External Threats

Product Description

External Threats automates the detection, monitoring, and remediation of threats posed by malicious actors to your organization, employees, and customers.

As businesses evolve and move more processes and interactions online, cyber-criminals are exploiting digital channels to launch new types of attacks. The RiskIQ platform enables security operations, incident response, threat intelligence, brand protection, legal, and anti-fraud teams to view all types of Internet Threats across web, mobile, social, and email channels, in order to effectively identify, prioritize, and respond to threats impacting their organization and its customers.

External Threats is available for purchase in either the Premium edition, which includes a set of core threat modules, or the Enterprise edition, which includes a larger selection of available threat modules to choose from for advanced use-cases. For modules that are brand-related, the Premium edition of External Threats covers up to 2 brands, whereas Enterprise covers up to 5. 

RiskIQ defines a brand as an official company name, official product name, or revenue-producing product line, which specifically identifies the customer organization. Derivatives of a single brand, such as an abbreviation, acronym, or nickname are counted as a single brand, but any names involving entirely different words must be counted as separate brands.  Coverage for additional brands can be added to either the Premium or Enterprise additions of External Threats.

Workflow Engine for Threat Management & Mitigation

RiskIQ provides both a web interface and API access to clients and their support teams to submit and investigate events. The web interface is designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation.

For each threat event, users can take the following workflow actions: 

  • Confirm: Validate event without sending an enforcement notice
  • Enforce: Generate and send a notice to initiate takedown, content removal, or other type of threat mitigation
  • Monitor: Automatically alert on any changes in content or behavior of a suspicious event that raise its threat-level and could trigger future enforcement
  • Review: Set aside for discussion/review to decide on proper response
  • Dismiss: Label event as a false positive
  • Assign a specific user to manage this event
  • Tag an event with a custom label for searching or reporting
  • Send the details of this event to a specified email address

Continuous monitoring of online resources lets customers know when threats have been successfully remediated, and RiskIQ’s post-resolution monitoring automatically re-opens events and alerts users to any tenacious threats posing a recurring risk to the organization.

Threat Detection

RiskIQ leverages its Internet intelligence datasets and proprietary virtual user technology to automate and streamline the detection and monitoring of threats over time. Virtual users closely simulate human Internet users in the ways they discover, analyze, and interact with web content in order to uncover previously unknown threats targeting specific user demographics and circumvent cloaking techniques used by criminals to evade detection. RiskIQ enriches the observations captured by virtual users with the intelligence gathered by the full RiskIQ platform in order to contextualize risks and prevent false positives. 

When threats are detected according to the subscribed set of modules and covered brands, RiskIQ automatically creates alerts in the form of events within the platform and schedules virtual users to re-examine the threat resource at scheduled intervals to observe changes over time and track the entire lifecycle of a threat.

RiskIQ’s vast Virtual User network includes:

  • A diversified bank of IP addresses from hundreds of geographic locations
  • All major browsers, both desktop and mobile
  • Algorithms to initiate crawlers on specific pages and follow links to simulate referred traffic
  • Algorithms to simulate clicking through a page as an intentioned user would rather than a bot systematically or randomly clicking links
  • The ability to extract, normalize, and target key attributes from social media profiles and mobile app store postings

Full records of virtual user sessions, including screenshots, the captured document object model of each page, and preserved sequence of links and redirects provide the technical basis of RiskIQ's detection capabilities, upon which layers of analytics are automatically applied in order to classify each threats and enrich data with additional insights to determine the appropriate response. 


Brand Phishing (Premium or Enterprise)

Brand Phishing provides detection and workflow for mitigating phishing sites impersonating an organization in order to phish their users, customers, prospects, or partners via the use of one of their brands.

 RiskIQ ingests suspected phishing URLs from a broad range of sources including third-party blacklists, an organization’s external abuse boxes, web server referrer logs, and DMARC data, as well as any client submissions to streamline detection, review, and mitigation of phish. Machine learning algorithms intelligently sort phishing pages from legitimate sites, automatically validating the vast majority of phish and leaving a small fraction, if any, left for human review. 

Integrations with Google Safe Browsing and Microsoft SmartScreen to automatically submit phish for browser blocking for 98% of Internet users and pre-configured templates to generate and send takedown notices for phishing sites dramatically reduce mean time to mitigation and overall lifetime of phish.

Employee Phishing (Premium or Enterprise)

Employee Phishing provides detection for phishing sites targeting an organization's employees and are not necessarily leveraging a brand owned by the company in the attempted attack.

