HackerTrans
TopNewTrendsCommentsPastAskShowJobs

neochris

no profile record

Submissions

Show HN: Tracecat – Open-source security alert automation / SOAR alternative

github.com
264 points·by neochris·2년 전·65 comments

Show HN: Generate malicious CloudTrail logs with AI agents

simulation.tracecat.com
2 points·by neochris·2년 전·1 comments

comments

neochris
·9개월 전·discuss
Hi HN, has anyone tried: https://github.com/TracecatHQ/tracecat

We got workflows, tables and case management. Focused on SecOps, ITOps, and prod eng / infra use cases.

Even if you’re on Jira or SNOW, having even a basic ticketing system built in turned out to be a very productive persistence layer for our users to prototype with.

Copy left AGPL 3.0 license.
neochris
·2년 전·discuss
Help us out? I really would like to hear your advice / thoughts / experience in private. Please find me via email (no getting making this public unfortunately)!
neochris
·2년 전·discuss
I am curious though. Have you ever seen an attack path from a personal device compromise to full Cloud account takeover (or something along those lines like an exfil job or cryptojacking).

I haven't?

Usually compromised personal devices at the startup level comes from a spray-and-pray watering hole campaign. Likely to be used as part of a botnet, where your device is 1 in a million. Nothing really targeted where the end goal is to compromise a seed / series A's crown jewels.

Once again, please share stories if I should be more worried.
neochris
·2년 전·discuss
Dude. I do not trust Lambdas. I've seen way too many CTFs and Cloud privesc paths to know how one even slightly misconfigured Lambda can led to full admin access.

We have a more local solution to query our security logs.
neochris
·2년 전·discuss
This all makes a lot of sense. I agree that SOC2 can be security theatre (I mean a lot of the language of the standard is suggestive, not a requirement). But a lot of your points about having MDM and EDR set up is covered by that cert. It's just how you implement it. And we intend to do it well. The cert and the "trust page" is a signal of our security practices, but at least we wouldn't have to go through it over at HN...

Maybe because I did cryptography at a mathematical level in college, I never really bought into the idea of security through obfuscation. Also the empirical evidence behind whether hiding your tech stack makes you more secure as a non-state level actor / software company actually leans towards the side of "it doesn't really matter".

We obviously do a lot more in our infra/corp sec side that I'm not sharing. But really everything I listed are well known best practices that any attacker should assume a relatively non-stupid security-aware startup should have.

I mean I guess I do believe a bit in security through obfuscation. Not sharing our password manager and IdP as many providers haven't had (as you mentioned) great track record in this space.

I do think it might be a difference of where we learned security. I found folks like yourself from your certain gov/military background to buy into security via obfuscation a lot more. I guess we can agree to disagree.
neochris
·2년 전·discuss
D&R at startup scale = set up billing alerts for different resources. Get a good CSPM. Run Trufflehog every pre-commit.
neochris
·2년 전·discuss
We are building out an OSS startup security program: Prowler as the CPSM, Trufflehog for secrets scanning, for code scanning...I personally think GitHub CodeQL is good enough, but please tell me otherwise. Our security model for our AWS infra definitely relies a lot on having fine-grained ACLs and security groups. The stack is all in AWS CDK and open source (of course, I'm not a fan when OSS security platforms claim to support self-hosted but it's only a docker-compose file). Supply chain attacks. We keep dependencies light and also rely on GitHub's dependency scanner.

I believe you're a fan of Panther? I find that funny because their out-of-the-box detection rules are limited. Once again, a good CSPM and SSO will do a lot more than a SIEM for startup security. Unless you are really telling me we need a 24/7 blue team monitoring our 10-15ish alerts. Oh by the way, we use AWS SSO and org, only role based permissions for everything, fine-grained GitHub SSO for CICD (down to the repo level because we know about that sneaky privesc path when you use *), and isolated SCPs for prod and staging (of course).

You mentioned phishing two technical founders as some real security threat. That might FUD someone with no security experience and don't have FIDO2 or device MFA set up. But turns out, my cofounder and I have both those things!

