CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for RiskIQ

RiskIQ

Executive Order Underscores Need For Leadership Accountability In Reducing Digital Risk

The 11 May 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is notable for several reasons. The order is significant as it discusses improvements to the federal government’s (and the nation’s) digital infrastructure, protection of the power grid, replacement of antiquated IT systems, and protection against cyber threats. It also makes it clear that government leadership is accountable for cyber security. Agency heads can no longer delegate responsibility for cybersecurity to their IT staffs. Risk management of assets is now a part of their mission and must be administered with resources (time, budget, and people) to accomplish this.

Many of us in the cybersecurity community see this order as a positive step. Cybersecurity has always been a leadership issue, but something about human nature has made it incredibly hard for many leaders to get that. This has resulted in an observable phenomenon we call “cyber threat amnesia“, where leaders of organizations forget about the cyber threat as soon as the last problem was handled. As evidence that this phenomenon is part of our nature, we have also long documented a problem the community has in considering every new major attack a “wake-up call“.

We have conducted cybersecurity assessments of firms across multiple sectors of the economy and the government, and have found one key factor is the most important to assess in any organization: If the leader is aware that reducing digital risk is not just an IT function then there is hope. If the leader does not understand this point then educating that leader becomes the priority.

This brings us back to the cybersecurity executive order. We know for a fact that more leaders today are aware of cyber threats and know they must be treated seriously. But by underscoring that agency heads and cabinet department officials are responsible the executive order makes it clear that leaders must lead, and that is very good.

Another thing we really like about the executive order is the requirement that agency heads leverage the NIST Cybersecurity Framework. We have seen first hand how use of this framework can help organizations form a comprehensive look at their policies, process and technology. One of the benefits of the NIST Cybersecurity Framework is it’s language and approach form a taxonomy of common terms that can greatly help in communication around cybersecurity.

As agency heads move to leverage the NIST Cybersecurity Framework, we urge all to keep in mind that it does NOT adequately address a key component of cyber risk mitigation: the use of external insights to optimize defense. Most in the community are calling this cyber threat intelligence. But what we are really talking about is how to get information from outside the organization that can help defend the organization. This includes subjects like learning what adversaries are doing (so you can optimize defenses against them), learning what your attack surface looks like (so you can spot vulnerabilities and reduce them) or learning successful defense lessons from others in the community.

There are many best practices and solutions that can help address these gaps. One free to use solution in use across government today is the investigative toolset called PassiveTotal by RiskIQ. PassiveTotal makes it easy to discover and proactively block malicious infrastructure and provides analysts with a single view into the data they need for discovering what adversaries are doing.

Other references we recommend for agencies moving out on implementing the executive order include:

Digital Risk Management Leader RiskIQ Raises New Funding To Expand Platform Ecosystem, Sales and Digital Risk Applications

Editor’s note: When I read of a great firm like RiskIQ investing to expand their platform I immediately think of the positive impact to current and future customers. But strategically this also means that large teams of investors believe strongly in the powerful capabilities and strong future of this company. With that in mind we share a RiskIQ press release below -bg

Digital Risk Management Leader RiskIQ Attracts $30.5 Million in Series C Funding

New Capital Infusion to Expand Platform Ecosystem, Sales and Digital Risk Applications

SAN FRANCISCO – November 10, 2016 — RiskIQ, the leader in digital risk management, today announced that it closed $30.5 million in Series C funding led by Georgian Partners. Existing investors Summit Partners, Battery Ventures, and MassMutual Ventures also participated in the round, further validating the company’s leadership position and market opportunity. This financing will enable the company to expand its ecosystem, global sales, and platform applications within the disruptive Digital Risk Management market.

Threats outside the firewall are vast and dynamic. RiskIQ provides organizations access to the widest range of security intelligence and applications necessary to understand exposures and take action – all without leaving the platform. Similar to Google, RiskIQ applies machine learning and data science to continuously improve platform intelligence and broaden functionality by leveraging big data, customer usage and attack activity. With RiskIQ, enterprises can efficiently defend their digital attack surface, pinpoint exposures across their business, and dynamically mitigate cyber threats across web, mobile, and social.

