Know Your Assets: Talking with Jonathan Cran from Intrigue
Reading time: 14 minutesThe constant risk of cyberthreats on organizations and their digital landscapes makes knowing your assets and the extent of your attack surface crucial. Reconnaissance is one of the first steps attackers will take to discover any unprotected and unmonitored assets, and use them as means to gain access to your network.
To be truly protected against malicious actors, organizations need to know assets that are deployed in the environment and what attackers see. You can't protect something you don't know you have. Knowing your assets is the foundation of effective security.
Guided by this thought, Jonathan Cran started Intrigue, an API-first framework oriented towards discovering organizational attack surface and asset intelligence. Whether you're a security researcher working on enterprise networks, pen tester discovering vulnerabilities, or a bug bounty hunter looking to automate your strategies, this automated OSINT and reconnaissance framework can help you.
Jonathan Cran is an information security expert with over 10 years of experience in network and application security. Currently working as Head of Research at Kenna Security and running Intrigue, we caught up with him in Austin to talk about the joys of having too many ideas and not enough time, why he left San Francisco, benefits of data-driven security, and more.
SecurityTrails: You've just moved from the Bay Area. What was your experience with the tech startup scene there, and why did you decide to leave for Austin?
Jonathan Cran: Oh wow. San Francisco has the largest and most vibrant startup scene in the world. Living there was like living in the future. New products and services are all available in the Bay Area first, and I loved being part of that. It's such a destination, folks are always coming into town, and there's no shortage of opportunities to grab coffee. Everyone should live there once.
We made the move to Austin primarily because of the economic growth happening here. There's an incredible security and startup scene in Austin and quality of life is actually a little higher here for us - our burn rate is lower than in the bay, which means we can be more flexible with our time. Having spent a couple years in Austin previously, we knew this was a good place to be able to lower our burn while incubating Intrigue.
How did you get into information security?
Jonathan: Probably like many SecurityTrails users, I played a lot of games growing up - Diablo, Age of Empires, and Counterstrike. What I'd give for those hours back, hah. I guess what really put me on the path to security was my time at Iowa State University. I was a student but in order to make ends meet, i took a job as a helpdesk person. I guess I got lucky, it turned out that in the specific college I worked for - the students ran everything. Which meant a lot of responsibility and opportunity fast. But also a real lack of architecture and long-term thinking. Everything was directly exposed to the Internet - no network or OS layer firewalls, no NAT, no real protective controls at all. We felt a lot of pain because of that lack of control - and went through a series of incidents - the Sasser and Blaster worms stick out as some of the most painful. Those worms exploited core Windows service (SMB) bugs on 139 and 445 - which were effectively ubiquitous. It was a real eye-opener to see how much effort it takes to build and maintain secure systems.
After school, you worked as a pen tester?
Jonathan: I did. There was a small group of us at Rapid7 in the early days (2007). Jim Patterson, who's the current CEO of Eaze, Zach Lanier (Atredis), and Josh Abraham (Praetorian). We were probably at odds with the product organization a lot. It was definitely a lesson in startup focus - it's very difficult to manage incentives between product and services in the same firm. Generally, a VC backed firm must keep service revenue below 15% of overall revenue in order to prevent lowering their valuation. I'm super proud of what we did there. We were educating folks on attack techniques that are still in use today. Back then, Active Directory was almost always hosted internally, and literally everyone struggled with the basics of application security and vulnerability management. Pass the hash worked pretty much everywhere. After a while, you grow weary of explaining the same attack techniques that work everywhere, and you realize you need to build products to make prevention easier. The lessons learned during that time made me get serious about building product.
What was it like to land a job at Bugcrowd, one of the largest bug bounty and vulnerability disclosure companies on the Internet today, and what was your experience working there?
Jonathan: Yeah, Bugcrowd was very clear as a solution to those earlier lessons. After participating in a few of the early Bugcrowd programs, it was obvious how powerful the model really could be. I reached out, and Casey invited me out to San Francisco to see what I could do to help grow the business. They had just raised seed funding and were in the midst of moving the team from Australia to San Francisco. Ultimately, they needed a conduit to the startup and security scene in the US. I've always been the type to jump in and get my hands dirty, so I started calling a few CISOs in my trusted network and talked to them about the possibilities - explaining why I thought it would help them, and ensuring that I'd do everything I could to help them be successful. In the early days, it's a mixture of product, sales, operations, and just all around do-what-it-takes. I love that stage.
Data-driven security is something you have an interest in. Besides helping to build more resilient and automated infrastructure, what are some other benefits of data-driven security when it comes to incident response and threat detection?
