Sqrrl Blog

Nov 23, 2016 8:00:00 AM

Threat Hunter Profile - Alan Orlikoski


Name: Alan Orlikoski

Organization: Oracle

Years hunting: 3

Favorite datasets: Network data (Bro), stacked Appcompat, shimcache, Windows Powershell event logs, bash shell history files

Favorite hunting techniques: Data traversal analysis, daily dynamic list creation, kill chain analysis

Favorite tools: Log Parser, CCF-VM, Logstash, Python, command line (grep, head, tail, sed, awk)

@AlanOrlikoski

Who are you?

I’m Alan Orlikoski and I have 16+ years of experience in the IT Security field.

Why do you hunt and what is your experience hunting?

I have over three years of experience leading and building Hunting teams. I have spoken at multiple security conferences about Hunting in the last two years.

I started my first Hunting team out of necessity. I was working for Mandiant and supporting a customer who needed more than what the automated sensors could detect. This evolved from a one-off exercise to the development of a full time Hunting program that was, eventually, fully integrated into the SOC. I now continue to lead Hunting teams and preach their benefits to the community about how they are a vital part to a mature and healthy SOC.

How would you define Threat Hunting?

Hunting is the process of looking for interesting events that are not defined as malicious by existing automated tools. It uses the knowledge, tools, data, and experience that exists within an organization to determine if events are associated with an attacker or innocuous.

What projects and organizations are you involved with?

I am an active member of the Information Systems Security Association, where I attend regular meetings, network, and sometimes present information. I also attend various conferences such as Security BSides events.

I have created and released multiple open source security tools in the last 2 years:

  • CDQR: The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux and MacOS devices
  • CyLR: Live Response Collection Tool
  • CCF-VM: CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, and enabling searching of single and multiple hosts simultaneously

Which of the hunts you’ve carried out was the most interesting or challenging?

My most technically challenging hunt was one of my first hunts. The hunt required finding malicious use of compromised service accounts. It involved the monitoring of all authentication events in an enterprise, real-time, automated modification of active lists with time-based expirations, and the creation/use of hunting channels in a SIEM.

The resulting hunting channel had a very low fidelity level for each alert individually, but the malicious uses of the accounts were able to be found by the Hunting team.

What hunting techniques, tools, and datasets do you use most frequently?

I presented at the Rocky Mountain Information Security Conference (RMISC) in 2016 and covered this topic in depth. The slides are available here. A quick summary is below.

Hunting Activities work best when organized into a hierarchy of:

  1. Choosing an Anchor Diagram
  2. Creating Hunting Goals
  3. Creating Hunting Activities
  4. Collecting Metrics

The Anchor is a high level description of the Attack Lifecycle model with specific delineations of each phase. Hunting goals are focused on detecting activity in one or more phases of the chosen attack lifecycle model. Hunting activities focus on a methodology of completing a hunting goal (there may be multiple activities for each goal). Finally, metrics are the way of validating the efficacy of the hunting team, its members, and the methodologies themselves.

The Sqrrl Hunting Loop is a great model to use when creating hunting activities as it addresses the methodology and feedback loop inherent in every hunting activity.

In general, for techniques I really enjoy digging into large amounts of data traversing the intranet-to-internet boundaries. This is a great way to find things trying to hide in plain sight. I also enjoy creating automated systems to hunt through datasets too large and dynamic to hunt with tools like grep. Creating daily dynamic lists to track source machine names for all failed login attempts using service accounts can have good results over time.
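The daily dynamic list described above (and the time-based expiring active list from the service-account hunt earlier in the interview), as an added example that is not part of the original post or any of the author's tools: it folds failed-logon events into a per-account list of source hosts, expires entries not re-seen within a window, and surfaces first-seen account/host pairs as the low-fidelity leads a hunter reviews. The events, the `svc_` naming convention and the seven-day window are constructed assumptions.

```python
from datetime import datetime, timedelta

SERVICE_ACCOUNT_PREFIX = "svc_"   # assumed naming convention for service accounts
EXPIRY = timedelta(days=7)        # entries not re-seen within this window drop off the list

# Constructed sample Windows Security events (4625 = failed logon, 4624 = successful
# logon), reduced to the fields this hunt needs.
DAY1 = [
    {"ts": "2016-11-20T02:00:00", "event_id": 4625, "account": "svc_backup", "src": "BACKUP01"},
    {"ts": "2016-11-20T09:15:00", "event_id": 4625, "account": "jsmith",     "src": "WS-017"},
    {"ts": "2016-11-20T11:40:00", "event_id": 4624, "account": "svc_sql",    "src": "DB01"},
]
DAY2 = [
    {"ts": "2016-11-21T02:00:00", "event_id": 4625, "account": "svc_backup", "src": "BACKUP01"},
    {"ts": "2016-11-21T13:22:00", "event_id": 4625, "account": "svc_backup", "src": "WS-042"},
    {"ts": "2016-11-21T13:23:00", "event_id": 4625, "account": "svc_sql",    "src": "WS-042"},
]

def update_list(state, events, now_iso):
    """Fold one day's events into the dynamic list and return (new_state, leads).

    state maps account -> {source host -> last failed-logon time}. Stale entries are
    expired first, so a host that reappears after a long silence is surfaced again.
    leads are the (account, host) pairs seen for the first time in this run.
    """
    now = datetime.fromisoformat(now_iso)
    state = {a: {h: t for h, t in hosts.items() if now - t <= EXPIRY}
             for a, hosts in state.items()}
    state = {a: hosts for a, hosts in state.items() if hosts}
    leads = set()
    for e in events:
        # Only failed logons by service accounts feed the list.
        if e["event_id"] != 4625 or not e["account"].lower().startswith(SERVICE_ACCOUNT_PREFIX):
            continue
        ts = datetime.fromisoformat(e["ts"])
        hosts = state.setdefault(e["account"], {})
        if e["src"] not in hosts:
            leads.add((e["account"], e["src"]))
        hosts[e["src"]] = max(ts, hosts.get(e["src"], ts))
    return state, sorted(leads)

def run_two_days():
    """Drive the hunt over the constructed days: day 1 seeds the list, day 2 yields leads."""
    state, day1_leads = update_list({}, DAY1, "2016-11-21T00:00:00")
    state, day2_leads = update_list(state, DAY2, "2016-11-22T00:00:00")
    return day1_leads, day2_leads, state

if __name__ == "__main__":
    d1, d2, _ = run_two_days()
    print("day 1 (seeding the list):", d1)
    print("day 2 first-seen sources:", d2)
```

Each lead is low fidelity on its own, as the interview notes; a workstation appearing as a failed-logon source for two different service accounts is the kind of entry that merits an analyst's context.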

What value do you actively see come out of your hunting activities?

Each hunting outcome provides benefit to the organization, and outcomes can be categorized as concluding in one of the following three ways:

  • Something Found: Malicious
    • Benefits
      • Identify security incident
      • Validate effectiveness of hunting activity
    • Next Steps
      • Escalate as an Incident
      • Evaluate effectiveness of Hunting Activity

  • Something Found: Non-Malicious
    • Benefits
      • Identify compliance / best practice issue(s)
      • Validate effectiveness of hunting activity
    • Next Steps
      • Escalate to appropriate organization
      • Evaluate effectiveness of Hunting Activity

  • Nothing Found
    • Benefits
      • Activity shown not to be present
    • Next Steps
      • Evaluate effectiveness of Hunting Activity

What types of friendly intelligence are most useful for a hunter to have in an investigation?

The types of intelligence that provide new TTPs used by attackers, or the indicators themselves. Anything that can be used to create new hunting goals and activities.

What general advice do you have for new Threat Hunters?

Stay as organized as possible. The difference between a one time finding and a hunting program is organization. A hunting program has repeatable hunting activities that allow each member to provide continuous improvements and thereby share knowledge across the team.

Be aware of when a hunt has enough fidelity to be turned into a signature. This allows the machines to look for it and the alert monitoring team to respond to it, and the hunters can then focus on new hunts.

What parts of a hunt could you see as being most successfully automated or assisted by a machine?

Automation is best used to organize and minimize the data sets. The thing that automation fails at is providing context. It is easy for machines to detect anomalies but it is up to each analyst to provide/find that missing context. That is why hunters need to be knowledgeable about attacker TTPs.

What would you want to see Threat Hunting develop into across the industry in the future?

A formalized function within each SOC that provides measurable benefits to the organization. This allows for the standardization of goals, methodologies, dedicated tools, and collaboration for all hunters and hunting teams.
