Technical Details

Cyber Safety Service Description

The brAIn-box forms one part of a distributed system for high-grade passive security monitoring (Intrusion Detection System), active vulnerability scanning, as well as remote analysis through threat intelligence and proprietary machine learning (AI).


Hardware Capabilities

The physical brAIn-box is a network device constructed from solid state components. Network connectivity is provided by a performant network switch with port mirroring capabilities. The processing of monitored traffic and vulnerability scanning is performed on a dedicated hardware module. Network availability is paramount -- both the switch and the processing module are designed for high availability. The switch will maintain network traffic in the unlikely event of the processing module failure.


Continuous Network Monitoring & IT Forensics

The passive security monitoring provided by the brAIn-box is processing the network traffic constantly. The brAIn-box data is used to generate a report for each type of network traffic. We also log this securely to provide forensic data for determining your GDPR or Mandatory Breach notification obligations as well as determining impact to assist recovery in either an incident or day to day clean-up of security risks.

Network traffic type

Description

Network Connections

Network connection type and parameters of connections between two endpoints.

Directory lookups

Requests mapping Internet names to endpoint addresses.

File transfers

Cryptographic fingerprints of files (NB: No content is collected).

Web requests

HTTP request/response URLs and parameters (no content).

Hosts observed

The internal network addresses of hosts that have been passively

observed.

Services observed

The internal hosts that have been passively observed offering a

service (e.g. DHCP).

Device status request

Simple Network Monitoring Protocol interactions.

Observed software

Software that can be passively determined to be running on internal devices (e.g. OpenSSH_7.2p2 Ubuntu-4ubuntu2.1).

Malformed interactions

Network interactions that don't fit the expected pattern (e.g. DNS unmatched reply)

Public Key Certificate interactions

Parameters of observed encryption certificate interactions.

Active Vulnerability Scanning

Vulnerabilities are defects in software that impact the security of the software and or the host system it is running on. Some defects can be determined by interacting with the software --typically by actively sending to it and receiving from its messages (bytes). The brAIn-box contains a large knowledge base of software, vulnerabilities, and the sequence of messages required to determine the existence of the particular vulnerability on the particular host.

There is always a risk that any scanning will cause vulnerable software to fail, potentially hanging up the host so that it needs to be reset. The brAIn-box scans are set to be least aggressive so as to reduce that likelihood. However, this may mean that not every vulnerability will be found. For example, some network printers can hang on being scanned -- when the brAIn-box encounters a printer in a detailed scan (see below), it does the lightest scanning possible for that device.

The brAIn-box has a two-tier scanning system. A light-weight radar-like sweep-scan of all devices it can see on the local network -- to provide a list of target hosts for further investigation. A focused, more thorough, vulnerability scan that provides detailed information about the vulnerabilities discovered, their severity, and potential remediations (if remediation is known).

All scanning activities can be triggered by a remote interface. As well as being remotely triggerable, the sweep-scan is automatically run after a reboot of the brAIn-box. All other scans need to be triggered remotely.

Requested scans are only performed during normal office hours. This is to ensure the maximum number of devices are visible for scanning. Each scan produces a technical report.

Threat Intelligence and Machine Learning

We utilise over fifty of the best global threat intelligence and alongside our unique machine learning analytic capabilities. These consist of the latest information on all the latest 0-day vulnerabilities, ransomware, banking malware, phishing sites, command and control servers. We have can tailor our service based on your business locations and employ relevant intelligence of specific campaigns targeting organisations in those regions.

Data collection and Storage

Data collected by the brAIn-box is periodically transferred to secure cloud storage. Amplify Intelligence’s cloud provider is Amazon Web Services.


The brAIn-box does not set out to collect and record personally identifiable or other sensitive data. However, some of the summary data it records could possibly contain such data. For example, if a user is searching the internet for their own name, this name will be recorded in the URL of the web search.

Data security

  • Data in transit. Data recorded by the brAIn-box (both passively collected, and actively triggered) is transferred periodically to the cloud-based environment. The transfer of each data file is encrypted using SSL. For each SSL connection, the destination SSL certificate is verified before data is transferred.
  • Data at Rest. Data stored in the cloud is encrypted using AES256. Access to data is strictly controlled through strong access controls. The access controls are provided by the AWS hosting environment.
  • Data location. The data stored is stored in one of two physical regions -- Australia or the United Kingdom. If the brAIn-box is located in Australia, then the data it generates will be transmitted and stored in the Australian data centre. If the brAIn-box is located in the United Kingdom, then the data it generates will be transmitted and stored in the United Kingdom data centre.
  • Processing Network security monitoring data versus processing personal data

  • The brAIn-box service is a processor of network security data. It is not a processor of personal data;
  • does not contain reasonably extractable personally identifiable information.
  • Erasing Data

    On cessation of using the Service, all recorded data from the respective brAIn-box is deleted from the data store to which it is connected.


    Cloud Base Data Processing

    One element of the Service is the search for known security issues (e.g. compromise, vulnerabilities, hacking attempts). This process includes searching data from brAIn-boxes and comparing them to other security sources (e.g. previously seen indicators of compromise). Some of these sources are provided to Amplify Intelligence by third parties.
    Amplify Intelligence will apply analytical and machine learning technologies to extract novel patterns of security issues that have yet to be recorded in other sources. These patterns will be applied beyond the brAIn-box(es) that recorded the original observations. For example, if one brAIn-box observes a new attack, the attack pattern itself will be tested on data emanating from other brAIn-boxes so as to provide early warning to those brAIn-box service users. This syndication of new emerging threats provides benefits to the whole community of brAIn-box users.