Critical Data Sources for External Threat Hunting
Posted in Cyber Security

Critical Data Sources for External Threat Hunting

Latest Blogs

Critical Data Sources for External Threat Hunting

By AMSAT Jan 26,2021

Critical Data Sources for External Threat Hunting

That strong intelligence begins with good sources goes without saying. And when it comes to gaining the most context around suspicious events or rivals of interest, nothing is more crucial than external hunting.

Most existing threat hunting is duly focused on hunting inside the firewalls of an organization, but often, security teams are unable to arrive at decisive conclusions due to significant visibility breaks and a want of effective log aggregation.

A number of enterprises take years to establish a threat hunting team within a security operations center. In this context, secure remote access is a vital component of any healthy application pile, working with other elements such as DNS and TLS to ensure your applications are constantly protected and efficient. Policy and business considerations between human resources, legal, IT, and engineering need to develop and the business has to make the budget work.

While a majority of organizations are constantly evaluating the cost-benefit analysis of storing, aggregating, and examining their own data to carry out internal threat hunting, they ought to comprehend that external threat hunting can radically raise the setting used in internal threat hunting, allowing swifter times to spot and respond.

Passive DNS

This is a system of record that stores DNS resolution data for a given place, record, and time period. This historical resolution data set lets experts view which areas resolved to an IP address and the other way around. This data set allows for time-based association based on domain or IP overlap.

Most of these IPs and hosts are controllers typically managed by hackers and cybercriminals. Some of these host names and IP addresses striking the internally collected logs can be used by passive DNS to recognize supplementary host names and IP addresses that a network protector might not have seen through preliminary examination on the internally-collected logs.


Global Netflow

On the inside, the netflow practice is used by IT experts as a network traffic evaluator to find its point of source, destination, volume and paths on the network. Using internally collected logs such as application and firewall logs, you can consider being able to cross reference that internal data of similar type but different collection activity external to the enterprise.

External netflow is significant since it allows for storing huge amounts of traffic data over time without the large storage condition of full-packet capture.

Mobile Data

Mobile data and adtech data collection are used to target ads to users through mobile apps and browser data.  This data can occasionally comprise personal information but more often than not comprises a unique marketing identifier that does not recognize an individual by name but rather by characteristics and history.

Some of these characteristics related to your ad ID include WiFi networks that you have connected to, IP addresses the device has been allocated, physical site, model of phone/computer, browser version and, in some cases, profounder historical data positioned around buying interests. Using this data, a hunter can recognize a single device by IP or location and follow that device chronologically to find out activities that device conducted from different addresses and networks.


Aggregation of Scanning Traffic

One of the key issues with scanning traffic hitting external applications and devices is the sheer number of systems on the internet that are regularly skimming for open services and crawling applications for indexing. A brief look at any firewall or application log without any sort of sifting can be awe-inspiring and time-consuming.

This is where services that sieve the noise from recognized scanning hosts and underline more focused investigation of devices and applications are very beneficial.  These services supervise scanning activity using several listening posts on the internet as well as combined threat intelligence.

They then use data from these listening posts and threat intelligence to help recognize hosts that are of slight interest and can be sifted from logs when looking for targeted probing and attack setup.


  • Cyber Security
  • Security Updates
  • Threat Hunting
  • DNS
  • Data Sources

Recent Blogs

Share this article

Ready to Get Started?

Our specialists are ready to tailor our security service solutions to fit the needs of your organization.

    By submitting the form, you agree to the Terms of Use and Privacy Policy

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You may use these HTML tags and attributes:

    <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>