External Threat Management Analyst

RiskIQ Illuminate App in the CrowdStrike Store Combines Unmatched External Telemetry with Endpoint Intelligence | Attack Surface Management

It's incredible to think how far organizations have come in gaining visibility into their enterprise in just the last five years. Analysts used to have conversations about how and where to enable logging. One quantum leap later, and these conversations are now about how to optimize queries to get the most out of the vast amounts of internal data available to them.

Today, analysts operate with an extreme amount of context, but their own collection is just one side of what their organization looks like. The most successful businesses recognize that they must pair this internal data collection with external intelligence to have real visibility into their attack surface—and how it appears to would-be attackers. 

RiskIQ has worked to provide this external view for over a decade, collecting and storing internet data to feed technology that functions like a TiVo for the Internet, giving security teams the ability to look back at attacks and understand why and how they happened, as well as to detect new ones. Over that time, RiskIQ has built unmatched data sets found nowhere else that power several defense-based products and enable a community of over 85,000 security practitioners to conduct thorough investigations into cyber security threats.

Although it fuels threat investigations worldwide, RiskIQ’s data becomes even more powerful when combined with endpoint telemetry. That’s why RiskIQ, the global leader in attack surface management, is excited to announce that we’ve partnered up with CrowdStrike to deliver RiskIQ Illuminate for Falcon, a solution that offers truly unique visibility into cyber security threats by pairing unmatched external intelligence with leading endpoint-visibility data sets.

RiskIQ data beside CrowdStrike data in the Illuminate app. Customers can now trial functionality through the CrowdStrike app store.

External Threat Management

The Equifax Breach and the Case for Next-Gen Vulnerability Management

Perhaps no organization is entrusted with more highly sensitive consumer data than the credit bureau Equifax. So when it suffered one of the most massive data breaches in history in 2017, the result was catastrophic for its millions of customers, their trust in Equifax—and consumer trust in credit reporting agencies in general. 

The breach, which led to the theft of 147 million people's personal information, left us asking how something on that scale and with such far-reaching implications could happen. There seemed to be an illusion that because Equifax is so big, so ubiquitous, and holds so much data, it was taking better care than most organizations to protect it. They were invincible, right?

With the recently released Senate Committee on Homeland Security and Governmental Affairs' report on its investigation into the breach, the reason is painfully clear. Equifax, like most organizations, was unaware of the scope of its attack surface—especially that which resides outside the firewall—and therefore was unable to maintain an adequate patch-management policy.

It seems to be a terrifying trend, as many of the large-scale breaches that now surface in the news all too regularly are a result of compromised external assets that organizations weren't aware existed. According to Senators Rob Portman and Tom Carper, who authored the report, that is precisely what happened to Equifax. What's even more terrifying? The audit report mentioned that Equifax lacked a comprehensive IT asset inventory and did not fully understand the scope of the digital assets it owned. 

Equifax was hacked via a consumer complaint web portal with a widely known vulnerability their security team should have patched. Once the attackers moved laterally into the network, they exfiltrated encrypted data for months because Equifax had not renewed an encryption certificate on one of its internal security tools, which meant that this encrypted traffic wasn't being inspected.

Labs Magecart

Magecart Group 12’s Latest: Actors Behind Cyberattacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign

A recent blog post by Jacob Pimental and Max Kersten highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and UEFA Euro 2020. These sites were compromised by a skimmer using the domain for data exfiltration. With RiskIQ data, our researchers built on the previous reporting to identify more skimming domains used by the attackers, as well as additional compromised sites. RiskIQ can also now attribute all of these cyberattacks to Magecart Group 12.

The obfuscation and skimming code we observed on matches that used by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in our blog posts, "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" and "Magento Attack: All Payment Platforms are Targets for Magecart Attacks." However, there are differences in the techniques employed by Group 12 in these more recent compromises, which we'll break down here.

In those blog posts, we noted that Group 12 employed base64-encoded checks against the URL, looking for the word "checkout" to identify the proper page on which to load their skimmer code. This encoding masked both the check itself and the skimmer URL. Quoting from our May 1st, 2019 report:

"Most of Group 12's injections occur with a pre-filter on the page—a small snippet of JavaScript that checks to see if they want to inject their skimmer on the page. Here's what it looks like:"

Magecart Group 12's script tag from RiskIQ's May report

External Threat Management

Executive Protection Plans Differ, but Internet Vigilance Against Cyber Threats Should Be Constant

What concerns keep CEOs and other business leaders up at night? What doesn't?

