The following resources include some of our uMerc's research and other resources for your reading enjoyment.

Uncovering Insiders With Threat Hunting and Active Defense

Today’s adversaries are advanced and more capable than ever before. Passive defensive tactics are no longer viable for pursuing these attackers. To compound the issue, the existence of an insider threat creates a challenging problem for the passive defender. Techniques like Threat Hunting, attempt to diminish this problem by combating advanced threats with people, also known as Threat Hunters. Although Threat Hunting is proving to be invaluable for many organizations there remains a chasm between detection and disclosure. Offensive Countermeasure tools can be leveraged as a means to proactively hunt insider threats.



Industrial espionage, malware, and targeted attacks bring about a certain stigma. These terms have been around for decades and in many cases become cliche. Yet, they bring a new meaning when dealing with Industrial Control Systems (ICS). ICS systems provide a myriad of functions such as pipeline control, monitoring of the fermentation process in a brewery, and traffic light control. These systems are no longer contained. They are connected, exposed, and vulnerable.

How to Target Critical Infrastructure

TCritical Infrastructure is a target for some because of the yield that a successful attack could result in. Death, disruption or damage is a real possibility. The Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect the most sensitive data or system. The Adversary Return on Investment (AROI) is the missing piece to the equation. From the adversary’s vantage point, data, infrastructure or systems have value. By understanding this value an organization can more appropriately align its security strategy; especially, for the most critical infrastructure. 



The Huntpedia is an aggregation of wisdom from some seasoned Threat Hunters.

Constructing a Measurable Tabletop Exercise for a SCADA Environment

The incident occurred back in November 2011, or at least that was the story. Initial reports that an advanced hacker had taken control of a Supervisory Control and Data Acquisition (SCADA) system started to surface.  This system controlled a physical component: a water pump. The report also indicated the compromised system was forced to operate beyond normal levels, causing a pump to fail.  But was it true? Weeks later, the report and attribution were under criticism from ICS-CERT, who had conducted the incident handling steps for the Curran-Gardner Public Water District.  By drawing a parallel to the Curran-Gardner attack, a sound and measureable tabletop exercise can be developed to help an organization deal with a reallife incident affecting a SCADA system. 



Threat hunting has been around for a while, but it has only recently become a focus of modern enterprise Security Operation Centers (SOCs). Hunting can revolutionize the threat detection efforts of an organization, and many have already recognized that proactive hunting needs to play a role in their overall detection practices (a common mantra one often hears is “prevention is ideal but detection is a must”). According to a recent survey on threat hunting conducted by the SANS institute, 91% of organizations report improvements in speed and accuracy of response due to threat hunting. It’s clearly worth your time, but it’s also worth knowing what exactly you’re investing in. Before going any further, let’s take a look at 3 common myths about hunting that will help clarify what it is.