Modern cybersecurity defense mechanisms are no longer only defensive. The more you care about cybersecurity the more you need to start acting offensively. Of course, this doesn’t mean you should start hacking the hackers. But there are some offensive cybersecurity processes and tools that can help improve your security posture. In this post, you’ll learn about one of those processes: threat hunting. We’ll briefly explain what it is and then talk about the five best tools for threat hunting.
What is Threat Hunting
Before diving into specific tools, let’s quickly define threat hunting for those of you not so familiar with it. Threat hunting means proactively searching for cybersecurity threats in your network. So basically, you’re trying to be one step ahead of the attackers. Traditionally, when we think about cybersecurity, we think about defensive tools like firewalls or scanning tools that periodically search for threats in your infrastructure. But with threat hunting, you actually go and search for threats that could potentially bypass your firewall and remain undetected by your scanners.
Threat hunting used to be a manual process. In addition, it required quite advanced knowledge because if a threat was undetected by your traditional tools, this meant it was advanced and well hidden. To actually spot these well-hidden threats required a lot of experience and knowledge from security analysts. Fortunately, nowadays, we have more advanced tools that can help with that process, making threat hunting a little bit easier and more accessible.
Five Threat Hunting Tools Explained
The first tool on our list is dnstwist. Maybe it’s not the most advanced dedicated threat hunting tool, but it does one job and does it really well. You see, these days phishing is one of the most popular attacks around. dnstwist finds suspicious domains, whether randomly generated domains or domains that look very similar to real websites (meant to steal your data). dnstwist has quite a lot of features and it’s a definite must-have when threat hunting. This is because (almost) all malware needs to “phone home,” and dnstwist is really good at finding domains used for that purpose. So while it doesn’t find malware itself, it definitely helps you to know if your network contains threats you need to investigate further.
Malware becomes more and more advanced every day, making it harder to detect. You can spend millions of dollars on hardware or software malware protection, but nothing guarantees complete malware protection. dnstwist, however, can quite easily tell you if there is something fishy going on in your network.
Another tool that we highly recommend is phishing catcher. Even though it started as a simple POC (proof of concept) it’s been used by many threat hunters and has proven to work really well. As the name suggests, it’s dedicated to catching phishing attempts. It’s similar to dnstwist but it works quite differently. Phishing catcher does its job mainly “by looking for suspicious TLS certificate issuances reported to the Certificate Transparency Log (CTL) via the CertStream API.” The advantage of phishing catcher is that it works in (near) real-time.
It’s written in Python and uses YAML for configuration, making it quite easy to use. It comes with a default configuration file so you can literally just download it, execute it, and benefit straight away. But, of course, you’ll get the best security by adjusting the default configuration or creating your own configuration file adjusted to your company’s specifics.
Moving on from simple specialized tools to a tool that calls itself a true “swiss knife,” YARA is one of the most popular tools when it comes to threat hunting. It can identify and classify malware based on textual or binary patterns. Originally, YARA’s only job was to be a simple tool for malware classification. However, it’s grown substantially since its beginnings. Nowadays, even some commercial security tools use YARA under the hood because you can write rules in YARA and use these rules for malware detection. But that’s just the most common use case. You can use YARA rules with many other tools—even on websites like VirusTotal. Another great thing about YARA is that it runs on Windows, Linux, and Mac OS X, and you can use it from a command-line or from your own Python scripts.
In order to hunt threats, you need to constantly stay up to date with new vulnerabilities and malware types. The next tool on our list, Machinae, can help you with exactly that. It can collect security-related data from public websites such as domains, URLs, and IP addresses. You can then use that information to feed YARA in order to find ever-changing malware. Machinae was modeled after another well-known tool called Automater. They both try to achieve the same goal, but Machinae, in theory, improves on Automater. As with most security tools, Machinae is written in Python and it uses YAML for configuration. So, again, you’ll find it quite easy to use.
Threat hunting is usually a two-step process. As a first step, you need to actually find the hidden threats. But threat hunting doesn’t end there. The second step involves reacting to the threat. For this, you need to understand what the attacker designed the found threat to actually do. You’ll probably find a lot of similar malware threats because many of them evolve from common roots and you’ll find only a few malware families.
But, sometimes you’ll find exotic malware that doesn’t seem similar to any other common threats. In such cases, you need to actually reverse engineer the threat. For that, you’ll need a good sandbox environment where you can safely execute the threat. Cuckoo Sandbox is one of the most commonly used tools for that purpose. It lets you run the suspicious file and will generate a nice report about exactly what the file tried to do. And we’re not talking only about executable files. You can use Cuckoo for all threats commonly used by attackers against file types such as Microsoft Office files, PDFs, emails, and so on. It can also dump and analyze all malware-related network activity and integrate with YARA for advanced process-memory analysis.
Cuckoo is open-source and it works on Windows, MacOS, Linux, and Android.
Malware can sneak into your network undetected. Scanners and firewalls aren’t perfect. Therefore, just because your typical malware scanners and firewalls don’t report anything suspicious, doesn’t mean you’re actually safe. However, you can take the next step and instead of relying purely on defensive security processes, adopt an offensive mode. By using threat hunting tools like those mentioned above you can actually detect what once seemed undetectable.
Most malware these days focuses on stealing your data or redirecting you to malicious websites. Therefore, tools like dnstwist or phishing catcher can really make a difference in your security posture. Even if malware manages to sneak onto your network undetected, it still needs to make some network calls to send your stolen data back to the attacker. Thus, you still have the chance to stop it at this point.
Of course, don’t forget that ideally, you wouldn’t let malware onto your network in the first place, so threat hunting is definitely not a solution for poorly configured firewalls and security scanners. Threat hunting is a good next step once you have your security basics covered. If you want to learn more about security, check out our blog.
This post was written by Dawid Ziolkowski. Dawid has 10 years of experience as a Network/System Engineer at the beginning, DevOps in between, Cloud Native Engineer recently. He’s worked for an IT outsourcing company, a research institute, telco, a hosting company, and a consultancy company, so he’s gathered a lot of knowledge from different perspectives. Nowadays he’s helping companies move to cloud and/or redesign their infrastructure for a more cloud-native approach.