Welcome to the start of this new series on building threat hunting tools with Python!
In this series I will be showcasing a variety of threat hunting tools which you can use to hunt for threats, automate tedious processes, and extend to create your own toolkit! The majority of these tools will be simple with a focus on being easy to understand and implement. This is so that you, the reader, can learn from these tools and begin to develop your own. There will be no cookie-cutter tutorial on programming fundamentals, instead this series will focus on the practical implementation of scripting/programming through small projects. It is encouraged that you play with these scripts, figure out ways to break or extend them, and try to improve on their basic design to fit your needs. I find this approach the best way to learn any new programming language/concept.
Before we delve into any technical details let’s consider why we should develop our own threat hunting tools in the first place.
So why would you need your own tools when a simple Google search will reveal tons of free and paid options?
When you first start out in cybersecurity you don’t need to know how to build things. There are plenty of free and paid tools you can use, and your company should provide training on the tools it has chosen to utilise. However, I believe there is a point that everyone reaches in their cybersecurity career (or any technical career) where they graduate beyond being given toys to play with and, instead, are ready to make their own toys. It’s a natural next step for anyone who wants to progress in a technical career. But why?
This question can be answered in four parts:
- Everything has an API nowadays
- You have a specific need for a tool that just isn’t being met
- You need to tailor or extend an existing tool to your needs
- You want to gain a deeper understanding of something