Sqrrl Blog

Jun 29, 2017 8:00:00 AM

Cyber Incident Investigation Series: Investigating Attack Scopes

By Chris Sanders

As defenders, the critical moment is when we've determined that an attacker's attempt to gain a foothold onto the network was successful. This sets off a chain of investigative activity where we follow breadcrumbs through our data to understand where the attacker went, what their mission is, and what they took. As these breadcrumbs are uncovered, we don't just have to follow their path; we must also ascertain whether similar evidence can be found at other points on the network. This is all part of scoping the attacker to better understand the attack. In this post, I'm going to talk about strategies for attack scoping and discuss how Sqrrl enables them intuitively.


Jun 27, 2017 2:00:00 PM

Q&A Interview with Jason Smith: Best Data Sources and Basic Techniques For Threat Hunting

Jason Smith currently works for Cisco from his home in Nashville, TN. He has worked for multiple US Department of Defense SOCs and served as the lead security monitoring architect for the Commonwealth of Kentucky. He co-wrote Applied Network Security Monitoring and maintains the open source project FlowBAT, a graphical flow data analysis tool.

Key Takeaways:

  • Contextual data is important, but a lot of success can be gained by gathering relatively simple forms of data. For example, flow data can be analyzed with tools like FlowBAT, Bro logs and SiLK to create a comprehensive picture of your network that is very conducive to hunting.
  • SOCs should take steps to avoid information siloing, especially when deployment groups within an organization are geographically separated.
  • Hunting can be challenging, but is by no means impossible. A lot of good work can be done by getting set up with simple tools and expanding from there. In other words, “Find weirdness in all that data and you'll learn a lot.”

Topics: Data Analysis, Threat Detection

Jun 22, 2017 8:00:00 AM

Cyber Incident Investigation Series: Reducing Evidence Abstraction

By Chris Sanders

An incident investigation will only go as far as the evidence allows. Of course, there are a lot of components that have to come together to make that happen. The network must support the collection of robust and diverse evidence sources, and that evidence must be searchable by the analyst. From there, the incident investigation hinges on the ability of the analyst to ask questions, successfully traverse evidence to answer those questions, and draw conclusions from the findings.


Topics: Cyber Threat Hunting, Incident Investigations

Jun 19, 2017 8:00:00 AM

Threat Hunter Profile - Keith Gilbert


Name: Keith Gilbert

Organization: Sqrrl

Years hunting: 5

Preferred datasets: Malware Repositories, Passive DNS, Domain Whois

Preferred hunting techniques: Link Analysis, malware analysis, link exploration

Preferred tools: VirusTotal, PassiveTotal, DomainTools, internal collection tools

@Digital4rensics


Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Jun 13, 2017 8:00:00 AM

Q&A Interview with Alan Orlikoski on Building a High-Performing Hunt Team

Alan Orlikoski has over 15 years of experience in both the private and public sectors of the IT industry. He has designed and implemented defense solutions for government and Fortune 100 companies. He has more recently participated on teams tasked to assess and advise Fortune 100 clients, with a focus on maturing an organization’s ability to more quickly and effectively detect, respond to, and contain targeted attacks.

Key Takeaways:

  • A good hunter is a “jack of all trades” and is able to cover alert monitoring, incident response, signature development, and intelligence gathering. They don’t have to be the best in every one of those categories, but they need to know the functions.
  • Senior hunters should guide junior analysts to search for specific Tactics, Techniques, and Procedures (TTPs). This expands the talent base of the hunt team and takes pressure off senior analysts.
  • Every hunt should begin and end within an 8-12 hour shift. This allows SOCs to gather metrics on how successful their methodologies are. 

Topics: Threat Hunting, Hunting How-To's

Jun 1, 2017 12:00:00 PM

Cyber Incident Investigation Series: Answering Questions Before They’re Asked

By Chris Sanders

Investigations are all about iterating through evidence that helps you make decisions about what events transpired on your network. That sounds easy enough, but asking the right questions and identifying the data you need to answer them is tricky. This problem manifests in two ways. First, not having enough of the right data means you may be unable to answer the questions that will move the investigation forward. Conversely, having too much data can be overwhelming, with a tremendous number of fields and complementary evidence sources to examine. In either case, asking good questions and moving towards a conclusion quickly and accurately depends on knowing what data is available to you in any given scenario. In this post, I’ll address these concerns and discuss how Sqrrl helps you better understand your data so that you know where the gaps are and what options you have available to you within the context of an active investigation.


Topics: Threat Hunting, Incident Investigations