Defacement Events

Defacement events are available to customers who have purchased RiskIQ Enterprise Digital Footprint (view product description). They alert customers to any sites within their inventory that have been defaced by hackers.

When a defaced site is found, a Defacement event is created in the workspace which can be viewed in the the events dashboard and events list inside the RiskIQ web application, in an email alert, or via the RiskIQ events API.

Outlined below are tips on:

  1. How to read and interpret the information presented in a Defacement event
  2. Suggested best practices for Defacement event management, including user workflow and  tagging

Example: a defaced site promoting the hackers' contact information on Facebook


Reading Defacement Events - Field Definitions

Event List Item

This is how Defacement events are represented in the Events section of the RiskIQ web application. Clicking on a list item brings up details for the event and user-initiated workflow actions. 

  • Event-Type: What kind of event it is.
  • Active: Defacement events are considered active if the page is live (has a 200 response code) and triggers the defacement policy.
  • Status: current status of the event.
  • Domain: the domain of the web page associated to the event.
  • First Seen: date the event was generated.
  • Active For: (if applicable) how much time has passed between the first and most recent crawl of this page where the violation was active. 
  • Tags (if any have been applied)

Event Header

At the top of each event's details is a header containing high-level information, as well as workflow actions.



  • Status: current event status and the ability to change the status of this event.
  • Tags: Tags applied to this event and the ability to add or remove tags (if any tags are configured for this event-type).
  • Owner: current event owner responsible for reviewing or tracking the event and the ability to assign a new owner for this event. 
  • Priority: current event priority and the ability to assign a new priority for this event.
  • Email Event Details (via envelope icon at top right)

Summary Tab

The Summary provides screenshots of the first and most recent crawls of the page and other information for assessing the event and deciding how to act on it. The Summary tab is organized into multiple sections:

ATTRIBUTES

  • Alexa: degree of web traffic indicated by the site’s Alexa rank (High = Top 1,000, Medium = Top 10,000, Low = 10,000+).
  • Asset:  Website Asset associated to this event.
  • Cause: Type(s) of detection that labeled this page as defaced (Similarity to Known Defacement orThreat Words)

HISTORY

  • Timeline of changes made to the event with the date, time, and name of the user who took each action, including:
    • Status changes 
    • Emails sent (with recipients)
    • Notes added
    • Tags added/removed

Site Details

This section provides more information about the website associated to this event beyond what is shown in the summary tab, including:

  • CName
  • Nameserver Information
  • ASN Information
  • Metro Code Information
  • Alexa Category and Exact Rank
  • Full WhoIs Record
  • Full IP WhoIs Record
  • Host Details
  • SSL Information
  • File Information

Classify Tab

This section details what about the page was flagged by the RiskIQ system in relation to the hacking classifier or the machine-learning-based, RiskIQ Minhash Defacement Classifier.


Crawls Tab

This section houses information on each instance this page was analyzed by RiskIQ. Users can select from any of the times that RiskIQ analyzed the page associated to this event to see details about the virtual user's interaction with the event page and user session overall at that point in time (a red arrow next to the timestamp indicates, active, while grey signals inactive).


Details provided about the crawl include: 

  • An overview providing metadata on the crawl and the screenshot taken by the virtual user
    • Date and time
    • Initial URL where the virtual user began the crawl
    • Browser used
    • Geographic location of the virtual user
    • Total number of pages visited during the user session
    • Total number of pages visited that returned error messages
    • URL of the event page
    • IP address
    • Response code and message returned by the event page
    • Page Content-type
    • Page Content length
    • Page response time
    • Window name
  • The original HTML response of the page
  • The rendered document object model after the page loaded in the user's browser
  • Files
  • Cookies
  • Links
  • Headers


Managing Defacement Events - User Review Decision Workflow and Tagging Best Practices

  • Green represents steps taken automatically by the RiskIQ system
  • Pink represents steps taken by a human user
  • Blue represents a status and/or tag label




Tag Set

(Custom--there is typically no need to use tags for Defacement events, but custom labels can be made as needed)

Monitoring and Resolution

  • Defacement events are re-crawled roughly every 48 hours. Additional samples can occur outside of this schedule based on normal/non-monitoring-related virtual user activity (if, for example the same pages also show up in searches for new pages). 
    • Monitoring times are somewhat rough--to balance load across the entire system, so crawls may be slightly advanced or delayed to prevent road spikes.
  • Upon the first inactive sample of an event, an additional crawl will be scheduled 12 hours later to confirm whether it should resolve or the first crawl was an anomaly
  • An event will automatically resolve after 2 consecutive inactive samples and at least 1 hour of continuous inactive time.
  • Events change from Resolved to Tenacious if the next crawl is found to be active.