Netlas.io: A Powerful Suite of Tools for Threat Hunting

Adam Goss
6 min readFeb 12, 2024
Netlas.io Header Image

There is a powerful new suite of tools for threat hunting and it’s called Netlas.io. This innovative platform allows you to hunt across a vast network dataset collected from across the globe. You can use this data to enrich your threat hunts, add additional threat intelligence to your investigations, and map the attack surface of adversaries.

In this article, you will discover what makes this platform so powerful and how to use it to perform link analysis that takes your threat hunts to the next level. Let’s jump in and get started by learning what Netlas.io actually is.

What is Netlas.io?

Netlas is a platform for discovering, researching, and monitoring your online assets. The platform scans every IPv4 address and crawls every website and application to generate a rich collection of network data about assets worldwide. It then makes this data available through the Netlas Search tools. Included in this toolset are:

  • Host Search: A summary of public information about an IP address or domain.
  • Attack Surface Discovery Tool: A graph-based tool that maps your target’s attack surface. Great for threat hunting and gaining insight into what an attacker can discover about your organization from the outside.
  • Response Search: Scans a specific group of services or devices, such as IP cameras, IoT devices, databases, or web servers.
  • DNS Search: Searches DNS data Netlas.io has collected from certificates, Whois records, and periodic scans.
  • Whois IP and Domain Search: IP address and domain searches through a curated and carefully structured Whois database.
  • Certificate Search: For searching SSL certificates collected from the Certificate Transparency Log and host responses during scans.

To effectively use these tools, the team at Netlas.io built a powerful search engine that allows you to build complex search queries using different conditions and operators to search through over 10,000 fields. The engine uses Elasticsearch on the backend to support wildcards, regexp, fuzzy, and proximity searches using the web interface or API, allowing you to pivot through data sets effortlessly.

That’s enough talk. Let’s see Netlas.io in action and discover why it is a powerful tool in your threat hunting arsenal!

Threat Hunting With the Netlas Tools

Threat hunting involves proactively searching for threats within your environment that have evaded traditional security tools, like anti-virus, EDR, and IDS. It tasks you with actively uncovering signs of suspicious or malicious activity using human-driven analysis, investigation, and intuition. To be effective, you need a tool that can rapidly enrich indicators you find with intelligence and help you discover new data points to search for.

This is where Netlas.io can be a game-changer. The tool allows you to write powerful search queries to investigate suspicious network indicators you find during your threat hunts, be it an IP address, domain name, or SSL certificate. Using the intelligence returned, you can pivot to new data points, dive deeper into your threat hunt, and complete the indicator lifecycle.

Let’s use a practical example to demonstrate this.

The Scenario

In your network logs, you see one of your endpoint machines connecting to a suspicious IP address you haven’t seen before. This prompts you to gather data about this network indicator and start a threat hunt.

You load up Netlas.io and navigate to the Attack Surface Discover Tool to start your visual link analysis.

Attack Surface Discover Tool
Attack Surface Discover Tool

Next, you add the suspicious IP by selecting the Add Node icon from the toolbar at the top (1), entering the IP address (2), and selecting Ip from the dropdown menu (3).

Adding an IP Node to Graph
Adding an IP Node to Graph
IP Node Added to Graph
IP Node Added to Graph

Once added, click on the node to bring up a popup menu that includes additional network information about the node, such as DNS records, Whois data, and more. You can pivot off of any of these data points by selecting the SEARCH button.

Node Search Button
Node Search Button

Let’s search for domains related to that IP address. This will populate the graph with related IP addresses (1) and the right-hand panel with your node and search data (2) — useful when you need to search for, remove, or exclude a node.

Populating the Graph With Data
Populating the Graph With Data

You could add these domains and subdomains to your threat hunt to see if any appear in your DNS logs as you look to identify any other potentially compromised machines. A good one to start with might be luxspal.com based on VirusTotal.

VirusTotal Lookup
VirusTotal Lookup for luxspal.com

On the other hand, you could choose to pivot to one of these subdomains and find additional indicators to look for by following the indicator lifecycle. For example, luxerntech.com as another IP address associated with that domain. You can use the SEARCH button to add this IP to your graph.

Pivoting to a New IP Address
Pivoting to a New IP Address

This IP address 146.19.4.106 has new domains associated with it. You can add these to your graph using the SEARCH button again.

New Domains From New IP Address
New Domains From New IP Address

As you can see, our list of indicators is growing with every pivot we make, allowing you to expand your threat hunt and uncover suspicious activity related to that original IP address.

Complete Graph
Complete Graph

You don’t just need to pivot from IP addresses and domains. You can pivot from nameservers, Whois data like email addresses, certificates, JARM fingerprints, and more!

Conclusion

Visual link analysis is a great way to expand your threat hunts and uncover additional IOCs to investigate based on a single data point. The Netlas.io Attack Surface Discover Tool is the perfect tool to use. You can quickly pivot around Netlas.io’s vast network data sets, manage your nodes and searches in the right-hand panel, and even save and export your graph!

The Netlas tool suite is free to try out right now. There are also many features I didn’t get to showcase today, like the API and powerful query language, that I highly recommend playing around with using your own indicators. Give it a go, and let me know your thoughts!

Enjoyed this content and want to see more? Consider clapping for this article or giving me a follow. If you want to stay up-to-date with all things cyber threat intelligence and threat hunting subscribe to my newsletter!

Interested in learning the dark arts of penetration testing and red teaming? Check out these courses offered by Zero-Point Security. They will teach you all things red teaming from creating exploits to emulating real-world threat actors.

If you want more of a challenge, take on one of their certification exams and land your next job in cyber:

Do you want to learn more cyber security skills today? Check out The All-Access Membership Pass by TCM Academy. It will provide you with access to courses on all things cyber security, including hacking/pentesting, malware analysis, digital forensics, programming/scripting, and GRC!

If you’re looking to level up your skills even more, have a go at one of their certifications:

--

--

Adam Goss

Helping demystify cyber threat intelligence for businesses and individuals | CTI | Threat Hunting | Custom Tooling