The ThreatHunting Project

Hunting for adversaries in your IT environment

Sqrrl Archive

From about 2015 until they were purchased by Amazon Web Services (AWS) in early 2018, Sqrrl was a threat hunting platform vendor with an unusually strong focus on teaching the cybersecurity community about threat hunting best practices. They published some of what are still foundational documents about threat hunting.

When their website finally went offline in 2019, many of these foundational documents lost their permanent home on the Internet, making them harder to find and to reference in subsequent work.

With Sqrrl’s permission, I mirrored the documents from their website and am hosting selected pages here so that they will continue to have a permanent home. The formatting is not great since the original blog engine had a dynamic backend to help with lots of that, and I’m just hosting static pages which I’ve had to edit to render well, but everything should be readable.

I’m not hosting the entire Sqrrl website, but rather picking and choosing documents I think are helpful to the threat hunting community. If you’d like me to add something from their site, though, just get in touch and if I have it, I’ll add it for you.

Blog Posts

A Framework for Cyber Threat Hunting Part 1: The Pyramid of Pain, Sqrrl Team

A discussion of the Pyramid of Pain and how to apply it to threat hunting.

A Framework for Cyber Threat Hunting Part 2: Advanced Persistent Defense, Sqrrl Team

Introduces the Hunting Cycle, a conceptual model describing the steps in a typical hunting trip. Also shows how the Hunting Cycle integrates with both the threat intel and incident response processes.

A Framework for Cyber Threat Hunting Part 3: The Value of Hunting TTPs, Sqrrl Team

Why you should concentrate your hunting efforts on adversary behaviors.

The Threat Hunting Reference Model Part 1: Measuring Hunting Maturity, Sqrrl Team

Introduces the Hunting Maturity Model (HMM), which measures the maturity of an organization’s hunting program.

The Threat Hunting Reference Model Part 2: The Hunting Loop, Sqrrl Team

Expands upon the Hunting Cycle (noted above) and introduces a more polished and complete version, the Threat Hunting Loop.

The Threat Hunting Reference Model Part 3: The Hunt Matrix, Sqrrl Team

Incorporating both the Hunting Maturity Model and the Hunting Loop, the Hunt Matrix describes what each loop stage’s typical processes look like for each maturity level.

Demystifying Threat Hunting Concepts, Josh Liburdi

A look at reality behind some hunting concepts that often confuse even experienced hunters, with a special emphasis on the beginning and the end of the hunting process.

Other

Huntpedia, Richard Bejtlich, Danny Akacki, David Bianco, Tyler Hudak, Scott Roberts, et al.

An ebook collection of essays and “how-to” articles on threat hunting. Although it was originally published by a vendor (Sqrrl) that no longer exists, it’s not tied to their product, and is a great reference for both beginners and advanced threat hunters. The first section talks about hunting theory and practice, while the second focuses on providing detailed, concrete examples of actionable hunts.

A Framework for Cyber Threat Hunting, Sqrrl

A summary of many of the concepts mentioned in the blog posts above, in one convenient white paper.

Hunt Evil: Your Practical Guide to Threat Hunting, Sqrrl

Hands-on guidance for both hunt team managers and hunt practitioners.