Upgrading to the New Default Whitelist
One of our favorite features in the 5.x release series is the ability to look for beacons by the domain name contacted, as opposed to the old approach of looking just at the remote IP address. This is especially helpful when a service is hosted on many different IP addresses, like “0.debian.pool.ntp.org”. You can look at all traffic to all of the IP addresses behind that Fully Qualified Domain Name (“FQDN”) at once.
A corresponding benefit is that you can now whitelist¹ FQDNs as well. The “0.debian.pool.ntp.org” pool is a perfect example: you want to whitelist every IP behind that hostname rather than compiling an exhaustive list of addresses (which can change every few months) and whitelisting each one individually.
Our new whitelist uses this technique, which shrinks the number of entries and automatically handles changes in the list of IPs behind those hostnames.
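The following is an added example, not AC-Hunter's own code, showing why a hostname entry covers every address behind a name while an IP entry only covers the snapshot you typed in. The DNS answers, beacon candidates and record layouts are all constructed for illustration and are not AC-Hunter's storage format.

```python
# Added example (not AC-Hunter code): IP whitelist vs. FQDN whitelist.
# All records below are constructed; their layout is an assumption for this example.
from collections import defaultdict


def normalize_host(host):
    """DNS names are case-insensitive and may carry a trailing dot; compare them canonically."""
    return host.strip().lower().rstrip(".")


# Constructed passive-DNS style records: (queried name, answer IP) seen on the wire over time.
DNS_ANSWERS = [
    ("0.debian.pool.ntp.org", "192.0.2.10"),
    ("0.debian.pool.ntp.org", "192.0.2.11"),
    ("0.debian.pool.ntp.org.", "198.51.100.7"),  # pool member added after the IP list was written
    ("TIME.apple.com", "203.0.113.5"),
    ("c2.example", "198.51.100.200"),
]

# Constructed beacon candidates: destination IP -> number of evenly spaced connections seen.
BEACON_CANDIDATES = {
    "192.0.2.10": 1440,
    "198.51.100.7": 1440,
    "203.0.113.5": 720,
    "198.51.100.200": 2880,
}

# Old style: explicit IPs copied from a resolution done months ago.
IP_WHITELIST = {"192.0.2.10", "192.0.2.11"}
# New style: the hostnames themselves.
FQDN_WHITELIST = {normalize_host(h) for h in ("0.debian.pool.ntp.org", "time.apple.com")}


def ip_to_hostnames(dns_answers):
    """Reverse index: every name each IP has been an answer for."""
    index = defaultdict(set)
    for host, ip in dns_answers:
        index[ip].add(normalize_host(host))
    return index


def suppressed_by_ip(candidates, ip_whitelist):
    """Candidates removed by an address-only whitelist."""
    return {ip for ip in candidates if ip in ip_whitelist}


def suppressed_by_fqdn(candidates, fqdn_whitelist, dns_answers):
    """Candidates removed because the IP resolved from a whitelisted hostname."""
    index = ip_to_hostnames(dns_answers)
    return {ip for ip in candidates if index.get(ip, set()) & fqdn_whitelist}


def remaining(candidates, suppressed):
    """What is left for the hunter to look at."""
    return {ip: n for ip, n in candidates.items() if ip not in suppressed}


if __name__ == "__main__":
    by_ip = suppressed_by_ip(BEACON_CANDIDATES, IP_WHITELIST)
    by_fqdn = suppressed_by_fqdn(BEACON_CANDIDATES, FQDN_WHITELIST, DNS_ANSWERS)
    print("left to hunt with IP whitelist:  ", remaining(BEACON_CANDIDATES, by_ip))
    print("left to hunt with FQDN whitelist:", remaining(BEACON_CANDIDATES, by_fqdn))
```

With the address list, the new pool member 198.51.100.7 and the Apple time server still show up as beacons; with the hostname list only the unrelated 198.51.100.200 remains. Note that this matching only works for destinations whose name resolution was actually observed, so an IP that was contacted without a preceding DNS lookup cannot be attributed to a hostname.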
The new default whitelist covers:
- NTP (time) servers that are a common false positive in Threat Hunting,
- Patch servers for Apple, Microsoft, Google, and some Linux distributions,
- Certificate validation servers,
- Root nameservers.
These were chosen as they all have a high likelihood of being flagged as beacons, with a low likelihood of ever carrying malicious traffic.
To install the new list, please follow these steps:
1. In the AC-Hunter web interface, go to the Dashboard tab, click on the gear in the upper right, and select “Whitelist” from the left menu.
2. Download your current whitelist by clicking on “Download Whitelist” so you have a backup. This JSON file will be placed in your browser’s download directory.
3. If you previously uploaded our old whitelist (Feb 2021 or earlier), we encourage you to remove the old entries, as they’ll be replaced by the FQDN versions. The old entries carry one of the following comments:
- Default whitelist entry
- Akamai name server
- Cloudflare name server
- Fastly name server
- Google name server
- Hosting Services NTP server
- Hurricane Electric NTP server
- Multiple hosts resolving to .dscg2.akamai.net
- National Institute NTP server
- Resolves to multiple Akamai CDN systems.
- Ubuntu NTP server
- VeriSign name server
- akamaiedge.net
- blackhole-1.iana.org
- root name server
- www.alexa.com
4. Download the new default whitelist from https://portal.activecountermeasures.com/whitelist/. You’ll need to unzip the downloaded file (Windows, MacOS, and Linux can all extract zip archives without additional software). The sole file that will come out of the zip will be the new whitelist and will have a “.json” extension.
5. Now choose “Upload Whitelist” in that same “Whitelist” area of the AC-Hunter console. Choose “Select File”, click on the new default whitelist JSON file, and finally choose Upload. The new default whitelist will be added to your existing entries rather than overwriting them.
We recommend that you not restart either AC-Hunter or the system on which it’s running for a few days – there’s a slow background task that removes the old entries and adds in the new ones. Once fully applied you should find that you spend much less time dealing with false positives.
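If you would like to preview what steps 3 and 5 will do to your list before touching the console, the following is an added example (not AC-Hunter's own code) that prunes the old default entries from the backup taken in step 2 and merges the new entries the same additive way the upload does. The entry layout (a JSON list of objects with "type", "value" and "comment" keys) and both sample files are assumptions constructed for the example; adapt the field names to whatever your downloaded whitelist actually contains.

```python
# Added example (not AC-Hunter code): offline preview of pruning old default entries
# and merging the new FQDN list. JSON layout and sample data are assumptions.
import json

# Comments carried by the old (Feb 2021 and earlier) default entries, as listed in step 3.
OLD_DEFAULT_COMMENTS = {
    "Default whitelist entry",
    "Akamai name server",
    "Cloudflare name server",
    "Fastly name server",
    "Google name server",
    "Hosting Services NTP server",
    "Hurricane Electric NTP server",
    "Multiple hosts resolving to .dscg2.akamai.net",
    "National Institute NTP server",
    "Resolves to multiple Akamai CDN systems.",
    "Ubuntu NTP server",
    "VeriSign name server",
    "akamaiedge.net",
    "blackhole-1.iana.org",
    "root name server",
    "www.alexa.com",
}

# Constructed stand-in for the backup from step 2: old IP entries plus two local entries.
CURRENT_BACKUP = json.dumps([
    {"type": "ip", "value": "192.0.2.10", "comment": "Ubuntu NTP server"},
    {"type": "ip", "value": "192.0.2.11", "comment": "Ubuntu NTP server"},
    {"type": "ip", "value": "198.51.100.53", "comment": "root name server"},
    {"type": "ip", "value": "203.0.113.9", "comment": "Our internal patch mirror"},
    {"type": "fqdn", "value": "time.apple.com", "comment": "Added by hand last year"},
])

# Constructed stand-in for the downloaded new default list (hostname entries only).
NEW_DEFAULT = json.dumps([
    {"type": "fqdn", "value": "0.ubuntu.pool.ntp.org", "comment": "NTP server"},
    {"type": "fqdn", "value": "TIME.apple.com.", "comment": "Apple patch/time server"},
    {"type": "fqdn", "value": "a.root-servers.net", "comment": "Root name server"},
])


def entry_key(entry):
    """Dedup key: same type and value, with DNS names compared case-insensitively."""
    value = entry["value"].strip()
    if entry["type"] == "fqdn":
        value = value.lower().rstrip(".")
    return (entry["type"], value)


def prune_old_defaults(entries, comments=OLD_DEFAULT_COMMENTS):
    """Split entries into (kept, removed); only exact comment matches are removed,
    so entries you annotated yourself survive."""
    kept, removed = [], []
    for e in entries:
        (removed if e.get("comment", "").strip() in comments else kept).append(e)
    return kept, removed


def merge_whitelists(current, new):
    """Mimic the upload: new entries are appended, existing ones are never overwritten."""
    seen = {entry_key(e) for e in current}
    merged = list(current)
    for e in new:
        k = entry_key(e)
        if k not in seen:
            seen.add(k)
            merged.append(e)
    return merged


def preview_upgrade(backup_text, new_text):
    """Return counts and the final list you would expect to see after steps 3 and 5."""
    kept, removed = prune_old_defaults(json.loads(backup_text))
    merged = merge_whitelists(kept, json.loads(new_text))
    return {"removed": len(removed), "kept": len(kept), "final": merged}


if __name__ == "__main__":
    result = preview_upgrade(CURRENT_BACKUP, NEW_DEFAULT)
    print(f"removed {result['removed']} old default entries, kept {result['kept']} of yours")
    print(json.dumps(result["final"], indent=2))
```

Run against the constructed data, the three old default entries are dropped, your two hand-made entries are kept, and the duplicate "TIME.apple.com." from the new list is skipped because it matches the hostname you already had. Matching on exact comment text is deliberate: a partial match would silently remove entries you wrote yourself.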
¹We are aware that “whitelist” and “blacklist” are not considered appropriate terms anymore. Our usage here is solely to indicate “trusted domains” used by AC-Hunter to make the process of Threat Hunting simpler. We apologize, especially to those for whom these terms are uncomfortable. We have plans to update our terminology in the future.
Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.