Sqrrl Blog

Dec 7, 2016 12:15:08 PM

Threat Hunter Profile - Travis Barlow


Name: Travis Barlow

Organization: GoSecure

Years hunting: 7

Favorite datasets: Firewall/Switch/Server logs, DNS logs, Netflow Data

Favorite hunting techniques: Endpoint behavior analysis, DNS analysis

Favorite tools: Suricata, Wireshark, Bro, Grimm, Log Intrusion Detection tool sets


Who are you?

I'm Travis Barlow. I am the Vice President of Advanced Security Services at GoSecure, and I'm also the founder of AtlSecCon and HASK.

Why do you hunt and what is your experience hunting?

I lead an advanced threat hunting team which serves global clientele from multiple industry sectors. For me, threat hunting was the natural evolution in creating the next highly impactful service that could actually make a difference to many organisations. I started years ago while performing forensic investigations and incident response and grew from there.

How would you define Threat Hunting?

Threat hunting has been around for quite some time now; however, it has become much more popular recently, and it has been interesting to watch the industry and tools evolve. While the industry changes the definition to meet its needs, in reality it is the detection of threats that other controls miss.

What projects and organizations are you involved with?

I am heavily involved with building the InfoSec community via AtlSecCon (Atlantic Security Conference) and HASK (Halifax Area Security Klatch).

Which of the hunts you’ve carried out was the most interesting or challenging?

One of the more interesting hunts I've been involved with involved a skilled adversary who was deeply embedded within a client organization and changed tactics as we attempted to disrupt and mitigate their attack. The attacker had established multiple points of presence that were independent of each other and as one was eradicated the attacker would move to another. It was interesting to watch his/her actions escalate as we cornered their movements and undertook additional eradication initiatives.

What hunting techniques, tools, and datasets do you use most frequently? 

Some of the tools I use include Suricata, Wireshark, Grimm, Bro, Log Intrusion Detection tool sets, and Countertack. My datasets will vary depending on what I am hunting for, but generally include firewall/switch/server logs, DNS logs, or netflow data.

I use different kinds of DNS and endpoint behavior analyses in investigations. Visualizations are a big help, as well as machine learning based decision making capabilities. However, I want to stress that machine learning is not the sole answer yet, and it is hard to replace knowledgeable people.

What types of friendly intelligence are most useful for a hunter to have in an investigation?

There are different types of friendly intelligence that might be useful, but it is difficult to have any more useful than client situational awareness knowledge, i.e. how their network operates, what their business processes are, and where they keep their critical assets, including data and human components.

What general advice do you have for new Threat Hunters?

Question everything and assume nothing! One of the most useful things you can do as a hunter is to harvest as much data as possible and then examine it using multiple different lenses. 

What parts of a hunt could you see as being most successfully automated or assisted by a machine?

Machine learning could be used to remove the 70% of low-level issues that never add to a successful hunt and increase emphasis on smaller items that may go unnoticed otherwise.

What would you want to see Threat Hunting develop into across the industry in the future?

I would like to see an industry-accepted model for threat hunting. Currently it is not fully baked and still evolving, which leads to infosec marketing departments misleading customers on what it really is.