Financial results and competitive challenges are top of mind for sure. Still, today's C-suiters also face more modern anxieties, like the chance of a cyberattack on the company, or on the executives themselves.

In the new economy, business executives are more and more digitally connected to family, colleagues, and work through mobile devices and social platforms. Like everyone, each leader's digital interactions and online behaviors leave cyber breadcrumbs across the internet. Hackers can easily search for these digital clues, leaving executives susceptible to having their net worth, intellectual property, and personal reputation exploited. For example, hackers tend to follow the social media feeds of executives to learn about their activities and the colleagues with whom they regularly interact – from personal assistants to other company leaders. A hacker may be able to "crack" the credentials of these trusted colleagues, then begin impersonating them to lure the victim into sharing sensitive corporate or personal information.   

What's the endgame for hackers? There could be any number of motives behind a cyber crook's endeavors to manipulate or sabotage an executive: financial gain, political aims, even revenge. A hacker may also target executives to sell their information to others. For example, an executive may post her workout metrics on a fitness app. Cyber-crooks can use this information to uncover the woman's home address, which they can pass along to known burglars. Or the hacker may follow a person's notification about attending events, knowing they will not be home at a certain time.

The critical need for executive protection

External Threat Management

2019 Holiday Shopping Season E-Commerce Threat Review

This holiday shopping season was a boon for retailers, who raked in a record $1 trillion, an incredible increase of nearly $300 billion from 2018. Meanwhile, overall online sales increased 13%, while Black Friday and Cyber Monday saw 17% and 19% increases, respectively. 

But online holiday shopping is a goldmine for more than just e-commerce businesses—threat actors try to get a piece of every dollar that consumers spend. Over the 2019 holiday shopping frenzy, these cyber-crooks used the brand names of leading e-tailers, as well as the poor online security hygiene of consumers, to pocket some of these earnings for themselves.

According to RiskIQ research, the success of their e-commerce threats relied heavily on targeting shoppers who were eagerly searching for deals, sales, and coupons with fake mobile apps and landing pages. These rogue assets trick users into unknowingly downloading malware, using compromised sites, or giving up their login credentials and credit card information. Magecart actors, who compromise e-commerce websites with JavaScript credit card skimmers, were also active over the holidays hoping to turn increased e-commerce site traffic into a larger pool of victims.

To understand the methods threat actors employed and where they focused their efforts, RiskIQ analysts used RiskIQ Illuminate®, our platform housing petabytes of internet intelligence collected over the past decade. It lets them efficiently surface malicious findings across several data sets, including mobile applications, domain registrations, JavaScript threat detections, and hosting infrastructure. RiskIQ's crawling technology covers more than 2 billion daily HTTP requests, hundreds of locations across the world, 40 million mobile apps, and 600 million domain records.

Example of malicious holiday app

External Threat Management

State-sponsored Social Engineering: How You Can Protect Your Business From Iranian Cyber Threats

RiskIQ agrees with most experts that Iran is likely planning additional cyber-attacks in the coming months to punish the U.S. for the airstrike that killed the Iranian Islamic Revolutionary Guard Corps (IRGC) Commander, Qasem Soleimani. 

Below, RiskIQ's managed intelligence services team, comprised of former intelligence officers, assesses how state-sponsored threats from Iran can affect your business. 

So far—in keeping with its modus operandi—Tehran's response to the attack has been measured and proportional. Four days after the strike, the IRGC launched numerous ballistic missiles at U.S. airbases in Iraq, inflicting minor casualties. According to the Washington Post, on January 8th the head of Iran's Aerospace Force stated they "did not intend to kill... [instead, they] intended to hit the enemy's military machinery."

Historically, Iran has also conducted retaliatory attacks calibrated to maintain plausible deniability and avoid escalation. Attribution for cyber attacks is difficult, making it a useful—and frequently used—countermeasure for Tehran.

