Glossary

A

A Record

Mainly for mapping hostnames to a host IP address (IPv4).

Adware

A form of software that downloads or displays unwanted ads when a user is online, collects marketing data and other information without the user’s knowledge, or redirects search requests to certain advertising websites.

Affiliate

An app store that does not offer direct downloads of applications, but directs visitors to Official App Stores to get the download. Affiliates make money by advertising to people who visit their site, and sometimes by getting a small percentage of apps purchased through their referrals.

Android Application Package (APK)

The package file format used by the Android operating system for distribution and installation of mobile apps and middleware. Such files carry the .apk extension.

App Permissions

App permissions are declarations to the device of what permissions the application needs in order to operate.

Application Id

A unique identifier for Apple apps at a mobile app store, which serves a similar function as a package name for the Android platform except that instead it is represented as a number. In iTunes, this ID is typically listed in the URL where an app can be downloaded (e.g. itunes.apple.com/us/app/usps/id339597578?). RiskIQ also lists out the application ID in the RiskIQ Mobile database.

Application Program Interface (API)

A set of routines, protocols, and tools for building software applications.  An API specifies how software components should interact and APIs are used when programming graphical user interface (GUI) components.

ASN

An Autonomous System Number is a network identifier used when transporting data on the Internet between Internet routers. An ASN will have associated public IP blocks tied to it where hosts are located.

Attack Surface

The sum of the different points (“attack vectors”) where an unauthorized user can try to enter data into or extract data from an environment. Examples of “attack vectors” include user input fields, protocols, interfaces and services.

B

Botnet

A network of private computers infected with malicious software and controlled as a group without the owners’ knowledge (e.g. to send spam messages).

C

Candidate

A digital asset state that represents a non-confirmed digital asset which is related to the target organization.

CIDR Notation

The representation of an IP block together with its network mask (e.g. 192.168.1.1/24). This is a shortened way to list out a set of contiguous IP addresses.

Classifiers

Classifiers work in conjunction with a RiskIQ policy to generate an event. Each classifier provides a list of allowed fields per target and weighting for a match to a field term or other non-taxonomy factors. Logo classifiers are an example of a non-taxonomy based classifier.

Client Side Coding

Source code is transferred from the web server to the user’s computer over the Internet and run directly in the browser. The processing takes place on the end user’s computer. JavaScript is a client-side scripting language.

CNAME Record

Alias of one hostname to another hostname (think telephone call forwarding).

Content Delivery Network (CDN)

A globally distributed network of proxy servers deployed in multiple data centers.  The goal of a CDN is to serve content to end-users with high availability and high performance.

Content Management System (CMS)

A category of frameworks designed for organizing, categorizing, and structuring information resources such as text, images, documents, audio and video files, so that they can be stored, published, and edited with ease and flexibility. In broad terms, the CMS acts as middleware between the database and the user through the browser. Some common examples of these would be:

Crawl

A generic term used for when a program or script browses the web in a methodical or automated manner. RiskIQ’s Virtual Users crawl the public Internet doing full-page analysis and collection of the client-side document object model (DOM). You may also hear the term spidering, which is roughly synonymous with crawling.

Crawled page

A single interaction in which a RiskIQ virtual user loads one webpage, collects its content and actions, and analyzes the page for event creation.

D

Dark Web

Internet content that exists on darknets, overlay networks which use the public Internet but which require specific software, configurations or authorization to access.  The dark web forms a small part of the “Deep Web”.

Deep Web

Parts of the Internet whose contents are not indexed by standard search engines for any reason.

Denial-of-Service (DoS) Attack

An attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Development Language

This is the programming language the developer used to build a website or component of the site. Some common examples of these would be:

Digital Assets

The generic RiskIQ term for a component that makes up a firm’s digital footprint, i.e. a discrete piece of infrastructure owned by an organization. Digital assets span all digital channels: the Internet, social media, and mobile app stores.

