

Are you on the lookout for threat-hunting tools? If so, you’ve come to the right place. 

Threat hunting is a different approach to dealing with cyber-attacks than network security systems built on appliances such as firewalls, which monitor traffic as it flows through them.

While traditional defense methods generally investigate threats after they have occurred, the threat-hunting strategy involves:

  • Searching through networks;
  • Detecting and isolating threats;
  • Eradicating them before traditional warning systems have even sounded the alarm.

Security analysts can accomplish this manually by searching through a system’s data to identify potential network weaknesses and creating “what-if” scenarios to counter those weaknesses proactively.

However, threat hunting increasingly relies on automated detection and on user and entity behavior analytics to alert the security analyst to potential risks.

Threat hunters look for three types of hypotheses:

  • Analytics-Driven: Analyzes user and entity behavior (UEBA) and machine learning to develop risk scores and theories.
  • Intelligence-Driven: Powered by threat intelligence reports, feeds, malware analysis, and vulnerability scans.
  • Situational-Awareness Driven: Evaluates trends in a company or individual based on enterprise risk assessments.

That said, several vendors offer threat-hunting software and services that are trustworthy. 

If you are not looking to invest in a commercial product, there are plenty of free threat-hunting tools online that IT security analysts, or anyone looking at security threats on their network, can use to stay protected.

What Should You Look for in Threat Hunting Tools?

Threat hunters use various tools, including artificial intelligence, machine learning, advanced analytics, analytical statistics, information analytics, and security monitoring.

The fundamental tenet of threat hunting is that no system is entirely secure and that the threat hunter can anticipate and actively prevent attacks. The threat of cyberattacks is growing, and a variety of destructive malware is targeting more businesses, with potentially lethal consequences for organizations.

So, when looking for a threat-hunting tool, make sure to keep an eye out for the following features:

  • A data collection service that provides event information to threat hunters.
  • The aggregation of data to uniformize the format of event records.
  • The option to test it out before purchasing it.
  • A security policy that governs threat detection.
  • Manual analysis options.
  • Automated response settings.

Now here’s our list of free and open-source threat-hunting tools you can use to keep your organization safe!

10 Top-Notch Free and Open-Source Threat Hunting Tools

1. AIEngine

As a Python, Ruby, Java, and Lua packet inspection engine, AIEngine is an interactive tool that can update the network’s intrusion detection system.

AIEngine includes next-generation interactive/programmable NIDS (Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics, and many other features.

Using AIEngine, you can detect spam and collect network data for learning and network forensics without needing human interaction. This tool is an example of a situational awareness-driven tool.

IT workers can better comprehend traffic and create signatures for firewalls and security programs using this tool. In addition, a threat hunter would find it valuable because it supports various systems and add-ons.

2. APT-Hunter

Ahmed Khlief designed APT-Hunter, a threat-hunting tool for Windows event logs that can detect suspicious activity and track APT movements. It is helpful for threat hunters, incident responders, and forensic investigators. The default rules of this tool map MITRE ATT&CK tactics and techniques to Windows event log event IDs and detect indicators of attack, including APT techniques.

Free and open-source, APT-Hunter can identify APT movements within the system based on previously discovered APT attacks. Its quicker attack detection shortens the time it takes to react, enabling swift containment and eradication of attacks. Used as a filter, it can reduce millions of events to just a few serious ones.

APT-Hunter has two components that work together to get users the data they need. The program is used to speed up Windows log analysis, but it only partially replaces that analysis.
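The idea of mapping Windows event IDs to ATT&CK techniques and filtering a large log down to a few findings can be sketched as follows. This is an added example, not APT-Hunter's code or rule set: the rule table, the failed-logon threshold, and the sample events are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed rule table for this example: Windows event ID -> (ATT&CK technique, meaning)
RULES = {
    1102: ("T1070.001", "Security audit log cleared"),
    4698: ("T1053.005", "Scheduled task created"),
    4720: ("T1136", "User account created"),
    7045: ("T1543.003", "New service installed"),
}
FAILED_LOGON_ID = 4625        # noisy on its own, so it is counted per source
BRUTE_FORCE_THRESHOLD = 5     # assumed threshold


def triage(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Reduce a list of event dicts to findings tagged with ATT&CK technique IDs."""
    findings = []
    failed_by_source = Counter()
    for ev in events:
        if ev["id"] == FAILED_LOGON_ID:
            failed_by_source[ev.get("source", "unknown")] += 1
        elif ev["id"] in RULES:
            technique, what = RULES[ev["id"]]
            findings.append((ev["time"], technique, what, ev["host"]))
    # Repeated failed logons from one source are reported once, as brute force.
    for source, count in sorted(failed_by_source.items()):
        if count >= threshold:
            findings.append((None, "T1110", f"{count} failed logons from {source}", None))
    return findings


# Constructed sample: 40 routine logons, a burst of failed logons, three rule hits.
SAMPLE_EVENTS = (
    [{"id": 4624, "time": f"2024-01-01T09:{m:02d}:00", "host": "WS01"} for m in range(40)]
    + [{"id": 4625, "time": f"2024-01-01T10:00:{s:02d}", "host": "DC01",
        "source": "10.0.0.23"} for s in range(6)]
    + [{"id": 4625, "time": "2024-01-01T10:05:00", "host": "DC01", "source": "10.0.0.8"}]
    + [
        {"id": 4720, "time": "2024-01-01T10:07:12", "host": "DC01"},
        {"id": 7045, "time": "2024-01-01T10:09:40", "host": "DC01"},
        {"id": 1102, "time": "2024-01-01T10:11:03", "host": "DC01"},
    ]
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The 50 sample events reduce to four findings; the single failed logon from 10.0.0.8 stays below the threshold and is not reported.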

3. Attacker KB

Security teams may have difficulty identifying risk and importance within the noise generated by new vulnerabilities when they gain discussion on Twitter or reach the news. How widespread is the weakness? Should an exploit be developed?

Is it worthwhile to abandon everything to repair or mitigate? Will the adversary or threat actor exploit the opening? Or is it neither valuable nor exciting?

In most cases, security experts and hackers are the first to identify the conditions and qualities that make a vulnerability exploitable and beneficial to an attacker. Attacker KB’s purpose is to record, showcase, and increase the security community’s expertise.

As a threat-hunting solution, Attacker KB provides adversaries and their hunters with everything they need to comprehend exploits. This includes information disclosure, technical evaluation, results, exploitability, usability, and more.

This information allows threat hunters to identify and rank both recent vulnerabilities as well as historical ones. Threat researchers can determine which vulnerabilities apply to their organizations.

4. Automater

Automater, a threat-hunting tool from TekDefense, analyzes URLs, IP addresses, and hashes to simplify intrusion analysis. Using Automater, you can select a target and gather relevant information from well-known sources.

This application’s interface is quite user-friendly, even for beginners, and modifying the Python code is not necessary to use it. Furthermore, you can choose which sources are checked and what information is retrieved from them.

Searches can be conducted on IP addresses, MD5 hashes, and domains using Automater. Some of the trustworthy websites queried by the Automater tool are Unshorten.me, Urlvoid.com, IPvoid.com, Robtex.com, Fortiguard.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal. Automater is written in Python, and it is free, open-source, and available on GitHub.

5. BotScout

BotScout is a threat-hunting tool that prevents automated web scripts, also known as “bots,” from filling out forms on websites, spamming, and registering on forums.

It does this by tracking bots’ names, IP addresses, and email addresses and storing them as unique signatures for future use. You can use the signature data provided by BotScout via an easy-to-use API to evaluate forms as they are submitted on your website.

In addition to manually searching the BotScout database for bots on forums, users can also test for bots using contact forms or other web applications and reject or ban them immediately. Users can obtain a free API key if they need more than 1000 automatic lookups daily. Anti-bot plugins are available for well-known forums as well.

This tool is used to identify and remove bots by people, businesses, and universities worldwide, including Oracle Corporation, Deutsche Bank, Banco di Napoli, University of Washington, University of Milan, and others.

6. CrowdFMS

In the automated program CrowdFMS, samples are collected and processed from a website that publishes information about phishing emails. An alert is triggered if a phishing email reaches the network.

By utilizing the Private API architecture, CrowdFMS provides a framework for automating the collection and processing of samples from VirusTotal. The user’s YARA notification feed is alerted when the framework downloads recent samples. A specific command to run on these samples can also be specified by YARA ID.

7. Cuckoo Sandbox

The Cuckoo Sandbox is an open-source tool for analyzing malware. It’s free to download, but it’s challenging to install due to the numerous dependencies it needs. Once you have it set up, though, it’s advantageous.

This tool can analyze various malicious files, including executables, office documents, PDFs, emails, scripts, and websites. Thanks to its open-source nature and robust modular design, you can customize the analysis environment, data processing, and reporting stages.

You can use Cuckoo Sandbox in Windows, Linux, macOS, and Android virtualized environments to examine malicious files and websites. Volatility and YARA also allow for sophisticated memory analysis on an infected virtualized system process-by-process.

A Cuckoo Sandbox setup has two parts: a Linux Ubuntu host with a nested Windows 7 system on top of it.

The primary Cuckoo package, which is based on Python, is installed on the Ubuntu host, along with several dependencies that are configured to take advantage of Cuckoo’s modularity.

On the Ubuntu host, VirtualBox is installed, and a Windows 7 guest is created. In addition, a Cuckoo agent is installed on the Windows 7 machine, allowing communication between the two devices.

8. DeepBlueCLI

DeepBlueCLI is an open-source tool that automatically analyzes Windows event logs, either on Windows (PowerShell version) or on Linux/Unix systems running ELK (Elasticsearch, Logstash, and Kibana) (Python version). Eric Conrad created it, and it is available on GitHub.

DeepBlueCLI enables rapid detection of specific events found in Windows Security, System, Application, PowerShell, and Sysmon logs. Moreover, DeepBlueCLI is quick when working with saved or archived EVTX files. Querying the active event log service takes slightly longer but is just as efficient.

9. CyberChef

CyberChef is a web application developed by GCHQ, also known as the “Cyber Swiss Army Knife.” It is licensed under the Apache 2.0 license and is protected by Crown Copyright.

You can perform many “cyber” operations in a web browser using CyberChef, a straightforward, user-friendly web application. These operations include XOR and Base64 encodings, as well as creating binary and hex dumps, compressing and decompressing data, computing hashes and checksums, parsing IPv6 and X.509, and altering character encodings.

Neither technical nor non-technical analysts need to deal with complicated tools or methods; the program helps them modify data in complex ways. Using their 10% innovation time, an analyst created, designed, implemented, and incrementally refined it over several years.

By using CyberChef you can encode, decode, format, parse, compress, and extract data. You can also perform mathematical operations, if you will.

10. Phishing Catcher

This tool enables you to discover potential phishing domains by checking for suspicious TLS certificate issuances submitted to the Certificate Transparency Log (CTL). Its most important benefit is that it works in almost real-time. Since it's written in Python and uses YAML for configuration, it is also easy to employ.

According to GitHub, Phishing Catcher uses a YAML configuration file to assign a numeric score for strings that can be found in a TLS certificate’s common name or SAN field. If you don't want to go through too much trouble configuring it and you want to benefit immediately, you can just download and execute the default configuration.

However, security-wise it is best to adjust the default configuration to your company’s needs. On macOS or another operating system, installation might turn out to be difficult. If that is the case, you should consider dockerizing the tool.
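A simplified sketch of scoring strings in a certificate's common name and SAN entries, including an allowlist tuned to your own domains, is shown below. It is an added example and not Phishing Catcher's code or configuration format: the keyword weights, threshold, allowlist, and certificate names are constructed assumptions, and a Python dict stands in for the YAML file.

```python
# Assumed weights for this example (a dict standing in for a YAML config file).
KEYWORD_SCORES = {"examplebank": 60, "login": 25, "verify": 20, "secure": 15, "account": 15}
ALLOWLIST = {"examplebank.example"}   # domains you own; adjust to your organization
ALERT_THRESHOLD = 65                  # assumed alerting threshold


def score_name(name):
    """Score one DNS name taken from a certificate's CN or SAN list."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]               # treat a wildcard like its base name
    # Allowlist match on a label boundary, so "notexamplebank.example" is not exempt.
    if any(name == d or name.endswith("." + d) for d in ALLOWLIST):
        return 0
    score = sum(points for kw, points in KEYWORD_SCORES.items() if kw in name)
    if name.count("-") >= 3:
        score += 10                   # long hyphenated names
    if name.count(".") >= 3:
        score += 10                   # deeply nested subdomains
    return score


def score_certificate(common_name, san_names):
    """Return (highest-scoring name, its score, alert?) for one certificate."""
    names = sorted({common_name, *san_names})   # sorted for deterministic ties
    worst = max(names, key=score_name)
    total = score_name(worst)
    return worst, total, total >= ALERT_THRESHOLD


# Constructed certificates: (common name, SAN list)
CERTS = [
    ("examplebank-login.secure-verify.example",
     ["examplebank-login.secure-verify.example",
      "www.examplebank-login.secure-verify.example"]),
    ("www.examplebank.example", ["examplebank.example"]),
    ("blog.example.org", ["blog.example.org", "*.example.org"]),
]

if __name__ == "__main__":
    for cn, sans in CERTS:
        print(score_certificate(cn, sans))
```

Only the first certificate crosses the threshold; the organization's own names score zero because of the allowlist, which is the kind of adjustment to the defaults the paragraph above recommends.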


Heimdal® Threat-hunting & Action Center – One Platform to Rule Them All

The Heimdal Threat-hunting and Action Center is a ground-breaking platform that works in tandem with the Heimdal solution suite.

The solution employs granular telemetry to enable swift decision-making. It uses built-in hunting, remediation, and actioning capabilities – managed from the Heimdal Unified Security Platform – to provide security teams with an advanced threat-centric view of their IT landscape.

In addition, the Threat-hunting and Action Center employs the industry-standard MITRE ATT&CK techniques to assist security teams in proactively classifying and prioritizing security risks, hunting anomalies, and neutralizing threats in a secure environment.

This product reshapes cybersecurity as we know it. The Threat-hunting and Action Center represents security leaders, practitioners, and operational MSSPs.

Without a doubt, Heimdal is continuing its commitment to driving revolutionary changes in cybersecurity. We are confident that this new tool will take threat-hunting one step further by mitigating risks faster and with less effort. We are also confident that it will cause a change in productivity for mid-market and enterprise customers and for MSPs and MSSPs.

Wrap Up

All the aforementioned free open-source tools have their applications, and you can use many of them in tandem to create a comprehensive defense against cyber-attacks without spending any money. After using them, you can decide whether or not you want to upgrade to a paid commercial plan.

Threat hunting is a deliberate battle between IT security personnel and attackers, and having many tools at your disposal gives you the best chance of winning. Make sure that you and your company are prepared with practical solutions.


Author Profile

Gabriella Antal

SMM & Corporate Communications Officer


Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
