External Threat Management

Understanding and Preventing Cyber Fraud and Cyber Attacks with Advanced Big Data Cyber Security Analytics

My friend Aamir Lakhani, AKA Dr. Chaos, recently posted this blog on his website. The topic is combining big data analytics with software-defined networking in order to build anomaly-based detection and mitigation systems for internal networks.

In the blog, he discusses the reasons why traditional security doesn't work and why innovations are necessary. He argues that in cases where cyber attacks leverage legitimate applications, protocols and user credentials to gain unauthorized access, traditional security protections prove useless.

However, using advanced analytics, along with modern security tools, security teams can identify anomalous behavior even if the attacker has valid credentials. The key is establishing baselines and running a sophisticated analysis of large data sets.

As he points out, "Data science experts will tell you that no matter how often an abnormal behavior occurs -- whether it's one hundred times or just once -- it's still abnormal behavior and can be categorized once a baseline is established."

It's a fantastic read and very provocative. It ties back into our firmly held belief at RiskIQ that innovative detection methods are going to be the best defense for organizations, their brands, and their customers in the modern world. RiskIQ also leverages large data sets and data analytics as inputs into our technology to manage external threats. It is a key factor in ensuring we provide accurate and timely data, which we strongly believe can make the difference in protecting an enterprise profile online.

What Happens When Consumers No Longer Trust Retailers to Protect Their Data

The spotlight has been on the retail industry ever since the infamous Target breach over last year's holiday season. While Target has become the poster child for high profile data breaches, several other retail organizations since and prior to that incident have suffered breaches as well.

When it comes to retail breaches, customers are the ones who tend to suffer most. The criminals are targeting their private data, and a new study completed by the National Consumers League (NCL) found that 72% of breach victims were also victims of fraud.

The study also shows that consumers are increasingly losing faith in businesses to protect their identities. They're demanding more government involvement and fraud prevention measures.

"Data insecurity is leading to real consumer harm and this report confirms consumers are at a loss for where to turn in the face of this national problem," said NCL's John Breyault. "As consumers share vast amounts of personal data with businesses, government and other entities, they expect their information to be protected from malicious hackers."

Businesses need to take this study seriously. The report found that 6 in 10 victims whose information was compromised in a retail breach said their level of trust in the retailer declined significantly. In fact, nineteen percent of victims whose data was breached said they'd avoid doing business with those organizations in the future.

Open Source Vulnerabilities and the Detection vs. Prevention Argument

Open source application vulnerabilities are a hot topic in the modern information security discourse, mainly because of incidents like Heartbleed. Heartbleed was an interesting case not because it was an OpenSSL vulnerability but because of the unsuspected prominence of OpenSSL among the enterprise. OpenSSL actually has a history of vulnerabilities, dating as far back as 2003 when it was discovered that OpenSSL didn't automatically enable RSA Blinding.

An article posted on SecurityWeek on July 23rd cites a report published by Sonatype, which found that, "One in ten of the roughly 3,300 software developers, architects and application security pros who took part in the survey admitted that an open source component was, or it was suspected of being, the cause of a breach within the last year."

Furthermore, they contend that 43% of organizations don't have an open source policy. Of the 67% who do have an open source policy, 38% admit their open source policy doesn't include security. The article also points to findings from the 2014 Verizon Breach Report identifying applications as the leading attack vector in breaches.

Compounding the issue, as the SecurityWeek article points out, "most developers don't track component vulnerabilities over time." Apparently only 40% of the survey respondents believe that the development department is responsible for tracking and resolving newly discovered vulnerabilities in existing production applications. Only 18% believe it's the responsibility of the application security department -- another 18% believe it falls under IT Operations.

This grey area of control and responsibility provides perfect cover for cyber criminals searching for ways to infect websites and mobile applications. The staggering increase in breaches points to the need for improved security in this area, which is a significant challenge for standard controls designed to prevent malware from getting in.

Drive-by Compromise Activity Continues

In July 2014, RiskIQ observed continued attack activity against the website and its visitors, with injected code redirecting browsers to exploits served from Nuclear Pack.

In April 2014, Cyphort published an analysis of a drive-by download attack traced to malicious code injection on the website of, a leading online men's magazine portal. The attackers had compromised the site to inject encoded JavaScript in order to redirect site visitors to exploits served from a Fiesta exploit kit installation. In this attack, victims were served a variant of the Miuref malware, a common click-fraud and ad-hijacking trojan.