Digital Certificate

Certificates are used to secure the communications between a browser and a web server via Secure Sockets Layer (SSL). This ensures that sensitive data in transit cannot be read, tampered with or forged. They have other uses, but this is the primary use case at RiskIQ.

Discovery

Process by which RiskIQ automatically maps out all of the websites and web infrastructure associated to an organization within that organization’s workspace.  Discovery “sources” and “runs” represent specific searches that return “candidate assets”, or websites and infrastructure that are related to assets known to belong to that company/brand. 

Distributed Denial-of-Service (DDoS) Attack

A type of DoS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system causing a DoS attack.

DNS Record Types

Each record is a mapping in the “digital phone book”. There are several types of entries that serve different purposes. Here are some of the most common you will need to understand:

A Record – Mainly for mapping hostnames to a host IP address (IPv4).

AAAA Record – Maps hostnames to IPv6 addresses.

CNAME Record – Alias of one hostname to another hostname (think telephone call forwarding).

MX Record – Maps a domain name to a list of mail server agents for that domain.

NS Record – Specifies an authoritative name server for a given host or DNS zone. Think of multiple phone books: this tells the computer which book has the listing in it, in order to do the lookup.

PTR Record – Pointer to a canonical name. The most common use is for implementing reverse DNS lookups, IP address to hostname(s).

SOA Record – Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.

Document Object Model (DOM)

A set of rules implemented by the browser client and not part of the HTML or JavaScript. The DOM specifies how a browser application should create the model of an HTML page and how JavaScript can update and access the page contents. RiskIQ collects the DOM and the HTML/JavaScript from a browser via RiskIQ’s Virtual Users.

Domain

A domain name is made up of labels joined by the full stop (dot, period). Domains are read from right to left, starting with the TLD and then the unique domain label.

DomainKeys Identified Mail (DKIM)

DKIM is a signature-based email authentication technique, which provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

Domain Name Registrar

An organization or commercial entity that manages the reservation of Internet domain names.  A domain name registrar must be accredited by a generic top-level domain (gTLD) registry and/or a country code top-level domain (ccTLD) registry. 

Domain Name Servers (DNS)

The service that manages the translation from host name to IP address, or from IP address to host name, so that devices on the Internet can reach the data they want. (Think of a digital corporate directory, but for servers.)

Domain-based Message Authentication, Reporting & Conformance (DMARC)

This is an email authentication protocol, which builds on SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.

E

Event

A RiskIQ Event is a single item that matches or violates the logic defined in the relevant policy and/or classifiers. Events are displayed in the RiskIQ interface under the events tab if properly set up and configured. Events exist across all digital channels and are unified in the same interface tab.

Event Status

New, Dismissed, Review, Confirmed, Enforced, Resolved, Tenacious, and Monitor. More Reading: https://info.riskiq.net/help/event-user-actions

Exploit Kit

Type of malicious toolkit used to exploit (manipulate) security holes found in software applications for the purpose of spreading malware.  These kits come with pre-written exploit (malicious) code and target users running insecure or outdated software applications on their computer.

F

Feral App

A feral app is a RiskIQ term for a loose mobile file that is accessible on the Internet, but is not in a mobile app store that RiskIQ monitors. These feral apps could be on a website, file server, blog, or a small app store that RiskIQ does not directly monitor at this time.

Firewall

A network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules.  A firewall typically establishes a barrier between a trusted, secure internal network and another outside network, such as the Internet, that is assumed not to be secure or trusted.

Framework

Web Application Frameworks allow for easier website development, management and code reuse with common libraries and templates. There are many framework types and models with different strengths and caveats. Some common examples of these would be:

H

Hash

A one-way mathematical process of producing an identification string for a file. RiskIQ hashes mobile apps to determine if there are any changes or differences between two files. There are several hashing algorithms; RiskIQ uses MD5 and SHA1.

Homepage

A “homepage” is the default webpage that is offered up by a webserver when a host is entered into a client browser. Typically, the resource ID will end in “index.htm”.

