RiskIQ External Threats®

Detect and Respond to Targeted Digital Threats Across Web, Social, and Mobile Channels

What are External Threats?

External threats are malicious campaigns and threat actors that attempt to exploit security exposures in your attack surface that exist outside the firewall. All organizations with a digital presence are exposed to external threats by attackers who attempt to impersonate your brand and official communications channels on the internet, social media, and through mobile apps.

Targeted external threats that can compromise your employee or customer data security include:

  • Deep and dark web discussions about your organization
  • Phishing
  • Rogue and feral mobile apps
  • Social media impersonation of VIPs and support channels
  • Domain and subdomain infringement
  • Brand tarnishment and abuse
  • Data leakage
  • Phone & SMShing
  • Card cracking and remote deposit capture (RDC) fraud
  • Email spoofing and business email compromise (BEC)

Successful exploitation of these threats allows threat actors to steal customer or company data, distribute malware, divert user traffic, or otherwise exploit trust in your brand.

The RiskIQ External Threats® solution sets enable security teams to detect and respond to these myriad threats as they appear in the wild, mitigating the impact that they have on your organization, employees, and customers. By combining the largest internet data sets available with the most comprehensive monitoring of digital channels, RiskIQ enables effective digital threat management.

How does RiskIQ External Threats work?

RiskIQ External Threats uses virtual user technology as it crawls the internet, experiencing websites, paste sites, social media profiles, mobile apps, and mobile app stores just like a real user does. Our virtual users visit websites from thousands of IP addresses originating from around the world on residential, commercial, and mobile networks, while using different browser and device types, and software versions. This advanced internet reconnaissance technique evades detection from threat actors who are watching for automated crawling technology.

Sophisticated analysis, detection techniques, and fine-tuned policy controls turn a sea of data into discrete, actionable events and workflows that reduce your digital risk and eliminate threats. Utilizing in-app mitigation, correspondence tracking, and takedown capabilities, security teams can block threats and submit them directly to the platform that is hosting the threat, shutting down threats targeting your customers and employees.

Ovum Research: RiskIQ provides external digital threat defense

Critical Capabilities for Detection and Response to External Threats

Your organization needs to understand attack vectors used against your organization and customers, like phishing, brand use in third-party domains and subdomains, rogue mobile apps, and social media impersonation. This information helps your security teams respond quickly and remove the threats as they’re detected.

RiskIQ uses virtual user technology to detect threats and experience them like a real user does, allowing you to accurately detect, monitor, enforce, and report on digital threats.


Detection

The internet is a big place and offers criminals lots of room to hide, which makes it easy for anyone to spin up a website or register a cheap domain and pretend to be you. External Threats helps your organization detect these threats and:

  • Find targeted attacks and threat actors before it’s too late to preserve customers’ trust in your organization in digital channels
  • Know how safe your customers are or are not by having visibility into what their online experience is like
  • Understand how you appear in the wild, and the content associated with you that customers encounter online


Monitoring

As new digital threats are found, security teams must be alerted to them in an actionable, prioritized way. External Threats provides security teams and incident responders with:

  • Sorting, filtering, and scoring, which allow users to prioritize the most urgent threats for immediate attention
  • Presentation of all essential information (platform, threat type, and even screenshots) in a single, actionable event summary to facilitate efficient review, triage, and response
  • Seamless collaboration with teammates to prevent duplicated efforts or tasks falling through the cracks
  • Built-in workflow actions to immediately mitigate threats, seek feedback from teammates, mark as potentially suspicious, and automatically monitor and alert on future changes


Enforcement

Once threats are detected and confirmed, teams must mitigate them as quickly as possible. To do that, External Threats provides:

  • Automatically generated, customizable enforcement requests to appropriate parties at the push of a button
  • Simultaneous enforcements of related incidents for efficient action
  • Tracking of all correspondence and message threads with hosting platforms in a single screen
  • Enforcement performance metrics, replies, and automatic reminder and follow-up notices for unresolved issues
  • Continuous monitoring to alert when enforced threats have been successfully remediated, and post-resolution monitoring for tenacious threats that pose recurring risk to the organization


Reporting

Organizations with compliance controls in place need accurate reporting on the existence of digital threats and the mitigation efforts to resolve them. External Threats tracks these and provides:

  • Intuitive dashboards and drill down reporting for current threats and overall state of affairs, tracking trends and benchmarking performance and risk over time, and detailed incident breakdowns by type, brand, status, and other attributes
  • Exportable and interoperable data that can be exported to CSV or accessed via our REST-based API

Dive Deeper into the External Threats Solution Set

External Threats is based on a workflow engine that enables organizations to manage threats against them in a central location, with workflows, APIs, and tracking and auditing capabilities. The workflow engine is required for External Threats, but does not require the purchase of additional detection modules if workflow and event management is all that is needed as the basis of an organization’s digital threat management workflow.

For External Threats, each module can be set up to monitor threats against Brands. A brand is any discrete business entity, line of business, department, agency, or division. External Threats Premium includes two brands per module. External Threats Enterprise includes five brands per module. Additional brands can be purchased as add-ons. In the case of the Social Executive Threats module, one brand is equivalent to 10 executive names.

External Threats Workflow Engine

RiskIQ provides both a web interface and API access to clients and their support teams to submit and investigate events. The web interface is designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation.

For each threat event, users can take the following workflow actions:

  • Confirm: Validate event without sending an enforcement notice
  • Enforce: Generate and send a notice to initiate takedown, content removal, or another type of threat mitigation
  • Monitor: Automatically alert on any changes in content or behavior of a suspicious event that raise its threat-level and could trigger future enforcement
  • Review: Set aside for discussion/review to decide on proper response
  • Dismiss: Label event as a false positive
  • Assign a specific user to manage this event
  • Tag an event with a custom label for searching or reporting
  • Send the details of this event to a specified email address

Continuous monitoring of online resources lets customers know when threats have been successfully remediated, and RiskIQ’s post-resolution monitoring automatically re-opens events and alerts users to any tenacious threats posing a recurring risk to the organization.

This is required for any External Threats customer.

Phishing Threats

Phishing Threats provides detection and workflow for mitigating phishing sites targeting an organization’s brand and customers.

RiskIQ ingests suspected phishing URLs from a broad range of sources including third-party blacklists, an organization’s abuse boxes, web server referrer logs, and DMARC data, as well as direct client submissions to streamline detection, review, and mitigation of phish. Machine learning algorithms intelligently sort phishing pages from legitimate sites, automatically validating the vast majority of phish and leaving a small fraction, if any, left for human review.

Integrations with Google Safe Browsing and Microsoft SmartScreen, which automatically submit phish for browser blocking for 98% of internet users, and pre-configured templates to generate and send takedown notices for phishing sites dramatically reduce mean time to mitigation and the overall lifetime of phish.

Domain Threats

Domain Threats provides detection and workflow for mitigating domain and subdomain names that contain or are confusingly similar to client brands.

RiskIQ analyzes new and updated WHOIS registrations daily and leverages its large repository of passive DNS data to identify newly observed and updated host records with subdomain names exploiting brand names. Domains are analyzed on multiple dimensions of similarity, including edit distance, homographic similarity, Punycode obfuscation, and regular expression matching, to increase coverage and reduce false positives compared with using any one detection method alone.
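The four similarity dimensions named above can be combined as in the following added example, which is not RiskIQ's code and is not part of the original page. The brand `contoso`, the sample hostnames, the small confusables table, and the distance threshold are all constructed assumptions.

```python
import re
import unicodedata
# Tiny constructed confusables table; production systems use the Unicode TR39 data.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",            # digit look-alikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
})

def decode_label(label):
    """Decode an 'xn--' (Punycode) label to Unicode; other labels pass through."""
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed Punycode: keep the raw label

def skeleton(label):
    """Fold a label for comparison: lowercase, strip accents, map confusables."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname, brand, official=frozenset(), max_distance=1):
    """Return the sorted similarity signals that fire for hostname against brand."""
    host = hostname.lower().rstrip(".")
    if host in official:
        return []
    signals = set()
    labels = host.split(".")[:-1] or [host]  # naive TLD strip, no public suffix list
    brand_re = re.compile(rf"(?:^|[-_]){re.escape(brand)}(?:[-_]|$)")
    for raw in labels:
        decoded = decode_label(raw)
        folded = skeleton(decoded)
        if decoded != raw:
            signals.add("punycode")
        if folded == brand and decoded != brand:
            signals.add("homograph")       # identical only after confusable folding
        elif brand_re.search(folded):
            signals.add("regex")           # brand used as a whole token in the label
        elif edit_distance(folded, brand) <= max_distance:
            signals.add("edit_distance")   # near-miss typo of the brand
    return sorted(signals)

# Constructed IDN sample: "contoso" with a Cyrillic "o", encoded as an xn-- label.
IDN_SAMPLE = "xn--" + "c\u043entoso".encode("punycode").decode("ascii") + ".com"
if __name__ == "__main__":
    for name in ("contoso.com", "c0ntoso.com", "contosso.com", IDN_SAMPLE):
        print(name, classify(name, "contoso", official={"contoso.com"}))
```

Each signal alone is noisy; scoring a hostname by how many signals fire, and excluding the organization's own registered names through `official`, is what keeps the review queue manageable.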

Automatic analysis of the domain’s threat level, including any web content hosted on the domain and the domain’s capability to send or receive email, allows users to quickly identify high priority threats and determine the proper response and mitigation strategy using pre-configured templates and built-in workflow.

Mobile Threats

Mobile Threats provides visibility into a brand’s presence throughout the global mobile app ecosystem, identifying unauthorized download locations of official applications as well as mobile spoofs impersonating or claiming false affiliation with a brand.

RiskIQ searches 180+ app stores around the world with native-level integrations, as well as a unique source of “feral app” files found outside of dedicated app stores, to automatically extract app details and download mobile binaries. Analysis of app store attributes, app posting details, and all app code and files enables RiskIQ to automatically categorize official apps, old or modified versions of official apps, and third-party apps posing as official branded apps to divert downloads, harvest user credentials, distribute malware, or engage in other fraudulent behavior.

Pre-configured templates for reporting violations to contacts at each app store allow users to mitigate mobile threats across all stores quickly and effectively.

Social Brand Threats

Social Brand Threats provides detection and workflow for mitigating social media accounts impersonating brands in all major social networks, including Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest, and Google+.

RiskIQ uses a combination of API integrations and unique virtual user technology to search social networks and analyze account details for unofficial social media accounts claiming to represent client organizations. Examples include fake customer support channels phishing for customer data, fake job recruiters asking applicants for personal information or job application fees, social accounts associating a brand with offensive or illegal content, or employee-created accounts out of compliance with company social media use policies.

Links to each social network’s web form or other channel for reporting abuse are provided within each event alert to facilitate efficient mitigation.

Social Executive Threats

Social Executive Threats provides detection and workflow for mitigating social media accounts impersonating company executives or employees in all major social networks (Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest, and Google+).

RiskIQ uses a combination of social media API integrations and unique virtual user technology to search social networks and analyze account details for illegitimate social media accounts claiming to represent company executives or employees–typically for purposes of using social engineering to phish for sensitive data or to embarrass specific, high-profile individuals affiliated with a company.

Links to each social network’s web form or other channel for reporting abuse are provided within each event alert to facilitate efficient mitigation.

Data Leakage Detection

Data Leakage Detection provides detection and workflow for mitigating stolen user credentials and other leaked sensitive company data being posted in the open, offered for sale, or otherwise made available to third parties outside the organization.

RiskIQ searches various websites and forums for such data, including Pastebin, GitHub, SlideShare, and open hacker forums and blogs to monitor what data related to an organization is available in each of these locations.

Pre-configured templates and content removal procedures for various different sites and types of posts facilitate enforcement to remove detected data leakage.

Brand Tarnishment

Brand Tarnishment includes the detection and mitigation of web content infringing on client brand trademarks by attacking the brand reputation and/or associating the brand with illegal or objectionable content.

RiskIQ virtual users search for such content, analyzing webpages for brand-related text or images and leveraging machine learning and other advanced analytics to identify the presence of threat content that may constitute tarnishment of the brand. Dependent on the client brand’s industry and policies, such content can include malware, plus such categories as pornography, liquor, tobacco, weapons, pharma, and gambling.

Mitigation is based on a representative trademark chart and description of the tarnishment relevant to the internet presence location, as well as customer approval after performing a fair-use analysis.

Deep and Dark Web Monitoring

The Deep and Dark Web (DDW) module provides visibility into mentions of your organization, key executives, brand, or other keywords of interest across deep and dark web forums.

Data is sourced from Flashpoint, a RiskIQ partner specializing in monitoring the deep and dark web. When a mention or keyword is detected on the deep and dark web, an event is created in External Threats and viewed side-by-side with threats detected on the open web. Viewing different pieces of the puzzle together, you can draw additional insights from connections in the data and track a threat from planning and discussion stages in forums through to the actions taken and infrastructure used on the open web to launch the attack.

This module does not include mitigation or remediation due to the nature of the deep and dark web. However, Flashpoint has skilled, multi-lingual analysts who can provide expert language translation in cases where that service is required to interpret the data found on the dark web.

Remote Deposit Capture Fraud / Card Cracking

Remote Deposit Capture (RDC) Fraud and Card Cracking are popular forms of financial fraud that typically involve recruiting victims through social media posts to use as mule bank accounts. This module provides detection and workflow for mitigation of such posts related to client brands in order to prevent these types of fraudsters from recruiting new victims with the promise of making quick cash as a reward for helping the scammer move a larger sum of money.

RiskIQ virtual users monitor the major social media channels most used for this type of recruiting (Facebook, Twitter, Instagram, and YouTube) to detect such activity in dedicated accounts and/or individual posts. Scams typically target one or more specifically mentioned financial institutions, often including mention of a real or fictitious friend or relative who works at the institution in order to convince victims of the authenticity and viability of the scam.

Event alerts contain all the necessary evidence to report abusive posts to each social network and request removal.

Phone Phish

Phone Phish includes mitigation of phishing threats carried out via phone calls impersonating a brand or service (sometimes called voice phishing or Vishing).

Mitigation of phone phish consists of reporting fraudulent phone numbers to the associated telecommunications company through which they are operating in order to get them deactivated.

This module is only available in conjunction with RiskIQ’s Managed Security Services to assist with the mitigation of Phone Phish threats.

Email Spoof

Email Spoof includes the mitigation of email addresses used to send messages forged to appear as though they were sent by someone else for purposes of carrying out fraud. This category includes email account compromise (EAC) attacks as well as business email compromise (BEC) attacks and the phishing emails that typically precede such attacks.

Email Spoof mitigation consists of reporting fraudulent email senders to the associated mail provider along with full mail headers and message bodies demonstrating the fraud in order to get them deactivated.

This module is only available in conjunction with RiskIQ’s Managed Security Services to assist with the mitigation of Email Spoof threats.

Custom Monitoring

Custom Monitoring modules allow customers to adapt the capabilities of the RiskIQ platform to automate the detection of any additional External Threat-related use-cases not listed as modules above. All proposed Custom Monitoring use-cases will be subject to review to evaluate the technical feasibility.

The detection for each custom module will vary per use-case, and each use-case that is sufficiently different to require its own unique configuration shall be counted as a separate Custom Monitoring module.

Part of the review process will include defining mitigation procedures and configuration of associated templates as appropriate. For clients using RiskIQ’s Managed Security Services, mitigation of threats detected through custom monitoring will be limited to the capabilities available from the RiskIQ Incident Response Team.

RiskIQ External Threats Managed Security Services (MSS)

RiskIQ’s Incident Response Team (IRT) will operate the RiskIQ External Threats Enterprise on behalf of Customer, including:

  • Triage and review of External Threat Events by RiskIQ personnel
  • Taking actions to mitigate threats on behalf of Customer in accordance with Customer-defined direction and policies
  • Activity reporting and regular cadence meetings

RiskIQ Enterprise Managed Security Services covers all purchased modules and brands.