Threat Hunter Profile – Keith Gilbert
Malware Repositories, Passive DNS, Domain Whois
Preferred Hunting Techniques
Link Analysis, malware analysis, link exploration
VirusTotal, PassiveTotal, DomainTools, internal collection tools
Who are you?
Hello, my name is Keith Gilbert and I recently joined Sqrrl as a Security Technologist assisting in directing product features, integrations, and capabilities.
I started my career as a forensic analyst and pivoted through a few roles. For the last 5 years, I’ve been in Threat Intelligence roles supporting Incident Responders or customers with intel production.
Why do you hunt and what is your experience hunting?
For the majority of my career, my threat hunting has been focused on outward sources and techniques. This provides a bit of a different perspective while maintaining a similar role as hands-on defenders: identifying unknown activity within a given collection of data sets.
How would you define threat hunting?
Examining data sets to identify otherwise unknown activity of potential interest.
I leave the definition intentionally vague for a few reasons:
1.) Determining that a set of activity is not of interest is valid and useful.
2.) Data sets vary across organizations.
3.) Hunting should be primarily independent of atomic indicators.
4.) Activity can be of interest, but not be malicious.
What hunting techniques, tools, and datasets do you use most frequently?
With my prior area of focus, I made extensive use of external data sets for passive DNS, malware information, and infrastructure registration information. This data served as the basis for building context around malicious activity of interest. A common method that I used to connect the data to build the initial contextual picture is link analysis. A repetitive collection and pruning process can help quickly build out relevant data sets.
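An added illustration of the collection-and-pruning loop described in this answer (example code, not the interviewee's or Sqrrl's; every domain, IP and registrant address below is constructed): breadth-first pivoting over passive DNS and whois links, where a pivot that fans out to too many nodes (a shared hosting IP, a privacy-proxy registrant) is recorded as a link but never expanded through.

```python
from collections import deque
# Constructed sample data standing in for passive DNS and whois lookups.
PDNS = {  # domain -> IPs seen in passive DNS
    "seed-domain.example": {"203.0.113.10"},
    "update-cdn.example": {"203.0.113.10", "203.0.113.11"},
    "news-portal.example": {"203.0.113.11", "198.51.100.5"},
    "shop-a.example": {"198.51.100.5"},
    "shop-b.example": {"198.51.100.5"},
    "shop-c.example": {"198.51.100.5"},
}
WHOIS = {  # domain -> registrant e-mail
    "seed-domain.example": "registrant1@mail.example",
    "news-portal.example": "registrant1@mail.example",
    "update-cdn.example": "privacy@proxy.example",
    "shop-a.example": "privacy@proxy.example",
    "shop-b.example": "privacy@proxy.example",
    "shop-c.example": "privacy@proxy.example",
}

def build_index(pdns, whois):
    """Bidirectional adjacency: domain <-> IP (pDNS) and domain <-> registrant (whois)."""
    adj = {}
    def link(a, b):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    for domain, ips in pdns.items():
        for ip in ips:
            link(domain, ip)
    for domain, email in whois.items():
        link(domain, email)
    return adj

def expand(seed, adj, max_depth=3, max_fanout=3):
    """Breadth-first pivoting from a seed indicator. A pivot touching more than
    max_fanout nodes (shared hosting IP, privacy-proxy registrant) is kept as a
    link but not expanded, so unrelated infrastructure stays out of the graph."""
    seen, edges, pruned = {seed}, [], set()
    queue = deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for nxt in sorted(adj.get(node, set()) - seen):
            seen.add(nxt)
            edges.append((node, nxt))
            if len(adj[nxt]) > max_fanout:
                pruned.add(nxt)  # record the link, do not pivot through it
            else:
                queue.append((nxt, depth + 1))
    return seen, edges, pruned  # nodes reached, pivot edges, pruned pivots
```

Running `expand("seed-domain.example", build_index(PDNS, WHOIS))` links the seed to update-cdn and news-portal through a shared IP and a shared registrant, while the four-domain hosting IP and the privacy-proxy address are flagged as pruned pivots and the unrelated shop domains never enter the graph.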
What value do you actively see come out of your hunting activities?
In my prior roles as an Intel Analyst, the primary value in the work was in helping bolster the defensive capability of others. When working with responders, there was direct influence on response activity based on data uncovered.
What types of intelligence are most useful for a hunter to have in an investigation?
There is a wealth of internal data points that can significantly improve the capability of an organization. Network asset lists and internal passive DNS can greatly decrease the time to identify specific systems involved in interesting activity. Those resources can also allow you to conduct different types of hunts, such as starting with crown jewel analysis.
Diving deeper with network data (i.e., request headers and netflow) and adding high value host data (i.e., specific events and registry changes) then allows you to start building out a more comprehensive data set for your hunts. You can always get more thorough, but you need a strong baseline to be able to adequately determine what is of interest and what is not.
What general advice do you have for new Threat Hunters?
Try to be methodical and make notes as to what questions you’ve asked and how you arrived at useful conclusions. Try to avoid the temptation to freely explore the data you have without a defined purpose. It may be possible to uncover interesting activity that way, but it will not be easily repeatable and it is unlikely to result in generation of additional questions.
What parts of a hunt could you see as being most successfully automated or assisted by automation?
If you’ve found a particular series of events or collection of behaviors that produce high fidelity hits, being able to automate the collection and presentation can be useful in speeding up analysis and making it a recurring analysis. Machines can also assist in highlighting pieces of data or conditions that may be of interest as true outliers.
What would you like to see Threat Hunting develop into across the industry in the future?
I’d love to see hunting become a standard practice across organizations. We have teams that focus on defense, teams that focus on responding to known incidents, and we should also have teams that focus on finding items of interest in the area between those two.