External Threat Management
January 23, 2020
RiskIQ agrees with most experts that Iran is likely planning additional cyber-attacks in the coming months to punish the U.S. for the airstrike that killed the Iranian Islamic Revolutionary Guard Corps (IRGC) Commander, Qasem Soleimani.
Below, RiskIQ's managed intelligence services team, comprised of former intelligence officers, assesses how state-sponsored threats from Iran can affect your business.
So far—in keeping with its modus operandi—Tehran's response to the attack has been measured and proportional. Four days after the strike, the IRGC launched numerous ballistic missiles at U.S. airbases in Iraq, inflicting minor casualties. According to the Washington Post, on January 8th, the head of Iran's Aerospace Force stated they "did not intend to kill... [instead, they] intended to hit the enemy's military machinery."
Historically, Iran has also conducted retaliatory attacks calibrated to maintain plausible deniability and avoid escalation. Attribution for cyber-attacks is difficult, making them a useful—and frequently used—countermeasure for Tehran.
Iran has a first-world cyber-attack capability
January 22, 2020
December 20, 2019
Imagine you were responsible for the protection of a building.
You'd probably start by analyzing its entire interior and exterior, mapping every square foot to determine what defenses you need to put in place and where. Along with your locks and alarms, you'd want to install a network of surveillance cameras positioned to give you real-time visibility of the entire structure, i.e., anywhere a burglar could possibly show up. It's a pretty clear-cut formula that, once implemented, ensures you're ready to defend against intruders.
Securing a building is a metaphor that's used in corporate cybersecurity often, and for a good reason—it's a straightforward way of characterizing network security controls. Your firewalls and proxies are your locks, and your scanners are your security cameras, letting you know everything that's going on within your network. Traditionally, these things would leave you in good shape cybersecurity-wise. However, the world is rapidly changing, and so is the threat landscape targeting businesses.
Due to cloud server migration, hosting, and other digital media initiatives, a business's digital presence no longer fits neatly behind its tightly secured perimeter. Its attack surface sprawls out across the open internet, outside the scope of firewalls and endpoint protection, as a collection of millions of digital assets laid bare for all to see, including hackers, as they research their next threat campaigns.
This new reality for security teams means that the building metaphor must take a turn for the absurd to still represent what they need to protect. Now, imagine that building you're guarding is not only growing larger every day, but also its rooms are changing, rotating, and reorientating in real-time. The map you made of your building yesterday is no longer relevant today—you’ve lost track of many of the rooms, and new, hidden rooms have sprung up.
It’s Time to Rethink Vulnerability Management. Welcome to the Age of Digital Attack Surface Management
December 18, 2019
For years, vulnerability management was synonymous with vulnerability scanning and pen-testing. These were the keys to understanding which of your organization's digital assets are susceptible to threats and where its vulnerabilities lie. However, widespread cloud migration and the explosive growth of the average business's online presence have fundamentally changed what security teams need to protect, leaving scanning and pen-testing far from sufficient.
Vulnerability management has been an exercise in navel-gazing, looking at our own assets' weak spots so we can close the shields. But once the whole IT footprint became a digital footprint—web, social, mobile, etc.—vulnerability scanning and pen-tests showed just how incomplete they were, unable to see beyond the network into that digital sphere. What was once a small area to defend is now an expansive digital attack surface, a universe of digital assets scattered across the web, cloud, and apps. It's only natural for exposures to go unnoticed on this fluid, digital attack surface.
Unfortunately, breaches via these internet-connected assets are happening at an unprecedented rate, many of them a result of assets compromised that organizations weren't aware even existed. How do we mitigate exposures and risks, when those exposures and risks are hidden in digital assets we cannot see? There must be an easier way.
It's time to think bigger than vulnerability management. Welcome to the age of digital attack surface management.
Vulnerability Management, Beyond Scanning
December 16, 2019
2020 will see organizations continue to shift digital interactions closer to customers and launch innovative methods for marketing, advertising, and selling their products online. While this will continue to bring great rewards for businesses, it will also increase risk over the coming year.
Cybercriminals always move to where the money is, whether it's mass cloud migrations, booming e-commerce, or a hot cryptocurrency market. The cybersecurity industry must respond to this development by working closely with businesses to develop new ways to keep the data of both organizations and consumers secure.
As the cybersecurity industry heads into a new year and a new decade, many of the threats we'll see will be an acceleration of the developments of previous years. Welcome to Infosec 2020, RiskIQ's predictions for the year ahead and beyond.
CISOs who can't attribute threats won't survive.
Security is now a business input, and CEOs want to know how their organization's security posture affects the business as a whole. With breaches and other security incidents causing multi-million dollar losses, the C-suite is asking their security teams for context around incidents. CISOs must invest in the talent and technology to answer questions like: How did we get targeted? Why are we an attractive target, and to whom? What other organizations did these attackers hit, and what about our business made us a target? What can we do to respond?
November 21, 2019
This Thanksgiving weekend, you can be sure that cybercriminals will be getting their fill, too.
In 2018, Black Friday pulled in a record $6.2 billion in online sales, a growth of 23.6% from 2017. Then, Cyber Monday became the most popular day for e-commerce sales ever, amassing $7.8 billion. With online spending this Black Friday and Cyber Monday projected to set yet another record in 2019, cyberattackers are showing that they're out to get a piece of the online shopping pie.
Already, these bad holiday actors are impersonating the brands of leading e-tailers and exploiting the poor security habits of consumers to fool shoppers looking for Black Friday deals, sales, and coupons. They're creating fake mobile apps and landing pages to trick users into downloading malware, visiting compromised sites, or giving up their login credentials and credit card information.
