Threat Hunter Profile – Brandon Baxter
Registry data, Process data, Command-line auditing, Netflow
Preferred Hunting Techniques
Visualization, Outlier analysis, Baselining, Stacking
Carbon Black (Response and Protection), Sysmon, Bro, PowerShell, Sqrrl, REMnux
Who are you?
Hello, my name is Brandon Baxter and I recently joined Sqrrl as a Threat Hunter. Aside from threat hunting, I’ll help drive training material and features within the Sqrrl platform.
I began my career in the Air Force doing physical security but quickly realized that I had a passion for security, just not in 120-degree temperatures with sand hitting me in the face. I decided to go back to school and get my degree in Information Assurance after leaving the military.
In InfoSec, my career started out as a SIEM SOC Analyst working with an MSSP supporting operations for various clients over different industry verticals. I advanced into other roles and jobs which included Incident Responder, Malware Analyst, and Threat Hunter.
Why do you hunt and/or how did you get started?
I started my career as a SIEM analyst working with the usual alerts that come out of any SOC environment, just at a larger scale and with different industry verticals. I ran into two different scenarios a lot:
- The SIEM didn’t alert on an incident and I found myself hunting to find some sort of suspicious event(s). After pivoting through different data sources, I attempted to piece together a timeline of events. I was usually limited by what data was going into the SIEM or at the mercy of a signature-based device such as an IDS/IPS or DLP.
- In order to get better automation (correlated SIEM rules) in place, I decided to go look for anomalous activity on client networks to determine if we were missing anything. I started using David Bianco’s Pyramid of Pain model in order to get a better understanding of what data was available to me and what data I needed to answer questions when I would find an incident.
I started to gain ground on malicious activity when comparing network activity against threat intelligence reports. Once I knew what “evil looked like” my hunts started turning up more results. The company invested in some threat intelligence tools and the syslog data coming out of the multiple SIEMs had way more context than ever before. I still found that I wasn’t able to answer every question in an investigation, which led me to find other tools.
I eventually was introduced to the world of EDR products, specifically Carbon Black Response and Crowdstrike. Suddenly, I had even more meaningful data, which led to answering those previously unanswered questions. My eyes were opened to the endpoint/forensic world. Every day I learn something, which is why I love my job and career field.
How would you define Threat Hunting?
I think Matthew Hosburgh’s reference to the modified Carbon Black definition is right on target: “the [proactive] pursuit of abnormal activity on servers and endpoints that may be signs of compromise, intrusion, or exfiltration of data [both from external and internal entities].”
What projects and organizations are you involved with right now?
I’m a SANS facilitator and I’m currently scheduled for the FOR572 class in May. Other than that, I like to tinker in my home lab (which I’m building) and learn new ways to hunt.
Which of the hunts you’ve carried out was the most interesting or challenging?
A client had recently deployed a “next generation” AV product and was getting some interesting alerts but lacked context on what was happening on the network. Doing a simple hunt on certain processes and command line activity associated with those processes revealed lateral movement within the network. The client was simply reimaging certain endpoints but wasn’t getting rid of the compromise. We were able to not only determine the scope of the compromise, but do attribution on the attacker based on TTPs.
What value do you actively see come out of your hunting activities?
- Malicious activity was observed, and an incident was created. Perform root cause analysis and focus on TTPs. During lessons learned, determine the gap in visibility and automate for future activity.
- Non-malicious activity was observed but security risks were discovered. A good example of this is a sysadmin using PsExec to deploy software using cleartext credentials (caching domain admin credentials on the network). Go over best practices and automate detection methods. Go a step further and prevent this activity from happening. Other examples would include misconfigurations.
- Nothing found. You know the activity isn’t taking place on the network from the available data sets. Review sources and determine if there is a better way of detecting your use case. Refine the process with analytics learned in the hunt. Document your findings so others on your team and organization can reference them.
What types of friendly intelligence are most useful for a hunter to have in an investigation? (i.e. not just threat intel feeds, but institutional knowledge and information about your own network)
Knowing what is normal can be your best friend when doing threat hunting in any environment. Baselining network and host-based activity can not only speed up hunting activities but help the overall IT infrastructure team troubleshoot host- or network-based issues.
I specifically like application whitelisting tools like Carbon Black Protection that have a high level of detail on what is going on in your environment. If managed correctly, you know down to the kernel level who is doing what. Combine this knowledge with AD groups/user information and you start to get a better picture of what normal looks like. The first two controls in the CIS Critical Controls reference this in detail.
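As an added illustration, not code from the interview or from Sqrrl, here is how the stacking and baselining techniques listed in this profile look when applied to the process and command-line data it favours: stack process-creation records by parent/child and by command line, surface the keys seen on the fewest hosts, and diff today's telemetry against a baseline. The records are constructed Sysmon-style tuples with hypothetical hostnames, the function names are my own, and the last record reproduces the PsExec-with-cleartext-credentials case from the hunt outcomes above.

```python
from collections import defaultdict

# Constructed Sysmon-style process-creation records (not data from the
# interview): (host, parent_image, image, command_line). Hosts are hypothetical.
BASELINE = [
    ("WS01", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("WS02", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("WS03", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("WS01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("WS02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("WS03", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]
TODAY = BASELINE + [
    ("WS01", "explorer.exe", "cmd.exe", "cmd.exe"),
    ("WS02", "explorer.exe", "cmd.exe", "cmd.exe"),
    # The non-malicious-but-risky case from the interview: an admin pushing
    # software with PsExec and a cleartext password on the command line.
    ("WS02", "cmd.exe", "psexec.exe",
     r"psexec.exe \\WS03 -u CORP\svc_deploy -p <redacted> setup.exe"),
]

def by_parent_child(e):
    return (e[1], e[2])
def by_cmdline(e):
    return e[3]

def stack(events, key_fn):
    """Stack events by key: total occurrences and the distinct hosts seen."""
    counts, hosts = defaultdict(int), defaultdict(set)
    for e in events:
        k = key_fn(e)
        counts[k] += 1
        hosts[k].add(e[0])
    return {k: (counts[k], sorted(hosts[k])) for k in counts}

def rare(events, key_fn, max_hosts=1):
    """Outlier analysis: keys present on max_hosts or fewer hosts, rarest first."""
    stacked = stack(events, key_fn)
    return sorted((k for k, (_, h) in stacked.items() if len(h) <= max_hosts),
                  key=lambda k: (len(stacked[k][1]), stacked[k][0]))

def new_since_baseline(baseline, current, key_fn):
    """Baselining: keys in current telemetry that never appeared in the baseline."""
    known = set(stack(baseline, key_fn))
    return sorted(k for k in stack(current, key_fn) if k not in known)

def cleartext_credential_flags(events):
    """PsExec launches that pass a password (-p) on the command line."""
    return [e for e in events if "psexec" in e[2].lower() and " -p " in e[3].lower()]
```

Swap the constructed lists for a day's process-creation export and the same three calls give the stack, the low-prevalence outliers, and the "new today" set to review.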
What general advice do you have for new Threat Hunters?
Get to know your data sources and start to measure what information you need to do a successful hunt. More importantly, know the data sources or logging levels needed in order to be successful (especially with crown jewel assets). Get additional training in either host- or network-based forensics (or both) and always learn something each and every day. Think like an attacker and know what they might be after. Document your findings and network with other parts of the organization (IT Operations). A helpful sysadmin can be your best friend when normalizing events.
What hunting procedure would you recommend for a new Threat Hunter?
I prefer endpoint data (process, registry, command-line) but start with what you know. If you really know flow data, start by going to The ThreatHunting Project and work with what data you have. Be mindful to document any sources where you can’t answer your hypothesis. Help drive visibility by learning log levels for different devices so you have the context needed to answer the hard questions.
What would you like to see Threat Hunting develop into across the industry in the future?
A formalized job within a SOC that includes ways to measure the effectiveness of visibility (logging levels), technology (normalization of events from data sources), and processes.