Author Archives: Sqrrl Team


Threat Hunter Profile – Jordan Wigley

Name
Jordan Wigley

Organization
Fortune 50 Company

Years Hunting
5

Preferred Datasets
Full packet capture, Proxy logs, DNS logs, Endpoint data

Preferred Hunting Techniques
Baselining, Outlier analysis, Behavioral analysis

Preferred Tools
NetWitness, Splunk, Wireshark


Threat Hunter Profile – Brandon Baxter

Name
Brandon Baxter

Organization
Sqrrl

Years Hunting
4

Preferred Datasets
Registry data, Process data, Command-line auditing, Netflow

Preferred Hunting Techniques
Visualization, Outlier analysis, Baselining, Stacking

Preferred Tools
Carbon Black (Response and Protection), Sysmon, Bro, PowerShell, Sqrrl, REMnux


Threat Hunter Profile – Bilal Malik

Name
Bilal Malik

Organization
Stroz Friedberg

Preferred Datasets
DNS, HTTP, Proxy, connection logs and Windows endpoint logs

Preferred Hunting Techniques
Visualization, Outlier analysis

Preferred Tools
Unix command line, custom scripts, Tanium/Carbon Black, Bro, ELK/Splunk, RITA


Threat Hunting for Needles in Haystacks

Cyber threat hunting involves proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools. Yet, determining the Tactics, Techniques and Procedures (TTPs) used by adversaries is challenging for the very reason that there is often no roadmap that can be used to hunt. Instead, the role of hunter requires, in addition to an understanding of data science and some programming experience, a fundamental curiosity about the data and an understanding of how the bad guys work. It is with these skills that cyber threat hunters set about trying to find a needle in a haystack.


Threat Hunter Profile – Keith Gilbert

Name
Keith Gilbert

Organization
Sqrrl

Years Hunting
5

Preferred Datasets
Malware Repositories, Passive DNS, Domain Whois

Preferred Hunting Techniques
Link Analysis, malware analysis, link exploration

Preferred Tools
VirusTotal, PassiveTotal, DomainTools, internal collection tools


Threat Hunter Profile – Pietro Bempos

Name
Pietro Bempos

Organization
Zurich Insurance

Years Hunting
1

Preferred Datasets
Endpoint logs/process data, Windows event logs, DNS logs, server application logs

Preferred Hunting Techniques
Threat mapping, IP stacking (outlier detection), asset prioritization and investigation

Preferred Tools
Linux command line, custom scripting (Python and Bash), custom tools


Threat Hunter Profile – James Bower

Name
James Bower

Organization
Quantum Security

Years Hunting
10

Preferred Datasets
Bro logs, DNS, HTTP proxy logs, Sysmon and OSSEC

Preferred Hunting Techniques
Outbound traffic analysis, Stacking (outlier detection), process and registry change analysis, temporal baselining

Preferred Tools
Bro, Unix commands (grep, sed, awk), TShark, Splunk