Threat Hunting Tools
Cyber threat hunting is the proactive search for abnormal activity on a network or system (a server, workstation, mobile device, or IoT device). What a hunt turns up can be a sign of an ongoing attack (for example, ransomware encrypting files), data exfiltration, command-and-control traffic, or other malicious activity. It is an active defense: instead of waiting for an alert, the hunter looks for threats that ordinary controls (firewalls, IDS, sandboxing) have not detected and works to isolate them before they begin or expand their malicious work.
Most organizations employ layered defense (defense in depth) to protect their IT assets, but no system is 100% immune: there is always a chance that an advanced threat bypasses the controls. Traditional defenses, including modern solutions based on artificial intelligence, focus on stopping a threat at the moment it is deployed on the victim system. That works for many threats, but it is far less reliable against new ones such as zero-day exploits or Advanced Persistent Threats (APTs), which often do not match anything the controls already know.
Threat hunting is a complementary approach to such threats. Network traffic is examined continually, either automatically by a tool or by a security analyst, to identify potential threats and isolate them before conventional controls (firewall, IDS) raise an alarm, if they ever do. Threat hunting was originally a purely human activity; modern solutions automate parts of it with machine learning and User Behavior Analytics (UBA).
This article describes the different types of threat hunting solutions and gives examples of each. Before starting, it is useful to distinguish three terms that are often used interchangeably: threat, vulnerability, and risk.
Threat: anything that can exploit a vulnerability to damage IT assets or to give an attacker unauthorized access to protected assets.
Vulnerability: a weakness in an IT system or installed application (for example, running an outdated operating system leaves a device exposed to many threats).
Risk: the potential for loss of, or damage to, IT assets when a threat exploits a vulnerability; it is usually judged by how likely that is and how much damage it would do.
Analytics Driven
This type uses behavior analytics and machine learning to detect threats. Some of the most popular tools in this category are described below.
Maltego CE
Maltego (Community Edition) is a data-mining and link-analysis tool used for online investigations, especially OSINT gathering. It queries many online data sources (DNS, WHOIS, search engines, and others), draws the relationships between the returned entities as a graph, and lets the analyst correlate the results to judge whether an entity is part of a threat.
Cuckoo Sandbox
Cuckoo is an open-source automated malware analysis system. It executes a suspicious file in an isolated virtual machine, records what the file does while it runs (API calls, files and registry keys touched, network traffic), and produces a detailed behavioral report. It can analyze many file types (executables, Office documents, PDF files, e-mails) as well as malicious websites, with guest environments for Windows, Linux, macOS, and Android. One caveat: malware that detects it is running in a sandbox may stay dormant, so a clean Cuckoo report is not proof that a file is benign.
Intelligence Driven
In this type, the hunting tool consumes threat intelligence from many sources: lists of malicious URLs, IP addresses and phishing links, malware samples and their hashes, threat intelligence reports and feeds, and vulnerability scan results. YARA, CrowdFMS, and Botscout are examples of intelligence-driven threat hunting tools. Threat intelligence can be acquired from government and public sources (e.g., the FBI) and from private sources (e.g., http://www.isaccouncil.org and https://www.tylercybersecurity.com/tyler-detect).
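As an added example (not code from the original article or from any of the tools it names), the following Python script shows the core loop of an intelligence-driven hunt: load an indicator feed, normalise it, and sweep it across local telemetry. The feed format, the indicator values, the log lines, the host names and the "dropper" file body are all constructed for illustration; a real feed (MISP, STIX/TAXII, a vendor CSV) would be loaded in place of FEED_CSV.

```python
"""Intelligence-driven hunt: sweep a threat-intel feed across local telemetry.

Added example for this article, not code from the original page or from any
of the tools it names. The feed format, indicator values, log lines and the
"dropper" bytes below are all constructed for illustration.
"""
import csv
import hashlib
import io
import re
from collections import defaultdict

# Constructed "malicious" file body: the feed's hash indicator is derived
# from it so that the example is self-consistent rather than invented.
DROPPER_BYTES = b"MZ\x90\x00constructed-dropper-sample"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed feed in a minimal "type,value,description" CSV shape (assumption:
# real feeds such as MISP or STIX/TAXII exports carry many more fields).
FEED_CSV = (
    "type,value,description\n"
    "ip,198.51.100.23,known C2 node (constructed)\n"
    "domain,Update-Check.Example.Net,phishing landing page (constructed)\n"
    f"sha256,{sha256_hex(DROPPER_BYTES)},dropper payload (constructed)\n"
)

# Constructed DNS/proxy log lines in a syslog-like key=value shape.
LOG_LINES = [
    "2024-03-01T10:00:01Z host=ws-17 dns query=cdn.example.com answer=203.0.113.8",
    "2024-03-01T10:00:07Z host=ws-17 dns query=update-check.example.net answer=198.51.100.23",
    "2024-03-01T10:00:09Z host=ws-17 proxy dst=198.51.100.23:443 bytes_out=51200",
    "2024-03-01T10:01:30Z host=ws-22 proxy dst=203.0.113.8:443 bytes_out=1200",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HOST = re.compile(r"\bhost=(\S+)")


def load_feed(csv_text: str) -> dict[str, set[str]]:
    """Index indicators by type; normalise (trim, lower-case) so matching is exact."""
    index: dict[str, set[str]] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        index[row["type"].strip().lower()].add(row["value"].strip().lower())
    return index


def hunt_logs(lines, feed):
    """Return (line_no, indicator_type, indicator) for every feed hit in the logs."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in feed["ip"]:
                hits.append((n, "ip", ip))
        for dom in DOMAIN.findall(line):
            if dom.lower() in feed["domain"]:
                hits.append((n, "domain", dom.lower()))
    return hits


def hunt_files(files: dict[str, bytes], feed):
    """Hash the file contents (never trust the name) and compare with hash indicators."""
    return [(name, sha256_hex(body)) for name, body in files.items()
            if sha256_hex(body) in feed["sha256"]]


def hosts_to_triage(lines, hits):
    """Hosts that produced at least one hit: the hunter's starting point for pivoting."""
    hosts = set()
    for n, _kind, _ioc in hits:
        m = HOST.search(lines[n - 1])
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    files = {"C:/Users/Public/update.exe": DROPPER_BYTES, "notes.txt": b"benign"}
    for hit in hunt_logs(LOG_LINES, feed):
        print("log hit:", hit)
    for hit in hunt_files(files, feed):
        print("file hit:", hit)
    print("triage:", hosts_to_triage(LOG_LINES, hunt_logs(LOG_LINES, feed)))
```

Two details matter in practice: indicators are normalised on both sides (trimmed and lower-cased), so the feed entry `Update-Check.Example.Net` still matches the lower-case DNS log, and the file sweep hashes the content rather than trusting the file name, because the feed identifies the dropper by content. A hit is a lead to triage, not a verdict: the host list the script produces is where the hunter starts pivoting, not where the investigation ends.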
YARA
YARA is a tool that helps security researchers identify and classify malware samples, and it is also widely used in digital forensics and incident response. It works by matching user-defined rules against files, directories, or the memory of running processes; it does not inspect network traffic on its own, although other tools integrate it to scan captured payloads. Rules are written in YARA's own rule language, not in a general-purpose programming language (bindings such as yara-python only call the YARA engine from Python). Each rule names the patterns to look for (text strings, hex byte sequences that may contain wildcards, or regular expressions) and a condition that must be satisfied for the rule to match, for example that several of the strings are present and the file is below a given size.
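To make concrete what a YARA rule is and what it checks, here is an added example that is not from the article or from the YARA project: the text of a YARA rule for a constructed dropper, followed by a deliberately small Python re-implementation of only the subset of YARA semantics that this rule uses (hex strings with `??` wildcards, a text string, `at 0`, and `filesize`), run over two constructed byte buffers. The rule name, the URL and the byte sequences are all constructed. In practice you would hand RULE_TEXT to the `yara` command-line tool or to yara-python; the Python here exists only to show the matching steps.

```python
"""What a YARA rule checks: named strings plus a condition over a byte buffer.

Added example, not from the article or the YARA project. RULE_TEXT is a rule
as YARA itself would compile it; the Python below re-implements only the
subset of YARA's semantics that this rule uses, so the matching steps can be
read and run offline. Use the yara CLI or yara-python for real scanning.
"""
import re

RULE_TEXT = r'''
rule constructed_dropper
{
    meta:
        description = "Constructed example: PE that embeds a hard-coded C2 URL and a loader stub"
    strings:
        $mz   = { 4D 5A }                   // "MZ" DOS header
        $stub = { E8 ?? ?? ?? ?? 5D 81 ED } // call/pop/sub prologue; call target is wildcarded
        $c2   = "http://update-check.example.net/" ascii
    condition:
        $mz at 0 and filesize < 1MB and $stub and $c2
}
'''


def hex_to_regex(hex_pattern: str) -> re.Pattern:
    """Translate a YARA hex string such as '{ E8 ?? 5D }' into a bytes regex."""
    parts = []
    for tok in hex_pattern.strip("{} ").split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# The rule's strings section, compiled the way YARA would search for them.
STRINGS = {
    "$mz": hex_to_regex("{ 4D 5A }"),
    "$stub": hex_to_regex("{ E8 ?? ?? ?? ?? 5D 81 ED }"),
    "$c2": re.compile(re.escape(b"http://update-check.example.net/")),
}


def scan_strings(data: bytes) -> dict[str, list[int]]:
    """Offsets of every occurrence of each string (YARA reports these per match)."""
    return {name: [m.start() for m in pat.finditer(data)] for name, pat in STRINGS.items()}


def condition(data: bytes, offsets: dict[str, list[int]]) -> bool:
    """The rule's condition: $mz at 0 and filesize < 1MB and $stub and $c2."""
    return (
        0 in offsets["$mz"]              # "$mz at 0": MZ header at the very start
        and len(data) < 1024 * 1024      # "filesize < 1MB"
        and bool(offsets["$stub"])       # "$stub": at least one occurrence
        and bool(offsets["$c2"])         # "$c2": at least one occurrence
    )


def match(data: bytes):
    """Return (rule name or None, string offsets), as a YARA match would carry."""
    offsets = scan_strings(data)
    return ("constructed_dropper" if condition(data, offsets) else None), offsets


# Constructed buffers: a PE-like body that should match, and a zip-like body
# that quotes the same URL but has neither the MZ header nor the stub.
SAMPLE_HIT = (
    b"MZ" + b"\x00" * 62
    + b"\xe8\x10\x00\x00\x00\x5d\x81\xed\x00\x10\x40\x00"
    + b"\x00" * 16
    + b"http://update-check.example.net/a.bin\x00"
)
SAMPLE_MISS = b"PK\x03\x04" + b"http://update-check.example.net/a.bin"

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, match(buf))
```

The wildcard bytes in $stub are what let the rule survive a rebuild of the sample: the call target changes between builds, the call/pop/sub prologue around it does not. Requiring $mz at offset 0 in addition to the URL string keeps the rule from firing on a file that merely quotes the URL, which is the SAMPLE_MISS case; rules that consist of a single string are a common source of false positives during a hunt.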
CrowdFMS
CrowdFMS is a framework for automatically collecting and analyzing samples from VirusTotal in coordination with YARA. It watches the user's VirusTotal YARA notification feed, downloads the samples that triggered the user's rules, and raises an alert; the user can also specify a command to execute whenever a sample is downloaded because it matched a particular YARA rule.
Botscout
Botscout is an online service that prevents bots (automated web scripts) from abusing a website's forms. It keeps a record of the names, IP addresses, and e-mail addresses that bots have used and treats each as a signature that can be checked to stop the same bots in future.
Querying Botscout adds a lookup to every form submission, which may slow it down slightly, but it is a good free solution for blocking bogus form submissions.
The Botscout database can also be searched manually by bot name, e-mail, or IP address at https://botscout.com/search.htm.
Situational Awareness Driven
In this type, risk is assessed and measured at the level of individual users, assets, and the organization as a whole, so that the hunt can be focused where exposure is highest. AIEngine and YETI are examples of situational-awareness-driven threat hunting tools.
Artificial Intelligence Engine or AIEngine
AIEngine is a packet-inspection engine used to boost a network's intrusion detection. It can learn without human intervention and can be reprogrammed while it is running, through its Python and other scripting interfaces. Its features include DNS domain classification, spam detection, a network collector, and network forensics. It helps security professionals understand their network traffic and extract signatures for firewalls, traffic classifiers, and other network monitoring solutions.
YETI
YETI (Your Everyday Threat Intelligence) is a platform that organizes observables (e.g., domain resolutions and IP geolocation), indicators of compromise (IoCs), tactics, techniques and procedures (TTPs), and general knowledge about threats in one repository. It has two interfaces: a Bootstrap-based web UI for humans and a web API for machines, so other threat intelligence tools can talk to it easily.
Threat hunting tools help security professionals fight advanced threats that conventional solutions such as firewalls and IDS cannot detect. This article has described several threat hunting tools, focusing on popular free ones; many commercial tools also exist, and most offer a free evaluation period so their features can be tested before committing to the full version.