Author Archives: Sqrrl Team

Threat Hunter Profile – Brandon Baxter

Name
Brandon Baxter

Organization
Sqrrl

Years Hunting
4

Preferred Datasets
Registry data, Process data, Command-line auditing, Netflow

Preferred Hunting Techniques
Visualization, Outlier analysis, Baselining, Stacking

Preferred Tools
Carbon Black (Response and Protection), Sysmon, Bro, PowerShell, Sqrrl, REMnux

Threat Hunting for Needles in Haystacks

Cyber threat hunting involves proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools. Yet, determining the Tactics, Techniques and Procedures (TTPs) used by adversaries is challenging for the very reason that there is often no roadmap that can be used to hunt. Instead, the role of hunter requires, in addition to an understanding of data science and some programming experience, a fundamental curiosity about the data and an understanding of how the bad guys work. It is with these skills that cyber threat hunters set about trying to find a needle in a haystack.

Threat Hunter Profile – Pietro Bempos

Name
Pietro Bempos

Organization
Zurich Insurance

Years Hunting
1

Preferred Datasets
Endpoint logs/process data, Windows event logs, DNS logs, server application logs

Preferred Hunting Techniques
Threat mapping, IP stacking (outlier detection), asset prioritization and investigation

Preferred Tools
Linux command line, custom scripting (Python and Bash), custom tools

Threat Hunter Profile – James Bower

Name
James Bower

Organization
Quantum Security

Years Hunting
10

Preferred Datasets
Bro logs, DNS, HTTP proxy logs, Sysmon and OSSEC

Preferred Hunting Techniques
Outbound traffic analysis, Stacking (outlier detection), process and registry change analysis, temporal baselining

Preferred Tools
Bro, Unix commands (grep, sed, awk), TShark, Splunk