Blog

Attackers are more active than ever before, taking advantage of organizations' expanded attack surfaces outside the corporate firewall and across the internet. Phishing attacks, typosquat registrations, and disinformation campaigns aiming to take advantage of COVID-19 and political turmoil are running rampant. Security teams lacking visibility into this new attack surface are coming up dangerously short. 

RiskIQ has been collecting internet data for more than a decade to help organizations meet the challenge of this new generation of threats. The RiskIQ PassiveTotal App puts petabytes of this external Internet security intelligence into Splunk's Data-to-Everything Platform, giving security teams the visibility they need in a platform and workflow they already use. 

The app enables teams to investigate and respond to threats across their organization's attack surface by laying the RiskIQ Internet Intelligence Graph on top of Splunk data—all in one location—to show how internal assets interact with external infrastructure. With this 360-degree view of their attack surface, analysts have unparalleled context and intelligence to detect, investigate, and remediate IoC's and security events.

During major global events, threat actors take advantage of charged political environments and a prevailing overload of information to help lend credence to the delivery mechanisms they use to carry out malicious activity. This tactic has proven especially effective during the COVID-19 pandemic as scams purporting to contain information, news, and remedies related to the virus—many with a political lean—have saturated the internet. 

In "ScamNation," RiskIQ's latest research report, RiskIQ researchers leveraged our internet-wide visibility and unique data sets to identify and explicitly define scam ecosystems exploiting the pandemic for monetary gain through the spread of false information and the sale of fraudulent products online. The report identifies a network of "content farm" websites publishing misleading, highly partisan articles that have lately focused on COVID-19. Scammers use these sites to promote ads that lure users into "subscription traps," which, through misleading messaging and hidden language in the fine print, trap buyers into making monthly payments that are difficult, if not impossible, to escape.

Earlier this month, RiskIQ announced our Interlock Partner Program, making our Internet Intelligence Graph—RiskIQ's unique global view of the internet comprised of data from more than ten years of crawling the web—available in cybersecurity platforms around the world.

One of our first key integrations was the RiskIQ Illuminate app for CrowdStrike, which enriches CrowdStrike Falcon Insight detections with our internet-wide telemetry, enhancing internal alerts with external context. When automatically correlated with CrowdStrike Intelligence, RiskIQ's internet data sets boost incident response by enabling researchers to quickly search across an organization's endpoints for indicators of compromise or find activity related to suspicious indicators they observe on an endpoint.

During an investigation, the RiskIQ app automatically identifies impacted endpoints so analysts can understand all the related infrastructure belonging to a given threat actor. This way, companies can stay a step ahead of their adversaries and optimize their attack surface management.

Over the past several months, the enterprise attack surface has changed radically, and many security teams are struggling to catch up. The recent scramble to patch a dangerous security flaw in F5 Networks' BIG-IP product marked the beginning of a new reality facing the enterprise in the post-COVID world: network controls are coming up dangerously short. 

Organizations are lacking visibility into the external network of internet-connected services and devices growing wildly outside their firewalls to support a workforce that will be remote for the foreseeable future. However, these IP-connected assets aren't in the purview of most security controls. In fact, most organizations don't have any security controls for the new IT needed to enable remote employees, such as remote access devices, VPNs, and perimeter network devices.

The F5 hack wasn't the first critical vulnerability to come to light since widespread remote work began, and it's certainly won't be the last. Recent headlines have been full of dozens of new vulnerabilities found in these devices, including Cisco, Microsoft, Citrix, and IBM products. Each of these vulnerabilities can take down an organization, whether or not its security team knows it's part of its attack surface. 

Realizing they're invisible to many security teams, threat actors note these security flaws and use them as inroads for attacks. Both the US and Australian governments have advised companies to immediately address the recent spike in critical vulnerabilities, with US Cyber Command recommending that organizations patch both the F5 and PAN-OS vulnerabilities.

When the Covid-19 pandemic forced businesses to shift overnight, even companies with robust cybersecurity measures were caught unprepared.

A massive influx in remote employees, coupled with a boom in hacker activity, forced businesses to overlook best practices in the name of immediate convenience. In some cases, that meant connecting employees to networks without proper safety precautions. Wider digital attack surfaces presented a bounty of opportunities to unscrupulous actors looking to steal money, data, or both.

By now, most organizations have taken steps to reduce their exposure to threats and have educated employees on the importance of staying vigilant while working from home. These short-term measures will not last forever, though, nor do they replace the need for sweeping change. The pandemic changed the face of cybercrime overnight. Now, businesses must not only round out their responses to the current crisis but start preparing for what comes next.