Host

A host is a unique computer with a Web server (for RiskIQ purposes) that serves the pages for one or more Web sites. Without diving too deep, the host includes the full canonical name (www.domain.com) or a “naked domain” (domain.com). These are two unique hosts since they can be unique web servers.

Host Pairs

Two domains (a parent and a child) that share a connection observed from a RiskIQ web crawl.

Hybrid Appstore

An app store that is both Secondary and Affiliate, meaning that it offers direct downloads from its own site, as well as links users to Official app stores.

I

Internet Corporation for Assigned Names and Numbers (ICANN)

The governing body that contracts with registrars to manage, submit and act on requests for Internet names and numbers.

Internet Service Provider (ISP)

An organization that provides services for accessing and using the Internet.  ISPs may be organized in various forms, such as commercial, community-owned, non-profit, or otherwise privately owned.

Inventory

Tracks and indexes all of the assets that users have confirmed belong to their organization, allowing the client to then monitor the current state, number, and relationships of all of the assets in their workspace.

IP Address

The numerical address that computers use to locate a specific entity on the Internet. It can be represented by a host name so users can find things more easily; Domain Name Servers (DNS) manage the relationship between IP address and host name. The full network protocol is TCP/IP.

IP Network

IP addresses can be grouped into networks. A network is a block of addresses whose computers can talk to each other directly, without the need for a network route. Each computer in the same IP Network can communicate with the others in that network. The network is defined by a subnet mask (e.g. 255.255.0.0). Applying the mask to an IP address tells a computer whether that address is in the same network or not. If not, the traffic is sent to the IP gateway for routing to the proper network.

IPv4

A 32-bit number written as four octets (e.g. 192.168.1.1).

IPv6

A 128-bit number written as eight groups of four hexadecimal digits (e.g. 2001:0db8:0000:0042:0000:8a2e:0370:7334). IPv6 is intended to eventually replace IPv4, but it is a slow process.

K

Keywords

Define the starting point of crawls within specific projects.  They can be search terms to enter into a search network or direct URLs typed in by the virtual users.  Keywords should cast a wide net of potentially relevant results for whatever the project is intending to find that can then be refined with classifiers.

L

Landing page

Landing pages are a particular type of scanned pages that originate as submitted URLs for one-time inspection (typically via the RiskIQ API) as opposed to other means, such as a search engine query, or a crawling project that involves scheduled monitoring of a list of keywords.

Load Balancer

A device that acts as a reverse proxy and distributes network or application traffic across a number of servers.  Load balancers are used to increase capacity (concurrent users) and reliability of applications.

M

Malware

An umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs.  It can take the form of executable code, scripts, active content, and other software.

MX Record

Maps a domain name to a list of mail server agents for that domain.

N

Name Server

A specific server that is providing resolution for a host. There may be multiple name servers that have the record for redundancy.

NS Record

The NS record specifies an authoritative name server for given host or DNS zone. Think of multiple phone books and this tells the computer which book has the listing in it, in order to do the lookup.

O

Official Appstore

The major legitimate app stores which produce their own phone operating system: Google Play, Amazon, Blackberry World, Apple iTunes, Windows Phone.

P

Package Name

A unique identifier for Android apps for a single application, which is used by devices using the Android operating system to determine whether or not an application is installed (you cannot install two apps with the same package name on the same device--the second app would be considered an updated version of the first and replace it). In the Google Play Store, this name is included in the URL where the app can be downloaded (e.g. https://play.google.com/store/apps/details?id=com.wiki.project). By convention, app authors typically make this name reflect their primary website (e.g. org.wikipedia.beta for wikipedia.org) or to contain the company name of the developer or the title of the application somewhere within it, but do not necessarily have to follow this guideline. Because developers provide this information to an app store they post in, there is opportunity for abuse and misrepresentation.