We're really living in an age of information security where we're "data rich and signal poor." It's not just an information security challenge - pretty much every industry is experiencing this to some degree or another. It's an effect of the explosion of computing power and storage space. There are many other factors, but those are underlying. We just have much better structured data about what attackers are doing today. Mitre ATT&CK is a great example. There's a small number of techniques that are being used everywhere.
And those techniques often rely on a small number of vulnerabilities, in an even smaller set of software. That's really where this idea of data-driven is focused for me right now. Let's use everything we know about what attackers are doing in the wild and tie it back to the root cause, and make it as simple as possible for folks to prevent those techniques.
So to do what you're talking about, threat intelligence is a popular buzzword we see everywhere. How do you really put it into practice with the vulnerability management process?
Jonathan: Great question. There's a variety of different categories of intelligence, and only some of those categories are useful in vulnerability management. There's been a real transition in the last few years in this space. It's impossible to fix everything, you have to prioritize. Intelligence must drive that prioritization, and help focus attention on the configuration issues or vulnerabilities that enable attackers to act with impunity.
There's a variety of ways to correlate intelligence, but it boils down to making sure that intelligence can be clearly tied back to a set of vulnerabilities or misconfigurations that the practitioner can chase up. This can be done using a CVE, CWE, or CPE. ATT&CK is also proving to be quite useful as a way to tie problems to attacker behavior. At Kenna, we published a series of reports over the last 18 months called the "Prioritization to Prediction" series, that dive into just how few vulnerabilities end up being used in the wild. I recommend reading it, but if you're in a hurry: less than 5% of all vulnerabilities end up being detected in the wild. Sure, there's caveats to that number, but it's an astounding number nonetheless.
Common Externally-Detected Vulnerablities by Prevalence across the 500
Intrigue detects software versions of applications as it surveys attack surface, and can infer vulnerabilities. This is a list of the most prevalent across the Fortune 500.
| Vulnerability | Count |
|---|---|
| CVE-2013-6438 | 6864 |
| CVE-2014-0098 | 6864 |
| CVE-2014-0231 | 6729 |
| CVE-2014-0118 | 5013 |
| CVE-2014-0226 | 5013 |
| CVE-2018-1301 | 4926 |
| CVE-2018-1302 | 4926 |
| CVE-2018-1303 | 4926 |
| CVE-2017-9798 | 4682 |
| CVE-2017-9788 | 4462 |
| CVE-2016-8612 | 4456 |
| CVE-2017-7679 | 4378 |
| CVE-2016-5387 | 4197 |
| CVE-2013-2249 | 4155 |
| CVE-2016-4975 | 3986 |
| CVE-2015-3183 | 3775 |
| CVE-2015-0228 | 3775 |
| CVE-2012-0883 | 3676 |
| CVE-2013-1896 | 3439 |
| CVE-2018-1312 | 3267 |
You just mentioned Kenna Security. If you could tell us a little bit about your role there, what are you helping them build?
Jonathan: I joined Kenna a little over a year ago. It's a platform that brings together information about attack surface, the threats that are relevant to that attack surface, and the ability to easily distribute that information. The data driven approach is key, but so is getting out of the way and enabling the business to make better decisions. Kenna's approach to the problem is data provider agnostic, which is another way of saying the platform will integrate with many sources, and has a common ontology (language & structure) for security data.
One trend I've been watching closely is the move to zero trust. Which is another way of saying "everything's just software", often deployed in the public cloud. The fundamentals of attack surface change in this world, and vulnerability management changes with it. OSINT is going to have a big role to play.
So tell us about Intrigue. You've been building Intrigue while working at Kenna Security. Are you just an amazing multitasker or was there a learning curve to having a 9-5 job and running your own company?
Jonathan: I wish. I'm spending a lot of time in front of a screen these days, but Intrigue is a passion project. It's really a couple disparate technologies.
The engine, Intrigue Core, has been around for about 10 years in a variety of iterations, though not widely promoted. Ultimately, my goal with core is to provide an open platform to collaborate with the OSINT and security communities. It's BSD licensed and free for commercial use for that reason. You can think of it as an API for performing OSINT data collection. Most OSINT tools are designed to run one-off jobs with a human in the loop. With Core, you can build out workflows that make it possible to remove that human and automate a lot more of the process. It's still early, but you can learn about it at https://core.intrigue.io. It's primarily designed for pen testers, but we have a number of organizations building asset and vulnerability discovery products on top of it, which is exciting.
The hosted site (Intrigue.io) is brand new. It grew out of my interest in automating collection of security data for organizations and my own experience as a bug bounty hunter. It automatically collects vulnerability and asset data on a per organization basis. Essentially you walk in, type in the name of an organization and you get a bunch of data about the technologies, the security issues, and the third parties of any given organization.
The hosted site is built on top of the open engine, and a bunch of OSINT data sources. Security Trails is a key source for me and has replaced a bunch of disparate apis and scrapers i previously used to gather organization data.