Meanwhile, Magecart, a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms, will thrive over Black Friday and Cyber Monday. Magecart is responsible for placing skimmers on scores of e-commerce sites, and RiskIQ is alerted to new Magecart breaches hourly. With this influx of e-commerce activity, Magecart actors will be working overtime.
To compile crucial intelligence for both consumers and brands around this season's Thanksgiving shopping weekend, RiskIQ developed our 2019 Black Friday E-commerce Blacklist report. The report analyzes the results of keyword queries of our Global Blacklist and mobile app database, RiskIQ's extensive repositories of cyber threat data compiled over ten years of crawling and passively sensing the web. Specifically, we looked at the ten most trafficked* e-commerce brands over Thanksgiving weekend.
November 18, 2019
Many executives focus their security efforts and budgets solely on physical cyber threats, but attacks targeting an executive's digital presence can be just as dangerous.
Criminals are looking to exploit the wealth of high-profile and high-net-worth individuals—or cause them embarrassment or personal harm—at an unprecedented rate. And, as the most abundant source of company secrets and IP, executives are a primary attack vector into their businesses too.
Attacks on VIPs involve attempts at accessing their sensitive information and span both the real world and the web. Because of their digital and physical vulnerabilities, protecting them requires a 360-degree view of their attack surface, i.e., anything related to their physical or digital presence that can be used against them. But to defend an executive's attack surface, you first have to define it.
Today, developing a plan to protect an executive, and in turn, their families and businesses, means understanding what information should be considered sensitive and having the tools to monitor the internet for it. References to names and addresses of the individual and their family and associates on forums, malicious rhetoric toward them, and the presence of leaked sensitive data are all crucial intelligence. This internet-wide visibility provides security teams with invaluable information and context not only about potential cyberattacks, but also attacks that may occur in the real world.
The top historic executive threats demonstrate how seemingly insignificant information has enabled completely preventable incidents. These top-five examples of threats to executives illustrate the overlap between the physical and the digital threat landscapes.
The Q2 2019 Mobile Threat Landscape: Blacklisted Apps Increase 20%, Cyber Attackers Target Tax Season, Surveillance Apps Wreak Havoc
October 24, 2019
The digital revolution is causing businesses to invest significantly in mobile, where they can make more frequent and more meaningful interactions with employees, prospects, and customers. Global app spending hit $101 billion in 2018 and will surpass that this year. Mobile is a significant portion of the overall corporate attack surface where security teams often suffer from a lack of visibility.
For the past ten years, RiskIQ's discovery platform has mapped the global mobile threat landscape. It now monitors more than 120 mobile app stores around the world and scans nearly two billion resources daily to look for mobile apps in the wild. With this internet-wide telemetry, RiskIQ observes and categorizes the threat landscape as a user would see it, downloading, analyzing, and storing every app we encounter while recording changes and new versions.
In our Q2 2019 Mobile Threat Landscape report, we provide an overview of the Q2 2019 Mobile Threat Landscape and dive into emerging trends you need to know for the rest of the year.
For the second consecutive quarter, blacklisted apps increased, spiking 20% from 44,850 to 53,955 and accounting for over 2% of all apps in RiskIQ's dataset. Blacklisted apps are apps that appear on at least one blacklist such as VirusTotal, which, per its website, inspects files or web pages with over 70 antivirus products and other tools. A blacklist hit from VirusTotal shows that at least one vendor has flagged the file as suspicious or malicious.
The percentage of blacklisted apps relative to the total number of apps known by RiskIQ also increased for the second straight quarter, jumping from 1.95% to 2.1%. These blacklisted apps feature a host of familiar threats such as brand imitation, phishing, and malware. The mobile threat landscape also saw cyber attackers leveraging tax season with malicious and fraudulent apps designed to fool consumers filing their taxes into downloading them.
October 23, 2019
For the past decade, RiskIQ has been helping organizations discover and manage risk across their digital attack surface. Since our inception, we've continued to enhance our capabilities and data sets to uncover more of the internet and better understand how attackers interact with it. Now, RiskIQ is proud to have been named a strong performer in The Forrester Wave™: Vulnerability Risk Management, Q4 2019, which recognized our platform as "a strong tool to have in your vulnerability management toolbox."
With breaches of businesses via internet-connected digital assets making headlines every day, the need for organizations to manage their full attack surface, from inside the network to all that lies beyond the firewall, is gaining serious momentum. Today's internet-scale threats can overwhelm the defenses of businesses that lack visibility into their vulnerable digital assets, which makes vulnerability risk management (VRM) a crucial element of attack surface management.
According to the Forrester Wave report, VRM is a four-stage process involving asset management, vulnerability enumeration, prioritization, and remediation. One of the new capabilities evaluated in the Forrester Wave™: Vulnerability Risk Management, Q4 2019, was how well these products help organizations with digital footprinting to understand what internet-exposed assets they may not be aware of. Traditional security scanners, which can only identify and scan a portion of an organization's external attack surface, have failed to help businesses adequately manage their digital risk because they cannot provide a full inventory of internet-facing assets.
With a sophisticated sensor network working in tandem with virtual users, RiskIQ has been assisting customers in finding digital assets connected to their attack surface for over a decade. By building an inventory of digital assets and issuing alerts as soon as someone in the company stands up something new, vulnerability and pen-testing teams can form a better picture of what their organization looks like to attackers. In RiskIQ's view, it is because of these capabilities that it was described in the Forrester report as "a strong tool to have in your vulnerability management toolbox."