Author Archives: Sqrrl Team
Threat hunting is one of the fastest-growing information security practices today. But what really defines threat hunting, and how did the practice start?
Cyber threat hunting is the proactive, iterative search through networks and datasets for threats that evade existing automated tools. Determining the tactics, techniques and procedures (TTPs) an adversary uses is hard precisely because there is rarely a roadmap for a hunt. Beyond an understanding of data science and some programming experience, the hunter therefore needs a fundamental curiosity about the data and an understanding of how adversaries operate. With those skills, hunters set about finding the needle in the haystack.
How do you prioritize hunting across network and endpoint data? What is the best way to obtain IOCs to orient your hunts? In this interview, we talk to Sqrrl's resident security subject matter expert, Ryan Nollette, about his tips for gathering, analyzing, and applying data when threat hunting.
As malware continues to proliferate and grow more sophisticated, maintaining visibility into your network is more important than ever. In this interview, we cover methods for improving visibility, as well as ways that threat hunting can augment your SIEM.
Sqrrl Enterprise 2.8 introduces an enhanced risk framework and new analytic tools intended to simplify and speed up threat hunting. The framework lets analysts build their own threat hunting analytics ("risk triggers") without writing any code. It is extensible, and now includes triggers that enrich Sqrrl's built-in analytics with correlated information from external sources of risk, such as SIEM alerts and threat intelligence feeds, for every user, IP address, host, and domain in the organization.
Data sources: PowerShell transcripts, Sysmon, firewall and host logs
Preferred hunting techniques: anomaly detection and offensive countermeasures
Tools: Carbon Black Response, Security Onion, ADHD (Active Defense Harbinger Distribution) and Kibana
Alan Orlikoski has over 15 years of experience in both the private and public sectors of the IT industry. He has designed and implemented defense solutions for government and Fortune 100 companies. He has more recently participated on teams tasked to assess and advise Fortune 100 clients, with a focus on maturing an organization’s ability to more quickly and effectively detect, respond to, and contain targeted attacks.
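As an added example of the anomaly-detection style of hunt named in the profile above, the block below runs a frequency-of-occurrence ("stacking") analysis over Sysmon process-creation (Event ID 1) records and then applies a small, hand-written risk score of the kind an analyst might encode as a custom hunting analytic. This is illustrative code written for this page; it is not Sqrrl Enterprise's analytics nor code from Carbon Black Response, Security Onion, ADHD or Kibana. The events are constructed by hand to resemble Sysmon fields (Computer, ParentImage, Image, CommandLine), and the scoring weights and the threshold are assumptions chosen for the demonstration.

```python
"""Stacking hunt over constructed Sysmon-style process-creation events.

Illustrative code added for this page, not the code of any product named on it.
Field names mirror Sysmon Event ID 1; the sample records are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]


def _base(path: str) -> str:
    """Lower-cased file name of an image path (Sysmon records full paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed fleet of four workstations running the same baseline software.
SAMPLE_EVENTS: List[Event] = []
for host in ("ws01", "ws02", "ws03", "ws04"):
    SAMPLE_EVENTS += [
        {"Computer": host, "ParentImage": r"C:\Windows\System32\services.exe",
         "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
        {"Computer": host, "ParentImage": r"C:\Windows\explorer.exe",
         "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         "CommandLine": '"WINWORD.EXE" /n'},
    ]
# Benign but rare: one user opened Notepad from Explorer on a single host.
SAMPLE_EVENTS.append({"Computer": "ws02", "ParentImage": r"C:\Windows\explorer.exe",
                      "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"})
# Suspicious and rare: Word spawning an encoded PowerShell command on one host.
SAMPLE_EVENTS.append({"Computer": "ws03",
                      "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                      "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"})


def stack_parent_child(events: List[Event]) -> Dict[Tuple[str, str], Set[str]]:
    """Stack events by (parent, child) image name, recording the hosts each pair appears on."""
    hosts_by_pair: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        hosts_by_pair[(_base(e["ParentImage"]), _base(e["Image"]))].add(e["Computer"])
    return hosts_by_pair


def rare_pairs(events: List[Event], max_hosts: int = 1):
    """The least-frequent end of the stack: pairs seen on at most max_hosts hosts.

    Rarity alone is a triage queue, not a verdict: the benign notepad.exe pair
    surfaces here alongside the suspicious one.
    """
    stacked = stack_parent_child(events)
    return sorted((pair, sorted(h)) for pair, h in stacked.items() if len(h) <= max_hosts)


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# PowerShell accepts abbreviated parameter names, so match the common prefixes too.
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\b", re.IGNORECASE)


def score_event(event: Event, stacked: Dict[Tuple[str, str], Set[str]]) -> int:
    """Assumed risk score: fleet rarity plus two behavioural conditions (weights are illustrative)."""
    parent, child = _base(event["ParentImage"]), _base(event["Image"])
    score = 0
    if len(stacked[(parent, child)]) <= 1:          # pair seen on one host at most
        score += 1
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:  # Office app launching a script host
        score += 2
    if child == "powershell.exe" and ENCODED_FLAG.search(event["CommandLine"]):
        score += 2                                   # encoded command line
    return score


def hunt(events: List[Event], threshold: int = 3):
    """Return (host, parent, child, score) for events scoring at or above the threshold."""
    stacked = stack_parent_child(events)
    hits = []
    for e in events:
        s = score_event(e, stacked)
        if s >= threshold:
            hits.append((e["Computer"], _base(e["ParentImage"]), _base(e["Image"]), s))
    return hits


if __name__ == "__main__":
    for pair, hosts in rare_pairs(SAMPLE_EVENTS):
        print("rare:", pair, hosts)
    for hit in hunt(SAMPLE_EVENTS):
        print("hit:", hit)
```

Run against real Sysmon data, the stacking step is what makes the hunt iterative: the analyst reads the rare end of the stack, adds a condition for whatever looks wrong (here, an Office parent and an encoded command line), and re-runs. The weights are deliberately crude; the point is that fleet-wide prevalence is computed from the data itself rather than from a signature.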
Data sources: malware repositories, passive DNS, domain WHOIS
Preferred hunting techniques: link analysis, malware analysis, link exploration
Tools: VirusTotal, PassiveTotal, DomainTools, internal collection tools
© 2017 Sqrrl Data, Inc. All rights reserved.
Sqrrl Enterprise is the most secure operational data store for massive amounts of structured, semi-structured, and unstructured data. It is the only NoSQL solution that scales elastically to tens of petabytes of data and that has fine-grained security controls. Sqrrl Enterprise enables development of real-time applications on top of Big Data and supports a wide variety of analytics including search, SQL, and graphs.
Sqrrl Enterprise is built on top of the open source projects Apache Accumulo and Hadoop. Accumulo was originally developed by the National Security Agency and is used by a variety of government agencies and companies to tackle some of the largest and most complex datasets in the world.
Sqrrl Enterprise can be used to power real-time applications for Big Data (i.e., Big Apps) in a variety of industries that have massive amounts of data and strong security or privacy requirements, such as healthcare, finance, cybersecurity, telecommunications, and government.