Sqrrl Blog

Feb 22, 2017 8:00:00 AM

What is Threat Hunting in Cybersecurity Defense

By Håkon Olsen
This article originally appeared on Håkon's blog, Safe Controls.

What is hunting and why do it?

A term that is often used in the cybersecurity community is threat hunting. This is the activity of hunting for intruders in your computer systems, and then locking them out. In the more extreme cases it can also involve attacking them back – but this is illegal in most countries. Threat hunting involves several activities that you can do to find hackers on your network. The reason we need this is that the threats are to some extent intelligent operators who adapt to the defenses you set up in your network – they find workarounds for each new hurdle you throw at them. Therefore, the defense needs to get smart and use a wide arsenal of analysis techniques to find the threats, meaning analysis of data that can indicate that an intrusion has occurred. Data on user behavior, logins, changes to files, errors, and so on can be found in the system logs. In addition to things that can be automated (looking for peaks in network traffic, etc.), threat hunting will always include some manual inquisitive labor by the analyst – both for understanding the context more deeply, and perhaps for utilizing statistical and data science tools in special cases. Based on successful hunts, automated signals can be added to improve future resilience. The interplay between automated red flags, context intelligence and data science is shown below.

Topics: Threat Hunting, Cyber Threat Hunting

Feb 20, 2017 12:00:00 PM

Top 4 Takeaways from RSA 2017

By Mark Terenzoni, Sqrrl CEO

This year’s RSA Conference has come and gone and my team and I had a blast heading to San Francisco to discuss the newest developments in cybersecurity, big data, and of course, threat hunting. Here are a few of the biggest takeaways that I got from talking to folks at this year’s Conference:

Topics: Threat Hunting, Cyber Threat Hunting, RSA, Threat Intelligence

Jan 12, 2017 8:00:00 AM

The Hunter's Den: Command and Control

By Josh Liburdi, Sqrrl Security Technologist, and George Aquila

The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. In our previous post, we examined the practical ways that one can hunt for Internal Reconnaissance. In this post, we will take a look at how to hunt for Command and Control (C2) activity. Command and control is the process through which an attacker establishes a connection with a compromised asset that they have taken control of in a target network. C2 is a critical step in the process of carrying out an attack on a network. It is a category broad enough that it has its own kill chain step (KC6, “Command and Control”). Although it is a broad tactic, this post will survey the different ways that it might generally be carried out by an adversary.

Understanding Command and Control

C2 enables remote access for attackers into target networks. Architecturally, C2 is fairly predictable. It will generally follow one of two models for implementation: a Client-Server model or a Peer-to-Peer model. Attackers have multiple options for building their C2 channel, each of which is outlined below.

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den

Nov 10, 2016 7:30:00 AM

The Hunter’s Den: Internal Reconnaissance (Part 2)

By Josh Liburdi, Security Technologist at Sqrrl, and George Aquila

In part 1 of this Hunter’s Den post we took a look at the adversary tactic of internal reconnaissance, including what kinds of artifacts might be left behind when internal reconnaissance has occurred on your network. In this post we’ll take a look at the types of data and the hunting techniques that you can use to find the various kinds of internal reconnaissance.

Datasets to explore

Data is a critical component of hunting, and many different kinds of datasets can be useful depending on the type of hunt that you are carrying out. For internal reconnaissance, there are two major data types that are useful to a hunt, process execution metadata and network connection metadata. 

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den

Nov 3, 2016 3:00:00 PM

The Hunter’s Den: Internal Reconnaissance (Part 1)

By Josh Liburdi, Security Technologist at Sqrrl, and George Aquila

As we laid out in our introduction, The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. This first post will focus on hunting for Internal Reconnaissance. Before we dive into the specifics of how to do this, let’s briefly review the two major models that we’ll be referencing over the course of the series.

The first is the Threat Hunting Loop, which outlines a process for threat hunting. As a loop, it is specifically meant to be repeated continually.

