Sqrrl Blog

Sep 24, 2015 9:00:00 AM

A Framework for Cyber Threat Hunting Part 3: The Value of Hunting TTPs

In the first two parts of our “Framework for Cyber Threat Hunting” series, we discussed the hierarchy of Indicators of Compromise, the most valuable of which are an attacker’s Tactics, Techniques, and Procedures (TTPs), and the benefits of using those indicators in a security feedback loop to build an Advanced Persistent Defense. This third and final part aims to provide a concrete example of how the discovery and mapping of TTPs contributes to the strength of an advanced persistent defense.

Topics: Breach Detection, Cyber Hunting, Incident Response, Threat Hunting

Aug 5, 2015 8:30:00 AM

A Framework for Cyber Threat Hunting Part 2: Advanced Persistent Defense

In part 1 of this series, we discussed the six categories of Indicators of Compromise (IoC) that can be used as trailheads for structured threat hunting trips. In this post, we will focus specifically on how security organizations can build intelligence-driven hunting loops to detect the Tactics, Techniques, and Procedures (TTPs) of advanced threats.

In order to hunt threats, it is important to understand the method of the attacker. The cyber kill chain is the well-known framework created by Lockheed Martin to track the steps an attacker goes through to exploit, compromise, and carry out an attack against a targeted system or organization. Disrupting this process at any point in the chain prevents (or at least seriously degrades) an attacker’s ability to accomplish their mission.

Topics: Breach Detection, Cyber Hunting, Incident Response, Threat Hunting

Jul 23, 2015 4:37:00 PM

A Framework for Cyber Threat Hunting Part 1: The Pyramid of Pain

While rule-based detection engines are a strong foundation for any security organization, cyber threat hunting is a vital capability for security organizations to have in order to detect unknown advanced threats. Hunting goes beyond rule-based detection approaches and focuses on proactively detecting and investigating threats.


Topics: Cybersecurity, Breach Detection, Cyber Hunting, Linked data analysis, Threat Detection

Jul 16, 2015 9:30:00 AM

Cyber Incident Matrix: IRS Breach

Severity Score: 3
Complexity Score: 4
How did we get these numbers?

Incident Summary

  • What was breached: IRS Database of Taxpayer Information

  • Delivery: February-May, 2015

  • The Attackers: Undisclosed “sophisticated enemies” originating in Russia
On May 26th, 2015, the United States Internal Revenue Service (IRS) announced that the personal information of over 100,000 American taxpayers was stolen from “Get Transcript,” a service provided by the IRS that allowed taxpayers to get a transcript of their past tax activities. These transcripts were then used to file fraudulent tax returns in the name of the victims. Currently, the culprit is unknown to the public, though the IRS has indicated the attackers were Russian in origin.


Topics: Cybersecurity, Breach Detection, Data Breach

Jul 9, 2015 8:00:00 AM

Introducing the Sqrrl Cyber Incident Matrix

A Sqrrl blog series focused on Data Breaches

Data Breaches are in the news again and again these days. Between the IRS, OPM, Target, Lastpass, and countless other private and public organizations, data and networks of all varieties are prime targets for both external attackers and internal infiltrators. Our newsfeeds, inboxes, and conversations are all saturated with people asking how and why these incidents occur. Over the past 12 months, cybersecurity issues have moved closer to the center of public debate than they ever have been in the past. The rate at which private data is being compromised weekly is as alarming as it is impressive.

Today, we’re launching the Sqrrl Cyber Incident Matrix because we believe that there is a need for a place that collects, catalogues, and breaks down these incidents concisely, and in a manner that is easy to understand. Our goal is to take a look at data breaches in the news, rate them based on their severity and complexity, and analyze the known aspects of each breach. We’re not here to make wild theories; the purpose behind this blog is to collect the known facts about a breach and try to build a contextual narrative of how different breaches relate to each other.


Topics: Cybersecurity, Breach Detection, Outlier Detection, Data Breach, Incident Response

Jun 24, 2015 8:00:00 AM

Cyber Forensics: Sqrrls on the Crime Scene

By George Aquila, Associate Product Marketing Manager

Recently we featured an excellent guest post by Richard Stiennon, who illuminated the need for accelerating response times against attackers who will increasingly be moving down the kill chain with greater speed. This week we drill down on the practice of incident response, into the realm of cyber forensics, to address how analytics tools help put the pieces back together when an adversary successfully executes an attack.


Topics: Sqrrl Enterprise, Breach Detection, Outlier Detection, Cyber Forensics

Mar 5, 2015 8:30:00 AM

Cyber Pattern-of-Life Analysis

By Ely Kahn

Pattern-of-life analysis is a well-known (and sometimes controversial) term in the US Intelligence Community. One definition of pattern-of-life analysis is:

"A method of surveillance specifically used for documenting or understanding a subject's (or many subjects') habits. This information can then be potentially used to predict future actions by the subject(s) being observed. This form of observation can, and is, generally done without the consent of the subject, with motives including but not limited to security, profit, scientific research, regular censuses, and traffic analysis. Unlike these specific areas of surveillance, pattern-of-life analysis is not limited to one medium and can encompass tracking anything in an individual's (or system of individuals') life from their internet browsing habits to their geophysical movements."


Topics: Big Data Security, Breach Detection, Data Analysis

Feb 25, 2015 8:30:00 AM

Top of the Food Chain: Cyber Hunting with Sqrrls

An Interview with a Threat Hunter, Sqrrl’s David Bianco

By George Aquila

Executive Summary

Big Data Security Analytics techniques are critical to hunt for advanced cyber threats. Starting with just some hypotheses, a seasoned threat hunter can use a Big Data tool, such as Sqrrl's threat hunting platform, to iterate through large amounts of data and detect anomalies that would otherwise go unnoticed by traditional defenses. While more and more companies are attempting to build cyber threat hunting capabilities, few tools exist to assist analysts in the challenges of the hunt. The expansion of data science capabilities into the cybersecurity realm holds great promise for the advancement of cyber hunting. Sqrrl’s David Bianco sheds some light on these crucial developments surrounding the rise of threat hunting, and how Sqrrl’s solution can provide these much needed solutions.


Topics: Big Data Security, Breach Detection, Cyber Hunting

Oct 29, 2014 8:00:00 AM

The "Pawn Storm" Campaign and Dynamic Threat Detection

By George Aquila

An advanced and widespread malware campaign dubbed “Pawn Storm” was recently profiled in a white paper by the security firm Trend Micro. The campaign has reportedly been targeting and compromising a number of high value government and private sector defense systems across the world for the past several years.

Target and Scope

Topics: Cybersecurity, Breach Detection, APT Campaign, Malware

Oct 16, 2014 8:00:00 AM

JPMorgan and Big Data Security Analytics

By George Aquila

The Attack

On October 2nd, JPMorgan Chase revealed through an SEC filing that it had been the target of a massive cyber intrusion resulting in a significant data breach over the course of the summer months, roughly between June and August.

Although reports on the perpetrators’ identity are inconclusive, sources including the New York Times have suggested the protracted attack was carried out by a Russian cyber criminal ring, possibly with connections to the Russian government.

Rather than money, it was information on approximately 83 million customers that was stolen, taken from over 90 servers hosting the company’s data storage systems, as well as some critical information on the company’s inner computers.

The infiltrators were reportedly unable to access the data stores that hold the most sensitive customer financial data (such as account numbers, passwords, and SSNs) before the intrusion was detected and mitigated.


Topics: Big Data Security, Cybersecurity, Breach Detection