Technical Details
The brAIn-box is one component of a distributed system that provides high-grade passive security monitoring (an Intrusion Detection System), active vulnerability scanning, and remote analysis backed by threat intelligence.
The physical brAIn-box is a network device built from solid-state components. Network connectivity is provided by a performant network switch with port-mirroring capability. Processing of the mirrored traffic and vulnerability scanning is performed on a dedicated hardware module. Network availability is paramount -- both the switch and the processing module are designed for high availability, and the switch will keep forwarding network traffic in the unlikely event of a processing module failure.
The passive security monitoring provided by the brAIn-box processes network traffic continuously. The brAIn-box data is used to generate a report for each type of network traffic listed below. The same data is also logged securely as forensic evidence: it can be used to determine your GDPR or Mandatory Breach notification obligations, and to assess impact and assist recovery, whether during an incident or in the day-to-day clean-up of security risks.
Network traffic type -- Description
Network Connections -- Network connection type and parameters of connections between two endpoints.
Directory lookups -- Requests mapping Internet names to endpoint addresses.
File transfers -- Cryptographic fingerprints of files (NB: no content is collected).
Web requests -- HTTP request/response URLs and parameters (no content).
Hosts observed -- The internal network addresses of hosts that have been passively observed.
Services observed -- The internal hosts that have been passively observed offering a service (e.g. DHCP).
Device status request -- Simple Network Management Protocol (SNMP) interactions.
Observed software -- Software that can be passively determined to be running on internal devices (e.g. OpenSSH_7.2p2 Ubuntu-4ubuntu2.1).
Malformed interactions -- Network interactions that do not fit the expected pattern (e.g. a DNS reply with no matching query).
Public Key Certificate interactions -- Parameters of observed encryption certificate interactions.
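The "malformed interactions" row above cites a DNS reply with no matching query. The following added example (not Amplify Intelligence code) shows how such a detector can pair passively observed queries and replies by client, server and transaction ID and flag the interactions that break the pattern; the event records are constructed here and their field layout is an assumption, not the brAIn-box format.

```python
# Added example, not brAIn-box code. Flags DNS interactions that do not fit
# the query/reply pattern: replies with no query, duplicate replies, and
# queries that are never answered. Records are constructed for illustration.
from collections import namedtuple

DnsEvent = namedtuple("DnsEvent", "ts src dst txid qname is_reply")

# Constructed sample capture (assumed layout): client 10.0.0.x, resolver 10.0.0.1.
SAMPLE_EVENTS = [
    DnsEvent(1.00, "10.0.0.5", "10.0.0.1", 0x1A2B, "example.com", False),
    DnsEvent(1.02, "10.0.0.1", "10.0.0.5", 0x1A2B, "example.com", True),   # normal pair
    DnsEvent(2.00, "10.0.0.1", "10.0.0.5", 0x7777, "bad.example", True),   # no query seen
    DnsEvent(3.00, "10.0.0.9", "10.0.0.1", 0x0F0F, "internal.corp", False),
    DnsEvent(3.01, "10.0.0.1", "10.0.0.9", 0x0F0F, "internal.corp", True),
    DnsEvent(3.02, "10.0.0.1", "10.0.0.9", 0x0F0F, "internal.corp", True), # duplicate reply
    DnsEvent(4.00, "10.0.0.9", "10.0.0.1", 0x2222, "slow.example", False), # never answered
]

def find_dns_anomalies(events, reply_timeout=5.0):
    """Return [(kind, event), ...] in capture order. kinds: 'unmatched_reply',
    'duplicate_reply', 'qname_mismatch', 'unanswered_query'."""
    pending = {}    # (client, server, txid) -> query still awaiting a reply
    answered = set()
    anomalies = []
    for ev in sorted(events, key=lambda e: e.ts):
        # Replies flow server -> client, so swap to get the (client, server) key.
        key = (ev.dst, ev.src, ev.txid) if ev.is_reply else (ev.src, ev.dst, ev.txid)
        if ev.is_reply:
            if key in pending:
                query = pending.pop(key)
                answered.add(key)
                if query.qname != ev.qname:
                    anomalies.append(("qname_mismatch", ev))
            elif key in answered:
                anomalies.append(("duplicate_reply", ev))
            else:
                anomalies.append(("unmatched_reply", ev))
        else:
            pending[key] = ev
        # Expire queries that have waited longer than the reply timeout.
        for k, q in list(pending.items()):
            if ev.ts - q.ts > reply_timeout:
                anomalies.append(("unanswered_query", pending.pop(k)))
    # Anything still pending at end of capture was never answered.
    anomalies.extend(("unanswered_query", q) for q in pending.values())
    return anomalies

if __name__ == "__main__":
    for kind, ev in find_dns_anomalies(SAMPLE_EVENTS):
        print(kind, hex(ev.txid), ev.qname)
```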
Vulnerabilities are defects in software that impact the security of the software and/or the host system it is running on. Some defects can be determined by interacting with the software -- typically by actively sending messages (bytes) to it and examining what it sends back. The brAIn-box contains a large knowledge base of software, vulnerabilities, and the sequence of messages required to determine whether a particular vulnerability is present on a particular host.
There is always a risk that any scanning will cause vulnerable software to fail, potentially hanging the host so that it needs to be reset. The brAIn-box scans use the least aggressive settings to reduce that likelihood. However, this may mean that not every vulnerability will be found. For example, some network printers can hang when scanned -- when the brAIn-box encounters a printer in a detailed scan (see below), it applies the lightest scanning possible for that device.
The brAIn-box has a two-tier scanning system. The first tier is a lightweight, radar-like sweep-scan of all devices it can see on the local network, which provides the list of target hosts for further investigation. The second tier is a focused, more thorough vulnerability scan that provides detailed information about the vulnerabilities discovered, their severity, and potential remediations (where a remediation is known).
All scanning activities can be triggered by a remote interface. As well as being remotely triggerable, the sweep-scan is automatically run after a reboot of the brAIn-box. All other scans need to be triggered remotely.
Requested scans are only performed during normal office hours. This is to ensure the maximum number of devices are visible for scanning. Each scan produces a technical report.
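The scheduling rules of the two-tier system above (sweep after reboot, everything else remotely triggered, requested scans held until office hours, printers downgraded to the lightest profile) can be expressed as a small policy function. The following is an added example, not Amplify Intelligence code; the office-hours window (09:00 to 17:00, weekdays, device-local time), the profile names and the printer banner keywords are assumptions the page does not specify.

```python
# Added example, not brAIn-box code. Encodes the scan scheduling policy under
# assumed details: office hours, profile names and printer detection keywords.
from datetime import datetime, timedelta, time

OFFICE_START, OFFICE_END = time(9, 0), time(17, 0)          # assumption
PRINTER_HINTS = ("jetdirect", "cups", "printer", "ipp")     # assumed banner keywords

def at(iso):
    """Helper: parse an ISO-8601 timestamp in device-local time."""
    return datetime.fromisoformat(iso)

def is_office_hours(t):
    return t.weekday() < 5 and OFFICE_START <= t.time() < OFFICE_END

def next_office_window(t):
    """Earliest instant >= t at which a requested scan may run."""
    while not is_office_hours(t):
        if t.weekday() < 5 and t.time() < OFFICE_START:
            t = datetime.combine(t.date(), OFFICE_START)       # later today
        else:
            t = datetime.combine(t.date() + timedelta(days=1), OFFICE_START)
    return t

def scan_profile(kind, observed_software):
    """Map the requested tier to the intensity actually used for this host."""
    if kind == "sweep":
        return "sweep"
    banner = (observed_software or "").lower()
    if any(hint in banner for hint in PRINTER_HINTS):
        return "detailed-light"     # printers may hang, so use the lightest probes
    return "detailed-full"

def schedule_scan(kind, trigger, observed_software, now):
    """Return (profile, run_at). Only the sweep-scan runs automatically after a
    reboot; remotely requested scans are deferred to the next office-hours slot."""
    if kind not in ("sweep", "detailed"):
        raise ValueError("unknown scan kind: %s" % kind)
    if trigger == "reboot" and kind != "sweep":
        raise ValueError("only the sweep-scan runs automatically after reboot")
    profile = scan_profile(kind, observed_software)
    run_at = now if trigger == "reboot" else next_office_window(now)
    return profile, run_at

if __name__ == "__main__":
    # Friday evening request against a printer banner: runs Monday 09:00, lightly.
    print(schedule_scan("detailed", "remote", "HP JetDirect", at("2024-03-15T18:30")))
```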
We utilise over fifty of the best global threat intelligence capabilities. These provide the latest information on 0-day vulnerabilities, ransomware, banking malware, phishing sites, and command and control servers. We can tailor our service to your business locations and apply intelligence on specific campaigns targeting organisations in those regions.
Data collected by the brAIn-box is periodically transferred to secure cloud storage. Amplify Intelligence’s cloud provider is Amazon Web Services.
The brAIn-box does not set out to collect and record personally identifiable or other sensitive data. However, some of the summary data it records could possibly contain such data. For example, if a user is searching the internet for their own name, this name will be recorded in the URL of the web search.
On cessation of using the Service, all recorded data from the respective brAIn-box is deleted from the data store to which it is connected.
One element of the Service is the search for known security issues (e.g. compromise, vulnerabilities, hacking attempts). This process includes searching data from brAIn-boxes and comparing it against other security sources (e.g. previously seen indicators of compromise). Some of these sources are provided to Amplify Intelligence by third parties.
Amplify Intelligence will apply analytical and machine learning technologies to extract novel patterns of security issues that have yet to be recorded in other sources. These patterns will be applied beyond the brAIn-box(es) that recorded the original observations. For example, if one brAIn-box observes a new attack, the attack pattern itself will be tested on data emanating from other brAIn-boxes so as to provide early warning to those brAIn-box service users. This syndication of new emerging threats provides benefits to the whole community of brAIn-box users.