External Threat Management

Space Invaders and Website Security

Traditionally, the prevailing approach to website security has been one akin to the video game Space Invaders. Organizations have a clearly defined space they must protect, and they have an ever-upgradeable cannon they can use to repel attacks. As threats evolved, organizations could simply improve their cannons in order to remain secure. It was simple, it was easy; processes and controls could be built around it, and the security folk slept comfortably at night.

However, the problem with this strategy is that the clearly defined space that needs to be protected is no longer crystal clear. Moreover, the traditional methods that have evolved to manage website security, such as web application firewalls (WAFs) or endpoint management systems, are all well and good for static web landscapes but struggle to address today's problem of scale.

In a recent web study completed by RiskIQ, measuring just a sliver of the Internet occupied by five major brands, it was discovered that 500 separate networks were hosting over 27,000 websites tied to just those five organizations. That means that each company has, on average, 100 separate ASNs to keep track of. We found many examples of websites hosted externally on services like Amazon AWS, SoftLayer and NTT, as well as on third-party vendor and partner networks.

The real question is: of these 27,000 websites discovered, what percentage is completely unprotected because no one knows it exists? How many were inherited from acquisitions, produced by business units within the enterprise without informing Information Security, or created by fraudsters looking to leverage a marketable brand to steal data or spread malware? How many have missed crucial security updates and are still running old, highly vulnerable versions of software? What kind of data is exposed through them? What happens when you add mobile applications to the equation?

It is within these dark areas of enterprise IT infrastructure that cyber criminals can exploit major brands unopposed. Further exacerbating the problem are the attacks targeted at end users. These threats exist outside the firewall in the form of malvertising, well-hidden exploit kits, drive-by downloads, watering-hole attacks and phishing attempts. They are real and they need to be properly addressed.

RiskIQ is powered by a massive-scale crawling infrastructure. Instead of operating as an agent-based system or a WAF, RiskIQ crawls the web itself. It pulls publicly available sources of information in order to generate an accurate and dynamic list of digital assets tied to a brand.

The virtual user technology built into the crawling architecture imitates real user behavior, so that each individual website can be observed from the customer's perspective and checked for signs of misbehavior. RiskIQ's full packet capture allows forensic analysts to key in on infected software, and its full DOM capture allows them to recreate the infection and identify the location of the malicious URL.

In other words, RiskIQ can turn the relative chaos of modern Internet landscapes into a definable area, allowing organizations to once again train their cannons and fire away.

- Peter Zavlaris