Friday, December 29, 2023

Monitoring Certificate Transparency Logs


What is Certificate Transparency?

Wikipedia defines it as:

Certificate Transparency (CT) is an Internet security standard and open source framework for monitoring and auditing digital certificates. The standard creates a system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates.

Essentially, what this means is that whenever a Certificate Authority (CA) issues an SSL certificate for a website, it must submit those certificate details to at least two public logs.

Why should my organization monitor CT Logs?

By monitoring CT logs, your organization can quickly identify any rogue certificates issued for your domain(s).  With simple monitoring, your defenders will be able to detect malicious or fraudulent certificates and take the appropriate actions to have them revoked before they can be used in attacks. 

Some providers, such as Cloudflare, now offer this as a service.  However, there are several drawbacks with this.  Firstly, your domain must be hosted and managed by Cloudflare.  Second, unless you have upgraded to a paid plan, the notifications are limited to the email address of the primary account holder.  And lastly, notifications are limited to email only.

However, there is a very simple way to achieve the same results, leveraging a couple of freely available services, without having to make any changes to your DNS infrastructure.

How can we do this on the "cheap"?


The first step is to use the crt.sh tool, provided by Sectigo. Simply navigate to this site, enter the domain you would like to monitor, perform the search, and then click the RSS feed button.  Then copy the resulting URL.
Next you will want to sign up for a free account on If This Then That.  Once that is completed, the next step is to create a new applet.   You will select "RSS Feed" and create a "New feed item" trigger.   Use the URL you previously copied from the crt.sh tool and create the trigger.


Now the fun part begins.  The IFTTT tool provides a plethora of notification options.  You can send Alerts into a Slack channel, a Microsoft Teams chat room, or email your security team.   For demonstration purposes, I will simply send an email to myself:

Finally, provide a memorable name so the purpose of the applet is clear, and you are all set!
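The same check can be done in code, which is useful if you want to triage feed items before they reach Slack or email. The script below is an added example and is not from the original post or from crt.sh; it runs over a constructed sample that mimics crt.sh's JSON output (the field names id, issuer_name, common_name and name_value are assumed from that output and should be verified against a live query), remembers which certificate ids have already been seen, and alerts on new entries issued by a CA your organisation does not use or containing a wildcard name.

```python
"""Triage crt.sh-style results for a monitored domain (added example)."""
import json

# Constructed sample resembling crt.sh '?q=example.com&output=json'.
# Entry 1001 is normal; 1002 comes from an unexpected CA; 1003 is a
# wildcard certificate, which many organisations never request.
SAMPLE_JSON = """[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "common_name": "www.example.com",
  "name_value": "www.example.com\\nexample.com"},
 {"id": 1002, "issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown CA",
  "common_name": "login.example.com",
  "name_value": "login.example.com"},
 {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "common_name": "*.example.com",
  "name_value": "*.example.com\\nexample.com"}
]"""

# Substrings of issuer_name for the CAs this organisation actually uses.
EXPECTED_ISSUERS = ("O=Let's Encrypt",)


def parse_entries(raw):
    """Decode the JSON array returned by crt.sh into a list of dicts."""
    return json.loads(raw)


def find_alerts(entries, expected_issuers, seen_ids, allow_wildcard=False):
    """Return (id, common_name, reasons) for each new suspicious entry.

    seen_ids is updated in place so a later run reports only new rows.
    crt.sh lists precertificates and final certificates separately, so
    tracking by id is what keeps repeated polls quiet.
    """
    alerts = []
    for entry in sorted(entries, key=lambda e: e["id"]):
        if entry["id"] in seen_ids:
            continue
        seen_ids.add(entry["id"])
        reasons = []
        if not any(exp in entry["issuer_name"] for exp in expected_issuers):
            reasons.append("unexpected issuer: " + entry["issuer_name"])
        # name_value holds one SAN per line.
        names = entry["name_value"].split("\n")
        if not allow_wildcard and any(n.startswith("*.") for n in names):
            reasons.append("wildcard name(s): " + ", ".join(names))
        if reasons:
            alerts.append((entry["id"], entry["common_name"], reasons))
    return alerts


if __name__ == "__main__":
    seen = {1001}  # ids already reviewed on a previous run
    for cert_id, cn, why in find_alerts(parse_entries(SAMPLE_JSON), EXPECTED_ISSUERS, seen):
        print(cert_id, cn, "; ".join(why))
```

Persist the seen ids between runs (a file or a small database) and point parse_entries at the live JSON for your domain to turn this into a scheduled check.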

What to do if a rogue certificate is detected?

Luckily, Cloudflare has very helpfully provided a list of support contacts for the major Certificate Authorities.

The Resurrection
Blogs have always been a vibrant space for individuals to express their thoughts, share experiences, and build communities. However, sometimes life takes unexpected turns, and our beloved blogs end up abandoned and forgotten. Today, I embark on a journey to resurrect my blog site that has been dormant since October 11, 2012. I started this blog 16 years ago and blogged fairly steadily for five years.   But life happened and I haven’t posted in a long 11 years now.   During this time I have been leading security in multiple high pressure startup environments.


One thing I’ve learned over the years is that it is REALLY challenging to implement an effective Cyber Security program in startups and small & midsize businesses (SMB).  An SMB environment, where both budget and staff resources are highly constrained, presents a unique set of challenges that most security vendors and security “thought leaders” tend to overlook.


So going forward, some key areas I will cover in my blog include:


1. Practical Security Measures for SMBs: Startups and SMBs often operate on limited resources and tight budgets. We will explore affordable yet effective security practices, tools, and techniques that these companies can implement to protect their sensitive data and intellectual property.


2. Threat Intelligence and Detection: Keeping up with the latest threats is essential for any organization, but it can be particularly challenging for startups and budget-conscious companies. We will delve into the world of threat intelligence, sharing strategies to identify and mitigate potential risks within a constrained environment.


3. Incident Response and Recovery: In the unfortunate event of a security incident, a swift and efficient response is crucial. Our blog will provide guidance on building incident response plans, handling breaches, and minimizing the impact on business operations, even with limited resources.


4. Compliance on a Budget: Regulatory compliance is a significant concern for companies across various industries. We will explore cost-effective approaches to achieve compliance with relevant standards, such as GDPR, HIPAA, or PCI DSS, while minimizing the financial burden.


5. Security Awareness and Training: Educating employees about cybersecurity best practices is vital for maintaining a strong defensive posture. We will discuss strategies for creating comprehensive security awareness programs tailored to the specific needs of startups and budget-conscious companies.


6. Leveraging Open Source Solutions: Open source tools and technologies can be a valuable asset for organizations with budget limitations. We will highlight reliable and cost-effective open source security solutions that can help bolster defense capabilities.


By focusing on the unique challenges faced by startups and budget-conscious companies in the realm of cybersecurity, my blog aims to provide actionable insights, practical advice, and relevant case studies. I hope to empower my readers with the knowledge and tools necessary to safeguard their digital assets and protect their businesses from evolving threats, all while working within their financial constraints.


Join us as I embark on this journey to explore the world of blue team/defensive security, catering specifically to the needs of startups and budget-conscious companies. Together, we will navigate the complex realm of cybersecurity defense, fostering a safer digital landscape for all.   My plan is to blog at least once per month (more on that later).