External Threat Management

Why We’re Different: The RiskIQ Internet Intelligence Graph

The internet is like a tapestry that's ever-expanding in all directions. Each of its components—websites, IP addresses, components, frameworks, and code—is an individual thread, and all of them are woven together to create the web as we know it. Being a part of this tapestry isn't a choice; if you have an internet presence, you are interwoven with every other entity on the web, including attackers. Those who understand how these connections work, good guy or bad guy, are the ones who win.

This is the first of an eight-part blog series exploring what makes RiskIQ different in a crowded, noisy market. The first differentiator we'll outline is RiskIQ's Internet Intelligence Graph.

Graphing the internet and its relationships

Extending security and IT protection outside the firewall requires mapping these billions of relationships between the internet components belonging to every organization, business, and threat actor on Earth. RiskIQ built our Internet Intelligence Graph to prepare enterprises for this reality by enabling them to discover unknowns across their attack surface and investigate threats to their organization.

For more than ten years, RiskIQ has been crawling and absorbing the internet to define the web's identity and composition by fingerprinting each component, connection, service, IP-connected device, and infrastructure to show customers how they—and attackers targeting them—fit within it. Our global sensor network continuously extracts, analyzes, and assembles internet data, updating each customer's unique Intelligence Graph with both current data and a 10-year history.

So, what does it take to build this Graph and know your real attack surface?

No-agent virtual users: Building the Graph at an enormous scale

RiskIQ's proprietary network of crawlers are "virtual users" that simulate human-web interactions and the full composition of internet assets—no agent required. The human-web simulation is the most scientific method for absorbing internet intelligence, namely causes and effects. By interacting with digital and internet assets, our virtual users can extract every attribute that makes up the asset's behavior, including its edge (relational) behaviors.

Human-like behavior: Act natural to evade detection

To avoid detection, RiskIQ's virtual users deploy from hundreds of rotating proxies worldwide, emanating from a combination of residential, commercial, and mobile egress points. Each of these is highly configurable to emulate a wide range of specific human-like behaviors such as scrolling and clicking. They also imitate popular browsers, devices, applications, and operating systems. For example, having the ability to simulate a mobile phone browser in the region in which it's being targeted means the RiskIQ crawlers have a higher likelihood of observing the full exploitation chain.

Mass scanning: Soaking up the internet to build the Graph

RiskIQ collects data at an unmatched scale. Our systems conduct daily scans of more than 228 unique ports and service banners across the entire IPv4 space to collect host data, including when it was first and last seen, service banners, and much more. Each day, RiskIQ's network of virtual users makes billions of HTTP requests, takes in terabytes of passive DNS data, and collects millions of components such as SSL certificates, tracking codes, and cookies. RiskIQ is currently mapping 157 billion relationships across the internet.

Infrastructure chaining: Connecting the dots to illuminate the Graph

Web pages are made up of many different remote resources that get assembled to form a cohesive user experience. RiskIQ collection keeps the full HTML of a web page, saving any dependent file used in its loading process—document object model (DOM), links, console messages, cookies, headers, independent requests, JavaScript, and other files. With this information, RiskIQ can link infrastructure showing the interconnectivity of different entities across the web, identifying dependencies and pathways of each web asset.

This unparalleled collection allows RiskIQ to build unmatched data sets, some of which are entirely unique to us, including:

  • SSL Certificate History
  • Trackers
  • Host Pairs
  • Web Components
  • Cookies

Read more about RiskIQ data sets here.

Having a database of these components enables infrastructure chaining, which leverages the highly connected nature of the internet to expand one IOC into many based on overlapping details or shared characteristics. Building infrastructure chains enables RiskIQ to create an accurate view of our customers' digital presence to define their attack surface and discover unknown assets. It does the same for an adversary's digital presence, letting threat hunters quickly pivot across these data sets to create context around an incident or investigation, allowing for more effective triage of alerting and actioning of incidents within an organization.
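An added illustration of the chaining idea described above (not RiskIQ's code or data): a breadth-first pivot from one seed host across constructed observations, skipping attributes that appear on too many hosts to indicate shared ownership. The hostnames, attribute values, and the max_fanout cutoff are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample observations: hostname -> set of (data set, value).
# Hostnames use the reserved .example TLD; every value is made up.
OBSERVATIONS = {
    "login-portal.example": {("ssl_cert", "cert-A"), ("tracker", "trk-111")},
    "cdn-assets.example": {("ssl_cert", "cert-A"), ("cookie", "sess_x9")},
    "pay-update.example": {("cookie", "sess_x9"), ("component", "jquery")},
    "news-site.example": {("component", "jquery"), ("tracker", "trk-999")},
    "blog.example": {("component", "jquery")},
    "shop.example": {("component", "jquery"), ("tracker", "trk-999")},
}


def build_index(observations):
    """Invert host -> attributes into attribute -> hosts for pivoting."""
    index = defaultdict(set)
    for host, attrs in observations.items():
        for attr in attrs:
            index[attr].add(host)
    return index


def chain(seed, observations, max_fanout=3):
    """Expand one seed host into related hosts via shared attributes.

    Returns {host: path}, where path lists the (attribute, host) pivots that
    led from the seed to that host. Attributes seen on more than max_fanout
    hosts (a common library, a shared CDN certificate) are skipped, because
    they would link unrelated infrastructure into the chain.
    """
    index = build_index(observations)
    found = {seed: []}
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        for attr in sorted(observations.get(host, ())):
            peers = index[attr]
            if len(peers) > max_fanout:
                continue  # too common to be evidence of shared control
            for peer in sorted(peers):
                if peer not in found:
                    found[peer] = found[host] + [(attr, peer)]
                    queue.append(peer)
    return found
```

Keeping the pivot path for each host lets an analyst see which shared certificate or cookie justified each link before acting on it.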

Historical data: Looking back to see what's changed—and how

RiskIQ collection preserves what a page looked like each time it was crawled, so we know how pages have changed, including if they've been compromised. Many webpages are fluid and may change hundreds of times after their initial load—some are just shells that only become populated after a user has requested the page. RiskIQ not only keeps the full HTML content from the crawled page but our systems also save any dependent file used in the loading process to be able to

Tap into the Internet Intelligence Graph

The rush to migrate to the cloud and warp-speed adoption of web, mobile, and social platforms badly exposed the limitations of internal network security controls. The COVID-19 pandemic, which has scattered workforces and business operations across the country, has made these controls almost obsolete and an Internet Intelligence Graph imperative.

Attackers now have far more access points to probe or exploit, with little-to-no security oversight. Meanwhile, IT is feverishly standing up new systems, new access, and new channels and likely succumbing to human error, such as critical misconfigurations.

Lots of "outside the firewall" security companies claim to give you visibility into this new dispersed and rapidly growing internet attack surface. Unfortunately, they only have a cursory view of the web and only know about known assets their customers provide them.

RiskIQ deeply understands the internet and how its threads weave together. With RiskIQ's Internet Intelligence Graph, customers have access to a pre-computed relationship database of internet intelligence updated daily. Tapping into the Graph provides a full picture of the entire internet to show your own organization's internet attack surface, including known, unknown, and attacker-owned assets. This view includes external third-party infrastructure and resources your organization, users, and customers depend on.

To learn more about the Internet Intelligence Graph and how RiskIQ can help you understand your attack surface, register for a free demo here.
