Citadel is a browser agent that detects malware and shadow IT by analyzing and logging security events to syslog in a privacy-respecting way. It is meant to be used by CISO and CIO to secure staff laptops, increase situational awareness and allow DFIR. Citadel comes pre-integrated with the open source EDR Wazuh.
It detects the following events in the browser:
- IP or URL is blacklisted (configurable blacklist)
- the browser has blocked the navigation to the site
- user is using unencrypted protocols (e.g. FTP or HTTP)
- user is using non-standard port numbers (i.e. not 443)
- user is using URL with username or password in the URL
- user has downloaded a file
- the user is warned that the downloaded file is dangerous
- user has accepted downloading of dangerous file
- domain name does not match the SSL certificate
- SSL certificate authority invalid (e.g. self-signed or expired certificate)
- SSL protocol error
It also reports on usage statistics of applications, allowing for detection of shadow IT.
Events and reports are written as syslog entries with a relevant level, and can then be consumed by a SIEM or EDR. Citadel comes pre-integrated with Wazuh.
Citadel inspects internet use and generates daily statistics per site. Citadel attempts to identify sites that are applications by separating authenticated and unauthenticated internet sites.
The interaction analysis is based both on navigation events and on clicks, ensuring that it also works for Single Page Applications.
These usage reports can be aggregated in your SIEM / EDR and used to detect unexpected applications.
Citadel hashes the URL for events that do not indicate immediate threats, and are only logged for digital forensics. The different parts (hostname, path, query, etc) of the URL are hashed separately so that it remains possible to perform analysis after an incident.
The shadow-IT detection only reports on interaction with (authenticated) applications, and only tracks the number of interactions per site, per day.
The data is logged on your computer and is never sent to the cloud.
The design objective of Citadel is to allow a CISO or a CIO to secure staff laptops, increase situational awareness and allow DFIR. There is no benefit for an end-user if the extension is installed without also setting up the Native Messaging (macOS / Windows).
Citadel has privacy-preserving defaults and allows you to reinforce (or reduce) this protection using the configuration. By default:
- shadow IT detection only logs the name of the site, and the number of interactions
- shadow IT detection tries to report only on applications (i.e. websites that require authentication)
- events lower than
INFOlog level are masked (meaning only sensitive events such as downloads and alerts are not masked) - log levels allow you to log events locally but not send them to your EDR, thus allowing post-incident analysis without having everything centrally logged
See the configuration to understand the default settings.
Citadel uses the Chrome Extensions API (V3). This is theoretically compatible with Mozilla and other Chromium-based browsers. However this has not been tested so it is unlikely to work out of the box. Also, the deployment of the Native Messaging is (slightly) different for different browsers. If you nag me I may include support for other browsers.
Citadel is designed to be very efficient. It only runs (very briefly) everytime when you click on a web page. All operations are asynchronous and are designed not to impact your browsing experience. With the default blacklist configuration the extension consumes only 55 Mb of memory and will download approximately 20 Mb every hour (roughly equivalent to 5 minutes of video conferencing)