RiskIQ Illuminate App in the CrowdStrike Store Combines Unmatched External Telemetry with Endpoint Intelligence | Attack Surface Management
February 20, 2020
It's incredible to think how far organizations have come in gaining visibility into their enterprise in just the last five years. Analysts used to have conversations about how and where to enable logging. One quantum leap later, and these conversations are now about how to optimize queries to get the most out of the vast amounts of internal data available to them.
Today, analysts operate with an extreme amount of context, but their own collection is just one side of what their organization looks like. The most successful businesses recognize that they must pair this internal data collection with external intelligence to have real visibility into their attack surface—and how it appears to would-be attackers.
RiskIQ has worked to provide this external view for over a decade, collecting and storing internet data to feed technology that functions like a TiVo for the Internet, giving security teams the ability to look back at attacks and understand why and how they happened, as well as to detect new ones. Over that time, RiskIQ has built unmatched data sets found nowhere else that power several defense-based products and enable a community of over 85,000 security practitioners to conduct thorough investigations into cyber security threats.
Although it fuels threat investigations worldwide, RiskIQ’s data becomes even more powerful when combined with endpoint telemetry. That’s why RiskIQ, the global leader in attack surface management, is excited to announce that we’ve partnered up with CrowdStrike to deliver RiskIQ Illuminate for Falcon, a solution that offers truly unique visibility into cyber security threats by pairing unmatched external intelligence with leading endpoint-visibility data sets.
February 18, 2020
Perhaps no organization is entrusted with more highly sensitive consumer data than the credit bureau Equifax. So when it suffered one of the most massive data breaches in history in 2017, the result was catastrophic for its millions of customers, their trust in Equifax—and consumer trust in credit reporting agencies in general.
The breach, which led to the theft of 147 million people's personal information, left us asking how something on that scale and with such far-reaching implications could happen. There seemed to be an illusion that because Equifax is so big, so ubiquitous, and holds so much data that they were taking better care than most organizations to protect it. They were invincible, right?
With the recently-released Senate Committee on Homeland Security and Governmental Affairs' report on its investigation into the breach, the reason is painfully clear. Equifax, like most organizations, was unaware of the scope of its attack surface—especially that which resides outside the firewall—and therefore was unable to maintain an adequate patch-management policy.
It seems to be a terrifying trend, as many of the large-scale breaches that now surface in the news all too regularly are a result of compromised external assets that organizations weren't aware existed. According to Senators Rob Portman and Tom Carper, who authored the report, that is precisely what happened to Equifax. What's even more terrifying? The audit report mentioned that Equifax lacked a comprehensive IT asset inventory and did not fully understand the scope of the digital assets it owned.
Equifax was hacked via a consumer complaint web portal with a widely known vulnerability their security team should have patched. Once the attackers moved laterally into their network, they exfiltrated encrypted data for months because Equifax did not renew an encryption certificate on one of their internal security tools, which meant that this encrypted traffic wasn't being inspected.
Magecart Group 12’s Latest: Actors Behind Cyberattacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign
February 07, 2020
A recent blog post by Jacob Pimental and Max Kersten highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and UEFA Euro 2020, olympictickets2020.com and eurotickets2020.com respectively. These sites were compromised by a skimmer using the domain opendoorcdn.com for data exfiltration. With RiskIQ data, our researchers built on the previous reporting to identify more skimming domains used by the attackers, as well as additional compromised sites. RiskIQ can also now attribute all these cyberattacks to Magecart Group 12.
The obfuscation and skimming code we observed on opendoorcdn.com matches that used by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in our blog posts, "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" and "Magento Attack: All Payment Platforms are Targets for Magecart Attacks." However, there are differences in the techniques employed by Group 12 in these more recent compromises, which we'll break down here.
In those blog posts, we noted that Group 12 employed base64 encoded checks against the URL looking for the word "checkout" to identify the proper page on which to load their skimmer code. This encoding masked both the check itself and the skimmer URL. Quoting from our May 1st, 2019 report:
January 31, 2020
What concerns keep CEOs and other business leaders up at night? What doesn't?
Financial results and competitive challenges are top of mind for sure. Still, today's C-suiters also face more modern anxieties, like the chance of a cyberattack on the company, or on the executives themselves.
In the new economy, business executives are more and more digitally connected to family, colleagues, and work through mobile devices and social platforms. Like everyone, each leader's digital interactions and online behaviors leave cyber breadcrumbs across the internet. Hackers can easily search for these digital clues, leaving executives susceptible to having their net worth, intellectual property, and personal reputation exploited. For example, hackers tend to follow the social media feeds of executives to learn about their activities and the colleagues with whom they regularly interact – from personal assistants to other company leaders. A hacker may be able to "crack" the credentials of these trusted colleagues, then begin impersonating them to lure the victim into sharing sensitive corporate or personal information.
