May 17, 2017, Steve Ginty
Today it’s WannaCry; yesterday it was the Apache Struts 2 remote code execution bug; the day before it was Heartbleed; and tomorrow it will be a brand new threat to your organization’s attack surface.
While digital threats increase in velocity, volume, and adaptability, two things are certain: organizations need to automate their defenses against external threats, and they need a complete and continuous inventory of their entire digital footprint from the perspective of the internet, as customers and adversaries see it.
Unfortunately, many security teams have a blind spot made up of unknown and unmanaged internet-facing assets, which often serve as inroads for cyber attacks and data breaches from outside the firewall. According to the Ovum “On the Radar” report, which recognized RiskIQ’s Digital Threat Management Platform, assets created by business units outside the sight or management of IT can prove difficult to control and put business operations and reputation at risk.
To protect your organization from the next wave of threats, here are three things you need to consider.
Note: Access the RiskIQ PassiveTotal public project for WannaCry at https://www.passivetotal.org/projects/cc66064c-f94d-4b84-6bcc-4ff3cf51afa9
The May 2017 attack leveraged the ETERNALBLUE exploit, which the Shadow Brokers published in April 2017. The exploit targets a flaw in the Microsoft Windows SMBv1 server, tracked as CVE-2017-0144 and patched by Microsoft in security bulletin MS17-010 on March 14, 2017, two months before the outbreak. At the time of writing the initial point of entry was believed to be a malicious email attachment opened by a user connected to a corporate network; later analysis did not confirm an email lure and pointed instead to hosts with SMB (TCP 445) exposed to the internet. From the point of entry, the malware spread laterally as a worm, scanning for other unpatched hosts on TCP 445 and exploiting them without any user interaction.
To harden SMB usage in internal networks we recommend three steps: apply MS17-010 everywhere it is applicable, disable SMBv1 on servers and clients that do not strictly need it, and restrict TCP 445 so that only the hosts that must serve SMB are reachable on that port.
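The three hardening steps above, as an added example that is not from the original post or from RiskIQ. This is a PowerShell audit script for a single Windows host: it reports whether SMBv1 is enabled, whether an MS17-010 hotfix is installed, and whether TCP 445 is listening and firewalled, and with -Remediate it turns SMBv1 off and blocks inbound 445. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (for the SmbShare and NetSecurity cmdlets); the KB list is the March 2017 bulletin set for common builds and is an assumption to extend for your own estate.

```powershell
#Requires -RunAsAdministrator
# Added example (not RiskIQ's code): audit a Windows host for the WannaCry exposure
# discussed above and optionally remediate.
# Usage:  .\Check-Smb1Exposure.ps1             # report only
#         .\Check-Smb1Exposure.ps1 -Remediate  # disable SMBv1 and block inbound 445
param(
    [switch]$Remediate
)

# --- 1. Is the SMBv1 server still enabled? --------------------------------------
$cfg = Get-SmbServerConfiguration
$smb1Enabled = $cfg.EnableSMB1Protocol
Write-Host ("SMBv1 server enabled  : {0}" -f $smb1Enabled)

# --- 2. Is an MS17-010 hotfix present? -------------------------------------------
# KB numbers from the March 2017 bulletin for commonly affected builds (security-only
# and monthly rollup). ASSUMPTION: extend for the builds in your environment. On
# Windows 10 / Server 2016 later cumulative updates supersede KB4013429, so "not
# found" here is a prompt to check the installed cumulative update, not proof of
# exposure.
$ms17010 = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012598',                            # Vista / Server 2008 (and the out-of-band XP / 2003 fix)
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)
$patched = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
Write-Host ("MS17-010 hotfix found : {0}" -f ($patched.HotFixID -join ', '))

# --- 3. Is SMB reachable on the network? -----------------------------------------
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$blockRule = Get-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -ErrorAction SilentlyContinue
Write-Host ("Listening on TCP 445  : {0}" -f [bool]$listening)
Write-Host ("Inbound 445 block rule: {0}" -f [bool]$blockRule)

if (-not $Remediate) { return }

# --- Remediation -------------------------------------------------------------------
if ($smb1Enabled) {
    # Turn off the SMBv1 server; -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On client SKUs the SMB1 component can be removed as an optional feature
    # (on Server SKUs use Remove-WindowsFeature FS-SMB1). A reboot completes removal.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}
if (-not $blockRule) {
    # Workstations never need to serve SMB, so block inbound 445 outright. For file
    # servers, scope the existing 'File and Printer Sharing (SMB-In)' allow rule to
    # the subnets that need it instead: block rules win over allow rules, so this
    # rule would cut legitimate clients off a file server.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}
Write-Host 'Remediation applied. Install MS17-010 via Windows Update if no hotfix was found above.'
```

Run it in report mode first across a sample of hosts; the combination "SMBv1 enabled, no hotfix, listening on 445, no block rule" is exactly the profile WannaCry's worm component looked for.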
Before last week’s now-infamous attack with the WanaCrypt0r ransomware, most organizations were mainly concerned with compliance fines, financial liability, and the loss of customer confidence that follows theft of data or fraud. Now, organizations also need to consider the cost of losing access to their data and systems and of restoring them, because both can be held hostage by automated ransomware attacks at internet scale.
Attackers performing reconnaissance will often find unknown, unprotected, and unmonitored assets to use as attack vectors. For a large enterprise, these types of assets are typically easy for even novice hackers and threat groups to find, and because they’re unmonitored, provide an easy way in and out. To defend yourself, you need to know what attackers see when they’re looking at your business from outside the firewall. After all, following an attack or breach, saying “we didn’t know that asset existed,” doesn’t alleviate the damage done.
The “On the Radar” report highlights RiskIQ Digital Footprint, which is a digital footprint discovery, generation, and management solution that is responsible for discovering the external web and digital assets associated with an organization. It provides the mapping, monitoring, and management facilities needed to plot an organization’s Internet attack surface accurately, and therefore, its external risk posture. It uses RiskIQ’s volumes of telemetric Internet data to generate a dynamic and evolving picture of an organization’s threat footprint, assessing at-risk domains, websites, applications, URLs, web page content, autonomous system numbers (ASNs), IP addresses, SSL certificates, and other online associations.
Once you have an accurate and current picture of your digital footprint—including the frameworks and web applications running on your external assets—it is far easier to understand and execute problem-resolution techniques to ensure that your external assets remain secure. This inventory of your assets is also critical for compliance with numerous industry and government regulations.
It is useful to have security analysts who can investigate and work within the wider security community, because most enterprises were working this issue as it unfolded over the weekend. Those people need the right tools. With RiskIQ PassiveTotal®, analysts can track indicators such as IP addresses and SSL certificates related to attacks, which in the case of WannaCry could have pointed to other infected systems.
The Ovum report noted that RiskIQ gives security analysts detailed access to broad, correlated, and derived data presented in a way that enables faster, more revealing threat investigations, as well as collaboration and proactive monitoring. As a starting point for incident response teams and threat hunters, we have put together a public project that includes IP addresses and certificates associated with this most recent WannaCry attack, which you can use in your investigations to find related infrastructure and to hunt across your organization: https://www.passivetotal.org/projects/cc66064c-f94d-4b84-6bcc-4ff3cf51afa9
If you don’t have the right people with the right tools, you don’t have a seat at the table, and that means you find out later; every hour of delay leaves you at greater risk.
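How a hunt team would actually use such an indicator list, as an added example that is not from the original post or from RiskIQ. The PowerShell below sweeps firewall log lines for two signals: destinations that match an indicator set (in practice the IPs exported from the PassiveTotal project), and the worm behaviour itself, one internal host fanning out to many distinct peers on TCP 445. The log format, every address, and the fan-out threshold are constructed assumptions for this example; the indicator IPs are RFC 5737 documentation addresses, not real WannaCry indicators.

```powershell
# Added example (not RiskIQ's code): sweep a firewall log for indicator hits and
# for SMB fan-out, the propagation pattern of the WannaCry worm component.

# Indicator set. In practice: $iocIps = Get-Content .\wannacry-ips.txt (exported list)
$iocIps = @('198.51.100.23', '203.0.113.77')   # constructed placeholders, not real IOCs

# Constructed log, one event per line: "timestamp src dst dport action"
$logLines = @(
    '2017-05-12T09:00:41Z 10.1.4.22 10.1.4.90 445 allow'
    '2017-05-12T09:00:42Z 10.1.4.22 198.51.100.23 443 allow'   # contacts an indicator
    '2017-05-12T09:00:50Z 10.1.4.31 10.1.4.5 53 allow'
    '2017-05-12T09:01:02Z 10.1.4.31 93.184.216.34 443 allow'
    'garbage line'                                             # malformed; must be skipped
)
# Twelve outbound SMB attempts from one host to different peers, as a worm would produce
$logLines += (1..12 | ForEach-Object { '2017-05-12T09:02:{0:D2}Z 10.1.4.22 10.1.5.{1} 445 deny' -f $_, $_ })

function ConvertFrom-FwLine {
    # Parse one constructed-format line; return $null for anything malformed.
    param([string]$Line)
    $f = $Line -split '\s+'
    if ($f.Count -ne 5 -or $f[3] -notmatch '^\d+$') { return $null }
    [pscustomobject]@{ Time = $f[0]; Src = $f[1]; Dst = $f[2]; Port = [int]$f[3]; Action = $f[4] }
}

$events = $logLines | ForEach-Object { ConvertFrom-FwLine $_ } | Where-Object { $_ }

# Signal 1: any traffic to a known indicator, regardless of port or firewall action.
$iocHits = $events | Where-Object { $iocIps -contains $_.Dst }

# Signal 2: SMB fan-out. Ten distinct peers on 445 inside one log window is far more
# than a workstation generates on its own (threshold is an assumption; tune it).
$fanOutThreshold = 10
$scanners = $events |
    Where-Object { $_.Port -eq 445 } |
    Group-Object -Property Src |
    ForEach-Object {
        $peers = @($_.Group.Dst | Sort-Object -Unique)
        if ($peers.Count -ge $fanOutThreshold) {
            [pscustomobject]@{
                Src                = $_.Name
                DistinctPeersOn445 = $peers.Count
                FirstSeen          = ($_.Group.Time | Sort-Object)[0]
            }
        }
    }

Write-Host 'Indicator hits:'
$iocHits | Format-Table Time, Src, Dst, Port, Action -AutoSize
Write-Host 'Hosts fanning out on TCP 445 (possible worm activity):'
$scanners | Format-Table -AutoSize

# A host that both contacted an indicator and scanned 445 goes to the top of the triage list.
$both = $scanners.Src | Where-Object { $iocHits.Src -contains $_ }
Write-Host ("Triage first: {0}" -f ($both -join ', '))
```

On the constructed data, 10.1.4.22 shows up under both signals (one indicator hit, thirteen distinct SMB peers) and is the host to isolate first. The fan-out check matters because indicator lists lag the attack: a freshly infected host will start scanning on 445 before any feed has its new peers, so the behavioural signal catches what the indicator match cannot yet.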