New Remote Ecosystems

Companies should take this opportunity to invest in permanent remote work changes rather than using Band-Aids until employees can return to offices. Many employees may find that remote work suits their lifestyles better, and if one company won't honor their wishes, another will.

The age of remote work, recently in its infancy, hit a coronavirus-inspired growth spurt and has now become an awkward teenager. More businesses will soon reconsider what types of work employees can do remotely as the market demands a shift away from traditional environments. As that happens, companies will face sustained pressure from threat actors at new remote weak points.

Technology leaders can combat the repercussions of larger attack surfaces by investing in cybersecurity tools and better communication practices. IT departments should work with internal marketing teams and HR to develop regular reminders to keep employees' attention on good security habits while working remotely.

Short emails with actionable advice can help, but many employees don't fully internalize one-off communications. Companies should also conduct regular tests, and practice runs on dealing with potential bad actors to keep employees on their toes.

Executives and their teams should also use this chance to formalize layers of protection. Remote workers should use VPNs when working in company systems. Some employees may not welcome mandatory two-factor authentication, but they must be ready to embrace additional security for the convenience of remote work.

More Practiced Threat Actors

Threat actors typically seek the least effort for the highest return. Before the pandemic, that meant probing for weaknesses in company systems or using basic social manipulation on unsuspecting employees. In the future, threat actors will be able to review their most successful practices from pandemic times and adapt their strategies.

Think of hackers and opportunists as their own type of business. They A/B test different strategies, perform cost/benefit analyses on opportunities, and generally try to make more money than they lose. State-sponsored actors, with greater resources and a wider variety of motivations, may act differently. For the most part, though, companies can avoid becoming prey by making themselves as unappealing a target as possible.

In the face of more capable thieves, the safest businesses will be the ones with the least to steal. Businesses should only keep the customer information they need, so they don't lose that data (and take a big PR hit) in a breach. To combat more severe threats, technology leaders should rely on the latest cybersecurity tools, stay updated on industry trends, and conduct regular checks to patch vulnerabilities.

Back To Social Basics

To stay safe in a post-pandemic world, technology leaders must develop workforces prepared to act as the first line of defense against all manner of threats.

Social manipulators infiltrate secure systems by taking advantage of obvious human flaws. You can prevent the most straightforward attacks with basic rules, such as no writing passwords on sticky notes and mandatory two-factor authentication. Train employees to feel more comfortable with their technology, so they don't rely on unsafe and outdated practices.

Leaders are not exempt from these rules. A CEO may be a brilliant negotiator, but that same person may keep a small book of passwords in a desk drawer. A thief who knows the right address could slip through a window and gain access not only to cash and valuables but also to company logins with millions of dollars on the line. Even a simple Twitter password in the wrong hands could lead to crashing stocks, as evidenced by Elon Musk's latest comment.

Get buy-in from everyone, from the C-suite to the greenest employee. The future of cybersecurity is about cooperation and shared responsibility. Practice social manipulation avoidance, and stay updated with tools and technologies. Keep team members vigilant. Every remote and in-office worker should feel comfortable playing a role in a broader cybersecurity strategy.

Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evolved right alongside the digital presence of businesses and remains in flux as attackers continuously adopt new tools and tactics. With the paradigm for keeping organizations secure ever-changing, security teams have no choice but to adapt to the perpetual evolution of both the organizations they defend and the adversaries from which they protect it.

In this new dynamic age of cybersecurity, knowledge and context are power, and being mobile ensures survival. The security solutions that matter are automatic and integrate with existing investments. They also include a game-changing amount of context. The RiskIQ Intelligence Connector, the integration linking RiskIQ's Internet Intelligence Graph and Microsoft Sentinel, was built for this. 

RiskIQ and Microsoft Sentinel Enable Next-Gen Security Teams

Microsoft Sentinel is a cloud-native, next-gen SIEM that transforms how security teams triage incidents in their organization. It's a force-multiplier for security teams that gives them unprecedented context and mobility. With just a few clicks, a business can be up, operating, and processing alerts to supercharge threat investigations and automate incident response to deal with threats at scale. 

For RiskIQ, context and knowledge are everything. Our Internet Intelligence Graph absorbs internet data on a massive scale to continuously map the billions of relationships between internet-exposed infrastructure worldwide, providing in-depth knowledge of the internet and how organizations and threat actors fit into it. When this outside-the-firewall intelligence combines with firewall and endpoint telemetry data in Microsoft Sentinel, security operations teams have a full view of their organization's attack surface and unparalleled context around threats and security incidents. 