For who was Intrigue built? What is your current user base?
Jonathan: The engine is best suited toward pentesters since it's an open source project and requires some work to get set up. The hosted site is useful for them too, but I'm seeing more internal security teams tasked with hygiene and overall security health digging into the hosted site these days.
Like any good research question — you have the best sources in the world, but if you don't know what you're trying to figure out, you'll just spin your wheels
How can analyzing and understanding attack surface help organizations in better cybersecurity planning?
Jonathan: If you can't see it, you can't fix it. Vulnerability and asset visibility remain fundamental challenges for organizations, and with cloud adoption (and consumerization of IT) increasing, visibility is getting even harder. I think one thing that gets forgotten is that security doesn't get baked in without a real culture shift. Often the security person gets hired much later, after there's some success in a given company, and they're forced to figure out all the terrible/amazing things that were done to get the organization to this stage. Not only do they have to find the problems, but they have to figure out how to change the culture to prevent it, all while maintaining awareness of new decisions. It's really one of the most challenging jobs on the planet. It's underestimated how challenging it is to change people, process, AND technology. Practitioners need all the help and data they can get.
It's impossible for any organization to ensure 100% coverage of its attack surface. But what tips would you give to organizations to minimize their attack surface?
Jonathan: Well, using SecurityTrails and Intrigue isn't a terrible place to start. They'll help knock out a lot of the low-hanging fruit. It's a people, process, and technology problem. Technology can't be the first line of defense, but it takes time to change culture and adjust processes. The most successful organizations have spent a ton of time and effort changing these processes that ensure new accounts and services are registered and security has visibility of this data. In the meantime, our technologies offer a form of safety net to these organizations.
Besides good tools, on what else does a true insight from OSINT depend on? What brings more effective OSINT results?
Jonathan: Well, it's a combination of tools, sources, and analysis. And like any good research question — you have the best sources in the world, but if you don't know what you're trying to figure out, you'll just spin your wheels. So I'd suggest exploring all the OSINT sources out there, but once you have an understanding of what's possible, focus on those key sources that bring you clarity to the problem you're focused on.
For instance, with Intrigue, I'm super focused on helping internal security teams get a deep understanding of unknown assets and vulns. Anything that can give me a broader asset base is interesting. That's common stuff like SSL certs, active and passive dns queries, but I'll spider websites, request files and parse for metadata. If I get an email address, I'll look it up and keep iterating until I've exhausted my graph. The iteration model is very powerful.
How has OSINT evolved over the years since you got into its world?
Jonathan: For starters, there's a lot more sources and APIs available vs 5-10 years ago. Many folks are building their own automated collection and enrichment systems because of Bug Bounty. OSINT is now playing a part in most internal security programs too. SHODAN and Rapid7's OpenData project, in addition to Censys, BinaryEdge, and others have all popularized the idea of collecting internet-wide asset data, which is incredibly helpful for security teams. Nobody's cracked Ipv6 yet though.
I think when you're starting out, you should aim to get as much experience as possible, and follow what interests you. That's the most surefire way I know to stay focused
I think Bug Bounty and the continuing emphasis on recon has also had a big effect on OSINT, at least as it relates to security-oriented sources. The widespread use of Certificate Transparency Logs are a great example of that. Bug bounty hunters have used that source to great effect by being notified on-demand and automatically kicking off tests, in some cases before a system can even be provisioned by its original owner.
The legal landscape has also evolved. Most clearly due to the Linkedin vs HiQ case, a landmark in the OSINT world. HiQ essentially won an injunction against Linkedin, which was eventually upheld in the US Ninth Circuit. For researchers building scraping tools, at least for the purposes of OSINT, this is a really positive step.
You are an information security expert with many years of experience. What advice would you give to someone looking into starting their career in infosec, but because of the overwhelming magnitude of resources, are kind of lost?
Jonathan: The more you know, the more you realize you don't know. That rings very true for me. The industry's expanding and there's a lot more specializations. That said, I think when you're starting out, you should aim to get as much experience as possible, and follow what interests you. That's the most surefire way I know to stay focused - it's got to keep your interest.
One piece of advice I mentioned above in my own choices, and I think I mentioned above is, just "follow the data." If you have access to data, you can continuously improve whatever process you're working on, and often to monetize that data in a variety of useful ways.
Make sure you check out Intrigue if you haven't already and follow Jonathan on Twitter to stay tuned for all updates about his amazing tool.
Listening to experts and getting tips from industry leaders is something we are always interested in. If you know a security expert you would like to see featured in our interview series, send a tip to: {{ '[email protected]'|safe_email }}.
In the meantime, follow our blog to catch up on all the new infosec research and other interviews we have coming your way.
