RiskIQ External Threats automates the detection, monitoring, and remediation of fraudulent websites, domains, social profiles, and mobile apps impersonating an organization.
As businesses evolve and move more processes and interactions online, cyber-criminals exploit digital channels to launch new types of attacks. The RiskIQ platform enables security and anti-fraud teams to effectively manage Internet threats, including phishing, domain infringement, rogue mobile apps, social media impersonation, and brand-lure malware impacting their organization and its customers.
External Threats leverages information about an organization's legitimate digital presence to inform detection configuration and pricing. Licensing tiers are based on the approximate number of unique hostnames under management, which indicates the likely volume of threats targeting the organization's brands. External Threats is an all-in-one package with RiskIQ Managed Intelligence Services. It includes acting as an extension of your team, tuning workspace configurations, and assisting with alert triage and mitigation efforts.
Threat Detection
RiskIQ leverages its Internet intelligence datasets and proprietary virtual user technology to automate and streamline the detection and monitoring of threats over time. Virtual users closely simulate human Internet users in the ways they discover, analyze, and interact with web content to uncover previously unknown threats targeting specific user demographics and circumvent cloaking techniques used by criminals to evade detection. RiskIQ enriches the observations captured by virtual users with the full RiskIQ platform's intelligence, including the knowledge of what legitimate assets the organization has and what they look like to contextualize risks and prevent false positives.
When threats are detected, RiskIQ automatically creates alerts in the form of events within the platform and schedules virtual users to re-examine the threat resource at scheduled intervals to observe changes over time and track the entire lifecycle of a threat.
RiskIQ’s vast Virtual User network includes:
- A diversified bank of IP addresses from hundreds of geographic locations
- All major browsers, both desktop and mobile
- Algorithms to initiate crawlers from configurable search queries, API integrations, or on specific pages and follow links to simulate referred traffic
- Algorithms to simulate clicking through a page as an intentioned user would rather than a bot systematically or randomly clicking links
- The ability to extract, normalize and target key attributes from social media profiles and mobile app store pages
Full records of virtual user sessions, including screenshots, the captured document object model of each page, and the preserved sequence of links and redirects, provide the technical basis of RiskIQ's detection capabilities. Layers of analytics are automatically applied on top of these records to classify each threat and enrich the data with additional insights that determine the appropriate response.
Threat Event-Types
Phish
External Threats provides detection and workflow for mitigating phishing sites that are impersonating an organization to phish their users, customers, prospects, or partners via the use of one of their brands.
RiskIQ ingests suspected phishing URLs from a broad range of sources, including third-party blacklists, an organization’s internal or external abuse boxes, web server referrer logs, and DMARC data, as well as any customer submissions to streamline detection, review, and mitigation of phish. Phishing simulation campaign URLs are excluded automatically from threat analysis through integrations with popular phishing awareness training products. Machine learning algorithms intelligently sort phishing pages from legitimate sites, automatically validating the vast majority of phish and leaving a small fraction, if any, left for human review. Full crawl metadata and user sessions are recorded as forensic evidence.
Integrations with Google Safe Browsing and Microsoft SmartScreen automatically submit phish for browser blocking covering 98% of Internet users, and pre-configured templates generate and send takedown notices for phishing sites via email, web form, or API integrations. Together these dramatically reduce mean time to mitigation and the overall lifetime of phish.
Domain Infringement
External Threats detects and monitors suspicious domain and subdomain names that contain, or are confusingly similar to, an organization's official domains and brand names.
RiskIQ analyzes Whois registrations and passive DNS data to identify newly created third-party-owned domain names and subdomain names exploiting brand names. Domains are analyzed for similarity to official asset domains via a proprietary algorithm developed by the RiskIQ data science team, as well as for homographic similarity and Punycode obfuscation and by regular expression matching, to optimize accuracy and detection coverage.
Automatic analysis of the domain's threat level, including any web content hosted on the domain, the domain's capability to send or receive email, related infrastructure, and detection of Whois and DNS changes, allows users to quickly identify high-priority threats and determine the proper response and mitigation strategy using pre-configured templates and built-in workflow.
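The three checks named above (similarity to official domains, homoglyph/Punycode lookalikes, and brand-keyword regex matching) can be illustrated with a small defensive triage script. The following is an added example, not RiskIQ's proprietary algorithm or any code from the RiskIQ platform; the official domain list, brand tokens, homoglyph table and public-suffix list are constructed assumptions, and the candidate hostnames are constructed samples. Punycode decoding uses Python's standard `idna` codec.

```python
import re
import unicodedata

# Constructed assumptions: the organization's official domains and brand tokens.
OFFICIAL_DOMAINS = ["examplebank.com", "examplebank.co.uk"]
BRAND_TOKENS = ["examplebank", "example-bank"]

# Constructed, deliberately small homoglyph table (Cyrillic lookalikes, digit
# lookalikes, and two-letter pairs that render like a single letter). A real
# deployment would use a full Unicode confusables list.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0131": "i",
    "0": "o", "1": "l", "3": "e", "5": "s",
}

# Constructed stand-in for a public-suffix list.
SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk"}


def decode_punycode(host):
    """Turn an ACE (xn--) hostname into its Unicode form; pass others through."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or malformed Punycode
        return host


def fold_homoglyphs(host):
    """Map confusable characters to the ASCII letters they imitate."""
    for src in sorted(HOMOGLYPHS, key=len, reverse=True):  # multi-char pairs first
        host = host.replace(src, HOMOGLYPHS[src])
    return host


def registrable_name(host):
    """Label immediately left of the (constructed) public suffix."""
    labels = host.split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return labels[-n - 1]
    return labels[0]


def levenshtein(a, b):
    """Classic edit distance, used to score near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_domain(candidate, official_domains=OFFICIAL_DOMAINS, brand_tokens=BRAND_TOKENS):
    """Classify a hostname as official, suspicious (with reasons), or unrelated."""
    decoded = unicodedata.normalize("NFKC", decode_punycode(candidate)).lower().rstrip(".")
    if any(decoded == o or decoded.endswith("." + o) for o in official_domains):
        return {"host": candidate, "decoded": decoded, "verdict": "official", "reasons": []}

    folded = fold_homoglyphs(decoded)
    name = registrable_name(folded)
    reasons = []
    for official in official_domains:
        official_folded = fold_homoglyphs(official)
        if folded == official_folded or folded.endswith("." + official_folded):
            reasons.append(f"homoglyph/punycode lookalike of {official}")
            continue
        distance = levenshtein(name, registrable_name(official_folded))
        if distance == 0:
            reasons.append(f"same registrable name as {official} under a different suffix")
        elif distance <= 2:
            reasons.append(f"registrable name within edit distance {distance} of {official}")
    for token in brand_tokens:
        if re.search(re.escape(token), folded):
            reasons.append(f"contains brand token '{token}'")
    verdict = "suspicious" if reasons else "unrelated"
    return {"host": candidate, "decoded": decoded, "verdict": verdict, "reasons": reasons}


# Constructed sample candidates; the third is the Punycode form of a hostname
# whose first 'a' is Cyrillic U+0430, generated here rather than hand-typed.
SAMPLE_CANDIDATES = [
    "examplebank.com",
    "www.examplebank.co.uk",
    "ex\u0430mplebank.com".encode("idna").decode("ascii"),
    "examp1ebank.com",
    "examplebank-secure.net",
    "exampelbank.com",
    "github.com",
]


def run_samples():
    """Analyze every constructed candidate; returns {candidate: result}."""
    return {c: analyze_domain(c) for c in SAMPLE_CANDIDATES}


if __name__ == "__main__":
    for host, result in run_samples().items():
        print(f"{host:40} {result['verdict']:10} {'; '.join(result['reasons'])}")
```

The official-domain check runs on the decoded but unfolded hostname so that a homoglyph domain is never mistaken for the real one; folding happens only afterwards, when the question becomes "what is this name trying to look like?". Edit distance is measured on the registrable label alone, since the suffix is where legitimate regional variants (such as `.co.uk`) differ from each other.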
Rogue Mobile App
External Threats provides visibility into an organization's presence throughout the global mobile app ecosystem and identifies unauthorized download locations of official applications, mobile spoofs impersonating or leveraging the organization's brands to commit fraud, and mobile malware targeting the organization's users.
RiskIQ searches hundreds of official and unofficial app store sites worldwide with native-level integrations, including a unique source of "feral app" files found outside of dedicated app stores, to extract app details and download mobile binaries automatically. Analysis of app store attributes, app posting details, and app code and files enables RiskIQ to automatically categorize legitimate app assets and monitor for new version releases, identify old or modified versions of official apps available for download in unauthorized stores, and detect third-party apps posing as official branded apps or otherwise packaged with malware targeting an organization and its users.
Pre-configured templates for reporting violations to contacts at each app store via email or web form integration allow users to quickly and effectively mitigate mobile threats across all stores.
Social
External Threats provides visibility into an organization's presence on all major social networks, including Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest, and workflow to mitigate social media accounts impersonating the organization.
RiskIQ uses a combination of API integrations and unique virtual user technology to search social networks and analyze profile details for unofficial social media accounts claiming to represent customer organizations. Through this analysis, RiskIQ categorizes official social channels, unauthorized social profiles set up by various business units throughout the organization that may be out of compliance with company policies, as well as fake third party social accounts, such as fake customer support channels phishing for customer data, fake job recruiters asking applicants for personal information or job application fees, or social accounts associating a brand with offensive or illegal content.
Pre-configured templates for reporting violations to contacts at each social network via email or web form integration allow users to quickly and effectively mitigate social threats.
Content
External Threats provides detection and workflow for official branding such as product names or logos in web pages delivering malware.
RiskIQ virtual users search for web content using a combination of threat feeds and configured search engine searches for brand keywords to encounter threats the same way real users targeted by them do. RiskIQ analyzes each webpage observed by virtual users for text or logos and leverages machine learning, RiskIQ's own proprietary malware research, third party blacklist reputation, and other advanced analytics to identify the presence of threats leveraging official brands.
Pre-configured templates for reporting violations to hosting providers and registrars of sites via email or API integration allow users to quickly and effectively mitigate impersonation and malicious web content.
Event Management & Mitigation
RiskIQ provides both a web interface and API access to customers and their support teams to submit and investigate detected events. The web interface is designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation.
For each threat event, users can take the following workflow actions:
- Confirm: Validate event without sending an enforcement notice
- Enforce: Generate and send a notice to initiate takedown, content removal, or other types of threat mitigation
- Monitor: Automatically alert on any changes in content or behavior of a suspicious event that raises its threat-level and could trigger future enforcement
- Review: Set aside for discussion/review to decide on a proper response
- Dismiss: Label event as a false positive
- Assign a specific user to manage this event
- Tag an event with a custom label for searching or reporting
- Send the details of this event to a specified email address
Continuous monitoring of online resources lets customers know when threats have been successfully remediated. RiskIQ’s post-resolution monitoring automatically re-opens events and alerts users to any tenacious threats posing a recurring risk to the organization.
Reporting
RiskIQ provides robust reporting options including pre-made as well as customizable dashboards, email alerts, data exports, webhooks, APIs, and integrations with popular SIEM and other tools to extract and interact with our data. Schedulable PDF reports also provide External Threat Management program performance metrics related to event detection, management, and enforcement over time.
Add-Ons & Related Services
External Threats - Advanced
The External Threats - Advanced add-on enables organizations to adapt the broad capabilities of the RiskIQ platform and the expertise of RiskIQ Solutions Architect and Managed Intelligence Services (MIS) teams to automate detection and monitoring for use-cases that require a deeper understanding of the business to identify and respond to appropriately, including:
- Data Leakage: Search a broad range of known sources for compromised data (e.g. Pastebin, GitHub, SlideShare, forums, and blogs), along with source-agnostic searches, to detect stolen customer data, such as credit card numbers, or leaked company data, including employee emails or source code being posted in the open, offered for sale, or otherwise made available to third parties outside the organization.
- Scams: Monitor major social platforms or other sources for MoneyFlipping, giveaway scams, or other forms of financial fraud outside of traditional phishing and report abuse to social networks or site operators as appropriate.
- Trademark Infringement: Detect and mitigate web content misusing brand logos or other trademarks and associating them with illegal or offensive content, including malware, pornography, liquor, tobacco, weapons, drugs, or gambling. Mitigation requires a representative trademark chart and description of the tarnishment relevant to the Internet presence location, as well as customer approval after performing a fair-use analysis.
- Executive Social Impersonation: Monitor major social networks for social profiles impersonating specific individuals, such as executives or other VIPs in your organization.
- Executive PII Exposure: Monitor for exposed personally identifiable information regarding highly-sensitive-access individuals that pose a security risk to the individuals and the companies in which they work. All customer-provided data and events detected by RiskIQ concerning Executive PII Exposure are securely stored in a PCI-compliant environment isolated from the rest of RiskIQ's products and functions and accessible only to authorized RiskIQ employees.
- Custom Detection: Other use-cases can be supported if the technical aspects and services/support workflow are mutually agreed upon by both the customer and RiskIQ. Ask your RiskIQ Solutions Architect about any potential custom use-cases.
Use of External Threats - Advanced requires a concurrent subscription to External Threats. Monitoring and detection are limited to threats targeting the customer organization and its subsidiaries as defined for RiskIQ External Threats coverage.
External Threats - Deep and Dark Web
The External Threats - Deep and Dark Web add-on provides customers visibility into mentions of their company names or other keywords of interest on the deep and dark web. Data is sourced via Flashpoint, a RiskIQ partner organization specializing in monitoring the deep and dark web, and sent to the RiskIQ platform so that it can be viewed side-by-side with threats on the open web. Viewing different pieces of the puzzle together enables organizations to draw additional insights from connections in the data and track a threat from planning and discussion stages in forums to the actions taken and infrastructure used on the open web to launch the attack.
This add-on is available for free to mutual customers of RiskIQ and Flashpoint with an existing valid Flashpoint API key. API access can be purchased through RiskIQ, provided the customer has not terminated a contract with Flashpoint within the last 12 months.
I3 - Advanced Investigations
RiskIQ knows its data best, but RiskIQ customers know which investigations are most impactful to them. Advanced Investigations allows customers to submit requests for information (RFIs), tasking RiskIQ analysts to undertake a deeper investigation in efforts to uncover threats and threat actors using RiskIQ data in combination with OSINT and/or hand-selected third-party platforms, depending on the requested topic. In some cases, these investigations can be anonymized and leveraged to educate on various threats or analytical methodologies.
A yearly Advanced Investigations subscription provides an organization 1 RFI "Token" per calendar month. Each "Token" represents up to 4.5 hours of I3 Advanced Investigation Services devoted to the specific projects the customer requests. To redeem a Token, the customer and RiskIQ shall agree in writing on the deliverable and completion of the services performed for each Token.
I3 - Dispute Resolution Proceedings (DRP)
DRPs allow customers to elect remedies to protect top-level domain names, including domain transfer, deletion, suspension, or cancellation. The remedies provided by each DRP are governed by the applicable policies, domain registration agreements and/or mechanisms of each domain. RiskIQ DRPs are administrative proceedings where the customer has appointed RiskIQ as an authorized representative of the customer pursuant to a Letter of Authority signed by the customer.