Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Online security measures to protect organizations on the Internet were shown to be wanting again in 2018 – the same bad news about security outside the firewall that we’ve received the year before, and the year before that.
It took just 22 lines of malicious code to expose customer payment data for 380,000 British Airways booking transactions. Hackers accessed the personal data of millions of Starwood guests. And these were only two of the 21 major hacks in 2018.
All this leads to one conclusion: The traditional approach to online security is dead. In the past, cybersecurity focused on inward-facing strategies and solutions—everything inside the firewall. However, this approach ignored the Internet-facing attack surface: everything beyond the firewall, a varied collection of client-facing assets that hackers can and will discover as they research their next threat campaigns, as well as impersonating assets created to dupe users into giving up sensitive personal and corporate information.
A more outward-facing approach utilizing attack surface management (ASM) is now required to protect your business.
So, what exactly is ASM? How will it improve your cybersecurity efforts? We’ll go over three ways you can modernize your online security and mitigate cyber threats in the new year with ASM.
ASM deals with two overarching areas of cybersecurity:
This may sound simple enough, but the ramifications are momentous.
Traditional cybersecurity is like a wall around a castle: A hard perimeter is created as the primary means to identify and deal with intrusions. This is a reactive approach as threats are identified either at your network’s firewall or by internal security scans.
However, today we have more Internet-exposed assets than ever before across web, mobile, and social channels. Many are hosted on platforms that sit outside the organization’s control and therefore outside the scope of existing security investments. Many are unknown to the security team and therefore not under management from a security perspective. The result is plenty of low hanging fruit on which cyber-criminals can feast.
While defending what you own is essential, it’s not sufficient in and of itself. Many successful cyber-attacks don’t try to exploit weaknesses in your assets but instead, take advantage of the behaviors of your employees and customers. Cyber-criminals create rogue assets that look like you to deceive employees and customers into giving up sensitive information or downloading malware.
Cybersecurity must be both more proactive and far-reaching in its approach to identifying and mitigating potential threats before they can attack. That could involve proactively addressing the security weaknesses in the things you own or identifying and taking down rogue assets before they can be used in a campaign. These two needs form the fundamental basis for ASM.
The first step in understanding your attack surface is to discover and inventory all your exposed digital assets. While many of these assets are known to the security team and sit firmly within their security program, there is often a significant percentage of assets that don’t.
These unknown assets could be as a result of what is known as shadow IT, where the business creates or outsources the creation of their own digital assets, or they could be assets a business acquires from mergers and acquisitions. Occasionally, internal assets are inadvertently exposed through misconfiguration or old assets are forgotten and drop off the radar. In any event, these unknown assets represent a real risk to the business, as they are unmonitored and unmanaged from a security perspective. We see time and time again in high-profile breaches that the way in was through one of these unknown unmanaged assets.
Once inventoried, assets must be assessed for compromise or potential weakness with the most severe issues prioritized and subsequently addressed. Over time, this process will harden your attack surface, making you a less attractive target.
Once you have a “white list” of owned assets, you can more easily detect and distinguish rogue assets impersonating your brand. While not all instances of brand infringement are malicious, all must be identified and assessed in a timely fashion. Examples of rogue assets include infringing domains, phishing pages, fake websites, fake mobile applications, and fake social media accounts and profiles.
Of course, all the front-end security work you do will not eliminate the need for an ongoing assessment of your attack surface. Attack surfaces are continually changing—RiskIQ finds on average a five percent change in an organization’s owned Internet-facing assets per month. Rogue assets are often created to support a malicious campaign and taken down by threat actors only a few days, or even a few hours, later. Without continuous monitoring and assessment, your situational view can be markedly different from reality. In the past, IT security risk has been calculated by undertaking an evaluation at a point in time. While that may be sufficient for assets inside the firewall, it is wholly inadequate for assessing the risk of your Internet attack surface.
It’s a similar story for company-created mobile applications. Organizations place security tested apps in the primary app stores and assume their job is done. Most fail to understand the complexity of the app store ecosystem with its hundreds of app stores and the movement of inventory that takes place across those stores. Those apps you placed in two stores can overtime be found in dozens of stores. Along the way, some of those apps can be modified by malicious actors. Without regular policing and inspection of your mobile apps, there is no guarantee that your users are getting the experience you intended.