And because we know what are doing, CloudTrail is set up in a separate OU to avoid log tampering in case of a breach.
neochris
·2년 전·discuss
[dead]
neochris
·2년 전·discuss
Thanks for the comment Ross. Folks seem to have strong opinions about integrating or separating workflows and ticketing ala alert inbox. We like integrations a lot, but of course there needs to be security specific innovations on top of "just" an inbox that will make us the no-brainer choice.
neochris
·2년 전·discuss
Really appreciate the advice here. I also hate security theatre. We will make it triple clear that our Cloud version is JUST for preview, not production.

Repeat (as we mentioned in our README) for anybody reading this thread: Cloud is just for preview! Upload a known malware SHA-256 sample, send it off to VirusTotal, then pass the JSON response into a LLM action to summarize. There are plenty of workflows you can run to test our platform without exposing sensitive data.

Excited to work on securing our platform though. Thanks for the basic checklist. We have a lot more work to do and will find the best security professionals to work with. There are plenty of scary good practitioners, folks who have seen and responded to APTs in their previous work, within the YC network. The first thing we did when we got into YC was network with the YC security community.

Here are some shout outs who are helping YC companies and beyond truly improve their security posture: - Oneleet: 10 year+ experienced red teamers, now building an all-in-one pentest, vCISO, vSOC, and compliance platform and service - 0Pass: FIDO2 keys as service (ex-SpaceX, Amazon Cognito security engineers) - Infisical: open source secrets management
neochris
·2년 전·discuss
We're going to work with these guys: https://www.oneleet.com/. They are awesome.
neochris
·2년 전·discuss
Appreciate the Tines comparison.
neochris
·2년 전·discuss
Startups win by questioning every assumption from first principles. We look forward to the fight.
neochris
·2년 전·discuss
Cloud version. No SSO tax. We're doing a Show HN as we had strong conviction our message would resonate without the "sticky" Launch HN board. Looks like we were right!
neochris
·2년 전·discuss
Glad to hear we are on the right track.

Tracecat is still in alpha, but would be great to have your thoughts / opinions / feedback in our Discord community. We are anon-friendly. There's still a lot more we can innovation on.
neochris
·2년 전·discuss
Save time and money. That's what we are here for.

Any thoughts on our analysis regarding case management and log storage? These are two technical decisions we made before writing a single line of code to bring down cost and increase value-for-money.
neochris
·2년 전·discuss
Will post an updated demo with the output and share it here later today! But here is what one response looks like:

"Thank you for your report. the AI labelled this email as malicious. It contained the url https://to58gnrroh2pot.pages.dev/smart89/. The summary: The URLScan report indicates a high likelihood of phishing activity associated with the analyzed URL. The overall score is 100, with identified categories including "phishing" and specific branding as a "tech support scam." The report highlights the presence of malicious intent, with tags such as "phishing" further supporting this classification. The analysis involved IPs from Germany and the Netherlands, associated with the domains "to58gnrroh2pot.pages.dev" and "ipwho.is," and servers named "cloudflare" and "ipwhois." Various URLs, domains, certificates, and hashes were examined during the scan, pointing towards a comprehensive evaluation of the webpage's content and its potential threat level. The verdicts from URLScan and the community reinforce the malicious nature of the webpage, emphasizing the need for caution."
neochris
·2년 전·discuss
Great question! Unlike a pure infrastructure tool (MongoDB, Elastic, Terraform), UI/UX is a critical factor for adopting a SOAR.

Even if other companies fork / host Tracecat, we believe we can out iterate the incumbents in building the best SOAR experience. And I think we are just getting started with UI/UX for AI features in security products. It's definitely not a clippy chatbot...

My cofounder and I wrote every line of code for the frontend, design, data pipeline, docs. I don't think the incumbents can build as quickly and accurately (from customer feedback to implementation) as we can.
neochris
·2년 전·discuss
As for the MSP program, absolutely 100% yes. Would love to hear your use-case / pain points regarding existing SOARs (both oss and close sourced). Shuffle is the OG of FOSS SOARs, but the momentum behind that project seems to have stalled...
neochris
·2년 전·discuss
We plan to add integrations and pre-built workflows in the coming weeks. Would love your input in our Discord channel! https://discord.gg/n3GF4qxFU8

We're building a motley crew of blue teamers, security engineers, and data folks.