Sqrrl Blog

Jan 12, 2017 8:00:00 AM

The Hunter's Den: Command and Control

By Josh Liburdi, Sqrrl Security Technologist, and George Aquila

The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. In our previous post, we examined the practical ways that one can hunt for Internal Reconnaissance. In this post, we will take a look at how to hunt for Command and Control (C2) activity. Command and control is the process through which an attacker establishes a connection with a compromised asset that they have taken control of in a target network. C2 is a critical step in the process of carrying out an attack on a network. It is a category broad enough that it has its own kill chain step (KC6, “Command and Control”). Although it is a broad tactic, this post will survey the different ways that it might generally be carried out by an adversary.

Understanding Command and Control

C2 enables remote access for attackers into target networks. Architecturally, C2 is fairly predictable: it generally follows one of two implementation models, a Client-Server model or a Peer-to-Peer model. Attackers have multiple options for building their C2 channel, each of which is outlined below.

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den

Jan 11, 2017 8:00:00 AM

Threat Hunter Profile - Katie Horne

Name: Katie Horne

Organization: GoSecure

Years hunting: 2

Favorite datasets: Network flow, application level data, firewall/switch/AP logs, file/process data, Windows event logs

Favorite hunting techniques: Searching, grouping, intel analysis

Favorite tools: Suricata, SpamScope, Sagan, STIX, honeypots (cowrie, YALIH)

@WaysideKt

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Jan 5, 2017 8:00:00 AM

Demystifying Threat Hunting Concepts

By Josh Liburdi

This post is about demystifying threat hunting concepts that seem to trip up practitioners and outsiders. If the summary in the TLDR below seems appealing, then please continue to the meat of the post.

TLDR?

  • Threat hunting doesn’t have to be complex, but it’s not for everyone
  • Knowing how to begin and end a hunt is more important than knowing how to carry out a hunt
  • If you need a place to start, look at trends in the threat landscape and focus on threats that you do not have automated alerts/detections for
  • Hunting is a creative process that rewards those who take chances
  • Finish with something, anything actionable — so long as it provides value

All set?

Topics: Cyber Hunting, Threat Hunting

Dec 21, 2016 10:30:00 AM

Threat Hunter Profile - Eric Cole

Name: Eric Cole

Organization: Secure Anchor Consulting

Years hunting: 10+

Favorite datasets: Firewall and router logs, Netflow, Windows logs and Syslog

Favorite hunting techniques: Connection analysis, kill chain orientation

Favorite tools: Wireshark, Bro, Perl, PowerShell, Custom Tools

@drericcole

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Dec 14, 2016 8:00:00 AM

Sqrrl releases version 2.7

We’re pleased to announce Sqrrl’s latest release, version 2.7, which delivers a host of new features to the industry-leading Threat Hunting Platform. With a special focus on DNS data and the investigative power it affords you, Sqrrl 2.7 introduces two new TTP detectors and a set of new capabilities to add to the hunting tool set. DNS logs record a network’s domain resolution activity and can be used to correlate domain resolutions to internal hosts. As such, DNS is one of the most broadly useful data types for hunting a wide range of activities, including malware command and control and exfiltration.

Topics: Sqrrl Enterprise, Threat Hunting Platform

Dec 7, 2016 12:15:08 PM

Threat Hunter Profile - Travis Barlow

Name: Travis Barlow

Organization: GoSecure

Years hunting: 7

Favorite datasets: Firewall/Switch/Server logs, DNS logs, Netflow Data

Favorite hunting techniques: Endpoint behavior analysis, DNS analysis

Favorite tools: Suricata, Wireshark, Bro, Grimm, Log Intrusion Detection tool sets

@Travis_R_Barlow

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Nov 23, 2016 8:00:00 AM

Threat Hunter Profile - Alan Orlikoski

Name: Alan Orlikoski

Organization: Oracle

Years hunting: 3

Favorite datasets: Network data (Bro), stacked Appcompat, shimcache, Windows PowerShell event logs, bash shell history files

Favorite hunting techniques: Data traversal analysis, daily dynamic list creation, kill chain analysis

Favorite tools: Log Parser, CCF-VM, Logstash, Python, command line (grep, head, tail, sed, awk)

@AlanOrlikoski

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Nov 10, 2016 7:30:00 AM

The Hunter’s Den: Internal Reconnaissance (Part 2)

By Josh Liburdi, Security Technologist at Sqrrl, and George Aquila

In part 1 of this Hunter’s Den post we took a look at the adversary tactic of internal reconnaissance, including the kinds of artifacts that might be left behind when internal reconnaissance has occurred on your network. In this post we’ll look at the types of data and the hunting techniques you can use to hunt for each kind of internal reconnaissance.

Datasets to explore

Data is a critical component of hunting, and many different kinds of datasets can be useful depending on the type of hunt you are carrying out. For internal reconnaissance, two major data types are useful to a hunt: process execution metadata and network connection metadata.

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den

Nov 9, 2016 8:00:00 AM

Threat Hunter Profile - Matt Arnao

Name: Matt Arnao

Organization: Lockheed Martin

Years hunting: 5

Favorite datasets: Network sensor and security device logs, Windows events, application logs

Favorite hunting techniques: Pivoting, "over the horizon" data gathering, kill chain analysis

Favorite tools: Suricata, yara, Security Onion, jq

@mattarnao

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Nov 3, 2016 3:00:00 PM

The Hunter’s Den: Internal Reconnaissance (Part 1)

By Josh Liburdi, Security Technologist at Sqrrl, and George Aquila

As we laid out in our introduction, The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. This first post will focus on hunting for Internal Reconnaissance. Before we dive into the specifics of how to do this, let’s briefly review the two major models that we’ll be referencing over the course of the series.

The first is the Threat Hunting Loop, which outlines a process for threat hunting. As a loop, it is specifically meant to be repeated continually.

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den