Last week we talked to you about Threat Hunting and why you should be actively looking for trouble. We’ve assembled a few links to tools and repositories you can use to fill up your threat hunting utility belt.*
1. Awesome Threat Intelligence (https://github.com/hslatman/awesome-threat-intelligence#tools)
This one’s a doozy. Honestly, we don’t even know where to start so we might as well start with the title. “Awesome Threat Intelligence” is exactly what it sounds like. 30 frameworks, 50 free tools, and a literal mountain of reference material. The list goes on and on.
We don’t have the time to get through everything on the ATI list, but if you’ve got a spare minute or two and you’re feeling adventurous, it’s worth a look.
Awesome Threat Intelligence is curated by Herman Slatman, a software architect from the Netherlands.
2. The Threat Hunting Project (threathunting.net)
Started by David J. Bianco, an Incident Detection & Response Specialist employed by Target, the Threat Hunting Project is an open source community repository hosted on GitHub that is reasonably well maintained. They’ve combined Python and Jupyter Notebooks (http://jupyter.org) to create a platform they’ve dubbed “Hunter” (http://www.threathunting.net/hunting-platform).
We haven’t had a chance to play around with the platform ourselves, but after looking through the README.md file (https://github.com/ThreatHuntingProject/hunter/blob/master/README.md) it seems to be a fairly decent option for those looking for an open source solution that favors an analytical approach.
According to the website, Bianco hopes the Threat Hunting Project will give amateur threat hunters a concrete starting point and offer experienced hunters additional techniques they might not have been aware of.
There’s no cost to using the Threat Hunting Project, but they do ask that you contribute in some way.
“This repo is here for the community. You are free to use it for personal or commercial use provided you attribute it in some visible manner,” said Bianco on the website. “We suggest Data provided by The ThreatHunting Project, http://threathunting.net or something substantially similar. Please do include the URL, though, to help more people find us.”
Sounds fair to us.
3. Scott Roberts’ Hunting Tools Guide (https://sroberts.github.io/2015/04/21/hunting-tools/)
Roberts’ list isn’t as in-depth as the others, but that’s okay. We like that he gets a little more specific with his recommendations. It lets us peel back a layer or two and get a more personal idea of what active threat hunters like about the open source tools they recommend.
4. VirusTotal (virustotal.com)
VirusTotal is a searchable virus and malware database—to be quite frank, it’s awfully neat. All you have to do is create an account and you’re golden. Once you have an account you can search with a wide variety of parameters, including keywords, file type, and first/last submission date.
VirusTotal offers the end user a unique opportunity to customize their search to exactly meet their needs and best of all, it’s free.
There’s an abundance of tools out there that can help you look for threats on your network and endpoints. What works best is ultimately up to you. Our goal isn’t to tell you what to do or when to do it; we’re just here to advise.
Now that we’ve covered open source threat hunting tools, tune in next week for our recommended commercial options. And if you’ve got any open source threat hunting tools that you’d like us to take a look at, feel free to send them our way. We’d be happy to take a look.
*Bat-Shark Repellent Not Included