Since 2009, RiskIQ has enabled security staff to reduce the time needed to understand new threats, speed up investigations, and more effectively prevent and remediate incidents. The company helps protect some of largest and most trusted names in financial services, technology, retail, government, healthcare, media and manufacturing around the world, including Facebook, DocuSign, UnderArmour, Lagardere, and Publishers Clearing House. RiskIQ was recently named a leader for Digital Risk Monitoring and received the highest score for the current offering category in The Forrester Wave™: Digital Risk Monitoring, Q3 2016. In the first half of 2016, the company reported year-over-year bookings growth of 80 percent, growing bookings and new customer acquisition for every product in its platform. Through RiskIQ’s revamped channel program, the company has successfully penetrated European and Asian markets. Today, RiskIQ has more than 200 enterprise customers, over 13,000 security analysts using the RiskIQ platform, and hundreds of users subscribing to the RiskIQ PassiveTotal digital threat investigation tool each week.

“We are pleased to have Georgian Partners as part of our strong investment and advisory team. Georgian, like RiskIQ, was founded by entrepreneurs. We share similar business values and philosophies,” said Lou Manousos, CEO and co-founder of RiskIQ. “They know what it takes to develop a business into a customer-focused, long-lasting, and profitable company – values that our entire board of directors shares.”

“RiskIQ has already designed the platform to dominate the Digital Risk Management market, and we are excited to contribute to their success,” said Steve Leightell of Georgian Partners, who will join the Board as part of the transaction. “Our team of experts in applied analytics, applied artificial intelligence and security first could not be better suited to partner with RiskIQ on their next phase of growth,” said Justin LaFayette, managing director at Georgian Partners.

Greg Goldfarb, managing director at Summit Partners, added: “The future of security is connecting the inside and the outside of the enterprise boundary. Threats start outside the firewall, move inside, and exfiltrate data back outside – and all the while malicious actors can compromise a company’s digital assets, vendors, and customers across web, mobile, and social environments. RiskIQ lights up the entire digital world outside of the controlled perimeter and connects that activity to a company’s internal security regime for 360-degree security.”

Michael Brown, general partner at Battery Ventures, added: “You only need to read the headlines to see that cyberattacks are taking their toll on organizations who fail to extend security controls beyond the firewall. While the majority of data breaches are from external sources, addressing the problem with traditional security tools is inefficient. RiskIQ has built the right commercial platform to manage a broad range of digital threats in an agile way that can address future attack vectors.  We believe the company is well positioned to capitalize on this tremendous market opportunity.”

About RiskIQ

RiskIQ is a cybersecurity company that helps organizations discover and protect their external-facing known, unknown, and third-party web, mobile, and social assets. The company’s External Threat Management platform combines a worldwide proxy and sensor network with synthetic clients that emulate users to monitor, detect, and take actions against threats. RiskIQ is used by thousands of security analysts including many from the Fortune 500 and leading financial institutions to protect their digital assets, users, and customers from external security threats. The company is headquartered in San Francisco, California, and backed by Summit Partners, Battery Ventures, Georgian Partners and MassMutual Ventures. Information security professionals can sign up for a fully functioning trial version of PassiveTotal for free by visiting www.riskiq.com/whats-new-passivetotal.

To learn more see the CTOvision Solutions Directory: RiskIQ

Snakes in the Satellites: PassiveTotal provides an update on a massive adversary infrastructure

sat-1

For the last year Passive Total has been providing open analysis on an interesting piece of adversary infrastructure and in doing so are shedding informative light not just on that particular adversary activity but on how multiple sources of information can be pulled together to form a more complete picture of what is going on. For example, by understanding the relationships between datasets including open source intelligence, historical DNS records, known malicious domains, historical SSL certificates and numerous facets within those and other datasets, a more comprehensive understanding of an adversaries attack infrastructure can be built out.  PassiveTotal is a clear master of this approach to “Infrastructure Chaining” for analysis.

In February PassiveTotal provided an update on research into a known adversary campaign that has been reported by Kaspersky as APT Command and Control in the Sky. Commonality with other intrusion sets resulted in this being associated with a group many analysts believe is Russian, but as you can imagine it is hard to find the smoking gun. One of the more interesting elements of this set the way malicious code command and control is being conducted via compromised satellites. Sounds expensive doesn’t it? Well it is not expensive. Attack probably cost the adversaries about $1000.00 in hardware plus engineering time.

