Here are three types of hypotheses that analysts form while threat hunting:
- Analytics-Driven: Considers user and entity behavior analytics (UEBA) and machine learning to develop accumulated risk scores and further hypotheses
- Intelligence-Driven: Fueled by threat intelligence reports, feeds, malware analysis and vulnerability scans
- Situational-Awareness Driven: Uses enterprise risk assessments or Crown Jewel analysis, evaluating a company or individual’s trends
Analytics-Driven
Maltego CE
This is a data-mining tool that renders interactive graphs for link analysis. It is used most frequently in online investigations to find relationships between pieces of data drawn from various sources on the internet. Maltego CE automates the querying of different data sources and displays the results as a graph that is useful for link analysis.
Cuckoo Sandbox
Cuckoo Sandbox is a leader in open-source automated malware analysis systems. It enables you to submit any suspicious file and receive instantaneous, detailed results that outline what the file in question did when run in an isolated environment.
Automater
TekDefense’s Automater can analyze URLs, IP addresses, and hashes to make intrusion analysis a much more seamless process. Simply choose a target, and Automater will fetch relevant results from popular sources. You are able to modify which sources the system checks and what data is taken from them. Modifying Python code is not required to use this application, and the interface is very user-friendly, even for a beginner.
Intelligence-Driven
YARA
This multi-platform tool helps users classify malware and create descriptions of malware families based on binary or textual patterns. Each description (a rule) consists of a set of strings and a boolean expression (the condition) over those strings that determines whether a sample matches.
YARA operates on Windows, Mac and Linux, and can be used from its own command-line interface or from Python scripts. YARA is often embedded in commercial software to enhance its detection abilities.
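The following rule is an added illustration of the structure described above (a strings section plus a boolean condition); it is not from the original article or from the YARA project, and every string, domain and metadata value in it is a constructed placeholder rather than a real indicator:

```yara
/*
  Added illustrative rule (not from the page or from the YARA project).
  All patterns and metadata below are constructed placeholders, not real IoCs.
*/
rule Example_Suspicious_Downloader
{
    meta:
        description = "Illustrates the strings + condition structure of a YARA rule"
        author      = "editor example (constructed)"

    strings:
        // Textual pattern; matched case-insensitively, as ASCII or UTF-16 (wide)
        $ua  = "Mozilla/4.0 (compatible; MSIE 6.0)" ascii wide nocase
        // Another textual pattern, here the name of a common download helper
        $dl  = "DownloadString" ascii wide
        // Hexadecimal pattern: "http://", a jump of 4 to 8 arbitrary bytes, then ".exe"
        $hex = { 68 74 74 70 3A 2F 2F [4-8] 2E 65 78 65 }
        // Regular expression; .invalid is a reserved TLD, so this never names a live host
        $re  = /https?:\/\/[a-z0-9\-]+\.example\.invalid\//

    condition:
        // Boolean expression over the strings above: the file starts with the
        // "MZ" PE magic, is under 2 MB, and contains at least two of the four patterns
        uint16(0) == 0x5A4D and filesize < 2MB and 2 of ($ua, $dl, $hex, $re)
}
```

Saved as, say, `example.yar`, the rule is run against a directory of samples with the command-line scanner (`yara -r example.yar /path/to/samples`); each line of output names the rule and the file that matched. The `2 of (...)` quantifier is what keeps a rule like this from firing on every file that merely contains a browser user-agent string, which is the usual way to trade a little recall for far fewer false positives.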
CrowdFMS
This application is a framework that automatically collects and processes samples from VirusTotal, a website that publishes details of phishing emails, using VirusTotal’s private API. CrowdFMS downloads recent samples and triggers an alert to the user’s YARA notification feed.
BotScout
The tool BotScout helps fight automated web scripts, more commonly known as “bots,” by preventing them from being able to register on forums that lead to spam, server abuse, and the pollution of databases. BotScout tracks the IP, name and email address so that the source of bots is terminated for future encounters. This powerful yet simple API is used by many companies and universities to keep their online assets safe.
Machinae
Machinae collects intelligence from public websites and feeds about security-related data such as domain names, URLs, email addresses, IP addresses, and more. This software is free and has better compatibility than other security intelligence collectors on the market. Its configuration is also well-optimized and supports many inputs and outputs.
Situational-Awareness Driven
AIEngine
AIEngine is an interactive tool that revolutionizes your network’s intrusion detection system, capable of learning without human interaction. It is programmable and includes capabilities such as:
- Network forensics
- Network collection
- Spam detection
YETI
Trusted Automated eXchange of Indicator Information (TAXII) is a set of message exchanges and services that enable threat details to be shared seamlessly across product lines, service boundaries and organizations. It empowers companies to share the data they choose with trusted partners.
Source: resources.infosecinstitute.com