Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
The days are long gone when cybersecurity simply involved watching your internal networks behind the firewall. As businesses grow online and in the cloud in the name of innovation, their attack surface has exploded. Although the increasingly sophisticated online landscape puts more powerful tools into the hands of businesses, it also creates powerful opportunities for innovative hackers to exploit.
A modern business’s digital environment is highly interconnected with other services, often influenced by multiple internal actors, and open to ever more creative forms of manipulation. Welcome to the era of the attack surface. From now on, question all assumptions and remember that your targets are moving.
To outwit malicious actors, your enterprise security needs to evolve more than just its tactics. It needs to change its perspective on the whole by considering the reality that your digital environment consists of more elements than those you’ve created and have under control. Thinking in terms of perimeters no longer works.
Here are three things you’re responsible for in your digital environment that you may not have considered because they’re not based on actions that you, or your IT group, perform.
To operate effectively on the internet, you must work with code, libraries, software, and plugins built and maintained by third-parties. These third-party components don’t belong to you but are nonetheless a part of your attack surface.
There are many advantages to using these third-party components, and often they form a vital part of your website—your business may even rely on them to operate. In fact, most companies cannot realistically avoid using them as they streamline development and facilitate efficiency.
Third-party components take many forms. On a typical website, this might include:
However, a widespread assumption in IT exists that third-party components, especially proprietary ones, are not a part of the attack surface. After all, when they’re acquired from a trusted source, installed correctly, and kept up to date, then there’s nothing to worry about, right?
Not exactly. Third-party components often fall prey to attacks because hackers understand that we’re taking for granted the security of these assets on account of our trust in the source. And the assumption that the security of third-party components is the problem of that organization’s developers.
While this last part is technically true, what happens once that asset is installed in our digital environment is very much our problem. When an attack infiltrates one of these third-party components in a way that renders your site vulnerable, we refer to it as a supply chain attack. Such attacks have very real consequences for businesses that choose to use these components.
While a lot of things will naturally be out of your hands, knowing which third-party components you’re using and where, and staying proactive about how these components interact with your assets goes a long way to keeping your digital environment secure.
How to Use Enterprise Security to Manage Third-Party Threats
The Magecart hackers showed us that major breaches could sometimes go undetected for a while, leaving your site vulnerable for a period of time while your customers’ data is stolen. It is also suspected that Magecart is injected into a site during development, or through the use of third-party e-commerce plugins. This underscores the necessity for a proactive stance on the use of third-party assets in your digital environment.
Third-party components all have one thing in common: they need to be installed. This means that responsibility for the ways these components affect your site begins when you choose to implement them in your digital environment.
Here are some recommendations for reducing the attack surface which third-party assets create:
Make sure that anyone who touches the backend of your website is clear on what may be installed, when, where, and by whom. Implement access controls for accessing code on a by-needs basis. This ensures that the acquisition process is kept tight and observable and that no unsafe or unauthorized installations occur.
In a large, dynamic website, you may have a dozen or more third-party components installed. Keeping an up-to-date log regarding when a component is acquired, installed, and updated will keep you in the loop concerning potential threats.
Updates often provide proactive security measures and the elimination of vulnerabilities before a malicious actor discovers them. Likewise, staying up to date on the news around the assets you’ve installed on your website will help you spot trouble early.
Analyzing your digital footprint for changes in site activity or behavior can help you spot these threats and take appropriate action. RiskIQ offers powerful tools to accomplish this.
The dynamic nature of cyberspace demands taking an engaged and proactive approach to the use of third-party components. They are part of your attack surface, even if the breach isn’t occurring directly on your site.
Malicious actors never cease to come up with ways to get their hands on credit card numbers, login credentials, or PII. Rogue threats are actions undertaken by individuals designed to undermine businesses’ security.
Like third-party threats, rogue threats often occur outside your immediate sphere of control. Most use social engineering, mimicry, or deception to trick users into handing over valuable data. They often occur by going after your employees, prospects, or customers directly on the internet.
When these attacks happen, you may find yourself facing an onslaught of complaints, lost business, and even lawsuits without realizing why. We’ll take a look at many of the ways these attacks can occur without your knowledge but still irrevocably damage your image. Early detection and takedown of infringing assets are one of the most effective ways of disrupting one of these targeted campaigns.
Phishing Pages Prey on the Distracted and Unobservant
Phishing is the art of creating an interface which mimics a brand to trick unwitting users into handing over credentials or data. While the tactic used to be associated with email scams, last year we detected an increase in the diversity of phishing deployments and targets. Rogue actors are getting more creative in their application of phishing, making this part of your attack surface even more nebulous.
Your enterprise security should consider phishing pages directed at both your employees and your customers.
Protect your employees: Provide training on how to spot phishing and develop a security culture which emphasizes minimal data exposure.
Protect your customers: Develop a policy for when you will and will not ask customers for certain information. Indicate this policy clearly in all communications and provide resources to help customers identify potential attacks.
Domain Infringement Fools Your Customers
Ever clicked on a link, you thought went to a brand, but then it took you somewhere unexpected?
