November is just the month that keeps on giving for Cali Dog Security — first CertStream, and now today we’re taking PhishFinder out of beta and into full general availability! Go check it out and start finding the bad today!
We’re also releasing our product roadmap publicly so you can get an idea of what to expect in the coming months, and give us feedback on the features you’d like to see.
This article goes into the why and how of PhishFinder, so if you’re not interested in that, feel free to just go visit PhishFinder and start playing with it! It’s 100% free for the first month and we’ve tried to make the login and setup process as painless as possible!
How We Got Here
PhishFinder started, like any decent idea, as a solution to a problem I’d encountered many times before. In a previous life I worked as a security engineer for a larger organization, which meant it was my job to clean up and conduct forensics on more phishing campaigns than I care to remember. These varied significantly, ranging from adversaries who were hilariously bad to absolutely terrifying. Our size was a bit of a double-edged sword — being large meant we were able to build out analytics and alerting pipelines to help find “the bad”, and it also meant we had a healthy budget to buy things like FireEyes and email gateways to harden our defenses. Unfortunately, it also meant that we had a never-ending deluge of products marketed towards us — the majority of which were ludicrously expensive, mind-numbingly annoying to use, or generally just some people selling snake oil using the buzzwords-du-jour to peddle their wares.
Then I moved to a much smaller company, and boy were things different. We were about 6 people, so we barely had time to worry about anything other than staying in business and whether we had enough Club-Mate stocked up to fuel our efforts. About 9 months in, we had an enterprising young black hat email us from a homoglyph-squatted domain (replacing an i with an l). They were attempting to get one of our non-technical employees to wire money to an account overseas (a fairly common tactic for black hats). As it turns out we were just one stop in a larger string of attacks specifically targeting YC-funded startups, many of which were varying levels of successful. The good news is that we all worked together in the same room, so it was just a matter of this employee poking his head over his monitor and saying “Hey $CEO, did you send this?” I shudder to think what would’ve happened if we were all working remotely though 🤔.
I think that was really the first day I truly grasped that the economy of being small meant that we were part of an enormous number of companies who are tasked with protecting their business assets with what essentially amounts to praying to Santa Muerte for protection.
Unfortunately, once discovered, there was very little we could do. As a startup we were big fans of throwing money at problems to make them go away, but we couldn’t seem to find something that would solve this for us and leave us alone. We decided to basically just move on with our lives and get back to business, not because we wanted to, but because we didn’t have much of a choice.
Over the years I’ve come to realize that this is actually par for the course for quite a few companies, especially smaller ones without anyone dedicated to thinking about security. Most know that they have security issues that are real threats to business continuity, but generally don’t have the time or money to fix these issues themselves. When there aren’t any decent products that help them solve these sorts of issues (or when those products are cost-prohibitive), they just end up ignoring them and moving on.
It’s Time For Something New
We have a grand idealistic vision of an ecosystem of security products built to be affordable for anyone, in a way which offers real protection, and enables you to get back to whatever it is your organization is doing. We, like any good security team, are here to help you succeed, and the first iteration of this idea is PhishFinder, a platform that aims to bring practical and affordable phishing protection to any organization that needs it.
PhishFinder operates on a simple principle — a decent chunk of phishing campaigns have a common genesis point — the registration of a domain name, usually visually similar to one of your company’s assets. Once an attacker has that, they’ve gained a fairly powerful tool with which to start targeting employees, or even attacking your customers directly, most of whom will never be able to spot the difference between amazon.com and arnazon.com no matter how much training you give them.
Even technical companies fall victim to this, which is why it’s still a pervasive tactic in the employ of everyone from the most amateur of black hats all the way up to heavily motivated nation states. Most other security issues tend to ramp up as your business grows in size, but even 1–2 person companies can be a target for a nasty phishing attack, with little recourse.
A Peek At The Pipeline
We feel that transparency is important, especially when it comes to security products, and how PhishFinder finds malicious actors is no different. We want to give the more technical folks among you more detail on how we operate, with the hope that you can make the decision to subscribe based on a clear understanding of what value we bring to the table, not some marketing material designed to BS you into forking over your credit card.
Our backend is a 4-phase analytics pipeline, which runs multiple times a day for each and every domain we watch:
- Synthesis: The first thing we need is raw seed domains to analyze, so we comb through our constantly updated data stores looking for similar domains to yours, and couple that with a synthesis engine that uses your base domain to generate IDN homoglyphs, typosquatting, bitsquatting, and many other potentially malicious variants of your domain.
- Enrichment: Next, for any domains that we’ve generated, we gather as much data as we can about them. We scour the internet looking for indicators of malicious activity, fingerprint services, parse and store page content and whois information, and also query multiple RBL/spam lists and APIs to help inform our analysis engine. We also get a screenshot of the page so you never have to visit the page in question to see what’s going on with it.
- Analysis: We then take all the data we’ve gathered and feed it into our analysis engine, which scores the overall footprint of the domain with a multitude of indicators, producing an aggregate score we track over time.
- Action: Once we’ve either found something new that we can confirm with a degree of certainty is malicious, or the risk score has passed a specified threshold for a domain we already know about, we trigger an action. As of right now this is only in the form of alerting, but the next big push on our public roadmap is to do active prevention as well, targeting Google Apps and Exchange as the first two integrations.
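To make the Synthesis step concrete, here is an added example (not PhishFinder’s own code) of a small variant generator that produces the three families named above for a base domain: homoglyphs (including one IDN look-alike, which comes out as punycode), single-character typosquats, and bitsquats. The confusable table is a constructed sample, not a full Unicode confusables list; the output is the kind of seed list the Enrichment and Analysis phases would then score and watch.

```python
# Added example, not Cali Dog's code: generates the kinds of look-alike domains
# PhishFinder's Synthesis phase enumerates. CONFUSABLES is a constructed sample.
CONFUSABLES = {
    "m": ["rn"], "rn": ["m"], "l": ["1", "i"], "i": ["l", "1"],
    "o": ["0"], "a": ["\u0430"],  # U+0430 is Cyrillic small a (IDN homoglyph)
}
HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")

def split_domain(domain):
    label, _, suffix = domain.lower().partition(".")
    return label, suffix

def homoglyphs(domain):
    """Replace one confusable sequence at a time; non-ASCII results are punycoded."""
    label, suffix = split_domain(domain)
    out = set()
    for i in range(len(label)):
        for seq, subs in CONFUSABLES.items():
            if label.startswith(seq, i):
                for sub in subs:
                    variant = label[:i] + sub + label[i + len(seq):]
                    out.add(variant.encode("idna").decode("ascii") + "." + suffix)
    out.discard(domain.lower())
    return out

def typosquats(domain):
    """Single-character omissions and adjacent-character transpositions."""
    label, suffix = split_domain(domain)
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:] + "." + suffix)
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + suffix)
    out.discard(domain.lower())
    return out

def bitsquats(domain):
    """Flip one bit of one character (memory-error look-alikes); keep valid hostname chars."""
    label, suffix = split_domain(domain)
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in HOSTNAME_CHARS and flipped != ch:
                out.add(label[:i] + flipped + label[i + 1:] + "." + suffix)
    return out

def seed_domains(domain):
    """Union of all variants: the seed list to enrich, score and watch."""
    return homoglyphs(domain) | typosquats(domain) | bitsquats(domain)
```

Running `seed_domains("amazon.com")` yields, among others, arnazon.com, amaz0n.com, amazn.com, emazon.com and an xn-- form for the Cyrillic variant; a real pipeline would feed each of these to the Enrichment phase rather than stop here.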
That, in a general sense, is how PhishFinder works to detect (and eventually prevent) malicious threats to your organization. There are some things intentionally left out (like some of our content matching and correlation), but I’m happy to answer any questions! I won’t tell you that PhishFinder will catch every threat targeting your company, because it simply won’t. What we can say confidently, though, is that your organization is going to be miles more secure with us watching over you than without us.
One of the pieces of feedback I’ve received thus far in talking with people about PhishFinder is that my initial target pricing is far too low for the value we’re providing, especially juxtaposed with the current market of security products. This is done with great intention. Our top goal isn’t just to shake money out of people, instead we measure our success based on the impacts we have with businesses and the greater security community as a whole. I’m sick of companies being phished and not being able to do anything about it, and much more sick of people selling products for a small fortune that vastly over-promise, and under-deliver.
Jeff Bezos once famously said “Our goal with Amazon Prime, make no mistake, is to make sure that if you are not a Prime member, you are being irresponsible”. That’s always struck a chord with me, and that has become a core tenet to the pricing for the products we build. We want this protection to be so valuable for such a small time and money ask that companies would be simply irresponsible to not buy our products. It keeps us honest, and puts real security tooling squarely in the hands of people who need it the most. In my mind that only leads to better products and safer people, which has vastly more value to us than what we’d ever get nickel-and-diming our customers.
Make no mistake, I’ve poured thousands of hours of my own blood, sweat, and tears into my company and by extension this product so far, and I’m nowhere near stopping. I do understand the value these products are bringing to the table in the context of the larger market, but the bet I’m making is that people are just as sick of snake-oil security vendors as I am, and PhishFinder can be used as a catalyst for a new type of security product where we strive for practicality and affordability over anything else.
With That, We’re Officially Launched!
Today is a great day (even if it is a Monday) for us at Cali Dog Security. This has been a lot of hours in the making, and while we have a lot more work to do, we’ll be taking at least a few minutes today to just say “hell yes” and look back at what we’ve built.
If you’re in the bay area, we’re going to be holding a small launch party in Palo Alto, CA later this week. Email me if you’re interested in coming to say hello!
Of course I also have to give shout-outs to those without whom Cali Dog Security simply wouldn’t exist. Mad props to Jessica Weiller for making everything always look so damn good, Philip Martin for giving me great feedback and advice (as always), my beta testers for coming out in droves after the release of CertStream, and most of all my family for not only inspiring me to set out on my own, but for providing a backdrop of moral support and encouragement so strong they’ve convinced me I’m capable of accomplishing anything I set my mind to.