Hunt Platform Statistics Launch

Hunt Platform Statistics Launch

Published on

Published on

Published on

Sep 19, 2023

Sep 19, 2023

Sep 19, 2023

Hunt Platform Statistics Launch
Hunt Platform Statistics Launch
Hunt Platform Statistics Launch
TABLE OF CONTENTS

The Power of the Hunt.io Platform

Today, we're providing some transparency on how our platform works. We've designed the Hunt.io platform from the ground up to find and monitor malicious infrastructure. Every piece of the design is meticulously assembled for scale and for finding and saving vectors that will be useful for isolating malicious activity now and in the future.

The platform is very powerful. It starts with a massive observation collection. We've launched a statistics page which allows you to see inside the platform to understand the current activities. Activities shift throughout the hour and are made available in real time to the platform. The data cluster saving all these metrics can save up to 1M observations per second in its current incarnation and can be expanded horizontally.

Platform Statistics Page Launch

httpshuntioimagesblogsblog-4img-1-2xwebp

1 Platform wide observations per second is the sum of all the parts listed below.

2 Port Scans found are ports that reply as being open. We are scanning segments of the entire internet very fast. We are currently tweaking and tuning scanning cadence to see malicious activity.

3 Protocol detection is a custom protocol detector that's made to be fast and extensible. Later we can use it to find custom C2 protocols or other malicious signs running it on every unknown port.

4 HTTP pages are grabs of full HTML content.

5 SSH keys are public SSH keys used to associate malicious activity and look for tenant change on a server.

6 JARM hashes are a large scale collection of TLS fingerprints to give us an idea that a piece of software might be associated or malicious.

7 Parsed certificates are parsed SSL certificates to break out identifying items in each certificate.

Approximate Platform wide Statistics

Previously designing 2 large scale real time data systems for other projects, for Hunt we wanted to build a horizontally scalable cluster from day one. For hunting malicious infrastructure every nuanced detail needs to be saved. Our first iteration of the Hunt platform has the following hardware as of today:

  • 512 Physical Cores
  • 6TB of RAM
  • 280TB NVMe Storage
  • 20gbe networking between nodes

This allows us to store the following and scale horizontally as we need to:

  • 37.4 trillion data points right now
  • 1.5 million scheduled port probes per second
  • 300k port guesses per second
  • 10s of thousands of unique ports detected
  • 200 million certificates per day
  • 25 million unique certificates per day
  • 168 million service detections per day
  • 710 million unique open port/ip combos per day
  • 55 million JARMS per day
  • 60 million HTTP grabs per day
  • 34 million unique public ssh keys per day (13M RSA, 11.2M ED25519 and 10M ECDSA)

How to View Platform Statistics

httpshuntioimagesblogsblog-4img-2-2xwebp

From the Hunt Dashboard look for the graph widget and click it to get to the Platform Wide. If you don't have an account, apply for one now.

TABLE OF CONTENTS

The Power of the Hunt.io Platform

Today, we're providing some transparency on how our platform works. We've designed the Hunt.io platform from the ground up to find and monitor malicious infrastructure. Every piece of the design is meticulously assembled for scale and for finding and saving vectors that will be useful for isolating malicious activity now and in the future.

The platform is very powerful. It starts with a massive observation collection. We've launched a statistics page which allows you to see inside the platform to understand the current activities. Activities shift throughout the hour and are made available in real time to the platform. The data cluster saving all these metrics can save up to 1M observations per second in its current incarnation and can be expanded horizontally.

Platform Statistics Page Launch

httpshuntioimagesblogsblog-4img-1-2xwebp

1 Platform wide observations per second is the sum of all the parts listed below.

2 Port Scans found are ports that reply as being open. We are scanning segments of the entire internet very fast. We are currently tweaking and tuning scanning cadence to see malicious activity.

3 Protocol detection is a custom protocol detector that's made to be fast and extensible. Later we can use it to find custom C2 protocols or other malicious signs running it on every unknown port.

4 HTTP pages are grabs of full HTML content.

5 SSH keys are public SSH keys used to associate malicious activity and look for tenant change on a server.

6 JARM hashes are a large scale collection of TLS fingerprints to give us an idea that a piece of software might be associated or malicious.

7 Parsed certificates are parsed SSL certificates to break out identifying items in each certificate.

Approximate Platform wide Statistics

Previously designing 2 large scale real time data systems for other projects, for Hunt we wanted to build a horizontally scalable cluster from day one. For hunting malicious infrastructure every nuanced detail needs to be saved. Our first iteration of the Hunt platform has the following hardware as of today:

  • 512 Physical Cores
  • 6TB of RAM
  • 280TB NVMe Storage
  • 20gbe networking between nodes

This allows us to store the following and scale horizontally as we need to:

  • 37.4 trillion data points right now
  • 1.5 million scheduled port probes per second
  • 300k port guesses per second
  • 10s of thousands of unique ports detected
  • 200 million certificates per day
  • 25 million unique certificates per day
  • 168 million service detections per day
  • 710 million unique open port/ip combos per day
  • 55 million JARMS per day
  • 60 million HTTP grabs per day
  • 34 million unique public ssh keys per day (13M RSA, 11.2M ED25519 and 10M ECDSA)

How to View Platform Statistics

httpshuntioimagesblogsblog-4img-2-2xwebp

From the Hunt Dashboard look for the graph widget and click it to get to the Platform Wide. If you don't have an account, apply for one now.

Related Posts:

Sep 10, 2024

Compromising a browser can be a goldmine for attackers, offering extensive access to sensitive user data ...

Sep 10, 2024

Compromising a browser can be a goldmine for attackers, offering extensive access to sensitive user data ...

Sep 3, 2024

The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...

Sep 3, 2024

The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...

Aug 29, 2024

During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...

Aug 29, 2024

During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...

Launching AttackVault by Hunt.Io
Aug 23, 2024

We originally launched our "Open Directory" feature in Hunt a year ago.  The premise behind it was to get into the mind of the attacker by get a backstage view into their attacks.  What we learned was that there was a ton of information that could be correlated and indexed.  Today, we're reaffirming our commitment to getting into the tooling of attackers by launching AttackCapture™ by Hunt.io.

Launching AttackVault by Hunt.Io
Aug 23, 2024

We originally launched our "Open Directory" feature in Hunt a year ago.  The premise behind it was to get into the mind of the attacker by get a backstage view into their attacks.  What we learned was that there was a ton of information that could be correlated and indexed.  Today, we're reaffirming our commitment to getting into the tooling of attackers by launching AttackCapture™ by Hunt.io.

Sep 10, 2024

Compromising a browser can be a goldmine for attackers, offering extensive access to sensitive user data ...

Sep 3, 2024

The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...