To state a few universal truths in Digital Threat Management:
Despite common knowledge of these facts, practitioners of Digital Threat Management still often find themselves faced with a choice that, in reality, they don’t have to make: (a) a comprehensive approach to digital threat detection, at the risk of unleashing a flood of alerts, or (b) a limited, narrowly focused approach that reduces alerts to a manageable trickle but at the expense of visibility into the big picture and of the ability to detect and react to what’s coming tomorrow.
The truth is, it’s not a binary choice. The most effective Digital Threat Management programs don’t just balance the perils of both extremes and learn to live with something in the middle. Instead, they create a third path that optimizes the benefits of each approach. With the right tools in place, casting a wide net doesn’t have to mean biting off more than you can chew or letting important alerts get lost in the noise. Conversely, acknowledging the realistic day-to-day workload your cyber security team can handle doesn’t have to mean putting on blinders and completely ignoring vast swaths of data on potential digital threats.
The key is leveraging automation to group threats by key risk factors so that cyber security analysts can dedicate their time to issues with the highest impact to the business. By coupling priority-driven filtering and sorting with automated, continuous monitoring of digital threats, you can both have your cake and eat it too.
RiskIQ’s Digital Threat Management platform is designed to facilitate this third path:
The result is that your team uses automatically gathered data about digital threats to intelligently and efficiently work through alerts according to their current importance to the business, rather than just working through them in the order they were received.
To illustrate this approach in action, I will show how we use our own products at RiskIQ to manage our digital presence, including monitoring for domain threats. The sheer number of suspicious domains and subdomains exploiting brand names is one of the biggest challenges for any organization to manage. The problem has grown worse in recent years due to the opening of thousands of new gTLDs, the growth of free and extremely cheap domain registration services, and the increasing popularity of subdomain infringement and attack techniques like domain shadowing. Because of the potentially high volume of alerts, being able to drill down from a large set of candidates to quickly identify which domain threats truly demand your time and attention is crucial.
Logging into our RiskIQ workspace, I see in the dashboard that there are 165 domain threats I have not yet investigated. Clicking on that number takes me to view those domain infringement events.
Fig-1 Domain threats in the RiskIQ dashboard
Before I click on any events in the list, I use the quick filters to narrow my search to high-priority risks. The first attribute I look for is look-alike domains that are not only registered but also currently have live website content associated with them, and thus may be in use for phishing or other fraudulent purposes.
That filter cuts my list from 165 to 109. I can go further, however, by also excluding generic parking pages from that list. Of the 109 pages that returned an HTTP response, only 61 resolved to something other than a generic parking page.
Fig-2 Narrowing it down to “priority risks”
Left with 61 more domains to look at, I quickly check if any of the domains contain my logo in the content of the page, but no domains fit that criterion.
Fig-3 61 pages resolving to something other than a generic parking page
Instead, I open another quick filter on the left to check how many of those domains or hostnames contain an exact match to one of my brand names (as opposed to either an exact match or a close misspelling).
Fig-4 Only my top risks are left
From 165 all the way down to 2 in a couple of clicks—I have now identified my top risks to review.
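The filter sequence walked through above, written out as an added example that is not RiskIQ's code: it assumes each alert carries a fetched page body and a logo-detection flag, constructs a handful of sample alerts, and separates exact brand-name hits from one-edit misspellings so the final quick filter can keep only the exact matches.

```python
# Added illustration of the triage walkthrough above, not RiskIQ code; alerts,
# brand list and parking-page markers are constructed for the example.
from dataclasses import dataclass

BRANDS = ("riskiq",)  # assumed protected brand names
PARKING_MARKERS = ("domain is for sale", "parked free", "buy this domain")

@dataclass
class DomainAlert:
    hostname: str
    http_status: "int | None"  # None: no HTTP response when fetched
    body: str                  # fetched page text (constructed)
    has_logo: bool = False     # result of an assumed logo-detection step

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to tell exact brand hits from near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_match(hostname: str) -> str:
    """'exact' if a brand appears verbatim in a label, 'near' if within one edit."""
    labels = hostname.lower().split(".")[:-1]  # ignore the TLD
    if any(b in lab for b in BRANDS for lab in labels):
        return "exact"
    if any(edit_distance(lab, b) <= 1 for b in BRANDS for lab in labels):
        return "near"
    return "none"

def triage(alerts: list) -> dict:
    """Quick filters in the order used above: live, non-parking, logo hits first, else exact brand hits."""
    live = [a for a in alerts if a.http_status is not None]
    content = [a for a in live if not any(m in a.body.lower() for m in PARKING_MARKERS)]
    with_logo = [a for a in content if a.has_logo]
    # With no logo hits, fall back to exact brand names; near misses wait for a later pass.
    top = with_logo or [a for a in content if brand_match(a.hostname) == "exact"]
    counts = {"total": len(alerts), "live": len(live), "non_parking": len(content),
              "logo": len(with_logo), "top": len(top)}
    return {"counts": counts, "top": [a.hostname for a in top]}

SAMPLE_ALERTS = [  # constructed, not real observations
    DomainAlert("riskiq-login.example", 200, "Sign in to your account"),
    DomainAlert("rlskiq.example", 200, "Enter your password to continue"),
    DomainAlert("riskiq-deals.example", 200, "This domain is for sale."),
    DomainAlert("riskiq-cloud.example", None, ""),
    DomainAlert("support.riskiq-help.example", 200, "Open a support ticket"),
]
```

Running `triage(SAMPLE_ALERTS)` reports the count left after each filter, so the same funnel the dashboard shows (165, 109, 61, 0, 2 above) can be reproduced over any exported alert list.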
After I investigate these two digital threats, I can then move on to other threat groups of interest, including:
RiskIQ continuously detects new infringing domains and subdomains related to my brands and automatically tracks changes to all of them over time. Automated discovery and monitoring give me both top-level visibility into my organization’s overall domain threat risk posture and the context I need about how each domain is being used by the third parties who own it, so that I can intelligently prioritize digital threats and dedicate resources effectively.