Packet Capture (PCAP)

Collecting network traffic on a computer network and saving it to a file for preservation, replay or analysis. RiskIQ collects a PCAP of what a mobile app does when it is “turned on” to see what locations it connects to for resource access.

Passive Domain Name Service (PDNS)

A collection of resolution records from traffic between an end point and a name server that resolves a domain name to an IP address. RiskIQ maintains its own PDNS database, which is a key element in its discovery and inventory process.

Peer-to-peer (P2P)

A computing or networking distributed application architecture that partitions tasks or workloads between peers.

Phish Kit

A collection of tools assembled to make it easier for people with little technical skill to launch a phishing exploit.  They generally include Web site development software, complete with graphics, coding, and content that can be used to create convincing imitations of legitimate sites, and spamming software to automate the mass mailing process.

Phishing

A type of Internet scam in which the perpetrator sends out spoofed email that appears to come from some legitimate source, in an effort to gather useful data, such as credit card information, PINs, and passwords.

Policy

A RiskIQ policy reviews all configured classifiers and adds logic and decision options via programmatic scripting to determine if an Event is to be created in a workspace.

Port

For computers to communicate over a network, the destination computer’s IP address must be known. The computers then communicate on a port at each end. Web servers listen by default on port 80, and on port 443 for secure sockets layer (SSL). Web servers can be configured to listen on any port, but the client device must know the specific port if the standard well known port is not being used.

Projects

Groups of crawls with a specific purpose. They are defined by the workspace they belong to and by shared configured settings such as the starting point, browsing location and type, preferences for the types of links to click on, and other virtual user behaviors and attributes. Projects can be “public”, meaning their crawls are potentially analyzable for use in other workspaces, or “private”, meaning that no other workspace can see them.

Protocol

The protocol identifies the method (set of rules) by which the resource is transmitted. All Web pages use HyperText Transfer Protocol (HTTP) or its encrypted form (HTTPS), and these are what RiskIQ web browsers leverage.

Proxy

A proxy acts as a shield between you and the site you are looking at; in other words, it is a middleman. When you use a Web proxy, you are not actually connecting to your intended site; instead, the Web proxy connects to the site on your behalf, so the site sees the proxy rather than you. A proxy can exist at a corporate perimeter or on the Internet.

Proxy Network

The RiskIQ Proxy Network is a collection of proxy servers that RiskIQ has established in different locations around the world. This allows the virtual users to interact with the Internet and appear to come from these IP addresses and network locations as their point of origin.

PTR Record

Pointer to a canonical name. The most common use is for implementing reverse DNS lookups, IP address to hostname(s).

R

Ransomware

A type of malicious software designed to block access to a computer system until a sum of money is paid.

Redirect

When a company wants to automatically forward traffic to some other host/IP address, this is referred to as a redirect. It can be accomplished in several ways: a DNS CNAME record can resolve the host name to another record or the same IP, a web server can forward traffic to a different host, or a script can take action on the client side to have the browser go to a different host.

Resource ID

The name of the file for the page and any directories or subdirectories under which it is stored on the specified computer. The resource ID is the part to the right following the TLD starting with the “/” that defines the file for a web browser to open.

S

Scareware

Malicious computer programs designed to trick a user into buying and downloading unnecessary and potentially dangerous software, such as fake antivirus protection.

Secondary Appstore

App stores that offer direct download of applications from their site, but are not official stores.

Security Information and Event Management (SIEM)

A complex set of technologies brought together to provide a holistic view into a technical infrastructure.  At its core, a SIEM provides: event and log collection, layered centric views, normalization, correlation, adaptability, reporting and alerting, and log management.

Sender Policy Framework (SPF)

SPF is a path-based email authentication technique.  It is an open standard specifying a technical method to prevent sender address forgery.  SPFv1 allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send email from their domain.

Server Side Coding

Code that lives on the server and responds to HTTP requests. Running a script directly on the web server to generate dynamic HTML pages fulfills the user’s request. This HTML is then sent to the client browser.

