The following are some recommended tools for threat hunting. The list is far from exhaustive, but these will help when you are starting out.
Cisco Threat Response integrates select Cisco Security products and applies threat intelligence from Cisco Talos and third-party sources to your security events, so that indicators of compromise (IoCs) are researched automatically and threats can be confirmed quickly. It also lets you collect and store key investigation data, document your progress and findings, and remediate threats directly from the dashboard.
Cisco Threat Grid combines sandboxing with threat intelligence in one solution to protect organizations from malware. Its context-rich malware knowledge base shows what a sample does, or attempts to do, when detonated, how serious a threat it poses, and how to defend against it.
Cisco Stealthwatch is a network traffic and cloud security analytics solution that gives visibility across the enterprise network and public cloud. It can flag malware in encrypted traffic without decrypting it: its Encrypted Traffic Analytics classifies flows from metadata such as the TLS handshake and the sequence of packet lengths and inter-arrival times rather than from the payload. Multilayer machine learning and entity modeling provide threat detection, faster response, and simpler network segmentation, and its behavioral analytics show who is on your network or in your public cloud infrastructure and what they are doing.
Cisco AMP for Endpoints not only protects your endpoints but also supports malware analysis and proactive threat hunting. Its search capabilities let you pivot on a file, hash, URL, IP address, registry key, user, process, application, and more, and its file trajectory shows the lifecycle of a file in your environment: when it was first seen, what it did on each endpoint, and the related intelligence.
Cisco Umbrella Investigate provides a broad view of the relationships and evolution of domains, IPs, autonomous systems (ASNs), and file hashes. Accessible via web console and API, its threat intelligence adds the context needed to pivot from one indicator to related infrastructure and to uncover and predict threats.
Having a SIEM is a key step in carrying out threat hunting, especially when starting out. A well-configured SIEM greatly reduces the time spent gathering log files and performing basic analysis, because it centralizes and normalizes events from many sources and lets you query all of them with one search language. Examples of well-known SIEMs include Splunk, IBM QRadar, and Exabeam.
There are a variety of tools for collecting detailed logs from endpoints. The built-in Windows Event Log is a good place to start, and Sysmon and Process Monitor extend it with richer telemetry such as process creation with the full command line and file hashes, network connections, and file and registry activity. Community-maintained Sysmon configuration files are available to help you get started. On Apple Macs, use Console (or the log command-line tool) to view the unified log.
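The sort of basic analysis a SIEM or hunting script does over endpoint logs, as an added example that is not part of the original article: it parses Sysmon Event ID 1 (process creation) records in the Windows event XML schema and applies three hunting rules (an Office application spawning a shell, an encoded PowerShell command line, and a binary running from a user-writable directory). The three records and the rule thresholds are constructed assumptions for illustration, not anything the article prescribes.

```python
"""Hunt over Sysmon Event ID 1 (process creation) records exported as XML.

Added example, not code from the original article. The three records below are
constructed for illustration, and the three hunting rules are assumptions
about what is worth flagging rather than anything the article prescribes.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts -e / -ec / -en / -enc / -EncodedCommand followed by base64.
ENCODED_CMD = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
USER_WRITABLE = re.compile(r"(?i)\\(?:temp|downloads|public)\\")


def sysmon_event(image, parent_image, command_line, user="CORP\\alice"):
    """Build a constructed Sysmon EID 1 record in the Windows event XML schema."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="Image">{escape(image)}</Data>
    <Data Name="CommandLine">{escape(command_line)}</Data>
    <Data Name="User">{escape(user)}</Data>
    <Data Name="ParentImage">{escape(parent_image)}</Data>
  </EventData>
</Event>"""


def parse_sysmon_event(xml_text):
    """Flatten the EventData Name/value pairs into a dict, plus the EventID."""
    root = ET.fromstring(xml_text)
    event = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    event["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return event


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(event):
    """Return the names of every rule the event trips (empty list if clean)."""
    findings = []
    if event.get("EventID") != 1:          # only process-creation events are hunted here
        return findings
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if parent in OFFICE_APPS and image in SHELLS:
        findings.append("office-app-spawned-shell")
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_CMD.search(event["CommandLine"]):
        findings.append("encoded-powershell")
    if USER_WRITABLE.search(event["Image"]):
        findings.append("exec-from-user-writable-path")
    return findings


def hunt_all(xml_records):
    """Parse each exported record and return (image basename, findings) per event."""
    return [(basename(e["Image"]), hunt(e)) for e in map(parse_sysmon_event, xml_records)]


SAMPLE_EVENTS = [  # constructed records: one benign, one macro dropper, one temp-dir binary
    sysmon_event(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\system32\svchost.exe -k netsvcs", user="NT AUTHORITY\\SYSTEM"),
    sysmon_event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "powershell.exe -nop -w hidden -enc "
                 "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    sysmon_event(r"C:\Users\alice\AppData\Local\Temp\update.exe", r"C:\Windows\explorer.exe",
                 r"C:\Users\alice\AppData\Local\Temp\update.exe /silent"),
]

if __name__ == "__main__":
    for image, findings in hunt_all(SAMPLE_EVENTS):
        print(f"{image:20s} {findings or 'clean'}")
```

The same rules expressed as SIEM searches are what a hunter would schedule once a SIEM is in place; running them directly over exported XML, as here, is the fallback when the logs have not yet been centralized.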
Network traffic monitoring tools capture and decode the data crossing your network. Wireshark and tcpdump are the most widely used capture and analysis tools; both are built on the libpcap library (Npcap on Windows), which you can also call directly from your own scripts. Capture from a SPAN/mirror port or a tap for full visibility, and keep in mind that full packet capture consumes storage quickly, so many teams retain flow records or headers continuously and capture full packets selectively.
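What a capture produced by tcpdump or Wireshark looks like underneath, as an added example that is not part of the original article: a standard-library-only parser for the classic pcap file format that decodes Ethernet/IPv4/TCP/UDP headers, counts flows, and flags a source sending bare SYNs to many ports on one host. The capture is constructed in memory (synthetic frames with checksums left at zero) so the script runs offline; the scan threshold of five ports is an assumption.

```python
"""Parse a classic pcap file with only the standard library and hunt over it.

Added example, not code from the original article. The capture below is
constructed in memory (synthetic Ethernet/IPv4 frames, checksums left at zero)
so the script runs offline; iter_pcap() accepts bytes read from a real
tcpdump or Wireshark save file as long as it is classic pcap with an Ethernet
link type (pcapng is not handled here).
"""
import socket
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1
SYN, ACK = 0x02, 0x10        # TCP flag bits


def build_pcap(frames):
    """Serialise (timestamp, frame) pairs into little-endian pcap bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (ts_sec, frame_bytes) per record, detecting the file's byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def ipv4_frame(src, dst, proto, payload):
    """Constructed Ethernet + IPv4 frame; the header checksum is not computed."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def tcp_segment(sport, dport, flags):
    """Minimal 20-byte TCP header with the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def udp_datagram(sport, dport, payload=b""):
    """Minimal UDP header plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_frame(frame):
    """Return (proto, src, sport, dst, dport, tcp_flags) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto == 6 and len(frame) >= l4 + 20:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        return ("tcp", src, sport, dst, dport, frame[l4 + 13])
    if proto == 17 and len(frame) >= l4 + 8:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        return ("udp", src, sport, dst, dport, 0)
    return None


def analyse(pcap_bytes, min_ports=5):
    """Count (proto, src, dst, dport) flows and flag SYN sweeps across many ports."""
    flows = Counter()
    syn_targets = defaultdict(set)
    for _ts, frame in iter_pcap(pcap_bytes):
        rec = parse_frame(frame)
        if rec is None:
            continue
        proto, src, _sport, dst, dport, flags = rec
        flows[(proto, src, dst, dport)] += 1
        if proto == "tcp" and flags & (SYN | ACK) == SYN:    # bare SYN, not SYN/ACK
            syn_targets[(src, dst)].add(dport)
    scans = {pair: sorted(ports) for pair, ports in syn_targets.items() if len(ports) >= min_ports}
    return flows, scans


# Constructed capture: a DNS exchange, the start of a normal HTTPS session, and a SYN sweep.
SAMPLE_PCAP = build_pcap(
    [(1700000000, ipv4_frame("10.0.0.5", "10.0.0.1", 17, udp_datagram(53412, 53, b"\x00" * 12))),
     (1700000000, ipv4_frame("10.0.0.1", "10.0.0.5", 17, udp_datagram(53, 53412, b"\x00" * 12))),
     (1700000001, ipv4_frame("10.0.0.5", "93.184.216.34", 6, tcp_segment(49152, 443, SYN))),
     (1700000001, ipv4_frame("10.0.0.5", "93.184.216.34", 6, tcp_segment(49152, 443, ACK)))]
    + [(1700000002, ipv4_frame("10.0.0.77", "10.0.0.9", 6, tcp_segment(40000 + i, port, SYN)))
       for i, port in enumerate((21, 22, 23, 25, 80, 443, 3389))]
)

if __name__ == "__main__":
    flows, scans = analyse(SAMPLE_PCAP)
    for flow, count in flows.items():
        print(flow, count)
    print("SYN sweeps:", scans)
```

To run it against a real file, replace SAMPLE_PCAP with the bytes of a tcpdump -w or Wireshark save (saved as pcap, not pcapng); the flow counter is the same information a NetFlow or Stealthwatch record summarizes, which is why flow data scales where full packet capture does not.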