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den

Oct 18, 2016 7:00:00 AM

Former AT&T CISO Ed Amoroso Interviews Sqrrl CTO Adam Fuchs

This was originally posted in conjunction with the 2017 TAG Cyber Annual report. The full report can be downloaded here.

Hunting Down Cyber Attacks in Enterprises with Big Data

A promising shift in enterprise cybersecurity is the trend toward proactive hunting of cyber security issues in advance of their causing consequential damage. Previously, cyber security analysis consisted of collecting data from gateway systems that would passively watch as an attack occurred. This collected data would be passed to analysts who hopefully would recognize what was happening in order to initiate response. Shifting to a more proactive approach offers hope that attacks can be stopped before they are completed.

Topics: Threat Hunting, Cyber Threat Hunting

Sep 12, 2016 3:41:22 PM

The Applicability of Graphs for Information Security Combatants

This post by Henrik Johansen originally appeared on Medium. Henrik is an IT Security professional at a Danish public sector entity called Region Syddanmark.

I have been tweeting a lot lately about Graphs and how they can be utilised in the context of Information Security. Since this is a topic that seems interesting to a few people I thought a more thorough explanation would make sense. Think of this as the “why” and “what” more than the “how”. 

Topics: Graphs, Incident Response, Threat Hunting, Cyber Threat Hunting

Jul 26, 2016 7:06:00 AM

Increasing Hunt Confidence by Combining Network and Endpoint Data

This post originally appeared on Carbon Black's blog as an introduction to a threat hunting webinar with Carbon Black. A recording of that webinar is now available.

Threat Hunting is quickly becoming common practice in Security Operation Centers (SOCs). While many security analysts undertake hunting either formally or informally (86% according to a recent SANS Institute survey) hunts are often limited by the data that is available to them. This post explores how the unification of network and endpoint data can increase the effectiveness of threat hunts.

Topics: Big Data, Threat Hunting, Threat Detection, Cyber Threat Hunting, UEBA

Jun 16, 2016 4:47:34 PM

An Introduction to Machine Learning for Cybersecurity and Threat Hunting

At BSides Boston 2016, Sqrrl’s Lead Security Technologist, David Bianco, and Director of Data Science, Chris McCubbin, gave a presentation about the importance of machine learning in the field of Cyber Threat Hunting. In this interview, we talk with them about how it relates to tools like UEBA, and where they see it taking the world of cybersecurity in the future. When used effectively, machine learning provides more accurate, effective insight into threats of all kinds. They predict that machine learning will soon take hold as a major influencing factor on organizations’ Security Operations Center workflows. In addition to their presentation, David and Chris also provide code for anyone interested in taking a hands-on approach to machine learning.

What is machine learning?

Chris: Very basically, machine learning is the capability of a deployed algorithm to adapt to the data that’s being input into it. A normal algorithm, for example, will run on a particular set of data and give you a result, and if you run it on the same set of data again, it will give you the same result. Machine learning has an adaptive component where if you run it on a piece of data it will do something and then change its behavior based on that data. So, even if you ran it on the same data twice, it might give you a different result because it’s adapting. That’s a very broad definition.

Topics: Threat Hunting, Threat Detection, Cyber Threat Hunting, Machine Learning, UEBA

Jun 13, 2016 11:19:03 AM

June Webinar Recap: How Threat Hunting and UEBA Fit Into the Cybersecurity Landscape

On June 2nd Sqrrl hosted a webinar in collaboration with Momentum Partners that examined the current state of the cybersecurity landscape. The webinar covered ways in which various solutions, like threat hunting platforms and User and Entity Behavior Analytics (UEBA) tools, can complement an existing security ecosystem, ensuring security efforts are efficient, effective, and comprehensive.

Topics: Cyber Hunting, Cyber Threat Hunting, User and Entity Behavior Analytics, UEBA