RiskIQ Digital Footprint continuously discovers and maps your digital attack surface to provide an ‘outside-in’ view. This visibility enables security and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability/exposure control beyond the firewall.
Digital Footprint is priced based on tiers counting the number of unique hostnames in an organization's inventory as a measure of the organization's attack surface size and complexity. Hostnames in Approved Inventory, Dependency, and Monitor Only statuses are counted for the purposes of licensing. Use of Digital Footprint is limited to the digital footprint of Customer and their Affiliates and is not for the digital footprint of third parties, such as suppliers or vendors.
Discovery & Inventory
RiskIQ’s proprietary discovery technology recursively search for infrastructure with observed connections to known legitimate assets (discovery "seeds") over time in order to make inferences about that infrastructure's relationship to the organization and uncover previously unknown and unmonitored properties.
Digital Footprint includes the discovery of the following types of assets:
- Domain Names
- Web Pages
- IP Blocks
- IP Addresses
- SSL Certificates
- WHOIS Contacts
- Mobile Apps
- Social Media Profiles
Discovered assets are indexed and classified in a RiskIQ Inventory, providing a dynamic system of record of all web infrastructure under the organization's management currently or historically, including web applications, third party dependencies, and other asset connections.
All assets are labeled as one of the following states:
- Approved Inventory: Asset is part of your owned attack surface; an item that you are directly responsible for.
- Dependency: infrastructure is third-party-owned, but is part of your attack surface because it directly supports the operation of your Approved Inventory assets. (For example, you might depend on an IT provider to host your web content. Thus, while the domain, hostname, and pages would be part of your Approved Inventory, you may wish to treat the IP Address the host is running on as a Dependency.)
- Monitor Only: An asset that is relevant to your attack surface but is neither directly controlled nor a technical dependency. (For example, independent franchisees or assets belonging to companies you are in the process of divesting from or acquiring might be labeled as Monitor Only rather than Approved Inventory in order to separate the groups for reporting purposes.)
- Candidate: An asset that has some relationship to your organization's Approved Inventory, but where the relationship is not deterministic enough to infer that it necessarily belongs in Inventory.
- Requires Investigation: Similar to Candidate except that this status is manually rather than automatically set. It does not indicate the infrastructure's exact relationship to the organization as much as it denotes that this asset has been flagged as requiring additional review or input to determine how it should be categorized.
Digital Footprint detects malware being hosted on, linked to, or embedded in a web page that is part of the organization's Inventory. Each event is defined by malware occurring on a unique combination of the affected host (host in Inventory) and observed threat host. Full crawl metadata and user sessions are recorded as forensic evidence.
When a threat is detected, a Malware event is created in the workspace which can be viewed in the events dashboard and events list inside the RiskIQ web application, in an email alert, or via the RiskIQ events API. All hosts and URLs are also linked to PassiveTotal and RiskIQ's raw crawl data for further investigation. The detection criteria for generating an event can be based on either third-party blacklist reputation (ex. VirusTotal, Google Safe Browsing, etc.) or proprietary malware signatures developed by the RiskIQ Research team.
Digital Footprint Advanced detects web pages within an organization's inventory that has been defaced by hackers along with the screenshot of the page as it is displayed to site visitors. Full crawl metadata and user sessions are recorded as forensic evidence.
When a defaced site is found, a Defacement event is created in the workspace which can be viewed in the events dashboard and events list inside the RiskIQ web application, in an email alert, or via the RiskIQ events API. All hosts and individual URLs are also linked to PassiveTotal and RiskIQ's raw crawl data for further investigation. The detection criteria for generating an event is based on proprietary machine learning algorithms looking for the similarity between analyzed pages and known examples of previously defaced pages from threat actors coupled with keyword detection in the page response body that is indicative of defacement.
RiskIQ provides a range of dashboards to help customers dig into specific use cases, including an overall summary of your digital footprint, footprint changes and trends over time, as well as dashboards to dig into specific aspects of your attack surface (for example, secure cloud expansion, services, applications, and devices, malware and defacement events, and threat intelligence from the RiskIQ research team overlaying topics from the news or from threat research into insights about your footprint), Risk Reporting, which includes an overall risk posture summary score for the organization as a whole and on a broad range of security and compliance metrics with the ability to drill into specific affected assets and segment scores by brand and business unit with trending built-in, and a GDPR report digging into potential violations of the European General Data Protection Regulation, which can are difficult to detect using traditional tools and can carry extremely heavy fines if not addressed quickly.
Custom dashboards can also be built for specific customer needs and PDF reports based on any dashboard can be scheduled on a weekly, monthly, or quarterly basis to automatically generate and email to specified recipients. Email alerts, data exports, webhooks, APIs, and integrations with popular SIEM, SOAR, and other tools to extract and interact with inventory or event data are all also available tools to fulfill reporting needs.
Digital Footprint - Advanced
The Digital Footprint - Advanced add-on to RiskIQ Digital Footprint provides a deeper level of analysis for an organization's highest priority assets. With this coverage, RiskIQ virtual users go beyond the daily homepage crawling for all sites provided in Digital Footprint to also click through and monitor all linked webpages within sites on specified hostnames at least once per month, providing more comprehensive threat event detection and web component and content analysis associated to those hosts.
Pricing is defined per host asset enabled with augmented crawling coverage, and hosts eligible for coverage must be included in the host count defined in the Digital Footprint subscription tier. As used herein: a “Host” refers to a hostname, and for the avoidance of doubt, a host with secure HTTPS and/or unsecured HTTP protocols would represent one Host. (Example: https://www.riskiq.net and http://www.riskiq.net together would represent one Host).