Posts

Community Update - 3CORESec Blacklist 📓 🍯

Recently we tweeted about some issues we had with 3CORESec Blacklist, a platform that shares - openly and freely - a subset of the information seen and processed by our honeypot network. Those issues have been addressed, and since significant changes were made to how we monitor the generation of the lists (which is reflected in our status page) and to how we determine whether an IP should be listed as an offending IP, this felt like a good opportunity to write a bit more about the platform as well as the changes we made. For regular users of Blacklist 📓 the first thing they'll notice is an increase in the number of IPs we include. That is a direct result of the changes we made and of the growth of the honeypot network itself. We have not - and will not - ever increase the period for which we query the honeypot network, as we believe anything longer than 24h (as specified in the project page) for IP addresses can quickly fall into a decaying state that adds little value

3CORESec ONE & MDR are now LIVE!

Over the last 6 months we have been hard at work on what we believe is the future of enterprise information security, and today we're excited to lift the curtain - to some extent - on our most recent development: 3CORESec ONE and 3CORESec MDR. 3CORESec ONE When we first got together to establish our product lineup, one thing became clear. If we wanted to make a difference we would require significant development on tools and platforms that worked the way we thought information security should work: as a unified experience, with minimal changes to client workloads, pricing adjusted to companies of different sizes, the capability to grow without additional purchases or rewiring, and an overall less-is-more approach. After two years of building individual components for our products, some of which found their way to the public in the form of SaaS platforms (i.e. lawmaker.cloud and dtection.io), 3CORESec ONE is the platform that brings it all together under a s

NIDS for AWS Security Hub - AWS FTR ✅

We're happy to announce that our network security monitoring and analysis platform for AWS Security Hub has successfully completed the AWS Foundational Technical Review. This review, performed in collaboration between our engineering team and AWS, validates that AWS best practices are in place for users of the platform. Adopting strong standards and best practices is key to all aspects of our development and we are happy with the recognition this review provides. If you'd like to know more about 3CORESec NIDS for AWS Security Hub, please consult the AWS Security Hub partner page. Want to see just how easily you can be up and running analysing your network traffic? You'll be up and running in less than 2 minutes: About 3CORESec NIDS for AWS Security Hub 3CORESec NIDS for AWS Security Hub is part of our NTA product lineup for cloud-native workloads. Some of its key features include: turn-key solution, fully automated deployment, minimal permissions or changes, fully automated ope

Detection as Code (DaC) challenges - Introducing Automata

This blog post is the second part of our Detection as Code (DaC) challenges series. You can read part one here. The development of detections by itself doesn't pose many barriers for security engineering teams, as it is typically done in a lab/controlled environment, but after tuning and deploying rules to a SIEM the work is only starting. Many things can go wrong after this, and a process of continued and automated testing is crucial. Detection Validation In an ideal (and fictional) world, once the datasets are parsed, normalized, and put into production, the detections developed by your team would work forever. The reality is quite different. Maintenance is heavy work that needs to be done frequently - especially if you work at an MSP - but the ecosystem lacks the tooling and processes to do it proactively. Effectiveness is an important metric and crucial to responding to incidents in time, and effectiveness is what we aim to ensu

DTECTI🔍N.IO is open for business

We're happy to announce the public availability of dtection.io, our detection e-commerce platform. Over the past couple of months we've been working on developing a platform that would allow us to sell detection capabilities with out-of-the-box support for Network Intrusion Detection Systems (NIDS), as well as several backend features aimed at automating the distribution of information security detection content. On top of the technical capabilities of the platform, we also wanted to build a platform and community aimed at empowering researchers interested in selling their research and work. With dtection.io's 0% commission and a constantly evolving backend we are ready to provide a solid foundation that can integrate with several workflows and procedures while providing the automation needed to make selling and distributing content as easy as possible. dtection.io provides researchers with a fully automatic deployment process for their work, distribution via CDN, no

Trapdoor - The serverless HTTP honeypot

Today we are announcing the release of Trapdoor, our AWS-based serverless honeypot. The idea of a serverless honeytoken isn't new. Adel released his honeyLambda a few years ago and we've been working with it for quite some time. It was because of this experience, and the goal of improving on what was already a great idea, that we decided to go back to the drawing board and see how we would change and tweak the concept. What is it? Trapdoor is a serverless application that can be deployed in any AWS environment. Its goal is to receive HTTP requests with the intent of identifying, and alerting on, its visitors. The URLs generated by Trapdoor can also be referred to as honeytokens. While you can get creative in how to use it, one of the goals of a honeytoken is to be hidden or stored in a "safe" place and, if accessed, to fire off an alarm, as access to the token would be considered a compromise or unauthorized access. This example is the passive way of using deception ta
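To make the serverless honeytoken idea concrete, here is an added example of the request-to-alert path such a function implements. It is illustrative code written for this page, not Trapdoor's or honeyLambda's own implementation. It assumes a Lambda function fronted by API Gateway (HTTP API, payload format v2), a hypothetical in-code `TOKENS` registry mapping token paths to where each token was planted, and a plain `print` standing in for the real alert sink (an SNS publish, for instance). The sample event is constructed, not captured traffic. Every hit on a registered path is treated as a compromise indicator; the endpoint answers every request with a generic 404 so it does not advertise itself.

```python
"""Minimal serverless HTTP honeytoken handler (illustrative, not Trapdoor's code).

Assumes AWS Lambda behind API Gateway HTTP API with the v2 event payload.
TOKENS is a hypothetical registry; in a real deployment it would live in a
table or configuration, not in the function source.
"""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical honeytoken registry: URL path -> where the token was planted.
TOKENS = {
    "/internal/backup-2023.zip": "bookmark in shared ops wiki",
    "/api/v1/admin/export": "string in a leaked .env file",
}

# Headers that help attribute a visitor. CDNs and proxies add X-Forwarded-For,
# so the API Gateway sourceIp may be the proxy rather than the real visitor.
INTERESTING_HEADERS = ("user-agent", "referer", "x-forwarded-for", "accept-language")


def extract_visitor(event):
    """Pull the attributable facts out of an API Gateway v2 event."""
    http = event.get("requestContext", {}).get("http", {})
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    return {
        "source_ip": http.get("sourceIp"),
        "method": http.get("method"),
        "path": event.get("rawPath", "/"),
        "query": event.get("rawQueryString", ""),
        "headers": {h: headers[h] for h in INTERESTING_HEADERS if h in headers},
    }


def build_alert(visitor, planted_at, now=None):
    """Turn a token hit into an alert record.

    alert_id is a stable hash of (token, ip, user-agent) so repeated hits by
    the same visitor on the same token can be deduplicated downstream.
    """
    now = now or datetime.now(timezone.utc)
    ua = visitor["headers"].get("user-agent", "")
    key = f"{visitor['path']}|{visitor['source_ip']}|{ua}"
    return {
        "alert_id": hashlib.sha256(key.encode()).hexdigest()[:16],
        "timestamp": now.isoformat(),
        "severity": "high",
        "token": visitor["path"],
        "planted_at": planted_at,
        "visitor": visitor,
    }


def process(event):
    """Core logic: returns (http_response, alert_or_None).

    Any request to a registered token path is an alert; all requests, hit or
    not, get the same bland 404 so probing does not reveal which paths matter.
    """
    visitor = extract_visitor(event)
    alert = None
    if visitor["path"] in TOKENS:
        alert = build_alert(visitor, TOKENS[visitor["path"]])
    response = {
        "statusCode": 404,
        "headers": {"content-type": "text/plain"},
        "body": "Not Found",
    }
    return response, alert


def handler(event, context=None):
    """Lambda entry point. print() stands in for the real alert sink."""
    response, alert = process(event)
    if alert is not None:
        print(json.dumps(alert))  # swap for an SNS publish in a real deployment
    return response


# Constructed sample event in API Gateway HTTP API v2 shape (not real traffic).
SAMPLE_EVENT = {
    "version": "2.0",
    "rawPath": "/internal/backup-2023.zip",
    "rawQueryString": "",
    "headers": {"User-Agent": "curl/8.4.0", "X-Forwarded-For": "198.51.100.23"},
    "requestContext": {
        "http": {"method": "GET", "sourceIp": "198.51.100.23", "userAgent": "curl/8.4.0"}
    },
}

if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```

The separation between `process` (pure decision) and `handler` (side effects) is deliberate: it lets the detection logic be unit-tested offline, which is the same concern the Detection as Code posts on this page raise for SIEM rules.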

Lawmaker UI/UX Improvements & Device Health

Over the last few weeks we've been working on improving the user interface of Lawmaker with the intent of making it easier and faster for our users to do their work, as well as making the experience more enjoyable. In this post we will go over those features in more detail. User Menu In previous versions of Lawmaker, in some contexts it wasn't always clear which options were tenant-specific (like the API key) and which were part of the user account, as both were listed under Settings. We've changed that by adding a user menu where all user-specific options are listed, with the added bonus of leaving the sidebar less crowded. The "My Account" option now holds only account-related settings, such as managing your password and subscription. Dark Mode Undoubtedly one of the most anticipated features of the Lawmaker UI was the inclusion of a dark theme. This option is now available in the User Menu and we're extremely excited you get t

Detection as Code (DaC) challenges, automation, maintenance and SIEGMA

Developing detection capabilities is something we're constantly working on. It equips many of our products and services, either as part of our Managed Detection services or through a subscription service for inclusion in third-party and partner products. While keeping a set of detection rules loaded into a SIEM does not pose a technical challenge, doing it in a way that allows them to be part of a continuous integration/delivery (CI/CD) process isn't so straightforward. For the last couple of months we've been working on processes and tools to make that process as future-proof and as automated as we possibly can. The goal of this post is to share some of the lessons learned, as well as provide additional use cases and examples that might be useful for anyone trying to accomplish similar tasks. Below we'll dive into some of the challenges and how we addressed them, and highlight some features of SIEGMA, our open-source SIEM consumable creation tool that was relea

Lawmaker 🦅 New features and improvements

Since the release of Lawmaker back in August we've been busy working on additional functionality, bug fixes and overall improvements to the platform. Today we're announcing those features and going over everything that changed. All of the features discussed in this post are already available to all users and, besides updating the agent, no other changes are needed to start using them. Guest User Tenant Switching Tenancy is undoubtedly one of Lawmaker's most interesting - and most challenging - aspects. While we aim to provide maximum functionality through tenants, it's always a fine balance between usability, security and business decisions that aim to reduce abuse of the platform. In this last update we changed how the tenancy model is applied. While that model was kept intact, Lawmaker accounts can now invite users to one or more tenants, which in turn allows those users to switch between the tenants to which they were inv