The recent announcement that Google Chrome will deprecate and remove trust in existing Symantec-issued SSL certificates over failure to properly validate their certs is the latest of several announcements implicating major SSL cert issuers.
SSL certs, data files that digitally bind a cryptographic key to an organization’s details, allow secure connections from a web server to a browser and help users validate the legitimacy of the site that they are using when properly issued. Symantec’s failure to properly validate the certificate owner at time of issuance has resulted in a loss of trust in their certificates by browser makers. As a result, sites currently using certificates issued by one of Symantec’s many authorities will no longer be shown as “trusted” in Google Chrome, resulting in an immediate negative business impact. When end users confront alarming warnings from top web browsers stating “Secure Connection Failed,” their trust in the website can quickly erode.
Typically, announcements denouncing bad certs are years in the making. Here’s a timeline of what led to the one regarding Symantec, according to Google’s investigation:
September 14, 2015: Symantec’s Thawte-branded CA issued an Extended Validation (EV) pre-certificate for the domains google.com and www.google.com. This pre-certificate was neither requested nor authorized by Google.
October 28, 2015: Following Google’s notification, Symantec published a report in response to its inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations. However, Google was still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. Symantec performed another audit and announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.
Since January 19, 2017: The Google Chrome team has been investigating a series of failures by Symantec Corporation to validate certificates properly. An initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates issued over a period spanning several years, a finding that came on top of the earlier set of misissued Symantec certificates described above.
For organizations using Symantec-issued SSL certs, it’s time to immediately replace them before Google Chrome users are largely barred from visiting sites using them.
First, audit all your SSL certs to determine whether they were issued by Symantec (you might as well add replacing all of your SHA-1 certs to your to-do list, since they have all been deprecated as of January 1st). You can do this by logging into RiskIQ Enterprise Digital Footprint and opening your Insights Dashboard. There you will find a new widget aggregating Extended Validation (EV) certificates from Symantec-owned Certificate Authorities. The insight also includes any WoSign and StartCom SSL certs in your enterprise:
Fig-1 Inventory Insights inside RiskIQ’s Enterprise Digital Footprint platform showing all SSL certs associated with an organization.
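The same audit can be scripted against an exported certificate inventory. The Go program below is an added example, not RiskIQ's code: it flags certificates whose issuer names a Symantec-operated brand (Symantec, Thawte, GeoTrust, RapidSSL, VeriSign) or WoSign/StartCom, and separately flags SHA-1 signatures; the brand list and the self-signed sample certificate it builds are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// CA brands Chrome said it would stop trusting (Symantec and the brands it operates), plus WoSign and StartCom.
var distrustedIssuers = []string{"Symantec", "Thawte", "GeoTrust", "RapidSSL", "VeriSign", "WoSign", "StartCom"}
// AuditCert returns the reasons a certificate needs replacing; nil means nothing was found.
func AuditCert(cert *x509.Certificate) []string {
	var findings []string
	// Match on the issuer's O and CN, which is where these brand names appear in real chains.
	issuer := strings.ToLower(strings.Join(cert.Issuer.Organization, " ") + " " + cert.Issuer.CommonName)
	for _, brand := range distrustedIssuers {
		if strings.Contains(issuer, strings.ToLower(brand)) {
			findings = append(findings, "issued by distrusted CA brand: "+brand)
		}
	}
	switch cert.SignatureAlgorithm { // SHA-1 signatures are deprecated whoever the issuer is
	case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		findings = append(findings, "signed with deprecated SHA-1")
	}
	return findings
}

// constructedCert builds and parses a self-signed cert whose issuer organisation is org: a constructed offline stand-in, not a real CA cert.
func constructedCert(org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: "www.example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // same path an exported DER inventory file would take
}
```

Feed `AuditCert` the certificates parsed from your inventory and replace anything it flags; a real chain should be checked at every issuer in the chain, not only the leaf.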
Once you have an accurate picture of your digital footprint, it is far easier to understand and implement mitigation techniques to ensure that all of your external assets are protected. This inventory of your assets is also critical for compliance with numerous industry regulations.
Using a network of tens of thousands of these virtual users, RiskIQ scans the entire internet millions of times per hour, collecting telemetric data to produce a dynamic index of your web attack surface. This process illuminates websites, mobile apps, URLs, web page content, ASNs, IPs, and nameservers, many of which aren’t currently in your inventory. RiskIQ uncovers all digital assets appearing online that tie back to your organization, enabling your security team to understand the attack surface outside your firewall, bring unknown assets under management, and survey your digital footprint from the view of a global adversary.