External Threat Management
July 30, 2020
When the Covid-19 pandemic forced businesses to shift overnight, even companies with robust cybersecurity measures were caught unprepared.
A massive influx in remote employees, coupled with a boom in hacker activity, forced businesses to overlook best practices in the name of immediate convenience. In some cases, that meant connecting employees to networks without proper safety precautions. Wider digital attack surfaces presented a bounty of opportunities to unscrupulous actors looking to steal money, data, or both.
By now, most organizations have taken steps to reduce their exposure to threats and have educated employees on the importance of staying vigilant while working from home. These short-term measures will not last forever, though, nor do they replace the need for sweeping change. The pandemic changed the face of cybercrime overnight. Now, businesses must not only round out their responses to the current crisis but start preparing for what comes next.
The RiskIQ Intelligence Connector for Microsoft Azure Sentinel Is the Context-Rich Force Multiplier Security Teams Need
July 23, 2020
Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evolved right alongside the digital presence of businesses and remains in flux as attackers continuously adopt new tools and tactics. With the paradigm for keeping organizations secure ever-changing, security teams have no choice but to adapt to the perpetual evolution of both the organizations they defend and the adversaries from which they protect them.
In this new dynamic age of cybersecurity, knowledge and context are power, and being mobile ensures survival. The security solutions that matter are automatic and integrate with existing investments. They also include a game-changing amount of context. The RiskIQ Intelligence Connector, the integration linking RiskIQ's Internet Intelligence Graph and Microsoft Sentinel, was built for this.
RiskIQ and Microsoft Sentinel Enable Next-Gen Security Teams
Microsoft Sentinel is a cloud-native, next-gen SIEM that transforms how security teams triage incidents in their organization. It's a force-multiplier for security teams that gives them unprecedented context and mobility. With just a few clicks, a business can be up, operating, and processing alerts to supercharge threat investigations and automate incident response to deal with threats at scale.
For RiskIQ, context and knowledge are everything. Our Internet Intelligence Graph absorbs internet data on a massive scale to continuously map the billions of relationships between internet-exposed infrastructure worldwide, providing in-depth knowledge of the internet and how organizations and threat actors fit into it. When this outside-the-firewall intelligence combines with firewall and endpoint telemetry data in Microsoft Sentinel, security operations teams have a full view of their organization's attack surface and unparalleled context around threats and security incidents.
July 17, 2020
The discussions in the coming days and weeks surrounding yesterday's large-scale compromise of verified Twitter accounts, including those of Joe Biden, Barack Obama, and Bill Gates, will likely be about how the attackers gained access to so many high-profile accounts at once. The sheer breadth of digital landscape this breach covered in such little time shocked the world and is sure to stoke concerns about who can access the means of disseminating information—or disinformation—to the masses.
However, while examining Twitter's internal security practices and controls is an important focus, it's also worth looking at the #Twitterhack from an external angle. Who were these actors, and why did they go through so much trouble to access those accounts? What did their cryptocurrency scam campaigns look like outside of the Twitter spotlight?
RiskIQ's Passive DNS data gives us our first clue. It shows us that domains belonging to these attackers were registered months or years ago, which means pretending to be famous brands and people to trick victims into giving up their cryptocurrency has been their MO since long before the fall of the blue checkmarks. Hacking Twitter was simply their latest—albeit their most successful—tactic to access a massive pool of potential victims and lend credibility to their phishing scheme. Before hacking verified accounts, this group may have been leaning on other dependable vehicles for scam victim acquisition, such as fake social media accounts, spam emails, and scam ads.
Next, tying together the phishing domains belonging to the attacker shows us the overall scope of the attack and which brands were getting impersonated. The Twitter hack itself made the most headlines, but RiskIQ researchers observed only one attacker-owned domain tweeted from a hacked verified account. However, from that one domain, we mapped out hundreds more that attackers didn't use on Twitter. They were likely using these in other attack vectors.
July 09, 2020
The average organization's digital presence has exploded in size. Even before COVID-19 spread their staff and operations outside the firewall, businesses were rapidly migrating to the cloud and increasing their use of web, mobile, and social platforms. This digital transformation expanded their attack surface beyond the scope of network security controls like firewalls, DLP, and network monitoring—and enabled attackers to exploit them in ways not possible before.
