Inside 3 top threat hunting tools

Endgame, Sqrrl, Infocyte allow security pros to hunt down and kill advanced persistent threats (APT).

Taking down the threat

Advanced Persistent Threats (APT) are able to slip past even the most cutting-edge security defenses thanks to a diabolically clever strategy. Hackers may try to breach your defenses thousands of times until they finally get in. Once a network is breached, most APTs go into stealth mode. They move slowly, laterally compromising other systems and inching toward their goals. But what if you could hunt down these active, but hidden threats before they can do real damage? For this review, we tested threat hunting systems from Sqrrl, Endgame and Infocyte. Read the full review as well.

Sqrrl Data

Sqrrl collects data from the SIEM and other sources, such as outside threat data feeds. It is normally installed as software but can be run in a virtualized or cloud environment. Sqrrl does not install agents on endpoints, but can incorporate data from existing endpoint protection programs. The installation takes no more than a couple of hours for most deployments. At the beginning of every day, security analysts are greeted with a control panel showing suspicious behaviors along with their relative severity.

Let the Sqrrl hunt begin

It’s critical to note that the behaviors which bubble up to the Sqrrl dashboard are not ones that have triggered a SIEM alert. Sqrrl identifies odd little things that may, or may not, be an indicator of compromise which has slipped through the cracks. Security analysts can then use their expertise to investigate. We launched an investigation, or hunt, based on a single odd event captured by Sqrrl where an administrator logged into a system labeled C586. The strange thing was that the admin had never touched that system before, but since they logged on using valid credentials the first time they tried, no alerts were triggered. Sqrrl flagged the behavior, and thus we began our investigation.

A successful hunt completed

The great thing about Sqrrl is that everything is displayed visually. We sent a query from the drop-down menu and discovered a chain going back through four other systems with lateral movement ties to C586. We looked at beaconing behavior and discovered that the next system in the chain had beaconed out recently. Because beaconing behavior is one way that APTs reach back to their hosts, this was suspicious. We searched for that IP address and discovered that two other systems in the same chain had also beaconed out. Now the picture was becoming clearer. By using Sqrrl, we were able to identify and block the threat, even though C586 itself was totally clean and triggered no alarms. With a successful hunt completed, we could generate a report so that the network could be protected.
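The hunt described above follows a pattern any analyst can reproduce without a particular product: start from one first-time logon, walk the lateral-movement chain backwards through the logon records, then check every host in that chain for regular-interval outbound connections (beaconing) and for destinations shared between chain members. The script below is an added example, not Sqrrl's code or anything from the review; the logon events, netflow records, host names (including the C586 label from the article) and IP addresses are all constructed for the example, and the beacon test (low coefficient of variation of inter-connection gaps) is one common heuristic, not the one Sqrrl uses.

```python
"""Hunt from one odd first-time admin logon: walk the lateral-movement chain
backwards, then look for beaconing on the hosts in that chain.

All data below is constructed for this example (not from the article)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed logon events: (timestamp_seconds, user, source_host, dest_host).
# A source equal to the destination is a local (console) logon.
LOGONS = [
    (100, "admin1", "WS01", "WS01"),
    (200, "admin1", "WS01", "SRV01"),
    (260, "admin1", "SRV01", "FS02"),
    (330, "admin1", "FS02", "DC03"),
    (400, "admin1", "DC03", "C586"),   # the never-before-seen logon
    (410, "bob", "WS09", "WS09"),
]

# Constructed (user, host) pairs seen in the last 90 days of history.
HISTORY = {("admin1", "WS01"), ("admin1", "SRV01"), ("admin1", "FS02"),
           ("admin1", "DC03"), ("bob", "WS09")}

# Constructed outbound connections: (timestamp_seconds, host, dest_ip).
NETFLOW = [
    (1000, "SRV01", "203.0.113.7"), (1600, "SRV01", "203.0.113.7"),
    (2200, "SRV01", "203.0.113.7"), (2800, "SRV01", "203.0.113.7"),
    (1005, "FS02", "203.0.113.7"), (1605, "FS02", "203.0.113.7"),
    (2205, "FS02", "203.0.113.7"), (2810, "FS02", "203.0.113.7"),
    (1100, "WS09", "198.51.100.5"), (1300, "WS09", "198.51.100.5"),
    (2900, "WS09", "198.51.100.5"),
    (1200, "C586", "192.0.2.44"),
]


def first_time_logons(logons, history):
    """Return logons whose (user, dest_host) pair never appeared before."""
    seen = set(history)
    flagged = []
    for ts, user, src, dst in logons:
        if (user, dst) not in seen:
            flagged.append((ts, user, src, dst))
        seen.add((user, dst))
    return flagged


def lateral_chain(logons, end_host, user, max_depth=10):
    """Walk backwards from end_host: which host did `user` arrive from, and
    where did they come from before that? Stops at a local logon or a loop."""
    by_dest = defaultdict(list)
    for ts, u, src, dst in logons:
        if u == user:
            by_dest[dst].append((ts, src))
    chain, host = [end_host], end_host
    for _ in range(max_depth):
        hops = [src for ts, src in sorted(by_dest.get(host, [])) if src != host]
        if not hops:
            break
        host = hops[-1]          # most recent remote source of a logon
        if host in chain:
            break
        chain.append(host)
    return chain


def beacons(netflow, min_conns=4, max_cv=0.1):
    """Return {(host, dest_ip): mean_gap} for connection series whose
    inter-connection gaps are nearly constant (stdev/mean <= max_cv)."""
    times = defaultdict(list)
    for ts, host, ip in netflow:
        times[(host, ip)].append(ts)
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            found[key] = m
    return found


def hunt(logons, netflow, flagged_logon):
    """Combine the three checks into one hunt result for a flagged logon."""
    ts, user, src, dst = flagged_logon
    chain = lateral_chain(logons, dst, user)
    chain_beacons = {k: v for k, v in beacons(netflow).items() if k[0] in chain}
    # One destination reached by several chain hosts is the strongest signal.
    by_ip = defaultdict(list)
    for (host, ip), gap in chain_beacons.items():
        by_ip[ip].append(host)
    shared = {ip: hosts for ip, hosts in by_ip.items() if len(hosts) > 1}
    return {"chain": chain, "beacons": chain_beacons, "shared_c2": shared}


if __name__ == "__main__":
    for flagged in first_time_logons(LOGONS, HISTORY):
        print("flagged logon:", flagged)
        print(hunt(LOGONS, NETFLOW, flagged))
```

Run against the constructed data, the only flagged logon is admin1 onto C586; the chain walks back through DC03, FS02, SRV01 and WS01 (four other systems, as in the review), and two of those hosts share a regular 600-second beacon to the same address while C586 itself shows nothing.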

Sqrrl summary

The Sqrrl Threat Hunting Platform is a great tool to aid those hunting hidden threats inside their network. It works for users with any skill level, but more experienced analysts will be able to create better theories about attacks and thus likely have more successful hunts. Pricing for Sqrrl is based on the number of hunters who need to use the system and the amount of internal traffic data that needs to be analyzed. A system with a single hunter on a modest-sized network would start at $25,000.

Given that the average successful breach can cost half a million dollars or more in direct and indirect costs, sponsoring a hunter and equipping them with Sqrrl seems like a good preemptive investment.

Infocyte HUNT

Infocyte HUNT has added vast amounts of automation to the point where an entire network can be hunted in about a day. It’s like hunting from a helicopter with a machine gun. The main console sends out agents to all endpoints. However, the agents only exist for about 90 seconds on each endpoint and are dissolved afterwards. HUNT works natively with Linux and Windows endpoints plus most payment processing terminals. A Mac version is in the works. HUNT is able to scan about 25,000 endpoints a day.

On the HUNT

The main console controls the agent deployment and response process as well as the reporting dashboards, but heavy lifting is done in the Infocyte cloud. That includes hash and DNS lookups, comparing results with outside threat feeds and even sandboxing. Plus, unknown executables can be submitted to Infocyte for analysis. The default scan looks at everything within the detection capabilities of HUNT including processes, modules, drivers, memory scanning, account information, network connections and hooks.

Firefox hunting

We found an instance where Firefox.exe was listed as 'probably bad' on one client machine. We dove into that part of the report, which was easy to do using a good graphical interface. Drilling down to the first level, through 21 antivirus programs, we found that everything was fine. Drilling down further, the hash for the Firefox file was correct.

We started to think that HUNT was providing us with a false positive, until we went a little deeper. It turned out that a module installed inside that version of Firefox was a bitcoin miner. HUNT not only caught this during the sandboxing process, but also allowed us to see every module that was part of the core program. That enabled us to identify a threat that would have escaped almost every other type of endpoint protection.
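The Firefox case is worth turning into a concrete check: the main executable hashed correctly, so a hash-only verdict would have been "clean", and the problem was only visible once every module loaded into the process was examined. The script below is an added example and is not Infocyte's code; it builds a small constructed file tree in a temp directory, hashes the main image against an assumed vendor manifest (a hypothetical `known_good` map), then inspects every loaded module for two things a hash check on the executable never sees: a module that is not in the manifest, and a module loaded from outside the install directory. File names, paths and contents are all constructed.

```python
"""Why a correct executable hash is not a clean verdict: check the loaded
modules too. Files, hashes and paths below are constructed for this example."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_tree():
    """Create a constructed install tree plus one module dropped into a
    user profile. Returns (vendor_dir, {basename: path})."""
    root = tempfile.mkdtemp(prefix="hunt_")
    files = {
        "Program Files/Mozilla Firefox/firefox.exe": b"constructed main image",
        "Program Files/Mozilla Firefox/xul.dll": b"constructed xul module",
        "Program Files/Mozilla Firefox/nss3.dll": b"constructed nss3 module",
        # constructed stand-in for the miner module found in the review
        "Users/alice/AppData/Roaming/updater/cryptohelper.dll": b"constructed unknown module",
    }
    paths = {}
    for rel, data in files.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        paths[os.path.basename(rel)] = p
    vendor_dir = os.path.join(root, "Program Files", "Mozilla Firefox")
    return vendor_dir, paths


def vendor_manifest(paths):
    """Hypothetical known-good manifest: hashes of the vendor-shipped files
    only. In practice this comes from the vendor or a golden image."""
    return {name: sha256_file(paths[name]) for name in ("firefox.exe", "xul.dll", "nss3.dll")}


def assess_process(exe_path, module_paths, known_good, vendor_dir):
    """Hash the main image, then examine each loaded module."""
    findings = []
    exe_ok = sha256_file(exe_path) == known_good.get(os.path.basename(exe_path))
    vendor_dir = os.path.abspath(vendor_dir)
    for m in module_paths:
        name = os.path.basename(m)
        if name not in known_good:
            findings.append((name, "not in vendor manifest", m))
        elif sha256_file(m) != known_good[name]:
            findings.append((name, "hash mismatch", m))
        if not os.path.abspath(m).startswith(vendor_dir + os.sep):
            findings.append((name, "loaded from outside install directory", m))
    verdict = "clean" if exe_ok and not findings else "suspicious"
    return {"exe_hash_ok": exe_ok, "findings": findings, "verdict": verdict}


def run_example():
    vendor_dir, paths = write_sample_tree()
    manifest = vendor_manifest(paths)
    # Constructed module list as an EDR would report it for the process.
    loaded = [paths["xul.dll"], paths["nss3.dll"], paths["cryptohelper.dll"]]
    return assess_process(paths["firefox.exe"], loaded, manifest, vendor_dir)


if __name__ == "__main__":
    result = run_example()
    print("exe hash ok:", result["exe_hash_ok"], "| verdict:", result["verdict"])
    for name, reason, path in result["findings"]:
        print(" -", name, ":", reason, "(", path, ")")
```

The executable passes its hash check, exactly as in the review, and the verdict still comes back suspicious because of the extra module; the two findings on that one module (unknown to the manifest, loaded from a profile directory) are the kind of detail a module-level view exposes and a file-hash lookup alone cannot.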

Infocyte reports

Once a scan is complete, a report with multiple levels can be generated. For security analysts, very detailed descriptions of all threats are available. And for the C-suite, HUNT provides a top-level overview of everything that is wrong or compromised within a network. On the flip side, a HUNT report could also certify that a network is completely clean and uncompromised, something very few other programs are willing to do. A clean report shows everything that HUNT did and checked, and explains why it is so confident that no APT or other breaches exist. That should help executives sleep a little better at night. Pricing for HUNT starts at $6,000 for 100 endpoint licenses with volume discounts available.

Endgame

The core Endgame console can be deployed as a virtual machine or placed on a physical system like an appliance. It can also exist in a cloud or hybrid environment. Once up and running, the program needs to deploy agents on all endpoints. The agents are powerful, able to work with Endgame to stop processes, delete files and restrict access to machines when needed. In a sense, the agents arm the hunters who will be prowling the network looking for threats. Not only can hunters find threats with Endgame, they can analyze and even destroy them. Deploying the agents is a simple process using the included wizard. The agents work with any Windows system and any Linux desktop or server. There is no Mac version, though one is expected sometime next year.

Endgame as traditional AV

In addition to providing tools for threat hunters, Endgame also acts as a more traditional endpoint protection program that fills the same role as antivirus, stopping low-level threats automatically. In our testing, Endgame worked in conjunction with antivirus programs already installed on the endpoints, though they do sometimes compete to be the first to stop a threat.

If the antivirus intercepted the threat, it never got to Endgame. Likewise, if Endgame grabbed it first, the antivirus never triggered. None of that really matters in terms of hunting because the caught threat never enters the realm of the hunter. But it does show that Endgame can either fill the role as the primary antivirus protection for endpoints or work alongside whatever program is already being used.

Endgame on the hunt

The threat hunting main interface provides a clean list of all endpoints being protected within a network, their IP addresses, what OS is running, how long the asset has been active, plus any alerts the machines are generating. As with most threat hunting tools, the alerts within the Endgame console are ones that have bypassed traditional protections and are likely unknown to the SIEM.

Endgame simply takes those odd little events and compiles them into an alert-type format that is well known to most analysts. Hunters can either move through the collected alerts or start their own investigation in the Hunt Selection menu.

Endgame hunter

Drilling down into an alert with Endgame is a surprisingly easy process that provides helpful advice on what to look for, and what actions to take. For example, we found a system that might have been COM hijacked. In addition to all the file and path information, Endgame also explained what type of potential attack we were examining. We confirmed that a COM hijack was in play and that it had not been detected by other network protection. We had the ability to get the file itself for further analysis or sandboxing and to kill the process on the endpoint in question. Being able to kill the process and delete the file is an incredible tool. In terms of pricing, Endgame starts at $225,000 for 5,000 endpoints for an annual subscription and premium support.
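The review does not say how Endgame recognised the COM hijack, so the script below is an added example of the check a hunter would run by hand, not Endgame's logic. It assumes the classic form of the technique, in which a CLSID's InprocServer32 value is registered under the user hive (HKCU\Software\Classes) so that it takes precedence over the machine-wide entry under HKLM, and looks for two signals: a user-hive entry that shadows an existing machine-hive entry, and a server DLL living in a user-writable location. The registry excerpt is constructed in `.reg` export format with made-up CLSIDs and paths, so the parser can be exercised offline; on a real host the same text comes from a `reg export` of the two CLSID keys.

```python
"""Flag COM hijack candidates in a .reg export of the CLSID keys.
The export text, CLSIDs and paths below are constructed for this example."""
import re

REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\svc\\loader.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"
'''

# Matches the key header line of an InprocServer32 subkey in either hive.
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]+\})\\InprocServer32\]$", re.IGNORECASE)
# Matches the default value line: @="path"
VALUE_RE = re.compile(r'^@="(.*)"$')

# Directory fragments a standard user can write to (lower-case, constructed list).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\",
                         "\\programdata\\", "\\downloads\\")


def parse_reg_export(text):
    """Return {(hive, clsid): dll_path} where hive is 'HKLM' or 'HKCU'."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            hive = "HKLM" if m.group(1).upper() == "HKEY_LOCAL_MACHINE" else "HKCU"
            current = (hive, m.group(2).upper())
            continue
        m = VALUE_RE.match(line)
        if m and current:
            # .reg escapes backslashes as \\ ; collapse them to single ones.
            entries[current] = m.group(1).replace("\\\\", "\\")
            current = None
    return entries


def find_com_hijack_candidates(entries):
    """Score each InprocServer32 entry against the two hijack signals."""
    hklm = {clsid: path for (hive, clsid), path in entries.items() if hive == "HKLM"}
    findings = []
    for (hive, clsid), path in entries.items():
        reasons = []
        if hive == "HKCU" and clsid in hklm:
            reasons.append("user-hive entry shadows machine entry %s" % hklm[clsid])
        if any(mk in path.lower() for mk in USER_WRITABLE_MARKERS):
            reasons.append("server DLL in user-writable location")
        if reasons:
            findings.append({"hive": hive, "clsid": clsid, "path": path,
                             "reasons": reasons,
                             "severity": "high" if len(reasons) == 2 else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_com_hijack_candidates(parse_reg_export(REG_EXPORT)):
        print(f["severity"].upper(), f["hive"], f["clsid"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed export only one entry is flagged, and it is flagged high: the user-hive registration that both overrides an existing system CLSID and points into a profile directory. The second user-hive entry is left alone because it neither shadows anything nor lives somewhere a standard user can write, which is what keeps this check from drowning the hunter in legitimate per-user COM registrations.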