Intrigue FAQ

Whether you're new to Intrigue or you’re a long-time customer and want to find out about how to optimize use of our platform, this FAQ will attempt to provide the answers.

If you’ve got a question that you don’t see listed here, please feel free to reach out, hello@intrigue.io, we’d be glad to help.


Business Use Cases

How Will Intrigue Discover, Classify, And Assess The Security Risk Of Known And Unknown External Facing Assets?

Intrigue has a high level of confidence in our platform's ability to help your organization comprehensively discover, classify, and assess the security risk of unknown external facing assets.

The Intrigue platform follows a three-step process:

Pivot
Starting with known seeds, we first identify assets and then automatically pivot off these results to find further assets, both previously known and previously unknown.

Identify
Our global intelligence and our “Ident” engine examine features across all layers of these assets to identify the technology stack and configuration of each asset.

Expose
Through inference and automated confirmation, we report on immediately actionable issues.

Following are some of the reasons why Intrigue is the most comprehensive platform for discovering, classifying and assessing unknown external facing assets:

Discover
    •  Largest number of integrated data sources.
    •  Normalized asset model across many sources.
    •  Automated pivoting built into the collection process. This uses a broad range of “seeds” (domains, netblocks, unique keywords, etc.) to start the collection process.
    •  Data collection on a weekly, daily, hourly basis, depending on requirements.

Classify
    •  Unique global intelligence enables the most comprehensive, accurate asset identification.
    •  Deepest technology identification capabilities using Intrigue Ident.

Assess
    •  Largest number of automated external vulnerability checks.
    •  Actionable intelligence, as issues are automatically created and surfaced to users.
    •  Validation provided to users (where applicable) as well as remediation and triage resources.

Can Intrigue Incorporate Third Party Data Sources and Security Tools to Provide A Unified View of External Assets?

Intrigue leverages over 250 external data sources and third party security tools to find and analyze assets. We then integrate, correlate and normalize data from these sources to provide a perspective much closer to the one a threat actor would take while examining an organization. The classes of integrations and data sources we leverage include the following:

    •  BGP Routing Tables
    •  On-demand DNS Lookups
    •  Cloud Providers
    •  Cloud Asset Repositories
    •  Historical DNS
    •  Historical Passive DNS
    •  Internet-Wide Port Scanning & Service Identification
    •  On Demand Port Scanning & Service Identification
    •  Reverse Whois
    •  Historical Reverse Whois
    •  Internet-Wide Web Scraping
    •  Social Media Account Lookups
    •  Github and Gitlab Repositories
    •  Threat IoC Repositories

How Can Intrigue Effectively Help An Organization Manage Their Perimeter Risk Profile?

Intrigue’s unique approach of leveraging a comprehensive list of data sources; then integrating, correlating and normalizing this data; and finally pivoting off this data, allows us to take a much more realistic perspective (similar to the one a threat actor would take) while examining an organization. This makes the Intrigue platform particularly adept at giving an organization the ability to effectively manage its perimeter risk profile.

Some of the different aspects of perimeter risk Intrigue enables an organization to manage are:

Accidental
    •  Identification of CVE vulnerabilities through vulnerability inference.
    •  Identification of non-CVE vulnerabilities through exposure checks.
    •  Identification of cloud and device misconfigurations through exposure checks.
    •  Identification of database leaks and open databases.
    •  Identification of developer leaks on sites such as GitHub and GitLab.

By Force
    •  Identification of open network services and their technology profile.
    •  Identification of application authentication configurations (basic, NTLM, 2FA, etc.).
    •  Identification of weak passwords in application and network services.

Stealth
    •  Identification of typosquats through per-domain analysis.
    •  Identification of phishing site candidates through analytic ID pivoting.
    •  Identification of compromises, and other known malicious actors through integrated threat data and exposure checks.

Can Intrigue Help An Organization Classify Owned vs Third Party Assets?

Asset classification within Intrigue occurs through automated scoping, which determines which assets are relevant for a specific collection and which are out-of-scope. We use a multi-step, self-learning process, detailed below, to determine asset attribution.

Automated scoping can be broken down into the following:

1. User provided seeds, allowing users to provide a list of domains, network ranges, unique keywords and other seeds to inform the collection process
2. Heuristic-based scoping, automatically performed on a per-asset-type basis, for instance:
    •  Whois data is checked for domains that are as-yet unscoped
    •  RIR data is checked for network ranges
3. Global intelligence checks made on a per-asset basis to determine if this asset’s profile fits that of the organization or one of its partners
4. (Optional) workflows that collect based on the preferences of the user (consider the case of network ranges vs domains)

If an asset originally scoped as internal is later determined to be a third-party asset (which inevitably happens), the user has the ability to unscope that asset and its related assets from their collections within Intrigue.
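The pivot-then-scope loop described in the three-step process above, together with the seed, whois and RIR heuristics and the user unscope override from this answer, can be shown end to end in a small script. This is an added example written for this FAQ, not Intrigue's own code: the DNS, reverse DNS, whois and RIR tables are constructed stand-ins for real lookups (reserved `.test` names and RFC 5737 documentation addresses), and the rule names such as `"seed netblock"` are this example's own labels. It deliberately records out-of-scope assets without pivoting from them, which is what stops a shared third-party host from pulling an unrelated tenant into the inventory.

```python
"""Seed-driven discovery with automated pivoting and scoping (constructed example)."""
import ipaddress
from collections import deque

# Constructed data sources standing in for forward DNS, reverse DNS, whois and RIR lookups.
FORWARD_DNS = {
    "example.test": ["198.51.100.10"],
    "www.example.test": ["198.51.100.10"],
    "mail.example.test": ["198.51.100.11"],
    "example-shop.test": ["203.0.113.5"],   # separately registered, third-party hosted
    "cdn.partner.test": ["203.0.113.5"],    # unrelated tenant on the same host
}
REVERSE_DNS = {
    "198.51.100.10": ["example.test", "www.example.test"],
    "198.51.100.11": ["mail.example.test"],
    "203.0.113.5": ["example-shop.test", "cdn.partner.test"],
}
WHOIS_REGISTRANT = {  # registered domain -> registrant organisation
    "example.test": "Example Corp",
    "example-shop.test": "Example Corp",
    "partner.test": "Partner Inc",
}
RIR_ORG = {  # ip -> organisation the RIR lists for its netblock
    "198.51.100.10": "Example Corp",
    "198.51.100.11": "Example Corp",
    "203.0.113.5": "Cloud Host LLC",
}
# Constructed user-provided seeds (step 1 of the scoping process).
SEEDS = {"domains": ["example.test"], "netblocks": ["198.51.100.0/24"], "keywords": ["Example Corp"]}


def registered_domain(name):
    """Reduce a hostname to its registered domain (sufficient for the .test names used here)."""
    return ".".join(name.split(".")[-2:])


def scope_reason(kind, value, seeds):
    """Return the rule that puts an asset in scope, or None if it looks like a third-party asset."""
    keywords = [k.lower() for k in seeds.get("keywords", [])]
    if kind == "domain":
        for seed in seeds.get("domains", []):
            if value == seed or value.endswith("." + seed):
                return "seed domain"
        # Heuristic scoping: whois registrant checked against the keyword seeds.
        registrant = WHOIS_REGISTRANT.get(registered_domain(value), "").lower()
        if any(k in registrant for k in keywords):
            return "whois registrant keyword"
    elif kind == "ip":
        addr = ipaddress.ip_address(value)
        for block in seeds.get("netblocks", []):
            if addr in ipaddress.ip_network(block):
                return "seed netblock"
        # Heuristic scoping: RIR organisation checked against the keyword seeds.
        if any(k in RIR_ORG.get(value, "").lower() for k in keywords):
            return "RIR org keyword"
    return None


def pivots(kind, value):
    """Yield the assets reachable from one asset through the data sources above."""
    if kind == "domain":
        for ip in FORWARD_DNS.get(value, []):
            yield ("ip", ip)
        registrant = WHOIS_REGISTRANT.get(registered_domain(value))
        if registrant:  # reverse whois: other domains held by the same registrant
            for dom, reg in WHOIS_REGISTRANT.items():
                if reg == registrant and dom != value:
                    yield ("domain", dom)
    elif kind == "ip":
        for dom in REVERSE_DNS.get(value, []):
            yield ("domain", dom)


def discover(seeds):
    """Breadth-first pivot from the seed domains, scoping each asset as it is found.

    Out-of-scope assets are recorded for review but never pivoted from.
    """
    inventory = {}  # (kind, value) -> {"in_scope", "reason", "via"}
    queue = deque((("domain", d), None) for d in seeds.get("domains", []))
    while queue:
        asset, parent = queue.popleft()
        if asset in inventory:
            continue
        reason = scope_reason(*asset, seeds)
        inventory[asset] = {"in_scope": reason is not None, "reason": reason or "no match", "via": parent}
        if reason is None:
            continue
        for nxt in pivots(*asset):
            if nxt not in inventory:
                queue.append((nxt, asset))
    return inventory


def unscope(inventory, asset):
    """User override: mark an asset, and everything discovered through it, out of scope."""
    removed, stack = set(), [asset]
    while stack:
        current = stack.pop()
        if current in removed or current not in inventory:
            continue
        removed.add(current)
        inventory[current].update(in_scope=False, reason="unscoped by user")
        stack.extend(child for child, rec in inventory.items() if rec["via"] == current)
    return removed


if __name__ == "__main__":
    for (kind, value), rec in discover(SEEDS).items():
        print(f"{'IN ' if rec['in_scope'] else 'OUT'} {kind:6} {value:20} {rec['reason']}")
```

Running it lists five assets: the seed domain, its web host, `www.example.test` (found via reverse DNS), `example-shop.test` (found via reverse whois and scoped in by the registrant keyword) and the shared cloud address `203.0.113.5`, which is recorded as out of scope. Because the script never pivots from that address, `cdn.partner.test` is not pulled in; calling `unscope` on `example-shop.test` then drops both it and the address discovered through it without touching assets reached by other paths.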

Can Intrigue Assess And Monitor Subsidiary Or Acquisition Risk?

Yes, Intrigue customers manage visibility of subsidiaries as well as the risk posture of potential acquisitions or mergers by creating additional collections. Each acquisition or subsidiary can be easily created as a new collection with groups and users assigned appropriately.

Additionally, Intrigue's discovery and pivoting capabilities allow us to go deeper through an acquisition hierarchy than most other platforms (i.e. to identify subsidiaries of subsidiaries, and so on).

How Can Intrigue Help Customers Assess Their Security Effectiveness Over Time?

Most customers collect daily, giving them a point-in-time view of the attack surface and a Mean Time To Discovery (MTTD) of less than 24 hours. Other customers prefer to run some or all of their collections hourly, giving them an MTTD of less than one hour.

Issues are automatically created and automatically rated with a severity system that accounts for real-world threats. Issues can be toggled off if they are considered low risk for the organization.

Issues can be classified through their lifecycle using issue status settings, enabling easy and accurate measurement of time to remediate, by category. All remediation instructions are provided directly in the platform, further decreasing MTTR.

Discovered assets and issue counts are snapshotted over time, each time a refresh is run on a collection. A forthcoming release will provide a dashboard to monitor trends over time.

How Often Is The Data In The Intrigue Dashboard Refreshed?

Users can determine the data refresh rate. Most refresh on an hourly basis.

What Are Your False Positive Rates? False Positives Defined As External Assets Being Incorrectly Labeled As Owned By The Customer.

Because of the scoping process the Intrigue platform uses, asset false positive rates are extremely low. Specifically, our false positive rate is below .0001 across all customers for all time. This is a number we track on an ongoing basis, and we treat false positives as bugs.

What Does Your Support Model Look Like? What Is Included?

Enterprise tier customers receive phone, email and chat support. Access to the community forum, online documents and videos is also provided. Enterprise tier customers will also receive custom onboarding and a dedicated account manager.

Excluding scheduled maintenance windows, Intrigue will use commercially reasonable efforts to maintain 99.8% availability of the hosted portion of the Service for each calendar month during the term of this Agreement. The Service will be deemed “available” so long as Authorized Users are able to log in to the Service interface and access their data.

Although no response times are guaranteed, Intrigue will use commercially reasonable efforts to respond to such support requests within 48 hours.

How Quickly Can A Customer Get Started With Intrigue?

A customer can be fully configured and seeing results in 4-8 hours.

Technical Requirements

Which Of The Following Cloud Providers Do You Have Direct Integration Or Cloud Connectors Into?

    •  Amazon Web Services (AWS)

The following are currently in progress:
    •  Microsoft Azure

Can Intrigue Discover Misconfigured/Expiring Certificates?

Yes, Intrigue has checks for expiring and misconfigured certificates enabled by default.

We do this in a number of ways today, including:

    •  Checking the signature and key algorithm.
    •  Checking the expiration and creation dates.
    •  Checking the certificate authority chain.

We continue to add new features related to certificates such as CAA checking, which was recently added to the platform.

Do You Require Any Agents On Devices For Telemetry?

No

What Type Of Asset Enrichment Are You Able To Include About Discovered Assets?

Enrichment is done on a "per asset type" basis, with many attributes added to each entity type (Application and IP address being among the most enriched).

All assets are enriched to include information about the asset itself, the network it resides on, the technology and configuration profile, and the vulnerability and exposure profile of the asset itself. All assets are checked for scope.

In Addition To Common Vulnerabilities And Exposures (CVEs), What Does Your Misconfiguration Visibility Look Like?

Misconfigurations are discovered on a "per asset" basis, based on the technology profile.

They include:

    •  Cloud misconfigurations
    •  Device misconfigurations
    •  System misconfigurations
    •  Developer misconfigurations
    •  Operating system misconfigurations
    •  Application misconfigurations

Where appropriate, a user can provide input to the collection (scan) process to inform misconfiguration checking (e.g. setting a pre-expiration date for certificates).

Some misconfiguration examples include:

    •  Elmah.axd exposure
    •  WordPress leaked passwords
    •  ASP.NET web configuration exposure

See https://explorer.intrigue.io for more examples!

Are You Able To Provide Us With Compliance Posture Visibility? SOC/HIPAA/CMMC etc.

No

Do You Have A Native Splunk App Or API Only? Are Business Units Able To Work Directly From Splunk With Your Platform?

Intrigue has a native Splunk app that enables users to work directly from Splunk.

What Alerting Capabilities Are Available In Intrigue?

We provide email and Slack alerting natively. We integrate with other alerting technologies through our API.

How Does Intrigue Integrate With Correlation Or Automation Technologies?

We integrate with all major SIEM platforms (Splunk, Zabbix, Tenable, etc.) and other SOAR tools through our API.