Author Archives: Sqrrl Team

The Best Data Sources and Basic Techniques For Threat Hunting

Key Takeaways:

  • Contextual data is important, but a lot of success can be gained by gathering relatively simple forms of data. For example, flow data and Bro logs can be analyzed with tools like FlowBAT and SiLK to build a comprehensive picture of your network that is well suited to hunting.
  • SOCs should take steps to avoid information siloing, especially when deployment groups within an organization are geographically separated.
  • Hunting can be challenging, but it is by no means impossible. A lot of good work can be done by getting set up with simple tools and expanding from there. In other words, “Find weirdness in all that data and you’ll learn a lot.”

Building a High-Performing Hunt Team

Alan Orlikoski has over 15 years of experience in both the private and public sectors of the IT industry. He has designed and implemented defense solutions for government and Fortune 100 companies. He has more recently participated on teams tasked to assess and advise Fortune 100 clients, with a focus on maturing an organization’s ability to more quickly and effectively detect, respond to, and contain targeted attacks.

Threat Hunter Profile – Pietro Bempos

Name
Pietro Bempos

Organization
Zurich Insurance

Years Hunting
1

Preferred Datasets
Endpoint logs/process data, Windows event logs, DNS logs, server application logs

Preferred Hunting Techniques
Threat mapping, IP stacking (outlier detection), asset prioritization and investigation

Preferred Tools
Linux command line, custom scripting (Python and Bash), custom tools

3 Reasons the Next NIST Update Should Include Threat Hunting

Are we giving our automated security tools too much credit for threat detection? Nearly half of all threats (44%) go undetected by automated security tools, according to a recent LinkedIn poll of the 360,000+ member InfoSec Community. Here’s why Sqrrl is arguing that human-driven analysis should be added to the list of “appropriate activities to identify the occurrence of a cybersecurity event”.

Threat Hunter Profile – James Bower

Name
James Bower

Organization
Quantum Security

Years Hunting
10

Preferred Datasets
Bro logs, DNS, HTTP proxy logs, Sysmon and OSSEC

Preferred Hunting Techniques
Outbound traffic analysis, Stacking (outlier detection), process and registry change analysis, temporal baselining

Preferred Tools
Bro, Unix commands (grep, sed, awk), TShark, Splunk

Threat Hunter Profile – Ryan Nolette

Name
Ryan Nolette

Organization
Sqrrl

Years Hunting
7

Preferred Datasets
Process execution, process parentage, registry key modification/creation, IDS/IPS logs, Bro, firewall logs

Preferred Hunting Techniques
Daily dynamic list creation, OODA looping, data traversal analysis

Preferred Tools
Bro, Snort, Suricata, Sqrrl, Volatility, nmap, Wireshark, REMnux, SIFT, pfSense, Malzilla

The Nuts and Bolts of Detecting DNS Tunneling

DNS-based attacks have been in common use since the early 2000s, yet over 40% of firms still fall prey to DNS tunneling attacks. Tunneling attacks arrive through uncommon vectors, so traditional automated tools like SIEMs have difficulty detecting them; at the same time, the evidence is buried in massive sets of DNS data, so hunting for tunneling manually is challenging as well. So, how can we use more advanced analytic techniques to isolate these adversary behaviors? In a different publication we covered Domain Generation Algorithms and the best data sources for detecting them. In this piece, we’ll cover how best to sniff out malicious DNS tunneling on your network.