Infrastructure Events

Infrastructure events are available to customers who have purchased RiskIQ Enterprise Digital Footprint. They alert you to configurations of the asset infrastructure in your RiskIQ inventory that violate security or compliance policies, and to unexpected changes that might indicate compromise. Tracking infrastructure changes is fundamental to knowing your evolving attack surface and identifying new vulnerabilities.

When a policy violation is found, an Infrastructure event is created in the workspace. It can be viewed in the events dashboard and events list inside the RiskIQ web application, received as an email alert, or retrieved via the RiskIQ events API. For a general introduction to events and other parts of the RiskIQ system, please see RiskIQ Platform Architecture.

Outlined below are tips on:

  1. How to read and interpret the information presented in an Infrastructure event (field definitions)
  2. Suggested best practices for Infrastructure event management, including user workflow and tagging
  3. How it works: Infrastructure Event detection and system overview

Example: an Infrastructure event alerting that the website https://www.passivetotal.org had begun redirecting to https://community.riskiq.com. (In this case the change was planned and intentional, but the new website had not yet been confirmed into Inventory to reflect that.)

Reading Infrastructure Events - Field Definitions

Event List Item

This is how Infrastructure events are represented in the Events section of the RiskIQ web application. Clicking on a list item brings up details for the event and user-initiated workflow actions. 

  • Policy: what kind of Infrastructure policy the event is for.
  • Asset: name of the asset that triggered the policy.
  • Status: current status of the event.
  • Created: date the event was generated.
  • Updated: date the event last changed status or was otherwise edited (most recent update recorded in the event history).
  • Tags (if any have been applied)

Event Header

At the top of each event's details is a header containing high-level information, as well as workflow actions.

  • Status: current event status and the ability to change the status of this event.
  • Tags: Tags applied to this event and the ability to add or remove tags (if any tags are configured for this event-type).
  • Owner: current event owner responsible for reviewing or tracking the event and the ability to assign a new owner for this event. 
  • Priority: current event priority and the ability to assign a new priority for this event. Infrastructure events are generally assigned a priority automatically based on the type of policy: a policy that trips merely because some change was observed is usually given trivial priority, whereas more specific policies that trigger only on changes indicative of security risk are given medium or higher priority.
  • Email Event Details (via envelope icon at top right)

Summary Tab

The Summary provides basic information for assessing the event and deciding how to act on it. The Summary tab is organized into multiple sections:

ATTRIBUTES

  • Asset: The asset that triggered the policy.
  • Type: Which category of policy was violated: either the current state of the asset constitutes a violation ("policy"), or a change occurred and it is the change, rather than the end state, that triggered the alert ("change policy").
  • Cause: The name of the specific policy violated. See the detection section below for more information on policies.
  • Cause Description: (If applicable, otherwise blank) If the policy has a description further describing the cause, this field contains that text.
  • Change: (If applicable, otherwise blank) If the policy involves a change, as opposed to an asset simply being in an improper state, this field shows the prior and new values of the asset fields that changed.

HISTORY

  • Timeline of changes made to the event with the date, time, and name of the user who took each action, including:
    • Status changes 
    • Emails sent (with recipients)
    • Notes added
    • Tags added/removed

Site Details

(If the type of asset involved in the event is a website) this section provides more information about that website beyond what is shown in the summary tab, including: 

  • CNAME
  • Nameserver Information
  • ASN Information
  • Metro Code Information
  • Alexa Category and Exact Rank
  • Full Whois Record
  • Full IP Whois Record
  • Host Details
  • SSL Information
  • File Information

Managing Infrastructure Events - User Review Decision Workflow and Tagging Best Practices

The flow chart below describes a decision tree encompassing best practices for reviewing infrastructure events. It describes in more detail the 'User Review' step in the system overview diagram at the end of this article.

  • Green represents steps taken automatically by the RiskIQ system
  • Pink represents steps taken by a human user
  • Blue represents a status and/or tag label


Tag Set

  • Requires Remediation
  • Acceptable Risk

Infrastructure Event System Overview

Detection

Infrastructure events are created by the process of refreshing the metadata of each asset in your RiskIQ inventory, which runs automatically once per day (a.k.a. asset "detailing"). By looking at the current state of each asset, and at whether any metadata fields changed between yesterday's and today's refresh, the system determines whether any infrastructure policies should generate alerts. Policies are broken into 3 categories, and any combination of the available policies may be enabled in a workspace according to client preferences:

  1. Indicator of Compromise /IOC: specific changes that are suspicious or potentially indicate that an asset could be compromised
  2. Infrastructure: policies related to assets being misconfigured or in some other non-allowed state without a change necessarily occurring
  3. Infrastructure Change: general change policies for any changes in the described field, not only the specific changes deemed IOCs  

*Note that in the case of host and website asset policies, only hosts and websites labeled as Enterprise Assets are considered for Infrastructure events. Changes to other host and website assets are ignored.

**Note also that the website asset policies are currently limited to detailing of the website's homepage; sub-pages within the asset are not crawled for this purpose.

Available Policies (grouped by asset type; each policy belongs to one of the three categories above: IOC, Infrastructure, or Infrastructure Change):

ASN
  • Peers Changed

Domain
  • Domain Registrant Changed to Non-Asset Contact
  • Domain Admin Contact Changed to Non-Asset Contact
  • Domain Technical Contact Changed to Non-Asset Contact
  • Domain Registration Expired
  • Domain Registration Expiring (30 Days)
  • Domain Registration Expiring (60 Days)
  • Domain Registration Expiring (90 Days)
  • Domain Whois Contact Invalid
  • Domain Registrar Details Changed
  • Domain Registrant Details Changed
  • Domain Admin Details Changed
  • Domain Technical Details Changed
  • Domain Name Servers Changed
  • Domain Status Changed
  • Domain Registrar Updated

Host
  • IP Block Changed to Non-Asset IP Block
  • Non-production Hostname
  • IP Block Changed
  • CNAME Changed

IP Block
  • ASN Record Changed to Non-Asset ASN
  • IP Block Registrant Changed to Non-Asset Contact
  • IP Block Admin Contact Changed to Non-Asset Contact
  • IP Block Technical Contact Changed to Non-Asset Contact

  • ASN Record Changed
  • IP Block Registrant Changed
  • IP Block Admin Contact Changed
  • IP Block Technical Contact Changed
  • IP Block Country Changed

SSL Cert
  • SSL Cert Expired
  • SSL Cert Expiring (30 Days)
  • SSL Cert Expiring (60 Days)
  • SSL Cert Expiring (90 Days)

Website
  • SSL Certificate Changed to Non-Asset Cert
  • Final URL Changed To URL on Non-Asset Site
  • Website Language Changed

  • Blacklisted Final URL
  • Response Body Changed > 20%
  • SSL Certificate Changed
  • Final URL Changed
  • Redirection Response Changed
  • Initial Response Error
  • Final Response Error
  • Response Time Changed
  • Live Status Changed
  • Framework Changed
  • HTTPS Usage Changed
  • Site Title Changed

System Overview

The following diagram follows an Infrastructure event through the RiskIQ system from detection through review and monitoring. 

  • Green represents steps taken automatically by the RiskIQ system
  • Pink represents steps taken by a human user
  • Blue represents a status and/or tag label

Monitoring and Auto-Resolution

  • Infrastructure policies that do not involve a change (state policies) are re-checked daily when the metadata of the associated asset in Inventory is refreshed, and the event resolves automatically if the condition that triggered it is no longer true. The check that the issue has been remediated, and the change of status to Resolved, can therefore be performed either automatically by the system or manually by a user.
  • Infrastructure events based on change policies do not resolve automatically, because they record a point-in-time change that cannot be "re-observed" for resolution purposes. Such events must be resolved manually by a user.
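The detection loop (daily detailing, state policies versus change policies, general change versus IOC) and the monitoring rules (state events auto-resolve, change events do not) are easiest to see together in a small working model. The following is an added example written for this page, not RiskIQ code: the asset snapshots, the confirmed asset-contact list, the category-to-priority mapping and the event field names are constructed assumptions, and only a handful of the policies listed above are modelled.

```python
# Toy model of the daily detailing loop: evaluate policies on today's vs. yesterday's
# asset metadata, open events, and auto-resolve state events. Added example, not RiskIQ code.
from datetime import date, timedelta

# Contacts the organization has confirmed for its own assets (constructed assumption).
ASSET_CONTACTS = {"hostmaster@example.com"}
# Priority per category; the page only says change-only policies are usually trivial and
# more specific ones medium or higher, so the exact mapping is an assumption.
PRIORITY = {"IOC": "high", "Infrastructure": "medium", "Infrastructure Change": "trivial"}


def expiry_cause(label, expires, today):
    """Tightest applicable expiry policy name, or None. (In the product each window is
    its own policy; reporting only the tightest one is a simplification of this toy.)"""
    if expires < today:
        return f"{label} Expired"
    for days in (30, 60, 90):
        if expires <= today + timedelta(days=days):
            return f"{label} Expiring ({days} Days)"
    return None


def evaluate_policies(prev, curr, today, asset_contacts=ASSET_CONTACTS):
    """Findings for one asset. State ("policy") findings use only curr; change
    ("change policy") findings need prev, so a newly detailed asset (prev=None) gets none."""
    findings = []

    def state(cause, category):
        findings.append({"asset": curr["name"], "type": "policy", "cause": cause,
                         "category": category, "change": None})

    def changed(cause, category, key):
        findings.append({"asset": curr["name"], "type": "change policy", "cause": cause,
                         "category": category,
                         "change": {"field": key, "prior": prev[key], "new": curr[key]}})

    if curr["kind"] == "domain":
        cause = expiry_cause("Domain Registration", curr["registration_expires"], today)
        if cause:
            state(cause, "Infrastructure")
        if prev is not None:
            if prev["name_servers"] != curr["name_servers"]:
                changed("Domain Name Servers Changed", "Infrastructure Change", "name_servers")
            if prev["registrant"] != curr["registrant"]:
                # Any registrant change trips the general change policy; a change to a
                # contact the organization does not own is additionally an IOC.
                changed("Domain Registrant Details Changed", "Infrastructure Change", "registrant")
                if curr["registrant"] not in asset_contacts:
                    changed("Domain Registrant Changed to Non-Asset Contact", "IOC", "registrant")
    elif curr["kind"] == "ssl_cert":
        cause = expiry_cause("SSL Cert", curr["not_after"], today)
        if cause:
            state(cause, "Infrastructure")
    return findings


def reconcile(events, findings, today):
    """Monitoring rules: an Open state event resolves when its condition is no longer
    observed; change events never auto-resolve. A state finding already tracked by an
    Open event is not duplicated, but every observed change becomes a new event."""
    observed = {(f["asset"], f["cause"]) for f in findings}
    updated = []
    for ev in events:
        if ev["type"] == "policy" and ev["status"] == "Open" and (ev["asset"], ev["cause"]) not in observed:
            ev = {**ev, "status": "Resolved", "updated": today}
        updated.append(ev)
    tracked = {(e["asset"], e["cause"]) for e in updated if e["status"] == "Open"}
    for f in findings:
        if f["type"] == "policy" and (f["asset"], f["cause"]) in tracked:
            continue
        updated.append({**f, "status": "Open", "priority": PRIORITY[f["category"]],
                        "created": today, "updated": today})
    return updated


def run_day(prev_snapshot, curr_snapshot, today, events):
    """One detailing run over an inventory snapshot (list of asset dicts)."""
    prev_by_name = {a["name"]: a for a in prev_snapshot}
    findings = []
    for asset in curr_snapshot:
        findings += evaluate_policies(prev_by_name.get(asset["name"]), asset, today)
    return reconcile(events, findings, today)


# Constructed snapshots. Day 1: the domain's registrant and name servers change and the
# site certificate is already expired. Day 2: nothing else changes; the cert is renewed.
DAY1 = date(2020, 6, 1)
DOMAIN_BEFORE = {"name": "example.com", "kind": "domain", "registrant": "hostmaster@example.com",
                 "name_servers": ["ns1.example.net", "ns2.example.net"],
                 "registration_expires": date(2021, 6, 1)}
DOMAIN_AFTER = {**DOMAIN_BEFORE, "registrant": "someone@mailbox.test",
                "name_servers": ["ns1.parking.test", "ns2.parking.test"]}
CERT_EXPIRED = {"name": "www.example.com (cert)", "kind": "ssl_cert", "not_after": date(2020, 5, 30)}
CERT_RENEWED = {**CERT_EXPIRED, "not_after": date(2021, 5, 30)}


def demo():
    """Two consecutive detailing days; returns the resulting event list."""
    events = run_day([DOMAIN_BEFORE, CERT_EXPIRED], [DOMAIN_AFTER, CERT_EXPIRED], DAY1, [])
    return run_day([DOMAIN_AFTER, CERT_EXPIRED], [DOMAIN_AFTER, CERT_RENEWED],
                   DAY1 + timedelta(days=1), events)
```

After day 1 the model holds four Open events: a high-priority IOC and a trivial general change for the same registrant edit, a trivial name-server change, and a medium state event for the expired certificate. On day 2 the renewed certificate is no longer in violation, so only that state event flips to Resolved; the three change events stay Open until a user closes them, exactly the asymmetry described in the two bullets above.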