Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
2018 Holiday Shopping Season Threat Activity: A Snapshot
The 2018 holiday shopping season was the largest ever for online retailers, but threat actors filled their pockets, too.
So what did the threat activity around this shopping frenzy look like?
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
The days are long gone when cybersecurity simply involved watching your internal networks behind the firewall. As businesses grow online and in the cloud in the name of innovation, their attack surface has exploded. Although the increasingly sophisticated online landscape puts more powerful tools into the hands of businesses, it also creates powerful opportunities for innovative hackers to exploit.
A modern business’s digital environment is highly interconnected with other services, often influenced by multiple internal actors, and open to ever more creative forms of manipulation. Welcome to the era of the attack surface. From now on, question all assumptions and remember that your targets are moving.
To outwit malicious actors, your enterprise security needs to evolve more than just its tactics. It needs to change its perspective on the whole by considering the reality that your digital environment consists of more elements than those you’ve created and have under control. Thinking in terms of perimeters no longer works.
Here are three things you’re responsible for in your digital environment that you may not have considered because they’re not based on actions that you, or your IT group, perform.
To operate effectively on the internet, you must work with code, libraries, software, and plugins built and maintained by third-parties. These third-party components don’t belong to you but are nonetheless a part of your attack surface.
There are many advantages to using these third-party components, and often they form a vital part of your website—your business may even rely on them to operate. In fact, most companies cannot realistically avoid using them as they streamline development and facilitate efficiency.
Third-party components take many forms. On a typical website, this might include:
However, a widespread assumption in IT exists that third-party components, especially proprietary ones, are not a part of the attack surface. After all, when they’re acquired from a trusted source, installed correctly, and kept up to date, then there’s nothing to worry about, right?
Not exactly. Third-party components often fall prey to attacks because hackers understand that we’re taking for granted the security of these assets on account of our trust in the source. And the assumption that the security of third-party components is the problem of that organization’s developers.
While this last part is technically true, what happens once that asset is installed in our digital environment is very much our problem. When an attack infiltrates one of these third-party components in a way that renders your site vulnerable, we refer to it as a supply chain attack. Such attacks have very real consequences for businesses that choose to use these components.
While a lot of things will naturally be out of your hands, knowing which third-party components you’re using and where, and staying proactive about how these components interact with your assets goes a long way to keeping your digital environment secure.
How to Use Enterprise Security to Manage Third-Party Threats
The Magecart hackers showed us that major breaches could sometimes go undetected for a while, leaving your site vulnerable for a period of time while your customers’ data is stolen. It is also suspected that Magecart is injected into a site during development, or through the use of third-party e-commerce plugins. This underscores the necessity for a proactive stance on the use of third-party assets in your digital environment.
Third-party components all have one thing in common: they need to be installed. This means that responsibility for the ways these components affect your site begins when you choose to implement them in your digital environment.
Here are some recommendations for reducing the attack surface which third-party assets create:
Make sure that anyone who touches the backend of your website is clear on what may be installed, when, where, and by whom. Implement access controls for accessing code on a by-needs basis. This ensures that the acquisition process is kept tight and observable and that no unsafe or unauthorized installations occur.
In a large, dynamic website, you may have a dozen or more third-party components installed. Keeping an up-to-date log regarding when a component is acquired, installed, and updated will keep you in the loop concerning potential threats.
Updates often provide proactive security measures and the elimination of vulnerabilities before a malicious actor discovers them. Likewise, staying up to date on the news around the assets you’ve installed on your website will help you spot trouble early.
Analyzing your digital footprint for changes in site activity or behavior can help you spot these threats and take appropriate action. RiskIQ offers powerful tools to accomplish this.
The dynamic nature of cyberspace demands taking an engaged and proactive approach to the use of third-party components. They are part of your attack surface, even if the breach isn’t occurring directly on your site.
Malicious actors never cease to come up with ways to get their hands on credit card numbers, login credentials, or PII. Rogue threats are actions undertaken by individuals designed to undermine businesses’ security.
Like third-party threats, rogue threats often occur outside your immediate sphere of control. Most use social engineering, mimicry, or deception to trick users into handing over valuable data. They often occur by going after your employees, prospects, or customers directly on the internet.
When these attacks happen, you may find yourself facing an onslaught of complaints, lost business, and even lawsuits without realizing why. We’ll take a look at many of the ways these attacks can occur without your knowledge but still irrevocably damage your image. Early detection and takedown of infringing assets are one of the most effective ways of disrupting one of these targeted campaigns.
Phishing Pages Prey on the Distracted and Unobservant
Phishing is the art of creating an interface which mimics a brand to trick unwitting users into handing over credentials or data. While the tactic used to be associated with email scams, last year we detected an increase in the diversity of phishing deployments and targets. Rogue actors are getting more creative in their application of phishing, making this part of your attack surface even more nebulous.
Your enterprise security should consider phishing pages directed at both your employees and your customers.
Protect your employees: Provide training on how to spot phishing and develop a security culture which emphasizes minimal data exposure.
Protect your customers: Develop a policy for when you will and will not ask customers for certain information. Indicate this policy clearly in all communications and provide resources to help customers identify potential attacks.
