Intrigue: Review | Security Weekly Labs

This review is part of the March 2021 assessment of the Attack Surface Management (ASM) product category. If you haven’t read the category overview, you might want to check it out – it explains the category’s basics, use cases and the general value proposition. Our testing methodology explains both how we interact with vendors and how we tested these products. In short, ASM products aim to discover and manage an organization’s external digital assets. This approach extends far beyond assets with an IP address, however, including everything from certificates to S3 buckets to DNS misconfigurations.

Company overview

Intrigue is the brainchild of Jonathan Cran, who formerly held various product and research roles at Rapid7, BugCrowd and Kenna Security. Cran has been quietly working on Intrigue for several years. In November 2020, he made the move to working on Intrigue full time and founded Intrigue as a company in Austin, Texas. On April 13, 2021, Intrigue announced a $2 million seed round led by LiveOak Venture Partners. Along with this funding, new pricing and a roadmap have also been announced (details below).

Product review

While some ASM products left us wondering where the details were and other products buried us in discovered assets with no prioritization, Intrigue strikes a solid balance between the two. If you want details, down to the raw data used to discover an issue, Intrigue has that. If you have three minutes before your next board meeting and need to know where your orgs stand, this tool has your back there as well.

We’re reviewing the Professional Edition of Intrigue here, but it’s worth mentioning that there is also an Enterprise Edition for organizations that need to monitor more than 5,000 external assets. The Enterprise Edition removes the 5,000 asset cap and provides a higher level support plan.

A free open-source Community Edition (also known as Intrigue Core) exists for those on a tight budget or any organization that have a hard “no SaaS” rule when it comes to security products (which seems increasingly rare). This option can be useful for technically savvy folks that only need to run the occasional one-time collection. For example, penetration testers and other consultants that don’t require monitoring, ticketing integration, teams and other enterprise features.

Target market: Intrigue will work well for mid-to-large enterprises that don’t have the time, skills or resources to perform regular reconnaissance manually on their own assets. While the automation helps to monitor and manage exposed assets, it doesn’t replace the recon role on the security team. Someone experienced in understanding and managing the findings is still necessary to manage the tool and its output.

Time-to-value: As a SaaS product, there’s no heavy lifting to get the product up and running. Creating collections (which allow you to logically group results) takes seconds. Expect a few hours before initial results show up and up to a few days for more comprehensive results. The only real deployment work is creating alerts, integrating with external ticketing and communications tools and inviting other team members. All told, this should be less than an hour’s worth of work.

Maintaining value: For a mid-sized Enterprise (hundreds, not thousands of exposed assets), expect to initially spend 8-16 hours digging through the initial results on first use. Once everything is sorted, expect to spend 2-4 hours per week to review new findings as they trickle in. This is ideal work for a junior analyst.

Total cost: For the Professional Edition, the subscription cost is $15,000 annually. In a mid-sized enterprise (100-2,000 employees), we’ve estimated four hours of junior analyst time, two hours of analyst time and one hour of senior analyst time to do the initial analysis of Intrigue results and configuration of the tool. Based on our average salary estimates, this labor totals $302.87. For ongoing analysis work, we’ve estimated two hours of junior analyst time per week, which totals $3,499.60 per year. The total cost to use this product every year, including product cost and labor comes to $18,802.47.

Strengths: Intrigue is a newcomer in this market, making this an ideal time for early customers and investors to weigh in, provide feedback and help shape the future product. Even for an early release, Intrigue is more than capable for production use. Intrigue is one of only two ASM vendors in this space with flexible alerting features.

Weaknesses: As an early product just following a major release, some features aren’t yet available or fully baked. Plenty of room for improvement with regards to asset attribution. This is a challenge all ASM vendors struggle with and is one of the main tasks analysts will undertake when maintaining Intrigue’s findings.

Conclusion: A solid choice from a relative newcomer that is just getting started.

Getting started

As with all ASM products we’re testing (aside from the open source projects), Intrigue is a SaaS application. All the technical, gritty details of collecting data are handled behind the scenes. The benefit, as with any SaaS app, is very little setup time.