In the February update, PassiveTotal showed how they could kick off an analysis armed just with Kaspersky’s open source intelligence report, then dive deep into their datasets on known adversary infrastructure, historical DNS records and current and historical security certificates, and then combine that to produce new knowledge and insights. Their reporting make it clear that this adversary had been operating in this way since at least 2013, and was also penetrating many other adjacent targets. Turla could be shown to have compromised an extensive  network of satellite providers and was leveraging a large network of command and control servers as part of this operation.

Perhaps more interesting was an update in August 2016 where PassiveTotal revealed that before publishing their report they set up alerts in their datasets to see if their report would cause any action by the adversary. Smooth move there PassiveTotal, that is great tradecraft. It was interesting to see that yes the adversary did adapt and could be traced as they did. PassiveTotal could watch as an entirely new infrastructure was brought online. They then manually followed and assessed compromised IP addresses and continued to correlate and link across multiple datasets to flesh out what the new adversary infrastructure looked like.

For more see: Snakes in the Satellites: On-going Turla Infrastructure

 

screen-shot-2016-08-17-at-12-45-57-pm

For more see:

Risk IQ Launches Groundbreaking Security Intelligence Services Product That Enables Automated Defenses

28 July  2016–SAN FRANCISCO–(BUSINESS WIRE)–RiskIQ, the leader in external threat management, today announced general availability for its Security Intelligence Services, a ground-breaking new product that uses the Internet itself as a detection system to automatically defend a network from cyber attacks. Attackers use automation and can launch sophisticated attacks at very low cost by rotating and reusing undetected infrastructure. RiskIQ has provided defenders with access to Internet datasets, advanced analytics and machine learning to stay one step ahead. With Security Intelligence Services, RiskIQ now detects unknown threats at the source and tracks how attacks change and spread—in real-time.

“The security team’s visibility is mostly based on what they see on the corporate network but once they detect a threat locally, the attacker has already moved —this fact limits defenders’ efficacy—they are always playing catch up,” said Arian Evans, VP of Product Strategy at RiskIQ. “Using the Internet as a replacement for the corporate network, we provide real-time information on the attacker as soon as their attack goes live or moves.”

With thousands of customers and processing petabytes of Internet datasets daily, RiskIQ is a pioneer in expanding the reach of the security program to prevent attacks. The comprehensive service includes:

Passive DNS (PDNS) data, a system of record that stores DNS resolution for a given domain or IP address, provides security analysts with insight into how a particular domain name or IP address changes over time. RiskIQ’s implementation of PDNS enables programmatic links between related domains/IP addresses and, when researching an event, can provide context to an attack or additional malicious domains/IP addresses. PDNS helps identify the indicator of compromise through correlation of historical resolution lookups, time-based analysis, and fully qualified domain name lookups.

WHOIS data, an internet database of ownership information about a domain, IP address or subnet, can give an organization insight into those behind an attack campaign. WHOIS data helps determine the maliciousness of a given domain or IP address based on ownership records. Using domain registration information, an organization can unmask an attacker’s infrastructure by linking a suspicious domain to other domains registered using the same or similar information.

RiskIQ Attack Analytics, a proprietary RiskIQ dataset, is based on malicious observations inside of real-time Internet datasets. As attacks evolve and propagate outside of your network, RiskIQ behavioral analytics identifies cyber threats and provides customers with filtered lists of known bad hosts, domains, IPs and URLs. These feeds allow any enterprise security organization to leverage RiskIQ’s vast Internet datasets and expertise to proactively defend their environment’s networks or endpoints from threats.

Newly Observed Domains, the first of our attack analytics feeds, is a proprietary enriched RiskIQ dataset containing newly resolving domains. Threat actors often programmatically use different domains for their attack campaigns, therefore newly active domains can serve as a guide to whether a domain is legitimate or not. RiskIQ’s continually updated Newly Observed Domains provides customers with near real-time intelligence of domains seen for the first time. Organizations can proactively defend against new domains that could be hosting phishing sites, distributing or operating malware or posing other cyber threats by blocking newly observed domains for a specified time period based on policy and risk tolerance.

“To solve this incredibly difficult problem, RiskIQ has assembled the only complete source of real-time Internet datasets combined with the machine learning and analytics capable of generating truly predictive results,” continued Arian Evans, VP of Product Strategy at RiskIQ.

