Author Archives: Sqrrl Team

Hunting for Needles in Haystacks

Cyber threat hunting involves proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools. Yet, determining the Tactics, Techniques and Procedures (TTPs) used by adversaries is challenging for the very reason that there is often no roadmap that can be used to hunt. Instead, the role of hunter requires, in addition to an understanding of data science and some programming experience, a fundamental curiosity about the data and an understanding of how the bad guys work. It is with these skills that cyber threat hunters set about trying to find a needle in a haystack.

Arm Your Threat Hunters with Self-Service Analytics

The new Sqrrl Enterprise 2.8 introduces an enhanced risk framework and powerful new analytic tools to simplify, accelerate, and amplify threat hunting. The new framework empowers analysts to create their own custom-built threat hunting analytics (“risk triggers”) without having to write any code. The extensible framework also now includes triggers which enrich Sqrrl’s built-in analytics by incorporating correlated information from external sources of risk like SIEM alerts and threat intelligence feeds for every user, IP address, host, and domain inside the organization.

Filling in Threat Detection Gaps: a Q&A Interview with Danny Akacki

Key Takeaways:

  • Embrace “purple teaming.” The best SOCs have red team and blue team analysts who coordinate closely with each other and share information.
  • A good way to establish baselines for network behaviour is to use logs to build a timeline of events. This can serve as a useful jumping-off point for pivoting through data.
  • Hunting is useless without documentation. There’s no use going down rabbit holes without having data to feed back into your program. You need to be able to retrace your incident investigation steps.

The Best Data Sources and Basic Techniques For Threat Hunting

Key Takeaways:

  • Contextual data is important, but a lot of success can be gained by gathering relatively simple forms of data. For example, flow data and Bro logs can be analyzed with tools like SiLK and FlowBAT to create a comprehensive picture of your network that is very conducive to hunting.
  • SOCs should take steps to avoid information siloing, especially when deployment groups within an organization are geographically separated.
  • Hunting can be challenging, but is by no means impossible. A lot of good work can be done by getting set up with simple tools and expanding from there.  In other words, “Find weirdness in all that data and you’ll learn a lot.”
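As an added illustration of the two takeaways above (baselining simple data and “finding weirdness”, then pivoting into a per-host timeline as the earlier Q&A suggests), here is a small hunting pass over flow records. This is example code written for this page, not code from the Sqrrl posts and not part of SiLK or FlowBAT. The flow records are constructed, the pipe-delimited column layout is an assumption modelled loosely on `rwcut` output, and the thresholds (`min_hosts`, `min_flows`, `max_cv`) are illustrative starting points rather than recommended values.

```python
"""
Added example (not from the Sqrrl posts or SiLK/FlowBAT): a minimal hunt over
constructed, SiLK-style flow records. It builds a simple baseline and surfaces
two kinds of "weirdness": destination ports that only one internal host ever
talks to, and connections to the same host/port that recur at a near-constant
interval (beacon-like). A timeline helper supports pivoting from a hit.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real traffic). Column layout is an assumption
# loosely modelled on rwcut output: sIP|dIP|sPort|dPort|pro|bytes|sTime
FLOW_RECORDS = """\
sIP|dIP|sPort|dPort|pro|bytes|sTime
10.0.0.5|93.184.216.34|51000|443|6|2200|2017/03/01T10:00:00
10.0.0.5|93.184.216.34|51001|443|6|2100|2017/03/01T10:05:00
10.0.0.5|93.184.216.34|51002|443|6|2300|2017/03/01T10:10:00
10.0.0.5|93.184.216.34|51003|443|6|2150|2017/03/01T10:15:00
10.0.0.5|93.184.216.34|51004|443|6|2250|2017/03/01T10:20:00
10.0.0.7|198.51.100.20|49152|443|6|8000|2017/03/01T10:03:00
10.0.0.7|198.51.100.21|49153|80|6|15000|2017/03/01T10:41:00
10.0.0.9|198.51.100.22|49200|443|6|9000|2017/03/01T11:02:00
10.0.0.9|198.51.100.22|49201|80|6|3000|2017/03/01T11:30:00
10.0.0.9|203.0.113.9|49202|4444|6|500|2017/03/01T12:00:00
10.0.0.11|198.51.100.23|49300|443|6|7000|2017/03/01T13:15:00
"""


def parse_flows(text):
    """Parse pipe-delimited records (header row first) into a list of dicts."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    flows = []
    for line in lines[1:]:
        fields = dict(zip(header, (f.strip() for f in line.split("|"))))
        # rwcut-style timestamps may carry .mmm; drop the fractional part.
        stamp = fields["sTime"].split(".")[0]
        flows.append({
            "sIP": fields["sIP"], "dIP": fields["dIP"],
            "sPort": int(fields["sPort"]), "dPort": int(fields["dPort"]),
            "proto": int(fields["pro"]), "bytes": int(fields["bytes"]),
            "sTime": datetime.strptime(stamp, "%Y/%m/%dT%H:%M:%S"),
        })
    return flows


def rare_destination_ports(flows, min_hosts=2):
    """Baseline which source hosts use which destination port; ports used by
    fewer than min_hosts distinct sources are 'weird' by rarity alone."""
    hosts_by_port = defaultdict(set)
    for f in flows:
        hosts_by_port[f["dPort"]].add(f["sIP"])
    return {p: h for p, h in hosts_by_port.items() if len(h) < min_hosts}


def beacon_candidates(flows, min_flows=4, max_cv=0.1):
    """Flag (sIP, dIP, dPort) tuples whose flows recur at a near-constant
    interval: coefficient of variation of inter-arrival gaps <= max_cv.
    Returns a list of ((sIP, dIP, dPort), mean_gap_seconds)."""
    stamps_by_key = defaultdict(list)
    for f in flows:
        stamps_by_key[(f["sIP"], f["dIP"], f["dPort"])].append(f["sTime"])
    hits = []
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_flows:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((key, avg))
    return hits


def timeline_for_host(flows, host):
    """Pivot: chronological (time, dIP, dPort, bytes) for one source host."""
    return sorted(
        (f["sTime"], f["dIP"], f["dPort"], f["bytes"])
        for f in flows if f["sIP"] == host
    )


if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    print("rare destination ports:", rare_destination_ports(flows))
    print("beacon candidates:", beacon_candidates(flows))
    for entry in timeline_for_host(flows, "10.0.0.9"):
        print("  ", *entry)
```

On the constructed data the rarity check surfaces the single host talking to port 4444, and the periodicity check surfaces the host contacting the same address on 443 every five minutes; neither is proof of compromise, which is why the timeline helper exists: a hit is a place to start pivoting, and the investigation steps from there should be documented.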

Building a High-Performing Hunt Team

Alan Orlikoski has over 15 years of experience in both the private and public sectors of the IT industry. He has designed and implemented defense solutions for government and Fortune 100 companies. He has more recently participated on teams tasked to assess and advise Fortune 100 clients, with a focus on maturing an organization’s ability to more quickly and effectively detect, respond to, and contain targeted attacks.