7 THREAT HUNTING TOOLS EVERYONE IN THE INDUSTRY SHOULD BE USING
By Josh Campbell from Cyborg Security
Let’s face it: threat hunting is a tool and technology-intensive discipline. It can sometimes seem like expensive commercial threat hunting tools and services are the only tools in the industry. The reality, though, is that most threat hunters don’t rely exclusively on these fancy tools. Instead, many hunters find themselves reaching for free and flexible tools for investigations. But the pace that these tools are released at often leaves people dazed and confused. We talked to threat hunters across the industry to find their top tools. We then compiled a list of their top free threat hunting tools, scripts, and services for day-to-day hunting.
CyberChef
CyberChef is a threat hunting tool that is well-known across the security profession. Released by the secretive agency known as GCHQ in 2016, the tool is designed for analyzing and decoding data. What data you ask? While its was very robust at launch it has only grown in capabilities. Whether you want to decode XOR, Base64, or something more exotic like the Bacon Cipher, CyberChef can do it with ease. The tool can also automatically detect various types of nested encoding in data.
That isn’t all though, as the tools’ authors are hard at work enabling forensic, networking and even language capabilities! The real power of the platform though is in its “recipe” function, which allows hunters to chain operations, inputs, outputs, and arguments together into “recipes.”
Hunters have told us that whenever they encounter obfuscated or encoded data, CyberChef is their go-to tool.
RSS Readers
This isn’t so much as a single threat hunting tool, but rather a threat hunting tool category: really simple syndication (RSS) readers. Almost every hunter we spoke with emphasized how important keeping up on the news is for a hunter. We aren’t talking about CNN headlines though. Instead, they all emphasized the importance of following popular security sites for industry news. Several hunters also suggested following vendors’ sites that announce vulnerabilities and patches. Some other hunters made following red teaming and exploit publishing sites a priority.
RSS readers come in every flavour with every one of our hunters having a different choice. However, we do suggest picking a free one given the wide selection available.
What if your favorite site doesn’t offer RSS? There are a host of free services hunters recommended for creating custom RSS feeds. We have linked to a few here.
Phishing Catcher
Phishing remains on of the biggest threats to organizations. It is no surprise then that threat hunters recommended the proactive threat hunting tool Phishing Catcher. Phishing Catcher is an open source tool used to detect phishing domains in near real time. How does it do this?
It leverages data about suspicious issued TLS certificates in near-real time. CertStream’s public API publishes the data from the Certificate Transparency Log (CTL). Phishing Catcher then parses this data, while looking for user-defined keywords and scoring the results. These keywords could include suspicious terms or even an organization’s name or trademarks. Phishing Catcher also has scoring basing on specific criteria, allowing hunt teams to focus on real threats.
DNSTwist
Another threat hunting tool for catching suspicious domains that hunters recommended was DNSTwist. DNSTwist is a very powerful tool that uses various fuzzing algorithms to detect suspicious domains. DNSTwist can identify mistyped domains, homoglyphs, and internationalized domain names (IDN). It can also detect live phishing pages and geo locate all its results to identify strange outliers.
If that wasn’t enough, DNSTwist is also capable of rogue MX host detection. This allows the tool to detect domains configured to vacuum up misdirected emails. Attackers sometimes use this to harvest valid email addresses or to perform reconnaissance.
gnuplot
One threat hunting tool that got rave reviews from threat hunters was a simple tool dating back to 1986: gnuplot! Gnuplot is an open source tool that allows plotting of data on two and three dimensions. Why do threat hunters need tools like gnuplot?
The media often portrays threat hunters as knee-deep in log data, but that is only partially true. In reality, threat hunters need data visualization to analyze and identify statistical outliers. This is especially true with data-driven hunting.
While some hunters preferred using Excel for this task, gnuplot was the clear favorite. This is because while Excel uses a GUI, which can struggle with huge amounts of data, gnuplot is a command line tool. This allows hunters to feed huge amounts of delimited data to gnuplot, and have it output instant results.
One warning hunters gacve, almost universally, when it came to gnuplot. While its interface is very powerful, it has a steep learning curve. Be ready to break out the man pages.
AttackerKB
One hunter aptly described AttackerKB as “the yelp of exploits,” and they weren’t wrong. AttackerKBis a threat hunting tool that provides everything adversaries, and their hunters, need to understand exploits. This includes disclosure, technical analysis, outcomes, exploitability, ease of use and much more.
This information allows hunters to identify and rank new and legacy vulnerabilities. It can also enable threat hunters to figure out what vulnerabilities apply to their organizations.
YARA
One of the most common threat hunting tools mentioned by hunters was YARA. YARA is tool with an interesting legacy. While it’s original purpose was for malware classification, the format has become popular choice for hunters. This is because rules written in the YARA format are ingestible by security controls for malware detection. The rules can also be used on sites like VirusTotal to find specific malware or even sensitive company documents.
There are a ton of tools that leverage YARA, including YARAGenerator. YARAGenerator allows threat hunters to build YARA rules for specific malware samples automatically.
Threat hunting is often perceived as a tool-intensive discipline, and it is. But, that doesn’t mean that threat hunters rely exclusively on those expensive commercial tools. In fact, from our discussion with threat hunters across the industry many rely more on free tools. These free tools allow them to solve large and complex problems without a large cost.
Now that you know some of the best threat hunting tools, find the top 3 easiest hunts you can do as an organization!