To keep up with the breakneck speed of modern business, organizations are moving customer and partner interactions online.
Unfortunately, increased risk of cyber attack and the associated consequences like data theft, operational disruption, brand erosion, and employee and customer compromise have become a natural side effect of this digital transformation.
With the boundaries between what’s inside the firewall and what’s outside becoming less and less discernible, an organization’s attack surface—everything it needs to worry about defending—now begins inside the corporate network and extends all the way to the outer reaches of the internet.
Internet visitors taking advantage of all these new digital touchpoints to engage with brands are also in the crosshairs of hackers, who view their clicks, traffic, credentials, and computers as commodities to be harvested and traded, and who often use the brands those visitors love as bait.
For security teams, the sheer depth and breadth of what they need to defend may seem daunting, but thinking about the Internet from an attacker’s perspective—a collection of digital assets that are discoverable by hackers as they research their next campaigns—can put the massive scope of their organization’s attack surface into perspective.
Here are five areas that we feel help to better frame the challenges faced in keeping the Internet a safe environment, all of which underline a need to broaden awareness of the potential risks involved to foster a more informed approach to cyber defense.
We deployed our web-crawling infrastructure, which each day executes and analyzes more than 2 billion HTTP requests, takes in terabytes of passive DNS data, collects millions of SSL Certificates, and monitors millions of mobile apps, to map the scope of this attack surface over two weeks.
Modern websites are made up of many different elements—the underlying operating system, frameworks, third-party applications, plug-ins, trackers, etc., all designed to deliver a user experience that people have come to expect, as well as reduce the time to market and derive maximum value from user interactions.
As in the PC environment, this commonality of approach is attractive to malicious actors: a successful exploit written for a vulnerability or exposure on one site can be reused across a large number of sites.
As an example, Content Management Systems (CMS) are popular amongst web developers for creating dynamic sites that are easy to maintain and update. Their ubiquity makes them a popular target for hackers, as we’ve seen many times in the past.
Common Vulnerabilities and Exposures (CVEs) are classified by severity on a scale of 1 to 10 using the Common Vulnerability Scoring System (CVSS), where scores from 7 to 8.9 represent high-severity vulnerabilities and scores from 9 to 10 represent critical vulnerabilities.
While some of these instances will have patches or other mitigating controls to prevent the identified vulnerabilities and exposures from being exploited, many will not.
Most organizations lack a complete view of their Internet assets. In our dealings with new customers, we typically find 30 percent more assets than they thought they had. There are two contributors to this lack of visibility that many organizations don’t think about: shadow IT and mergers and acquisitions (M&A).
Where IT can’t keep pace with business requirements, the business looks elsewhere for support in the development and deployment of new web assets. The security team is frequently in the dark with regard to these shadow IT activities and, as a result, cannot bring the created assets within the scope of its security program.
Unmanaged over time, orphaned assets form an Achilles heel of an organization’s attack surface. They are not regularly patched or security tested, and the operating systems, frameworks, and third-party applications of which they are comprised can quickly age and become vulnerable to common hacking tools.
When you merge with another company, their vulnerabilities become your vulnerabilities. Mergers and acquisitions often bring with them incomplete and inaccurate lists of public-facing digital assets, which further exacerbates the problem. Digital assets can be broken down into many different types, each with associated risks that must be understood and managed. Some of the key asset types are hosts, domains, websites, certificates, third-party applications, and third-party components.
To highlight the scope of the challenge large organizations face in defending their digital assets, we conducted research on the FT30 basket of companies.
These assets comprise a large and complex attack surface that needs to be understood and actively managed to reduce the low-hanging fruit available for cybercriminals to exploit.
Social engineering through impersonation remains a top tactic for threat actors. Impersonating domains, subdomains, landing pages, websites, mobile apps, and social media profiles are all used, many times in combination, to trick consumers and employees into giving up credentials and other personal information or installing malware.
Apart from their own assets, organizations must be on the lookout for impersonating or affiliating assets created to target their customers and employees. Early detection and takedown of infringing assets are one of the most effective ways of disrupting targeted campaigns.
The general perception is that there are a small number of mobile app stores, but the reality is somewhat different. There are a large number of secondary and affiliate stores, primarily serving the Android market, which give malicious actors an opportunity to compromise legitimate apps and launch fake apps while hiding in the vastness of the app store ecosystem.
Organizations must do more to monitor the app store ecosystem for stores hosting their apps without permission and for apps impersonating their brand(s). Users should stick to the primary app stores where possible and be vigilant in researching apps they wish to download. They should question whether the developer looks legitimate, whether the user reviews indicate anything concerning, and whether the permissions requested seem excessive for the functionality the app needs to provide its service.
While spyware, ransomware and other forms of malware still proliferate, cybercriminals are augmenting their cyber attacks by stealing computer resources rather than information. With the exponential growth in the value of cryptocurrencies, crypto mining is now a lucrative pursuit.
The primary challenge facing cryptocurrency prospectors is that mining requires an extreme level of computing power, which can be prohibitively expensive—Fundstrat reported that the cost of mining a single Bitcoin reached about $8,038, and the cost of mining other coins is not far behind.
To get around this cost, actors are siphoning computing resources from unwitting users across the internet by planting crypto-mining scripts on highly visited websites; the scripts then execute in the web browsers of visitors to those sites.
Some of the crypto-mining scripts we found have been active for over 160 days, suggesting that organizations are failing to detect them.
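A crypto-mining script that survives for 160 days is, from the site owner’s side, an external script that nobody inventoried. The following is an added example (not RiskIQ’s code or tooling) of the defensive check a site owner can run: extract every third-party `<script src>` origin from a crawled page, record the date each origin was first seen, and flag origins that are not on a reviewed allowlist together with how many days they have been present. The HTML, the page URL, the hostnames and the dates are all constructed for the example.

```python
"""Third-party script inventory with first-seen tracking (added example)."""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def external_script_origins(html, page_url):
    """Return the set of hosts serving scripts that are not same-origin with the page."""
    collector = _ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).netloc.lower()
    origins = set()
    for src in collector.sources:
        # Protocol-relative URLs ("//host/x.js") inherit the page's scheme.
        parsed = urlparse(src, scheme=urlparse(page_url).scheme)
        if not parsed.netloc or parsed.netloc.lower() == page_host:
            continue  # relative path or same-origin script: not third party
        origins.add(parsed.netloc.lower())
    return origins


def update_inventory(inventory, observed, today):
    """Add newly observed hosts to inventory (host -> first_seen) and return them."""
    new_hosts = []
    for host in sorted(observed):
        if host not in inventory:
            inventory[host] = today
            new_hosts.append(host)
    return new_hosts


def review_findings(inventory, allowlist, today, max_age_days=30):
    """Flag every inventoried host not on the allowlist; oldest unreviewed first."""
    findings = []
    for host, first_seen in inventory.items():
        if host in allowlist:
            continue
        age = (today - first_seen).days
        findings.append({"host": host, "days_present": age,
                         "overdue": age > max_age_days})
    return sorted(findings, key=lambda f: f["days_present"], reverse=True)


# Constructed sample: one same-origin script, one allowlisted vendor,
# one protocol-relative unknown host, and one unknown host seen months ago.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.approved-vendor.example/lib.js"></script>
<script src="//another.example/x.js"></script>
<script src="https://stats.unknown-vendor.example/m.js"></script>
</head><body><script>var inline = 1;</script></body></html>
"""
ALLOWLIST = {"cdn.approved-vendor.example"}


def run_example(today=date(2020, 4, 8)):
    """Crawl the sample page against a prior inventory and return review findings."""
    # Hypothetical prior inventory: the unknown host was first seen on 2019-10-01.
    inventory = {"stats.unknown-vendor.example": date(2019, 10, 1)}
    observed = external_script_origins(SAMPLE_HTML, SAMPLE_PAGE_URL)
    update_inventory(inventory, observed, today)
    return review_findings(inventory, ALLOWLIST, today)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Running the inventory daily and alerting on `overdue` findings turns a 160-day-old unreviewed script into a 31-day-old one at worst; pairing it with a Content-Security-Policy `script-src` restricted to the allowlisted origins stops unreviewed scripts from executing at all.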
Traditionally, the security strategy of most organizations has been a defense-in-depth approach starting at the perimeter and layering back to the assets that should be protected. However, there are disconnects between that kind of strategy and the attack surface as presented in this report. In today’s world of digital engagement, users sit outside the perimeter along with an increasing number of exposed corporate digital assets—and the majority of the malicious actors. As such, companies need to adopt security strategies that encompass this change.
RiskIQ provides comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. RiskIQ’s platform delivers unified insight and control over external web, social, and mobile exposures.
Thousands of security analysts use RiskIQ to expedite investigations, monitor their attack surface, assess risk, and remediate threats. Learn how RiskIQ could help protect your digital presence by scheduling a demo today.
RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.