In this month's hunter spotlight, we sit down with Chris Sanders, a veteran hunter with over 10 years' experience, to discuss:
- How to manage different data sources for hunting
- Best pivoting practices and rules of thumb
- How to convert findings into actionable intelligence
- Techniques for reducing evidence abstraction
Richard Bejtlich, Security Author, Brookings Fellow
This panel reunites the original GE CIRT incident handlers to share their perspective on threat hunting's origins and current direction. Topics include:
- Foundations, principles, and how to get started
- Requirements, data sources, and visibility
- Early technologies and approaches
- Personnel development and mentoring
- Challenges, especially at scale
Danny Akacki works on the Hunt Team for a Fortune 100 Finance Company. In this interview, Danny will share his experiences hunting and discuss:
1. What makes a good hunter?
2. What makes a good hunt program?
3. How mature does an org need to be in order to benefit from a hunting program?
4. Why should you avoid hunting before your org is ready?
5. What's the difference between an investigation and a hunt?
Ryan Nolette, Hunter and security technologist at Sqrrl
Ryan Nolette, Sqrrl's hunter and security technologist, will break down:
• Determining what endpoints to investigate in a hunt
• Pivoting from network to endpoint investigations
• Essential tools and best practices for endpoint hunting
About the hunter:
Ryan is Sqrrl's primary security technologist and expert. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With over a decade in the infosec field, Ryan has been on the product and operations side of companies such as Carbon Black, Crossbeam Systems, SecureWorks and Fidelity. Ryan has been an active speaker and writer on threat hunting and endpoint security.
Jason Smith, Security Operations Investigator Manager at Cisco
Veteran threat hunter Jason Smith will detail:
• How to structure your Security Operations Center (SOC) and network to help uncover hidden threats
• Best practices to make hunting data accessible and fluid
• Essential tools and tips from Jason's hunting experiences
About the hunter:
Jason Smith has a background in physics and has built everything from particle accelerators to explosive-neutralizing robots used by the military. He has worked in multiple US Department of Defense SOCs and has worked with the largest security vendors to operationalize security in the world's largest organizations. Jason co-wrote Applied Network Security Monitoring and maintains the open source project FlowBAT, a graphical flow data analysis tool. Jason currently works remotely for Cisco from his home in Nashville, TN.
Our Hunter Spotlight series kicks off with Alan Orlikoski. From his 16+ years of security experience, Alan will share:
• Organizational strategies that work for both hunters and SOC managers
• How to create and sustain effective hunting teams
• Best practices and tools in the field
About the hunter:
Alan Orlikoski is a Security Engineer and Incident Responder with over 17 years of experience. He analyzes and tests existing incident response plans, conducts forensic investigations and provides incident response and forensics training. Alan has an extensive computer forensics background and has been a leader in some of the largest incident response and security operations center development programs in the history of the respective companies.
Edward Amoroso, CEO of TAG Cyber, former CISO at AT&T
Modern SOCs look very different from those that were built even a few years ago. This webinar discusses the fundamental shifts in thinking and technology that allow security teams to spend more time seeking out and detecting advanced attacks. You'll learn:
• Key characteristics of high-performing security programs
• How to react faster and more efficiently to new, advanced threats
• Necessary skills for hunt teams and how to measure their performance
• The effectiveness of threat hunting in reducing the dwell time of adversaries
Josh Liburdi, Threat Hunter and Security Technologist at Sqrrl
Sqrrl's Security Technologist Josh Liburdi provides an overview of how Sqrrl is used to detect C2 through a combination of automated detection and hunting. You'll learn:
• How hunting can fill gaps not covered by automated alerts
• The Hunting Maturity Model and how Sqrrl's capabilities align with it
• How Sqrrl's machine learning TTP detectors are used to detect C2, including Domain Generation Algorithms and DNS tunneling
• Walkthroughs of detecting C2 with common hunting techniques, including IOC searching and data stacking
Chris McCubbin, Director of Data Science at Sqrrl, and Josh Liburdi, Security Technologist at Sqrrl
Watch this training to learn how to uncover advanced threats using DNS and data science. You'll learn:
• What DNS is and how adversaries can utilize it to carry out attacks
• How to use DNS data to launch an incident investigation
• How to leverage data science techniques to detect DNS behaviors like DGA
• The practical fundamentals of how these data science techniques work