Iran has a first-world cyber-attack capability

External Threat Management

A New Decade Of JavaScript Threats

Just a decade ago, the world's JavaScript was a nearly untapped wellspring of victims and cash for attackers, a new frontier for cybercrime that covered 95% of all websites on earth. It was ripe for the picking.

Because they execute in the victim's browser, JavaScript threats were outside the corporate network and beyond the purview of traditional security controls. Realizing they were operating in a blind spot for security teams, innovative threat actors seized the opportunity and started picking apart the JavaScript of websites worldwide.

E-commerce was particularly vulnerable to this onslaught, with web skimmers intercepting consumer credit card numbers across a massive swath of websites. With the rise in the value of cryptocurrency, actors also went to work stealing users' CPU time to mine coins, stealthily placing their cryptominers in the JavaScript of thousands of victimized websites.

Soon, entire underground economies grew around the spoils of JavaScript threats, and the pool of threat actors grew with them. More novice threat actors took advantage of pre-packaged cryptominers, skimming tools, and pre-hacked websites. At the same time, advanced attackers kept raising the bar for innovation by finding new ways to breach websites and maximize profits.

Eventually, mega breaches resulting from Magecart attacks, such as the hack of British Airways, brought JavaScript threats to the public consciousness. The hack of a renowned Fortune Global 500 company and the subsequent exfiltration of thousands of customer records shattered consumer trust. It also triggered enforcement under the GDPR, with a proposed fine against the company of £183m, or 1.5% of British Airways' 2017 revenues.

External Threat Management

The Internet Is Growing, and so Is Your Attack Surface

Imagine you were responsible for the protection of a building. 

You'd probably start by analyzing its entire interior and exterior, mapping every square foot to determine what defenses you need to put in place and where. Along with your locks and alarms, you'd want to install a network of surveillance cameras positioned to give you real-time visibility of the entire structure, i.e., anywhere a burglar could possibly show up. It's a pretty clear-cut formula that, once implemented, ensures you're ready to defend against intruders.

Securing a building is a metaphor that's used often in corporate cybersecurity, and for good reason: it's a straightforward way of characterizing network security controls. Your firewalls and proxies are your locks, and your scanners are your security cameras, letting you know everything that's going on within your network. Traditionally, these things would leave you in good shape cybersecurity-wise. However, the world is rapidly changing, and so is the threat landscape targeting businesses.

Due to cloud server migration, hosting, and other digital media initiatives, a business's digital presence no longer fits neatly behind its tightly secured perimeter. Its attack surface sprawls out across the open internet, outside the scope of firewalls and endpoint protection, as a collection of millions of digital assets laid bare for all to see, including hackers, as they research their next threat campaigns. 

This new reality for security teams means that the building metaphor must take a turn for the absurd to still represent what they need to protect. Now, imagine that the building you're guarding is not only growing larger every day, but its rooms are also changing, rotating, and reorienting in real time. The map you made of your building yesterday is no longer relevant today—you've lost track of many of the rooms, and new, hidden rooms have sprung up.

External Threat Management

It’s Time to Rethink Vulnerability Management. Welcome to the Age of Digital Attack Surface Management

For years, vulnerability management was synonymous with vulnerability scanning and pen-testing. These were the keys to understanding which of your organization's digital assets are susceptible to threats and where its vulnerabilities lie. However, widespread cloud migration and the explosive growth of the average business's online presence fundamentally changed what security teams need to protect, leaving scanning and pen-testing far from sufficient.

Vulnerability management has been an exercise in navel-gazing, looking at our assets' weak spots to close the shields. But once the whole IT footprint became a digital footprint—web, social, mobile, etc.—vulnerability scanning and pen-tests showed just how incomplete they were, unable to see beyond into that digital sphere. What was once a small area to defend is now an expansive digital attack surface, a universe of digital assets scattered across the web, cloud, and apps. It's only natural for exposures to go unnoticed on this fluid digital attack surface.

Unfortunately, breaches via these internet-connected assets are happening at an unprecedented rate, many of them the result of compromised assets that organizations weren't even aware existed. How do we mitigate exposures and risks when those exposures and risks are hidden in digital assets we cannot see? There must be an easier way.

It's time to think bigger than vulnerability management. Welcome to the age of digital attack surface management.

Vulnerability Management, Beyond Scanning
