Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
2018 Holiday Shopping Season Threat Activity: A Snapshot
The 2018 holiday shopping season was the largest ever for online retailers, but threat actors filled their pockets, too.
So what did the threat activity around this shopping frenzy look like?
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
Civil society groups such as journalists, humanitarians, and activists face the same level of threat from targeted digital espionage as major companies and governments but have fewer resources to defend themselves. The Citizen Lab, an interdisciplinary research group based at the Munk School of Global Affairs, University of Toronto, is their guardian.
Often, threat actors that target civil society groups also go after well-resourced governments and businesses and are equipped accordingly. But their civil society victims are usually limited in their capacity to identify and mitigate threats, even when the consequences can mean imprisonment or physical harm.
RiskIQ PassiveTotal™ helps the Citizen Lab enrich its investigations of targeted espionage operations by mapping their infrastructure and noting how it changes. The unique Internet data sets in PassiveTotal—such as Host Pairs, WHOIS, and DNS—are sorted, classified, and monitored over time to provide a complete picture of digital adversaries. Infrastructure chaining, a process that leverages the relationships between these highly connected data sets to build out a thorough investigation, allows the Citizen Lab to surface new connections, group similar attack activity, and substantiate assumptions.
Starting with a single point, these analysts can look at any connected data sets to find more indicators. As they branch out at each stage of the investigation, they form a link back to the original starting point. This process uses the highly connected nature of internet data to expand one indicator into many based on overlapping details or shared characteristics, and is self-documenting in the sense that any other analyst can see how connections were made from one data set to the next.
One of the first steps Citizen Lab researchers take when examining a new sample of malware or phishing is quickly looking for related infrastructure inside PassiveTotal’s web interface and Maltego Transforms, which can provide unmatched insight into the behavior of the threat actors they’re tracking:
Fig-1 Domains linked to Scarlet Mimic identified with a PassiveTotal search graphed in Maltego
Pivoting across PassiveTotal datasets lets Citizen Lab researchers identify changes in attacker behavior that can help them anticipate and prevent future attacks. For example, finding repurposed parts of known malware command and control infrastructure in phishing attacks indicates a shift in tactics from targeted malware campaigns to conventional phishing. This intelligence would then help the Citizen Lab recommend defensive measures such as using two-factor authentication and avoiding sending and receiving file attachments by email.
With PassiveTotal, the Citizen Lab recently linked an intrusion attempt on UAE civil rights activist Ahmed Mansoor to infrastructure operated by NSO Group, a vendor of commercial spyware for governments. The investigation led to Apple releasing an out of band patch for IOS, as well as international media coverage of how some commercial surveillance products sold exclusively to governments are being used against civil society:
Fig-2 A Citizen Lab public project inside RiskIQ Community for operation “Stealth Falcon”
Since 2009, RiskIQ has been collecting data from web pages, global sensors, and a robust proxy network to provide analysts with a look back in time at how a given part of the internet once appeared. PassiveTotal supports the concept of infrastructure chaining and extracts all RiskIQ data into one single platform, so analysts can spend their time focusing on threats to their organizations and not data collection/processing.
For more about how the Citizen Lab researchers use PassiveTotal to enrich the analysis of targeted threats against civil society, including images and links to their public projects, visit the Citizen Lab’s case study. To visit the Citizen Lab’s public projects and to start pivoting for yourself, sign up for a free RiskIQ Community account today.
RiskIQ PassiveTotal has data sets found nowhere else that can take investigations to the next level. Register for our next PT Thursday Webinar to learn how to use our #MarkOfTheWeb data set to track phish https://t.co/BzPDkWmY79 #phishing #ThreatHunting
VIA Adam Hunt @RiskIQ
Closing the gap between Innovation & Security
More 👉 https://t.co/1PROm7LEEx
@ChuckDBrooks @mclynd @digitalcloudgal @fogle_shane @TmanSpeaks @antgrasso @HaroldSinnott @DrJDrooghaag @AlaricAloor @sbmeunier @cybersecboardrm @gvalan @edingle
Webcast: Learn how #webskimming attacks work and what organizations can do to protect themselves with @RiskIQ | 4/18 @ 3:30PM ET | https://t.co/1Qe36D9NW1
Today is the deadline to file your taxes, but threat actors didn’t procrastinate. Download @RiskIQ’s 2019 #TaxSeason Threat Roundup for data and analysis around the threat landscape facing taxpayers this year https://t.co/ALAepevk15 #phishing #mobilethreats
Tax Hacks: How Seasonal Scams Cause Yearlong Problems https://t.co/QuqeibM9Xl by @kellymsheridan #taxday #taxtips #fraud #cybercrime