Sqrrl Blog

Feb 22, 2017 8:00:00 AM

What is Threat Hunting in Cybersecurity Defense

By Håkon Olsen
This article originally appeared on Håkon's blog, Safe Controls.

What is hunting and why do it?

A term that comes up often in the cybersecurity community is threat hunting: the activity of searching your own computer systems for intruders and then evicting them. In the more extreme cases it can also mean attacking them back, but that is illegal in most countries. Threat hunting covers several activities you can carry out to find attackers on your network. The reason it is needed is that the threats are, to some extent, intelligent operators who adapt to the defenses you set up and find workarounds for each new hurdle you put in front of them. The defense therefore has to get smart and use a wide arsenal of analysis techniques, which means analyzing data that can indicate an intrusion has occurred. Data on user behavior, logins, changes to files, errors, and so on can be found in the system logs. In addition to what can be automated (looking for peaks in network traffic, for example), threat hunting will always include some manual, inquisitive work by the analyst, both to understand the context more deeply and, for special cases, to apply statistical and data science tools. Based on successful hunts, automated signals can be added to improve future resilience. The interplay between automated red flags, context intelligence and data science is shown below.
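As an added example (not code from Håkon's post or from Sqrrl), the following Python script runs one small hunt of the kind described above over a constructed authentication log: it stacks successful logons per user, flags the account whose number of distinct target hosts is a robust statistical outlier, and then turns that finding into an automated check that later events can be scored against. The log format, host names, user names and timestamps are all made up for the example.

```python
"""Added example, not code from the original post: a small threat hunt over
constructed authentication records, and the automated signal that a successful
hunt leaves behind. Every host name, user and timestamp below is made up."""
from collections import defaultdict
import re
import statistics

# Constructed sample log (made up): "<timestamp> <user> <source host> <target host> <result>".
# Five users do their usual logons; "dave" then touches eight hosts in a few
# seconds, at 02:14, from alice's workstation.
SAMPLE_LOG = """\
2017-01-10T08:01:12 alice WS-ALICE FS01 success
2017-01-10T08:03:40 alice WS-ALICE MAIL01 success
2017-01-10T08:05:02 bob WS-BOB FS01 success
2017-01-10T08:07:55 carol WS-CAROL FS01 success
2017-01-10T08:09:13 carol WS-CAROL PRINT01 success
2017-01-10T08:11:30 eve WS-EVE MAIL01 success
2017-01-10T08:12:01 eve WS-EVE MAIL01 failure
2017-01-10T02:14:10 dave WS-ALICE FS01 success
2017-01-10T02:14:12 dave WS-ALICE FS02 success
2017-01-10T02:14:15 dave WS-ALICE MAIL01 success
2017-01-10T02:14:17 dave WS-ALICE PRINT01 success
2017-01-10T02:14:20 dave WS-ALICE DB01 success
2017-01-10T02:14:22 dave WS-ALICE DB02 success
2017-01-10T02:14:25 dave WS-ALICE APP01 success
2017-01-10T02:14:28 dave WS-ALICE APP02 success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (success|failure)$")


def parse_log(text):
    """Turn raw lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, dst, result = m.groups()
            events.append({"ts": ts, "user": user, "src": src, "dst": dst, "result": result})
    return events


def hosts_per_user(events):
    """Stacking: the set of target hosts each user has successfully logged on to."""
    hosts = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            hosts[e["user"]].add(e["dst"])
    return dict(hosts)


def robust_outliers(counts, threshold=3.5):
    """Keys whose value sits far above the median, measured in median absolute
    deviations (MAD). MAD suits the tiny samples a hunt usually has: with a
    mean/stdev z-score, no point in a sample of n can score above sqrt(n-1)."""
    values = list(counts.values())
    if len(values) < 3:
        return []
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        return []
    return sorted(k for k, v in counts.items() if 0.6745 * (v - med) / mad > threshold)


def build_baseline(events, exclude_users=()):
    """After the hunt: record, per user, the target and source hosts seen in
    successful logons. Accounts the hunt has shown to be compromised are left
    out so their activity does not become 'normal'."""
    base = {}
    for e in events:
        if e["result"] != "success" or e["user"] in exclude_users:
            continue
        entry = base.setdefault(e["user"], {"dst": set(), "src": set()})
        entry["dst"].add(e["dst"])
        entry["src"].add(e["src"])
    return base


def check_event(event, baseline):
    """Automated red flag derived from the hunt: a successful logon to a target
    host, or from a source host, the user has not used before. Returns a short
    reason string, or None when the event matches the baseline."""
    if event["result"] != "success":
        return None
    known = baseline.get(event["user"])
    if known is None:
        return "no baseline for user"
    reasons = []
    if event["src"] not in known["src"]:
        reasons.append("new source host")
    if event["dst"] not in known["dst"]:
        reasons.append("new target host")
    return "; ".join(reasons) or None


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    counts = {u: len(h) for u, h in hosts_per_user(evts).items()}
    flagged = robust_outliers(counts)
    print("distinct hosts per user:", counts)
    print("outliers worth a closer look:", flagged)
    baseline = build_baseline(evts, exclude_users=set(flagged))
    probe = {"ts": "2017-01-11T08:00:00", "user": "alice", "src": "WS-BOB",
             "dst": "DC01", "result": "success"}
    print("signal for a later event:", check_event(probe, baseline))
```

The hunt itself is the stacking plus the outlier test; the analyst still has to confirm that dave's burst of logons from WS-ALICE is lateral movement and not, say, a backup job. Only after that confirmation does the baseline check become the automated signal the post talks about, which is why the compromised account is excluded when the baseline is built.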

Read More

Topics: Threat Hunting, Cyber Threat Hunting

Feb 20, 2017 12:00:00 PM

Top 4 Takeaways from RSA 2017

By Mark Terenzoni, Sqrrl CEO

This year’s RSA Conference has come and gone and my team and I had a blast heading to San Francisco to discuss the newest developments in cybersecurity, big data, and of course, threat hunting. Here are a few of the biggest takeaways that I got from talking to folks at this year’s Conference:

Read More

Topics: Threat Hunting, Cyber Threat Hunting, RSA, Threat Intelligence

Feb 8, 2017 8:00:00 AM

Threat Hunter Profile - Deirdre Morrison


Name: Deirdre Morrison

Organization: GoSecure

Years hunting: 2

Favorite datasets: Firewall/Server/Proxy logs, Syslog, ((N|L)IDS)

Favorite hunting techniques: Endpoint behavior analysis, anomaly detection

Favorite tools: Wireshark, Nmap, Kali, Custom/Github Tools

Read More

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Jan 25, 2017 8:30:00 AM

Threat Hunter Profile - Hem Karlapalem


Name: Hem Karlapalem

Organization: Global Fortune 100 Company

Years hunting: 3

Favorite datasets: Proxy, DNS, Domain controller and endpoint logs

Favorite hunting techniques: Time series analysis, linked data analysis

Favorite tools: SysInternals, Wireshark/tcpdump, ELK suite, Powershell


Read More

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Jan 12, 2017 8:00:00 AM

The Hunter's Den: Command and Control

By Josh Liburdi, Sqrrl Security Technologist, and George Aquila

The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. In our previous post, we examined practical ways to hunt for Internal Reconnaissance. In this post, we will look at how to hunt for Command and Control (C2) activity. Command and control is the process through which an attacker communicates with, and issues instructions to, a compromised asset in a target network. C2 is a critical step in carrying out an attack on a network, and the category is broad enough to have its own kill chain step (KC6, “Command and Control”). Although it is a broad tactic, this post will survey the ways in which it is generally carried out by an adversary.

Understanding Command and Control

C2 gives attackers remote access into target networks. Architecturally, C2 is fairly predictable: it generally follows one of two implementation models, Client-Server or Peer-to-Peer. Attackers have multiple options for building their C2 channel, each of which is outlined below.
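As an added example that is not part of the Hunter's Den post, here is a beaconing check in Python for the Client-Server model: an implant that polls its server on a fixed period (usually with some jitter) leaves a train of outbound connections whose inter-arrival times are unusually regular, and that regularity is visible in plain connection records. The records, IP addresses and timings below are constructed for the example, and the record format is an assumption rather than any Sqrrl or sensor output format.

```python
"""Added example, not code from the original post: a beaconing check for
client-server C2, run over constructed outbound connection records."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample (made-up addresses and times): "<timestamp> <src> <dst>:<port>".
# 10.0.0.5 calls home to 203.0.113.10 about once a minute with a few seconds of
# jitter; 10.0.0.7 shows bursty, human-driven browsing to 198.51.100.20.
SAMPLE_CONNECTIONS = """\
2017-01-12T09:00:00 10.0.0.5 203.0.113.10:443
2017-01-12T09:01:03 10.0.0.5 203.0.113.10:443
2017-01-12T09:01:58 10.0.0.5 203.0.113.10:443
2017-01-12T09:03:01 10.0.0.5 203.0.113.10:443
2017-01-12T09:03:59 10.0.0.5 203.0.113.10:443
2017-01-12T09:05:02 10.0.0.5 203.0.113.10:443
2017-01-12T09:05:58 10.0.0.5 203.0.113.10:443
2017-01-12T09:07:01 10.0.0.5 203.0.113.10:443
2017-01-12T09:08:00 10.0.0.5 203.0.113.10:443
2017-01-12T09:08:59 10.0.0.5 203.0.113.10:443
2017-01-12T09:10:01 10.0.0.5 203.0.113.10:443
2017-01-12T09:11:02 10.0.0.5 203.0.113.10:443
2017-01-12T09:00:10 10.0.0.7 198.51.100.20:443
2017-01-12T09:00:12 10.0.0.7 198.51.100.20:443
2017-01-12T09:04:30 10.0.0.7 198.51.100.20:443
2017-01-12T09:04:31 10.0.0.7 198.51.100.20:443
2017-01-12T09:20:05 10.0.0.7 198.51.100.20:443
2017-01-12T09:20:06 10.0.0.7 198.51.100.20:443
2017-01-12T09:20:08 10.0.0.7 198.51.100.20:443
2017-01-12T09:47:00 10.0.0.7 198.51.100.20:443
2017-01-12T09:47:02 10.0.0.7 198.51.100.20:443
"""


def parse_connections(text):
    """Return (datetime, src, dst) tuples; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        records.append((ts, parts[1], parts[2]))
    return records


def intervals_by_pair(records):
    """Seconds between consecutive connections for each (src, dst) pair, in time order."""
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    out = {}
    for pair, ts_list in times.items():
        ts_list.sort()
        out[pair] = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
    return out


def beacon_score(intervals):
    """Median interval and its relative spread (MAD / median). A small spread
    means the connections arrive on a steady period, which is what a beacon
    with modest jitter looks like; human traffic is bursty and scores high."""
    med = statistics.median(intervals)
    mad = statistics.median(abs(i - med) for i in intervals)
    return med, (mad / med if med > 0 else float("inf"))


def find_beacons(records, min_connections=8, max_spread=0.2):
    """(src, dst, median period, spread) for pairs with enough connections and a
    spread at or below max_spread. The thresholds are tuning knobs, not constants
    taken from the post."""
    hits = []
    for pair, ivals in intervals_by_pair(records).items():
        if len(ivals) + 1 < min_connections:
            continue
        med, spread = beacon_score(ivals)
        if spread <= max_spread:
            hits.append((pair[0], pair[1], round(med), round(spread, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, period, spread in find_beacons(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"{src} -> {dst}: period ~{period}s, spread {spread}")
```

A low spread on its own is not proof: software updaters, NTP clients and monitoring agents beacon too, so the hits are the starting point for the context work the post describes, not an alert. The Peer-to-Peer model does not show this client-to-server rhythm; it tends to surface as an internal host talking to an unusual number of peers, which this check does not look for.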

Read More

Topics: Threat Hunting, Cyber Threat Hunting, Hunting How-To's, Hunter's Den

Jan 11, 2017 8:00:00 AM

Threat Hunter Profile - Katie Horne


Name: Katie Horne

Organization: GoSecure

Years hunting: 2

Favorite datasets: Network flow, application level data, firewall/switch/AP logs, file/process data, Windows event logs

Favorite hunting techniques: Searching, grouping, intel analysis

Favorite tools: Suricata, SpamScope, Sagan, STIX, honeypots (cowrie, YALIH)


Read More

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Jan 5, 2017 8:00:00 AM

Demystifying Threat Hunting Concepts

By Josh Liburdi

This post is about demystifying threat hunting concepts that seem to trip up practitioners and outsiders. If the summary in the TLDR below seems appealing, then please continue to the meat of the post.


  • Threat hunting doesn’t have to be complex, but it’s not for everyone
  • Knowing how to begin and end a hunt is more important than knowing how to carry out a hunt
  • If you need a place to start, look at trends in the threat landscape and focus on threats that you do not have automated alerts/detections for
  • Hunting is a creative process that rewards those who take chances
  • Finish with something, anything actionable — so long as it provides value

All set?

Read More

Topics: Cyber Hunting, Threat Hunting

Dec 21, 2016 10:30:00 AM

Threat Hunter Profile - Eric Cole


Name: Eric Cole

Organization: Secure Anchor Consulting

Years hunting: 10+

Favorite datasets: Firewall and router logs, Netflow, Windows logs and Syslog

Favorite hunting techniques: Connection analysis, kill chain orientation

Favorite tools: Wireshark, Bro, Perl, Powershell, Custom Tools


Read More

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Dec 7, 2016 12:15:08 PM

Threat Hunter Profile - Travis Barlow


Name: Travis Barlow

Organization: GoSecure

Years hunting: 7

Favorite datasets: Firewall/Switch/Server logs, DNS logs, Netflow Data

Favorite hunting techniques: Endpoint behavior analysis, DNS analysis

Favorite tools: Suricata, Wireshark, Bro, Grimm, Log Intrusion Detection tool sets


Read More

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile

Nov 23, 2016 8:00:00 AM

Threat Hunter Profile - Alan Orlikoski


Name: Alan Orlikoski

Organization: Oracle

Years hunting: 3

Favorite datasets: Network data (Bro), stacked Appcompat, shimcache, Windows Powershell event logs, bash shell history files

Favorite hunting techniques: Data traversal analysis, daily dynamic list creation, kill chain analysis

Favorite tools: Log Parser, CCF-VM, Logstash, Python, command line (grep, head, tail, sed, awk)


Read More

Topics: Cyber Hunting, Threat Hunting, Threat Detection, Hunter Profile