In a recent episode of Rapid7’s podcast, Security Nation, we talked with Jonathan Cran, Head of Research at Kenna Security. Here’s what Jonathan had to say about his side project, Intrigue, and how security professionals are spending their time while on coronavirus lockdown.
Intrigue is a framework oriented toward discovering organizational attack surface and asset intelligence. Early in Jon's penetration testing career, he had the idea for Intrigue. At the time, the pen testers had automation platforms they could use, like Maltego, and they also often wrote their own scripts. But what was missing was a framework to wrap around all of the different OSINT tools.
The vision for Intrigue began with Jon’s idea about a data-driven OSINT platform, similar to Maltego but with the plugability and openness of the Metasploit Framework. From there, it evolved. Today, Intrigue uses over 130 different OSINT sources. Just plug in a domain and press a button, and you’ll get a graph built around an organization with all the pieces of attack surface that are interesting to attackers, such as applications, hosts, people, email addresses, and more—and automation makes it all simple.
It’s completely open,[ available on GitHub, and easy to deploy with Docker.
In the early years of Intrigue, Jonathan was working alone, with others occasionally coming and going from the project. Recently, Intrigue has been somewhat commercialized, leading to a hosted version and a team of contractors working and helping to build fingerprinting.
The fingerprinting library, which is called Ident, is standalone and also open source. While many consider application fingerprinting a “solved problem,” Jonathan found that there was no good BSD, Apache, or MIT licensed software out there that was easy to write fingerprints for.
Ident is written in Ruby and fingerprints as much as possible in a first page grab. You can run 500 checks with a single page grab—in other words, it’s fast. In addition to running standalone, Ident is built into the Intrigue engine so that whenever you scan a web server, it'll fingerprint it automatically
COVID-19 scam domains
The podcast also delved into some things that are happening in the security world due to the current situation with the novel coronavirus.
New scam websites exploiting the COVID-19 pandemic are springing up every day. Jonathan talked about the initiative within the security community to hunt down these domains.
When people on a Slack channel share coronavirus or COVID-related domains, Jonathan will pull those down and load them into an engine. An automation pipeline scans them and grabs a screenshot of any application or application endpoint. It discovers the services, fingerprints it, and comes back with an information set. That can then be tied into Intrigue’s pre-collected information to determine whether a given endpoint is likely to be associated with a given threat actor.
Intrigue has the ability to scan for certain vulnerabilities, including a recent remote code execution vulnerability for Microsoft Exchange known as CVE-2020-0688. A remote attacker can exploit this vulnerability to take control of an affected system that is unpatched. Jonathan said that according to his data, only about 15% of these vulnerabilities have been patched at the time of recording. The patch has been available for a couple months, so that’s way behind schedule.
Organizations may be reluctant to patch Exchange because it’s likely to involve an outage. Even a few minutes of downtime can be a lot for email. But Microsoft patches are usually deployed much faster than what we've seen with this Exchange patch. In fact, Microsoft server patches tend to be among the fastest of the vendors—within 30 days, at least 50% is usually patched.
Some of that involves desktop patches, which are faster and often automatic. But Jonathan and the hosts also discussed the possibility that during the pandemic, with many people struggling just to figure out how to work from home, Exchange patches may not be a priority, and avoiding email downtime that can result in a walk to the data center to manually reboot is more critical than it once was.
The Golden Age of open source
Jonathan also talked about what’s next for Intrigue. He’s working on lightly pre-scanning organizations. He’s added the Crunchbase database and a few other big databases of companies, which helps improve the Intrigue engine. Jonathan hopes to have more people using and contributing to Intrigue. Fingerprinting is an easy way to get started with the project.
He did add the caveat that the open engine will be relatively inaccurate at first. It has to be guided a bit. The hosted service is more accurate, because scans have already been done to learn which domains belong to which companies.
Podcast host Tod Beardsley suggested that, with the “global lockdown of nerds around the world,” this might be a golden age of open source. Jonathan talked about the value of open source projects for learning and experimenting. He suggested starting with Golang or Python. Learn to solve your own problems, and contribute to other people’s projects as well.
“Here’s a good piece of advice,” Jonathan said. “If you help other people with their project, they will help you.”
Want to hear more about Jonathan and Intrigue? Give our podcast a listen here.