The security implications of the enterprise's digital footprint exploding beyond the firewall's friendly confines are clear. According to the Verizon Data Breach report, external-facing web applications, into which network security tools lack visibility, comprised the vector category most commonly exploited in hacking-related breaches. To defend against the now rampant phishing attacks, typosquat registrations, and misinformation spreading through websites, security teams need to think beyond cybersecurity. Instead, they should be taking a holistic view of defense, focusing on attack surface management.
Together, RiskIQ and Splunk Deliver Attack Surface Management
Attack surface management means having the technology to collect enough data to cover the entire scope of where your organization can be attacked—from the corporate network to the cloud to the edges of the open internet—and the technology to put it to use. The nexus of these two imperatives is RiskIQ's Apps and add-ons for Splunk.
RiskIQ has long held integrations with Splunk but has now brought our full suite of offerings to the Data-to-Everything platform. These integrations give SecOps teams several ways to access RiskIQ's Internet Intelligence Graph, which extracts terabytes of internet data to map the billions of relationships between internet-exposed infrastructure worldwide. This comprehensive data now combines with Splunk's search, monitoring, and analysis capabilities to deliver best-in-class attack surface management.
June 21, 2020
In 2020, threat prevention alone won't be enough. The COVID-19 pandemic has revealed cybersecurity cracks in thousands of companies, which won't go away now that the world—and the way we work—has changed forever.
The recent surge in cyberattacks in the wake of the COVID-19 pandemic exploits global anxiety around the pandemic and the patchwork work-from-home setups of suddenly-remote staff to hack organizations, infect them with ransomware, and attack their customers.
This unprecedented increase in opportunity for digital criminals has ushered in a new era of security, responsibility, and expectations for technical leaders. With breaches and other security incidents causing multi-million dollar losses, digital intelligence and cybersecurity have evolved from something of a maintenance cost into a full-fledged business input. CEOs and boards must know how their security postures affect their companies' trajectories.
CISOs now find themselves as acting generals in a new kind of war, one in which the digital revolution—and the coronavirus that has sent it into overdrive—have created a surge of new combatants. Advanced nation-state actors are prowling digital attack surfaces of western businesses. Iran's cyberattacks in response to U.S. strikes, Russia's ongoing digital intrusions, and China's ever-looming digital armies—American companies lose more than $57 billion per year as a result of Chinese attacks—are just a few examples. Meanwhile, large organized cyber syndicates, more about making money than gathering intelligence or stealing IP, are growing in scale and sophistication and continually probe businesses for weakness.
These bad actors work from home, too, and they are more than happy to take advantage of vulnerable or misconfigured remote access points and cloud assets, as well as shadow IT stood up outside the purview of security teams. To win this war and act as valuable assets to their companies, CISOs must become more proactive about threat detection and incident investigation—and be able to explain much more than the time and date of the attack.
May 15, 2020
As attack surfaces grow outside the corporate firewall, cybersecurity teams need to be able to do two things well and at scale: discover unknowns and investigate threats across their organization's digital presence. The basis of these two capabilities is always-on detection.
Reliable threat detection has never been more critical now that COVID-19 has changed the way we do business, spreading our operations and entire staff outside the corporate perimeter to the open internet and cloud. The rush to stand up new assets and systems to enable a remote workforce has led to an increase in shadow IT activities and potential access points for hackers—a 112% boost in VPN usage and 26.11% increase in Microsoft Remote Access Gateway instances, to name a couple.
With attack surfaces expanding quicker and more radically than ever before, and the threat landscape growing along with them, organizations need proactive threat detection that sees their entire digital presence for what it really is and, as importantly, never takes a break.
This post is the second of an eight-part blog series exploring what makes RiskIQ different in a crowded, noisy market. Today we'll outline RiskIQ's always-on detection.
