Sqrrl Blog

May 25, 2016 11:31:30 AM

Surveying the Threat Hunting Landscape, Part 2: Threat Hunting Practices and Next Steps

In part 1 of this series, we outlined the current state of cyber threat hunting as it was profiled in SANS’s recent survey of 464 companies on the handling of proactive cyber threat detection. In this section, we’ll discuss specifically what types of hunting practices these companies use to track and remove threats in their systems, and we will take a look ahead to see how threat hunting will continue to grow in the future.

In addition to the process of data collection, automation is used to speed up certain parts of the hunting process so that analysts can focus on what’s really valuable, as opposed to having to spend time gathering and parsing through large, disparate data sets. When SANS asked the survey participants what percentage of their threat hunting capacity is automated, the responses were fairly evenly split, with each option (1-10%, 11-25%, 26-50%, 51-75%, 76-99%) receiving about 20%. Each stage in the Threat Hunting Loop provides opportunities for automation that can make the hunting process much more efficient. When forming a hypothesis, automated risk scoring and heat mapping can highlight where to start looking; when investigating, automated visualizations with predetermined pathways and prescribed hunting techniques help you reach your target sooner; automated TTP detection analytics allow you to uncover and identify threats more easily; and feeding data back into automated tools to enrich your analytics makes the process quicker and more powerful for the next hunt.

Topics: Sqrrl Enterprise, Threat Hunting, Cyber Threat Hunting

May 18, 2016 2:46:33 PM

Surveying the Threat Hunting Landscape, Part 1: The Current State of Threat Hunting

In April, the SANS Institute published the results of the first threat hunting survey to date. The results were gathered from 464 security practitioners in a variety of fields (including financial, cybersecurity, defense contracting, and government organizations) on threat hunting and the role it plays in their security infrastructure. The survey sought to determine if and how organizations are currently hunting, how they feel about their present hunting maturity, and what they have planned for increasing their hunting capabilities in the future. The survey results come at a critical time - today, companies are starting to realize what SANS calls the “three absolute facts” of security: 1) companies cannot prevent every attack; 2) an organization’s network will, at some point, be compromised; and 3) 100% security simply does not exist. It’s imperative, then, that companies try to ramp up their detection capabilities as much as possible to minimize the impact and severity of inevitable cyber attacks.
Topics: Threat Hunting, Cyber Threat Hunting

May 16, 2016 12:54:05 PM

Sqrrl releases Enterprise 2.5

Sqrrl’s latest release, Sqrrl Enterprise 2.5, revolutionizes the hunt by delivering a wide range of new capabilities aimed at streamlining and automating threat hunting activities for security analysts. By combining big data, analytics, investigation, and collaboration capabilities all in a single tool, Sqrrl Enterprise fulfills all of the requirements of a Threat Hunting Platform. Sqrrl’s hunting approach focuses on identifying, gathering, and acting upon an adversary’s Tactics, Techniques, and Procedures (TTPs), in order to rapidly detect and mitigate threats in your network. This release marks the most comprehensive update to Sqrrl since the release of Enterprise 2.0, which launched the Sqrrl visual investigation interface. These are some of the new features added to Sqrrl to make hunting for advanced threats more streamlined than ever. The new release is generally available to all current Sqrrl users as of May 16, 2016.

Topics: Sqrrl Enterprise, Sqrrl, Cyber Threat Hunting

May 4, 2016 1:27:00 PM

Incident Response is Dead... Long Live Incident Response

Originally posted by Scott Roberts, a threat hunter at GitHub, at http://sroberts.github.io/2015/04/14/ir-is-dead-long-live-ir/ 

Talk to anyone in the DFIR Illuminati and one of the topics that always comes up is Hunting. Much like threat intelligence & string theory, people talk a lot about this, but nearly no one knows what it actually means.

Proactive vs. Reactive

At its core, Hunting is about taking a proactive vs a reactive approach to identifying incidents.

Topics: Cyber Hunting, Incident Response, Threat Hunting, Cyber Threat Hunting

Apr 27, 2016 4:27:00 PM

Threat Hunting Quick Fix

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter, at http://cyber-ir.com/2016/03/08/threat-hunting-quick-fix/

Are you currently threat hunting and not finding much? I do not support this threat hunting modality; however, it is true that I use it when I do not have the time to go on a hunting trip and keep focused.

This is not a silver bullet, but it is true that it can help in your hunting trips; looking for already known IOCs can sometimes bring up interesting results.

Topics: Incident Response, Threat Hunting, Cyber Threat Hunting, Security Analytics

Apr 20, 2016 10:47:00 AM

Cyber Threat Hunting (3): Hunting in the Perimeter

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter, at http://cyber-ir.com/2016/03/01/cyber-threat-hunting-3-hunting-in-the-perimeter/

In this third post, we will learn what we need to look at when hunting and detecting adversaries in the perimeter. We are also going to look at some of the firewall technologies and their log formats in order to detect anomalies in the inbound and outbound traffic in your network.

Topics: Cyber Hunting, Incident Response, Threat Hunting, Cyber Threat Hunting

Apr 14, 2016 11:16:00 AM

Cyber Threat Hunting (2): Getting Ready

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter, at http://cyber-ir.com/2016/02/05/cyber-threat-hunting-2-getting-ready/

In my previous post, I went through the basics of hunting and its benefits for organizations and their analysts. To continue the journey, today I am going to cover the preparations you need to make before you go out there and hunt.

As with many of the activities we do on a daily basis, you need some degree of preparation. You can improvise, but I suggest you don't, as hunting is an activity that requires a high level of concentration, so you only want to focus on what is important for the hunt.

Topics: Cyber Hunting, Threat Hunting, Cyber Threat Hunting

Apr 8, 2016 10:49:00 AM

Cyber Threat Hunting (1): Intro

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter, at http://cyber-ir.com/2016/01/21/cyber-threat-hunting-1-intro/

After some long months debating whether to write a white paper, and what potential topics I could write about, I have ultimately decided that I do not have enough time to go through the process of writing a research paper for the next 6 to 12 months. Instead, I am taking some of my research and current experience and I am sharing it with you. I will be brief and to the point – it is not my intention to spend much time in the bushes. I want to provide you with a solid foundation to start hunting and understanding the “creativity” behind the process.

Topics: Cyber Hunting, Incident Response, Threat Hunting, Cyber Threat Hunting

Mar 15, 2016 6:22:00 PM

What Is a Threat Hunting Platform: Part 2 - Benefits and Sqrrl

In Part 1 of this blog series we discussed the concept of a threat hunting platform (THP) and the capabilities that a THP provides to security analysts who are looking to proactively find threats hidden in their data. In Part 2 of this series we will take a look at the benefits that a THP can deliver and present Sqrrl as an example of a best-in-class THP.

Topics: Cyber Threat Hunting, Hunting Platform

Jan 14, 2016 4:22:06 PM

Living On an Exponential Curve of Breaches

Guest Blog by Richard Stiennon, Chief Research Analyst at IT-Harvest

Most of us live in the moment, and most of us have trouble getting the big picture from the flood of breach announcements throughout the year. Anthem, Ashley Madison, OPM: all shocked us. After all these years, how could large organizations be so ill protected against what are invariably unsophisticated attacks?

Topics: Malware, Data Breach, Cyber Threat Hunting, Security Analytics