RiskIQ extracts and interrogates URLs from emails and attachments reported as potentially fraudulent by employees and/or other submitted sources of suspicious URLs from your environment to automate analysis and orchestrate response. Machine learning algorithms and URL reputation intelligently sort phishing and malware incidents from false positives and cases of the organization's own official sites being reported as phish. 

Full crawl metadata and user sessions are recorded as forensic evidence. Phishing simulation campaign URLs are excluded automatically from threat analysis through integrations with popular phishing awareness training products. This module does not include any remediation or mitigation via RiskIQ's Managed Security Services, but orchestration playbooks could route to corporate blocking solutions for the malicious URLs.

Domain Threats (Premium or Enterprise)

Domain Threats provides detection and monitoring of suspicious domain and subdomain names that contain or are confusingly similar to an organization's official domains and brand names.

RiskIQ analyzes Whois registrations and passive DNS data to identify newly observed and updated domain names and subdomains exploiting brand names. Domains are analyzed for similarity via a proprietary algorithm developed by the RiskIQ data science team, as well as for homographic similarity/punycode obfuscation, and regular expression matching to optimize accuracy and detection coverage. 

Automatic analysis of the domain's threat level, including any web content hosted on the domain, the domain's capability to send or receive email, and detection of Whois and DNS changes allows users to quickly identify high priority threats and determine the proper response and mitigation strategy using pre-configured templates and built-in workflow.

Mobile Threats (Premium or Enterprise)

Mobile Threats provides visibility into an organization's presence throughout the global mobile app ecosystem and identifies unauthorized download locations of official applications, mobile spoofs impersonating or claiming false affiliation with a brand, and mobile malware targeting the organization's users. 

RiskIQ searches hundreds of app stores around the world with native-level integrations including a unique source of "feral app" files found outside of dedicated app stores in order to automatically extract app details and download mobile binaries. Analysis of app store attributes, app posting details, and all app code and files enable RiskIQ to automatically categorize official apps and monitor for new version releases, identify old or modified versions of official apps, and detect third party apps posing as official branded apps or otherwise packaged with malware targeting an organization and its users.

Pre-configured templates for reporting violations to contacts at each app store allow users to mitigate mobile threats across all stores quickly and effectively.

Social Brand Threats (Enterprise)

Social Brand Threats provides visibility into an organization's presence detection in all major social networks, including Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest, and Google+ and workflow for mitigating social media accounts impersonating the brand. 

RiskIQ uses a combination of API integrations and unique virtual user technology to search social networks and analyze account details for unofficial social media accounts claiming to represent client organizations. Through this analysis, RiskIQ categorizes official social channels, unauthorized social profiles set up by various business units throughout the organization that are out of compliance with company policy,  as well as fake third party social accounts, such as fake customer support channels phishing for customer data, fake job recruiters asking applicants for personal information or job application fees, and social accounts associating a brand with offensive or illegal content.

Links to each social network's web form or other channel for reporting abuse are provided within each event alert to facilitate efficient mitigation.

Social Executive Threats (Enterprise)

Social Executive Threats provides detection and workflow for mitigating social media accounts impersonating company executives or employees in all major social networks (Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest, and Google+).

RiskIQ uses a combination of API integrations and unique virtual user technology to search social networks and analyze account details for illegitimate social media accounts claiming to represent company executives or employees--typically for purposes of using social engineering to phish for sensitive data or to embarrass specific, high-profile individuals affiliated with a company.  

Links to each social network's web form or other channel for reporting abuse are provided within each event alert to facilitate efficient mitigation.

Custom Social Networks (Enterprise)

The Custom Social Networks modules allows customers to add up to 5 additional social media networks beyond the top 7 major networks (Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest, and Google+) to their Social Brand Threats and/or Social Executive Threats monitoring.

Suitable social media networks may include regional networks popular in countries where client brands operate or other networks the organization uses and considers important to protecting its brand and customers from abuse. All selected additional networks are subject to technical review to evaluate the technical feasibility and challenges of monitoring the network.

Mitigation procedures may vary according to the network(s) selected. Part of the technical review will include reviewing each network's terms of service and identifying proper communication channels for reporting abuse.

Data Leakage Detection (Enterprise)

Data Leakage Detection provides detection and workflow for mitigating stolen user credentials and other leaked sensitive company data being posted in the open, offered for sale, or otherwise made available to third parties outside the organization.

RiskIQ searches various websites and forums for such data, including Pastebin, GitHub, SlideShare, and open hacker forums and blogs to monitor what data related to an organization is available in each of these locations.

Pre-configured templates and content removal procedures for various different sites and types of post facilitate enforcement to remove detected instances of data leakage.