New Attack Vectors Targeting the Enterprise Generated by Third-party Connectivity

Based on the success of several high profile attacks (e.g. Target and AT&T) over the last year exploiting access points created by enterprises connecting to their third-party associates, there's a growing concern that third parties present potentially intolerable levels of risk to the enterprise. While the purpose of exploiting third parties in recent highly publicized breach cases had been gaining access to sensitive areas of affiliated enterprises' internal networks, there's another, more insidious threat, and this one could be even more dangerous. The threat is malware embedded somewhere along the amalgamation of websites, webpages, ads, mobile apps, etc. that a consumer surfing the web would falsely assume belongs to a given organization. This assumption could result from being directed to the page via a search engine, the company name or brand appearing in the URL, and/or logos, trademarks, products and services being present on the website, webpage, or mobile app actually hosted on third-party infrastructure. The problem is that users often mistake these assets -- which generally have fewer security controls in place -- for corporately controlled ones and are willing to share sensitive information, which creates an unsafe environment for cyber criminals to exploit.

Adding to the problem is that the modern security discourse around third-party data leaks is more focused on low-probability, complex APTs that are costly to carry out, require many moving parts and take years to develop. Organizations should be more concerned with phishing or watering hole attacks on an enterprise-affiliated website targeting consumers, because they are cost effective, relatively low-tech, low-risk and potentially high value. In a recent article in CSO magazine, author Taylor Armerding provides evidence that third-party vendors are weak points. He quotes ZeroPoint Risk Research CEO MacDonnell Ulsch: "almost without exception, a third-party vendor or affiliate is involved (in a successful cyber attack)." Interestingly, MacDonnell wrote about this a year ago, before Target and AT&T were breached. Armerding points out that a phishing attack on an HVAC vendor led to the leak of millions of Target customer credit cards -- all it took was an employee clicking on a malicious link. Similarly, AT&T disclosed that its mobile customers were breached through a third-party vendor, and account information, such as social security numbers and dates of birth, was compromised.

Armerding stresses in his article that no enterprise can live on an island; each needs multiple relationships with outside vendors, contractors, affiliates, partners and others to function in a connected world. In the chaos of ever-expanding and disparate online public interaction points propped up across enterprises and their associates to serve consumers, the ramifications of varying levels of security controls across the online distribution chain create the perfect hiding place for compromised digital assets embedded with well-hidden pieces of malware. It is incredibly difficult to gain visibility into the resulting security grey area. RiskIQ offers technology capable of discovering -- with an automated and ongoing process -- all websites and mobile applications associated in any way with a given enterprise. We provide an outside-looking-in perspective as we crawl assets at Internet scale, allowing enterprises to view their network from the vantage point of the millions of online users interacting with them on a daily basis. If something malicious exists and can be tied in any way to a RiskIQ customer, it will be identified and swift action will be taken to remove it before it causes harm.

Peter Zavlaris, Marketing Analyst & Resident Blogger

Angler Exploit Kit Detected on High Profile Websites

On May 28th, RiskIQ detected a malvertising (malicious advertising) campaign on several high profile websites (ranked within the top 2,000 websites globally), including the popular humor site eBaum's World. This particular campaign utilized a drive-by download to exploit several different versions of software, including Flash, Silverlight, and Java. In this particular case, the malicious ads were served by AppNexus, but this campaign has been seen in several other ad networks as well.

In this example, a user watching a video of a cat playing Jenga on eBaum's World would have been served an advertisement containing a drive-by exploit. This example is illustrated below. The exploit kit used in the drive-by attack was Angler Exploit Kit, which has been gaining traction since Blackhole Exploit Kit started to lose criminal users. The migration of this user base is related to the arrest of "Paunch" last October. Predictions of hackers moving to different exploit kits have proven true, and Angler seems to be filling the void left by Blackhole.

Angler malware on eBaum's World

As recently as November of last year, Angler's authors integrated Silverlight exploits, which is particularly troubling since Netflix requires the Silverlight plugin to stream video in PC browsers. This provides a large user base to target: while Silverlight is not as widely deployed as the Adobe Flash plugin, it is estimated that the majority of internet users have it installed.