Name: Travis Barlow
Years hunting: 7
Favorite datasets: Firewall/Switch/Server logs, DNS logs, Netflow Data
Favorite hunting techniques: Endpoint behavior analysis, DNS analysis
Who are you?
Why do you hunt and what is your experience hunting?
I lead an advanced threat hunting team which serves global clientele from multiple industry sectors. For me, threat hunting was the natural evolution in creating the next highly impactful service that could actually make a difference to many organisations. I started years ago while performing forensic investigations and incident response and grew from there.
How would you define Threat Hunting?
Threat hunting has been around for quite some time now; however, it has become much more popular recently, and it has been interesting to watch the industry and tools evolve. While the industry changes the definition to meet its needs, in reality it is the detection of threats that other controls miss.
What projects and organizations are you involved with?
Heavily involved with building the InfoSec community via the AltSecCon (Atlantic Security Conference) and HASK (Halifax Area Security Klatch).
Which of the hunts you’ve carried out was the most interesting or challenging?
One of the more interesting hunts I've been involved with involved a skilled adversary who was deeply embedded within a client organization and changed tactics as we attempted to disrupt and mitigate their attack. The attacker had established multiple points of presence that were independent of each other and as one was eradicated the attacker would move to another. It was interesting to watch his/her actions escalate as we cornered their movements and undertook additional eradication initiatives.
What hunting techniques, tools, and datasets do you use most frequently?
Some of the tools I use include Suricata, Wireshark, Grimm, Bro, Log Intrusion Detection tool sets, and Countertack. My datasets will vary depending on what I am hunting for, but generally include firewall/switch/server logs, DNS logs, or netflow data.
I use different kinds of DNS and endpoint behavior analyses in investigations. Visualizations are a big help, as well as machine learning based decision making capabilities. However I want to stress that machine learning is not the sole answer yet, and it is hard to replace knowledgeable people.
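The DNS analysis lens mentioned above, as an added example that is neither the interviewee's code nor part of any of the tools listed: three hunting lenses run over a constructed DNS query log (long high-entropy leftmost labels, unusually many distinct subdomains under one registered domain, and a high per-client NXDOMAIN rate). The log format, the thresholds, and the two-label approximation of "registered domain" are assumptions for this example; a real implementation would use the Public Suffix List and tune thresholds to the client's baseline.

```python
"""Hunting lenses over DNS query logs: label entropy, subdomain cardinality,
and per-client NXDOMAIN rate. Added example; the sample log is constructed."""
import math
from collections import defaultdict

# Constructed sample log, one query per line:
# <epoch> <client_ip> <query_name> <qtype> <rcode>
# The format is an assumption for this example, not any specific tool's output.
SAMPLE_DNS_LOG = """\
1700000000.101 10.0.0.5 www.example.com A NOERROR
1700000000.205 10.0.0.5 mail.example.com A NOERROR
1700000000.310 10.0.0.7 a9f3c1e2b7d4.tun.example.net TXT NOERROR
1700000000.412 10.0.0.7 4e8b0c71d2aa.tun.example.net TXT NOERROR
1700000000.515 10.0.0.7 c0ffee1234ab.tun.example.net TXT NOERROR
1700000000.620 10.0.0.7 deadbeef0099.tun.example.net TXT NOERROR
1700000000.711 10.0.0.9 updates.example.org A NOERROR
1700000000.812 10.0.0.9 zzqx1.example.org A NXDOMAIN
1700000000.915 10.0.0.9 zzqx2.example.org A NXDOMAIN
"""


def parse_dns_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines rather than abort the hunt
        ts, client, qname, qtype, rcode = parts
        records.append({"ts": float(ts), "client": client,
                        "qname": qname.rstrip(".").lower(),
                        "qtype": qtype, "rcode": rcode})
    return records


def shannon_entropy(s):
    """Bits per character: random-looking labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Approximate the registered domain as the last two labels (assumption;
    a real implementation would consult the Public Suffix List)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def subdomain_part(qname):
    """Everything left of the registered domain."""
    return ".".join(qname.split(".")[:-2])


def high_entropy_labels(records, min_len=12, min_entropy=3.0):
    """Lens 1: queries whose leftmost label is both long and high-entropy,
    a common shape for encoded data carried in DNS names."""
    hits = []
    for r in records:
        first = r["qname"].split(".")[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            hits.append(r["qname"])
    return hits


def subdomain_cardinality(records):
    """Lens 2: number of distinct subdomains seen per registered domain."""
    seen = defaultdict(set)
    for r in records:
        seen[registered_domain(r["qname"])].add(subdomain_part(r["qname"]))
    return {dom: len(subs) for dom, subs in seen.items()}


def nxdomain_rate(records):
    """Lens 3: fraction of each client's queries answered NXDOMAIN."""
    total = defaultdict(int)
    nx = defaultdict(int)
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    return {c: nx[c] / total[c] for c in total}


def hunt(records, card_threshold=4, nx_threshold=0.5):
    """Combine the three lenses into (lens, subject, detail) findings."""
    findings = []
    for q in high_entropy_labels(records):
        findings.append(("high_entropy_label", q, None))
    for dom, n in subdomain_cardinality(records).items():
        if n >= card_threshold:
            findings.append(("subdomain_cardinality", dom, n))
    for client, rate in nxdomain_rate(records).items():
        if rate >= nx_threshold:
            findings.append(("nxdomain_rate", client, round(rate, 2)))
    return findings


if __name__ == "__main__":
    for lens, subject, detail in hunt(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{lens:22s} {subject:32s} {'' if detail is None else detail}")
```

Running the block on the constructed log shows why several lenses are worth more than one: the fourth `tun.example.net` label (`deadbeef0099`) falls just under the entropy threshold and is missed by lens 1, but the domain is still surfaced by the cardinality lens, while the NXDOMAIN lens points at a different host entirely.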
What types of friendly intelligence are most useful for a hunter to have in an investigation?
There are different types of friendly intelligence that might be useful but it is difficult to have any more useful than client situation awareness knowledge, i.e. how their network operates, what their business processes are, and where they keep their critical assets, including data and human components.
What general advice do you have for new Threat Hunters?
Question everything and assume nothing! One of the most useful things you can do as a hunter is to harvest as much data as possible and then examine it using multiple different lenses.
What parts of a hunt could you see as being most successfully automated or assisted by a machine?
Machine learning could be used to remove the 70% of low-level issues that never add to a successful hunt and increase emphasis on smaller items that may go unnoticed otherwise.
What would you want to see Threat Hunting develop into across the industry in the future?
I would like to see an industry-accepted model for threat hunting; currently it is not fully baked and still evolving, which leads to infosec marketing departments misleading customers on what it really is.