In the Fall of 2019, I joined the Splunk Global Security organization to build Splunk’s internal threat hunting program. Over a few months, we went from an organization with no defined hunting mission or program to one that can do full-scale, high-value hunting. This post is one in a short series that describes how we manage our threat hunting program.

Before diving into this topic, I recommend that you take a moment to watch this presentation from Justin Kohler and Patrick Perry — it covers some of the concepts I’m going to describe: https://www.youtube.com/watch?v=23v_LCObNbs.

Structured Vs. Unstructured Threat Hunting

Before we operationalized our hunting program…



Measuring Success

Before we operationalized our hunting program, I knew that metrics tracking needed to be a part of everything we did. Metrics are essential for describing the performance and success of any program or team; they’re extra crucial for hunting programs…


In support of my presentation at BSides San Francisco this year, I thought it would be helpful to write about some of the design decisions that went into building Strelka. This post is about the decision to not use microservices, an increasingly popular system architecture model that breaks large components into small, distributed pieces.

Here’s my take on microservices: they’re for the 0.01% of application owners. Microservices, like any system architecture model, have advantages and disadvantages; for the majority of users (including the Strelka project), I think the disadvantages outweigh the advantages. …


In support of my presentation at BSides San Francisco this year, I thought it would be helpful to write about some of the design decisions that went into building Strelka. This post is about the decision to use Python instead of Go, Rust, or any of the other newer, popular compiled languages — all of which would be faster and more efficient than Python.

Are you ready for the dirty truth about Python?

People, especially digital forensics/incident response practitioners, like Python. Prototyping in Python is fast — it’s easy to take an idea and turn it into working code…


This post goes through the process of building a (proof of concept!) secure PCAP retrieval service for Google’s Stenographer. The core of the service is built on Google’s gRPC — gRPC is a remote procedure call framework that supports TLS (SSL) and HTTP/2, has compatibility with several languages (Go, Python, etc.), and has the capability to stream messages between clients and servers. The service described in this post will make use of each of these features to create a secure, flexible RPC system for retrieving PCAP.

Components of Stenographer

Per the project description, Stenographer is a “packet capture solution which aims to quickly spool…


Building on work that I previously shared, I decided to put together a generic library for creating scalable, distributed Python applications. It’s called “mpzmq” and is now available on GitHub and PyPI. This library isn’t a replacement for an API or RPC system, but it is a reliable, lo-fi alternative for when you need to offload Python processing to a multi-core remote server. (It’s also one of the simplest examples of a production-ready ZeroMQ system that I’ve ever seen — that’s pretty damn cool!)


Anyone who writes custom Bro/Zeek scripts will know that once you start the application you cannot modify (i.e. redef) script variables … at least, that’s what I thought until I realized that all of the necessary components to do on-demand variable modification without restarts already exist. Before getting into the details on how to do this, it’s best to start with the motivating reason for why I wanted to do this.

Big Problems in File Extraction Land

Building stable, distributed services isn’t easy. It isn’t made any easier when some of the systems in the larger service ecosystem were not designed to be part of a…


This post describes how pyzmq and multiprocessing can be used to turn arbitrary Python projects into scalable, production-ready services. We’ll look at how the MaliciousMacroBot (MMBot) project — which uses machine learning to identify malicious VBA — can be turned into a remote service by building it as a pyzmq-enabled application.

There are three main steps involved in building applications with pyzmq: understand the requirements of the underlying Python project (i.e., MMBot), choose the appropriate ZMQ architecture, and build the proxy, server, and client components.

Reviewing MMBot

In the context of this post, it isn’t important to review MMBot’s features, but it…


UPDATE 02–19–2017: The laika-bro-client.py script referenced below is now on GitHub.

Over the past few nights I took some time to understand how Lockheed Martin’s Laika BOSS works in a networked environment and, after getting it set up in a virtualized network relatively quickly, was tempted to get it working with Bro. I’m surprised at the lack of information that describes how to get these two tools working together, so I thought I’d share my experience. …


What is threat hunting?

If you ask a group of information security professionals for the definition of threat hunting, then you’re likely to get multiple (potentially divisive) responses. There seems to be general agreement among threat detection and incident response (IR) practitioners on what hunting conceptually is, but there is often little discussion of how one performs it and what the outcome should be (and as with most things, as vendors and non-practitioners add their voices into the mix, the concept of hunting becomes muddy).

In the context of this post (and any other personal writing from me on this topic), threat hunting is…

Josh Liburdi

dale cooper is my spirit animal. opinions are mine.
