Sqrrl Blog

Sep 28, 2016 8:00:00 AM

Threat Hunter Profile - Jason Smith


Name: Jason Smith

Organization: FireEye

Years hunting: 6

Favorite datasets: Flow data, Bro logs (http, dns, etc.), Windows event logs

Favorite hunting techniques: Pivoting from statistical anomalies, behavioral deviations for local assets

Favorite tools: SiLK, FlowBAT, Bro, Security Onion, Wireshark, Bash

@Automayt


Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Sep 14, 2016 8:30:00 AM

Threat Hunter Profile - Samuel Alonso


Name: Samuel Alonso

Organization: KPMG

Years hunting: 2

Favorite datasets: AV, firewall, proxy, IDS and passive DNS

Favorite hunting techniques: Stack counting, anomaly detection and visualization

Favorite tools: Volatility, Passive Total, Santoku and Kali Linux

@Cyber_IR_UK


Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Aug 30, 2016 8:00:00 AM

Threat Hunter Profile - Chris Sanders


Name: Chris Sanders

Organization: FireEye

Years hunting: 10

Favorite datasets: Flow, Bro, Windows endpoint logs

Favorite hunting techniques: Aggregations, pivots, relationship graph visualizations

Favorite tools: SiLK, FlowBAT, Python, Wireshark, FireEye TAP, Splunk

@chrissanders88


Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Aug 17, 2016 8:00:00 AM

Threat Hunter Profile - Josh Liburdi


Name: Josh Liburdi

Organization: Sqrrl

Years hunting: 3

Favorite datasets: Bro, memory artifacts, file metadata

Favorite hunting techniques: Stack Counting, baselining, data visualization

Favorite tools: Bro, LaikaBoss, Volatility, Sqrrl

@jshlbrd


Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Aug 1, 2016 5:45:22 PM

Threat Hunter Profile - David Bianco

Editor's Note: This is the first in a series of posts that will profile various threat hunters, highlighting their experiences, as well as hunting techniques and lessons from the field.

Name: David J. Bianco

Organization: Target

Years hunting: 8

Favorite datasets: HTTP proxy logs, authentication logs, process data

Favorite hunting techniques: Outlier detection, visualization

Favorite tools: Sqrrl, Unix command line, Python, Apache Spark, scikit-learn

@DavidJBianco


Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Jul 26, 2016 7:06:00 AM

Increasing Hunt Confidence by Combining Network and Endpoint Data

This post originally appeared on Carbon Black's blog as an introduction to a threat hunting webinar with Carbon Black. A recording of that webinar is now available.

Threat Hunting is quickly becoming common practice in Security Operations Centers (SOCs). While many security analysts undertake hunting either formally or informally (86% according to a recent SANS Institute survey), hunts are often limited by the data that is available to them. This post explores how unifying network and endpoint data can increase the effectiveness of threat hunts.


Topics: Big Data, Threat Hunting, Threat Detection, Cyber Threat Hunting, UEBA

Jun 16, 2016 4:47:34 PM

An Introduction to Machine Learning for Cybersecurity and Threat Hunting

At BSides Boston 2016, Sqrrl’s Lead Security Technologist, David Bianco, and Director of Data Science, Chris McCubbin, gave a presentation about the importance of machine learning in the field of Cyber Threat Hunting. In this interview, we talk with them about how it relates to tools like UEBA, and where they see it taking the world of cybersecurity in the future. When used effectively, machine learning provides more accurate, effective insight into threats of all kinds. They predict that machine learning will soon take hold as a major influencing factor on organizations’ Security Operations Center workflows. In addition to their presentation, David and Chris also provide code for anyone interested in taking a hands-on approach to machine learning.

What is machine learning?

Chris: Very basically, machine learning is the capability of a deployed algorithm to adapt to the data that’s being input into it. A normal algorithm, for example, will run on a particular set of data and give you a result, and if you run it on the same set of data again, it will give you the same result. Machine learning has an adaptive component where if you run it on a piece of data it will do something and then change its behavior based on that data. So, even if you ran it on the same data twice, it might give you a different result because it’s adapting. That’s a very broad definition.


Topics: Threat Hunting, Threat Detection, Cyber Threat Hunting, Machine Learning, UEBA

Jul 23, 2015 4:37:00 PM

A Framework for Cyber Threat Hunting Part 1: The Pyramid of Pain

While rule-based detection engines are a strong foundation for any security organization, cyber threat hunting is a vital capability for security organizations to have in order to detect unknown advanced threats. Hunting goes beyond rule-based detection approaches and focuses on proactively detecting and investigating threats.


Topics: Cybersecurity, Breach Detection, Cyber Hunting, Linked data analysis, Threat Detection