JavaScript Threats

Product Description

JavaScript Threats protects customer trust in online interactions by monitoring an organization's critical web applications for malicious JavaScript attacks, such as Magecart, intent on stealing site users' sensitive information. 

Organizations are increasingly moving core business transactions and functions online. As a result, third-party JavaScript within high-priority web assets, such as payment pages or personal data entry forms, has become a major security risk but a nearly unavoidable business practice. Malicious JavaScript injection is therefore on the rise as a tactic for cyber-criminals, resulting in an ongoing series of extremely high-profile data breaches that impact hundreds of thousands of customers and cost hundreds of millions of dollars in fines, lost customer business, and lost trust for major companies across industries such as Retail, Professional Services, Finance, and Manufacturing.

JavaScript Threats leverages RiskIQ’s Internet intelligence datasets and proprietary virtual user crawling technology to provide unique visibility into which third-party resources are in use across an organization's web assets and how those resources change when rendered in a browser and served to a client. It also provides near real-time monitoring and alerting for newly added or changed resources that are malicious, suspicious, or SRI (sub-resource integrity) violations, thereby enabling the organization to detect JavaScript attacks and preserve the integrity of customers' interactions with its web assets.

JavaScript Threats is available for purchase either as a stand-alone solution for a given set of covered asset hosts / pages to scan, or as an add-on fully integrated into the RiskIQ Digital Footprint product suite. Digital Footprint automatically discovers and maps an organization's entire online attack surface, providing a dynamically updated view of all the web infrastructure the organization owns, including where all web forms and logins can be found across the web asset inventory, which can inform the selection of covered hosts for JavaScript attack monitoring.

Threat Detection

RiskIQ virtual users closely simulate human Internet users in the ways they interact with web content. They capture everything that a human user sees as well as what the browser sees happening behind the scenes, in order to provide a 360-degree record of any observed threat activity. For high-value target sites, virtual users will visit a site as often as every couple of hours. Whenever a virtual user crawl completes, RiskIQ analyzes the observed data for malicious or suspicious activity, noting all newly added or changed resources and checking the site for any threat indicators based on either RiskIQ's proprietary malware research or third-party blacklists.

Detection Policy-Types:

  • Malicious 
    • Observed malicious JavaScript injection (e.g., Magecart)
    • Blacklist host reputation
  • Suspicious
    • Newly added or changed resource URL or content uses a bare IP address
    • Newly added or changed resource URL or content uses a non-standard / new gTLD
    • Newly added or changed resource URL or content uses a newly registered / observed domain or hostname 
  • SRI
    • Newly added or changed resource hash does not match expected SRI hash
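The SRI and bare-IP policy types above can be illustrated with a small check. This is an added example for Node.js, not RiskIQ's code or detection logic; the record shape ({ url, body, integrity }), the finding labels, and the sample script are assumptions constructed for illustration.

```javascript
// Added example; not RiskIQ code. Record shape and sample data are constructed.
const crypto = require("node:crypto");
const net = require("node:net");

const RANK = { sha256: 1, sha384: 2, sha512: 3 }; // algorithms SRI defines, weakest first

// Build an SRI value ("<algo>-<base64 digest>") for a resource body.
function sriDigest(body, algo = "sha384") {
  return `${algo}-${crypto.createHash(algo).update(body).digest("base64")}`;
}

// Returns true/false for match/mismatch, or null when the attribute has no
// usable hash. Like a browser, only the strongest algorithm listed is checked.
function matchesIntegrity(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => t.split("?")[0])                        // drop any "?options" suffix
    .map((t) => ({ value: t, algo: t.split("-")[0] }))
    .filter((t) => Object.hasOwn(RANK, t.algo));        // ignore unknown algorithms
  if (tokens.length === 0) return null;
  const best = Math.max(...tokens.map((t) => RANK[t.algo]));
  return tokens.some((t) => RANK[t.algo] === best && t.value === sriDigest(body, t.algo));
}

// Classify one newly added or changed resource from a crawl.
function classifyResource({ url, body, integrity }) {
  const findings = [];
  const host = new URL(url).hostname.replace(/^\[|\]$/g, ""); // unwrap IPv6 brackets
  if (net.isIP(host) !== 0) findings.push("suspicious:bare-ip");
  if (integrity && matchesIntegrity(body, integrity) === false) {
    findings.push("sri:hash-mismatch");
  }
  return findings;
}

// Constructed sample: the script as first pinned, then as served later.
const pinned = "function pay(){submit(form)}";
const served = pinned + ";/* changed */";
const integrity = sriDigest(pinned);

function demo() {
  const url = "https://cdn.example.com/pay.js";
  return {
    unchanged: classifyResource({ url, body: pinned, integrity }),
    changed: classifyResource({ url, body: served, integrity }),
    bareIp: classifyResource({ url: "http://203.0.113.7/lib.js", body: served, integrity: "" }),
  };
}

console.log(demo());
```

When an integrity attribute lists several hashes, a mismatch on the strongest algorithm is a violation even if a weaker hash in the same attribute still matches.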

Full records of virtual user sessions, including screenshots, user agent metadata, the captured document object model of each page, and the preserved sequence of links and redirects, provide the technical basis of RiskIQ's detection capabilities. Layers of analytics are automatically applied on top of these records in order to classify each threat and enrich the data with additional insights to determine the appropriate response.

Alerting & Threat Management Workflow

RiskIQ provides a web interface, email alerts, and API access to clients and their support teams to view and investigate events. Events are designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation.

Users can take the following workflow actions via either the UI or the API:

  • Confirm: Validate event as a true positive
  • Enforce: Note that action has already been taken to correct the problem
  • Review: Set aside for discussion/review to get feedback and decide on proper response
  • Dismiss: Label event as a false positive
  • Assign: Make a specific user the owner in charge of managing this event
  • Tag: Add a customizable label to an event for searching or reporting
  • Email: Send the details of an event to a specified email address (recipient need not have a RiskIQ user account)
  • Note: Annotate an event with additional context or details

Reporting

RiskIQ provides live dashboards, CSV data exports, an API, and integrations with popular SIEM and other tools to extract and interact with our data.