(Ch-ch-ch-ch) changes – Mar, 2023
Oh, look out you rock ‘n rollers
Hi all. It’s been a while since our last update, and we’ve been super-busy. Get a coffee, load your favourite Bowie track, and bring yourself up to speed with our progress. Feel free to drop us a line at firstname.lastname@example.org if anything piques your fancy.
- MORE SEED TYPES : Seeds are now available as AI-generated business documents, AWS credentials, hosted honeypots
- DEPLOYMENTS : Seeds can now be planted & retired by unsupervised, automated deployment schedules
- INTEL : We now publish threat intelligence on all observables realted to your organisation
New seed types
Seeds are the deceptive assets we plant inside our customers environments, so that we can detect malicious activity. It’s really important to us that we continuously evolve our range, aiming to make them better camouflaged, or more instrumented (or both). In this latest release, we have 3 new seed types for you:
AI-generated business documents
If you’re going to use deception with an emphasis on luring activity, your assets need to be appealing to their audience.
We’ve used our own threat research to determine what content is appealing, and created a set of seeded document templates that mimic common business documents. Today, that includes;
- Financial reports
- Intellectual property reports
- Strategic plan
- Supplier agreements
Each instance of a document is unique, and populated with relevant content using AI. We instrument the file (it signals us when it’s opened, and we’ve peppered the content with links that also provide us with signals if clicked
If somebody finds an AWS account lying around, they are highly likely to try logging in with it. It’s like the cloud-equivalent of finding a USB drive in a car park. When this happens, we get a signal, which we enrich with intelligence then raise an appropriate alert.
These seeds are great for using in dormant repo’s where nobody should be working. Or on your engineers workstations or email accounts, or other developer comms channels.
It’s useful to know when you’re being scanned, but you don’t want the overhead of running a honeypot, or the risk of connecting something that is intentionally going to act as a target. That’s where our hosted honeypot seed comes in.
We run the underlying infrastructure, you simply point traffic to us using DNS entries. We capture all interactions, analyse for the threat rating and send you appropriately prioritized alerts
We’ve talked about automating the whole seed planting / retiring activity with many of you, and recognise that you see this feature as a major efficiency win, so we’ve built it. Seeds now get created, then planted and retired with a deployment. You can configure;
- Deployment size (how many seeds are concurrently planted)
- Expiry period (how long each seed is left in place
- Seed type, including our new AI documents
- Planting location, which could be an integration to you OneDrive or G-Drive, or local download for manual planting later
We also send notifications for each execution of your deployment.
This is a massive leap forward for our vision of highly deployed deception assets with little operational overhead; configure your deployments, push play, and leave us to it.
At the core of our product is our threat intelligence engine, collecting signals and telemetry from our seeds and running analysis on the observables we see interactions from.
We have updated our platform to present this intel to you in full. As a menu option, you may now view everything we know about a specific IP address, email address or domain that has interacted with your seeds. We assign them each a threat rating, and continue to review this rating after the initial event, providing you with updates if we determine a change for the worse.
What else have we been up to?
Is the above not enough? Ok, well, there are a few more little things;
- IP whitelisting : Add a single IP address or a range of IP addresses to your whitelist and we’ll change how you receive alerts for it
- Jira and Slack integrations : Receive alerts directly into Jira and Slack
- New Dashboard : Movable widgets showing key stats
We’ve got a busy 3 months ahead, and a roadmap full of ideas from us and requests from our users. Specific features getting our attention are:
Internal Honeypots : virtual devices that will mimic infrastructure within your environment and send signals back to us when bad actors try to connect to them
Custom Analysis rules : unique rules for how your organization want analysis to be performed
Custom Alerts : Similar to the planned custom analysis rules, but more concerned with the format of the alert messages we send
More integrations : changing the content of an alert is part of the story; the other part is being able to send that alert to the tools you already use. So, we’re building out-of-the-box connectors to the most common tools in your estate
We hope you agree that we’re building something highly useful, but more importantly, we hope you will share your thoughts and feedback, whether you’re a fan or not. We’re on email@example.com
Thanks, Enrico (CEO) and Matt (CTO)