RiskIQ virtual users closely simulate human Internet users in the ways they interact with web content and capture everything that a human user sees as well as what the browser sees happening behind the scenes in order to provide a 360-degree record of any observed threat activity. For high-value target sites, virtual users will visit a site as often as every couple of hours. Whenever a virtual user crawl completes, RiskIQ analyzes the observed data for malicious or suspicious activity, noting all newly added or changed resources, as well as checking for any threat indicators based on either RiskIQ's proprietary malware research or third-party blacklists in the site.
- Blacklist host reputation
- Newly added or changed resource URL or content uses a bare IP address
- Newly added or changed resource URL or content uses a non-standard/new gTLD
- Newly added or changed resource URL or content uses a newly registered / observed domain or hostname
- Newly added or changed resource hash does not match expected SRI hash
Full records of virtual user sessions, including screenshots, user agent metadata, the captured document object model of each page, and preserved sequence of links and redirects provide the technical basis of RiskIQ's detection capabilities, upon which layers of analytics are automatically applied in order to classify each threat and enrich data with additional insights to determine the appropriate response.
Alerting & Threat Management Workflow
RiskIQ provides a web interface, email alerts, and API access to customers and their support teams to view and investigate events. Events are designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation.
Users can take the following workflow actions via either UI or API:
- Confirm: Validate event as a true positive
- Enforce: Note that action has already been taken to correct the problem
- Review: Set aside for discussion/review to get feedback and decide on the proper response
- Dismiss: Label event as a false positive
- Assign: Make a specific user the owner in charge of managing this event
- Tag: Add a customizable label to an event for searching or reporting
- Email: Send the details of an event to a specified email address (recipient need not have a RiskIQ user account)
- Note: Annotate an event with additional context or details
RiskIQ provides live dashboards, CSV data exports, and an API and integrations with popular SIEM and other tools to extract and interact with our data.
RiskIQ will configure crawl infrastructure to follow a specific website path, based on Customer and website specific information, such as dummy/sample customer login, adding products to the shopping cart, and/or making a payment using Customer provided (test) credit card details;
RiskIQ crawlers will follow this path at least once per day;
RiskIQ will work with the Customer to define the specific details of the Journey; and
RiskIQ will make up to twelve (12) changes to the initial defined User Journey, based on changes to the website/path during the yearly Subscription Term.
It should be noted that each User Journey is custom configured, if the website or journey changes, the Customer will need to inform RiskIQ of all changes so RiskIQ can implement the same for crawls to continue.