Upgrading to the New Default Whitelist

One of our favorite features in the 5.x release series is the ability to look for beacons by the domain name contacted, as opposed to the old approach of looking just at the remote IP address. This is especially helpful when a service is hosted on many different IP addresses, like “0.debian.pool.ntp.org”. You can look at all traffic to all of the IP addresses behind that Fully Qualified Domain Name (“FQDN”) at once.

A corresponding benefit is that you can now whitelist¹ FQDNs as well. “0.debian.pool.ntp.org” is a perfect example: you want to whitelist every IP behind that hostname rather than compiling an exhaustive list of addresses (one that can change every few months) and whitelisting each one individually.

Our new whitelist uses this technique, which shrinks the number of entries and automatically handles changes in the list of IPs behind those hostnames.

The new default whitelist covers:

  • NTP (time) servers that are a common false positive in Threat Hunting,
  • Patch servers for Apple, Microsoft, Google, and some Linux distributions,
  • Certificate validation servers,
  • Root nameservers.

These were chosen as they all have a high likelihood of being flagged as beacons, with a low likelihood of ever carrying malicious traffic.
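To make the difference between the two approaches concrete, here is an added example written for this article (it is not AC-Hunter’s own code and does not use AC-Hunter’s whitelist file format). It whitelists beacon candidates by FQDN using DNS answers seen on the network, and compares that with a static IP list expanded from the same FQDNs at an earlier point in time. The DNS records, connections and hostnames other than the NTP pool are constructed sample data, and keying the passive-DNS cache on the client that did the lookup is a design choice of this illustration.

```python
"""FQDN-based vs. IP-based whitelisting of beacon candidates.

Illustration written for this article, not AC-Hunter code.  It assumes a
simple passive-DNS approach: each DNS answer seen on the wire maps an IP back
to the name a client asked for, and a connection is judged by the names its
destination IP was resolved from.  All records below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dst_port: int


def _norm(name):
    """Normalise a DNS name: strip trailing dot, lowercase."""
    return name.rstrip(".").lower()


# Constructed DNS answers as (client, queried name, answer IP), two periods.
# Between them the NTP pool rotates: 192.0.2.11 is retired, 192.0.2.12 appears.
DNS_PERIOD_1 = [
    ("10.0.0.5", "0.debian.pool.ntp.org", "192.0.2.10"),
    ("10.0.0.5", "0.debian.pool.ntp.org", "192.0.2.11"),
    ("10.0.0.7", "c2.example.net", "203.0.113.9"),
]
DNS_PERIOD_2 = [
    ("10.0.0.5", "0.debian.pool.ntp.org", "192.0.2.10"),
    ("10.0.0.5", "0.debian.pool.ntp.org", "192.0.2.12"),
    ("10.0.0.7", "c2.example.net", "203.0.113.9"),
]

# Constructed period-2 connections that a beacon detector flagged.
CONNS_PERIOD_2 = [
    Conn("10.0.0.5", "192.0.2.10", 123),
    Conn("10.0.0.5", "192.0.2.12", 123),   # new pool member, not in the old IP list
    Conn("10.0.0.7", "203.0.113.9", 443),  # the candidate we actually want to keep
    Conn("10.0.0.9", "192.0.2.12", 123),   # host for which no DNS lookup was observed
]

# Whitelist expressed as FQDNs (constructed, single entry for the example).
FQDN_WHITELIST = {"0.debian.pool.ntp.org"}


def build_passive_dns(dns_records):
    """Map (client, answer IP) -> set of names that client resolved to it."""
    pdns = defaultdict(set)
    for client, name, ip in dns_records:
        pdns[(client, ip)].add(_norm(name))
    return pdns


def snapshot_ip_whitelist(dns_records, fqdn_whitelist):
    """Old approach: expand each whitelisted FQDN to the IPs seen for it *now*.

    This is the list that goes stale as soon as the pool rotates."""
    return {ip for _, name, ip in dns_records if _norm(name) in fqdn_whitelist}


def whitelisted_by_ip(conn, ip_whitelist):
    return conn.dst in ip_whitelist


def whitelisted_by_fqdn(conn, pdns, fqdn_whitelist):
    """New approach: whitelisted if the *same client* resolved the destination
    IP from a whitelisted name.  Keying on the client stops one host's NTP
    lookup from whitelisting another host's traffic to the same address."""
    return bool(pdns.get((conn.src, conn.dst), set()) & fqdn_whitelist)


def remaining_candidates(conns, pdns, fqdn_whitelist, ip_whitelist):
    """Return (ip_based_leftovers, fqdn_based_leftovers) as sorted (src, dst) lists:
    the connections each approach would still present to the hunter."""
    by_ip = sorted({(c.src, c.dst) for c in conns
                    if not whitelisted_by_ip(c, ip_whitelist)})
    by_fqdn = sorted({(c.src, c.dst) for c in conns
                      if not whitelisted_by_fqdn(c, pdns, fqdn_whitelist)})
    return by_ip, by_fqdn


if __name__ == "__main__":
    stale_ips = snapshot_ip_whitelist(DNS_PERIOD_1, FQDN_WHITELIST)
    pdns = build_passive_dns(DNS_PERIOD_2)
    by_ip, by_fqdn = remaining_candidates(CONNS_PERIOD_2, pdns, FQDN_WHITELIST, stale_ips)
    print("IP list frozen in period 1:", sorted(stale_ips))
    print("Still flagged with IP whitelist:  ", by_ip)
    print("Still flagged with FQDN whitelist:", by_fqdn)
```

Run against the sample data, the IP-based list leaves the new pool member 192.0.2.12 in the hunter’s queue even though it is plain NTP traffic, while the FQDN-based rule removes it as soon as the client’s lookup is seen. The connection from 10.0.0.9 stays in both results on purpose: FQDN whitelisting only applies to traffic whose DNS resolution was observed, so a host that reaches a pool IP without a visible lookup still surfaces, which is the conservative behaviour you want.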

To install the new list, please follow these steps:

1. In the AC-Hunter web interface, go to the Dashboard tab, click on the gear in the upper right, and select “Whitelist” from the left menu.

2. Download your current whitelist by clicking on “Download Whitelist” so you have a backup. This json file will be placed in your browser’s download directory.

3. If you previously uploaded our old whitelist (Feb 2021 or earlier), we encourage you to remove the old entries, as they’ll be replaced by the FQDN versions. The old entries can be identified by their comments, which will be one of the following:

Default whitelist entry
Akamai name server
Cloudflare name server
Fastly name server
Google name server
Hosting Services NTP server
Hurricane Electric NTP server
Multiple hosts resolving to .dscg2.akamai.net
National Institute NTP server
Resolves to multiple Akamai CDN systems.
Ubuntu NTP server
VeriSign name server
akamaiedge.net
blackhole-1.iana.org
root name server
www.alexa.com

4. Download the new default whitelist from https://portal.activecountermeasures.com/whitelist/. You’ll need to unzip the downloaded file (Windows, macOS, and Linux can all extract zip archives without additional software). The zip contains a single file, the new whitelist, with a “.json” extension.

5. Now choose “Upload Whitelist” in that same “Whitelist” area of the AC-Hunter console. Choose “Select File”, click on the new default whitelist json file, and finally choose Upload. The new default whitelist will be added to your existing entries as opposed to overwriting them.

We recommend that you not restart either AC-Hunter or the system on which it’s running for a few days, because a slow background task is removing the old entries and adding the new ones. Once fully applied, you should find that you spend much less time dealing with false positives.

__________

¹We are aware that “whitelist” and “blacklist” are not considered appropriate terms anymore. Our usage here is solely to indicate “trusted domains” used by AC-Hunter to make the process of Threat Hunting simpler. We apologize, especially to those for whom these terms are uncomfortable. We have plans to update our terminology in the future.
