About

Pixel
I'm a huntress, bred from the early Mandiant days of incident response.

My background is software engineering, web design and development, and then a complete pivot when I got my Master's in Computer Forensics from George Mason.

From there I worked at Mandiant, a completely gratifying experience. I stayed for awhile after the acquisition and created the endpoint services for FaaS. Where do we detect and where do we hunt, how and why?

To my right is my best half, Pixel the pupperino. He isn't the first hunter I trained, but he is my favorite. His first real trick was "Find the Evil!" -- it was bacon, but it was a win on the SOC floor. Since then he has become an amazing anomaly detector -- everything from misplaced toolboxes to glasses of water, he alerts me to them.

My passion lies at an interesting intersection. I enjoy trying to operationalize and scale. I love creating process and procedure that is flexible and nimble. I spend too much time trying to figure out how to be a great leader for my team and grow them beyond their own expectations.

At my core I am a defender. Red teaming has never interested me, then again I don't even cross a road until I get the little man at the intersection, so breaking and entering just isn't my style.

I love EDM not just the beats, but the concept of remixes. Sometimes I prefer the original like the Chainsmokers - Don't Let Me Down and other times the remix just does it for me like Tiesto's Northern Lights remix of Alan Walker's - Faded. I am hoping you take some of the ideas I log in these posts and remix them into something better!

Happy Hunting
~K

Popular posts from this blog

Applying Detection to the Attacker Lifecycle

Image
Thanks everyone for the encouraging comments on my first post and for taking the time to let me know it helped you out!  😁  Now for the next edition. Hunting is a form of detection. It's not monitoring, but it is detection. So let's take a quick look at creating a detection strategy and how it can include your hunt program. Use a Lifecycle for your Story Your detection strategy needs to create a story that your senior leadership can easily understand. The Mandiant Attacker Lifecycle always made more sense to me than the Lockheed Martin Cyber Kill Chain , so I am going to use that as the story for my strategy. Pick whichever lifecycle works for you. There is also the MITRE Attack Lifecycle . Mandiant Attacker Lifecycle For the sake of this post , I am going to say the lifecycle stage, Complete Mission, should be handled by DLP, backups (if mission objective is destructive), and encryption. Alerting You want to alert early in the lifecycle so you catch attackers
Read more

Threat Hunting Team Maturity Model

Image
After talking about scaling a hunt team with the concept of " Pack Hunting " in my last post, now I want to approach a topic that has been weighing on my mind as the year comes to a close. How do I build a kickass hunt program? And how would I know if I did? Admittedly, this is on my mind because next year my program will have been around long enough to be audited, which means I need to be able to measure my program in an audit-able way. I am not talking about the outcome of the program here, the hunting itself, but rather the processes and procedures that lead to the outcomes. The outcomes are currently measured using KPIs, but I haven't stress tested those enough to share yet. Developing a Threat Hunting & Research  Team Maturity Model Why a maturity model? As I looked into how to approach this question I came across the idea of using a maturity model. According to the Institute of Internal Auditors ( IIA ), a maturity model describes process components th
Read more

Building Operational Threat Hunting Models

Image
A successful threat hunting program can't be a black box to the organization. The expense of such elite programs demand executives easily comprehend the value to the organization. Of course, as the program develops, executive comprehension alone will not suffice and metrics will be necessary as well, but that's a post for another day. 5 Threat Hunting Models  I've begun to develop 5 Threat Hunting Models that I hope can be used to frame discussions about a threat hunting program and its objectives. This isn't the first iteration and I highly doubt its the last iteration of the models. ADVERSARY MODEL The Adversary Model is for creating hunts that target a specific adversary, for example APT 28 .  Hunters will review an adversary profile, hopefully created by your cyber threat intelligence team, to learn of the attackers behaviors. Using this knowledge, hunters will create a hypothesis on finding those behaviors in our environments. Don't have your own CTI, do
Read more