Blog

Ransomware defense is a perpetual cat and mouse game between incident responders and attackers who are continuously evolving their tactics, tools, and strategy. With Ransomware attacks on the rise and costing the US a whopping $7.5 billion in 2019, SOCs and threat hunters must maintain full situational awareness to protect their organization and customers' data—and avoid massive material loss. However, ransomware defense is no easy task and requires a 360-degree view of your organization's attack surface. 

Attackers are more active than ever before, taking advantage of organizations' expanded attack surfaces outside the corporate firewall and across the internet. Phishing attacks, typosquat registrations, and disinformation campaigns aiming to take advantage of COVID-19 and political turmoil are running rampant. Security teams lacking visibility into this new attack surface are coming up dangerously short. 

RiskIQ has been collecting internet data for more than a decade to help organizations meet the challenge of this new generation of threats. The RiskIQ PassiveTotal App puts petabytes of this external Internet security intelligence into Splunk's Data-to-Everything Platform, giving security teams the visibility they need in a platform and workflow they already use. 

The app enables teams to investigate and respond to threats across their organization's attack surface by laying the RiskIQ Internet Intelligence Graph on top of Splunk data—all in one location—to show how internal assets interact with external infrastructure. With this 360-degree view of their attack surface, analysts have unparalleled context and intelligence to detect, investigate, and remediate IoC's and security events.

During major global events, threat actors take advantage of charged political environments and a prevailing overload of information to help lend credence to the delivery mechanisms they use to carry out malicious activity. This tactic has proven especially effective during the COVID-19 pandemic as scams purporting to contain information, news, and remedies related to the virus—many with a political lean—have saturated the internet. 

In "ScamNation," RiskIQ's latest research report, RiskIQ researchers leveraged our internet-wide visibility and unique data sets to identify and explicitly define scam ecosystems exploiting the pandemic for monetary gain through the spread of false information and the sale of fraudulent products online. The report identifies a network of "content farm" websites publishing misleading, highly partisan articles that have lately focused on COVID-19. Scammers use these sites to promote ads that lure users into "subscription traps," which, through misleading messaging and hidden language in the fine print, trap buyers into making monthly payments that are difficult, if not impossible, to escape.

Earlier this month, RiskIQ announced our Interlock Partner Program, making our Internet Intelligence Graph—RiskIQ's unique global view of the internet comprised of data from more than ten years of crawling the web—available in cybersecurity platforms around the world.

One of our first key integrations was the RiskIQ Illuminate app for CrowdStrike, which enriches CrowdStrike Falcon Insight detections with our internet-wide telemetry, enhancing internal alerts with external context. When automatically correlated with CrowdStrike Intelligence, RiskIQ's internet data sets boost incident response by enabling researchers to quickly search across an organization's endpoints for indicators of compromise or find activity related to suspicious indicators they observe on an endpoint.

During an investigation, the RiskIQ app automatically identifies impacted endpoints so analysts can understand all the related infrastructure belonging to a given threat actor. This way, companies can stay a step ahead of their adversaries and optimize their attack surface management.

Over the past several months, the enterprise attack surface has changed radically, and many security teams are struggling to catch up. The recent scramble to patch a dangerous security flaw in F5 Networks' BIG-IP product marked the beginning of a new reality facing the enterprise in the post-COVID world: network controls are coming up dangerously short. 

Organizations are lacking visibility into the external network of internet-connected services and devices growing wildly outside their firewalls to support a workforce that will be remote for the foreseeable future. However, these IP-connected assets aren't in the purview of most security controls. In fact, most organizations don't have any security controls for the new IT needed to enable remote employees, such as remote access devices, VPNs, and perimeter network devices.

The F5 hack wasn't the first critical vulnerability to come to light since widespread remote work began, and it's certainly won't be the last. Recent headlines have been full of dozens of new vulnerabilities found in these devices, including Cisco, Microsoft, Citrix, and IBM products. Each of these vulnerabilities can take down an organization, whether or not its security team knows it's part of its attack surface. 

