February 8, 2019, Team RiskIQ
To keep up with the breakneck speed of modern business, organizations are moving customer and partner interactions online.
Unfortunately, increased risk of cyber attack and the associated consequences like data theft, operational disruption, brand erosion, and employee and customer compromise have become a natural side effect of this digital transformation.
With the boundaries between what’s inside the firewall and what’s outside becoming less and less discernible, an organization’s attack surface—everything it needs to worry about defending—now begins inside the corporate network and extends all the way to the outer reaches of the internet.
Internet visitors taking advantage of all these new digital touchpoints available to engage with brands are also in the crosshairs of hackers, who view their clicks, traffic, credentials, and computers as commodities to be harvested and traded and often use the brands they love as bait.
For security teams, the sheer depth and breadth of what they need to defend may seem daunting, but thinking about the Internet from an attacker’s perspective—a collection of digital assets that are discoverable by hackers as they research their next campaigns—can put the massive scope of their organization’s attack surface into perspective.
Here are five areas that we feel help to better frame the challenges faced in keeping the Internet a safe environment, all of which underline a need to broaden awareness of the potential risks involved to foster a more informed approach to cyber defense.
We deployed our web-crawling infrastructure, which each day executes and analyzes more than 2 billion HTTP requests, takes in terabytes of passive DNS data, collects millions of SSL Certificates, and monitors millions of mobile apps, to map the scope of this attack surface over two weeks.
Modern websites are made up of many different elements—the underlying operating system, frameworks, third-party applications, plug-ins, trackers, etc., all designed to deliver a user experience that people have come to expect, as well as reduce the time to market and derive maximum value from user interactions.
As in the PC environment, this commonality of approach is attractive to malicious actors as a successful exploit written for a vulnerability or exposure on one site can be reused across a large number of sites.
As an example, Content Management Systems (CMS) are popular amongst web developers for creating dynamic sites that are easy to maintain and update. Their ubiquity makes them a popular target for hackers as we’ve seen many times in the past.
Common Vulnerabilities and Exposures (CVEs) are classified by severity on a scale of 1 to 10 using the Common Vulnerability Scoring System (CVSS), where 7 to 8.9 represent high vulnerabilities and 9 to 10 represent critical vulnerabilities.
While some of these instances will have patches or other mitigating controls to prevent the identified vulnerabilities and exposures from being exploited, many will not.
Most organizations lack a complete view of their Internet assets. In our dealings with new customers, we typically find 30 percent more assets than they thought they had. There are two contributors to this lack of visibility that many organizations don’t think about: shadow IT and mergers and acquisitions (M&A).
Where IT can’t keep pace with business requirements, the business looks elsewhere for support in the development and deployment of new web assets. The security team is frequently in the dark with regards to these shadow IT activities and as a result, cannot bring the created assets within the scope of their security program.
Unmanaged over time, orphaned assets form an Achilles heel of an organization’s attack surface. They are not regularly patched or security tested and the operating systems, frameworks, and third-party applications of which they are comprised can quickly age and become vulnerable to common hacking tools. When you merge with another company, their vulnerabilities become your vulnerabilities.
Mergers and acquisitions often bring with them incomplete and inaccurate lists of public-facing digital assets that further exacerbate the problem. Digital assets can be broken down into many different types, each with associated risks that must be understood and managed. Some of the key asset types are hosts, domains, websites, certificates, third-party applications, and third-party components.
To highlight the scope of the challenge large organizations face in defending their digital assets, we conducted research on the FT30 basket of companies.
These assets comprise a large and complex attack surface that needs to be understood and actively managed to reduce the low-hanging fruit available for cybercriminals to exploit.
Social engineering through impersonation remains a top tactic for threat actors. Impersonating domains, subdomains, landing pages, websites, mobile apps, and social media profiles are all used, many times in combination, to trick consumers and employees into giving up credentials and other personal information or installing malware.
Apart from their own assets, organizations must be on the lookout for impersonating or affiliated assets created to target their customers and employees. Early detection and takedown of infringing assets is one of the most effective ways of disrupting targeted campaigns.
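To make the detection side of this concrete, here is an added example (not RiskIQ code) of the kind of check a monitoring pipeline can run over newly observed domains to flag ones that impersonate a brand. The brand name, its legitimate domain, the homoglyph table, and the candidate domains are all constructed for illustration; in practice the candidates would come from a feed such as passive DNS, certificate transparency logs, or new registrations, and the hits would be routed to a takedown workflow.

```python
"""Flag domains that impersonate a brand (added example, not RiskIQ code).

The brand, its domain and SAMPLE_CANDIDATES are constructed sample data.
"""
import unicodedata

# Common substitutions seen in look-alike domains. Assumed mapping for
# illustration only; multi-character keys come first so they fold before
# single characters.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
}


def fold(label):
    """Return (ASCII-folded label, number of non-ASCII characters in the label)."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    folded = ascii_only
    for src, dst in HOMOGLYPHS.items():
        folded = folded.replace(src, dst)
    return folded, sum(1 for c in label if ord(c) > 127)


def edit_distance(a, b):
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation_reason(brand, brand_domain, domain):
    """Return why `domain` looks like an impersonation of `brand`, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain == brand_domain or domain.endswith("." + brand_domain):
        return None  # the organisation's own host: an inventory question, not impersonation
    brand_folded, _ = fold(brand)
    # Every label except the TLD is checked. A real deployment would use the
    # Public Suffix List instead of assuming the last label is the suffix.
    for label in domain.split(".")[:-1]:
        folded, non_ascii = fold(label)
        if label == brand:
            return "brand name used as a label on a third-party domain"
        # Non-ASCII letters are dropped by the fold, so a confusable such as a
        # Cyrillic 'a' shows up as one missing character per substituted letter.
        if non_ascii and edit_distance(folded, brand_folded) <= non_ascii:
            return "unicode confusable"
        if folded == brand_folded:
            return "digit/letter substitution"
        if edit_distance(folded, brand_folded) == 1:
            return "typosquat"
        if brand_folded in folded:
            return "brand embedded in label"
    return None


def scan(brand, brand_domain, candidates):
    """Map each flagged candidate domain to the reason it was flagged."""
    hits = {}
    for candidate in candidates:
        reason = impersonation_reason(brand, brand_domain, candidate)
        if reason:
            hits[candidate] = reason
    return hits


# Constructed sample feed; "\u0430" is Cyrillic small a, visually identical to Latin a.
SAMPLE_CANDIDATES = [
    "login.acmebank.example",     # legitimate subdomain
    "acmebank.evil.example",      # brand as a label on someone else's domain
    "acrnebank.example",          # rn -> m
    "acmeb4nk.example",           # 4 -> a
    "acmebamk.example",           # one-letter typo
    "acmebank-login.example",     # brand embedded in a longer label
    "acmeb\u0430nk.example",      # Cyrillic confusable
    "acme.example",               # shares a prefix only, not flagged
    "weather.example",            # unrelated
]

if __name__ == "__main__":
    for found, why in scan("acmebank", "acmebank.example", SAMPLE_CANDIDATES).items():
        print(f"{found:32} {why}")
```

The checks are ordered from most to least specific so that each hit carries the most useful reason for an analyst; anything not flagged is simply omitted from the result, which keeps the output small when the feed is large.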
The general perception is that there are a small number of mobile app stores, but the reality is somewhat different. There are a large number of secondary and affiliate stores, primarily serving the Android market, that provide an opportunity for malicious actors to compromise legitimate apps and launch fake apps while hiding in the vastness of the app store ecosystem.
Organizations must do more to monitor the app store ecosystem for stores hosting their apps without permission and for apps impersonating their brand(s). Users should stick to the primary app stores where possible and be vigilant in researching apps they wish to download. They should question whether the developer looks legitimate, whether the user reviews indicate anything concerning, and whether the permissions being asked for seem excessive for the functionality the app needs to provide its service.
While spyware, ransomware and other forms of malware still proliferate, cybercriminals are augmenting their activities by stealing computer resources rather than information. With the exponential growth in the value of cryptocurrencies, crypto mining is now a lucrative pursuit.
The primary challenge facing cryptocurrency prospectors is that mining requires an extreme level of computing power, which can be prohibitively expensive — Fundstrat reported that the cost of mining a single Bitcoin reached about $8,038, and the cost of mining other coins is not far behind.
To get around this, actors siphon computing resources from unwitting users across the internet by hosting crypto mining scripts on highly visited websites, where the scripts then execute in the web browsers of visitors to those sites.
Some of the crypto mining scripts we found have been active for over 160 days, suggesting that organizations are failing to detect them.
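As an added example of how a crawler can surface this (not RiskIQ's own code or signatures), the script below walks a small set of constructed crawl records, pulls the inline and external scripts out of each page, and flags the ones that carry in-browser mining indicators. Each record also carries the first and last date the same content was observed, so the output shows how long a miner has been live on a site, which is the measure the finding above is based on. The indicator strings, the page HTML, the dates, and the hostnames are all constructed for illustration.

```python
"""Flag pages carrying browser crypto-mining scripts (added example, not RiskIQ code).

SAMPLE_RECORDS mimics what a crawler might store per fetched URL: the HTML body
plus the first and last date that script content was seen. All values are constructed.
"""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Generic indicators of an in-browser miner: pool protocol, CPU-bound hash
# function, worker/WebAssembly plumbing and throttling knobs. Assumed for
# illustration; a production ruleset would be far larger and tuned.
INLINE_INDICATORS = ("stratum", "cryptonight", "hashrate", "webassembly", "new worker(", "throttle")
URL_INDICATORS = ("miner", "mining", "cryptonight")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data  # script bodies may arrive in several chunks


def analyse_page(record):
    """Return a finding dict for one crawl record: miner flag, reasons, days active."""
    own_host = urlparse(record["url"]).hostname or ""
    parser = ScriptCollector()
    parser.feed(record["html"])
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        third_party = host and not (host == own_host or host.endswith("." + own_host))
        if third_party and any(k in src.lower() for k in URL_INDICATORS):
            findings.append(f"third-party script with mining indicator: {src}")
    for body in parser.inline:
        low = body.lower()
        hits = [k for k in INLINE_INDICATORS if k in low]
        if len(hits) >= 2:  # one keyword alone is too noisy; require corroboration
            findings.append("inline script with indicators: " + ", ".join(hits))
    days = (date.fromisoformat(record["last_seen"]) - date.fromisoformat(record["first_seen"])).days
    return {"url": record["url"], "miner": bool(findings), "findings": findings, "days_active": days}


def long_running_miners(records, min_days=30):
    """URLs whose miner has been observed for at least `min_days`, longest first."""
    results = [analyse_page(r) for r in records]
    hits = [r for r in results if r["miner"] and r["days_active"] >= min_days]
    return sorted(hits, key=lambda r: r["days_active"], reverse=True)


# Constructed crawl records; hostnames use reserved .example/.invalid names.
SAMPLE_RECORDS = [
    {"url": "https://news.example/index.html", "first_seen": "2018-08-01", "last_seen": "2019-01-15",
     "html": """<html><body><p>Headlines</p>
<script>
// injected miner (constructed sample)
var pool = "wss://pool.invalid/stratum";
var w = new Worker("/cn.js");   // cryptonight worker
w.postMessage({throttle: 0.5});
</script></body></html>"""},
    {"url": "https://shop.example/", "first_seen": "2019-02-01", "last_seen": "2019-02-03",
     "html": '<html><body><script src="//cdn.mining-host.invalid/miner.min.js"></script></body></html>'},
    {"url": "https://blog.example/post", "first_seen": "2018-06-10", "last_seen": "2019-02-05",
     "html": '<html><body><script src="https://analytics.example/tag.js"></script>'
             '<script>window.dataLayer = [];</script></body></html>'},
]

if __name__ == "__main__":
    for r in (analyse_page(rec) for rec in SAMPLE_RECORDS):
        print(f"{r['url']:36} miner={r['miner']!s:5} days_active={r['days_active']:4} {r['findings']}")
```

Running this over the sample records flags the news site (an inline miner present for 167 days in the constructed data) and the shop (a third-party mining script seen for two days), and leaves the blog alone even though it also loads a third-party script, because nothing about that script or the page's inline code matches the indicator set.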
Traditionally, the security strategy of most organizations has been a defense-in-depth approach starting at the perimeter and layering back to the assets that should be protected. However, there are disconnects between that kind of strategy and the attack surface as presented in this report. In today’s world of digital engagement, users sit outside the perimeter along with an increasing number of exposed corporate digital assets—and the majority of the malicious actors. As such, companies need to adopt security strategies that encompass this change.
RiskIQ provides comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. RiskIQ’s platform delivers unified insight and control over external web, social, and mobile exposures.
Thousands of security analysts use RiskIQ to expedite investigations, monitor their attack surface, assess risk, and remediate threats. Learn how RiskIQ could help protect your digital presence by scheduling a demo today.