We outlined the risks associated with rogue assets earlier. Rogue assets are created by cybercriminals to support a campaign; i.e., a typosquatting domain hosting a fake website, fake social media accounts, mobile apps and malicious ads all directing users there. By detecting these assets promptly and taking them down, campaigns of this type can be disrupted in the setup phase or the early stages of the execution phase. The challenge is to find these assets promptly across the vastness of the internet. The days when this could be done by people has passed – today organizations require solutions using infrastructure and advanced machine intelligence along with timely processes to assess the generated events and take action.
Online security solutions monitoring your network and endpoints are continually serving up suspicious indicators pointing to assets residing on the Internet. Threat Intelligence reports regularly detail threat actors and their tactics along with details of some of their infrastructure. The rogue assets that we covered earlier are hosted on infrastructure that is connected to other adversary owned infrastructure. The challenge for most organizations is how to quickly assess what they are dealing with so they can take appropriate action. It’s not enough to take defensive action against one URL or IP address when that is only a small part of what could hurt you. It’s important to know what else that asset is connected to – in other words, the entire bad neighborhood.
Because hackers can’t avoid interacting with core components of the internet, they leave a trail over time. Fortunately, there are organizations like RiskIQ that monitor those changes to create global Internet datasets that threat hunters can use to connect the dots to map out adversary infrastructure.
As much as this requires the right technology and tools, to modernize your online security also means implementing the philosophy and mindset necessary for today’s threat hunter.
You can no longer wait behind a firewall for your enemies to come to you. Instead, you must take the fight to them.
Thankfully, big data sets will help identify emerging security threats before they find you. Sophisticated web crawlers can interact with thousands of websites every day and, by employing virtual user emulation, collect massive amounts of data for analysis.
Advanced correlation algorithms can then detect patterns of malicious behavior undetectable by the manual processes used in the past. Also, these breadcrumb databases of internet activities will produce more effective incident reports to help avoid future problems.
Just as your digital assets are spread across a wide area, the same is often true for IT security departments. When staff becomes increasingly disparate, the tendency to silo information can be even more pronounced.
Effective communication is key on a variety of fronts including security updates and threat identification.
These lines of communication extend beyond just IT personnel. News about emerging threats must be continually disseminated throughout the organization. After all, each employee is also a network entry point which creates the potential for anyone to become an unwitting attack vector. The proper training must be implemented to help everyone avoid phishing, spear phishing, and other attacks utilizing human assets.
The internet landscape will continue to be dynamic. This means that waiting for threats to come to your firewall perimeter is no longer a viable option.
Your cybersecurity must constantly be evolving and include all three elements of an effective threat-hunting strategy:
This proactive approach to ASM is not a luxury; it’s a necessity.
Ready to modernize your security? Contact RiskIQ today to learn more about proactively planning and executing your company’s digital threat management.
Get your #RSAC 2020 party started by joining RiskIQ at IGNITE, hosted by @FlashpointIntel! Register now: https://t.co/XhmW7kUCY8
Now you can see why we named it Magecart 🙃 it’s where it started in 2014. A group normally skimming data through Mage.php when a cart checkout is done, started pioneering a client-side JS skimmer.
The rest of the story can be read in our 2018 report: https://t.co/aGlU984pTU https://t.co/AwDlwdb36p
Based on data from @riskiq it appears this campaign by the Russian GRU to hack and breach Burisma in Ukraine started around 11-11-2019 (and possibly earlier) with the registration of the domain kub-gas[.]com cc @Ushadrons @file411 @IdeaGov #infosec #phishing #malware #disinfo
RiskIQ is excited to announce that growth expert Christophe Culine has joined our team as Chief Revenue Officer, leading our sales organization to great things in 2020 and beyond https://t.co/DYCAOfYeIa
RiskIQ's @ydklijnsma was on @DarknetDiaries to talk about the global phenomenon of #Magecart. Listen in on how credit card skimming on online purchases is happening—and happening often.