Threat hunting

Top 10 Free Threat-Hunting Tools

Mahwish Khan
February 15, 2019 by
Mahwish Khan

Threat hunting is an alternative approach to dealing with cyber-attacks, compared to network security systems that include appliances such as firewalls that monitor traffic as it flows through a system. While these common methods of defense generally investigate threats after they have occurred, the strategy of threat hunting involves searching through networks, detecting and isolating threats, and eradicating them before traditional warning systems have even sounded the alert.

This can be achieved manually by security analysts, who search through a system's data information to identify potential weaknesses within the network and create "what-if" scenarios they use to proactively counter those weaknesses. Today, though, threat hunting is becoming more automated, and the process takes advantage of user and entity behavior analytics to inform the security analyst of any potential risks.

Become a certified threat hunter

Become a certified threat hunter

Learn how to find, assess and remove threats from your organization — and become a Certified Cyber Threat Hunting Professional, guaranteed!

There are three types of hypotheses that analysts look for while threat hunting:

  • Analytics-Driven: Considers user and entity behavior analytics (UEBA) and machine learning to develop accumulated risk scores and further hypotheses
  • Intelligence-Driven: Fueled by threat intelligence reports, feeds, malware analysis and vulnerability scans
  • Situational-Awareness Driven: Uses enterprise risk assessments or Crown Jewel analysis, evaluating a company or individual's trends

There are a variety of trustworthy vendors that offer threat-hunting software and services. If you are not looking into investing in a commercial, paid software plan that can run your company a lot of money, there are plenty of free tools online that IT security analysts or those looking to secure threats on their network can use to stay protected.

Analytics-Driven

Maltego CE

This is a data-mining tool that renders interactive graphs for link analysis. It's used most frequently in online investigations by finding relationships between portions of data from various sources of the internet. Maltego CE automates processes of different query resources and displays a graph that's useful for link analysis.

It seamlessly integrates nearby data sources, and for that reason, many data vendors have chosen Maltego CE as the delivery platform for their data. Customization of this application is easy and can adapt to your own unique specific requirements.

Cuckoo Sandbox

Cuckoo Sandbox is a leader in open-source automated malware analysis systems. It enables you to dispose of any suspicious files and receive instantaneous, detailed results that outline what the file in question did when tested in an isolated environment.

Rather than simply disposing of malware it detects, Cuckoo's advantage gives you analytics on how the malicious files are operating to help you understand the intended outcome of a breach.

Automater

TekDefense's Automater can analyze URLs, hashes, and URLs to make intrusion analysis a much more seamless process. Simply choose a target, and Automater will fetch relevant results from popular sources. You're able to modify what sources the system is checking, and what data is taken from them. Modification of Python code is not required to use this application and the interface is very user-friendly, even for a beginner.

Intelligence-Driven

YARA

This multi-platform tool helps users classify malware and create descriptions of similar malware categories based on binary or textual patterns. Each description is comprised of a boolean expression and a set of strings and expressions that determine its identity.

YARA operates on Windows, Mac and Linux, and utilizes Python scripts or its own command-line interface. YARA is often used by commercial software to enhance its performance and abilities.

CrowdFMS

This application is a framework that automatically collects and processes samples from VirusTotal, a website that publishes details of phishing emails, by leveraging the Private API system. CrowdFMS downloads recent samples and triggers an alert to users' YARA notification feed.

In addition, users can indicate a specific command to execute these samples according to their YARA ID.

BotScout

The tool BotScout helps fight automated web scripts, more commonly known as "bots," by preventing them from being able to register on forums that lead to spam, server abuse, and the pollution of databases. BotScout tracks the IP, name and email address so that the source of bots is terminated for future encounters. This powerful yet simple API is used by many companies and universities to keep their online assets safe.

Machinae

Machinae can be utilized by compiling intelligence from public websites and feeds about security-related data such as domain names, URLs, email and IP addresses, and more. This software is free and has better compatibility than other security intelligence collectors on the market. Its configuration is also well-optimized and supports many inputs and outputs.

Situational-Awareness Driven

AIEngine

AIEngine is an interactive tool that revolutionizes your network's intrusion detection system, capable of learning without human interaction. It is programmable and includes features abilities such as:

  • Network forensics
  • Network collection
  • Spam detection

The tool aids IT professionals to better understand traffic, and to form signatures to use on firewalls and other protection software. It supports many systems and add-ons that would prove useful to a threat hunter.

YETI

Trusted Automated eXchange of Indicator Information (TAXII) is a set of message exchanges and services that enable threat details to be shared seamlessly across product lines, service boundaries and organizations. It empowers companies to share data they choose from trusted partners.

YETI supports pool, discovery, and inbox service defined by TAXII. It was written for Python 2.7 and takes advantage of Django 1.7 for the web framework. This application helps developers test TAXII applications as well as become more comfortable on the TAXII platform.

Conclusion

All the tools above have their own applications, and many can be used in combination to gather a comprehensive defense against cyber-attacks without shelling out any money. Once you have utilized some of the applications above, you can use your own to discretion to decide if you would like to upgrade to a paid commercial plan.

Threat hunting is a conscious battle between IT security personnel and attackers, and having many tools at your disposal gives you the best odds in winning the fight. Be sure that you and your company are prepared with solutions that are effective for you.

Sources

Cyber Threat Hunting, Elasticito

Getting Started, TAXII Project

Tools, Github

Become a certified threat hunter

Become a certified threat hunter

Learn how to find, assess and remove threats from your organization — and become a Certified Cyber Threat Hunting Professional, guaranteed!

Information Sharing Specifications for Cybersecurity, US-Cert

Mahwish Khan
Mahwish Khan

Mahwish Khan is a Pharm-D graduate from The University of Faisalabad. She is experienced in technical writing. She currently works for a university as a technical trainer and documentation specialist. In the past, she has taught university writing courses and worked in two university writing centers, both as a consultant and administrator.