RiskIQ External Threats automates the detection, monitoring, and remediation of fraudulent websites, domains, social profiles, and mobile apps impersonating an organization.
As businesses evolve and move more processes and interactions online, cyber-criminals exploit digital channels to launch new types of attacks. The RiskIQ platform enables security and anti-fraud teams to effectively manage Internet threats, including phishing, domain infringement, rogue mobile apps, social media impersonation, and brand-lure malware impacting their organization and its customers.
External Threats leverages information about an organization's legitimate digital presence to inform detection configuration and pricing. Licensing tiers are based on the approximate number of unique hostnames under management, which indicates the likely volume of threats targeting the organization's brands. External Threats is an all-in-one package with RiskIQ Managed Intelligence Services: RiskIQ analysts act as an extension of your team, tune workspace configurations, and assist with alert triage and mitigation efforts.
RiskIQ leverages its Internet intelligence datasets and proprietary virtual user technology to automate and streamline the detection and monitoring of threats over time. Virtual users closely simulate human Internet users in the ways they discover, analyze, and interact with web content to uncover previously unknown threats targeting specific user demographics and circumvent cloaking techniques used by criminals to evade detection. RiskIQ enriches the observations captured by virtual users with the full RiskIQ platform's intelligence, including the knowledge of what legitimate assets the organization has and what they look like to contextualize risks and prevent false positives.
When threats are detected, RiskIQ automatically creates alerts in the form of events within the platform and schedules virtual users to re-examine the threat resource at scheduled intervals to observe changes over time and track the entire lifecycle of a threat.
RiskIQ’s vast Virtual User network includes:
- A diversified bank of IP addresses from hundreds of geographic locations
- All major browsers, both desktop and mobile
- Algorithms to initiate crawlers from configurable search queries, API integrations, or on specific pages and follow links to simulate referred traffic
- Algorithms to simulate clicking through a page as an intentioned user would rather than a bot systematically or randomly clicking links
- The ability to extract, normalize and target key attributes from social media profiles and mobile app store pages
Full records of virtual user sessions, including screenshots, the captured document object model of each page, and the preserved sequence of links and redirects, provide the technical basis of RiskIQ's detection capabilities, upon which layers of analytics are automatically applied to classify each threat and enrich the data with additional insights to determine the appropriate response.
External Threats provides detection and workflow for mitigating phishing sites that are impersonating an organization to phish their users, customers, prospects, or partners via the use of one of their brands.
RiskIQ ingests suspected phishing URLs from a broad range of sources, including third-party blacklists, an organization’s internal or external abuse boxes, web server referrer logs, and DMARC data, as well as any customer submissions, to streamline detection, review, and mitigation of phish. Phishing simulation campaign URLs are excluded automatically from threat analysis through integrations with popular phishing awareness training products. Machine learning algorithms intelligently sort phishing pages from legitimate sites, automatically validating the vast majority of phish and leaving a small fraction, if any, for human review. Full crawl metadata and user sessions are recorded as forensic evidence.
Integrations with Google Safe Browsing and Microsoft SmartScreen automatically submit phish for browser blocking covering 98% of Internet users, and pre-configured templates generate and send takedown notices for phishing sites via email, web form, or API integration, dramatically reducing mean time to mitigation and the overall lifetime of phish.
External Threats detects and monitors suspicious domain and subdomain names that contain, or are confusingly similar to, an organization's official domains and brand names.
RiskIQ analyzes Whois registrations and passive DNS data to identify newly created third-party-owned domain names and subdomain names exploiting brand names. Domains are analyzed for similarity to official asset domains via a proprietary algorithm developed by the RiskIQ data science team, and for homographic similarity (including Punycode obfuscation) and regular-expression matches, to optimize accuracy and detection coverage.
Automatic analysis of the domain's threat level, including any web content hosted on the domain, the domain's capability to send or receive email, related infrastructure, and detection of Whois and DNS changes, allows users to quickly identify high-priority threats and determine the proper response and mitigation strategy using pre-configured templates and built-in workflow.
External Threats provides visibility into an organization's presence throughout the global mobile app ecosystem and identifies unauthorized download locations of official applications, mobile spoofs impersonating or leveraging the organization's brands to commit fraud, and mobile malware targeting the organization's users.
RiskIQ searches hundreds of official and unofficial app store sites worldwide with native-level integrations, including a unique source of "feral app" files found outside of dedicated app stores, to extract app details and download mobile binaries automatically. Analysis of app store attributes, app posting details, and app code and files enables RiskIQ to automatically categorize legitimate app assets and monitor for new version releases, identify old or modified versions of official apps available for download in unauthorized stores, and detect third-party apps posing as official branded apps or otherwise packaged with malware targeting an organization and its users.
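The three domain checks described above (brand keyword/regex matching, Punycode decoding with homoglyph folding, and an edit-distance similarity score) as an added, self-contained example; this is illustrative code, not RiskIQ's proprietary algorithm, and the brand name, official domains and sample registrations are constructed placeholders.

```python
import re
import unicodedata

# Constructed sample data (hypothetical brand, not a real organisation).
BRAND = "examplebank"
OFFICIAL_DOMAINS = {"examplebank.com", "examplebank.co.uk"}
BRAND_RE = re.compile(r"examp?le-?bank")  # keyword/regex rule, run on folded names

# Small illustrative homoglyph table: Cyrillic look-alikes and digit substitutions.
HOMOGLYPHS = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                            "і": "i", "ӏ": "l", "0": "o", "1": "l", "3": "e", "5": "s"})


def decode_idn(domain: str) -> str:
    """Expand Punycode labels (xn--...) so look-alike characters become visible."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave an undecodable label as-is
        labels.append(label)
    return ".".join(labels)


def fold(label: str) -> str:
    """Map a label to its ASCII look-alike form: NFKC, lower-case, homoglyph table."""
    s = unicodedata.normalize("NFKC", label).lower().translate(HOMOGLYPHS)
    return re.sub(r"[^a-z0-9-]", "", s)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used here as the 'confusingly similar' score."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, max_distance: int = 2) -> dict:
    """Explain why a domain or subdomain looks like it is exploiting the brand."""
    if domain.lower() in OFFICIAL_DOMAINS:
        return {"domain": domain, "suspicious": False, "reasons": []}
    decoded = decode_idn(domain)
    folded = [fold(part) for part in decoded.split(".")]
    reasons = []
    if BRAND_RE.search(".".join(folded)):
        reasons.append("brand keyword")
    else:  # no keyword hit: score every non-TLD label against the brand
        dist = min(levenshtein(l.replace("-", ""), BRAND) for l in folded[:-1] or folded)
        if dist <= max_distance:
            reasons.append(f"similar (edit distance {dist})")
    if reasons and decoded != domain.lower():
        reasons.insert(0, "punycode")
    return {"domain": domain, "suspicious": bool(reasons), "reasons": reasons}
```

In practice the candidate list would come from new Whois registrations and passive DNS observations, and a hit would open an event for content and MX analysis rather than being treated as a verdict on its own.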
Pre-configured templates for reporting violations to contacts at each app store via email or web form integration allow users to quickly and effectively mitigate mobile threats across all stores.
External Threats provides visibility into an organization's presence on all major social networks, including Facebook, Twitter, LinkedIn, Instagram, YouTube, and Pinterest, and provides workflow to mitigate social media accounts impersonating the organization.
RiskIQ uses a combination of API integrations and unique virtual user technology to search social networks and analyze profile details for unofficial social media accounts claiming to represent customer organizations. Through this analysis, RiskIQ categorizes official social channels, unauthorized social profiles set up by various business units throughout the organization that may be out of compliance with company policies, as well as fake third party social accounts, such as fake customer support channels phishing for customer data, fake job recruiters asking applicants for personal information or job application fees, or social accounts associating a brand with offensive or illegal content.
Pre-configured templates for reporting violations to contacts at each social network via email or web form integration allow users to quickly and effectively mitigate social threats.
External Threats provides detection and workflow for the misuse of official branding, such as product names or logos, in web pages delivering malware.
RiskIQ virtual users search for web content using a combination of threat feeds and configured search-engine queries for brand keywords, encountering threats the same way the real users targeted by them do. RiskIQ analyzes each web page observed by virtual users for brand text or logos and leverages machine learning, RiskIQ's own proprietary malware research, third-party blacklist reputation, and other advanced analytics to identify threats leveraging official brands.
Pre-configured templates for reporting violations to hosting providers and registrars of sites via email or API integration allow users to quickly and effectively mitigate impersonation and malicious web content.
Event Management, Mitigation, and Managed Intelligence Services (MIS)
RiskIQ Managed Intelligence Services (MIS) analysts act as an extension of the customer's security organization, helping External Threats customers manage their resources most efficiently and get the most out of RiskIQ's data. MIS analysts use deep knowledge of the RiskIQ platform and domain expertise in brand protection and incident response to triage and, where applicable, mitigate events on the customer's behalf according to the customer's workflow preferences. Typically, MIS analysts provide initial triage of events to remove any false positives, take enforcement actions such as issuing site or content take-down requests in the scenarios where the customer has authorized MIS to act on their behalf, or else pass along true-positive findings for the customer's review and instructions on how to proceed.
RiskIQ provides both a web interface and API access to customers and their support teams to investigate events. The web interface is designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and efficient case management.
For each threat event, customer or RiskIQ MIS users can take the following workflow actions:
- Change the event status:
  - Confirm: Validate the event without sending an enforcement notice
  - Monitor: Automatically alert on any changes in content or behavior of a suspicious event that raise its threat level and could trigger future enforcement
  - Review: Set aside for discussion/review to decide on a proper response
  - Dismiss: Label the event as a false positive
  - Enforce: Generate and send a notice to initiate takedown, content removal, or other types of threat mitigation
- Assign a specific user to manage this event
- Tag an event with a custom label for searching or reporting
- Send an email containing the details of this event to a specified address
- Pivot to PassiveTotal: Search for related infrastructure or intelligence reporting in RiskIQ's threat intelligence portal using the magnifying glass icon next to searchable indicators in the event details
- Add to Inventory: Claim a website, domain name, mobile app, or social profile as legitimate infrastructure owned by the customer organization (available if a customer is also a user of RiskIQ Digital Footprint)
Continuous monitoring of online resources lets users know when threats have been successfully remediated. RiskIQ’s post-resolution monitoring automatically re-opens events and alerts users to any tenacious threats posing a recurring risk to the organization.
Enforcement actions are typically performed according to built-in workflow to auto-generate emails or other communications to the relevant parties using information derived from the event populated into a template. RiskIQ MIS provides recommended enforcement language and templates, including follow-up and escalation paths, but templates and procedures can also be customized according to the preferences of the customer and/or their legal department.
RiskIQ provides robust reporting options including pre-made standard reports as well as customizable dashboards, email alerts, data exports, webhooks, APIs, and integrations with popular SIEM and other tools to extract and interact with our data. Schedulable PDF reports also provide External Threat Management program performance metrics related to event detection, management, and enforcement over time.
Add-Ons & Related Services
External Threats - Advanced
The External Threats - Advanced add-on enables organizations to adapt the broad capabilities of the RiskIQ platform and the expertise of RiskIQ Solutions Architect and Managed Intelligence Services (MIS) teams to automate detection and monitoring for use-cases that require a deeper understanding of the business to identify and respond to appropriately, including:
- Data Leakage: Search a broad range of known sources for compromised data (e.g. Pastebin, GitHub, SlideShare, forums, and blogs), along with source-agnostic searches, to detect stolen customer data, such as credit card numbers, or leaked company data, including employee emails or source code, being posted in the open, offered for sale, or otherwise made available to third parties outside the organization.
- Trademark Infringement: Detect and mitigate web content misusing brand logos or other trademarks and associating them with illegal or offensive content, including malware, pornography, liquor, tobacco, weapons, drugs, or gambling. Mitigation requires a representative trademark chart and description of the tarnishment relevant to the Internet presence location, as well as customer approval after performing a fair-use analysis.
- Executive Social Impersonation: Monitor major social networks for social profiles impersonating specific individuals, such as executives or other VIPs in your organization.
- Executive PII Exposure: Monitor for exposed personally identifiable information regarding highly-sensitive-access individuals that pose a security risk to the individuals and the companies in which they work. See Executive PII Exposure for additional details.
- Custom Detection: Other use-cases can be supported if the technical aspects and services/support workflow are mutually agreed upon by both the customer and RiskIQ. Ask your RiskIQ Solutions Architect about any potential custom use-cases.
Use of External Threats - Advanced requires a concurrent subscription to External Threats. Monitoring and detection are limited to threats targeting the customer organization and its subsidiaries as defined for RiskIQ External Threats coverage.
External Threats - Deep and Dark Web
The External Threats - Deep and Dark Web add-on provides customers visibility into mentions of their company names or other keywords of interest on the deep and dark web. Data is sourced via Flashpoint, a RiskIQ partner organization specializing in monitoring the deep and dark web, and sent to the RiskIQ platform so that it can be viewed side-by-side with threats on the open web. Viewing different pieces of the puzzle together enables organizations to draw additional insights from connections in the data and track a threat from planning and discussion stages in forums to the actions taken and infrastructure used on the open web to launch the attack.
This add-on is available for free to mutual customers of RiskIQ and Flashpoint with an existing valid Flashpoint API key. API access can be purchased through RiskIQ, provided the customer has not terminated a contract with Flashpoint within the last 12 months.
Incident, Investigation, and Intelligence (I3) services augment best-in-class technology with expert human analysis from former national security and intelligence officers and trained analysts, acting as force-multipliers to maximize the value customers get from their investment in RiskIQ.
- Advanced Investigations
- Analyst on Demand
- Dispute Resolution Proceedings (DRP)
- Risk & Vulnerability Reports (RVR)
RiskIQ Threat Desk is a package of software and services delivered by a dedicated team of experienced analysts who work as an extension of the customer’s in-house cyber and physical security teams. Led by former U.S. government intelligence analysts, each Threat Desk provides dedicated service and support, including monitoring, threat attribution, incident investigation, counter-intelligence assessments, deep and dark web (DDW) research, and finished intelligence products. Built first and foremost to be flexible, the Threat Desk adapts to each customer’s specific needs, e.g. 24/7 threat alerts, rapid response, and crisis mitigation.