Name: Deirdre Morrison
Years hunting: 2
Favorite datasets: Firewall/Server/
Favorite hunting techniques: Endpoint behavior analysis, anomaly detection
Who are you?
My name is Deirdre Morrison and I currently work with the GoSecure AAP Threat Hunt Team as a cyber security analyst. Alongside threat hunting, I also develop custom rulesets with Cybox and regex to detect various malware strains and network traffic irregularities. My office nicknames include Knuckles, Ex Machina, and Furiosa.
Why do you hunt and what is your experience hunting?
I have been involved in threat hunting for approximately two years, both professionally and recreationally. I originally gained my IT diploma in database administration, but later developed a passion for security-related studies.
When I first started threat hunting, it was as an introduction into the wide spectrum of possible attack vectors that could be employed toward individuals or businesses. I was extremely fascinated by the immense number of ways that a target could be successfully infiltrated, and how these attack vectors could be mitigated through the use of patching and code modifications.
I hunt because it is tremendously rewarding to know that you have made a difference in maintaining a positive security posture for friends, family, local businesses, and entire corporations alike. Along with that reasoning, the intrigue of attribution and code dissection will always keep me active in the IT security realm.
How do you define threat hunting?
I would define threat hunting as the investigative process of seeking out threats that bypass or are unbeknownst to current industry-standard detection methods.
What projects and organizations are you involved with?
Recreationally, I have my own personal malware lab in which I research and develop new rulesets to effectively capture previously undetected hunt data.
Which of the hunts you've carried out was the most interesting or challenging?
There have been a lot of interesting hunts I have been involved with, but an interesting one that comes to mind was correlating a mass malvertising campaign that affected many users within our varied client base. Attribution was gained through working with a few members of the IT security community, and it was incredibly interesting to see the techniques the threat actors employed in their campaign.
What hunting techniques, tools, and datasets do you use most frequently?
Professionally, we use a varied toolset of data sources integrated with Intrusion Detection Systems, sandboxes, Endpoint Detection and Response, and custom built threat aggregation platforms to assist in threat hunting.
Recreationally, I mainly use an IDS with both basic and custom detection rules that translate to JSON/HTTP/DNS/firewall/etc. logs, network segregation to avoid infection elsewhere in my humble little home, a lot of virtual machines, and a lot of open source intelligence.
What value do you actively see come out of your hunting activities?
Professionally, we often see great value in the form of advising clients of potential infections and actively mitigating the spread of malware to their organization.
Recreationally, I often end up contacting small local businesses that do not have an IT team to actively patch and monitor their websites, to inform them of vulnerabilities and infections.
What general advice do you have for new Threat Hunters?
If you have access to more experienced members on your team, ask a lot of questions! A huge advantage of having senior team members is so that juniors can learn how to develop processes and thinking patterns that have already proven effective in that job role.
Reach out to the IT community via avenues like Twitter and Reddit. People are often genuinely welcoming to new threat hunters and are willing to aid in investigatory situations.
What hunting procedure would you recommend for a new Threat Hunter?
I would say it largely depends on what specific tools they have at their disposal, really. But generally speaking, do not be too focused on the specific event. Broaden your scope when investigating a potential malicious event, or you may be missing key events surrounding it that could be detrimental to client advisories.
What parts of a hunt could you see as being most successfully automated or assisted by a machine?
Machine learning and automation can assist in threat hunting by deterministically rooting out false positives to diminish the number of events that an analyst may be required to investigate. Naturally, a rich dataset is required from a particular environment to be able to successfully cater the results of machine learning.
What would you want to see Threat Hunting develop into across the industry in the future?
I would like to see more collaboration in regards to open source intelligence gathering and sharing. Sometimes the toughest part of a hunt can be being the first person to experience a particular malware, and therefore being unable to confidently assess its origins and characteristics if you’re unfamiliar with specific code dissection (especially when you’re new).
Check out our full Hunter Profile series for different takes, tips and tricks on threat hunting from the experts!