Find threats and investigate incidents with Threat Hunting

The Axur Platform now has a Threat Hunting solution. This provides a very powerful search engine to find threats to your organization based on exposed data collected by our system.

Criminals are constantly breaching corporate and end-user systems and sharing this data with other threat actors. This data can help attackers in many ways:

• Leaked credentials can lead threat actors directly into the corporate technology environment. The leaked credentials may include session tokens that bypass multi-factor authentication.
• Password reuse allows attackers to gain access to corporate systems by using passwords that were leaked for different services or systems.
• Exposed personal data can be leveraged in phishing attacks, or for threatening employees into giving out their passwords or disabling MFA.
• Exposed credit cards can be used for fraudulent orders in online stores, leaving merchants vulnerable to chargebacks and customer complaints.

Organizations can proactively detect threats from exposed data. By extending ongoing investigations with an exposure check, or creating a routine process to query this data, it's possible to detect risks and mitigate them before an incident materializes and to prevent ongoing incidents from escalating.

Threat data can also be invaluable for security intelligence gathering, such as when analyzing suspicious orders from a customer, or for vendor security. During security audits, threat and exposure information can help you identify the source of a leak and confirm whether your business was breached.

The current cybersecurity landscape is very challenging, so it's essential to enhance processes with data and threat intelligence. With Axur Threat Hunting, we're giving you a very powerful tool to improve how you use threat data in any cybersecurity.

Axur Threat Hunting: Features Overview

At its core, our Threat Hunting solution works like a search engine that allows you to investigate incidents involving exposed credentials, credit cards, infected machines and URLs and domains. 

Threat Hunting is about zeroing in on specific data points that can identify risks, threats, or even incidents that might already be ongoing.

To start searching, you must select one of the databases to query:

• Credentials – exposed credentials are sourced from data leaks posted and infostealer malware logs that are routinely shared by cybercriminals in the Deep & Dark Web, as well as in data leak forums and other channels.
• Credit cards – This database contains information related to exposed credit cards.
• Infected machines – This option queries the metadata available in malware log files.
• URLs & Domains -  This database enables searching for phishing threats and malicious websites, identifying suspicious activities across the web.

The next step is to input search parameters and operators. 

Parameters allow you to query specific data points based on your chosen criteria. For example, you can check if a certain user had their credentials exposed, or search for all credit cards with a specified BIN that were detected in the last 30 days.

Many search parameters are available so you can find the data that is relevant to you. Some examples are available on the search engine page itself, but there are even more parameters available for advanced queries.

Some of the parameters available include:

• Credentials: username, domain names, password (obscured), leak source.
• Credit cards: card number, bank identification number (BIN), holder name, leak date, expiration date.
• Infected machines: system user, IP, hardware, operating system.
• URLs & Domains: impersonated brands, company logos, detection dates, domain references, open ports, and DNS records.

Operators work the same way as in any conventional search engine. You can combine multiple parameters with "OR" so that any results matching either criteria are returned, or you can use "AND" so that results are only returned when they match two or more criteria. 

Every powerful tool like our Threat Hunting has some complexity, but that's not an issue here. The AI Query Builder can help you build your query, even if you are not familiar with the required parameters or operators. In the AI prompt, you can describe what you are looking for, and the AI will build the appropriate query. You can further tweak the generated query before running it, too.

The AI Query Builder is a great tool for both new and experienced users. It also works for exploring the possibilities available inside Threat Hunting, and for learning new parameters that you might not yet be familiar with. New team members can quickly get up to speed by using the AI Query Builder and leverage many of the Threat Hunting features right away.

When and how Threat Hunting can Help

Not every organization will use threat hunting the same way. There are many situations in which the data we make available in our platform can be leveraged to help explain an attempted intrusion or find the root cause of an incident, but many use cases do not involve direct threats – such as when carrying out risk assessments for a vendor or contract.

Here are some examples:

Analyzing Risk

Our Threat Hunting works like a search engine, so you can use the data we make available for many risk analysis tasks.

