Active Countermeasures is a group of like-minded geeks that are passionate about giving back to the security community. We do this through free training, thought leadership, and both open-source and affordable commercial tools.
Incident Response Websites
Gathered By Bill Stearns
The first few minutes of a threat investigation or Incident Response are the toughest. These sites help make those minutes easier.
You know something appears wrong, but you don’t have the details to prove it. The following sites take a piece of information you have (like the remote IP address to which one of your systems is talking) and give back more detail on what it is and whether it’s benign or malicious.
For a more comprehensive list, visit acm.re/threat-hunting-resources/
PORT LOOKUPS
speedguide.net/ports.php
Google search for “tcp port portnumber” or “udp port portnumber”
DOMAINS
ipvoid.com/domain-reputation-check/
IP ADDRESSES
ipinfo.io
WHAT IS MY EXTERNAL IP ADDRESS?
(Handy if you’re on a LAN that shares a single IP address!)
icanhazip.com
RESERVED IP ADDRESS BLOCKS
en.wikipedia.org/wiki/Reserved_IP_addresses
HOSTNAMES
virustotal.com/gui/home/search
ASNs OR AUTONOMOUS SYSTEM NUMBERS
(numbers that identify the organization announcing a block of IP addresses to the Internet)
team-cymru.com/ip-asn-mapping
POSSIBLE MALWARE
(files and URLs)
virustotal.com/gui/home/upload
USER AGENT STRINGS
whatismyip.net/tools/user-agent-lookup.php
JA3 HASHES
sslbl.abuse.ch/ja3-fingerprints/
TOR SERVERS
dan.me.uk/tornodes