Monthly Archives: March 2017


Threat Hunter Profile – Ryan Nolette

Ryan Nolette


Years Hunting

Preferred Datasets
Process execution, process parentage, registry key modification/creation, IDS/IPS logs, Bro, firewall logs

Preferred Hunting Techniques
Daily dynamic list creation, OODA looping, data traversal analysis

Preferred Tools
Bro, Snort, Suricata, Sqrrl, volatility, nmap, Wireshark, REMnux, SIFT, PFsense, malzilla


The Nuts and Bolts of Detecting DNS Tunneling

DNS-based attacks have been commonly used since the early 2000’s, but over 40% of firms still fall prey to DNS tunneling attacks. Tunneling attacks originate from uncommon vectors, so traditional automated tools like SIEMs have difficulty detecting them, but they also must be found in massive sets of DNS data, so hunting for tunneling manually can be challenging as well. So, how can we use more advanced analytic techniques to isolate these adversary behaviors? In a different publication we covered Domain Generation Algorithms and what the best sources are for detecting them. In this piece, we’ll be covering how best to sniff out malicious DNS tunneling on your network.