Varying degrees of attacking back have been hotly debated for years, with objections ranging from fear of retaliation to collateral damage. Proponents claim that what we as a security collective have been doing for years is simply not working. The truth is, breach after breach is reported despite the millions, if not billions, of dollars organizations spend to secure their assets. I will not try to settle the debate here; however, as a threat hunter, there are certain areas of Offensive Countermeasures, or Active Defense, that can readily be used to track down an adversary, ideally before any real damage occurs.
In the first part of this series, I discussed how suspicious file types could lead to the discovery of malicious activity. I also discussed how to hunt for suspicious file types traversing your network using data sources like HTTP proxy events. In this article, I’ll continue our focus on hunting for suspicious file types by examining the presence and execution of files on the host. I’ll also discuss additional steps you can take to help investigate suspicious file types once you’ve discovered them on your network or systems.
Today we are announcing an exciting new partnership with Deloitte in support of their Managed Threat Hunting Services. This partnership reflects our firm belief that threat hunting services will benefit organizations of all hunting maturity levels. As we work with
In our Boston BSides 2016 talk, David Bianco and I briefly mentioned the use of isolation forests to find unusual behavior in cybersecurity log files. Today, we will take a deeper dive into the techniques that we experimented with. These experiments were run in collaboration with Dimitar Karev, our RSI intern. The results we present here are also discussed in a paper that Dimitar wrote for CompSysTech’17. In our experiments, we look at HTTP log data to explore isolation forests’ capability to find malicious outliers under various conditions. We also explore tuning the algorithm parameters and feature space to produce optimal results.
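To make the technique concrete, here is an added, self-contained isolation forest run over a handful of proxy log lines. It is an illustration written for this page, not code from the Sqrrl experiments or from the CompSysTech’17 paper: the log lines are constructed, the five features (URL length, bytes, status, query-parameter count, user-agent length), the parameter names `n_trees`/`sample_size`, and the planted outlier are all assumptions made for the example. The feature-index constants exist so you can shrink the feature space and watch the outlier disappear from the top of the ranking, which is the feature-space effect the post alludes to.

```python
"""Isolation forest over features from HTTP proxy log lines. Added illustration,
not code from the Sqrrl experiments or the CompSysTech'17 paper; the log lines,
feature set and parameter values below are constructed for the example."""
import math
import random

# Constructed proxy log lines: client, method, URL, status, bytes transferred,
# user agent. The last line is the planted outlier.
UA_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/58.0"
UA_MAC = "Mozilla/5.0 (Macintosh) Safari/604.1"
LOG_LINES = [
    "10.0.0.12 GET http://intranet.example/home 200 5120 " + UA_WIN,
    "10.0.0.12 GET http://intranet.example/css/site.css 200 2211 " + UA_WIN,
    "10.0.0.12 GET http://intranet.example/js/app.js 200 48210 " + UA_WIN,
    "10.0.0.15 GET http://mail.example/inbox?page=2 200 31004 " + UA_MAC,
    "10.0.0.15 GET http://mail.example/inbox?page=3 200 30877 " + UA_MAC,
    "10.0.0.15 POST http://mail.example/send 302 412 " + UA_MAC,
    "10.0.0.21 GET http://www.example.com/ 200 15334 " + UA_WIN,
    "10.0.0.21 GET http://www.example.com/news?id=88&ref=home 200 22901 " + UA_WIN,
    "10.0.0.21 GET http://www.example.com/favicon.ico 404 198 " + UA_WIN,
    "10.0.0.33 GET http://cdn.example.net/img/hero.jpg 200 69650 " + UA_MAC,
    "10.0.0.33 GET http://intranet.example/wiki/Onboarding 200 17712 " + UA_MAC,
    "10.0.0.40 GET http://search.example.com/?q=quarterly+report 200 26400 " + UA_WIN,
    "10.0.0.40 GET http://search.example.com/?q=vpn+setup&lang=en 200 25980 " + UA_WIN,
    "10.0.0.40 POST http://intranet.example/login 302 0 " + UA_WIN,
    # Planted outlier: multi-megabyte POST to a raw IP with a long base64-looking
    # path and a scripting user agent.
    "10.0.0.40 POST http://203.0.113.9/up/" + "Zm9v" * 60 + "?s=1 200 5242880 curl/7.47.0",
]
# Feature order produced by parse_line; pass a subset to rank_anomalies to tune
# the feature space.
URL_LEN, BYTES, STATUS, N_PARAMS, AGENT_LEN = range(5)

def parse_line(line):
    """Turn one log line into a numeric feature vector."""
    _client, _method, url, status, size, agent = line.split(" ", 5)
    query = url.split("?", 1)[1] if "?" in url else ""
    n_params = len(query.split("&")) if query else 0
    return [len(url), int(size), int(status), n_params, len(agent)]

def c_factor(n):
    """Average path length of an unsuccessful BST search on n points; used to
    normalise path lengths (the c(n) of Liu, Ting and Zhou's isolation forest)."""
    if n <= 1:
        return 0.0
    return 1.0 if n == 2 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(rows, depth, max_depth, rng):
    """Split on a random feature at a random cut until points are isolated or
    the depth limit is reached. Leaves carry their size for c_factor."""
    if depth >= max_depth or len(rows) <= 1:
        return ("leaf", len(rows))
    spans = [(min(r[f] for r in rows), max(r[f] for r in rows)) for f in range(len(rows[0]))]
    candidates = [f for f, (lo, hi) in enumerate(spans) if lo < hi]  # constant features cannot split
    if not candidates:
        return ("leaf", len(rows))
    f = rng.choice(candidates)
    cut = rng.uniform(*spans[f])
    left = [r for r in rows if r[f] < cut]
    right = [r for r in rows if r[f] >= cut]
    return ("node", f, cut, build_tree(left, depth + 1, max_depth, rng),
            build_tree(right, depth + 1, max_depth, rng))

def path_length(tree, row, depth=0):
    """Depth at which row reaches a leaf, plus that leaf's expected residual depth."""
    if tree[0] == "leaf":
        return depth + c_factor(tree[1])
    _, f, cut, left, right = tree
    return path_length(left if row[f] < cut else right, row, depth + 1)

class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees, self.sample = [], 0

    def fit(self, rows):
        rng = random.Random(self.seed)
        self.sample = min(self.sample_size, len(rows))
        max_depth = max(1, math.ceil(math.log2(self.sample)))
        self.trees = [build_tree(rng.sample(rows, self.sample), 0, max_depth, rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, row):
        """Anomaly score in (0, 1): close to 1 isolates quickly, about 0.5 is ordinary."""
        avg = sum(path_length(t, row) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / (c_factor(self.sample) or 1.0))

def rank_anomalies(lines, features=(URL_LEN, BYTES, STATUS, N_PARAMS, AGENT_LEN),
                   n_trees=100, seed=7):
    """Score every line and return [(score, index, line)], most anomalous first."""
    rows = [[parse_line(line)[f] for f in features] for line in lines]
    forest = IsolationForest(n_trees=n_trees, seed=seed).fit(rows)
    scored = [(forest.score(r), i, lines[i]) for i, r in enumerate(rows)]
    return sorted(scored, key=lambda t: t[0], reverse=True)
```

`rank_anomalies(LOG_LINES)` puts the planted POST at the top with a score well above the 0.5 that ordinary points settle around, because three of its five features sit far outside the range of everything else and a random cut isolates it in one or two splits. Calling `rank_anomalies(LOG_LINES, features=(STATUS, N_PARAMS))` removes it from the top: on those two features the outlier is indistinguishable from several benign requests, so no tree can ever isolate it. That is the practical point about feature space: the algorithm only finds what the features expose. `n_trees` and `sample_size` are the two parameters most worth tuning; more trees reduce score variance, and a smaller sub-sample lets each tree isolate anomalies at shallower depth on large logs.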
In the spirit of the season I thought I would share a few things I am thankful for this year as a security practitioner: Family: While often not mentioned in many security blogs, family plays a large role in the success
“How do I hunt?” is the instinctual first question uttered by anyone with a mind to build a threat hunting program. Any answer should, like all good philosophies, change over time: you get new information, gain new experiences, and so on. The only sure answer is never a singular one. Any threat hunting initiative is a daunting task. This stuff is hard. It’s not even the actual technical competencies that are hard; it’s the logistics of it all. This post endeavors to define a starting point by offering varied plans of attack, how they influence the success of a hunt team, and how Sqrrl can help with those plans.
We’ve all had the paranoia that someone is listening to our phone conversations. You mean you’ve never heard that clicking noise or heavy breathing that isn’t coming from the primary conversation? Okay, maybe I’m just paranoid. In many organizations, the
Sqrrl Enterprise is the most secure operational data store for massive amounts of structured, semi-structured, and unstructured data. It is the only NoSQL solution that scales elastically to tens of petabytes of data and that has fine-grained security controls. Sqrrl Enterprise enables development of real-time applications on top of Big Data and supports a wide variety of analytics including search, SQL, and graphs.
Sqrrl Enterprise is built on top of the open source projects Apache Accumulo and Hadoop. Accumulo was originally developed by the National Security Agency and is used by a variety of government agencies and companies to tackle some of the largest and most complex datasets in the world.
Sqrrl Enterprise can be used to power real-time applications for Big Data (i.e., Big Apps) in a variety of industries that have massive amounts of data and strong security or privacy requirements, such as healthcare, finance, cybersecurity, telecommunications, and government.