Security Intelligence Services

Product Description

As security operations become more advanced, they require more data to power their capabilities and to enrich incidents instantly. Security Intelligence Services provides direct, high-volume access to RiskIQ data, allowing mature customers to use this data to programmatically defend against threats to their environment.

The Security Intelligence Services offering provides proactive threat intelligence in the form of blacklist and reputation feeds built from RiskIQ's data gathering, to defend against evolving threats, as well as URL Intelligence, which gives customers programmatic access to direct RiskIQ's raw URL crawling capabilities at URLs of their choosing and to ingest the results.

Customer Challenges

  • Enabling Operations - Many top-tier security operations groups have built internal systems to process, correlate, and respond to suspicious events within their organizations. These systems need access to reliable, high-scale data sets to power detection, correlation, and enrichment.
  • Artifact Enrichment - Security enterprises today are overloaded with alerts from all their products. It is difficult for them to identify where to focus their efforts and which items to action first.
  • Hunting - As security operations mature, they want to proactively hunt through internal data to identify possible suspicious activity. This hunting requires triaging hundreds of thousands of IPs and domains on a weekly basis, most of which are legitimate.

Attack Analytics Feeds

Access to proprietary insights based on RiskIQ's observations across real-time Internet data sets. As attacks evolve and propagate outside of your network, RiskIQ behavioral analytics identifies cyber threats and provides customers with filtered lists of risky or known bad hosts, domains, IPs and URLs. Delivered results can be accessed from a provisioned Amazon S3 bucket.

  • Newly Observed Domains - New domains as soon as they are registered and/or resolve in PDNS (e.g. bad.com); these observables are provided in a file-based format (CSV) on an hourly basis and as a daily 24-hour roll-up
  • Newly Observed Hosts - New hosts as they appear in our data sets (e.g. super.bad.com); these observables are provided in a file-based format (CSV) on an hourly basis and as a daily 24-hour roll-up
  • Malware Blacklist -  Domains, IPs, and URLs associated with malicious code
  • Phish Blacklist - Domains, IP addresses, and URLs associated with phishing campaigns
  • Scam Blacklist - Domains, IP addresses, and URLs associated with Internet scams, including fake software, tech support, banking, scareware, etc.
  • Content Filtering List - Domains and URLs categorized according to illegal or objectionable content that organizations may wish to block, such as gambling, weapons, fake pharmaceuticals, drugs, adult content, liquor, counterfeit, fake news, tobacco, etc. 
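The feeds above are delivered as CSV files, so the customer-side work is ingesting them and matching them against internal telemetry for the enrichment and hunting use cases described earlier. The following Python is an added example, not RiskIQ code: it assumes a column layout for a Newly Observed Domains file and a typed blacklist file (the page does not document the real columns), builds lookups from them, and tags constructed DNS log lines. It also walks parent domains so a feed entry for bad.com covers super.bad.com, and it separates confirmed blacklist hits from newly observed domains, which are only hunting leads because most new domains are legitimate.

```python
import csv
import io
from collections import defaultdict

# Constructed hourly feed snippet. Column names are an assumption: the page
# says the feeds are CSV delivered hourly and as a daily roll-up, nothing more.
NEWLY_OBSERVED_DOMAINS_CSV = """domain,first_seen
bad.example,2024-01-01T00:10:00Z
shop-deals.example,2024-01-01T00:25:00Z
"""

# Constructed blacklist feed snippet; one row per indicator, typed so that
# domain, IP and URL indicators can be matched against different log sources
# (URL indicators would be matched against proxy logs, not DNS, so they are
# loaded here but unused).
PHISH_BLACKLIST_CSV = """indicator,type,category
login-verify.example,domain,phish
203.0.113.9,ip,phish
http://bad.example/invoice.html,url,phish
"""

# Constructed DNS query log lines: "timestamp client qname answer".
DNS_LOG = """2024-01-01T01:00:02Z 10.0.0.5 www.bad.example 203.0.113.7
2024-01-01T01:00:03Z 10.0.0.6 mail.corp.example 192.0.2.10
2024-01-01T01:00:04Z 10.0.0.7 login-verify.example 203.0.113.9
2024-01-01T01:00:05Z 10.0.0.8 cdn.shop-deals.example 198.51.100.4
"""


def load_newly_observed(csv_text):
    """Return the set of newly observed domains, normalised to lowercase."""
    return {row["domain"].lower().rstrip(".")
            for row in csv.DictReader(io.StringIO(csv_text))}


def load_blacklist(csv_text):
    """Index blacklist indicators by type -> {indicator: category}."""
    index = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        index[row["type"]][row["indicator"].lower()] = row["category"]
    return index


def parent_domains(hostname):
    """Yield the hostname and each parent below the TLD, so that a feed
    entry for bad.com also covers super.bad.com."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def enrich(dns_log, newly_observed, blacklist):
    """Tag each DNS log line with the feed matches it produced."""
    findings = []
    for line in dns_log.splitlines():
        ts, client, qname, answer = line.split()
        tags = []
        for dom in parent_domains(qname):
            if dom in blacklist["domain"]:
                tags.append("blacklist:" + blacklist["domain"][dom])
                break
        if answer in blacklist["ip"]:
            tags.append("blacklist-ip:" + blacklist["ip"][answer])
        if any(dom in newly_observed for dom in parent_domains(qname)):
            tags.append("newly-observed-domain")
        if tags:
            # A blacklist hit is a confirmed indicator; a newly observed
            # domain on its own is only a lead for the hunting team.
            priority = "high" if any(t.startswith("blacklist") for t in tags) else "review"
            findings.append({"ts": ts, "client": client, "qname": qname,
                             "priority": priority, "tags": tags})
    return findings


def triage(findings):
    """Order findings so confirmed blacklist hits come before hunting leads."""
    return sorted(findings, key=lambda f: (f["priority"] != "high", f["ts"]))


if __name__ == "__main__":
    result = triage(enrich(DNS_LOG,
                           load_newly_observed(NEWLY_OBSERVED_DOMAINS_CSV),
                           load_blacklist(PHISH_BLACKLIST_CSV)))
    for f in result:
        print(f["priority"], f["client"], f["qname"], ",".join(f["tags"]))
```

In production the same loaders would read the hourly files from the provisioned S3 bucket, and the daily roll-up would be used to rebuild the lookup sets from scratch rather than accumulating hourly deltas indefinitely. The parent-domain walk stops above the TLD and is not public-suffix aware, so a domain such as co.uk would need a suffix list to handle correctly.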

URL Intelligence

Web User Simulation

RiskIQ’s global network of virtual users simulates the customer's audience to draw out malicious ads. The following user attributes are supported:

  • IP Address / Geo-Location - RiskIQ’s Global Proxy Network provides IP addresses from 60 countries and 34 U.S. metros.
  • User Agent - Browser / OS combinations:
      Chrome 58.0.3029.110 Windows (Default, Primary Recommendation for Desktop)
      Chrome 57.0.2987.133 Mac
      Chrome 41.0.2228.0 Windows
      Chrome 41.0.2227.1 Mac
      Firefox 2 (Retired)
      Firefox 3
      Firefox 36 Windows
      Firefox 33 Mac
      Internet Explorer 6 (Retired)
      Internet Explorer 7
      Internet Explorer 8
      Safari 7.0.3 Mac

Mobile User Simulation

RiskIQ’s mobile virtual users simulate the customer's audience to draw out malicious ads.  The following user attributes are supported:

  • Cellular Network IPs (Premium Tier) - Currently providing cellular egress from 29 countries and continuously adding support for more countries.
  • User Agent - Browser / OS combinations:
      Android Mobile
      Android Mobile 4.4 (Primary Recommendation for Mobile)
      iPad Mobile 7
      iPhone Mobile (iOS 7)
      iPhone Mobile 8 (Primary Recommendation for Mobile)
      Safari 7.0.3 Mac
  • User Agent & Device Variables - RiskIQ supports a range of user agent and device variables that are commonly used to target mobile users or are checked by bad actors to ensure the user is real. These include but are not limited to:
      • Connection status: cellular or wifi
      • GPS coordinates and metro location
      • Battery status
      • Touch events

Ad Formats

RiskIQ supports the following ad formats:

  • Web - Supports detection for all basic banner ad types
  • Video - Supports VAST and HTML5 detection. Flash has been deprecated.
  • Mobile - Supports MRAID for mobile ads

Policies

RiskIQ provides a robust API that enables customers to submit Ad Tags and Pages for scanning across the following categories:

Malware Policies

  • Drive-By Download - A binary file is a forced download, or a web page contains exploit code in its HTML
  • User Initiated Malware - A malware binary file is the result of a user interaction such as a click
  • Malware Binary - Triggers when a binary file containing malware is detected
  • Fake AV Download - Triggers if the page prompts a fake AV download
  • Fake Flash Update - Triggers if the page prompts a fake Flash update
  • Reputation - URL, host, or domain is found on a blacklist provided by an external vendor (e.g. GSB, GSBPhishing, VirusTotal)
  • Internally Verified - URL, host, or domain matched against an internal RiskIQ blacklist
  • Known Image / Image Blacklist (Fake AV, etc.) - Matches ads and pop-ups against known images of fake anti-virus solutions and other scams
  • Inconsistent SSL - Detects any SSL page where secondary resources are loaded over a non-secure (http) connection
  • Browser Locker Signals - Detects signals of common browser locker attacks: keywords used in such attacks, JavaScript popups, history stuffing and back-button location modifications, and suspicious domains associated with browser locker attacks

General Ad Quality Policies

  • Auto-Play Audio & Video - Ads which auto-play upon page load, causing annoyance to users
  • Cloaking - Initial landing page redirected to another URL. Differs from the redirect score in that it actually ensures the redirect goes to a different domain
  • Frame Cloaking - Top-level page contains a full-page IFrame or frame wrapping another page
  • Frame Busting - Page contains an auto-redirect
  • Lost Referrer - The sequence of requests from the initial landing page URL to the final top-level page URL resulted in the browser dropping or otherwise modifying the referrer (generally a sign that the landing page or some entity in the redirect chain wanted to hide the initial source of the traffic)
  • Auto-JavaScript Alerts - Page contains automatic JavaScript alerts
  • Popup - Page resulted in new windows being opened. There are sometimes legitimate reasons for this, but generally it marks the presence of low-quality traffic generation: pop-unders and the like.
  • Ad File Size - File size of the ad differs from the expected size
  • Heavy Ads - Detects ads larger than 1 MB
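Several of the policies in the Malware Policies and General Ad Quality Policies lists are mechanical checks over what the crawler recorded for a page: the request sequence with its referrers, the secondary resources and their sizes, frames, and windows opened. The Python below is an added example, not RiskIQ's crawler or policy engine. It assumes a simple crawl-record layout (RiskIQ's real output is not documented on this page), takes 1 MB to mean 1,000,000 bytes, uses a naive last-two-labels domain comparison, and evaluates Inconsistent SSL, Cloaking, Frame Cloaking, Lost Referrer, Popup and Heavy Ads against two constructed crawl records, one that should trigger several policies and one that should trigger none.

```python
from urllib.parse import urlparse

# Threshold for "Heavy Ads - Detects ads larger than 1 MB"; decimal MB assumed.
HEAVY_AD_BYTES = 1_000_000

# Constructed crawl record for one ad click-through. The layout is an
# assumption for this example; RiskIQ's crawler output is not documented here.
SAMPLE_CRAWL = {
    "initial_url": "https://ads.example/click?id=42",
    # Each hop: the URL loaded and the Referer header the browser sent with it.
    "sequence": [
        {"url": "https://ads.example/click?id=42", "referer": "https://publisher.example/news"},
        {"url": "https://track.example/r", "referer": "https://ads.example/click?id=42"},
        {"url": "https://landing.example/offer", "referer": None},
    ],
    "resources": [
        {"url": "https://landing.example/app.js", "bytes": 120_000},
        {"url": "http://cdn.landing.example/banner.gif", "bytes": 950_000},
    ],
    "frames": [{"src": "https://widget.example/like", "width": "300", "height": "100"}],
    "windows_opened": 0,
}

# Constructed clean crawl: same-domain redirect, referrer preserved, small assets.
CLEAN_CRAWL = {
    "initial_url": "https://shop.example/ad",
    "sequence": [
        {"url": "https://shop.example/ad", "referer": "https://publisher.example/news"},
        {"url": "https://shop.example/landing", "referer": "https://shop.example/ad"},
    ],
    "resources": [{"url": "https://shop.example/style.css", "bytes": 4_000}],
    "frames": [],
    "windows_opened": 0,
}


def registered_domain(url):
    """Last two host labels; not public-suffix aware (a simplifying assumption)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def inconsistent_ssl(crawl):
    """Inconsistent SSL: an https page pulling any secondary resource over http.
    Returns the offending resource URLs (empty list if the policy is not hit)."""
    if urlparse(crawl["sequence"][-1]["url"]).scheme != "https":
        return []
    return [r["url"] for r in crawl["resources"] if urlparse(r["url"]).scheme == "http"]


def cloaking(crawl):
    """Cloaking: the final top-level page is on a different domain than the initial URL."""
    return registered_domain(crawl["initial_url"]) != registered_domain(crawl["sequence"][-1]["url"])


def lost_referrer(crawl):
    """Lost Referrer: some hop's Referer is missing or is not the previous hop's URL."""
    seq = crawl["sequence"]
    return any(cur["referer"] != prev["url"] for prev, cur in zip(seq, seq[1:]))


def frame_cloaking(crawl):
    """Frame Cloaking: a full-page frame wrapping another page."""
    return any(f["width"] == "100%" and f["height"] == "100%" for f in crawl["frames"])


def heavy_ads(crawl):
    """Heavy Ads: total bytes fetched for the ad exceed the threshold."""
    return sum(r["bytes"] for r in crawl["resources"]) > HEAVY_AD_BYTES


def popup(crawl):
    """Popup: the page caused new windows to be opened."""
    return crawl["windows_opened"] > 0


def evaluate(crawl):
    """Return the names of the policies the crawl record triggers."""
    checks = [
        ("Inconsistent SSL", lambda c: bool(inconsistent_ssl(c))),
        ("Cloaking", cloaking),
        ("Frame Cloaking", frame_cloaking),
        ("Lost Referrer", lost_referrer),
        ("Popup", popup),
        ("Heavy Ads", heavy_ads),
    ]
    return [name for name, check in checks if check(crawl)]


if __name__ == "__main__":
    print("sample:", evaluate(SAMPLE_CRAWL))
    print("clean:", evaluate(CLEAN_CRAWL))
```

As the page itself notes for Lost Referrer and Popup, these are signals rather than verdicts: a site sending a strict Referrer-Policy will drop the referrer for legitimate reasons, and the domain comparison here would misjudge multi-label public suffixes, so a real policy engine layers these checks with reputation and blacklist data before an event is actioned.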

Traffic Quality Policies

  • Low Quality Affiliate - Page contains requests to affiliate networks that are known to pay out immediately after traffic generation (often used in scams)
  • Arbitrage - Click tracking request is not the first element in the sequence

Brand Safety & Content Policies

  • Phishing - URL, host, or domain was found on a phishing blacklist
  • Spam - URL, host, or domain was found on a spam blacklist
  • Newly Registered Domain - Page domain is newly registered
  • Scam Content - Content matches that of known scams
  • Brand Safety in Content - Gambling, adult content, illegal content, etc.
  • R-List - URL, host, or domain was found within the RiskIQ list of complaint URLs from social media sources (Note: this list has been deprecated due to poor results and may be removed in the future)

If a specific type of event is not listed here, please check with your Account Manager or Sales Representative for more information.

Remediation

Once RiskIQ flags a malicious ad, a customer can block the ad tag until the issue is resolved. RiskIQ provides an online portal for investigating incidents in detail, including the delivery sequence of the ad, full attribution of all parties involved, and details of the nature of the incident. RiskIQ’s portal supports the mapping of ad entities to the hostnames used to serve ads. This is crucial for communicating evidence of infringement and promotes quicker resolution. RiskIQ provides the capability to automatically export all collected data into a customer’s own reporting system.

Customer Alerts & Partner Reporting

RiskIQ provides email alerts for each malware event detected for a customer and generates a public report at a non-indexed, anonymous URL that partners can reference without a login when investigating an incident.

Details include:

  • Auto-Redirect Sequence
  • Blacklist Incident
  • Traffic Quality Incident
  • Binary Incident
  • Causes
  • Whois

Dashboards

RiskIQ dashboards provide intuitive reporting options for customers to analyze event generation and enforcement. Benefits include:

  • High-Level Summary Report and a snapshot of the current health of an organization’s digital environment
  • Tracking of trends and benchmarking improvements over time
  • Landing Page Summary page displaying the total pages crawled by date, the crawl success rate, and the number of events detected by type

Incident Response

RiskIQ provides a web user interface for customers to monitor the service and investigate specific incidents.  Highlights include:

  • Dashboard of all events across all products with event state and origin across a global map
  • Screen Captures show the web page as the virtual user session rendered it both on the first crawl and the most recent crawl to confirm the latest status
  • Link Attributes show the characteristics of the link, including its online status, the source, whether it was cloaked (re-directed), the domain, and country of origin
  • Incident History tracks the history of how the incident has been actioned by the support team
  • WhoIs Data to aid in investigating the site associated with an incident
  • Site Crawl Data including both the original response, fully rendered Document Object Model (DOM), extracted links, and file details
  • Review Page of individual landing pages that have triggered a security or compliance event with the option to action each page as Dismissed, Review, Confirm, Enforced, or Resolved
  • Landing Page Details page with crawl details and a summary of the reasons for the event triggered
  • Initial Sequence page with details of the sequence of ad tags that led to the malware delivery and attribution of the party at fault
  • Blacklist, Binary, and Traffic Quality Incident pages providing full details into the triggers for the event and the nature of the threat
  • WhoIs details on the registrant for additional background
  • History of actions taken on the page by the customer or their RiskIQ support team

API

In addition to the web application login, RiskIQ offers a REST-based API, which customers can use to access services programmatically.  Full documentation of the API can be provided on request.