Momentum Partners that examined the current state of the cybersecurity landscape. The webinar covered ways in which various solutions, like threat hunting platforms and User and Entity Behavior Analytics (UEBA) tools, can complement an existing security ecosystem, ensuring security efforts are efficient, effective, and comprehensive.

Topics: Cyber Hunting, Cyber Threat Hunting, User and Entity Behavior Analytics, UEBA

May 25, 2016 11:31:30 AM

Surveying the Threat Hunting Landscape, Part 2: Threat Hunting Practices and Next Steps

In part 1 of this series, we outlined the current state of cyber threat hunting as it was profiled in SANS’s recent survey of 464 companies on the handling of proactive cyber threat detection. In this section, we’ll discuss specifically what types of hunting practices these companies use to track and remove threats in their systems, and we will take a look ahead to see how threat hunting will continue to grow in the future.

In addition to the process of data collection, automation is used to speed up certain parts of the hunting process so that analysts can focus on what’s really valuable, as opposed to spending time gathering and parsing large, disparate data sets. When SANS asked the survey participants what percentage of their threat hunting capacity is automated, the responses were fairly evenly split, with each option (1 - 10%, 11 - 25%, 26 - 50%, 51 - 75%, 76 - 99%) receiving about 20%. Each stage in the Threat Hunting Loop provides opportunities for automation that can make the hunting process much more efficient. When forming a hypothesis, automated risk scoring and heat mapping can highlight where to start looking; when investigating, automated visualizations with predetermined pathways and prescribed hunting techniques help you reach your target sooner; automated TTP detection analytics allow you to uncover and identify threats more easily; and feeding data back into automated tools to enrich your analytics will only make the process quicker and more powerful for the next hunt.

Topics: Sqrrl Enterprise, Threat Hunting, Cyber Threat Hunting