Always-on detection requires full visibility
May 13, 2020
A modern organization's digital presence is a mosaic of internet-connected services—hardware, software, and digital supply chains. More internet services mean complexity goes up, and "non-standard" becomes the norm. However, while these digital services boost functionality, they can also unexpectedly change how organizations appear to attackers and, at any time, open up exposures across an attack surface. Just recently, the massive boost in VPN and remote access to enable staff forced to work from home has created an array of new access points for attackers to interrogate.
With your attack surface regularly in flux, keeping tabs on its composition as well as the infrastructure of attackers targeting it is one of the most challenging jobs facing security teams today. However, deep insight across the public internet makes it not only possible but also manageable.
Enterprise digital attack surfaces are dynamic, complicated, and hard to keep under control. They're a tangle of IP-connected devices and third-party dependencies across the web and in the cloud that continuously change, go out of date, and become exposed.
Many of these systems were stood up without the oversight of security teams and then forgotten, so they cannot be evaluated or pen-tested. Some were stood up to accommodate a suddenly homebound workforce, and IT teams, moving quickly, may have mistakenly misconfigured them. Others, like third-party shopping platforms, are entirely outside the purview of most organizations' security tools and can become vulnerable without anyone ever knowing.
May 07, 2020
The global response to COVID-19 revealed a host of new opportunities for threat actors, with FBI cybercrime reports quadrupling during the pandemic.
The mad dash by IT teams to stand up new systems outside the firewall to enable a remote workforce has expanded attack surfaces quicker and more radically than ever before. VPN usage surged 112%, and over just six weeks, RiskIQ noted a 26.11% increase in Microsoft Remote Access Gateway instances (peaking around March 20th when stay-at-home orders took full effect). Many of these access points were stood up outside of the security teams' purview, and two recent remote-code-execution vulnerabilities now put them at risk of being used in attacks.
Meanwhile, as concern over the outbreak was sweeping the globe, attackers got to work to take advantage of it. Phishing attacks immediately grew 350%, and hospitals and other healthcare facilities suffered an onslaught of ransomware attacks, 70% of which targeted smaller providers.
However, no crime technique has flourished during the pandemic quite like scams. RiskIQ noted 317k new websites related to 'COVID-19' or 'coronavirus' in the two weeks between March 9th and 23rd, and Google currently blocks 18 million COVID-19 scam emails daily. Many of these messages promise treatment or a cure for the virus, while others offer promotions, discounts, and free products. In RiskIQ's analysis of scam and spam messages, we encounter such subject lines as "Fight COVID-19 with $100 at Drive Thru!" and "The 3 plants you need to throw in your shopping cart to fight coronavirus." On a typical day, 30k of the emails we analyze send an executable file for Windows machines, which is a reliable indicator of malware.
To take the fight to the scammers, RiskIQ has launched the COVID-19 Internet Intelligence Gateway. The microsite is a one-stop cybersecurity resource center that includes a new crawl submission and lookup service that taps into RiskIQ's massive global crawling infrastructure to analyze and compile malicious URLs related to COVID-19.
April 21, 2020
The internet is like a tapestry that's ever-expanding in all directions. Each of its components—websites, IP addresses, frameworks, and code—is an individual thread, and all of them are woven together to create the web as we know it. Being a part of this tapestry isn't a choice; if you have an internet presence, you are interwoven with every other entity on the web, including attackers. Those who understand how these connections work, good guy or bad guy, are the ones who win.
This is the first of an eight-part blog series exploring what makes RiskIQ different in a crowded, noisy market. The first differentiator we'll outline is RiskIQ's Internet Intelligence graph.
Graphing the internet and its relationships
Extending security and IT protection outside the firewall requires mapping these billions of relationships between the internet components belonging to every organization, business, and threat actor on Earth. RiskIQ built our Internet Intelligence Graph to prepare enterprises for this reality by enabling them to discover unknowns across their attack surface and investigate threats to their organization.
For more than ten years, RiskIQ has been crawling and absorbing the internet to define the web's identity and composition by fingerprinting each component, connection, service, IP-connected device, and infrastructure to show customers how they—and attackers targeting them—fit within it. Our global sensor network continuously extracts, analyzes, and assembles internet data, updating each customer's unique Intelligence Graph with a current and 10-year history.