• Vendor or customer: You can find data or credential exposures related to vendors or customers. This can be used when onboarding vendors, in audits, or when calculating the risk for a contract.
• Applications and platforms: There are many platforms, applications, or similar Software-as-a-Service (SaaS) offerings that do not offer individual contracts for each customer. Threat hunting helps address this by uncovering data leaks and exposures, providing valuable insights for assessing risks.
• Credit Cards: Even when a credit card number is not available, you can search for exposed credit cards based on the name of the cardholder. This can be used by online stores to clear or block suspicious transactions.
  

The parameters you can use for these tasks are:

• accessUrl=example.com
  Returns credential leaks related to a specific login URL (for example, the platform's login page or domain)

• holder=name
  Returns credit card exposures matching the name of the cardholder. You can discover an exposed card using this information and the digits of the card that you have access to, even when the card number isn't fully available (for PCI-DSS compliance).
  
  

Finding the source of a breach

User information is often stored by many services. Much of this data is duplicated, and users may reuse passwords. When leaks occur, users may complain to you as they believe that it was your business that suffered a breach.

The Threat Hunting data can help discover the actual source of the leak. 

Some parameters that can be useful for this are:

• user=email@domain.example.com or user=username
  Returns all known credential leaks related to the email address or user id. The results may contain information indicating the source of the leak (an infostealer malware, a data breach, and so on).
• password=password
  Returns all leaks with the specified password. Can detect instances of password reuse.
  
  

Finding fraud and phishing attempts 

Some businesses face complex phishing or fake website attacks, many of which don't explicitly use the brand name in the domain or content. Our platform addresses this by detecting even the most covert threats. With the "URLs & Domains" search, users can conduct tailored investigations that identify malicious pages based on custom content searches, even if the brand is not directly referenced.

You can investigate phishing threats using various parameters, such as:

• Brand Impersonation by Visual Elements: Identify sites mimicking well-known brands or displaying specific logos. For example, detect variations of "BrandName" impersonation levels or find sites that show "BrandLogo."
• Content Type and Sensitive Data Requests: Search for phishing sites by content type, such as login pages, error pages, or e-commerce sites. You can also pinpoint those that ask for sensitive information like passwords or payment details.
• Domain and Lifecycle Analysis: Investigate domains based on their creation or expiration dates, or filter results by recent detection dates to focus on new threats.
• References and URL Attributes: Examine specific URLs or references and filter by domain, subdomain, or top-level domain (TLD) attributes to narrow down your search.
• Network Indicators and Source Tracking: Identify threats by analyzing open ports or tracing their origins, such as collectors or threat intelligence sources.
• Language and Region-Specific Threats: Narrow your investigations to certain languages or regions to identify more localized phishing campaigns.

These parameters allow for targeted investigations, uncovering phishing sites and fraudulent activities even when indicators are subtle.

Investigating incidents

When investigating a security incident, you can leverage Threat Hunting to learn whether attackers used exposed information to carry out their campaign. You can also identify whether an incident has the potential to escalate to other parts of the network (due to other linked credentials, password reuse, and other risks).

Here are some useful parameters for investigating cybersecurity incidents:

• emailDomain=yourcompanydomain.example.com
• Locates exposed credentials with your organization's domain name. You can also use the operator "OR" to include additional domains.
• user=compromisedaccount@yourcompanydomain.example.com
• As above, this finds any exposed credentials belonging to the specified user.
• password=password
  When investigating failed or suspicious access attempts, you can also use this parameter to find out if the password used in the access attempt has been leaked before.
• ip=0.0.0.0
  This can locate machines that had a certain IP address when they were hit with an infostealer malware. You can find infected machines that reported an IP address inside your corporate network. This can also be used to track a compromise linked to a suspicious network (for example, if a user used their corporate credential on a personal machine to connect from an untrusted network).

It's worth noting that, although you can query this data proactively, the Axur Platform can automatically warn about high-risk events, such as when a corporate credential might be compromised. Threat Hunting, as the name implies, will shine when you're actively trying to uncover (or "hunt") threat data and find the root cause of an incident.

See Threat Hunting in Action

If you’d like to explore it further, you can also start with our free plan and experience the power of threat hunting firsthand. Reach out to us—we look forward to helping you secure your business.