Detect and Respond to Targeted Digital Threats Across Web, Social, and Mobile Channels
External threats are malicious campaigns and threat actors that attempt to exploit security exposures in your attack surface that exist outside the firewall. All organizations with a digital presence are exposed to external threats by attackers who attempt to impersonate your brand and official communications channels on the internet, social media, and through mobile apps.
Targeted external threats that can compromise your employee or customer data security include:
Successful exploitation of these threats allows threat actors to steal customer or company data, distribute malware, divert user traffic, or otherwise exploit trust in your brand.
The RiskIQ External Threats solution sets enable security teams to detect and respond to these myriad threats as they appear in the wild, mitigating the impact that they have on your organization, employees, and customers. By combining the largest internet data sets available with the most comprehensive monitoring of digital channels, RiskIQ enables effective digital threat management.
RiskIQ External Threats™ uses virtual user technology as it crawls the internet, experiencing websites, paste sites, social media profiles, mobile apps, and mobile app stores just like a real user does. Our virtual users visit websites from thousands of IP addresses originating from around the world on residential, commercial, and mobile networks, while using different browser and device types and software versions. This advanced internet reconnaissance technique evades detection by threat actors who are watching for automated crawling technology.
Sophisticated analysis, detection techniques, and fine-tuned policy controls turn a sea of data into discrete, actionable events and workflows that reduce your digital risk and eliminate threats. Utilizing in-app mitigation, correspondence tracking, and takedown capabilities, security teams can block threats and submit them directly to the platform that is hosting the threat, shutting down threats targeting your customers and employees.
Your organization needs to understand attack vectors used against your organization and customers, like phishing, brand use in third-party domains and subdomains, rogue mobile apps, and social media impersonation. This information helps your security teams respond quickly and remove the threats as they’re detected.
RiskIQ uses virtual user technology to detect threats and experience them like a real user does, allowing you to accurately detect, monitor, enforce, and report on digital threats.
The internet is a big place and offers criminals lots of room to hide, which makes it easy for anyone to spin up a website or register a cheap domain and pretend to be you. External Threats helps your organization detect these threats and:
As new digital threats are found, security teams must be alerted to them in an actionable, prioritized way. External Threats provides security teams and incident responders with:
Once threats are detected and confirmed, teams must mitigate them as quickly as possible.
To do that, External Threats provides:
Organizations with compliance controls in place need accurate reporting on the existence of digital threats and the mitigation efforts to resolve them. External Threats tracks these and provides:
External Threats is based on a workflow engine that enables organizations to manage threats against them in a central location, with workflows, APIs, and tracking and auditing capabilities. The workflow engine is required for External Threats, but does not require the purchase of additional detection modules if workflow and event management is all that is needed as the basis of an organization’s digital threat management workflow.
For External Threats, each module can be set up to monitor threats against Brands. A brand is any discrete business entity, line of business, department, agency, or division. External Threats Premium includes two brands per module. External Threats Enterprise includes five brands per module. Additional brands can be purchased as add-ons. In the case of the Social Executive Threats module, one brand is equivalent to 10 executive names.
External Threats Workflow Engine
RiskIQ provides both a web interface and API access to clients and their support teams to submit and investigate events. The web interface is designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation.
For each threat event, users can take the following workflow actions:
Continuous monitoring of online resources lets customers know when threats have been successfully remediated, and RiskIQ’s post-resolution monitoring automatically re-opens events and alerts users to any tenacious threats posing a recurring risk to the organization.
This is required for any External Threats customer.
Phishing Threats
Phishing Threats provides detection and workflow for mitigating phishing sites targeting an organization’s brand and customers.
RiskIQ ingests suspected phishing URLs from a broad range of sources, including third-party blacklists, an organization’s abuse mailboxes, web server referrer logs, and DMARC data, as well as direct client submissions, to streamline detection, review, and mitigation of phish. Machine learning algorithms sort phishing pages from legitimate sites, automatically validating the vast majority of phish and leaving only a small fraction, if any, for human review.
Integrations with Google Safe Browsing and Microsoft SmartScreen automatically submit phish for browser blocking, covering 98% of internet users, and pre-configured templates generate and send takedown notices for phishing sites. Together these dramatically reduce mean time to mitigation and the overall lifetime of phish.
Domain Threats
Domain Threats provides detection and workflow for mitigating domain and subdomain names that contain or are confusingly similar to client brands.
RiskIQ analyzes new and updated WHOIS registrations daily and leverages its large repository of passive DNS data to identify newly observed and updated host records whose subdomain names exploit brand names. Domains are analyzed on multiple dimensions of similarity, including edit distance, homographic similarity, Punycode obfuscation, and regular expression matching, which increases coverage and reduces false positives compared with using any one detection method alone.
Automatic analysis of the domain’s threat level, including any web content hosted on the domain and the domain’s capability to send or receive email, allows users to quickly identify high-priority threats and determine the proper response and mitigation strategy using pre-configured templates and built-in workflow.
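The following is an added illustration of the multi-dimension similarity matching described above (edit distance, homograph folding, Punycode decoding, and regular-expression matching); it is not RiskIQ code. The brand names, the confusable-character table, the lure-word affix list, and every sample domain are constructed for the example, and the last label is treated as the TLD in place of a real public-suffix list.

```python
"""Brand-similarity analysis of candidate domain names.

Added illustration of the multi-dimension matching described above; this is
not RiskIQ code. Brand names, the confusable table, the affix list and all
sample domains are constructed for the example.
"""
import re
from typing import Optional

# Constructed sample brand list; a deployment would load the client's brands.
BRANDS = ["examplebank", "acmepay"]

# Constructed subset of lookalike characters folded to their Latin target.
# Real systems use the Unicode confusables table, which is far larger.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0455": "s", "\u0131": "i",                  # Cyrillic с ѕ, dotless i
})

# Constructed affix list for the regular-expression dimension: the brand
# glued to a lure word such as "login" or "support", in either order.
AFFIXES = "login|secure|support|verify|update|account"
BRAND_REGEXES = {
    b: re.compile(rf"{re.escape(b)}[-_]?(?:{AFFIXES})|(?:{AFFIXES})[-_]?{re.escape(b)}")
    for b in BRANDS
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_idn(domain: str) -> str:
    """Lowercase and turn any Punycode (xn--) labels back into Unicode."""
    return domain.strip().rstrip(".").lower().encode("idna").decode("idna")


def fold(label: str) -> str:
    """Replace lookalike characters so homographs compare equal to the brand."""
    return label.translate(CONFUSABLES)


def analyze(domain: str) -> Optional[dict]:
    """Score one domain against every brand; return the strongest signal or None.

    Signals, in priority order: exact (brand used verbatim as a label),
    homograph (equal only after Punycode decoding and confusable folding),
    regex (brand plus a lure affix), edit-distance (within a length-dependent
    threshold). The last label is treated as the TLD and skipped; a real
    system would consult the public-suffix list instead.
    """
    unicode_form = decode_idn(domain)
    labels = unicode_form.split(".")
    for brand in BRANDS:
        for label in labels[:-1]:
            folded = fold(label)
            if folded == brand:
                signal = "exact" if label == brand else "homograph"
                return {"domain": domain, "brand": brand, "signal": signal,
                        "distance": 0, "decoded": unicode_form, "folded": folded}
            if BRAND_REGEXES[brand].search(folded):
                return {"domain": domain, "brand": brand, "signal": "regex",
                        "distance": levenshtein(folded, brand),
                        "decoded": unicode_form, "folded": folded}
            dist = levenshtein(folded, brand)
            if dist <= (1 if len(brand) < 8 else 2):
                return {"domain": domain, "brand": brand, "signal": "edit-distance",
                        "distance": dist, "decoded": unicode_form, "folded": folded}
    return None


# Constructed samples. The Punycode one is built from a Cyrillic "а" (U+0430),
# so the ASCII form seen in WHOIS or passive DNS looks nothing like the brand.
PUNYCODE_SAMPLE = "ex\u0430mplebank.com".encode("idna").decode("ascii")
SAMPLES = [
    "examplebank-login.com",   # brand plus lure word
    "examp1ebank.com",         # digit-for-letter lookalike
    "exampiebank.com",         # one-character typo
    PUNYCODE_SAMPLE,           # IDN homograph
    "acmepay-support.net",     # second brand, lure affix
    "weatherreport.org",       # unrelated, should be ignored
]


def run_samples() -> list:
    """Analyze every sample; unrelated domains yield None."""
    return [analyze(d) for d in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

Running the block prints one result per sample; the Punycode sample only matches once the xn-- label is decoded and the Cyrillic character is folded, which is why decoding must happen before any string comparison, and the ordering of the checks means a cheap exact or homograph hit is reported before the costlier distance computation.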
Mobile Threats
Mobile Threats provides visibility into a brand’s presence throughout the global mobile app ecosystem, identifying unauthorized download locations of official applications as well as mobile spoofs impersonating or claiming false affiliation with a brand.
RiskIQ searches 180+ app stores around the world with native-level integrations, as well as a unique source of “feral app” files found outside of dedicated app stores, to automatically extract app details and download mobile binaries. Analysis of app store attributes, app posting details, and all app code and files enables RiskIQ to automatically categorize official apps, old or modified versions of official apps, and third-party apps posing as official branded apps to divert downloads, harvest user credentials, distribute malware, or engage in other fraudulent behavior.
Pre-configured templates for reporting violations to contacts at each app store allow users to mitigate mobile threats across all stores quickly and effectively.
Social Brand Threats
Social Brand Threats provides detection and workflow for mitigating social media accounts impersonating brands in all major social networks, including Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest, and Google+.
RiskIQ uses a combination of API integrations and unique virtual user technology to search social networks and analyze account details for unofficial social media accounts claiming to represent client organizations. Examples include fake customer support channels phishing for customer data, fake job recruiters asking applicants for personal information or job application fees, social accounts associating a brand with offensive or illegal content, or employee-created accounts out of compliance with company social media use policies.
Links to each social network’s web form or other channel for reporting abuse are provided within each event alert to facilitate efficient mitigation.
Social Executive Threats
Social Executive Threats provides detection and workflow for mitigating social media accounts impersonating company executives or employees in all major social networks (Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest, and Google+).
RiskIQ uses a combination of social media API integrations and unique virtual user technology to search social networks and analyze account details for illegitimate social media accounts claiming to represent company executives or employees, typically for the purpose of using social engineering to phish for sensitive data or to embarrass specific, high-profile individuals affiliated with a company.
Data Leakage Detection
Data Leakage Detection provides detection and workflow for mitigating stolen user credentials and other leaked sensitive company data being posted in the open, offered for sale, or otherwise made available to third parties outside the organization.
RiskIQ searches various websites and forums for such data, including Pastebin, GitHub, SlideShare, and open hacker forums and blogs to monitor what data related to an organization is available in each of these locations.
Pre-configured templates and content removal procedures for various sites and types of posts facilitate enforcement to remove detected data leakage.
Brand Tarnishment
Brand Tarnishment includes the detection and mitigation of web content infringing on client brand trademarks by attacking the brand reputation and/or associating the brand with illegal or objectionable content.
RiskIQ virtual users search for such content, analyzing webpages for brand-related text or images, and leverage machine learning and other advanced analytics to identify threat content that may constitute tarnishment of the brand. Depending on the client brand’s industry and policies, such content can include malware as well as categories such as pornography, liquor, tobacco, weapons, pharma, and gambling.
Mitigation is based on a representative trademark chart and description of the tarnishment relevant to the internet presence location, as well as customer approval after performing a fair-use analysis.
Deep and Dark Web Monitoring
The Deep and Dark Web (DDW) module provides visibility into mentions of your organization, key executives, brand, or other keywords of interest across deep and dark web forums.
Data is sourced from Flashpoint, a RiskIQ partner specializing in monitoring the deep and dark web. When a mention or keyword is detected on the deep and dark web, an event is created in External Threats and viewed side-by-side with threats detected on the open web. Viewing different pieces of the puzzle together, you can draw additional insights from connections in the data and track a threat from planning and discussion stages in forums through to the actions taken and infrastructure used on the open web to launch the attack.
Because of the nature of the deep and dark web, this module does not include mitigation or remediation. However, Flashpoint has skilled, multilingual analysts who can provide expert language translation where that service is required to interpret the data found on the dark web.
Remote Deposit Capture Fraud / Card Cracking
Remote Deposit Capture (RDC) Fraud and Card Cracking are popular forms of financial fraud that typically involve recruiting victims through social media posts to use as mule bank accounts. This module provides detection and workflow for mitigation of such posts related to client brands in order to prevent these types of fraudsters from recruiting new victims with the promise of making quick cash as a reward for helping the scammer move a larger sum of money.
RiskIQ virtual users monitor the most heavily used social media channels (Facebook, Twitter, Instagram, and YouTube) for this type of recruiting, detecting such activity in dedicated accounts and/or individual posts. Scams typically target one or more specifically named financial institutions, often mentioning a real or fictitious friend or relative who works at the institution in order to convince victims of the authenticity and viability of the scam.
Event alerts contain all the necessary evidence to report abusive posts to each social network and request removal.
Phone Phish
Phone Phish includes mitigation of phishing threats carried out via phone calls impersonating a brand or service (sometimes called voice phishing or vishing).
Mitigation of phone phish consists of reporting fraudulent phone numbers to the associated telecommunications company through which they are operating in order to get them deactivated.
This module is only available in conjunction with RiskIQ’s Managed Security Services to assist with the mitigation of Phone Phish threats.
Email Spoof
Email Spoof includes the mitigation of email addresses used to send messages forged to appear as though they were sent by someone else for the purpose of carrying out fraud. This category includes email account compromise (EAC) attacks as well as business email compromise (BEC) attacks and the phishing emails that typically precede such attacks.
Email Spoof mitigation consists of reporting fraudulent email senders to the associated mail provider along with full mail headers and message bodies demonstrating the fraud in order to get them deactivated.
This module is only available in conjunction with RiskIQ’s Managed Security Services to assist with the mitigation of Email Spoof threats.
Custom Monitoring
Custom Monitoring modules allow customers to adapt the capabilities of the RiskIQ platform to automate the detection of any additional External Threat-related use cases not listed as modules above. All proposed Custom Monitoring use cases will be subject to review to evaluate their technical feasibility.
The detection logic for each custom module will vary per use case, and each use case sufficiently different to require its own unique configuration shall be counted as a separate Custom Monitoring module.
Part of the review process will include defining mitigation procedures and configuring associated templates as appropriate. For clients using RiskIQ’s Managed Security Services, mitigation of threats detected through custom monitoring will be limited to the capabilities available from the RiskIQ Incident Response Team.
RiskIQ External Threats Managed Security Services (MSS)
RiskIQ’s Incident Response Team (IRT) will operate RiskIQ External Threats Enterprise on behalf of the customer, including:
RiskIQ Enterprise Managed Security Services covers all purchased modules and brands.