Version 3 is in the wild!
Although specifically, it's version 3.1.4159 for all you Pi fans. 😉
This is a huge update that includes a lot of changes! We would very much like to thank our customers who were kind enough to submit feature requests, as well as the folks that helped out with beta testing. You’ve really made this a team effort.
Here’s a quick rundown of all of the new AI-Hunter goodness.
- Rolling analysis of the last 24 hours rather than analysis in daily blocks. You can still do daily reviews, but the rolling data set will always contain the most current info.
- The software now does the first pass at a threat hunt for you. This means the hunt is continuous, not just when you log into the dashboard.
- Systems whose threat score rises above a user-defined threshold can be sent as an alert to your SIEM or any syslog-compatible server.
- Systems whose threat score rises above a user-defined threshold can be sent as an alert to a specified Slack channel.
- Whitelisting is now persistent. You no longer need to apply a whitelist to each data set prior to analysis.
- Individual and bulk deletion of whitelist entries.
- Identify communications where the server's digital certificate is invalid and add this to the system's overall threat score.
- Identify unique SSL client hello sessions and add them to the system's overall threat score.
- Identify unique user-agent fields and add them to the system's overall threat score.
- The amount of data transmitted to a blacklisted IP address is highlighted and weighted against the system's threat score.
- Well-known ports are analyzed to ensure that only the expected applications are using them. Non-compliant sessions are weighted against the threat score.
- Threat score weights can now be changed by the user. Use the defaults or customize for your environment as needed.
- Combined RITA and AI-Hunter into a single platform to leverage performance improvements and feature enhancements.
- Additional speed improvements. Analyzing large Internet links now uses a lot less CPU time.
- Dramatically reduced storage requirements. Seriously, AI-Hunter uses 1/5 to 1/10 as much space to store historical data.
- Beacon screen includes expanded capability when investigating remote IP addresses. Just click the IP address and a menu will appear.
- You can now investigate external IP addresses as well as internal on the Deep Dive screen.
- Historical data can be maintained based on age (example: delete all databases older than 30 days).
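To make the scoring items above concrete, here is an added, self-contained example of how a weighted threat score with user-tunable weights, a user-defined alert threshold and a syslog-style alert line can fit together. It is illustrative code written for this post, not AI-Hunter's or RITA's implementation: the signal names, default weights, field names, the `EXPECTED_SERVICE` port table, the blacklist and the connection records are all constructed assumptions (the addresses come from the documentation ranges), and the rolling 24-hour window and the actual network send to a SIEM or Slack are left out.

```python
"""Illustrative weighted threat scoring with threshold alerts.

Added example, NOT AI-Hunter's or RITA's code: signals, weights, field
names, blacklist and sample records are all assumptions chosen to show
how per-signal weights, a user-defined threshold and a syslog-style
alert line fit together.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample connection records (Zeek-like field names, invented
# values; bytes_out is the client-to-server byte count).
CONNECTIONS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "service": "ssl",
     "cert_valid": True, "user_agent": None, "bytes_out": 1_200},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 80, "service": "http",
     "cert_valid": None, "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "bytes_out": 800},
    {"src": "10.0.0.9", "dst": "192.0.2.44", "dport": 443, "service": "ssl",
     "cert_valid": False, "user_agent": None, "bytes_out": 20_000},
    {"src": "10.0.0.9", "dst": "192.0.2.44", "dport": 443, "service": "ssl",
     "cert_valid": False, "user_agent": None, "bytes_out": 49_900_000},
    {"src": "10.0.0.9", "dst": "192.0.2.44", "dport": 80, "service": "http",
     "cert_valid": None, "user_agent": "xyzzy-agent/0.1", "bytes_out": 80_000},
    {"src": "10.0.0.12", "dst": "198.51.100.7", "dport": 80, "service": "http",
     "cert_valid": None, "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "bytes_out": 600},
    {"src": "10.0.0.12", "dst": "203.0.113.99", "dport": 443, "service": "ssh",
     "cert_valid": None, "user_agent": None, "bytes_out": 4_000},
]

# Constructed blacklist (documentation-range address, not a real feed).
BLACKLIST = {"192.0.2.44"}

# Application expected on each well-known port (assumed table).
EXPECTED_SERVICE = {22: "ssh", 80: "http", 443: "ssl"}

# Per-signal weights. These are the user-tunable knobs; defaults are arbitrary.
DEFAULT_WEIGHTS = {
    "invalid_cert": 30.0,
    "unique_user_agent": 20.0,
    "blacklist_mb": 2.0,      # points per MB (1e6 bytes) sent to a blacklisted IP
    "port_mismatch": 25.0,
}


def score_hosts(conns, weights=DEFAULT_WEIGHTS, blacklist=BLACKLIST):
    """Return {src_ip: (score, [reasons])}.

    Boolean signals count once per host no matter how often they fire, so a
    chatty host does not out-score a quiet one on the same finding; the
    blacklist signal instead scales with the volume of data sent.
    """
    # user-agent -> set of hosts using it; "unique" means used by one host only
    ua_hosts = defaultdict(set)
    for c in conns:
        if c["user_agent"]:
            ua_hosts[c["user_agent"]].add(c["src"])

    flags = defaultdict(set)   # host -> set of boolean signal names
    bl_bytes = Counter()       # host -> bytes sent to blacklisted IPs
    for c in conns:
        h = c["src"]
        if c["cert_valid"] is False:          # None means "not a TLS session"
            flags[h].add("invalid_cert")
        ua = c["user_agent"]
        if ua and ua_hosts[ua] == {h}:
            flags[h].add("unique_user_agent")
        if c["dst"] in blacklist:
            bl_bytes[h] += c["bytes_out"]
        expected = EXPECTED_SERVICE.get(c["dport"])
        if expected and c["service"] != expected:
            flags[h].add("port_mismatch")

    results = {}
    for h in {c["src"] for c in conns}:
        score = sum(weights[f] for f in flags[h])
        reasons = sorted(flags[h])
        if bl_bytes[h]:
            score += weights["blacklist_mb"] * bl_bytes[h] / 1_000_000
            reasons.append(f"blacklist_bytes={bl_bytes[h]}")
        results[h] = (round(score, 2), reasons)
    return results


def alerts_above(results, threshold=100.0, now=None):
    """Build one RFC 5424-style syslog line per host at or above the threshold.

    PRI <132> is facility local0 (16*8) + severity warning (4). Delivery
    (UDP/514, TCP/TLS, or a Slack webhook) is left to the caller.
    """
    now = now or datetime.now(timezone.utc)
    lines = []
    for host, (score, reasons) in sorted(results.items()):
        if score >= threshold:
            lines.append(f"<132>1 {now.isoformat()} hunter threatscore - - - "
                         f"host={host} score={score} reasons={','.join(reasons)}")
    return lines


if __name__ == "__main__":
    scores = score_hosts(CONNECTIONS)
    for host, (score, reasons) in sorted(scores.items()):
        print(f"{host:12} {score:7.2f} {reasons}")
    print("\n".join(alerts_above(scores)))
```

With the constructed data, 10.0.0.9 collects the invalid-certificate and unique-user-agent signals plus 50 MB to a blacklisted address (150 points), 10.0.0.12 is flagged only for running SSH on port 443 (25 points), and 10.0.0.5 scores zero, so a threshold of 100 produces exactly one alert. Raising the `port_mismatch` weight is all it takes to push the second host over the line, which is the kind of per-environment tuning the configurable weights are for.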
We will be returning to a regular release cadence after this, so expect to see more incremental improvements over the next few weeks.
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Chris has been a leader in the IT and security industry for over 20 years. He is a published author of multiple security books and the primary author of the Cloud Security Alliance's online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them improve their product security through continuous development and identify their product-market fit.