Using a threat hunting platform like Sqrrl may take a little bit of a shift in thinking for cybersecurity teams. It’s less like being a beat cop and more like being a consulting detective, but arguably much more effective at catching the really dangerous, hidden threats before they can strike.
Network traffic monitoring is a powerful tool for a lot of reasons. It can show, for example, if network resources are being fully utilized, or if bottlenecks are forming along communications backbones. Recently, traffic tools have started to be deployed to aid in cybersecurity defenses, looking for traffic spikes or unauthorized vertical movement, which can be an indication of compromise. Few take this science further than Sqrrl Data however, turning network traffic monitoring into a true threat hunting platform that is easily capable of unmasking advanced threats that many other programs miss — or fail to identify as the grave threat they truly are.
Sqrrl Data was founded by a trio of former analysts from the U.S. National Security Administration (NSA), with the goal of bringing the same level of defensive tools used by the agency to the public. Installation of the Sqrrl server is generally done on premises, likely owing to the fact that government agencies like the NSA generally prefer to have all their hardware physically protected and under their direct control. There is also a cloud version available, which might be better suited for organizations that prefer not to nursemaid hardware, or which are widely distributed at various offices.
The Sqrrl Threat Hunting Platform has network traffic analysis at its core. It requires no network taps to operate, gathering all the data it requires from three main sources: security data from tools such as SIEMs, network data from DNS or proxy logs, and endpoint and identity data from sources such as Windows event logs. Once collected, Sqrrl applies machine learning tactics to those logs, looking for any patterns that other programs might miss.
For example, a SIEM might trigger an alert based on a bad user login attempt. And then months later, it might record another one on a different machine. Finally, there might be network traffic between two machines that never happened before, which could generate an alert, or might be overlooked — though still recorded in the log files. There is very little chance that any standard security program or human analyst would be able to connect the dots on those seemingly disparate events, though they might all be linked to a single command and control server, or perhaps to a known attacker technique. This is a common occurrence, especially for very large organizations. Looking back at the famous Target department stores hack, indicators of compromise existed within their SIEM, but nobody could put all the pieces together to discover the bigger, ongoing attack until it was too late.
Where threat hunts begin
What Sqrrl does is recognize those connections, link them together, and provide them to analysts in the program’s main dashboard. None of the events that bubble up into the Sqrrl dashboard have been classified as major threats by other programs. But they are provided to analysts to investigate if they so choose. In fact, this is where Sqrrl says that most threat hunts begin, with an analyst forming a hunch about a hidden threat based on the collected and compiled network traffic data.
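The kind of linking described in the two paragraphs above (a failed login, a second one on a different machine months later, then a first-ever connection between the two hosts) can be sketched in a few lines. The following is an added illustration, not Sqrrl's code or method: it joins events through the users and hosts they share and surfaces only the chains that cross several data sources over a long window, which is exactly what no single alert would show. The log records, field names and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real log data) from three sources: a failed
# login seen by the SIEM, a second failed login for the same account on another
# host months later (Windows event log), a first-ever connection between those
# two hosts (proxy/netflow), and an unrelated failed login. Each is low severity.
EVENTS = [
    {"id": 1, "ts": "2017-01-10T08:15:00", "source": "siem", "type": "failed_login",
     "host": "ws-042", "user": "jsmith"},
    {"id": 2, "ts": "2017-04-22T23:40:00", "source": "winlog", "type": "failed_login",
     "host": "srv-db01", "user": "jsmith"},
    {"id": 3, "ts": "2017-04-23T00:05:00", "source": "netflow", "type": "new_connection",
     "host": "ws-042", "peer": "srv-db01"},
    {"id": 4, "ts": "2017-03-03T12:00:00", "source": "siem", "type": "failed_login",
     "host": "ws-077", "user": "bjones"},
]


def entities(event):
    """Entity keys an event touches: every host it names and the user, if any."""
    keys = set()
    for field in ("host", "peer"):
        if event.get(field):
            keys.add(("host", event[field]))
    if event.get("user"):
        keys.add(("user", event["user"]))
    return keys


def link_events(events):
    """Group events into chains: two events are linked if they share an entity
    (union-find over event ids)."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # entity key -> first event id that touched it
    for e in events:
        for key in entities(e):
            if key in first_seen:
                parent[find(e["id"])] = find(first_seen[key])
            else:
                first_seen[key] = e["id"]

    chains = defaultdict(list)
    for e in events:
        chains[find(e["id"])].append(e)
    return list(chains.values())


def hunt_leads(events, min_sources=2, min_span_days=30):
    """Return chains worth an analyst's attention: events that span several
    data sources and a long time window. Thresholds are illustrative."""
    leads = []
    for chain in link_events(events):
        sources = {e["source"] for e in chain}
        times = [datetime.fromisoformat(e["ts"]) for e in chain]
        span = (max(times) - min(times)).days
        if len(sources) >= min_sources and span >= min_span_days:
            leads.append({
                "events": sorted(e["id"] for e in chain),
                "sources": sorted(sources),
                "span_days": span,
                "entities": sorted({f"{k}:{v}" for e in chain for k, v in entities(e)}),
            })
    return leads


if __name__ == "__main__":
    for lead in hunt_leads(EVENTS):
        print(lead)
```

Run as a script it prints one lead covering events 1, 2 and 3 (three sources, about 102 days apart, tied together by the account jsmith and the two hosts); the unrelated login on ws-077 is left out because it links to nothing. A real platform works over far more entity types and scoring than this, but the shape of the output is the point: a linked chain handed to an analyst as a starting hunch, not an alert.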