Global Defense 

Cybersecurity Experts Hunting for Hackers 


By Yasmin Tadjdeh 

Network security professionals are turning to an emerging concept known as “cyber threat hunting” to ferret out hackers from critical systems, said one expert.

“It’s designed to help surface threats that have evaded detection by other tools and sensors,” said Ely Kahn, co-founder and vice president at Sqrrl, a cybersecurity company based in Cambridge, Massachusetts.

Advanced threats can find their way around firewalls and perimeter security devices, he said. Often, they are undetected by traditional signature or rule-based systems, said Kahn, who also previously served as director of cybersecurity on the national security staff in the White House.

Threat hunting, on the other hand, is a “proactive human-driven approach to find the subtle indicators of those lurking threats that are already inside your network,” he told National Defense.

Sqrrl’s threat hunting platform is currently in use at a number of large security centers around the world, Kahn said. Traditional systems often look at low-level indicators when searching for intrusions, such as suspicious IP addresses. However, “what we actually recommend is instead of focusing on those lower level indicators … to hunt for the higher or more complex indicators that are oftentimes referred to as TTPs — the tactics, techniques and procedures of cyber adversaries,” he said.

Typically, with a high-level indicator, an analyst is looking for a pattern, he said. Sqrrl’s platform requires a human to be in the loop.

“[We] simplify the hunt by packaging together things into little tool kits that the analyst can analyze, but it’s still going to be the analyst that’s figuring out how to best apply these tool kits and algorithms and visualizations into the data,” he said.

In February, the company released an upgrade that improved the system’s machine learning algorithms to detect tactics, techniques and procedures associated with domain name system, or DNS, data, Kahn said.

“DNS in general is like the phone book of the internet. It translates IP addresses to URLs and pretty much every company as a result has DNS data,” he said. “Adversaries are actually using DNS data in very creative ways. They’re hiding command-and-control channels in DNS data.”
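As an added illustration (not Sqrrl’s code or any part of this article), here is a small hunting heuristic for the DNS-based command-and-control pattern Kahn describes: rather than matching a known bad IP address, it scores each domain on how many distinct names were queried under it and on the entropy of their leftmost labels, the kind of higher-level indicator the article favors over single addresses. The log records and domain names are constructed placeholders, and the registered-domain split is a simplification that ignores the public suffix list.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query log records (client IP, queried name).
# Names under ".example" are reserved placeholders, not real hosts.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    # Busy but ordinary CDN traffic: many hostnames, low-entropy labels.
    *[("10.0.0.7", f"img{i}.cdn-placeholder.example") for i in range(1, 7)],
    # Tunnel-like pattern: many unique, random-looking labels under one domain.
    ("10.0.0.9", "4f2a9c1e7b3d8056.t.c2-placeholder.example"),
    ("10.0.0.9", "0123456789abcdef.t.c2-placeholder.example"),
    ("10.0.0.9", "fedcba9876543210.t.c2-placeholder.example"),
    ("10.0.0.9", "a1b2c3d4e5f60789.t.c2-placeholder.example"),
    ("10.0.0.9", "7e8f9a0b1c2d3456.t.c2-placeholder.example"),
]


def shannon_entropy(text):
    """Bits of entropy per character; encoded or random labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Last two labels of the name (assumption: no public-suffix handling)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def hunt_dns_tunnels(queries, min_unique=5, min_entropy=3.0):
    """Return {domain: stats} for domains whose subdomains look like encoded
    data: many distinct names AND a high mean entropy of the leftmost label."""
    names_by_domain = defaultdict(set)
    for _client, name in queries:
        names_by_domain[registered_domain(name)].add(name.lower().rstrip("."))
    flagged = {}
    for domain, names in names_by_domain.items():
        if len(names) < min_unique:   # a handful of hostnames is normal
            continue
        entropies = [shannon_entropy(n.split(".")[0]) for n in names]
        mean_entropy = sum(entropies) / len(entropies)
        if mean_entropy >= min_entropy:
            flagged[domain] = {"unique_names": len(names),
                               "mean_entropy": round(mean_entropy, 2)}
    return flagged
```

Running `hunt_dns_tunnels(SAMPLE_QUERIES)` flags only the constructed `c2-placeholder.example` domain; the CDN domain has enough distinct names but its `img1`-style labels carry too little entropy, which is why both conditions are required.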

Sqrrl’s threat hunting product would be ideal for the Pentagon, Kahn said.

“We are typically targeting security operation centers, so that is applicable to various parts of the Department of Defense,” he said. “Certainly the larger security operations centers are oftentimes the best fits for our products because we have a big data backend [so] we can scale up to massive amounts of data.”
