Sqrrl Blog

Mar 29, 2017 8:00:00 AM

Threat Hunter Profile - Ryan Nolette
Name: Ryan Nolette

Organization: Sqrrl

Years hunting: 7

Favorite datasets: Process execution, process parentage, registry key modification/creation, IDS/IPS logs, Bro, firewall logs

Favorite hunting techniques: Daily dynamic list creation, OODA looping, data traversal analysis

Favorite tools: Bro, Snort, Suricata, Sqrrl, volatility, nmap, Wireshark, REMnux, SIFT, PFsense, malzilla


Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Mar 9, 2017 8:00:00 AM

The Nuts and Bolts of Detecting DNS Tunneling

DNS-based attacks have been in common use since the early 2000s, yet over 40% of firms still fall prey to DNS tunneling attacks. Tunneling attacks arrive through uncommon vectors, so traditional automated tools such as SIEMs have difficulty detecting them; at the same time, they must be found within massive sets of DNS data, so hunting for tunneling manually is challenging as well. So, how can we use more advanced analytic techniques to isolate these adversary behaviors? In a different publication we covered Domain Generation Algorithms and the best data sources for detecting them. In this piece, we’ll cover how best to sniff out malicious DNS tunneling on your network.


Topics: Machine Learning, UEBA, DNS