One thing that has always been hard to keep track of, from a security perspective, for many SysAdmins without a security team is bad actors, whether internal or, these days, external. The last thing you ever want is to be called into a board meeting, or even a meeting with the marketing team, because customers are saying they have received emails from what appears to be you and been extorted for funds, or have seen posts on social media that appear to come from you.
Sadly this happens far more often than you think, and now more than ever: with COVID and people working from home it is becoming easier to target people, with some of the bad actors using attacks such as domain spoofing. Yes, there are some ways of preventing this, but what follows takes things to a whole new level, which is something I have always wanted to see.
But before we get into the technology that can help us monitor this: I was asked to look into a company called IntSights. They are headquartered in New York City and were founded in 2015 by former members of an elite intelligence unit, equipped with a deep understanding of how threat actors think, collaborate and act. They set out to build a solution that enables companies to use external intelligence to change the way they protect themselves, and let me tell you, it looks awesome!
IntSights is not just an AI platform (which we will cover later); it also has analysts looking through the feeds, so you can think of it as SOC-as-a-Service. That matters because many companies cannot afford a security operations centre, let alone one that appears to work at this level.
Let’s get back to how some of their product works and how you can start trying to eliminate some of these threats. First of all, you need to add your assets. Personally, I really like this term, as many companies do not view these things as assets until there is an issue… Your brand is an asset; your domain is an asset, as is your email address, which is tied to your brand’s reputation.
Once the system starts to find things on its scans you are presented with data such as the example below, which is the main case I was talking about. It is a great domain spoof, as a busy user may well miss the extra i when glancing over it. Other common examples, like micr0soft and amaz0n, swap a zero for the letter o to trick users. There is also a rise in bogus short domains: aka.ms is the URL shortener Microsoft uses for things such as MFA setup, but I have seen lookalikes such as akaa.ms/mfasetup used to try and trick users too.
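An added example (an editor’s illustration, not the post’s own code and nothing from IntSights): a small Python script that builds the kinds of lookalike domains described above for a brand domain, then flags observed domains or URLs that land in that set. The digit-for-letter table and the list of observed domains are constructed for the example, and the script assumes the brand label is the first label of the domain (true for aka.ms or microsoft.com).

```python
"""Lookalike-domain generator and matcher.

Added example, not IntSights code: builds the typosquat variants of a brand
domain that the post describes (a doubled letter as in akaa.ms, a digit
swapped for a letter as in micr0soft and amaz0n) plus two other common ones
(a dropped letter, two adjacent letters swapped), then flags observed
domains or URLs that fall in that set. Sample observed data is constructed.
"""

# Visually similar digit-for-letter swaps seen in typosquats (assumed list).
HOMOGLYPHS = {"o": "0", "i": "1", "l": "1", "e": "3", "a": "4", "s": "5", "g": "9"}


def split_domain(domain):
    """Split 'label.tld' at the first dot (simplification: the brand label is
    assumed to be the first label, which holds for aka.ms or microsoft.com)."""
    label, _, tld = domain.lower().strip().partition(".")
    return label, tld


def lookalikes(brand_domain):
    """Return {variant_domain: technique} for one-edit lookalikes of the brand."""
    label, tld = split_domain(brand_domain)
    variants = {}
    for i, ch in enumerate(label):
        # micr0soft, amaz0n: swap one letter for a similar-looking digit
        if ch in HOMOGLYPHS:
            variants[label[:i] + HOMOGLYPHS[ch] + label[i + 1:]] = "digit for letter"
        # akaa.ms: repeat one letter (the "extra i" case from the post)
        variants[label[:i] + ch + label[i:]] = "doubled letter"
        # drop one letter
        if len(label) > 2:
            variants[label[:i] + label[i + 1:]] = "omitted letter"
        # swap two adjacent (different) letters
        if i + 1 < len(label) and ch != label[i + 1]:
            variants[label[:i] + label[i + 1] + ch + label[i + 2:]] = "transposed letters"
    variants.pop(label, None)  # never report the brand itself
    return {f"{v}.{tld}": technique for v, technique in variants.items()}


def host_of(observed):
    """Reduce a bare domain or a URL like https://akaa.ms/mfasetup to its host."""
    return observed.lower().strip().split("://")[-1].split("/")[0]


def flag_lookalikes(observed, brand_domain):
    """Return [(host, technique)] for every observed entry that is a lookalike."""
    table = lookalikes(brand_domain)
    return [(host_of(o), table[host_of(o)]) for o in observed if host_of(o) in table]


# Constructed sample of domains/URLs a feed might surface (not real findings).
SAMPLE_OBSERVED = [
    "https://akaa.ms/mfasetup",
    "aka.ms",
    "example.org",
    "micr0soft.com",
    "aak.ms",
]

if __name__ == "__main__":
    for brand in ("aka.ms", "microsoft.com"):
        for host, technique in flag_lookalikes(SAMPLE_OBSERVED, brand):
            print(f"{brand}: {host} looks like a {technique} spoof")
```

Running it against the constructed sample reports akaa.ms and aak.ms as spoofs of aka.ms and micr0soft.com as a spoof of microsoft.com, while aka.ms itself and example.org are ignored. The point of the exercise is that the candidate set for a short brand is small enough to precompute and compare against whatever domain feed you have, which is the same kind of matching a platform does for you at scale.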
So now what? From here you can drill down into the alert and perform some actions. The most common one I can see being used is the takedown request, and it appears you can get all of this done from within the portal, which is nice compared with hunting down various support emails and chasing them to action it if you had found the domain yourself.
What happens if it is a bit more sinister? This is where the “ask the analyst” option comes in. I have been reliably informed you can ask them to communicate or interact with threat actors on your behalf, or even purchase goods on the darker side of the internet to validate a threat. That is something I have not seen anywhere else so far.
So wait… how does it get all this data? Well, this must be where the secret sauce goes 🙂 I can only assume there are some wickedly smart people and AI behind this, as some of these feeds are proprietary to the product.
That said, you can also add third-party feeds, which can then be searched on your behalf, but I can see many businesses wanting to take advantage of the dark web scanning…
One other stand-out feature I found was the IntelliFind applet, which allows you to search for data such as IPs and trace them back from things such as a rogue email or an attack alert. This can really help with cloud services these days, as they can be used to masquerade what is really going on, and let’s be fair, it draws you a really pretty little map of where all the data goes. Who does not like that? I am sure it will even keep a top-level exec happy when you explain how something may have happened, or what you prevented from happening.
You can explore the map by clicking on the nodes and, as you can see above, some IPs have been flagged as known bad IPs used in something malicious.
There are quite a few good, unique aspects to the product: where they look, the fact that it is SaaS (Software-as-a-Service) and, in effect, PaaS (people as a service), and the fact that they are looking for attack vectors outside of your network, allowing you to defend forward and be proactive rather than just protecting the assets within your network. All of that really adds to the appeal for me. I think it is now something that tech teams (IT and security), boards and marketing need to realise: your brand needs to be protected and, unfortunately, people are out there to potentially damage yours if there is coin to be made. Yes, that is a quote from a game recently released at the time, but it is apt, as these days it is not just about common currency but also cryptocurrencies, which the actors often demand if something happens, as they are much harder to trace.
So where does that leave us? Well, for me personally, I want to get a bit more hands-on with the product and see what it has to say about a brand I know. You can even get a free threat report for your company over here
Note: I have been compensated for this review and commentary, but I know I will be looking further into this, as I think it is a great topic, and people know I like security stuff. All the thoughts and opinions in this post are mine and not linked to the company or the company I currently work for.