As product owner and technical lead, I have made this project my core focus at Qintel. The goal of this platform is to provide a unified search and analysis interface for threat analysts to perform cyber investigations. The product is used by a number of different agencies and companies to collaborate on and further their investigations.

If you are familiar with cybersecurity, you probably know that a wide variety of data types are used in analysis: whois records, pDNS (passive DNS) records, account registrations, communications, exposed credentials, netflow data and more. Cases usually involve piecing together the trail a criminal actor leaves across these different entities into a more cohesive picture.

(Screenshot: CrossLink landing page)

An investigation typically starts with a selector or indicator of compromise. For example, you might see a malicious domain being used. In CrossLink, you could search that domain to find the whois and pDNS records associated with it. The whois records might give you an email or name if they weren't privacy-protected. The pDNS records could lead you to the hosting IPs and, through them, to more domains that resolved to the same infrastructure, which you could pivot on for further whois information (bearing in mind that shared hosting links unrelated domains too). You might also see an actor discussing that domain in their communications. Once you've obtained an email or domain that you're confident in, you start looking for the actor's account registrations, which will likely have more solid attribution information.

Along the way, you would build an investigation by saving every entity that seems linked to your initial selector. Within the investigation, you have the ability to revisit entities, see high-level summaries of everything it contains, add additional external links and selectors, or export everything.
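The pivot loop described above, written out as an added example in Python. This is not CrossLink's code or Qintel's data: the whois and pDNS records are constructed placeholders, and two heuristics are my own assumptions for the example, a regex that treats redacted registrant strings as privacy proxies (no attribution value, so not pivoted on) and a threshold above which an IP hosting many domains is treated as shared infrastructure (pivoting on it would pull unrelated domains into the investigation). Every saved entity keeps the edge that led to it, and every deliberately skipped pivot is logged so the analyst can see why a link was not followed.

```python
import json
import re
from collections import defaultdict, deque

# Constructed placeholder records (not real data, not CrossLink output).
# Hypothetical .example domains, placeholder emails and RFC 5737 test IPs.
WHOIS = {
    "evil-login.example": {"email": "REDACTED FOR PRIVACY"},
    "evil-portal.example": {"email": "actor42@mail.example"},
    "evil-store.example": {"email": "actor42@mail.example"},
    "shop.example": {"email": "admin@shop.example"},
}
PDNS = {  # domain -> IPs it has resolved to
    "evil-login.example": ["203.0.113.10", "198.51.100.5"],
    "evil-portal.example": ["203.0.113.10"],
    "evil-store.example": ["203.0.113.10"],
    "shop.example": ["198.51.100.5"],
    "blog.example": ["198.51.100.5"],
    "news.example": ["198.51.100.5"],
}

# Assumed heuristics for this example, not CrossLink's rules: registrant
# strings matching PRIVACY_RE are privacy proxies with no attribution value;
# an IP hosting more than MAX_SHARED_HOSTING domains is shared infrastructure.
PRIVACY_RE = re.compile(r"redacted|privacy|proxy|whoisguard", re.I)
MAX_SHARED_HOSTING = 3


def build_indexes(whois, pdns):
    """Reverse lookups: ip -> domains (reverse pDNS), email -> domains (reverse whois)."""
    ip_to_domains = defaultdict(set)
    for domain, ips in pdns.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)
    email_to_domains = defaultdict(set)
    for domain, rec in whois.items():
        email = rec.get("email")
        if email and not PRIVACY_RE.search(email):
            email_to_domains[email].add(domain)
    return ip_to_domains, email_to_domains


def pivot(seed, whois, pdns, max_depth=4):
    """Breadth-first pivot from a seed domain. Saves each linked entity with
    the edge that led to it and logs pivots deliberately not followed."""
    ip_to_domains, email_to_domains = build_indexes(whois, pdns)
    inv = {"entities": {seed: "domain"}, "edges": [], "skipped": []}
    queue = deque([(seed, 0)])

    def link(src, dst, kind, reason):
        # Always record the edge; only enqueue entities seen for the first time.
        inv["edges"].append((src, dst, reason))
        if dst not in inv["entities"]:
            inv["entities"][dst] = kind
            return True
        return False

    while queue:
        entity, depth = queue.popleft()
        if depth >= max_depth:
            continue
        kind = inv["entities"][entity]
        if kind == "domain":
            email = whois.get(entity, {}).get("email")
            if email and PRIVACY_RE.search(email):
                inv["skipped"].append((entity, email, "privacy-protected whois"))
            elif email and link(entity, email, "email", "whois registrant"):
                queue.append((email, depth + 1))
            for ip in pdns.get(entity, []):
                if len(ip_to_domains[ip]) > MAX_SHARED_HOSTING:
                    inv["skipped"].append((entity, ip, "shared hosting"))
                elif link(entity, ip, "ip", "pdns resolution"):
                    queue.append((ip, depth + 1))
        elif kind == "ip":
            for domain in sorted(ip_to_domains[entity]):
                if link(entity, domain, "domain", "reverse pdns"):
                    queue.append((domain, depth + 1))
        elif kind == "email":
            for domain in sorted(email_to_domains[entity]):
                if link(entity, domain, "domain", "reverse whois"):
                    queue.append((domain, depth + 1))
    return inv


def summary(inv):
    """High-level counts per entity type, the kind of overview an investigation view shows."""
    counts = defaultdict(int)
    for kind in inv["entities"].values():
        counts[kind] += 1
    return dict(counts)


def export(inv):
    """Serialize the saved investigation (entities, edges, skipped pivots) as JSON."""
    return json.dumps(inv, indent=2, sort_keys=True)


if __name__ == "__main__":
    result = pivot("evil-login.example", WHOIS, PDNS)
    print(export(result))
    print(summary(result))
```

Run against the constructed data, the seed's own whois is redacted, so attribution only arrives after the pDNS pivot to 203.0.113.10 surfaces two co-hosted domains whose registrant email is visible; the crowded 198.51.100.5 is skipped rather than dragging shop.example, blog.example and news.example into the case.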

(Screenshot: CrossLink investigation view)

I've learned an inordinate amount working on this project. We've been through four major iterations of the API and GUI since I've been on board, and cut countless minor and patch releases. We've taken it from a simple RESTful API to a fairly advanced API and GUI used both internally and externally. My primary responsibilities include UI/UX design, UI engineering and architecture, working with stakeholders to determine priorities, and coordinating with the other core developers to deliver fixes and features.

Due to the sensitive nature of the application, I can't share too much in terms of screenshots.