As businesses adapt to a changing digital landscape, more customer-facing and business operations are moving from behind the protection of firewalls to the open Internet. This has dramatically increased the attack surface available to attackers. Rather than originating inside the data center, from compromised systems and applications, today's threats increasingly arrive through external channels such as public-facing websites, mobile applications, and social media networks, where traditional security tools provide little or no visibility or protection.
Defending your organization, customers, and employees in this new environment poses a tremendous technical challenge:
- How do you protect or monitor what you don't know about?
- How do you go about discovering the "unknown unknowns" that could hurt you?
Adapting to this fundamental shift in attack tactics, and answering these questions, requires a new kind of security tool, a Digital Threat Management tool, that provides for assets on the open Internet the visibility and management capabilities that agents and firewalls provide for assets on the organization's internal network.
How does RiskIQ help?
RiskIQ was founded with the goal of developing the world's first Digital Threat Management platform and providing a new cornerstone of security capable of addressing threats outside the firewall. The platform is purpose-built to solve the security challenges of detecting and responding to Digital Threats through unique technology and a forward-looking approach.
The basic tenets of Digital Threat Management are as follows:
1. Discovery and Detection: You can't protect what you can't see.
Your organization's digital presence is constantly changing due to a number of factors:
- Day-to-day activities of various teams spread across geographic locations and business units within your company
- Partners, vendors, and third-party web components you work with
- Mergers and acquisitions
- Third-party actors impersonating you or otherwise referencing your brand without authorization
Keeping up with the demands of a modern business brings these effects, but it also creates blind spots in the form of shadow IT: web, mobile, or social media properties that belong to your organization but are unknown to, and unmanaged by, your security, compliance, and IT teams. Even within known properties, content loaded dynamically by third-party code creates further blind spots that attackers can exploit: executing that code drastically changes how an asset appears to the end user who loads it from the outside compared with how your security team sees it from within. To defend yourself and your users, you need to eliminate these blind spots and see what your attackers and their intended victims see.
RiskIQ automatically discovers the external-facing websites, web infrastructure, mobile applications, and social media profiles that your organization owns, both known and unknown, and continuously monitors them from the outside looking in. An accurate view of your Internet-exposed attack surface as it appears to attackers at any given time lets you bring previously unknown assets under management and reduce risk within the set of things you own. It is also crucial for quickly detecting and responding to threats from third-party infrastructure: knowing what IS yours also clearly identifies what is NOT yours, and what may instead be a rogue actor targeting your organization, your employees, or your customers.
2. Automation and Scalability: Digital threats scale massively; your defenses must as well.
The same technological advances that empower all Internet users, and that have powered the rise of legitimate Internet services and businesses, also enable cyber-crime to thrive at unprecedented scale and attack velocity. For several reasons, it has never been easier for criminals to launch attacks from outside the firewall:
- Attackers have easy access to the raw materials for launching attacks (new domain names, websites, mobile apps, and social media accounts) en masse, at little or no cost, and with relative anonymity
- Criminal ecosystems have matured: there are now established black markets and specialization of labor at each stage of the attack production and value chain to distribute risk across multiple parties, increase profitability, and reduce the level of technical skill required to carry out sophisticated attacks
- Organizations spend the vast majority of their security budgets and effort protecting the network, often leaving large, unprotected blind spots outside the firewall. This creates a profitable path of least resistance for attackers, who never need to face the organization's defenses at their strongest points, and it renders the extra measures protecting the internal network largely superfluous: another lock on the front door while the back window is wide open
The open Internet offers vast spaces for criminals to conceal their activities by blending into the surrounding scenery. However, by leveraging the power of big data and advanced detection methods, RiskIQ illuminates those dark spaces--crawling the Internet and aggregating data on a massive scale--to give customers the ability to detect threats that exist in their digital footprint as well as map out the attack infrastructure of their adversaries, leaving the bad guys with nowhere to hide.
3. Covert Data Collection: Observing criminals "in the wild" requires remaining invisible to attackers.
Criminals have advanced techniques for targeting their intended victims based on factors such as the browser and device being used, where in the world the user is located, and where the user was referred from. These factors, among others, can be used to hide malicious activity by serving malicious behavior only to certain users while appearing harmless to everyone else, including users connected to law enforcement agencies or security companies, or who are otherwise not valid targets for the attacker's purpose. Moreover, when attackers suspect that threat researchers have discovered their infrastructure despite attempts to conceal it, they are likely to abandon it and continue their activities elsewhere, undermining the work put into discovering and tracking the original threat. Attackers can be tipped off that someone is on to them by observing, for example, traffic to their websites that does not appear to come from a victim (such as requests from an address range belonging to a security vendor) or that arrives from a referring source they do not recognize.
RiskIQ uses covert data collection methods in order to remain invisible to attackers and bypass attackers' obfuscation methods. Two important examples of this include:
- Passive DNS
- Virtual User Crawls
Passive DNS (pDNS) provides a historical repository of DNS data for a portion of the Internet, enabling analysts to see how a particular domain name's resolutions have changed over time and to identify related domains and IP addresses. The data is gathered by installing a sensor on a network, typically beside a recursive resolver, and configuring it to record the DNS answers it observes as they happen: which name resolved to which record, and when that answer was first and last seen. Note that the sensor records only DNS traffic that crosses the network it sits on, not the entire Internet, so the absence of a record is not evidence that a name never resolved. Note also that, as the name 'passive' suggests, this observation sends no query to the attacker's nameservers and gives them no discernible signal that they are being observed. It can be thought of as akin to reviewing security camera footage to see whether a suspect was filmed at the scene of a crime.
RiskIQ's virtual users closely emulate the behavior and attributes of real users, the intended victims targeted by attackers, in order to analyze web content. Appearing to be the right kind of user is crucial for getting past attackers' selection and targeting methods based on user attributes and for observing malicious behavior that less sophisticated crawling and emulation could not see. Virtual user crawls can be thought of as comparable to a 'sting operation' that uses undercover agents to catch criminals in the act.
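As an added example, not RiskIQ's code or data, the following Python builds the kind of index that a passive DNS sensor feeds, from a constructed set of observed answers, and pivots on it in both directions: what a name resolved to over time, what else resolved to the same address, and which of those neighbors are not in the asset inventory (the "knowing what is yours identifies what is not yours" point from the Discovery tenet above). The log lines, look-alike domains and addresses are invented for the example; example.com and the 192.0.2.0/24 and 198.51.100.0/24 ranges are reserved for documentation.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class ResolutionSpan:
    """One observed (name -> answer) pair and the window in which the sensor saw it."""
    rrtype: str
    rdata: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1


class PassiveDnsIndex:
    """Forward (name -> answers) and reverse (answer -> names) index built only
    from DNS answers a sensor observed. Nothing here sends a query, so building
    or searching the index never touches an attacker's nameserver."""

    def __init__(self) -> None:
        self._forward: Dict[str, Dict[Tuple[str, str], ResolutionSpan]] = defaultdict(dict)
        self._reverse: Dict[str, Set[str]] = defaultdict(set)

    def record(self, seen: datetime, name: str, rrtype: str, rdata: str) -> None:
        name = name.lower().rstrip(".")
        rdata = rdata.lower().rstrip(".")
        rrtype = rrtype.upper()
        span = self._forward[name].get((rrtype, rdata))
        if span is None:
            self._forward[name][(rrtype, rdata)] = ResolutionSpan(rrtype, rdata, seen, seen)
        else:
            span.first_seen = min(span.first_seen, seen)
            span.last_seen = max(span.last_seen, seen)
            span.count += 1
        self._reverse[rdata].add(name)

    def resolutions(self, name: str) -> List[ResolutionSpan]:
        """What `name` has resolved to over time, oldest first."""
        spans = self._forward.get(name.lower().rstrip("."), {}).values()
        return sorted(spans, key=lambda s: (s.first_seen, s.rrtype, s.rdata))

    def names_for(self, rdata: str) -> Set[str]:
        """Reverse pivot: every name observed resolving to this IP or target."""
        return set(self._reverse.get(rdata.lower().rstrip("."), ()))

    def related(self, name: str, rrtypes: Iterable[str] = ("A", "AAAA", "CNAME")) -> Set[str]:
        """One-hop pivot: other names that shared an answer of the given types with `name`."""
        wanted = {t.upper() for t in rrtypes}
        out: Set[str] = set()
        for span in self.resolutions(name):
            if span.rrtype in wanted:
                out |= self.names_for(span.rdata)
        out.discard(name.lower().rstrip("."))
        return out


def unknown_neighbors(index: PassiveDnsIndex, rdata: str, known_assets: Iterable[str]) -> Set[str]:
    """Names co-hosted with your infrastructure that are not in your asset inventory:
    candidates for shadow IT or for rogue infrastructure impersonating you."""
    return index.names_for(rdata) - {a.lower().rstrip(".") for a in known_assets}


# Constructed sample of what a sensor beside a recursive resolver would log:
# (timestamp, query name, record type, answer). All names and addresses are
# invented or reserved for documentation; none refer to real infrastructure.
SAMPLE_LOG = [
    ("2023-01-05T10:00:00", "www.example.com", "A", "192.0.2.10"),
    ("2023-03-12T08:30:00", "www.example.com", "A", "192.0.2.10"),
    ("2023-06-01T09:15:00", "www.example.com", "A", "198.51.100.7"),    # moved to new hosting
    ("2023-06-02T11:45:00", "login.example.com", "A", "198.51.100.7"),
    ("2023-06-03T12:00:00", "example-login.net", "A", "198.51.100.7"),   # not in inventory
    ("2023-06-03T12:05:00", "secure-examp1e.com", "A", "198.51.100.7"),  # not in inventory
    ("2023-06-04T13:00:00", "secure-examp1e.com", "NS", "ns1.bulkdns.invalid"),
]

KNOWN_ASSETS = {"www.example.com", "login.example.com"}  # assumed asset inventory


def build_sample_index() -> PassiveDnsIndex:
    idx = PassiveDnsIndex()
    for ts, name, rrtype, rdata in SAMPLE_LOG:
        idx.record(datetime.fromisoformat(ts), name, rrtype, rdata)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    for s in idx.resolutions("www.example.com"):
        print(f"www.example.com {s.rrtype} {s.rdata}  {s.first_seen:%Y-%m-%d} .. {s.last_seen:%Y-%m-%d} (x{s.count})")
    print("co-hosted on 198.51.100.7:", sorted(idx.names_for("198.51.100.7")))
    print("not in inventory:", sorted(unknown_neighbors(idx, "198.51.100.7", KNOWN_ASSETS)))
    # Caveat: the sensor only sees what its own network resolved. A name missing
    # here may simply never have been queried through this vantage point.
```

The reverse pivot is only as selective as the address it starts from: on a shared host or CDN edge, `names_for` returns hundreds of unrelated tenants, so in practice a neighbor is worth flagging when it also shares something narrower with your assets (a nameserver, a certificate, a tracking ID) or when its name looks like yours, which is the "data without context is just noise" point made later on this page.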
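As an added example, not code from RiskIQ, here is the differential crawl that underlies a virtual user crawl, in Python: the same URL is fetched under a generic crawler profile and under a profile that mimics the lured victim (mobile browser, campaign referrer, target country), and the two responses are compared. The cloaking server, the ads.example.net referrer and the secure-examp1e.com form target are constructed stand-ins so the example runs offline; a real crawl would also have to render the page and execute its scripts, since the payload often appears only after third-party code runs.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set
from urllib.parse import urlparse


@dataclass(frozen=True)
class ClientProfile:
    """Attributes a server can observe about a visitor and key its cloaking on."""
    name: str
    user_agent: str
    accept_language: str
    referer: str
    country: str  # what the server would derive from the egress IP via GeoIP


# Constructed stand-in for an attacker's cloaking logic. On a real campaign this
# runs server-side; it is inlined here only so the example runs without a network.
def cloaked_server(p: ClientProfile) -> str:
    ua = p.user_agent.lower()
    looks_automated = any(t in ua for t in ("bot", "crawl", "spider", "python-requests", "curl"))
    is_mobile = "android" in ua or "iphone" in ua
    came_from_campaign = p.referer.startswith("https://ads.example.net/")
    in_target_geo = p.country in {"US", "CA"}
    if is_mobile and came_from_campaign and in_target_geo and not looks_automated:
        return ("<html><body><h1>Account locked</h1>"
                "<form action='https://secure-examp1e.com/verify' method='post'>"
                "<input name='user'><input name='pass' type='password'></form>"
                "</body></html>")
    return "<html><body><p>Coming soon.</p></body></html>"


def honest_server(p: ClientProfile) -> str:
    """Control case: a page that serves everyone the same content."""
    return "<html><body><p>Coming soon.</p></body></html>"


GENERIC_CRAWLER = ClientProfile(
    name="generic-crawler",
    user_agent="python-requests/2.31.0",
    accept_language="en",
    referer="",
    country="DE",
)

# Assumed victim: an Android user in the US who clicked a malvertising link.
VIRTUAL_VICTIM = ClientProfile(
    name="virtual-victim",
    user_agent="Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36",
    accept_language="en-US,en;q=0.9",
    referer="https://ads.example.net/click?cid=1234",
    country="US",
)

FORM_ACTION = re.compile(r"<form[^>]*\baction=['\"]([^'\"]+)['\"]", re.IGNORECASE)


def form_hosts(html: str) -> Set[str]:
    """Hosts that forms on the page submit to; a credential-harvesting indicator."""
    hosts = {urlparse(u).hostname for u in FORM_ACTION.findall(html)}
    return {h for h in hosts if h}


def differential_crawl(server: Callable[[ClientProfile], str],
                       profiles: List[ClientProfile]) -> Dict[str, object]:
    """Fetch the page once per profile and compare every view against the first
    (baseline) profile. Cloaking is inferred from any difference; hosts that
    only appear in the emulated-victim views are reported as hidden indicators."""
    views = {p.name: server(p) for p in profiles}
    baseline = views[profiles[0].name]
    hidden: Set[str] = set()
    for p in profiles[1:]:
        hidden |= form_hosts(views[p.name]) - form_hosts(baseline)
    return {
        "cloaked": any(v != baseline for v in views.values()),
        "hidden_form_hosts": hidden,
        "views": views,
    }


if __name__ == "__main__":
    verdict = differential_crawl(cloaked_server, [GENERIC_CRAWLER, VIRTUAL_VICTIM])
    print("cloaked:", verdict["cloaked"])
    print("form hosts hidden from the generic crawler:", sorted(verdict["hidden_form_hosts"]))
```

The `country` field stands in for what the server infers from the source address, and no request header can override that: a crawl from a security vendor's known ranges fails the geo and "not a victim" checks regardless of how convincing its User-Agent is. That is why covert, victim-like egress is part of the technique, not just browser emulation.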
4. Holistic View and Advanced Analytics: Data without context is just noise.
The data needed to find, stop, and prevent attacks outside the firewall exists; the problem lies in the vast amount of it that must be sorted, classified, and monitored over time to provide a comprehensive, actionable picture.
Alerts without context across multiple data sets give security teams no direction or meaningful way to reduce risk; analysts are still searching for needles in haystacks. Threat actors are skilled at covering their tracks, masking and changing their infrastructure to avoid detection and carrying out attacks across digital channels to distribute risk and reach large numbers of Internet users quickly. Similarly, a static snapshot of an attacker's infrastructure, even a relatively complete one, leaves security teams permanently on the defensive, reacting to the moving targets they investigate.
RiskIQ brings together key data sets and leverages automation to keep pace with the shifting threat landscape. Correlating threat data extracted from a broad set of data sources in and across the web, mobile, and social digital channels reveals the true risk posed to the organization by a single piece of infrastructure and how it is being used within a larger context, rather than simply presenting an individual piece of the puzzle in isolation. PassiveTotal simplifies the threat investigation process, provides analysts access to a consolidated platform of data necessary to accurately understand, triage, and address security events, and tracks and alerts on changes in threat infrastructure in order to predict new attack vectors as they emerge.
Where does Digital Threat Management fit in my security program?
Digital Threat Management platforms fulfill a unique function that complements and enhances the other tools in your security stack: they let you integrate visibility into your organization's full digital presence (known, unknown, and rogue) with the data and capabilities of traditional security tools, including SIEMs, firewalls, endpoint security solutions, web proxies, email gateways, and vulnerability scanners, as well as non-security tools such as GRC platforms.