What is Discovery?

How Does It Work?

To map out all of your organization's assets, our system first intakes something that is known to belong to you as the seed used for discovering the rest. The initial seed may be any of the types of web infrastructure indexed by RiskIQ:

• Website
• Host Name
• Domain
• SSL Cert
• Contact Email Address
• IP Block
• ASN
• Name Server
• Mail Server

Given a seed, RiskIQ uses everything known about that seed in order to build a map of all the other things your organization owns, which make up the org's complete digital footprint. The discovery process uses the seeds as the central nodes and spiders outward towards the periphery of your digital footprint by identifying all the infrastructure directly connected to the seed, and then identifying all the things related to each of the things in the first set of connections, and so on and so forth until we reach the edge of what your organization is responsible for managing.

For example, to discover RiskIQ's infrastructure, you might use the domain, riskiq.com, as the initial keystone seed. Starting with this seed, we could consult the following sources and derive the following relationships:

• WhoIs Records:
  • Other domain names registered to the same contact email or registrant org used to register riskiq.com likely also belong to RiskIQ
  • All domain names registered to any @riskiq.com email address likely also belong to RiskIQ
  • Other domains associated with the same name server as riskiq.com may also belong to RiskIQ
• DNS Records
  • We can assume that RiskIQ also owns all observed hosts on the domains it owns and any websites that are associated with those hostnames 
  • Domains with other hosts resolving to the same IP blocks might also belong to RiskIQ if RiskIQ owns the IP block
  • Mail servers associated with RiskIQ-owned domain names would also belong to RiskIQ
• SSL Certs:
  • RiskIQ probably also owns all SSL certificates connected to each of those hosts and any other hosts using the same SSL certs
• IP Whois Records
  • Other IP blocks belonging to the same organization as the IP blocks in which RiskIQ's hosts are associated might also belong to RiskIQ and lead to more infrastructure RiskIQ owns through associations with other hosts/domains
• ASN Records
  • Other IP blocks associated with the same ASN as the IP blocks to which hosts on RiskIQ's domain names are connected may also belong to RiskIQ--as would all the hosts and domains that resolve to them

Using this set of first-level connections, we would have derived an entirely new set of candidate asset leads to investigate--upon each of which we can perform the same types of automated, recursive searching based on all their available attributes to find second-level and third-level connections--thereby, providing more information RiskIQ can use to build up the full set of infrastructure that an organization controls. 

Discovery returns high confidence "candidate assets" based on conducting these searches and deriving relationships using RiskIQ's data sets. Users may then confirm that those candidates are in fact owned by their organization and add them to their RiskIQ Inventory, or may instead dismiss them as not owned/owned by another entity if the organization does not consider itself responsible for managing those assets, in which case, that information is fed back into the discovery system to help guide future searching. 

Asset details are continuously refreshed and updated over time to maintain an accurate map of asset states and relationships as well as to uncover newly-created assets as they emerge. Once added to Inventory, asset websites also begin continuous monitoring via RiskIQ virtual users, which examine the content and behavior of each page within those sites. RiskIQ's Analytics and Classification technology can then use that data to identify and alert regarding potential security risks or policy violations within the set of assets your organization owns so that you can take appropriate action to remediate them.