Realizing they're invisible to many security teams, threat actors note these security flaws and use them as inroads for attacks. Both the US and Australian governments have advised companies to immediately address the recent spike in critical vulnerabilities, with US Cyber Command recommending that organizations patch both the F5 and PAN-OS vulnerabilities.

When the Covid-19 pandemic forced businesses to shift overnight, even companies with robust cybersecurity measures were caught unprepared.

A massive influx in remote employees, coupled with a boom in hacker activity, forced businesses to overlook best practices in the name of immediate convenience. In some cases, that meant connecting employees to networks without proper safety precautions. Wider digital attack surfaces presented a bounty of opportunities to unscrupulous actors looking to steal money, data, or both.

By now, most organizations have taken steps to reduce their exposure to threats and have educated employees on the importance of staying vigilant while working from home. These short-term measures will not last forever, though, nor do they replace the need for sweeping change. The pandemic changed the face of cybercrime overnight. Now, businesses must not only round out their responses to the current crisis but start preparing for what comes next.

Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evolved right alongside the digital presence of businesses and remains in flux as attackers continuously adopt new tools and tactics. With the paradigm for keeping organizations secure ever-changing, security teams have no choice but to adapt to the perpetual evolution of both the organizations they defend and the adversaries from which they protect it.

In this new dynamic age of cybersecurity, knowledge and context are power, and being mobile ensures survival. The security solutions that matter are automatic and integrate with existing investments. They also include a game-changing amount of context. The RiskIQ Intelligence Connector, the integration linking RiskIQ's Internet Intelligence Graph and Microsoft Sentinel, was built for this. 

The discussions in the coming days and weeks surrounding yesterday's large-scale compromise of verified Twitter accounts, including those of Joe Biden, Barack Obama, and Bill Gates, will likely be about how the attackers gained access to so many high-profile accounts at once. The sheer breadth of digital landscape this breach covered in such little time shocked the world and is sure to stoke concerns about who can access the means of disseminating information—or disinformation—to the masses. 

However, while examining Twitter's internal security practices and controls is an important focus, it's also worth looking at the #Twitterhack from an external angle. Who were these actors, and why did they go through so much trouble to access those accounts? What did their cryptocurrency scam campaigns look like outside of the Twitter spotlight?

RiskIQ's Passive DNS data gives us our first clue. It shows us that domains belonging to these attackers were registered months or years ago, which means pretending to be famous brands and people to trick victims into giving up their cryptocurrency has been their MO far before the fall of the blue checkmarks. Hacking Twitter was simply their latest—albeit their most successful—tactic to access a massive pool of potential victims and lend credibility to their phishing scheme. Before hacking verified accounts, this group may have been leaning on other dependable vehicles for scam victim acquisition, such as fake social media accounts, spam emails, and scam ads. 

Next, tying together the phishing domains belonging to the attacker shows us the overall scope of the attack and which brands were getting impersonated. The Twitter hack itself made the most headlines, but RiskIQ researchers observed only one attacker-owned domain tweeted from a hacked verified account. However, from that one domain, we mapped out hundreds more that attackers didn't use on Twitter. They were likely using these in other attack vectors. 

The average organization's digital presence has exploded in size. Even before COVID-19 spread their staff and operations outside the firewall, businesses were rapidly migrating to the cloud and increasing their use of web, mobile, and social platforms. This digital transformation expanded their attack surface beyond the scope of network security controls like firewalls, DLP, and network monitoring—and enabled attackers to exploit them in ways not possible before. 

The security implications of the enterprise's digital footprint exploding beyond the firewall's friendly confines are clear. According to the Verizon Data Breach report, external-facing web applications, into which network security tools lack visibility, comprised the vector category most commonly exploited in hacking-related breaches. To defend against the now rampant phishing attacks, typosquat registrations, and misinformation spreading through websites, security teams need to think beyond cybersecurity. Instead, they should be taking a holistic view of defense, focusing on attack surface management.