“Security Intelligence Services is a major innovation for threat detection—finding threats first using the Internet as a sensor and then using automation to inform the corporate network to block, thereby freeing up resources and increasing the cost to attackers to launch further attacks—in this current state of rapidly morphing threats.”

Customers can access RiskIQ Security Intelligence Services through a sandbox to test data structures and explore information via a user-friendly interactive application programming interface (API) and documentation. Data from RiskIQ Security Intelligence Services can then be easily integrated with commonly used security platforms to investigate and protect against threats such as:

Advanced persistent threats (APT)/Malware hosting and distribution
Phishing, spear phishing and whaling
Domain name abuse/Copycat domains
Email abuse
Watering holes
Malvertising
For pricing inquiries, please contact sales at RiskIQ. Security Intelligence Services is available on the RiskIQ website at

http://www.riskiq.com/products/security-intelligence-services.

About RiskIQ

RiskIQ is a cybersecurity company that helps organizations discover and protect their external facing known, unknown and third-party web, mobile and social digital assets. The company’s External Threat Management platform combines a worldwide proxy and sensor network with synthetic clients that emulate users to monitor, detect and take actions against threats. RiskIQ is being used by thousands of companies including F500s and leading financial institutions to protect their web assets and users from external security threats. It is headquartered in San Francisco and backed by growth equity firms Summit Partners and Battery Ventures.

To learn more about RiskIQ, visit www.riskiq.com.

To learn more see the CTOvision Solutions Directory: RiskIQ

Discovering and proactively blocking malicious infrastructure

RiskIQ’s PassiveTotal leverages the power of a well engineered sensor network and high power/high performance computing, and highly experienced analysts to help enterprise executives proactively block or otherwise disrupt malicious infrastructure.

PassiveTotal is designed to provide analysts with a single view into all the data they need. It is also designed to be easy to use. This post does a fast walk through aimed to underscore how quickly you can get from login to actionable results.

Step One: Join for free and log into PassiveTotal.org

Step Two: Click on the “Learn” menu item. For me the mark of a good solution is one where you can dive as deep as you want into all the features of a capability with little or no assistance. This page lets you do just that. One concept I recommend you review on this site is the concept of passive DNS. This source of information is very useful to analysts and researchers seeking to learn about other participants in the Internet, and the succinct overview here provides a great primer for those new to the concept.

Step Three: Return to the main PassiveTotal.org page by clicking on the Passive Total logo. You will see a simple search box at the top of the screen. Enter any domain you want to research into there. To see how this can benefit you when you are researching domains you know little about, try researching one you believe is compromised. A quick and easy way to do that is find some from your spam folder. I just saw a spam that encouraged me to visit a domain called 2homework dot com. I entered that in the search.

Here is the first thing PassiveTotal.org showed me on this domain:

heatmap

 

This instantly reveals some key information. One, on the heatmap, it is clear that there is not a lot of DNS activity around this domain. There is data in the PassiveDNS data set and records can be viewed by clicking on any date. But it is interesting that there was a break in the ability to route to this DNS. The reason why is explained below. Registration of the domain switched from a Russian site to a Czech network.  We can also see at the top of the heatmap that we can click tabs to see more info from whois and OSINT. There is a bright read dot next to the OSINT tab making me want to check that out first.

Clicking that tab reveals the following:

osint

 

We should also examine the Whois Tab:

whois

 

This approach to Whois is very powerful since you can easily click on any key info and learn more from additional data sources on the entities, organizations and locations referenced. For example, clicking on the Name shows that many other suspect sites are registered by the person of interest.

This is one of the more simple but fast and powerful use cases.  Now imagine what you can do when you leverage the data that is included on every known malicious entity on the net, including what their attack histories and methods are. And think of how you can track the bad guys in context of your own exposure on the Internet. We have really just waded into the very powerful capabilities of PassiveTotal. Explore it your self at: https://passivetotal.org

 

To learn more see the CTOvision Solutions Directory: RiskIQ

Related Reading:

Social Media: Change, Control and Security

Moving Your Decision Science Team from Reactive to Proactive

Main Street Cybersecurity: Can Email Be Safe?

This One Little Configuration Change Will Make It Harder For People To Steal Your Information

 

More Content

Cyber War

SciFi

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]