To state a few universal truths in Digital Threat Management:
Despite common knowledge of these facts, practitioners of Digital Threat Management still often find themselves faced with a choice that, in reality, they don’t have to make: (A) a comprehensive approach to digital threat detection that risks unleashing a flood of alerts, or (B) a limited, narrowly focused approach that reduces alerts to a manageable trickle, but at the expense of visibility into the big picture and of the ability to detect and react to what’s coming tomorrow.
The truth is, it’s not a binary choice. The most effective Digital Threat Management programs don’t just balance the perils of both extremes and learn to live with something in the middle. Instead, they create a third path that captures the benefits of each approach. With the right tools in place, casting a wide net doesn’t have to mean biting off more than you can chew or letting important alerts get lost in the noise. Conversely, acknowledging the realistic day-to-day workload your security team can handle doesn’t have to mean putting on blinders and ignoring vast swaths of data on potential digital threats.
The key is using automation to group threats by key risk factors, so that analysts can dedicate their time to the issues with the highest impact on the business. By coupling priority-driven filtering and sorting with automated, continuous monitoring of digital threats, you get broad coverage and a workload the team can actually keep up with.
RiskIQ’s Digital Threat Management platform is designed to facilitate this third path:
The result is that your team uses automatically gathered data about digital threats to intelligently and efficiently work through alerts according to their current importance to the business, rather than just working through them in the order they were received.
To illustrate this approach in action, I will show how we use our own products at RiskIQ to manage our digital presence, including monitoring for domain threats. The sheer number of suspicious domains and subdomains exploiting brand names is one of the biggest challenges for any organization to manage. The problem has grown worse in recent years due to the opening of thousands of new gTLDs, the growth of free and extremely cheap domain registration services, and the increasing popularity of subdomain infringement and attack techniques such as domain shadowing. Because of the potentially high volume of alerts, being able to drill down from a large set of candidates to quickly identify which domain threats truly demand your time and attention is crucial.
Logging into our RiskIQ workspace, I see in the dashboard that there are 165 domain threats I have not yet investigated. Clicking on that number takes me to view those domain infringement events.
Fig-1 Domain threats in the RiskIQ dashboard
Before I click on any events in the list, I use the quick filters to narrow my search to high-priority risks. The first attribute I look for is look-alike domains that are not only registered but also currently serve live website content, and thus may be in use for phishing or other fraudulent purposes.
That filter cuts my list from 165 to 109. I can go further, however, by also excluding generic parking pages from that list. Of the 109 domains that returned an HTTP response, only 61 resolved to a page with something other than a generic parking page.
Fig-2 Narrowing it down to “priority risks”
Left with 61 domains to look at, I quickly check whether any of them display my logo in the content of the page, but no domains fit that criterion.
Fig-3 61 pages resolving to something other than a generic parking page
Instead, I open another quick filter on the left to check how many of those domains or hostnames contain an exact match to one of my brand names, rather than the broader set that also includes close misspellings.
Fig-4 Only my top risks are left
From 165 all the way down to 2 in a couple of clicks: I have now identified the top risks to review first.
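As an added worked example (not RiskIQ’s code or the platform’s internal logic), the following Python script reproduces the same filter funnel on a constructed set of candidate domain records: live HTTP content first, then exclusion of generic parking pages, then a logo check and an exact brand-name match. The brand token `riskiq`, the parking-page phrase list, the edit-distance threshold used to separate misspellings from exact matches, and the sample records are all assumptions made for the example. The brand check also handles the subdomain-shadowing case mentioned above, where the brand token sits inside a hostname under someone else’s domain.

```python
"""Added example: a triage funnel for look-alike domain alerts.

Not RiskIQ's code. It applies the same ordered filters as the walkthrough
(live HTTP content -> not a parking page -> logo present / exact brand match)
to a small constructed set of candidate records and reports how many
survive each stage, so the analyst's queue shrinks from every alert to the
handful worth opening first.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Brand token(s) to protect; an assumption made for this example.
BRANDS = ("riskiq",)

# Phrases typical of registrar parking pages (heuristic; an assumption).
PARKING_MARKERS = (
    "this domain is for sale", "buy this domain", "domain parking",
    "parked free", "related searches",
)


@dataclass
class Candidate:
    """One infringement alert: hostname plus what a fetch of it returned."""
    hostname: str
    http_status: Optional[int]      # None = no HTTP response at all
    body: str = ""                  # page text captured by the crawl
    logo_hash_seen: bool = False    # image hash of our logo found on the page


def has_live_content(c: Candidate) -> bool:
    """Registered AND serving something (2xx/3xx), not just a DNS record."""
    return c.http_status is not None and 200 <= c.http_status < 400


def is_parking_page(c: Candidate) -> bool:
    """Crude parking-page detector; good enough to drop the obvious ones."""
    text = c.body.lower()
    return any(marker in text for marker in PARKING_MARKERS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to separate misspellings from exact matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_match(hostname: str, brands=BRANDS) -> Optional[str]:
    """'exact' if a label piece equals a brand (this also catches sub-domain
    shadowing such as riskiq.com.evil.net), 'lookalike' for close
    misspellings (edit distance <= 2 on pieces of 5+ chars), else None."""
    pieces = [p for p in re.split(r"[.-]", hostname.lower()) if p]
    if any(b in pieces for b in brands):
        return "exact"
    for b in brands:
        for p in pieces:
            if len(p) >= 5 and levenshtein(p, b) <= 2:
                return "lookalike"
    return None


def triage(cands, brands=BRANDS) -> dict:
    """Run the funnel and return stage counts plus the final short list."""
    live = [c for c in cands if has_live_content(c)]
    content = [c for c in live if not is_parking_page(c)]
    with_logo = [c for c in content if c.logo_hash_seen]
    exact = [c for c in content if brand_match(c.hostname, brands) == "exact"]
    return {
        "total": len(cands),
        "live": len(live),
        "not_parked": len(content),
        "logo": len(with_logo),
        "exact_brand": len(exact),
        "top_risks": sorted(c.hostname for c in exact),
    }


# Constructed sample alerts (not real crawl data).
SAMPLE = [
    Candidate("riskiq-login.com", 200, "Sign in to your RiskIQ account to continue"),
    Candidate("riskiq.support", 200, "Account verification required"),
    Candidate("r1skiq.net", 200, "This domain is for sale. Buy this domain today."),
    Candidate("rsikiq.com", None),                       # registered, no web server
    Candidate("riskiq-secure.com", 404, "Not Found"),
    Candidate("riskiqq.com", 200, "Coming soon"),
    Candidate("risk-iq.com", 200, "Related searches: security. Parked free by the registrar."),
    Candidate("riskiq.com.cdn-refresh.net", 200, "Reset your password", logo_hash_seen=True),
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for stage in ("total", "live", "not_parked", "logo", "exact_brand"):
        print(f"{stage:>12}: {result[stage]}")
    print("open first :", ", ".join(result["top_risks"]))
```

The order of the stages is the point: cheap, high-signal filters (does it answer at all, is it just a parking page) run first, and the expensive or noisy checks (logo image hashing, fuzzy brand matching) run only over what survives. A 2xx response on its own is a weak signal, which is why the exact-brand filter, not the live-content filter, decides what gets opened first.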
After I investigate these two digital threats, I can then move on to other threat groups of interest, including:
RiskIQ continuously detects new infringing domains and subdomains related to my brands and automatically tracks changes to all of them over time. Automated discovery and monitoring give me both top-level visibility into my organization’s overall domain-threat risk posture and the context I need about how each domain is being used by the third party who owns it, so that I can prioritize digital threats intelligently and dedicate resources where they matter.