Active Countermeasures is a group of like-minded geeks that are passionate about giving back to the security community. We do this through free training, thought leadership, and both open-source and affordable commercial tools.

Incident response Websites

Gathered By Bill Stearns

The first few minutes of a threat investigation or Incident Response are the toughest. These sites help make those minutes easier.

You know something appears wrong, but you don’t have the details to prove it. The following sites take a piece of information you have (like the remote IP address to which one of your systems is talking) and give back more detail on what it is and whether it’s benign or malicious.

For a more comprehensive list, visit acm.re/threat-hunting-resources/

PORT LOOKUPS

speedguide.net/ports.php

Google search for “tcp port portnumber” or “udp port portnumber” (replace portnumber with the port in question)

DOMAINS

ipvoid.com/domain-reputation-check/

IP ADDRESSES

ipinfo.io

WHAT IS MY EXTERNAL IP ADDRESS?

(Handy if you’re on a LAN that shares a single IP address!)

icanhazip.com

RESERVED IP ADDRESS BLOCKS

en.wikipedia.org/wiki/Reserved_IP_addresses

HOSTNAMES

virustotal.com/gui/home/search

ASNs OR AUTONOMOUS SYSTEM NUMBERS

(which are blocks of addresses owned by an organization)

team-cymru.com/ip-asn-mapping

POSSIBLE MALWARE

(files and URLs)

virustotal.com/gui/home/upload

USER AGENT STRINGS

whatismyip.net/tools/user-agent-lookup.php

JA3 HASHES

sslbl.abuse.ch/ja3-fingerprints/

TOR SERVERS

dan.me.uk/tornodes