Brand Tarnishment (Enterprise)

Brand Tarnishment includes the detection and mitigation of web content infringing on client brand trademarks by attacking the brand reputation and/or associating the brand with illegal or objectionable content.

RiskIQ virtual users search for such content, analyzing webpages for brand related text or images and leverage machine learning and other advanced analytics to identify the presence of threat content that may constitute tarnishment of the brand. Dependent on the client brand's industry and policies, such content can include malware, plus such categories as pornography, liquor, tobacco, weapons, pharma, and gambling.

Mitigation requires a representative trademark chart and description of the tarnishment relevant to the Internet presence location, as well as client approval after performing a fair-use analysis.

Remote Deposit Capture Fraud / Card Cracking (Enterprise)

Remote Deposit Capture (RDC) Fraud and Card Cracking are popular forms of financial fraud that typically involve recruiting victims through social media posts to use as mule bank accounts. This module provides detection and workflow for mitigation of such posts related to client brands in order to prevent these types of fraudsters from recruiting new victims with the promise of making quick cash as a reward for helping the scammer move a larger sum of money.

RiskIQ virtual users monitor major social media channels most used (Facebook, Twitter, Instagram, and YouTube) for this type of recruiting to detect such activity in dedicated accounts and/or individual posts. Scams typically target one or more specifically mentioned financial institutions, often including mention of a real or fictitious friend or relative who works at the institution in order to convince victims of the authenticity and viability of the scam. 

Event alerts contain all the necessary evidence to report abusive posts to each social network and request removal.

Phone Phish (Enterprise)

Phone Phish includes mitigation of phishing threats carried out via phone calls impersonating a brand or service (sometimes called voice phishing or Vishing). 

RiskIQ does not natively support detection of phone phish, however, any phone numbers reported by a brand's employees and/or customers can be added to the RiskIQ platform as events for tracking and mitigation purposes. The ability to submit such events is included in the general capabilities of the platform, so this module should only by purchased by clients who would like to use RiskIQ's Managed Security Services to assist with the mitigation of such threats.

Mitigation of phone phish consists of reporting fraudulent phone numbers to the associated telecommunications company through which they are operating in order to get them deactivated. 

Email Spoof (Enterprise)

Email Spoof includes the mitigation of email addresses used to send messages forged to appear as though it was sent by someone else for purposes of carrying out fraud. This category includes email account compromise (EAC) attacks as well as business email compromise (BEC) attacks and the phishing emails that typically precede such attacks. 

RiskIQ does not natively support detection of email spoofing, however, any email addresses reported by a brand's employees and/or customers can be added to the RiskIQ platform as events for tracking and mitigation purposes. The ability to submit such events is included in the general capabilities of the platform, so this module should only by purchased by clients who would like to use RiskIQ's Managed Security Services to assist with the mitigation of such threats.

Email Spoof mitigation consists of reporting fraudulent email senders to the associated mail provider along with full mail headers and message bodies demonstrating the fraud in order to get them deactivated. 

Deep and Dark Web (Enterprise)

The Deep and Dark web module provides clients visibility into mentions of their company or other keywords of interest in deep and dark web forums. 

Data is sourced via Flashpoint, a RiskIQ partner organization specializing in monitoring the deep and dark web, and sent to the RiskIQ platform, so that it can be viewed side-by-side with threats on the open web. Viewing different pieces of the puzzle together, clients can draw additional insights from connections in the data and track a threat from planning and discussion stages in forums through to the actions taken and infrastructure used on the open web to launch the attack.

Up to 200 keywords are supported. This module does not include any mitigation or remediation, however, analysts at Flashpoint can provide up to 24 expert language translations per subscription period in cases where that service is required to interpret the data found on the dark web.

Custom Monitoring (Enterprise)

Custom Monitoring modules allow clients to adapt the capabilities of the RiskIQ platform automate the detection of any additional External Threat-related use-cases not otherwise listed as modules above. All proposed use-cases will be subject to review to evaluate the technical feasibility and configuration challenges.

The detection of each custom module will vary per use-case, and each sufficiently different use-case such as to require its own unique configuration shall be counted as a separate module. 

Part of the review process will include defining mitigation procedures and configuration of associated templates as appropriate. For clients using RiskIQ's Managed Security Services, mitigation of threats detection through custom monitoring will be limited to the capabilities outlined in the RiskIQ Incident Response Team Terms. 


RiskIQ provides dashboards, email alerts, data exports, webhooks, APIs, and integrations with popular SIEM and other tools to extract and interact with our data. PDF reports also provide External Threat Management program performance metrics related to event detection, management, and enforcement over time.