RiskIQ uses multiple methods of automated detection that all play off each other to track threat patterns, which enables our customers to protect their digital presence from threats. Every piece of data we collect helps train and optimize the accuracy of our models—even a simple redirector that leads to a run-of-the-mill phishing page.
What’s in a Redirector?
Sometimes, detections are straightforward. During the loading process, RiskIQ's web crawlers gather a web page's full document object model (DOM) and the page sequence of a crawl. For example, the crawl below shows a simple redirection script that sends users to a typical phishing page:
As part of our crawl analysis, we analyze the structure of a rendered web page, looking for indications of foul play. In this case, the phishing page was detected immediately by our machine-learning model. However, not all phishing detections are as straightforward as the one above, so we often layer on additional methods, as we’ll describe below.
With any machine-learning algorithm, active feedback and retraining are crucial to maintaining the quality of the model. RiskIQ uses an active learning feedback loop, whereby humans regularly review pages that are then fed back into our machine learning models. In the course of reviewing pages, a RiskIQ data scientist came across the pages above and labeled each one—a phishing page, and a redirector to a phishing page.
Once labeled, these pages were also fed into all of our machine-learning models, including our dynamic model, which performs a behavioral analysis of a web page as it loads. This behavioral analysis quickly identified several other pages with similar patterns.
Security professionals are often playing a game of whack-a-mole. Once a new threat is detected, threat actors will change their modus operandi, rendering previous detections obsolete. With RiskIQ’s varied detection techniques, however, small changes are not enough to evade detection. If an actor tries to evade signature-based detection by changing URI patterns, we can track them by dynamic analysis of the page or page structure, and vice versa. Even if they obfuscate their code, update their page structure, change their URI patterns, upgrade their web components, and change their scripts (quite a lot of work!), we can still track them through our massive amounts of other data: whois, passive DNS, tracking IDs, cookies, and our proprietary host pairs dataset, to name several. Signing up for RiskIQ Community Edition now will allow you to start pivoting on these data sets today.
Security will always be a game of whack-a-mole, but through large-scale data collection across a variety of data types and automated detection algorithms, RiskIQ continues to make it harder for the moles to hide.