Sqrrl Blog

Jan 25, 2017 8:30:00 AM

Threat Hunter Profile - Hem Karlapalem

Hem-Karlapem.jpg 

Name: Hem Karlapalem

Organization: Global Fortune 100 Company

Years hunting: 3

Favorite datasets: Proxy, DNS, Domain controller and endpoing logs

Favorite hunting techniques: Time series analysis, linked data analysis

Favorite tools: SysInternals, Wireshark/tcpdump, ELK suite, Powershell

@hemkrlplm

Read More

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Jan 12, 2017 8:00:00 AM

The Hunter's Den: Command and Control

By Josh Liburdi, Sqrrl Security Technologist, and George Aquila

The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. In our previous post, we examined the practical ways that one can hunt for Internal Reconnaissance. In this post, we will take a look at how to hunt for Command and Control (C2) activity. Command and control is the process through which an attacker establishes a connection with a compromised asset that they have taken control of in a target network. C2 is a critical step in the process of carrying out an attack on a network. It is a category broad enough that it has its own kill chain step (KC6, “Command and Control”). Although it is a broad tactic, this post will survey the different ways that it might generally be carried out by an adversary.

Understanding Command and Control

C2 enables remote access for attackers into target networks. Architecturally, C2 is fairly predictable. It will follow generally one of two models for implementation: a Client-Server model or a Peer-to-Peer model. Attackers have multiple options of building their C2 channel, each of which are outlined below.

Read More

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den

Jan 11, 2017 8:00:00 AM

Threat Hunter Profile - Katie Horne

KatiePic.jpg 

Name: Katie Horne

Organization: GoSecure

Years hunting: 2

Favorite datasets: Network flow, application level data, firewall/switch/AP logs, file/process data, Windows event logs

Favorite hunting techniques: Searching, grouping, intel analysis

Favorite tools: SuricataSpamScope, Sagan, STIX, honeypots (cowrie, YALIH)

@WaysideKt

Read More

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Jan 5, 2017 8:00:00 AM

Demystifying Threat Hunting Concepts

By Josh Liburdi

This post is about demystifying threat hunting concepts that seem to trip up practitioners and outsiders. If the summary in the TLDR below seems appealing, then please continue to the meat of the post.

TLDR?

  • Threat hunting doesn’t have to be complex, but it’s not for everyone
  • Knowing how to begin and end a hunt is more important than knowing how to carry out a hunt
  • If you need a place to start, look at trends in the threat landscape and focus on threats that you do not have automated alerts/detections for
  • Hunting is a creative process that rewards those who take chances
  • Finish with something, anything actionable — so long as it provides value

All set?

Read More

Topics: Cyber Hunting, Threat Hunting