What's the end game for hackers? There could be any number of motives behind a cyber crook's endeavors to manipulate or sabotage an executive: financial gain, political aims, even revenge, are all examples. A hacker may also target executives to sell their information to others. For example, an executive may post her workout metrics on a fitness app. Cyber-crooks can use this information to uncover the woman's home address, which they can pass along to known burglars. Or the hacker may follow a person's notification about attending events, knowing they will not be home at a certain time.
The critical need for executive protection
January 30, 2020
This holiday shopping season was a boon for retailers, who raked in a record $1 trillion, an incredible increase of nearly $300 billion from 2018. Meanwhile, overall online sales increased 13%, while Black Friday and Cyber Monday saw 17% and 19% increases, respectively.
But online holiday shopping is a goldmine for more than just e-commerce businesses—threat actors try to get a piece of every dollar that consumers spend. Over the 2019 holiday shopping frenzy, these cyber-crooks used the brand names of leading e-tailers, as well as the poor online security hygiene of consumers, to pocket some of these earnings for themselves.
January 23, 2020
RiskIQ agrees with most experts that Iran is likely planning additional cyber-attacks in the coming months to punish the U.S. for the airstrike that killed the Iranian Islamic Revolutionary Guard Corps (IRGC) Commander, Qasem Soleimani.
Below, RiskIQ's managed intelligence services team, comprised of former intelligence officers, assesses how state-sponsored threats from Iran can affect your business.
So far, in keeping with its modus operandi, Tehran's response to the attack has been measured and proportional. Four days after the strike, the IRGC launched numerous ballistic missiles at U.S. airbases in Iraq, inflicting minor casualties. According to the Washington Post, on January 8th the head of Iran's Aerospace Force stated they "did not intend to kill... [instead, they] intended to hit the enemy's military machinery."
Historically, Iran has also conducted retaliatory attacks calibrated to maintain plausible deniability and avoid escalation. Attribution for cyber attacks is difficult, making it a useful—and frequently used—countermeasure for Tehran.
Iran has a first-world cyber-attack capability
January 22, 2020
December 20, 2019
Imagine you were responsible for the protection of a building.
You'd probably start by analyzing its entire interior and exterior, mapping every square foot to determine what defenses you need to put in place and where. Along with your locks and alarms, you'd want to install a network of surveillance cameras positioned to give you real-time visibility of the entire structure, i.e., anywhere a burglar could possibly show up. It's a pretty clear-cut formula that, once implemented, ensures you're ready to defend against intruders.
Securing a building is a metaphor that's used in corporate cybersecurity often, and for a good reason—it's a straightforward way of characterizing network security controls. Your firewalls and proxies are your locks, and your scanners are your security cameras, letting you know everything that's going on within your network. Traditionally, these things would leave you in good shape cybersecurity-wise. However, the world is rapidly changing, and so is the threat landscape targeting businesses.
Due to cloud server migration, hosting, and other digital media initiatives, a business's digital presence no longer fits neatly behind its tightly secured perimeter. Its attack surface sprawls out across the open internet, outside the scope of firewalls and endpoint protection, as a collection of millions of digital assets laid bare for all to see, including hackers, as they research their next threat campaigns.
This new reality for security teams means that the building metaphor must take a turn for the absurd to still represent what they need to protect. Now, imagine that the building you're guarding is not only growing larger every day, but its rooms are also changing, rotating, and reorienting in real time. The map you made of your building yesterday is no longer relevant today: you've lost track of many of the rooms, and new, hidden rooms have sprung up.
It’s Time to Rethink Vulnerability Management. Welcome to the Age of Digital Attack Surface Management
December 18, 2019
For years, vulnerability management was synonymous with vulnerability scanning and pen-testing. These were the keys to understanding which of your organization's digital assets are susceptible to threats and where its vulnerabilities lie. However, widespread cloud migration and the explosive growth of the average business's online presence fundamentally changed what security teams need to protect, making scanning and pen-testing not nearly sufficient.
Vulnerability management has been an exercise in navel-gazing, looking at our assets' weak spots to close the shields. But once the whole IT footprint became a digital footprint (web, social, mobile, etc.), vulnerability scanning and pen-tests showed just how incomplete they were, unable to see beyond into that digital sphere. What was once a small area to defend is now an expansive digital attack surface, a universe of digital assets scattered across the web, cloud, and apps. It's only natural for exposures to go unnoticed on this fluid, digital attack surface.
Unfortunately, breaches via these internet-connected assets are happening at an unprecedented rate, many of them a result of assets compromised that organizations weren't aware even existed. How do we mitigate exposures and risks, when those exposures and risks are hidden in digital assets we cannot see? There must be an easier way.
It's time to think bigger than vulnerability management. Welcome to the age of digital attack surface management.