
Attack Surface Intelligence

How can organizations be given visibility into their attack surface so they can stay secure and up to date against increasingly sophisticated threat actors?

My Role

Senior Product Design Lead

As Senior Product Design Lead, aside from the experience design work I oversaw, my main course of action was a crash course in threat intelligence, using the resources of our company's threat intelligence team and hours outside of work for continuous studying.

It's extremely important to me to understand and be able to fluently speak the subject matter of the business I am involved in. Threat intelligence, with its level of complexity, was a formidable challenge, and equally rewarding in the knowledge I gained.

Customer

Threat Researcher / Hunters
SOC Analysts
Security Engineers

Area of business

Threat Intelligence

The team

Product owner
Senior Threat Intelligence SMEs

Data Visualization Specialist
User Researcher
Engineers

THE PROBLEM

With threat actors becoming increasingly sophisticated, risk is complex and constantly evolving, making it difficult for organizations to stay secure and up-to-date on the latest potential threats.

  • Companies lack visibility into their own attack surface and into that of their third and fourth parties.

  • Many organizations, even those with threat intelligence teams, don't have enough resources or time to conduct threat intelligence analysis.

  • As global threats evolve and become more sophisticated, organizations struggle to continuously monitor them and their impact on their security posture.

THE OPPORTUNITY
Global Search UI

A search-driven UI for any IP, port, domain, etc., backed by a database of 12M+ digital footprints, 50+ billion vulnerabilities, and 4.1 billion IPs scanned every 1.5 weeks across 1400+ ports globally.

Harnessing Data

Design how the results of a single query are presented, capturing a dense amount of data across multiple groupings of threat intelligence.

Create Confidence

An experience that enables cybersecurity professionals to make quick, confident decisions on all critical and non-critical threats.

BACKGROUND

As of 2023, Attack Surface Intelligence (ASI) is a search-driven threat and risk intelligence tool that brings together deep and relevant data on the global attack surface to help customers identify and prioritize critical vulnerabilities for faster, more efficient risk mitigation.

When I joined the ASI team in 2021 though, the tool was in its incubation stage, engineered as a data dump without any true structure or UX effort applied to it. The search capability was limited to just domains.

An early opportunity

I was given free rein to explore ways of better demonstrating the depth of the data, and highlighting the relationships between the various categories of data ASI displays in the results returned, including:

  • Top weaponized vulnerabilities (CVEs)

  • IPs

  • Products

  • Threat actors

  • Malware

  • Vulnerability in vendor ecosystem

Attack Surface Intelligence in 2021

These are just a few examples of the original search results for a domain search in ASI. More in-depth data associated with each result, such as CVSS scores and affected products, was absent.

EARLY CONCEPTS

Early design explorations incorporated more data relevant to the customer's organization, including which of their vendors are at risk, illustrated through data visualization.

Searching for a domain in ASI returns a search results page displaying all the available threat intel for that domain, plus which vendors are at risk.

A NEW BEGINNING

In the fall of 2021, ASI was deprioritized and placed on hold until...

...the summer of 2022, when our Threat Intelligence team took over the product with the intent of building out all of our threat intelligence data and delivering it through a global search UI:

"We are really burying all the data we have. We should be able to show all search results for a single port, product, or service and for each result show the IPs and domains it's tied to."

The challenge

A search query in ASI, which can include entities such as ports, threat actors, and CVEs, can return up to thousands of IPs, each of which has multiple entities connected to it.

How can a single IP search result and all its connections be designed in a manner that a threat hunter would be able to understand, recognize, and then conclude what investigative actions need to be taken?

Unique entities being tracked:

  • IP addresses: 616.7M
  • Unique certificates: 28M
  • Ports: 1.5K
  • Threat actors: 206
  • CVEs: 13.5K
  • Breach records: 5.5B
  • Infection families: 251

Connections made to digital assets:

  • Open ports: 1.3B
  • Threat actor links: 333.0M
  • Detected CVEs: 1.1B
  • Breach records: 3.8B
  • Active infections: 1.4B
  • Detected certificates: 71.8M

The immense amount of available data is extremely valuable to customers, but is a challenge to offer in a digestible format.

DESIGN

An example of a search query in ASI would be:

(and has_threatactor:'Wizard Spider' industry:'FINANCIAL_SERVICES' portfolio:'My Vendors' (and (or has_cve:'CVE-2021-40444')))

Below are design options for a single IP search result, displayed in a 'card' format. As shown, each IP has an abundance of other entities connected to it.


A search results view for a query. The visualizations on the left offer customers further ways to filter down the results, such as by country, threat actor, organization, or product. The customer can select an IP and be taken to a full detailed view of that IP, as seen in the screenshot to the right.

The IP details screen takes the search result 'card' view and expands on it, bringing in more contextualized data.

Selecting any entity, such as a threat actor, displays detailed information about that entity, including Indicators of Compromise.

RETHINKING SEARCH

ASI was launched in Q3 of 2022, and by the end of 2022 became our company's "...fastest growing product line".

One important discovery: Despite our target customer personas being identified as Threat Researchers / Hunters, SOC Analysts and Security Engineers, we learned that less technical roles such as Vendor Risk Managers (VRMs) were also very interested in ASI and its capabilities.

A new problem: Unlike our targeted technical personas, VRMs are less familiar with the syntax that makes up a search query, resulting in them abandoning the product.

An example of a search query in ASI:

(and has_threatactor:'Wizard Spider' industry:'FINANCIAL_SERVICES' portfolio:'My Vendors' (and (or has_cve:'CVE-2021-40444')))

Less technical cybersecurity professionals do not understand the syntax required to perform a search in ASI.

The challenge

Reimagining the ASI search capability so that customers can 'build' queries without needing to understand the complex syntax.

The design solution is inspired by the 'build it as you go' model where customers choose what they want to search for and apply conditions to their selections.

In addition, quick filters are provided, which when selected auto-populate the drop-downs. Quick filters are determined by what are deemed the most popular searches as well as any trending topics. The MOVEit breach is an example of a trending topic.

As customers add to their search, the full query is displayed on the far right as a way to visually understand the query in syntax format.

The new search also preserves the syntax option for those who prefer to type the query themselves.
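The following is an added example of how the 'build it as you go' model can be implemented, written for this page and not taken from ASI's own code. It assembles the prefix-boolean syntax shown in the query example above from drop-down style selections, and adds the structural check a hand-typed query would need before it is submitted. The grammar is inferred from the single query on the page; the field names, the backslash escaping of quotes inside values, the nesting of the CVE clause, and the quick-filter bundle are all assumptions made for the example.

```python
"""Hypothetical query builder for ASI-style prefix-boolean search syntax.

Added example, not ASI's own code. Grammar inferred from the one query on
the page:
  (and has_threatactor:'Wizard Spider' industry:'FINANCIAL_SERVICES' ...)
Field names, value escaping and nesting rules are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Term:
    """One field:'value' leaf, e.g. has_cve:'CVE-2021-40444'."""
    name: str
    value: str

    def render(self) -> str:
        # Assumption: single quotes delimit values. A quote or backslash inside
        # a value is backslash-escaped so user input cannot close the quote early
        # and inject extra clauses into the query.
        escaped = self.value.replace("\\", "\\\\").replace("'", "\\'")
        return f"{self.name}:'{escaped}'"


@dataclass
class Group:
    """A boolean group rendered as (and ...) or (or ...)."""
    op: str
    children: list = field(default_factory=list)

    def add(self, child):
        self.children.append(child)
        return self

    def render(self) -> str:
        if self.op not in ("and", "or"):
            raise ValueError(f"unsupported operator: {self.op}")
        if not self.children:
            raise ValueError(f"empty ({self.op}) group")
        return f"({self.op} " + " ".join(c.render() for c in self.children) + ")"


# Quick filters: named bundles that pre-populate the builder, as the page
# describes for popular and trending searches. Contents are constructed here.
QUICK_FILTERS = {
    "wizard-spider-financial": [
        ("has_threatactor", "Wizard Spider"),
        ("industry", "FINANCIAL_SERVICES"),
    ],
}


def build_query(selections, portfolio=None, any_of_cves=()):
    """Assemble a query from drop-down selections.

    selections: (field, value) pairs that must all match.
    portfolio:  optional portfolio name (hypothetical 'portfolio' field).
    any_of_cves: CVE IDs of which at least one must match; nested as
                 (and (or ...)) to mirror the page's example.
    """
    root = Group("and")
    for name, value in selections:
        root.add(Term(name, value))
    if portfolio:
        root.add(Term("portfolio", portfolio))
    if any_of_cves:
        cves = Group("or")
        for cve in any_of_cves:
            cves.add(Term("has_cve", cve))
        root.add(Group("and").add(cves))
    return root.render()


def check_syntax(query: str):
    """Cheap structural check for hand-typed queries: balanced parentheses
    and closed quotes, honouring backslash escapes inside quoted values.
    Returns (True, "") or (False, reason)."""
    depth = 0
    in_quote = False
    escape = False
    for i, ch in enumerate(query):
        if in_quote:
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == "'":
                in_quote = False
            continue
        if ch == "'":
            in_quote = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False, f"unmatched ')' at position {i}"
    if in_quote:
        return False, "unterminated quoted value"
    if depth != 0:
        return False, f"{depth} unclosed '('"
    return True, ""


if __name__ == "__main__":
    q = build_query(QUICK_FILTERS["wizard-spider-financial"],
                    portfolio="My Vendors", any_of_cves=["CVE-2021-40444"])
    print(q)
    print(check_syntax(q))
    print(check_syntax("(and has_cve:'CVE-2021-40444'"))
```

Building the query from structured selections rather than string concatenation is what keeps a vendor name containing an apostrophe (or a user pasting a stray parenthesis) from silently changing the meaning of the query; `check_syntax` is the minimum feedback a syntax text box should give before the query is sent to the backend.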

BUSINESS OUTCOMES

$10M

ASI revenue as of Q4 2023

..."fastest growing product line".
