ShadowTrackr


Threat intelligence

15 July 2019
If you just ticked the intel box for messages on your timeline, it has been a bit empty lately. This is because I had to remove some boring stuff. The interesting events that remained under intel did not occur very often. This week's update includes an attempt to improve that.

I find myself checking multiple security blogs regularly to see if there are any new reports available on particular APTs. As so often when browsing the internet, I found a lot of other news as well, and only hours later I'm back to work. I figured more people have this problem and I should automate it in ShadowTrackr.

Under traps you'll see a new tab: Intel. You can select which APTs you're interested in and when there is new information available it will appear on your timeline. Alerts to your email address or smartphone are also possible of course, and you'll notice something new there too.

In bigger organizations you'll have more specialized functions and some (the threat intel people) will likely want alerts pushed. The other security people might not. So, you can now set alerts just for yourself or for all ShadowTrackr users on your account. I'm guessing that this is very useful for other traps as well and I'll start working on implementing this feature for all traps.

Port change notifications

01 July 2019
Last month has seen lots of small changes in existing notifications. The goal is to clean up the timeline and make it more useful. Some messages are more concise, some are grouped, and some contain more context so you don't have to look things up manually (what was on that ip?).

The biggest one of these changes is in the way port notifications are handled. Each port was a separate event and only showed the port number and ip. Only when showing the timeline were these events grouped, which unnecessarily slowed down the page buildup. And this didn't really work well when scrolling. Port events are now grouped when the event is generated and nicely formatted with proper context. Much better than it was, except for ports that are actively checked (like those with STARTTLS). Active checks produce a lot more information than just checking if a port is open. I still have to figure out a way to integrate those without messing up a nice timeline.

Another problem solved is the different lists of bad ports and advice on what to do. These were different lists on the nodes where the events are generated and on the webservers. Multiple lists are cumbersome to maintain and error-prone. If some attacks are spotted more often, you want to change the message of the corresponding notification on the bad port list, and maybe the level too. The list is now centrally maintained on the server and automatically pushed to all nodes. From now on you'll get consistent advice on port changes.

Improved discovery and UX

03 June 2019
This weekend ShadowTrackr has undergone a quite noticeable update. There are a few extra sources to discover urls and ip addresses. If you see previously unknown assets appear on your timeline, this is the reason.

The messages for these new assets have improved too. Instead of spamming your timeline with multiple messages related to the new asset, we now try to put this all in a "details" box in the message that you can expand or close. This keeps the timeline neat and more relevant.

Since the user interface had to be updated for this anyway, it was time to fix some serious UX problems that have been creeping in as well. With any software system that grows organically over time, you always run the risk of losing some consistency with every new feature. A lot of these issues have been fixed now. I'll mention the most important ones.

On most of the internet, blue links are clickable. In ShadowTrackr this was mostly true too. Except for the timestamp. Somehow this ended up being blue and unclickable. It was also in the wrong location. If you look at the place where most timeline-like systems display the timestamp, you'll notice it's near the top left. That's where users are trained to expect it. We had it at the top right. Oops. That's fixed now.

Eating your own dog food is always a good idea. This will make you feel the pain users are feeling. One of the major pain points for me was not being able to copy ip addresses and urls from the timeline in order to investigate them further in other tools. That is fixed now. Any part of the message can be copy-pasted. The link to view the asset, or suggestion, is now displayed in blue at the top right.

About those links, up until now it was sort of a surprise what would happen if you clicked something on the timeline. Would you stay on site and get more details? Or would you end up on an external site to view the source? The new-style links will show you what is going to happen. If the link leads off site, you will see which site you'll be opening. A keyword hit on pastebin.com will have a link that says "open pastebin.com".

If you have any thoughts on the new user interface, I'd be happy to hear them.