Threat hunting with Cymon API

Introduction

In this article, we’ll discuss mock intrusion attempts on our systems and show you how to make use of Cymon API to query important information that you can use in an effective threat hunt. In our case, we’ll demonstrate how we halted progression of the attack, effectively stopping it in its tracks.

It should be noted that although the discussed scenarios are entirely fictional, they are very possible in today’s world of increasing threats.

Introduction to the Cymon API

Cymon is the largest tracker of malware, phishing, botnets, spam and more. It is maintained by the private security company eSentire. Cymon allows you to:

  1. Search threat reports for free. Reports could include reported IPs, domains, binary hashes and so much more
  2. Collaborate with other researchers. Cymon allows you to create your own feed and invite users to contribute IoC data or submit reports to other feeds
  3. Export feeds. You are able to export your own feeds or public ones
  4. Integrate with existing tools. Cymon allows you to integrate with existing tools in order to deliver on threat intelligence

The above functions can be performed directly on the Cymon app or by interacting with the provided API. It should be noted that the first version of Cymon will be discontinued on April 30th, 2019, paving the way for the improved second version.

Intrusion detection and threat hunting with Cymon API

Before we can begin using the Cymon API, we are required to register for an account through Cymon. You will also need to use your credentials to create a session here in order to access the API. The steps to be followed are as follows:

  1. Click on “Create Session”
  2. On the left panel, click on “Switch to Console”
  3. We click on “body” and manually feed in our credentials as (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/UVDmwIzA_wU/