Domain infringement occurs when an actor uses a domain name that is similar enough to your own that it confuses your users. The purposes for this may vary from malicious (credential stealing) to leveraging your brand to sell knock-off products. Either way, domain infringement siphons users from your site while exposing their data in insecure environments and costing you money.
US trademark law charges trademark owners with the responsibility to remain diligent about the protection of their marks. Therefore, you should make web crawls to identify and remove third-party-owned domain infringements a regular part of your security enterprise strategy. Quickly removing spoofs and look-alikes diminishes the chances that your customers will be fooled. It also helps maintain the integrity of your trademark in the eyes of the law.
Brand Abuse Takes Advantage of Hard-Earned Customer Loyalty
If you aren’t thinking about your brand as part of your attack surface, you should be. Many of the attacks we’ve covered so far rely on misusing the trust and loyalty your brand builds with your customers. Brand abuse is an up-and-coming tactic with many creative ways to target your customers and fans. It’s difficult to counter because it can take so many forms, including:
Brand protection tools can help you identify the many ways your brand might be exploited and retake control of your brand’s identity online.
Rogue Mobile Apps Are Wolves in Sheep’s Clothing
Rogue mobile apps are an important vector for malicious code and comprise 28 percent of all security breaches. Rather than attacking their targets directly, hackers develop these apps to masquerade as other, legitimate products. They are then submitted to Google Play or Apple Store where they’re downloaded by users.
Once installed, these apps have free access to your data – which is what they were after. These malicious apps have been and remain a huge problem, often reappearing in numerous guises.
Sometimes, they’re quickly identified and removed. Sometimes, a half-million people are exposed before someone figures it out.
Methods for dealing with rogue mobile apps belong in your enterprise security strategy for two reasons:
The prevalence of smartphones means that even if your company doesn’t have devices where employees might install things, they become part of your attack surface the moment an employee checks his or her work email on a personal device.
While we commonly see this in the banking industry, any brand which uses apps may fall prey to malicious look-alikes.
The independent actions of individuals inside your organization also create vulnerabilities. A growing area of the modern digital footprint involves the rise of Shadow IT. This is defined as the creation or use of digital assets outside the purview of your company’s IT security staff. In other words, it’s the pieces of your digital footprint you don’t know about which create the attack surface here.
Shadow IT takes many forms from microsites and subdomains to social media profiles and subscriptions to cloud-based services. When neglected or poorly constructed, it has the potential to become a significant vulnerability in your digital environment. For example, a piece of software that is installed may have security flaws.
On its own, shadow IT is not malicious. Rather, its presence indicates that your company’s internal tech needs are not being met. Shadow IT may develop when:
Shadow IT can be hard to track down, so we recommend the DIME approach: discover, inventory, manage and enforce security policy.
A comprehensive assessment of your digital footprint will identify the presence of unauthorized or unknown digital assets.
Taking inventory informs your enterprise security plan to accommodate the attack surface newly discovered assets may have created. Digital asset types include hosts, domains, websites, certificates, and third-party applications.
Manage by first understanding what assets exist and why. Then, either bring the asset under the purview of IT or remove it. Shadow IT forms when employees cannot rely on your IT group to achieve the solution they need. Therefore, create and implement procedures for efficiently and effectively introducing new IT element in your digital footprint.
Ultimately, Shadow IT is an opportunity to reveal the areas where your IT policy and digital environment need to evolve to better meet the needs of your team.
Your digital footprint reflects the nature of the modern online landscape: interconnected, shifting, and the aggregate of many people’s actions. The largest security vulnerabilities occur when organizations fail to consider how their digital assets are being impacted by other players. Whether propagated by internal or external actors, things like third-party threats, rogue threats and shadow IT create three often-missed faces of the modern digital footprint.
The shifting nature of cyberspace presents an unparalleled challenge to visualizing a company’s attack surface fully.
We encourage you to check out our webinar on Understanding and Taking Action on Risks Associated with Your Digital Footprint.
You’ll also find our guide on the anatomy of a digital footprint useful in evolving your company’s IT security paradigm.
Finally, got questions? Reach out and let us know what we can do for you.
Get your #RSAC 2020 party started by joining RiskIQ at IGNITE, hosted by @FlashpointIntel! Register now: https://t.co/XhmW7kUCY8
Now you can see why we named it Magecart 🙃 it’s where it started in 2014. A group normally skimming data through Mage.php when a cart checkout is done, started pioneering a client-side JS skimmer.
The rest of the story can be read in our 2018 report: https://t.co/aGlU984pTU https://t.co/AwDlwdb36p
Based on data from @riskiq it appears this campaign by the Russian GRU to hack and breach Burisma in Ukraine started around 11-11-2019 (and possibly earlier) with the registration of the domain kub-gas[.]com cc @Ushadrons @file411 @IdeaGov #infosec #phishing #malware #disinfo
RiskIQ is excited to announce that growth expert Christophe Culine has joined our team as Chief Revenue Officer, leading our sales organization to great things in 2020 and beyond https://t.co/DYCAOfYeIa
RiskIQ's @ydklijnsma was on @DarknetDiaries to talk about the global phenomenon of #Magecart. Listen in on how credit card skimming on online purchases is happening—and happening often.