Sqrrl Blog

Nov 23, 2016 8:00:00 AM

Threat Hunter Profile - Alan Orlikoski

alan.jpg 

Name: Alan Orlikoski

Organization: Oracle

Years hunting: 3

Favorite datasets: Network data (Bro), stacked Appcompat, shimcache, Windows Powershell event logs, bash shell history files

Favorite hunting techniques: Data traversal analysis, daily dynamic list creation, kill chain analysis

Favorite tools: Log Parser, CCF-VM, LogstashPython, command line (grep, head, tail, sed, awk)

@AlanOrlikoski

Read More

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Nov 10, 2016 7:30:00 AM

The Hunter’s Den: Internal Reconnaissance (Part 2)

By Josh Liburdi, Security Technologist at Sqrrl, and George Aquila

In part 1 of this hunter’s den post we took a look at the adversary tactic of internal reconnaissance, including what kinds of artifacts might be left behind when internal reconnaissance has occurred on your network. In this post we’ll take a look at the types of data and the various hunting techniques that you can use to hunt for the various kinds of internal reconnaissance.

Datasets to explore

Data is a critical component of hunting, and many different kinds of datasets can be useful depending on the type of hunt that you are carrying out. For internal reconnaissance, there are two major data types that are useful to a hunt, process execution metadata and network connection metadata. 

Read More

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den

Nov 9, 2016 8:00:00 AM

Threat Hunter Profile - Matt Arnao

IMG_2176.jpg 

Name: Matt Arnao

Organization: Lockheed Martin

Years hunting: 5

Favorite datasets: Network sensor and security device logs, windows events, application logs

Favorite hunting techniques: Pivoting, "over the horizon" data gathering, kill chain analysis

Favorite tools: Suricata, yaraSecurity Onion, jq

@mattarnao

Read More

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Nov 3, 2016 3:00:00 PM

The Hunter’s Den: Internal Reconnaissance (Part 1)

By Josh Liburdi, Security Technologist at Sqrrl, and George Aquila

As we laid out in our introduction, The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. This first post will focus on hunting for Internal Reconnaissance. Before we dive into the specifics of how to do this, let’s briefly review the two major models that we’ll be referencing over the course of the series.

The first is the Threat Hunting Loop, which outlines a process for threat hunting. As a loop, it is specifically meant to be repeated continually.

Read More

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den