USE CASE: CYBER HUNTING
Proactively uncover hidden threats through cyber hunting
The days when Security Operations Center analysts could sit back and wait for alerts to come to them have
long passed. Breaches and attacks at large companies and government agencies have shown that traditional
measures like firewalls, IDS, and SIEMs are not enough. While these measures are still important, today’s
threats demand a more active role in detecting and isolating sophisticated attacks.
Hunting is the practice of searching iteratively through your data to detect and isolate advanced threats that
evade more traditional security solutions. In other words, hunting trips are designed to proactively uncover
threats hidden in a network or system.
The Sqrrl Enterprise Edge
Sqrrl Enterprise is a real-time, unified platform for securely integrating, exploring, and analyzing massive
amounts of data from any source. By creating visual models using linked data, Sqrrl is able to generate a
clearer contextual picture for analysts.
Sqrrl Enterprise powers cyber hunting via the following features:
• Enables a hunter to filter and prioritize Big Data, employing advanced data science techniques
• Allows pivoting in real time between disparate datasets and distinct parts of a network
• Facilitates iterative question chaining, which streamlines the process of response and investigation
• Generates advanced visualizations consisting of weighted, directional nodes and edges that can provide
compact representations of complex, dense datasets
Example Advanced Persistent Threat Hunting Use Case
Sqrrl was founded in 2012 by creators of Apache Accumulo™. With their roots in the U.S. Intelligence Community, Sqrrl’s founders have deep experience
integrating and analyzing complex petabyte-scale datasets. Sqrrl is headquartered in Cambridge, MA and is a venture-backed company with investors from
Matrix Partners, Atlas Venture, and Rally Ventures.
125 Cambridge Park Dr
Cambridge, MA 02140
p: (617) 902-0784
Leveraging Data Science
Making sense of Big Data is no easy task, and your enterprise will want to keep
as much data as it will be able to store. To actually capitalize on terabytes or even
petabytes of information, you will need a smart and effective way of making sense
of it all. Modern machine learning and statistical tools have the potential to multiply
the effectiveness of a hunter's powers by automating common tasks such as
producing activity summaries or finding the “weird” entities in a dataset. Hunters
need tools, like Sqrrl Enterprise, that provide data science without requiring the
users to be data scientists.
Question Driven Investigations
Hunting trips should start with questions and hypotheses, not necessarily specific
indicators. A question, or a hypothesis you start with might be something like “Is
data exfiltration happening?” or “If there is data exfiltration happening, it’s most
likely going on through this part of the network.” A hunter would then check to see
whether any exfiltration is going through that subnet, and try to figure out what
protocols might be used. There are often multiple ways you can look for the
answers to these questions, but having some hypotheses helps you figure out what
data you need to examine and what analytic techniques might be most fruitful.
Sqrrl Enterprise’s query language makes asking these questions easy.
Keep on Pivoting
Hunting consists of spending a lot of time searching for something that is elusive
by nature. To locate entrenched threats, your hunt needs to be dynamic and
adaptable. Plus, you need to be able to easily pivot from one dataset to the next to
evaluate the full context of the attacker’s digital footprints. This might include
moving from operating system events to Netflow data and then to application logs.
Sqrrl Enterprise is able to support this kind of nimble data exploration.
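As an added example that is not from this brochure or from Sqrrl's product, here is the hunt described in the two sections above worked through in plain Python: start from the question "Is data exfiltration going through this subnet?", flag the hosts whose outbound volume is statistically unusual, then pivot from flow data to OS process events for each flagged host. All flow and process records, the 10.0.0.0/8 internal range, the subnet and the function names are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")  # constructed: the enterprise's own address space

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("10.20.1.10", "203.0.113.5", 443, 12_000),
    ("10.20.1.11", "203.0.113.5", 443, 9_500),
    ("10.20.1.12", "198.51.100.7", 443, 11_000),
    ("10.20.1.13", "198.51.100.7", 443, 10_200),
    ("10.20.1.14", "203.0.113.9", 443, 8_800),
    ("10.20.1.15", "192.0.2.44", 53, 4_100_000),  # large volume over DNS
    ("10.20.1.15", "203.0.113.5", 443, 10_000),
    ("10.30.2.2", "192.0.2.44", 53, 9_000_000),   # outside the hunted subnet
]
# Constructed OS process events: (host_ip, process_name, dst_ip)
EVENTS = [
    ("10.20.1.15", "chrome.exe", "203.0.113.5"),
    ("10.20.1.15", "svchost_update.exe", "192.0.2.44"),
    ("10.20.1.10", "chrome.exe", "203.0.113.5"),
]

def outbound_bytes_by_host(flows, subnet):
    """Step 1: scope to the hypothesised subnet; total bytes sent outside INTERNAL per host."""
    net = ip_network(subnet)
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if ip_address(src) in net and ip_address(dst) not in INTERNAL:
            totals[src] += nbytes
    return dict(totals)

def weird_hosts(totals, threshold=3.5):
    """Step 2: flag hosts whose outbound volume is far above the subnet baseline,
    using a modified z-score (median absolute deviation) so one extreme host
    cannot drag the baseline up and hide itself."""
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return sorted(h for h, v in totals.items() if 0.6745 * (v - med) / mad > threshold)

def pivot_to_processes(events, host):
    """Step 3: pivot from flow data to OS events for one flagged host."""
    return sorted({(proc, dst) for h, proc, dst in events if h == host})

def hunt_exfiltration(flows, events, subnet):
    """Run the three steps; result maps each flagged host to its (process, destination) pairs."""
    totals = outbound_bytes_by_host(flows, subnet)
    return {host: pivot_to_processes(events, host) for host in weird_hosts(totals)}
```

The flagged host's process list is the next question, not an answer: it tells the hunter which endpoint artefacts and application logs to pull next.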
Mapping Your Terrain
Knowing the lay of the land and where attackers may hide is a key element to
hunting. Kill chain mapping provides a useful framework to plan your hunting trips
for maximum impact. Typically, you will want to focus on the last two phases of the
kill chain (Command and Control and Act on Objectives) first, since the farther
along the kill chain the adversary is, the worse the incident is for you. Sqrrl
Enterprise provides the capability to annotate investigations with kill chain
Advice from a Hunter
"Organizations are realizing that their existing traditional security solutions, such as firewalls and SIEMs, are not finding everything that they need to find. On the detection side they’re doing well for what they do, but the problem is that signature-based or even monitoring systems are limited. Attackers are virtually unlimited in what they can do. Adversaries are very flexible and agile, so that's what we have to
-David Bianco, Sqrrl's Security Architect; former Manager of Mandiant’s Hunt Team