Sqrrl ferrets out network traffic anomalies to find hidden threats

Using a threat hunting platform like Sqrrl may take a little bit of a shift in thinking for cybersecurity teams. It’s less like being a beat cop and more like being a consulting detective, but arguably much more effective at catching the really dangerous, hidden threats before they can strike.


Network traffic monitoring is a powerful tool for a lot of reasons. It can show, for example, if network resources are being fully utilized, or if bottlenecks are forming along communications backbones. Recently, traffic tools have started to be deployed to aid in cybersecurity defenses, looking for traffic spikes or unauthorized vertical movement, which can be an indication of compromise. Few take this further than Sqrrl Data, however, turning network traffic monitoring into a true threat hunting platform that is easily capable of unmasking advanced threats that many other programs miss — or fail to identify as the grave threat they truly are.

Sqrrl Data was founded by a trio of former analysts from the U.S. National Security Administration (NSA), with the goal of bringing the same level of defensive tools used by the agency to the public. Installation of the Sqrrl server is generally done on premises, likely owing to the fact that government agencies like the NSA generally prefer to have all their hardware physically protected and under their direct control. There is also a cloud version available, which might be better suited for organizations that prefer not to nursemaid hardware, or which are widely distributed at various offices.

The Sqrrl Threat Hunting Platform has network traffic analysis at its core. It requires no network taps to operate, gathering all the data it needs from three main sources: security data from tools such as SIEMs, network data from DNS or proxy logs, and endpoint and identity data from sources such as Windows event logs. Once collected, Sqrrl applies machine learning techniques to those logs, looking for patterns that other programs might miss.

For example, a SIEM might trigger an alert based on a bad user login attempt. And then months later, it might record another one on a different machine. Finally, there might be network traffic between two machines that never happened before, which could generate an alert, or might be overlooked — though still recorded in the log files. There is very little chance that any standard security program or human analyst would be able to connect the dots on those seemingly disparate events, though they might all be linked to a single command and control server, or perhaps to a known attacker technique. This is a common occurrence, especially for very large organizations. Looking back at the famous Target department stores hack, indicators of compromise existed within their SIEM, but nobody could put all the pieces together to discover the bigger, ongoing attack until it was too late.

Where threat hunts begin

What Sqrrl does is recognize those connections, link them together, and provide them to analysts in the program’s main dashboard. None of the events that bubble up into the Sqrrl dashboard have been classified as major threats by other programs. But they are provided to analysts to investigate if they so choose. In fact, this is where Sqrrl says that most threat hunts begin, with an analyst forming a hunch about a hidden threat based on the collected and compiled network traffic data.

[Image: Sqrrl main dashboard. Credit: John Breeden/IDG]

The main dashboard of the Sqrrl platform provides a graphical look at suspected threats within a network. Some of these have been overlooked by other tools, and recompiled by Sqrrl’s machine learning capabilities.

In our testing, we dove into a particular pattern of failed logins that occurred over a prolonged period of time in the test network. None of the captured logins were successful, and thus no security alerts were triggered other than recording the failed attempt. But Sqrrl was able to find some interesting similarities between those events and group them together to form the basis of an investigation.

[Image: Sqrrl grouping of odd logins. Credit: John Breeden/IDG]

Sqrrl can pull anomalous logs and consolidate them in one place. It’s good at finding truly suspicious events that might escape other programs.

The first thing we did once we accepted the new case was to look at the events graphically, which began to tell us a bit of a story about a certain group of computers in one part of the network that were being probed from an overseas IP. Right-clicking allowed us to pivot the graph and expand it to include any other traffic events with similar characteristics. And just like that, Sqrrl searched the billions of log and traffic events and discovered that, amazingly enough, there was lateral movement within the network that was tied to the same IP used in the failed logins.

[Image: Sqrrl finding a beacon in network traffic. Credit: John Breeden/IDG]

Here, Sqrrl has located an IP at the center of several suspicious network events, likely uncovering a command and control server for malware.

Diving in further, we discovered that certain computers were beaconing out to a different IP, but only after they were touched by systems apparently being controlled by the original attacker. Little by little we began to get a clear picture of what the attacker was doing, in this case using a compromised system with administrator credentials to control others. Only the one system was beaconing out to its command and control host, which was further masking the attack by using a series of proxies.
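The beaconing described above is the kind of pattern a hunter can test for directly once proxy logs and logon events sit in one place. The following is an added illustration, not Sqrrl's code and not from the review: it groups a constructed proxy log by (source host, destination), flags pairs whose connection intervals are numerous and nearly constant, and then ties each flagged beacon to the most recent earlier remote logon to the same host, mirroring the observation that beaconing only started after a machine had been touched from elsewhere in the network. Host names, IP addresses (from the RFC 5737 documentation ranges), the log format, the `min_count` and `max_cv` thresholds and the `LOGONS` list are all assumptions made for the example.

```python
"""Spot beaconing in proxy logs by the regularity of outbound connections,
then check whether each beacon began after an inbound remote logon."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed proxy log: timestamp, source host, destination IP, method, port.
# hr-web reaches 198.51.100.9 every ~10 minutes; print01's browsing is irregular;
# fs01 appears only twice and should be ignored for lack of data.
PROXY_LOG = """\
2017-04-21T08:15:00Z print01 192.0.2.80 GET 80
2017-04-21T08:15:12Z print01 192.0.2.80 GET 80
2017-04-21T08:41:30Z print01 192.0.2.80 GET 80
2017-04-21T09:00:02Z hr-web 198.51.100.9 CONNECT 443
2017-04-21T09:10:01Z hr-web 198.51.100.9 CONNECT 443
2017-04-21T09:20:03Z hr-web 198.51.100.9 CONNECT 443
2017-04-21T09:30:00Z hr-web 198.51.100.9 CONNECT 443
2017-04-21T09:40:02Z hr-web 198.51.100.9 CONNECT 443
2017-04-21T09:50:01Z hr-web 198.51.100.9 CONNECT 443
2017-04-21T09:58:07Z print01 192.0.2.80 GET 80
2017-04-21T10:00:03Z hr-web 198.51.100.9 CONNECT 443
2017-04-21T10:10:02Z hr-web 198.51.100.9 CONNECT 443
2017-04-21T10:12:40Z fs01 192.0.2.80 GET 80
2017-04-21T12:03:44Z print01 192.0.2.80 GET 80
2017-04-21T12:04:01Z print01 192.0.2.80 GET 80
2017-04-21T15:30:59Z print01 192.0.2.80 GET 80
2017-04-21T15:31:20Z fs01 192.0.2.80 GET 80
"""

# Constructed Windows logon events: (time, target host, source IP of the logon).
LOGONS = [
    ("2017-04-20T22:14:09Z", "hr-web", "10.0.5.17"),
    ("2017-04-21T11:00:00Z", "print01", "10.0.5.17"),
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_proxy(text):
    """Return (timestamp, host, destination) tuples from the constructed log format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, _method, _port = line.split()
        records.append((parse_ts(ts), host, dst))
    return records


def find_beacons(records, min_count=6, max_cv=0.1):
    """Flag (host, dst) pairs whose inter-connection gaps are regular enough
    to look like a beacon: at least min_count connections and a coefficient
    of variation (stdev / mean of the gaps) no larger than max_cv."""
    by_pair = defaultdict(list)
    for ts, host, dst in records:
        by_pair[(host, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps, not a cadence
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = {"count": len(times), "period_s": mean,
                             "cv": cv, "first": times[0]}
    return beacons


def beacons_after_logon(beacons, logons):
    """For each beacon, return the source IP of the latest remote logon to the
    beaconing host that happened before the first beacon, if there is one."""
    result = {}
    for (host, dst), info in beacons.items():
        prior = [(parse_ts(t), src) for t, h, src in logons
                 if h == host and parse_ts(t) < info["first"]]
        if prior:
            result[(host, dst)] = max(prior)[1]
    return result


if __name__ == "__main__":
    found = find_beacons(parse_proxy(PROXY_LOG))
    for pair, info in found.items():
        print(pair, f"every {info['period_s']:.0f}s, cv={info['cv']:.3f}")
    print(beacons_after_logon(found, LOGONS))
```

The `max_cv` threshold is a tuning choice: implants often add jitter to their check-in interval, so on real data it is worth widening the tolerance and adding a long-tail check (for example, the fraction of gaps within some window of the median) rather than relying on one summary statistic.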

[Image: Sqrrl query built from a hunt. Credit: John Breeden/IDG]

Sqrrl allows for threat hunting based on anomalous events in the network traffic logs. A good threat hunter can find things that other programs easily miss.

The fact that the network was under an attack was completely obvious at that point for any human working with the program, but only after starting the hunt and using Sqrrl to group the seemingly disparate events.

[Image: Creating a trigger in Sqrrl. Credit: John Breeden/IDG]

One of the most powerful elements of Sqrrl is the ability to ask it how events are related, using seemingly unique event data to uncover targeted threat campaigns.

Without a tool like Sqrrl, analysts would be forced to sift through billions of logged traffic events, probably taking notes by hand on paper, and trying to reach the same conclusion. More likely, they would never even have a reason to begin their investigation without Sqrrl.

Drag and drop

A new feature for Sqrrl, and one that makes the program even more useful, is the ability to drag and drop events into the program from popular SIEMs or other security programs. For this, we pulled four events from QRadar, dropping them into the center of a new Sqrrl graph. We then queried the program to see if any of the events were related. Sure enough, after a little bit of time, Sqrrl came back with the answer: all four shared at least one element. We were presented with a graphical view that outlined this case, enabling us to see at a glance that this was a coordinated effort. Putting that together by hand would have been extremely difficult and time consuming, if we even thought to do it at all.

[Image: Sqrrl linking QRadar alerts. Credit: John Breeden/IDG]

Here four seemingly unrelated events brought in from QRadar are linked, showing how they are all related and uncovering a much greater network threat.
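Both the earlier scenario (failed logins months apart on different machines, then host-to-host traffic that had never occurred before, all tied to one IP) and the drag-and-drop question of whether four SIEM events share an element come down to the same operation: treat every event as a node joined to the entities it mentions, then walk the shared entities. The code below is an added illustration of that operation, not Sqrrl's code or anything from the review. The event records, source names, hosts, users and IP addresses (RFC 5737 documentation ranges) are constructed; `pivot` follows shared entities outward from one event, `linking_entities` reports which entities hold a group of events together (the "IP at the center" of the article's third screenshot), and `are_connected` answers the drag-and-drop question for an arbitrary set of events.

```python
"""Link seemingly unrelated security events through the entities they share.

Events from three constructed sources (SIEM alerts, Windows logon events,
proxy logs) are placed in a bipartite graph: event <-> entity. Pivoting from
one event reaches every other event connected to it by a shared IP, host
or user, no matter how far apart in time or in which source they were logged.
"""
from collections import defaultdict, deque

# Constructed sample events. Each names its source and the entities involved,
# tagged by kind so that a source IP and a destination IP are never confused.
EVENTS = [
    {"id": "siem-1", "src": "siem", "when": "2017-01-03", "type": "failed_login",
     "entities": {"src_ip:203.0.113.45", "host:fs01", "user:admin"}},
    {"id": "siem-2", "src": "siem", "when": "2017-04-18", "type": "failed_login",
     "entities": {"src_ip:203.0.113.45", "host:hr-web", "user:svc_backup"}},
    {"id": "winevt-1", "src": "windows", "when": "2017-04-20", "type": "logon_success",
     "entities": {"src_ip:10.0.5.17", "host:hr-web", "user:svc_backup"}},
    {"id": "proxy-1", "src": "proxy", "when": "2017-04-21", "type": "http_connect",
     "entities": {"host:hr-web", "dst_ip:198.51.100.9"}},
    # Unrelated background noise: shares nothing with the events above.
    {"id": "winevt-2", "src": "windows", "when": "2017-02-11", "type": "logon_success",
     "entities": {"host:print01", "user:jdoe"}},
]


def build_graph(events):
    """Return (event -> entities, entity -> events) index pairs."""
    ev2ent = {e["id"]: set(e["entities"]) for e in events}
    ent2ev = defaultdict(set)
    for eid, ents in ev2ent.items():
        for ent in ents:
            ent2ev[ent].add(eid)
    return ev2ent, ent2ev


def pivot(graph, seed_id, max_hops=None):
    """Breadth-first walk from one event over shared entities; returns the set
    of reachable event ids (the seed included). max_hops limits how many
    event-to-event steps are taken, which keeps a pivot from swallowing the
    whole network through a very common entity."""
    ev2ent, ent2ev = graph
    seen = {seed_id}
    queue = deque([(seed_id, 0)])
    while queue:
        eid, depth = queue.popleft()
        if max_hops is not None and depth >= max_hops:
            continue
        for ent in ev2ent[eid]:
            for other in ent2ev[ent]:
                if other not in seen:
                    seen.add(other)
                    queue.append((other, depth + 1))
    return seen


def linking_entities(graph, event_ids):
    """Entities shared by two or more of the given events, most-connected first."""
    _, ent2ev = graph
    wanted = set(event_ids)
    counts = {ent: len(evs & wanted) for ent, evs in ent2ev.items()}
    return sorted(((e, n) for e, n in counts.items() if n >= 2),
                  key=lambda kv: (-kv[1], kv[0]))


def are_connected(graph, event_ids):
    """True when every listed event reaches every other through shared entities."""
    event_ids = list(event_ids)
    reach = pivot(graph, event_ids[0])
    return all(e in reach for e in event_ids)


if __name__ == "__main__":
    g = build_graph(EVENTS)
    related = pivot(g, "siem-1")
    print("events linked to siem-1:", sorted(related))
    print("what ties them together:", linking_entities(g, related))
    print("four dropped-in events connected?", are_connected(g, ["siem-1", "siem-2", "winevt-1", "proxy-1"]))
```

In practice the entity vocabulary matters more than the traversal: normalizing host names, resolving DNS names to addresses and stripping well-known shared entities (a corporate proxy, a domain controller) before linking is what keeps a pivot from returning everything at once.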

The last word

Using a threat hunting platform like Sqrrl may take a little bit of a shift in thinking for cybersecurity teams. It’s certainly different from what they likely do right now, responding to threats and alerts generated by their SIEM. Using Sqrrl requires a more proactive type of defense, generating hunches based on data — while getting liberal assistance from Sqrrl — and then investigating those leads to see where the evidence goes. It’s less like being a beat cop and more like being a consulting detective, but arguably much more effective at catching the really dangerous, hidden threats before they can strike.

Copyright © 2017 IDG Communications, Inc.