Domain Infringement Fools Your Customers
Ever clicked on a link, you thought went to a brand, but then it took you somewhere unexpected?
Domain infringement occurs when an actor uses a domain name that is similar enough to your own that it confuses your users. The purposes for this may vary from malicious (credential stealing) to leveraging your brand to sell knock-off products. Either way, domain infringement siphons users from your site while exposing their data in insecure environments and costing you money.
US trademark law charges trademark owners with the responsibility to remain diligent about the protection of their marks. Therefore, you should make web crawls to identify and remove third-party-owned domain infringements a regular part of your security enterprise strategy. Quickly removing spoofs and look-alikes diminishes the chances that your customers will be fooled. It also helps maintain the integrity of your trademark in the eyes of the law.
Brand Abuse Takes Advantage of Hard-Earned Customer Loyalty
If you aren’t thinking about your brand as part of your attack surface, you should be. Many of the attacks we’ve covered so far rely on misusing the trust and loyalty your brand builds with your customers. Brand abuse is an up-and-coming tactic with many creative ways to target your customers and fans. It’s difficult to counter because it can take so many forms, including:
Brand protection tools can help you identify the many ways your brand might be exploited and retake control of your brand’s identity online.
Rogue Mobile Apps Are Wolves in Sheep’s Clothing
Rogue mobile apps are an important vector for malicious code and comprise 28 percent of all security breaches. Rather than attacking their targets directly, hackers develop these apps to masquerade as other, legitimate products. They are then submitted to Google Play or Apple Store where they’re downloaded by users.
Once installed, these apps have free access to your data – which is what they were after. These malicious apps have been and remain a huge problem, often reappearing in numerous guises.
Sometimes, they’re quickly identified and removed. Sometimes, a half-million people are exposed before someone figures it out.
Methods for dealing with rogue mobile apps belong in your enterprise security strategy for two reasons:
The prevalence of smartphones means that even if your company doesn’t have devices where employees might install things, they become part of your attack surface the moment an employee checks his or her work email on a personal device.
While we commonly see this in the banking industry, any brand which uses apps may fall prey to malicious look-alikes.
The independent actions of individuals inside your organization also create vulnerabilities. A growing area of the modern digital footprint involves the rise of Shadow IT. This is defined as the creation or use of digital assets outside the purview of your company’s IT security staff. In other words, it’s the pieces of your digital footprint you don’t know about which create the attack surface here.
Shadow IT takes many forms from microsites and subdomains to social media profiles and subscriptions to cloud-based services. When neglected or poorly constructed, it has the potential to become a significant vulnerability in your digital environment. For example, a piece of software that is installed may have security flaws.
On its own, shadow IT is not malicious. Rather, its presence indicates that your company’s internal tech needs are not being met. Shadow IT may develop when:
Shadow IT can be hard to track down, so we recommend the DIME approach: discover, inventory, manage and enforce security policy.
A comprehensive assessment of your digital footprint will identify the presence of unauthorized or unknown digital assets.
Taking inventory informs your enterprise security plan to accommodate the attack surface newly discovered assets may have created. Digital asset types include hosts, domains, websites, certificates, and third-party applications.
Manage by first understanding what assets exist and why. Then, either bring the asset under the purview of IT or remove it. Shadow IT forms when employees cannot rely on your IT group to achieve the solution they need. Therefore, create and implement procedures for efficiently and effectively introducing new IT element in your digital footprint.
Ultimately, Shadow IT is an opportunity to reveal the areas where your IT policy and digital environment need to evolve to better meet the needs of your team.
Your digital footprint reflects the nature of the modern online landscape: interconnected, shifting, and the aggregate of many people’s actions. The largest security vulnerabilities occur when organizations fail to consider how their digital assets are being impacted by other players. Whether propagated by internal or external actors, things like third-party threats, rogue threats and shadow IT create three often-missed faces of the modern digital footprint.
The shifting nature of cyberspace presents an unparalleled challenge to visualizing a company’s attack surface fully.
We encourage you to check out our webinar on Understanding and Taking Action on Risks Associated with Your Digital Footprint.
You’ll also find our guide on the anatomy of a digital footprint useful in evolving your company’s IT security paradigm.
Finally, got questions? Reach out and let us know what we can do for you.
The #Magecart supply-chain attack frenzy continues with AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS, and Picreel falling victim https://t.co/b7UWqL2PzW #BrowserThreats
Regarding Forbes: the skimmer was customized for Forbes, it wasn't an automated attack. Here's the rest of the infrastructure (not just for Forbes) they've been setting it up since January:
Fascinating learning about the cyber attacker's playbook from Yonathan Klijnsma: step 1: gain entry. 2. more reconnaissance 3. Theft, then profit #transportsecurity #TSC
Today at the #TransportSecurityCongress, RiskIQ's
@ydklijnsma spoke about the #Magecart breach of British Airways, which you can read more about here: https://t.co/cPqEqVVllj (Photo credit @SmartRailNews)
Context is everything! Here's how using Tags and Classifications in @RiskIQ PassiveTotal can get your team aligned and supercharge your investigations https://t.co/Wk5OfBZPu2 #ThreatHunting