Whitelisting Import/Export Feature
Yet again we have received more awesome feedback from our customers!
AI-Hunter gives you the ability to “whitelist” IP addresses that you wish to exclude from your threat hunting analysis. It’s a popular feature, as you can whitelist based on individual IP addresses, subnets, or even full autonomous system numbers (ASNs). It’s a great way to move the stuff you understand out of the way so you can focus on the actual threats.
One of the requested features was the ability to share whitelists. For example, let’s say you have multiple analysts using AI-Hunter. You want to ensure they are whitelisting a consistent list of targets so that analysis becomes more consistent across multiple team members. We’ve even had customers request a “best practice” list of systems to whitelist so they can quickly ignore targets that show beaconing behavior but are known to be safe (patching servers are a great example).
We are happy to announce that we have a new version going through testing that permits you to import and export whitelists. In fact, we took this feature one step further. With AI-Hunter, you will be able to load multiple whitelists and combine them together. For example, let’s say you are an international organization with sites across the globe. There are some targets you wish to whitelist globally, but you have others that should only be whitelisted regionally. This new feature will permit you to create multiple whitelists and combine them as your needs require. Further, the save file is in JSON format, so you are free to edit and manage the lists outside of the AI-Hunter interface. Pro tip: check these into your software repository (GitHub or similar) so you can maintain revision control.
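To make the "global plus regional" workflow concrete, here is an added example (not AI-Hunter's own code, and not its documented file format) that merges several JSON whitelists, de-duplicates overlapping entries, checks an IP against the combined list by exact address, subnet or ASN, and writes the result back out as JSON for version control. The JSON layout (`name`, `entries`, `type`, `value`, `comment`), the sample addresses and the `ASN_TABLE` lookup are all constructed assumptions for this example.

```python
"""Merge whitelists and test IPs against them (assumed JSON layout, not AI-Hunter's)."""
import ipaddress
import json

# Constructed sample whitelists using documentation/private-use ranges.
# The schema below is an assumption for this example only.
GLOBAL_WHITELIST = json.dumps({
    "name": "global",
    "entries": [
        {"type": "ip", "value": "192.0.2.10", "comment": "patch server (constructed)"},
        {"type": "cidr", "value": "198.51.100.0/24", "comment": "update CDN (constructed)"},
        {"type": "asn", "value": 64496, "comment": "private-use ASN as a stand-in"},
    ],
})
REGIONAL_WHITELIST = json.dumps({
    "name": "emea",
    "entries": [
        {"type": "ip", "value": "192.0.2.10", "comment": "duplicate of a global entry"},
        {"type": "cidr", "value": "203.0.113.0/25", "comment": "regional NTP pool (constructed)"},
    ],
})


def load_whitelist(text):
    """Parse one whitelist and normalise each entry so duplicates compare equal."""
    doc = json.loads(text)
    entries = []
    for e in doc.get("entries", []):
        kind = e["type"]
        if kind == "ip":
            value = str(ipaddress.ip_address(e["value"]))
        elif kind == "cidr":
            value = str(ipaddress.ip_network(e["value"], strict=False))
        elif kind == "asn":
            value = int(e["value"])
        else:
            raise ValueError(f"unknown entry type: {kind}")
        entries.append({"type": kind, "value": value,
                        "comment": e.get("comment", ""),
                        "source": doc.get("name", "?")})
    return entries


def merge_whitelists(*texts):
    """Combine several lists; an entry seen twice keeps the first source that declared it."""
    merged = {}
    for text in texts:
        for e in load_whitelist(text):
            merged.setdefault((e["type"], e["value"]), e)
    return list(merged.values())


def is_whitelisted(ip, whitelist, asn_of=None):
    """Return the matching entry for ip, or None.

    asn_of maps an IP string to its ASN (in practice an ASN database lookup);
    when it is omitted, ASN entries are simply never matched.
    """
    addr = ipaddress.ip_address(ip)
    asn = asn_of(ip) if asn_of else None
    for e in whitelist:
        if e["type"] == "ip" and addr == ipaddress.ip_address(e["value"]):
            return e
        if e["type"] == "cidr" and addr in ipaddress.ip_network(e["value"]):
            return e
        if e["type"] == "asn" and asn is not None and asn == e["value"]:
            return e
    return None


def export_whitelist(name, whitelist):
    """Serialise a merged list back to the same JSON layout, ready to commit to a repo."""
    public = [{k: e[k] for k in ("type", "value", "comment")} for e in whitelist]
    return json.dumps({"name": name, "entries": public}, indent=2, sort_keys=True)


# Constructed stand-in for an ASN database lookup.
ASN_TABLE = {"203.0.113.200": 64496, "192.0.2.77": 64500}

if __name__ == "__main__":
    combined = merge_whitelists(GLOBAL_WHITELIST, REGIONAL_WHITELIST)
    print(export_whitelist("combined", combined))
    for candidate in ("192.0.2.10", "203.0.113.5", "203.0.113.200", "192.0.2.77"):
        print(candidate, is_whitelisted(candidate, combined, ASN_TABLE.get))
```

Merging by normalised `(type, value)` means a regional list that repeats a global entry does not produce a second copy, while the `source` field kept on each entry lets an analyst see which list a match came from when a beacon is suppressed.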
We plan on including a default whitelist you can choose to load prior to analysis. This will include all of the IPs we’ve identified that exhibit beacon-like behaviour but are actually legitimate (false positives).
As always, we love hearing from our customers, so if you have comments or questions on any of the features within AI-Hunter, please drop me a line.
Interested in threat hunting tools? Check out AC-Hunter.
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.