The discussions in the coming days and weeks surrounding yesterday's large-scale compromise of verified Twitter accounts, including those of Joe Biden, Barack Obama, and Bill Gates, will likely be about how the attackers gained access to so many high-profile accounts at once. The sheer breadth of digital landscape this breach covered in such little time shocked the world and is sure to stoke concerns about who can access the means of disseminating information—or disinformation—to the masses. 

However, while examining Twitter's internal security practices and controls is an important focus, it's also worth looking at the #Twitterhack from an external angle. Who were these actors, and why did they go through so much trouble to access those accounts? What did their cryptocurrency scam campaigns look like outside of the Twitter spotlight?

RiskIQ's Passive DNS data gives us our first clue. It shows us that domains belonging to these attackers were registered months or years ago, which means pretending to be famous brands and people to trick victims into giving up their cryptocurrency has been their MO far before the fall of the blue checkmarks. Hacking Twitter was simply their latest—albeit their most successful—tactic to access a massive pool of potential victims and lend credibility to their phishing scheme. Before hacking verified accounts, this group may have been leaning on other dependable vehicles for scam victim acquisition, such as fake social media accounts, spam emails, and scam ads. 

Next, tying together the phishing domains belonging to the attacker shows us the overall scope of the attack and which brands were getting impersonated. The Twitter hack itself made the most headlines, but RiskIQ researchers observed only one attacker-owned domain tweeted from a hacked verified account. However, from that one domain, we mapped out hundreds more that attackers didn't use on Twitter. They were likely using these in other attack vectors. 

The average organization's digital presence has exploded in size. Even before COVID-19 spread their staff and operations outside the firewall, businesses were rapidly migrating to the cloud and increasing their use of web, mobile, and social platforms. This digital transformation expanded their attack surface beyond the scope of network security controls like firewalls, DLP, and network monitoring—and enabled attackers to exploit them in ways not possible before. 

The security implications of the enterprise's digital footprint exploding beyond the firewall's friendly confines are clear. According to the Verizon Data Breach report, external-facing web applications, into which network security tools lack visibility, comprised the vector category most commonly exploited in hacking-related breaches. To defend against the now rampant phishing attacks, typosquat registrations, and misinformation spreading through websites, security teams need to think beyond cybersecurity. Instead, they should be taking a holistic view of defense, focusing on attack surface management. 

Together, RiskIQ and Splunk Deliver Attack Surface Management 

Attack surface management means having the technology to collect enough data to cover the entire scope of where your organization can be attacked—from the corporate network to the cloud to the edges of the open internet—and the technology to put it to use. The nexus of these two imperatives are RiskIQ's Apps and add-ons for Splunk. 

RiskIQ has long held integrations with Splunk but has brought our full suite of offerings to the Data-to-Everything platform. These s integrations give SecOps teams several ways to access RiskIQ's Internet Intelligence Graph, which extracts terabytes of internet data to map the billions of relationships between internet-exposed infrastructure worldwide. This comprehensive data now combines with Splunk's search, monitoring, and analysis capabilities to deliver a best-in-class attack surface management. 

In 2020, threat prevention alone won't be enough. The COVID-19 pandemic has revealed cybersecurity cracks in thousands of companies, which won't go away now that the world—and the way we work—has changed forever.

The recent surge in cyberattacks in the wake of the COVID-19 pandemic exploit global anxiety around the pandemic and the patchwork work-from-home setups of suddenly-remote staff to hack organizations, infect them with ransomware, and attack their customers. 

This unprecedented increase in opportunity for digital criminals has ushered in a new era of security, responsibility, and expectations for technical leaders. With breaches and other security incidents causing multi-million dollar losses, digital intelligence and cybersecurity have evolved from something of a maintenance cost into a full-fledged business input. CEOs and boards must know how their security postures affect their companies' trajectories. 

CISOs now find themselves as acting generals in a new kind of war, one in which the digital revolution—and the coronavirus that has sent it into overdrive—have created a surge of new combatants. Advanced nation-state actors are prowling digital attack surfaces of western businesses. Iran's cyberattacks in response to U.S. strikes, Russia's ongoing digital intrusions, and China's ever-looming digital armies—American companies lose more than $57 billion per year as a result of Chinese attacks—are just a few examples. Meanwhile, large organized cyber syndicates, more about making money than gathering intelligence or stealing IP, are growing in scale and sophistication and continually probe businesses for weakness. 

These bad actors work from home, too, and they are more than happy to take advantage of vulnerable or misconfigured remote access points and cloud assets, as well as shadow IT stood up outside the purview of security teams. To win this war and act as valuable assets to their companies, CISOs must become more proactive about threat detection and incident investigation—and be able to explain much more than the time and date of the attack.