Registering for an account is the same as any other SaaS application. A welcome message invites the operator to start a collection on the domain tied to the registration email. (Note: though this screenshot is from the previous Intrigue UI, the process remains the same.)

What results is a grouping of attack surface data Intrigue refers to as a Collection. Each collection can be tied to a team, allowing for some access control between teams that manage different portions of an organization’s assets.

While the examples in these screenshots show collections based on domains, collections can also be based on IP addresses, subdomains, name servers, network blocks, Github accounts or even just a company’s name. Collections can be added in bulk using a simple two-column CSV format (type, value).

Intrigue will send an email once the initial collection is complete (notification via webhook or Slack channel is also an option). Following this initial collection, additional notifications will be sent whenever new assets are discovered or existing assets change.

Configuration

Each Collection has its own individual settings. While the ability to manage notifications at the Collection level is ideal, the lack of an option to manage multiple Collections, er… collectively, means a dozen Collections will require repeating the same configuration process a dozen times.

Aside from creating the initial collections and notification settings, there isn’t much to configure. That’s a good thing – a good ASM product shouldn’t require a ton of settings management or dial-twisting.

Usage

Getting initial results should take less than an hour, even for large organizations. Once collections have been configured, it can take up to 48 hours for collection to complete. While Intrigue does have pre-scanned collections on tens of thousands of companies (that can be queried with an additional license), for most customers, collection will run on-demand.

The initial view we’re presented with is the Issues tab, which makes sense. If you want to maximize your time using this tool, Issues will automatically show you the most critical findings, across all your collections by default. From here, you can filter on one or more collection, on issue status (like a ticketing system, the options are open, in progress or closed), severity or confidence. That las filter option indicates whether the finding is confirmed or if it can’t be fully verified. This is reminiscent of some vulnerability management vendors, which also separate findings into ‘potential’ and ‘confirmed’ categories. For example, if Intrigue finds dev.acme.com, it will create a low severity finding called “Development System Identified” and labeled as “potential”.

The Entities tab is a list of all the individual attack surface elements discovered for a given collection. Entities are further broken down into 16 types, which include AWS S3 Buckets, DNS records, Email Addresses, IP Addresses, GitHub Accounts, SSL Certificates and many more. Finally, the Collections tab can be used to create and manage collections. Collections aren’t limited to your organization, either – they can be used to monitor third parties as well. This tab also includes a summary for each collection. The summary includes the raw number of entities and a breakdown of issues by severity.

Click on any of the Collections to manage the seed values that fuel the discovery engine or to configure notifications.

Performance

While technical performance isn’t a focus of this round of ASM product reviews, it’s worth noting that Intrigue did discover some significant findings we were unaware of, regarding outdated components of web application platforms. The breadth and depth of findings matched other similar tools we tested. False positives were few and easily managed.

As ASM products mature, two performance metrics seem worth tracking: the completeness of discovery results and how quickly changes can be detected.

Support

Intrigue has a multi-faceted support model that scales to different customer sizes and needs. Traditional enterprise phone and email support is available, but for folks that prefer chat, there is an in-app chat option (see screenshot) and a Slack-based community forum. 

Claims

The Intrigue tagline is “Know What You Own, What It’s Running, and What It’s Exposed To”. The website goes on to say, “Intrigue provides you with a comprehensive view of your environment and actionable intelligence to mitigate risk.”

Conclusion: Spot on, Intrigue’s messaging says what it does and doesn’t exaggerate capabilities or methods.

Roadmap

According to Intrigue, following the major release in mid-April 2021, a number of features will be added in the short term. It should be noted that a number of these existed in the previous release, so much of this is likely front-end and UX work, not new development from scratch. Some of these features include:

Following is an example of what the new dashboard will look like (currently, the Dashboard and Technologies tabs are missing.)

Security program fit

Intrigue, like other products focused on discovering vulnerabilities and misconfigurations, fits solidly within the Identify column of the Cyber Defense Matrix.