SOA Record

Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.

Spyware

Software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive.

Sub-Domain

A domain can have unique hosts under a parent domain. To uniquely distinguish these devices, the fully qualified domain name (FQDN) is used to identify them. These are represented in the hierarchy as subdomain.domain.TLD, read from right to left. These unique hosts are RiskIQ digital web assets.

T

Taxonomy

The supported fields and context for use in taxonomy-based classifiers. These support matching of terms and patterns within a scanned page or in a mobile app.

Top Level Domain (TLD)

Top level domain – a three- or two-letter extension that ends a domain. If the TLD is different, then the domain is different and the host will be unique. Common TLDs are .com, .org, .gov, .mil, .edu and .net. There are also country code TLDs (ccTLD) that may be used, such as .us, .mx, .uk, etc. There is a newer TLD category called generic top-level domains (gTLD), which adds thousands of new TLDs into the mix.

Trackers

Unique codes or values found within web pages and often used to track user interaction, such as Google Analytics IDs or social media embeds.  These can be used to correlate a disparate group of websites to a central entity and show common ownership or control over properties without any obvious shared connections otherwise. 

Trojan

A program that presents itself as legitimate or useful (for example, claiming to rid your computer of viruses) but instead introduces viruses or other malware onto your computer.

U

URL

Uniform Resource Locator is the full path to where the unique resource (webpage) is located on the Internet.

V

Virtual User

The RiskIQ technology used when the platform interacts with Internet properties. Virtual Users provide instrumentation to simulate real-user activities and behaviors while collecting all activity in the DOM for analysis and review.

Virus

A piece of code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.

W

Wateringhole Attack

A computer attack strategy in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group gets infected.

Web Application Firewall (WAF)

An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked.

Web Browser

An application used by computers to access resources and content on the Internet. Microsoft Internet Explorer & Edge, Google Chrome, Firefox, Apple Safari & Opera are common examples.

Web Components

Details describing a web page or server infrastructure gleaned from performing a web crawl using RiskIQ technology.  These components provide analysts with a high-level understanding of what was used to host the page and what technologies may have been loaded at the specific time of the crawl. 

Web Server Version

The web server software which runs on a server to offer up websites and content via the HTTP protocol for access to web browsers. These run on top of the server operating system on physical hardware or in the cloud. Some common examples of web servers would be:

Web Site

A complete group of webpages that are organized as a comprehensive set. Websites can be designed with all of the pages on one host or many.

Webpage

A webpage is a document exposed to the Internet that is formatted in HTML (Hypertext Markup Language), together with any related files for scripts and graphics, and is often hyperlinked to other documents on the Internet. These files use the file extensions .htm or .html.

Well Known Ports

Multiple services can be run from a server on different ports (email, FTP, SSH, etc.), all from the same computer with the same IP address. These common ports, known as Well Known Ports, have reserved services so that client devices know which port to reach out to when contacting a server on the Internet.

Whois

A protocol leveraged to query and respond to the databases that store registration and ownership of Internet resources. These will typically be used to define ownership of a domain, IP block or ASN. This is a distributed hierarchical database spread around the world.

Workspaces

Independent divisions of the RiskIQ system.  Every client will have their own workspace in which to house their RiskIQ data and settings (such as inventory, events, projects, etc.).  Workspaces may contain data for a single brand or multiple brands under a larger organizational label, and can also have their own permissions within them to restrict some workspace users’ ability to view and/or edit specific areas of the workspace’s configured functionality.

Worm

A self-replicating computer program that penetrates an operating system with the intent of spreading malicious code.  Worms utilize networks to send copies of the original code to other computers, causing harm by consuming bandwidth or possibly deleting files or sending documents via email.

Z

Zero-day

A vulnerability (hole) in software that is unknown to the vendor. The security hole is exploited by attackers before the vendor becomes aware of it and hurries to fix it; such an exploit is called a “zero day attack”.