From about 2015 until they were purchased by Amazon Web Services (AWS) in early 2018, Sqrrl was a threat hunting platform vendor with an unusually strong focus on teaching the cybersecurity community about threat hunting best practices. They published some of what are still foundational documents about threat hunting.
When their website finally went offline in 2019, many of these foundational documents lost their permanent home on the Internet, making them harder to find and to reference in subsequent work.
With Sqrrl’s permission, I mirrored the documents from their website and am hosting selected pages here so that they will continue to have a permanent home. The formatting is not great since the original blog engine had a dynamic backend to help with lots of that, and I’m just hosting static pages which I’ve had to edit to render well, but everything should be readable.
I’m not hosting the entire Sqrrl website, but rather picking and choosing documents I think are helpful to the threat hunting community. If you’d like me to add something from their site, though, just get in touch and if I have it, I’ll add it for you.
A discussion about the Pyramid of Pain and how to apply it to Threat Hunting.
Introduces the Hunting Cycle, a conceptual model describing the steps in a typical hunting trip. Also shows how the Hunting Cycle integrates with both the threat intel and incident response processes.
Why you should concentrate your hunting efforts on adversary behaviors.
Introduces the Hunting Maturity Model (HMM), which measures the maturity of an organization’s hunting program.
Expands upon the Hunting Cycle (noted above) and introduces a more polished and complete version, the Threat Hunting Loop.
Incorporating both the Hunting Maturity Model and the Hunting Loop, the Hunt Matrix describes what each loop stage’s typical processes look like for each maturity level.
Demystifying Threat Hunting Concepts, Josh Liburdi
A look at reality behind some hunting concepts that often confuse even experienced hunters, with a special emphasis on the beginning and the end of the hunting process.
Huntpedia, Richard Bejtlich, Danny Akacki, David Bianco, Tyler Hudak, Scott Roberts, et al.
An ebook collection of essays and “how-to” articles on threat hunting. Although it was originally published by a vendor (Sqrrl) that no longer exists, it’s not tied to their product, and is a great reference for both beginners and advanced threat hunters. The first section talks about hunting theory and practice, while the second focuses on providing detailed, concrete examples of actionable hunts.
A summary of many of the concepts mentioned in the blog posts above, in one convenient white paper.
Hands-on guidance for both hunt team managers and hunt practitioners.