New Versions of RITA and AI-Hunter in the wild!
We are proud to announce that we have released major updates to both RITA, our open source product, and AI-Hunter, our commercial offering. RITA is now up to v2.0.0-beta1 and AI-Hunter is up to v2.1. A huge thank you to our engineering team who have put in a ton of late night hours and weekends making these releases happen!
The work on each product has focused on both speed and scale. We’ve had customers signing up whose environments contain single connection pairs generating millions of connections per day. In some cases these datasets were taking far too long to process, or simply exceeded the limits of what RITA and AI-Hunter could handle. These issues have been resolved and both tools are now blazingly fast. Datasets that used to take an hour to process now finish in less than five minutes, and you’ll notice that AI-Hunter loads datasets of all sizes nearly instantaneously.
We’ve also defined a new communication category called “strobes”. These are similar to beacons in that they create repeated connections to a target system. However, unlike a beacon, a strobe makes no attempt to be stealthy. Strobes are usually the result of poorly written code. For example, we’ve seen HVAC systems that check in with their status every 100 ms. Do the math: 10 connections per second times 86,400 seconds means each unit is checking in 864,000 times a day just to convey its status. Ouch!
One of the strengths of RITA and AI-Hunter is their ability to distinguish beacons from normal traffic patterns. A strobe does not need that analysis. If one IP address is calling out to another ten times per second, regular and consistent communication is clearly taking place, and you don’t need an in-depth look at timing or data size to spot it. So unlike beacons, where we provide lots of visualization aids, with strobes we simply report summary information (the connection pair and its connection count). Skipping the full beacon analysis for these pairs removes a huge amount of processing overhead.
In order to achieve these performance improvements, we needed to change the way we store and process the data. This means that once you upgrade to the latest version of RITA or AI-Hunter, you will need to reprocess old data before it is available again. Please review the user guide, which includes detailed instructions for upgrading.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y Combinator, Chris has assisted multiple startups, helping them improve their product security through continuous development and find their product-market fit.