AC-Hunter v5.1 Is in the Wild!
Version 5.1 of AC-Hunter Has Been Released!
Beacon Detection and Whitelisting by Domain Name
The big news in version 5.1.0 is whitelisting by domain name. To explain why, we need to give a little background (don’t worry, this will be brief).As security professionals we know that a tool that constantly presents benign information to human eyes will not be used for long – one of the reasons why we find log analysis so tiring.
To avoid this AC-Hunter has steadily added new ways to whitelist:
- By source or destination IP
- By IP, ASN, ASN organization, or subnet
- By pairs of IP addresses
These tools get benign traffic off the screen, but they don’t address the question: What do we trust?
Ideally, we want to assign trust in a company or organization, which often maps neatly to a domain name. If I state that I want to put trust in the public network of time servers that show up on the beacon screen all the time, now I can whitelist “*.pool.ntp.org.”. That one whitelist entry replaces about 3,600 IP addresses for the entire pool. If I run Ubuntu Linux and want to trust the patch servers and other systems that support those, I can whitelist “*.ubuntu.com.”
Not only does the size of the whitelist shrink dramatically, but you also get to clear off benign traffic more quickly and more accurately. There’s far less chance of trusting an IP at a Cloud provider and never realizing that the IP you whitelisted was later assigned to a different – and farless trustworthy – client
On a practical note, the AC-Hunter interface now has 2 Beacons tabs. The new one considers connections between your client IPs and external host names. The old one shows connections between internal and external IP addresses (identical to the Beacons tab you’ve worked with before).
As always, we discourage any whitelisting strategy that ends up whitelisting large blocks of cloud services (like “*.amazonaws.com.”) since you’re not placing trust in the cloud provider. Instead, whitelist the domain names your clients look up.
Bug Fixes and Improvements
Whitelist Pairs Are Now Unidirectional
We have one security improvement to whitelisted pairs of IPs. When you entered a pair of addresses (say 220.127.116.11 and 18.104.22.168), earlier releases would allow connections in both directions:from 22.214.171.124 to 126.96.36.199 and from 188.8.131.52 to 184.108.40.206 . Since these pairs usually are intended for traffic in one direction we decided to return this to unidirectional whitelisting (just from 220.127.116.11 to 18.104.22.168). If you need to allow connections in the other direction, you can add a second whitelisted IP pair (in the above example: 22.214.171.124 to 126.96.36.199).
Ubuntu 20.04 Installer Fix
While Ubuntu 20.04 LTS is not a fully tested platform, we have enough customers using it now to include it in our Beta support program. Please feel free to give it a try and let us know if you find any issues!
The installer in 5.1.0 includes a fix to a packaging bug that affected Ubuntu 20.04; the install should now proceed successfully. We’ve also cleaned up the installer to more gracefully handle other packaging corner cases.
Unfortunately, we did have one more bug that showed up late in testing. Before you start the install, run the following command on all systems to work around it:
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 656408E390CFB1F5
- We check that Docker’s network blocks aren’t in use before trying the install.
- Since a single system can’t run more than one of Zeek, Espy, and Active-Flow, we block that in the installer.
- On the dashboard, instead of showing “>100” Threat Score, we show the actual number.
- In some circumstances, we hid the error messages coming out of the tool that patches the system and installs new packages. Now we show those, making it much easier to identify and fix packaging issues. The side effect is that you’ll see more status messages from these tools.
- The IP address information block at the top center of the Beacons, Strobes, and Long connections screens use to provide a long list of all hostnames we’ve found for this IP address (in the field “fqdn”). Starting in 5.1.0 we show the specific name this host requested in the “queried fqdn” field, and all other names we have for this host in the “historic fqdn” field.
- The Dashboard used to refer to “TXT Query Count” * as one of the components of the combined threat score. For detecting c2 over DNS, it is more useful to know how many
unique FQDNs have been queried by a particular host, so this field has been updated to reflect this count. It has been relabeled to “Too Many FQDNs Per Domain.”
- In our August 2020 4.0.0 release we mentioned that apility.io was deprecated as an investigation source as it had been acquired by Auth0. It was removed in 5.1.0. If you use this service and have an account there, there’s a line that can be uncommented to enable Auth0 (see “Customizing Investigation Sources” in the User Guide).
Independent of the whitelist-by-domain feature above, we’re aware of a slowdown in adding and removing whitelist entries. We’re investigating it and hope to have an answer for it soon.
Default Whitelist Improvements
We’ll be updating the Default whitelist to use the new whitelist-by-domain-name feature. When ready you’ll find the updated list in the Portal under Downloads.
As always, this new release includes additional behind-the-scenes improvements to make it more stable and efficient.
This newest version of AC-Hunter is available for download now: https://portal.activecountermeasures.com/my-account/ (under Downloads)
For details on how to install it, please see the Install Guide PDF included in the tarball or the Documentation section of the portal website. If you run into any issues, feel free to contact us: [email protected]
Enjoy and Happy Threat Hunting!
~The Active Countermeasures Team
(For our AC-Hunter Hosted SaaS customers, we will be performing upgrades to v5.1.0 on that platform in the coming days.)
Interested in threat hunting tools? Check out AC-Hunter
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.