FireEye, one of today's top cybersecurity companies, has released a new pre-configured virtual machine (VM) that was specifically set up to help threat intelligence analysts hunt down adversaries.
Named the ThreatPursuit VM, this is a Windows 10 installation that comes with more than 50 software programs that are commonly used by threat intel analysts.
The idea behind ThreatPursuit is to provide companies with a ready-made OS that can be deployed to new workstations before, during, or after a security incident and provide threat intel analysts with a ready-to-use work environment.
For example, ThreatPursuit could be deployed to tens or hundreds of machines at the same time and scale up a security firm's incident response capabilities.
It can also be deployed on computers inside a customer's network when providing incident response in a remote location, where a victim company may be lacking a threat analysis environment.
ThreatPursuit comes preinstalled with a wide range of tools
More than 50 tools are currently included with ThreatPursuit. The tools range across multiple categories.
There are tools preinstalled in ThreatPursuit that can be used by threat intel analysts to feed indicators of compromise (IOCs) like URLs and file hashes into local or remote MISP platforms.
There are also tools that can allow analysts to see connections between servers and malware samples using visual graphs. And there are tools that can be used to emulate attackers and their intrusion patterns against a company's network.
The full list of tools is below, as available today on ThreatPursuit's GitHub repository:
Development, Analytics and Machine Learning Tools:
- Apache Spark
- Apache Zeppelin
- Jupyter Notebook
- MITRE Caret
- Python (x64)
Triage, Modelling & Hunting Tools:
- MITRE ATT&CK Navigator
- Greynoise API and GNQL
- threatcrowd API
- Threat Hunters Playbook
- MITRE TRAM
- Azure Zentinel
- AMITT Framework
Adversarial Emulation Tools:
- MITRE Calderra
- Red Canary ATOMIC Red Team
- MITRE Caltack Plugin
Information Gathering Tools:
Utilities and Links:
- Google Chrome
- Docker Desktop
Installation instructions are included in this FireEye blog post.
Third VM image released by FireEye
This is the third ready-made VM image that FireEye has crafted for security purposes and released as open source software.
In 2018, FireEye released FLARE VM, another Windows 10 image that was specifically pre-configured to come with all the tools security researchers need to crack and analyze malware samples.
In 2019, FireEye also released Commando VM, a Windows 10 VM image that came preinstalled with all the major offensive hacking and penetration-testing tools. This VM was specifically built for "red teams" — a term that describes security researchers who perform on-demand penetration tests against a customer's network to test a company's defenses and detection capabilities.
With ThreatPursuit VM, FireEye has now released VM images for all the major cyber-security job categories, all to help security practitioners simplify and automate their daily work routines.