Sqrrl Blog

Oct 13, 2016 8:00:00 AM

Threat Hunter Profile - Danny Akacki

Name: Danny Akacki

Organization: Hunt Team for a Fortune 100 Company

Years hunting: 4

Favorite datasets: Proxy, Firewall, IDS, AV, endpoint logs

Favorite hunting techniques: Behavioral detection, breadth scoping, misconfiguration searching

Favorite tools: FireEye TAP, Splunk, Wireshark, Bro, Moloch, Security Onion

@DAkacki

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Sep 28, 2016 8:00:00 AM

Threat Hunter Profile - Jason Smith

Name: Jason Smith

Organization: FireEye

Years hunting: 6

Favorite datasets: Flow data, Bro logs (http, dns, etc.), Windows event logs

Favorite hunting techniques: Pivoting from statistical anomalies, behavioral deviations for local assets

Favorite tools: SiLK, FlowBAT, Bro, Security Onion, Wireshark, Bash

@Automayt

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Sep 14, 2016 8:30:00 AM

Threat Hunter Profile - Samuel Alonso

Name: Samuel Alonso

Organization: KPMG

Years hunting: 2

Favorite datasets: AV, firewall, proxy, IDS and passive DNS

Favorite hunting techniques: Stack counting, anomaly detection and visualization

Favorite tools: Volatility, Passive Total, Santoku and Kali Linux

@Cyber_IR_UK

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Aug 30, 2016 8:00:00 AM

Threat Hunter Profile - Chris Sanders

Name: Chris Sanders

Organization: FireEye

Years hunting: 10

Favorite datasets: Flow, Bro, Windows endpoint logs

Favorite hunting techniques: Aggregations, pivots, relationship graph visualizations

Favorite tools: SiLK, FlowBAT, Python, Wireshark, FireEye TAP, Splunk

@chrissanders88

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Aug 17, 2016 8:00:00 AM

Threat Hunter Profile - Josh Liburdi

Name: Josh Liburdi

Organization: Sqrrl

Years hunting: 3

Favorite datasets: Bro, memory artifacts, file metadata

Favorite hunting techniques: Stack Counting, baselining, data visualization

Favorite tools: Bro, LaikaBoss, Volatility, Sqrrl

@jshlbrd

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Aug 1, 2016 5:45:22 PM

Threat Hunter Profile - David Bianco

Editor's Note: This is the first in a series of posts that will profile various threat hunters, highlighting their experiences, as well as hunting techniques and lessons from the field.

Name: David J. Bianco

Organization: Target

Years hunting: 8

Favorite datasets: HTTP proxy logs, authentication logs, process data

Favorite hunting techniques: Outlier detection, visualization

Favorite tools: Sqrrl, Unix command line, Python, Apache Spark, scikit-learn

@DavidJBianco

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Jun 13, 2016 11:19:03 AM

June Webinar Recap: How Threat Hunting and UEBA Fit Into the Cybersecurity Landscape

On June 2nd Sqrrl hosted a webinar in collaboration with Momentum Partners that examined the current state of the cybersecurity landscape. The webinar covered ways in which various solutions, like threat hunting platforms and User and Entity Behavior Analytics (UEBA) tools, can complement an existing security ecosystem, ensuring security efforts are efficient, effective, and comprehensive.

Topics: Cyber Hunting, Cyber Threat Hunting, User and Entity Behavior Analytics, UEBA

May 4, 2016 1:27:00 PM

Incident Response is Dead... Long Live Incident Response

Originally posted by Scott Roberts, a threat hunter at GitHub, at http://sroberts.github.io/2015/04/14/ir-is-dead-long-live-ir/ 

Talk to anyone in the DFIR Illuminati and one of the topics that always comes up is Hunting. Much like threat intelligence & string theory, people talk a lot about this, but nearly no one knows what it actually means.

Proactive vs. Reactive

At its core, Hunting is about taking a proactive vs a reactive approach to identifying incidents.

Topics: Cyber Hunting, Incident Response, Threat Hunting, Cyber Threat Hunting

Apr 20, 2016 10:47:00 AM

Cyber Threat Hunting (3): Hunting in the Perimeter

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter at http://cyber-ir.com/2016/03/01/cyber-threat-hunting-3-hunting-in-the-perimeter/ 

In this third post, we will learn what we need to look at when hunting and detecting adversaries in the perimeter. We are also going to look at some of the firewall technologies and their log formats in order to detect anomalies in the inbound and outbound traffic in your network.

Topics: Cyber Hunting, Incident Response, Threat Hunting, Cyber Threat Hunting

Apr 14, 2016 11:16:00 AM

Cyber Threat Hunting (2): Getting Ready

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter at http://cyber-ir.com/2016/02/05/cyber-threat-hunting-2-getting-ready/ 

In my previous post, I went through the basics of hunting and its benefits for organizations and their analysts. To continue the journey, today I am going to cover the preparations you need to do before you go out there and hunt. 

As you need some degree of preparation for many of the activities we do on a daily basis, you can improvise, but I suggest you don't, as hunting is an activity that requires a high level of concentration, so you only want to focus on what is important for the hunt.

Topics: Cyber Hunting, Threat Hunting, Cyber Threat Hunting