Sqrrl Blog

Sep 12, 2016 3:41:22 PM

The Applicability of Graphs for Information Security Combatants

This post by Henrik Johansen originally appeared on Medium. Henrik is an IT Security professional at a Danish public sector entity called Region Syddanmark.

I have been tweeting a lot lately about Graphs and how they can be utilised in the context of Information Security. Since this is a topic that seems interesting to a few people I thought a more thorough explanation would make sense. Think of this as the “why” and “what” more than the “how”. 

Topics: Graphs, Incident Response, Threat Hunting, Cyber Threat Hunting

May 4, 2016 1:27:00 PM

Incident Response is Dead... Long Live Incident Response

Originally posted by Scott Roberts, a threat hunter at GitHub, at http://sroberts.github.io/2015/04/14/ir-is-dead-long-live-ir/ 

Talk to anyone in the DFIR Illuminati and one of the topics that always comes up is Hunting. Much like threat intelligence & string theory, people talk a lot about this, but nearly no one knows what it actually means.

Proactive vs. Reactive

At its core, Hunting is about taking a proactive vs a reactive approach to identifying incidents.

Topics: Cyber Hunting, Incident Response, Threat Hunting, Cyber Threat Hunting

Apr 27, 2016 4:27:00 PM

Threat Hunting Quick Fix

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter at http://cyber-ir.com/2016/03/08/threat-hunting-quick-fix/ 

Are you currently threat hunting and not finding much? I do not support this threat hunting modality; however, it is true that I use it when I do not have the time to go on a hunting trip and keep focused.

This is not a silver bullet, but it is true that it can help in your hunting trips; looking for already known IOCs can sometimes bring up interesting results.

Topics: Incident Response, Threat Hunting, Cyber Threat Hunting, Security Analytics

Apr 20, 2016 10:47:00 AM

Cyber Threat Hunting (3): Hunting in the Perimeter

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter at http://cyber-ir.com/2016/03/01/cyber-threat-hunting-3-hunting-in-the-perimeter/ 

In this third post, we will learn what we need to look at when hunting and detecting adversaries in the perimeter. We are also going to look at some of the firewall technologies and their log formats in order to detect anomalies in the inbound and outbound traffic in your network.

Topics: Cyber Hunting, Incident Response, Threat Hunting, Cyber Threat Hunting
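The two hunts sketched in the excerpts above, Samuel Alonso's quick known-IOC sweep (Threat Hunting Quick Fix) and the perimeter hunt over firewall logs (Cyber Threat Hunting (3)), as one added Python example. This is not code from either post, from KPMG or from Sqrrl. The log format is a simplified key=value syslog style invented for the example, and the IOC list and the set of "expected" outbound ports are constructed assumptions; real vendor formats and site policies differ.

```python
"""Hunting in firewall logs: a known-IOC sweep plus three simple perimeter checks.

Added example. The log lines, IOC list and port policy below are constructed
for illustration and do not come from any real firewall or feed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a simplified 'ts key=value ...' format
# (hypothetical; not a real vendor log format).
SAMPLE_LOG = """\
2016-03-01T10:00:00 action=allow dir=out src=10.0.1.15 dst=93.184.216.34 dport=443 proto=tcp
2016-03-01T10:00:05 action=allow dir=out src=10.0.1.15 dst=198.51.100.7 dport=8443 proto=tcp
2016-03-01T10:01:05 action=allow dir=out src=10.0.1.15 dst=198.51.100.7 dport=8443 proto=tcp
2016-03-01T10:02:05 action=allow dir=out src=10.0.1.15 dst=198.51.100.7 dport=8443 proto=tcp
2016-03-01T10:03:05 action=allow dir=out src=10.0.1.15 dst=198.51.100.7 dport=8443 proto=tcp
2016-03-01T10:00:12 action=allow dir=out src=10.0.1.22 dst=203.0.113.9 dport=4444 proto=tcp
2016-03-01T10:00:20 action=deny dir=in src=192.0.2.50 dst=10.0.1.1 dport=3389 proto=tcp
2016-03-01T10:00:21 action=deny dir=in src=192.0.2.50 dst=10.0.1.1 dport=445 proto=tcp
2016-03-01T10:00:22 action=deny dir=in src=192.0.2.50 dst=10.0.1.1 dport=22 proto=tcp
2016-03-01T10:00:30 action=allow dir=out src=10.0.1.30 dst=93.184.216.34 dport=80 proto=tcp
"""

KNOWN_BAD_IPS = {"203.0.113.9"}                    # constructed IOC list (hypothetical)
EXPECTED_OUT_PORTS = {25, 53, 80, 443, 587, 993}   # assumed site egress policy


def parse_line(line):
    """Turn one 'ts key=value ...' record into a dict; dport becomes an int."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = int(value) if key == "dport" else value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def ioc_hits(records, bad_ips):
    """Quick-fix sweep: every flow whose source or destination is a known IOC."""
    return [r for r in records if r["src"] in bad_ips or r["dst"] in bad_ips]


def unusual_outbound_ports(records, expected_ports):
    """Allowed outbound flows to ports the site does not normally use."""
    return {
        (r["src"], r["dst"], r["dport"])
        for r in records
        if r["dir"] == "out" and r["action"] == "allow"
        and r["dport"] not in expected_ports
    }


def beacon_candidates(records, min_hits=4, max_jitter_s=5.0):
    """Outbound flows that recur at a near-constant interval (C2-style beaconing).

    Returns (src, dst, dport, mean_gap_seconds) for each candidate flow.
    """
    by_flow = defaultdict(list)
    for r in records:
        if r["dir"] == "out" and r["action"] == "allow":
            by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    found = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            found.append(flow + (sum(gaps) / len(gaps),))
    return found


def inbound_scan_sources(records, min_ports=3):
    """External sources whose denied inbound attempts touch several distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["dir"] == "in" and r["action"] == "deny":
            ports[r["src"]].add(r["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("IOC hits:", [(r["src"], r["dst"]) for r in ioc_hits(recs, KNOWN_BAD_IPS)])
    print("Unusual egress ports:", sorted(unusual_outbound_ports(recs, EXPECTED_OUT_PORTS)))
    print("Beacon candidates:", beacon_candidates(recs))
    print("Inbound scanners:", inbound_scan_sources(recs))
```

The IOC sweep is the cheap, low-yield check the Quick Fix post describes; the other three functions are the kind of perimeter baselines the third post points at (unexpected egress ports, regular-interval outbound connections, and one external source probing many closed ports). On the constructed data the 8443 flow is flagged twice, once as an off-policy port and once as a 60-second beacon, which is the sort of overlap worth chasing first.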

Apr 8, 2016 10:49:00 AM

Cyber Threat Hunting (1): Intro

Originally posted by Samuel Alonso, KPMG Global Security Operations Center threat hunter at http://cyber-ir.com/2016/01/21/cyber-threat-hunting-1-intro/ 

After some long months debating whether to write a white paper, and what potential topics I could write about, I have ultimately decided that I do not have enough time to go through the process of writing a research paper for the next 6 to 12 months. Instead, I am taking some of my research and current experience and I am sharing it with you. I will be brief and to the point – it is not my intention to spend much time in the bushes. I want to provide you with a solid foundation to start hunting and understanding the “creativity” behind the process.

Topics: Cyber Hunting, Incident Response, Threat Hunting, Cyber Threat Hunting

Oct 16, 2015 8:30:00 AM

The Threat Hunting Reference Model Part 1: Measuring Hunting Maturity

Many organizations are quickly discovering that cyber threat hunting is the next step in the evolution of the modern SOC, but remain unsure of how to start hunting or how far along they are in developing their own hunt capabilities. This blog series will seek to formalize a reference model for how to effectively conduct threat hunting within an organization. We begin with a simple question: How can you quantify where your organization stands on the road to effective hunting? With a general model that can map maturity across any organization.

What is Hunting?

Before we can talk about hunting maturity, though, we need to discuss what exactly we mean when we say "hunting". We define hunting as the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade automated, rule- and signature-based security systems. There are many different techniques hunters might use to find the bad guys, and no single one of them is always "right"; the best one often depends on the type of activity you are trying to find.

Topics: Cyber Hunting, Incident Response, Threat Hunting, Cyber Threat Hunting

Sep 28, 2015 4:20:00 PM

Taking the Backroad to a Secure Enterprise

Guest Blog by Richard Stiennon, Chief Research Analyst at IT-Harvest

This post originally appeared on the IT-Harvest blog.

It is often the case that rapidly changing technology allows laggards to leapfrog leaders. Rather than follow the same path as the trailblazers, those who come behind can take a shortcut. A country in South America bent on joining the modern world does not have to string phone lines across its mountains and jungles to achieve universal access to communications. It can build an LTE infrastructure, allowing its people to skip the fixed line stage and jump right to the latest smartphones and apps for Facebook and Instagram.

So too can an enterprise that is poorly defended get ahead of the race to security. The very best security infrastructures can be found at large financial institutions and defense contractors. Both have been battling targeted attacks for over a decade. They have purchased, deployed, and staffed every new technology brought out to combat every new threat: banks to counter cybercrime, the defense industrial base (DIB) to combat cyber espionage.

Topics: Cybersecurity, Cyber Hunting, Incident Response

Sep 24, 2015 9:00:00 AM

A Framework for Cyber Threat Hunting Part 3: The Value of Hunting TTPs

In the first two parts of our “Framework for Cyber Threat Hunting” series, we discussed the hierarchy of Indicators of Compromise, the most valuable of which are an attacker’s Tactics, Techniques, and Procedures (TTPs), and the benefits of using those indicators in a security feedback loop to build an Advanced Persistent Defense. This third and final part aims to provide a concrete example of how the discovery and mapping of TTPs contributes to the strength of an Advanced Persistent Defense.

Topics: Breach Detection, Cyber Hunting, Incident Response, Threat Hunting

Aug 5, 2015 8:30:00 AM

A Framework for Cyber Threat Hunting Part 2: Advanced Persistent Defense

In part 1 of this series, we discussed the six categories of Indicators of Compromise (IoCs) that can be used as trailheads for structured threat hunting trips. In this post, we will focus specifically on how security organizations can build intelligence-driven hunting loops to detect the Tactics, Techniques, and Procedures (TTPs) of advanced threats.

In order to hunt threats, it is important to understand the method of the attacker. The cyber kill chain is the well-known framework created by Lockheed Martin to track the steps an attacker goes through to exploit, compromise, and carry out an attack against a targeted system or organization. Disrupting this process at any point in the chain prevents (or at least seriously degrades) an attacker’s ability to accomplish their mission.

Topics: Breach Detection, Cyber Hunting, Incident Response, Threat Hunting

Jul 9, 2015 8:00:00 AM

Introducing the Sqrrl Cyber Incident Matrix

A Sqrrl blog series focused on Data Breaches

Data breaches are in the news again and again these days. Between the IRS, OPM, Target, LastPass, and countless other private and public organizations, data and networks of all varieties are prime targets for both external attackers and internal infiltrators. Our newsfeeds, inboxes, and conversations are all saturated with people asking how and why these incidents occur. Over the past 12 months, cybersecurity issues have moved closer to the center of public debate than they ever have been in the past. The rate at which private data is being compromised weekly is as alarming as it is impressive.

Today, we’re launching the Sqrrl Cyber Incident Matrix because we believe that there is a need for a place that collects, catalogues, and breaks down these incidents concisely, and in a manner that is easy to understand. Our goal is to take a look at data breaches in the news, rate them based on their severity and complexity, and analyze the known aspects of each breach. We’re not here to make wild theories; the purpose behind this blog is to collect the known facts about a breach and try to build a contextual narrative of how different breaches relate to each other.

Topics: Cybersecurity, Breach Detection, Outlier Detection, Data Breach, Incident Response