
These materials are © 2019 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.


Digital Risk Protection

IntSights Special Edition

by Nick Hayes, VP Strategy, IntSights with Steve Kaelble


Digital Risk Protection For Dummies®, IntSights Special Edition

Published by John Wiley & Sons, Inc., 111 River St., Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2019 by John Wiley & Sons, Inc.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. IntSights and the IntSights logo are registered trademarks of IntSights. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&[email protected].

ISBN: 978-1-119-58192-5 (pbk); ISBN: 978-1-119-58190-1 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Project Editor: Carrie A. Burchfield

Editorial Manager: Rev Mengle

Acquisitions Editor: Ashley Coffey

Business Development Representative: Sue Blessing

Production Editor: Magesh Elangovan


Table of Contents

INTRODUCTION 1
  About This Book 1
  Foolish Assumptions 2
  Icons Used in this Book 2

CHAPTER 1: What is Digital Risk Protection? 3
  Understanding Cyber Threat Intelligence 3
  Generating Actionable Intelligence 5
  Moving to DRP 7
    Building a foundation of actionable intelligence 8
    The four quadrants of DRP 9

CHAPTER 2: Mapping Your Digital Footprint 11
  Identifying the Attack Vectors 11
  Inventorying Assets 12
  Checking the Details 14

CHAPTER 3: Monitoring For Threats 15
  Understanding the Threat Landscape 15
  Monitoring Different Sources 16
  Recognizing Common Threat Types 17
  Uncovering Industry-Specific Threats 18

CHAPTER 4: Mitigating the Threat 21
  Integrating Internal Remediation 21
  Expediting External Remediation 22
  Making it Automatic 22
  Extending Intelligence to Other Departments 22

CHAPTER 5: Managing the Process 23
  Prioritizing Your Efforts 23
  Tailoring Your DRP Solution 24


CHAPTER 6: Ten Use Cases for Digital Risk Protection 25
  Phishing Detection 25
  Vulnerability Prioritization 26
  Dark Web Visibility 26
  Brand Protection 26
  Fraud Detection 26
  Malicious Mobile App Identification 27
  VIP and Executive Protection 27
  Automated Threat Mitigation 27
  Leaked Credentials and Sensitive Data Monitoring 28
  Third-Party Cyber Risk Assessment 28


Introduction

You can hardly visit a news source these days without hearing another frightening story about cybersecurity risks. A huge hack here, big fraud attack there, thousands or millions of people’s credentials and personal information exposed. It’s a wonder cybersecurity professionals can sleep at night. It’s like the Wild West out there, except that the bad guys don’t have to gallop into town and kick in the saloon doors to threaten you. They’re using back alleys, hidden tunnels, and secret networks of the Internet to coordinate their attacks, and they could be anywhere in the world.

But just as their numbers are increasing and their weapons becoming more sophisticated every day, you’ve got new weapons in your own holster, too. The bad guys have more vectors than ever before to attack you and your customers, but they’re leaving behind data of their own — breadcrumbs of clues that can help you find out about their plans before they can put them into play. Digital risk protection (DRP) is all about proactively protecting your organization from cyber threats in today’s digital age, no matter the motive, attack vector, or threat actor.

About This Book

Digital Risk Protection For Dummies, IntSights Special Edition, is your introduction to this new solution for your organization’s cybersecurity strategy. This book explains how, by choosing the right tools and solution, you can get out ahead of the ever-growing threats that have come about in today’s digital world.

Your organization must map its digital assets to understand its vulnerabilities and how various threats pose a risk to you. This book details strategies for monitoring the cyber landscape for potential threats. It spells out how to manage and distill all the information, so you can focus your attention on threats that are most relevant to your organization, and the most severe. Finally, it discusses how to automatically mitigate those threats after they’re identified to quickly and effectively combat potential attacks and reduce your risk of exposure.


Foolish Assumptions

In creating this book, we’ve made a few quick assumptions about you, the reader:

» You’re a professional in the field of cybersecurity or perhaps an executive of a company facing increasing cyber threats.

» You’re increasingly concerned about your ability to protect yourself against the latest cyber threats out there.

» You’d benefit from a primer on the concept of DRP, using actionable intelligence to keep your organization safe.

Icons Used in this Book

You see them in the margins. They’re icons, and their purpose in life is to help guide you through the information in this book. Here’s what they mean:

There aren’t all that many words in this book, but if your time is limited, be sure to at least read these vital paragraphs.

If you’re hoping to come away with some actionable ideas for improving your cybersecurity posture, don’t miss these tips.

What isn’t technical about this topic or anything related to cybersecurity? That said, these paragraphs have some extra info that might interest you if you like the techie details.

Cyber risks are real and scary. Pay extra attention to these caveats.


Chapter 1

IN THIS CHAPTER

» Understanding cyber threat intelligence

» Generating actionable intelligence

» Moving to digital risk protection

What is Digital Risk Protection?

Who doesn’t like to pick up a book or watch a show for a bit of escapism? And who doesn’t love a good crime thriller with clever investigators tracking and catching the bad guys before they can get their dastardly way? No one, though, wants to be part of his or her own real-life crime thriller.

This chapter explores cyber threat intelligence and digital risk protection (DRP), which is kind of like your business’ own spy thriller. As more and more of your business moves online, DRP becomes an increasingly vital business solution to help ensure you’re safe. In this chapter, you discover how DRP can protect your company in the digital age, how data is gathered and turned into intelligence, and how solutions have evolved to make sure you’re really getting the most of your intelligence without drowning in the details.

Understanding Cyber Threat Intelligence

Anybody who spends even a little time in front of the television or in a movie theater knows something about gathering intelligence. Police departments and government agencies gather intelligence all the time, cultivating sources and keeping an eye on threats. The whole point is to try to prevent some kind of harm in the future, and keep one step ahead of the bad guys.

That’s the objective of cyber threat intelligence, too. Google that term, and you’ll find varying definitions for the practice known as CTI, but the general idea is collecting intelligence that can provide advance warning and detection of cyberattacks. With that kind of intelligence in hand, your organization can take protective action before a cyberattack happens.

What a lot of people don’t realize about cyberattacks is that they don’t happen out of the blue all that often. People are behind these attacks, searching black markets, hanging around in chat rooms, exchanging data, and using collaboration tools. Before these cybercriminals launch an attack, they’re busy preparing, for days or even weeks. Their activities can be used as warning signs of an impending attack, if you’re on the lookout. Here are a couple of simplified examples of how that can play out:

» Domain name registration: A phishing attack relies on the cybercriminal fooling an email recipient into thinking a message is legitimate, when it really contains some sort of malware or trap. So if you were able to spot a newly registered domain name that may be attempting to mimic one of yours, you just might have found an indication of a phishing attack about to happen.

» Credential and/or data leakage: Across the Internet, cybercriminals sell and post stolen credentials and financial information, typically using black markets, paste sites or recycled data from previous breaches. What if a new listing includes email addresses and passwords from your company? It would be useful to identify that leakage early so you can validate if those credentials are active and reset their passwords.
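The first warning sign above, a newly registered domain that mimics one of yours, turned into a concrete triage check. This is an added example, not code from the book or from IntSights; the brand list and the newly-registered-domain feed are constructed sample data, and the homoglyph table, the edit-distance thresholds, and the assumption that the name of interest is everything left of the last label are choices made here, not anything the book specifies.

```python
"""Lookalike-domain triage over a newly registered domain (NRD) feed.

Added example (not from the book or IntSights). Each newly registered domain
is compared with the brand domains you own and flagged as a homoglyph,
typosquat, TLD-squat or combosquat so an analyst can review it before a
phishing campaign built on it goes live. Sample data below is constructed.
No public-suffix handling is done: the name is assumed to be every label
left of the TLD.
"""
from __future__ import annotations

import unicodedata

# Visual substitutions commonly seen in lookalike registrations (assumed table).
# Both the brand label and the candidate label are folded through it, so the
# mapping only needs to make look-alikes collide, not to spell anything right.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "4": "a",
              "5": "s", "7": "t", "8": "b"}


def normalize(label: str) -> str:
    """Fold a label to a comparison form: lowercase, diacritics removed,
    homoglyph pairs collapsed, hyphens dropped."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for look, real in HOMOGLYPHS.items():
        s = s.replace(look, real)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def name_labels(domain: str) -> list[str]:
    """All labels except the TLD, e.g. 'login.examp1e.com' -> ['login', 'examp1e']."""
    parts = domain.lower().strip(".").split(".")
    return parts[:-1] if len(parts) > 1 else parts


def classify(domain: str, brand_domain: str) -> str | None:
    """Return the lookalike kind of `domain` relative to `brand_domain`, or None."""
    brand_label = name_labels(brand_domain)[-1]
    brand_norm = normalize(brand_label)
    # One edit for short names, two for longer ones: a single fixed threshold
    # either misses long-name typos or floods short names with false positives.
    max_edits = 1 if len(brand_norm) < 6 else 2
    for label in name_labels(domain):
        norm = normalize(label)
        if norm == brand_norm:
            # Same spelling under another TLD vs. a character-level look-alike.
            return "tld-squat" if label == brand_label else "homoglyph"
        if brand_norm in norm and len(norm) > len(brand_norm):
            return "combosquat"           # brand name plus a lure word
        if levenshtein(norm, brand_norm) <= max_edits:
            return "typosquat"            # a keyboard slip away from the brand
    return None


def scan(feed: list[str], brands: list[str]) -> list[tuple[str, str, str]]:
    """Match every NRD against every brand; domains you already own are skipped."""
    owned = {b.lower() for b in brands}
    hits: list[tuple[str, str, str]] = []
    for domain in feed:
        if domain.lower() in owned:
            continue
        for brand in brands:
            kind = classify(domain, brand)
            if kind:
                hits.append((domain, brand, kind))
    return hits


# Constructed sample data: two brand domains and a slice of an NRD feed.
BRANDS = ["example.com", "acmebank.com"]
NRD_FEED = ["examp1e.com", "exampel.com", "example.net", "acrnebank.com",
            "acmebank-secure.co", "unrelated-shop.org", "example.com"]

if __name__ == "__main__":
    for domain, brand, kind in scan(NRD_FEED, BRANDS):
        print(f"{domain:22} -> {brand:14} {kind}")
```

Hits from this check are indicators of attack in the book's sense: the domain exists but no mail has been sent yet, so the alert can feed a watch list or a take-down request before the campaign starts.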

These examples of cybercriminal activity are out there if you know where to look. But that’s really just the tip of the iceberg. Millions of interactions can be monitored daily, and these threats can evolve over time. So how do you transform these raw data points into finished intelligence that you can act on? The answer to that question involves a variety of new job functions and new intelligence tools.


Generating Actionable Intelligence

The goal of cyber threat intelligence is to provide advance warning and detection of cyberattacks so you can take proactive protection measures. That second part, the part about taking action, is key. Intelligence isn’t much good if you can’t act on it. Therefore, strong, actionable intelligence is the foundation of DRP.

No one needs to tell you that the Internet is an astonishingly big place, with an ever-expanding collection of data and information. The total number of websites out there is right around 2 billion. And that’s just the part of the Internet that people want you to see.

Beyond that lies the dark web, a much more secretive part of the Internet that allows users to access websites anonymously. Plenty of legitimate activity takes place there, but it’s also the home of the cybercriminal underworld. Their part of the dark web hosts all kinds of nefarious activities, hidden more or less in plain sight, if you know where to look. Meanwhile, social media has become a popular attack vector for cybercriminals, paste sites are openly accessible to any browser, and app stores allow cybercriminals to target users on their mobile devices.

So, let’s say you know where to look, and you have an intelligence tool that helps you seek out the threats that are out there. There’s a good chance that what you find won’t be all that helpful. Or perhaps just a little too helpful — as in, drinking-from-a-firehose helpful. Indeed, millions of data points might be useful. But most organizations need that data to be processed, analyzed, and filtered for it to be useful.

By their nature, cyber threats are multidimensional, coming from places all across the Internet, not confined to siloes. There are many variables to monitor and correlate, and numerous dots to connect. What’s more, those dots may be drawn not just across the humongous Internet but across a wide span of time — days or even weeks — and you won’t visualize the big picture of the threat without connecting them.

Getting a handle on all these challenges comes down to considering the context and determining the relevance of the data. If you don’t understand how particular threats relate to your customers and your business, what good is that intelligence?


SOURCES AND TYPES OF INTELLIGENCE

Intelligence comes in many different forms and from a variety of sources. Each of these has value in uncovering the motives driving cybercriminals, as well as their tactics and tools. Here are some of the types of intelligence on the menu:

• Open source intelligence: Known as OSINT for short, this is the kind of intelligence you can derive from publicly available or open sources. Web pages are open sources, as are many online forums and intelligence feeds. They’re out there for any user, including you.

• Signals intelligence: This refers to collecting intelligence by way of signals from communications and electronic sources. You’ll see it referenced as SIGINT, and some people call it machine intelligence. Cell phones and computers are the most common sources of SIGINT.

• Social media intelligence: You may view intelligence gathering via social media channels and networking sites to be a subset of open source intelligence. A lot of organizations see SOCMINT as its own unique kind of intelligence, because social media plays such a big role in the major threats of customer phishing and brand impersonation.

• Human intelligence: Also known as HUMINT, this is what it sounds like — intelligence gathered by contacting and engaging with actual people, rather than automatic monitoring or digging through feeds and technical processes. Human intelligence gathering takes just the right knowledge and skills to gather intelligence without raising suspicion.

• Dark web intelligence: This is what you gather when you monitor the various dark web sources, such as black markets, private chat rooms, dark web forums, and other anonymous and villainous places.

As you can see, some of these types of intelligence overlap. Social media intelligence is related to open source intelligence, and a fair amount of human intelligence gathering takes place in dark web places. Despite the overlaps, there may be differences in the intent of the research.


Surveys of the people who use cyber threat intelligence tools have found that many are overwhelmed by the information they get. For those who are using traditional or first-generation tools, there’s just so much data to process, normalize, and check for relevance to their operations and brand. These users are hit with what they feel are excessive and generic alerts. There’s just a lot of noise, and it’s hard to make sense of that noise.

Newer, more advanced tools understand the multidimensional nature of threats and use your digital footprint to provide context and relevancy. That gives organizations a much better ability to understand if and how a specific threat impacts them, which means they can act much more promptly to mitigate the threat.

Moving to DRP

It sure is nice having a warning that something bad is going to happen. When it comes to cyber threats, though, it’s not nearly as simple as having a popup dialog box on your screen that says “you’re about to be attacked!” The practice of monitoring threats has evolved significantly from where it began, and today’s best options help turn noise into intelligence, and most importantly, action.

Early generations of this kind of solution have focused on threat feeds, which deliver to subscribers indicators of compromise, or IOCs. These IOCs are evidence that something malicious has happened somewhere. You should certainly block the malicious indicators an IOC feed delivers, but doing so isn’t sufficient for complete digital risk protection. IOCs are often generic and are reactive by nature. Just look at the name! That last word is key because something must already be compromised for an IOC to be generated.

To be proactive, organizations must be monitoring for a new type of indicator, called indicators of attack (IOAs), which show an attack may be imminent, instead of an attack already happening. The more specific and actionable these IOAs can be, the better.

By using both IOCs and IOAs, organizations can get a good idea of which threats might be targeting them. The next logical step is to add integration and automated mitigation features, partnerships that provide open-source intelligence, and take-down service providers. Further advances include the addition of deep web intelligence and perimeter device integrations.

That ultimately leads to what has become known as DRP. That’s a term that Forrester Research introduced to describe an emerging segment of solutions that really bring the big picture together. These solutions help enterprise organizations find, monitor, and mitigate threats that target their business operations and digital assets.

Other research and consulting firms have been referencing digital risk, and the need for solutions that monitor that risk. They’re warning clients about the risks that go hand-in-hand with cloud technologies and digital transformation. Their reports point to threats that happen outside the firewall and involve exploitation of such things as social media, digital branding, VIP exposure, and cyber fraud.

The question is, how well do DRP solutions fare when it comes to generating high-quality intelligence that enables organizations to take security actions and solve business challenges? Not all are up to the task, and not all are expanding to account for new risk areas, such as third-party risks. The more threats grow, and the more complex they become, the more essential it is to find a solution that is broad and complete in coverage of the various DRP criteria.

Building a foundation of actionable intelligence

Effective DRP solutions are based on the premise that organizations can use cybercriminal activity to their advantage to identify attacks before they happen. The other key premise is that your organization needs more specific and proactive intelligence that’s not provided by IOCs and noisy threat feeds. Those serve a purpose, but they can distract from the ultimate goal of detecting and mitigating external cyber threats that target your business.

Rather than solely being a threat intelligence repository or database, DRP platforms use algorithms and multidimensional reconnaissance capabilities to continuously find, track, and analyze threats. They venture into dark places, mapping and monitoring and mitigating such perils as


» Rogue domains similar to yours

» Malicious IPs in your ranges

» Leaked employee credentials

» Chat room conversations in which your company name comes up

» Malicious mobile apps mimicking yours

» Malicious social media pages impersonating yours

» Vulnerabilities and exploits for your applications in use

The four quadrants of DRP

The next four chapters of this book delve into four distinct activities that together form the backbone of effective DRP. A platform that employs these quadrants is your best bet for proactively detecting and protecting against external cyber threats. Read ahead for more details, but here are the four quadrants, which conveniently all begin with the letter “M”:

» Map: You must understand your digital attack surface to know how and where threat actors might attack your organization. This quadrant includes an assessment of your digital assets that creates a foundation for how you monitor cybercriminal activity for threats.

» Monitor: Here’s where your solution scours the web to monitor sources and uncover threats. Effective DRP solutions must be able to translate millions of data points into actionable business intelligence, which can be done through multidimensional threat analysis, digital footprint contextualization, and threat evolution tracking.

» Mitigate: Here’s where your DRP solution swings into action to take down and/or block the external threat. A good solution helps you automate the threat mitigation process and allows you to extend your cybersecurity support to other departments and company initiatives.

» Manage: Finally, managing the DRP solution takes place across all three stages (the first three bullets in this list) but is the key to running an effective DRP program. This includes implementing policies, additional threat research and human intelligence, as well as enriching IOCs and prioritizing vulnerabilities.


IMPROVING YOUR THREAT INTELLIGENCE PROGRAM

Virtually any process or solution has room for improvement. For your own intelligence program, keep these ideas in mind:

• Apply relevancy and context to your intelligence: If your intelligence isn’t relevant, and if it doesn’t include some context, it’s not much use to you. Leverage your digital assets — such as domains, IP ranges, brand names, and loyalty programs — to help you grasp if and how a threat really relates to your organization.

• Leverage automation and integrations: Cybersecurity talent is at a premium these days, and you can’t afford for your team to be bogged down in sifting data. Reduce the time to mitigation by automatically remediating threats as they’re discovered. Your threat intelligence platform must be able to integrate with your existing systems and security devices.

• Protect your customers and your brand reputation: Hackers are always on the lookout for shortcuts. They’ll target the weakest link in your security chain, which often involves your customers. By using web-based channels, application stores, and social media platforms to impersonate your brand, cybercriminals can phish your customers and run scams. Your threat intelligence solution needs to monitor for all types of attack vectors, even ones outside of your firewall that don’t involve “hacking.”

• Target fraud and scams: Financial data is everywhere online, which means the risk of fraud keeps increasing. You can save your organization millions of dollars a year by taking down fraud campaigns and cyber scams early.

• Don’t neglect third-party organizations: You often share data and access with your vendors and partners. You’d better consider them part of your cyber ecosystem. Your threat intelligence solution can’t just focus on you. It also must assess the cyber risk of your vendors, partners, and strategic investments, as these all relate to your overall digital risk.


Chapter 2

IN THIS CHAPTER

» Identifying the attack vectors

» Inventorying your assets

» Checking details on your exposure

Mapping Your Digital Footprint

The first step in effective digital risk protection (DRP) is understanding how you might be attacked. With just a few hours of research, bad actors can create a map of where your weaknesses lie, so if you don’t already have this mapped, you’re going to be playing catch-up against the cybercriminals.

This chapter outlines the process of mapping your digital footprint and why it’s critical to effective DRP. Knowing your attack surface enables you to generate specific and actionable intelligence, so you can identify your weak points before attackers can.

Identifying the Attack Vectors

Think, for a moment, about how you would protect your home from intruders. You need to have a good understanding of the kinds of intruders that threaten you, and the ways in which those intruders may enter your home. You might think of this exercise as identifying the vectors that threat actors may use to attack you.

For example, when you’re considering human intruders such as burglars, they’re likely to enter through a door or a window. Those are your key vulnerabilities, so any security system you devise will focus largely on securing those potential entrances.

If you widen your gaze to include other intruders, such as rodents, your attack surface is quite a bit more complicated. They’d be glad to trot through a door or scamper up and into a window, but they’re also quite satisfied with a small hole in your siding or a crack between some bricks. Their motivations are also different from what drives burglars, which changes the way you must defend against them. You’re never going to successfully prevent an intrusion unless you fully understand your attack surface and all the ways your home can be breached.

The same concept holds true in protecting your organization from cyberattacks. You must view your organization like attackers would in order to figure out how they might target you. Mapping your digital footprint is key to understanding how certain threats relate specifically to your organization and what action is needed to mitigate them.

It sounds like a simple enough concept, but it’s not so simple in practice. Your attack surface is constantly evolving, continually growing, and contributed to by many. The more digital your operation becomes, the broader that attack surface becomes.

That’s what some have called the “double-edged sword” of using digital technologies. By increasing our use of web-based technologies, we’ve built new avenues for reaching customers, increased employee productivity, and enabled faster product development. But in that expansion of our digital usage, our digital attack surface has expanded, too. Organizations have been thrust into this new digital age, but they often aren’t considering the risks that accompany these new digital opportunities.

Inventorying Assets

It’s more challenging than ever to keep track of your digital footprint. There are the traditional assets that you’ve long dealt with, of course, such as desktops and servers. But they are increasingly interconnected with the outside world.

Cloud connections represent a prime example of that interconnectedness. If your organization is like most, you’re connected with a lot of offsite servers that are beyond what used to be your perimeter. You probably are also maintaining a wide range of web outlets and mobile applications, social media accounts, databases, IP ranges, repositories, Internet-facing assets, ASNs, and the like.

You’ve got a long list to keep track of, and your list is not likely the whole picture, either. Growth in e-commerce has enabled organizations to reach more customers, which is a great thing. But it has also provided cybercriminals with new opportunities to run scams and fraud.

As you get a handle on your digital footprint, pay attention to the following areas:

» IT/corporate assets: This includes your domains, IPs, technologies in use, login pages, as well as executive and VIP names and data.

» Customer-facing and e-commerce assets: This includes brand names, social media activities, customer login pages, and mobile apps.

» Sensitive data: You’ll be taking stock of login credentials, secret projects, and data loss prevention indicators.

» Industry-specific assets: These assets vary depending on the business you’re in. Financial services companies, for example, might include BINs and account numbers. Pharmaceutical firms keep an eye on patented drug names, while retailers might include the names of brands or loyalty programs. Leisure companies might pay extra attention to resort property names and travel rewards.

Your IT and security professionals probably don’t even know of many things that contribute to your digital footprint. There are ad hoc sites and services, a whole host of Internet-facing services that former employees may have set up and now no one remembers, perhaps some temporary QA environments that were anything but temporary and often left with default configurations.

And then there’s shadow IT. That’s the assortment of IT projects that were set up totally outside of the IT department, typically without IT staffers’ knowledge and likely by someone with no cybersecurity experience. That may seem like a handy way of doing things for employees who don’t like what seems like red tape, but it steers clear of organizational controls and security protocols.

Beyond that are the third-party assets that may be overlooked. Your vendors and partners are an increasingly interconnected part of your processes and operations, which means they are increasingly part of the risk that you are trying to assess. The inventory of your digital footprint must take third-party assets into account, especially those that you share data and integrations with.

Checking the Details

Your organization may be exposed in many ways and places, which is why you must get a full assessment of that exposure. Your executives and VIPs are tantalizing targets for bad actors, so their names and email addresses are part of that assessment. Threat actors may use this information to create web assets impersonating key employees, which is a useful way to unleash social engineering attacks.

With regard to executives, their personally identifiable information (PII) can be incredibly valuable if it makes its way to the dark web. These are high-value, high-wealth people, so information on them is a great moneymaking opportunity for the bad guys.

Cybercriminals have an interest in your brand, too, just as you do. You’ve extended your brand into the digital world, which has done remarkable things for your business, but it’s also opened up new risks and attack vectors. Impersonating your brand is an entry point for customer phishing, which can be a significant exposure.

Cyber actors may try to impersonate your CEO on Twitter. They may make inroads through malicious apps that pretend to represent your brand. They may put up a Facebook page using your logo. Doing so can provide access to sensitive customer information, often through phishing expeditions. That’s clearly bad for those customers, but it’s a likely hit for your brand reputation, as well.

Chapter 3

IN THIS CHAPTER

» Understanding the threat landscape

» Monitoring different sources

» Recognizing common threat types

» Uncovering industry-specific threats

Monitoring For Threats

After you’ve fully mapped your digital assets, as we outline in Chapter 2, you must begin monitoring for threats. Your digital risk protection (DRP) solution has an idea where to look and what to look for — now it’s time to start looking, all day, every day, around the world.

This chapter explores how you develop that intimate understanding of the threat landscape, describes the areas of the Internet where you’ll be looking, outlines some of the common types of threats, and discusses the challenges of protecting your brand.

Understanding the Threat Landscape

Imagine your job is in law enforcement and you’re scheduled to work a big event, ensuring safety and security. Perhaps it’s the New Year’s Eve ball drop in Times Square, where more than a million people typically gather. Maybe it’s a victory parade following the World Series — as many as 5 million Chicago Cubs fans turned out in 2016 to celebrate the end of a 108-year drought. How do you possibly gaze out into a crowd like that and discern if there’s a real threat out there, so you can act on it before something bad happens?

That’s the kind of challenge facing cybersecurity teams as they gaze out on the ever-growing universe of threats, except cyber threats aren’t confined to a single location or point-in-time event. Your aim is to protect your own organization from attack, but the cacophony of activity can leave you overwhelmed and sap your effectiveness. You need to be able to process and correlate large amounts of data to find real, actionable threats.

A better understanding of your attack surface helps you focus on what matters the most — the threats that are specifically aimed at your organization. Effective DRP requires the ability to turn vast amounts of constantly evolving data into actionable and specific threat alerts.

Your DRP solution must be robust in its ability to monitor all sources of web activity, including the deepest and darkest reaches of cyberspace. Then it must be able to correlate that data and compare it to your digital assets to provide context and relevance.

Monitoring Different Sources

So where do you go when you want to find threats on the Internet? Most activity can be broken into three distinct areas based on where it’s found on the web:

» Clear: This refers to anything that’s indexed by search engines (such as Google) and openly accessible on the web. This might include mobile app stores, domain registrars, and paste sites.

» Deep: This section of the web includes sites that aren’t indexed by search engines and typically need a special link or login to access, such as Google Docs and subscription-based services (for example, Netflix). Your threat search focuses on such things as chat groups, invite-only forums, and the bulk of social media websites.

» Dark: Here you’ll be checking out websites only accessible via special, anonymized browsers (like Tor), such as black markets, hacking forums, credit card shops, and the like.

The Tor network is one of the most common ways to access dark web content. It has tens of thousands of active sites and close to half a million users daily. Other frequently used options for accessing the dark web include I2P and Freenet. Just to underscore the fact that the dark web can be used for both benign and malign purposes, note that the Tor network was created by the U.S. Naval Research Laboratory and gets much of its funding from the American government.

The following are examples of the key places that you can generate intelligence from:

» Black markets: These are sites that offer a wide range of goods and services (both legal and illegal). Obviously, there’s a lot you don’t need to monitor here, but what’s most useful for businesses is typically listings that include stolen goods for sale, hacking tools, or hackers for hire.

» Instant messaging groups: Internet relay chat (IRC), Telegram, and WhatsApp are all popular communication tools that hackers often use to connect with one another. Many maintain invite-only groups, where you must prove your value to the group in order to be invited in, and are used to share hacking tools, datasets and other information that may be used to coordinate cybercriminal activity.

» Hacking forums: These are essentially social sites, but instead of passing along recipes and pictures of cute kittens, participants are usually sharing info about new malware, hacking tools, and stolen data for sale. Like instant messaging groups, these are often invite-only and access must be earned by establishing yourself as a fellow threat actor.

» Paste sites: Anyone can post text on these sites, and what you’ll find there may be anything from stolen credentials and bank account logins to credit card details.

Recognizing Common Threat Types

In order to turn data into actionable intelligence, it’s helpful to organize your alerts by threat types. Be on the lookout for the following kinds of threats:

» Attack indications: Are there signs that your organization may be in the crosshairs of a current or future attack? Your DRP solution should be on the lookout for clues through dark web chatter, target lists, forum posts, insider threats, and the like.

» Data leakage: Have sensitive data or credentials been exposed online? Your DRP solution should be checking paste sites, data breaches, and other repositories, and it should be watching for leaked databases, credential data dumps, confidential documents, customer account logins (for account takeover attacks), and similar activities.

» Phishing: Are there cybercriminals working on attempts to phish your employees or customers? The clues include suspicious domains being registered, changes in domain ownership, DNS activity, and web content updates, which are among the things your DRP solution should be monitoring for and correlating to identify malicious intent.

» Brand security: Are there bad people out there impersonating or misusing your brand online? Your DRP solution can find out by monitoring for malicious social media posts, watching for malicious applications, spotting brand infringement, and finding social media scams related to your brand(s).

» Exploitable data: Do you have systems that are compromised, exposed, or vulnerable? DRP solutions should understand how hackers search for entry points, such as login pages, expired SSL certificates, and open ports, and help identify those weak points before a bad actor does.

» VIP and executive threats: Has personal data for one of your executives leaked online? Have cybercriminals been targeting or impersonating executives on social media? Protecting executive identities and personally identifiable information (PII) online has become increasingly important for organizational security, and your DRP solution should support this need to protect executives online.
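The data leakage case above, as an added example (not IntSights code or any product’s logic): a scanner that reads a paste in the colon-separated “combo list” layout, keeps only credentials on domains you own, and raises one alert per distinct account and password without storing the password itself. The domains and the paste are constructed; the `svc-` prefix rule for service accounts is an assumption.

```python
"""Scan pasted text for leaked credentials that belong to our domains.

Added example, not IntSights code. OUR_DOMAINS and SAMPLE_PASTE are constructed;
the 'svc-' naming rule for service accounts is an assumption for illustration.
"""
import hashlib
import re

OUR_DOMAINS = {"example-corp.com", "examplecorp-shop.com"}   # constructed inventory

# Constructed paste in the user@domain:password layout common in credential dumps.
SAMPLE_PASTE = """\
---- dump 2019 ----
john.smith@example-corp.com:Winter2019!
someone@gmail.com:hunter2
jane.doe@EXAMPLE-CORP.com:P@ssw0rd
svc-backup@examplecorp-shop.com:backup123
broken line without credential
john.smith@example-corp.com:Winter2019!
"""

# user @ domain, a separator (colon, semicolon or pipe), then the secret up to whitespace.
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})[:;|](\S+)")


def fingerprint(secret):
    """Short SHA-256 prefix: enough to de-duplicate and to say 'this one' without keeping the value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_leaks(text, our_domains):
    """Return one alert per distinct (account, password) pair found on our domains."""
    seen = set()
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        user, domain, secret = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if domain not in our_domains:
            continue                      # someone else's leak; not actionable for us
        account = f"{user}@{domain}"
        key = (account, fingerprint(secret))
        if key in seen:
            continue                      # same pair re-posted; do not alert twice
        seen.add(key)
        # Assumption: service accounts are named svc-*; they get a rotation action, people get a reset.
        if user.startswith("svc-"):
            action = "rotate the service credential and review where it is used"
        else:
            action = "force a password reset and check for account takeover"
        alerts.append({"account": account, "password_fp": key[1], "line": lineno,
                       "threat_type": "data_leakage", "action": action})
    return alerts


if __name__ == "__main__":
    for a in find_leaks(SAMPLE_PASTE, OUR_DOMAINS):
        print(f"line {a['line']}: {a['account']} (fp {a['password_fp']}) -> {a['action']}")
```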

Uncovering Industry-Specific Threats

Your company is unique, and your industry as a whole has concerns and threats that are different from those in other sectors. Certain threats pose a higher risk for you than they might for a company involved in some other pursuit. Your DRP solution needs to be able to identify threats that specifically impact your industry. And there’s a lot of interest in your DRP efforts across your organization, well beyond your IT security folks.

Here are some examples of threats that vary from one industry to another, and the additional departments and areas that will want to be plugged into what’s going on:

» Fraud: This is a big deal for companies involved in financial services as well as retailers and insurance providers. The fraud department will have a keen interest in your fraud intelligence and so might the finance department. The legal team may need to be aware of what you uncover, and if there’s brand impersonation going on out there, your marketing group will certainly want to know. Reducing the cost of fraud is one of the easiest ways to prove return on investment (ROI) of your DRP program.

» Prescription drugs sold illegally: Black markets are filled with prescription drugs for sale, which are usually knockoffs. If your business involves pharmaceuticals, these illegal sales can eat into your profits and negatively impact your brand(s). Your DRP solution can help identify your prescriptions for sale on the dark web and even track down illegal production of knockoffs.

» Loyalty program scams: These scams typically involve redeeming a customer’s hard-earned reward points (usually through account takeover) for goods that can then be resold for profit. Threats of this type are of major importance to businesses involved in retailing, aviation, gaming, and leisure, and can cause both financial and brand reputation damages. Your internal fraud experts will be involved, as well as the legal group, and perhaps marketing too.

» Intellectual property leakage: Companies involved in manufacturing, including but not limited to automotive and aviation companies, will have a keen interest in this threat type. Within your organization, this will impact areas that include procurement and R&D.

» PII leaks: This is an especially big deal for healthcare organizations, for whom there are strict regulatory requirements governing the privacy of health information. Retailers will also want to make sure customer data isn’t being leaked. Areas within the organization that have an interest in your DRP effort will include compliance, legal, and marketing.

You’ll be monitoring for these kinds of threats and also tapping into intelligence feeds, which compile already identified threats. Your intelligence must be able to recognize which of the threats from those feeds are relevant to your organization.

Meanwhile, your brand is an asset of sometimes incredible value. And like an impressive diamond ring, its worth is just as obvious to the bad actors who want a piece of that value.

Your DRP solution should be constantly monitoring external digital channels (for example, social media) for unauthorized use or impersonation of your brand or clues that something is awry. It should monitor for evidence that a brand-targeted attack is in the works. And it must watch carefully for customer phishing campaigns, which on one hand aren’t your fault but on the other hand will harm your reputation.

Here’s one of the problems with brand-related threats: Over the past decade, companies have tried to extend their brand to new digital channels, reaching further and further away from their digital control. Yet, they have a responsibility to protect this asset the same way they’d protect their IT infrastructure and corporate data. It’s an excellent example of why you need external digital reconnaissance that extends beyond the closest, most obvious spheres of influence and attention.

Chapter 4

IN THIS CHAPTER

» Integrating internal remediation

» Expediting external remediation

» Making it automatic

» Extending intelligence to other departments

Mitigating the Threat

The third component of digital risk protection (DRP) is action. After mapping your attack surface and monitoring for specific threats, you need to take action on this intelligence to mitigate the threats you discover. This chapter explores tactics for protecting against external threats and coordinating the appropriate response internally within your network and/or externally through threat takedown.

Integrating Internal Remediation

You likely already have strong perimeter and endpoint security systems in place, but you can augment them by feeding in intelligence from your DRP solution to strengthen your defense in a streamlined, integrated, and automated way.

Ensuring perimeter defenses are up to date with the latest intelligence is critical to protecting your organization. Integrate your DRP solution with internal systems — such as sending phishing domains to your Microsoft Exchange server — so you can proactively block threats and lock down credentials.

Expediting External Remediation

In addition to blocking threats, your DRP solution must also be able to work externally to take down threats. These could be malicious mobile applications, social media pages, paste site pastes, or phishing sites and domains. Your solution should facilitate the takedown process with social media platforms, app stores, and registrars. And because threats evolve rapidly, you have to get the job done quickly, without the need for your legal team to get involved.

Making it Automatic

Automatically mitigating threats makes life easier and reduces your time-to-mitigate (TTM), which is a key metric for all security and IT departments. With policies in place, which guide automation and speed up mitigation, your system can automatically update firewalls, gateways, proxies, and endpoint security tools with validated malicious indicators for monitoring and blocking.

Extending Intelligence to Other Departments

In today’s digital world, the entire organization contributes to your digital footprint. Therefore, protecting your organization is everyone’s responsibility. DRP can benefit all departments across the organization, as well as third-party assets. It’s important to communicate the use cases for DRP solutions to ensure buy-in from other departments.

The right DRP solution lets you execute strategies and projects that relate to regulatory compliance, brand protection, and consumer data protection.

Consider the need to protect your brand. Your cybersecurity team may be handling DRP, but the work has a direct impact on your marketing department. Your marketing team will want to know if threat actors are trying to impersonate your company’s social media pages. Similarly, fraud departments can use DRP intelligence to proactively identify fraudulent campaigns and reduce their overall fraud costs. And the risk team will find it useful for more effectively managing strategic vendors and organizational risk.

Chapter 5

IN THIS CHAPTER

» Prioritizing your efforts

» Tailoring your solution to fit your needs

Managing the Process

The final quadrant in effective digital risk protection (DRP) is managing and enriching the intelligence you’ve gathered. Managing intelligence incorporates other data sources and IOCs to enrich your findings and help bring additional context and prioritization to your process.

This chapter discusses how you can use other data sources to prioritize your efforts in order to focus on the most important issues, adds in the need for proactive strategizing, and reveals how you can make this complicated work much simpler.

Prioritizing Your Efforts

Cybersecurity troubles are common and often catastrophic. There’s a greater demand for IT security professionals than ever, which makes it difficult, if not nearly impossible, to hire and keep the talent you need. Teams are understaffed and overworked, and that means they need to work smarter. They need to know which threats to place at the top of the list.

That’s why prioritization is such a vital part of digital risk protection. Indicators of compromise (IOCs) and indicators of attack (IOAs) can be an essential part of your monitoring effort, because they can tip off your security teams about active malware infections, network breaches, and pending cyberattacks. Among many other things, IOCs and IOAs are filled with information about IP addresses, URLs, domains, and file hashes that may be problematic.

But these indicators tend to flood through as if they were coming from a firehose, or maybe riding a tsunami. Those monitoring threat feeds can’t possibly sift all that data and compare it to known threat sources. They need context to connect the dots and prioritize which indicators are most important. Otherwise, by the time they come up with valid matches and send alerts, attackers will have changed their game plans. And like nurses in the intensive care unit surrounded by beeping devices, your security teams quickly become fatigued by false positives.

Comparing IOCs and IOAs to your digital assets helps you bring context and relevance to your threat feeds, helping you prioritize and enrich your DRP process. Automating that work results in a much more effective response, and minimizes the data model costs within your security information and event management (SIEM) system.
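The correlation step described here, and the asset categories from Chapter 2 and the policy-driven automation from Chapter 4, as one added example (not IntSights code or any product’s scoring): a feed of indicators is matched against a constructed asset inventory, scored by feed severity plus relevance, and then routed. The inventory, feed records, weights and routing rules are all constructed assumptions; the IP ranges are RFC 5737 documentation addresses.

```python
"""Correlate threat-feed indicators with a digital-footprint inventory, rank and route them.

Added example, not IntSights code. Inventory, feed, weights and routing policy are
constructed placeholders; the IP ranges are RFC 5737 documentation networks.
"""
import ipaddress

# Constructed inventory following Chapter 2's categories: IT assets, customer-facing brands, VIPs.
ASSETS = {
    "domains": ["example-corp.com", "examplecorp-shop.com"],
    "ip_ranges": ["203.0.113.0/24", "198.51.100.0/25"],
    "brands": ["examplecorp", "acmerewards"],
    "vips": ["Jane Doe"],
}

# Constructed feed records in the shape IOC/IOA feeds typically deliver: type, value, feed tag.
FEED = [
    {"type": "ip", "value": "203.0.113.45", "tag": "c2-beacon"},
    {"type": "ip", "value": "192.0.2.77", "tag": "scanner"},
    {"type": "domain", "value": "vpn.example-corp.com", "tag": "exposed-login"},
    {"type": "domain", "value": "examplecorp-rewards-login.com", "tag": "phish-kit"},
    {"type": "domain", "value": "unrelated-site.net", "tag": "phish-kit"},
    {"type": "text", "value": "Selling mailbox access for Jane Doe (CEO)", "tag": "darkweb-post"},
]

# Severity the feed itself implies (constructed weights) ...
TAG_SEVERITY = {"c2-beacon": 80, "exposed-login": 60, "phish-kit": 50, "darkweb-post": 40, "scanner": 20}
# ... plus what an asset match adds: this is the "relevance and context" step.
MATCH_WEIGHT = {"owned_ip": 30, "owned_domain": 30, "brand_lookalike": 20, "vip_mention": 25}


def brand_tokens(assets):
    """Brand names plus the first label of each owned domain, lower-cased with hyphens dropped."""
    tokens = {b.lower().replace("-", "") for b in assets["brands"]}
    tokens |= {d.lower().split(".")[0].replace("-", "") for d in assets["domains"]}
    return {t for t in tokens if len(t) >= 5}      # very short tokens would match everything


def match_indicator(ind, assets):
    """Return (match_kind, reason) when an indicator touches our footprint, else None."""
    kind, value = ind["type"], ind["value"]
    if kind == "ip":
        addr = ipaddress.ip_address(value)
        for cidr in assets["ip_ranges"]:
            if addr in ipaddress.ip_network(cidr):
                return "owned_ip", f"{value} is inside owned range {cidr}"
    elif kind == "domain":
        dom = value.lower().rstrip(".")
        for owned in assets["domains"]:
            owned = owned.lower()
            if dom == owned or dom.endswith("." + owned):
                return "owned_domain", f"{dom} is {owned} or a subdomain of it"
        # Not ours, but carrying our brand: the impersonation / customer-phishing case.
        compact = dom.replace("-", "").replace(".", "")
        for token in brand_tokens(assets):
            if token in compact:
                return "brand_lookalike", f"{dom} embeds brand token '{token}' but is not owned"
    elif kind == "text":
        low = value.lower()
        for vip in assets["vips"]:
            if vip.lower() in low:
                return "vip_mention", f"mentions VIP '{vip}'"
    return None


def prioritize(feed, assets):
    """Drop indicators unrelated to our assets and rank the rest by severity plus relevance."""
    ranked = []
    for ind in feed:
        hit = match_indicator(ind, assets)
        if hit is None:
            continue        # noise for us, even if it is a real threat to someone else
        match_kind, reason = hit
        score = TAG_SEVERITY.get(ind["tag"], 10) + MATCH_WEIGHT[match_kind]
        ranked.append({**ind, "match": match_kind, "reason": reason, "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def route(ranked, block_threshold=70):
    """Constructed policy for the automation step: hits on owned infrastructure are internal
    incidents (isolate, reset credentials); lookalike domains at or above the threshold go to
    mail-gateway/proxy blocklists and the takedown queue; the rest waits for an analyst."""
    routes = {"incident": [], "auto_block": [], "review": []}
    for r in ranked:
        if r["match"] in ("owned_ip", "owned_domain"):
            routes["incident"].append(r)
        elif r["match"] == "brand_lookalike" and r["score"] >= block_threshold:
            routes["auto_block"].append(r)
        else:
            routes["review"].append(r)
    return routes


if __name__ == "__main__":
    for r in prioritize(FEED, ASSETS):
        print(f"{r['score']:>3}  {r['match']:<16} {r['reason']}")
```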

Tailoring Your DRP Solution

Your business is successful in part because it’s unique, delivering your own product or service, in your own particular way. But it also means that your cybersecurity needs are specific to your organization, too. Your intelligence needs are not the same as those of another company in another industry, or even those of your direct competitors.

Because of that, there’s no such thing as a one-size-fits-all DRP strategy. Your DRP solution should help you process, analyze, and pinpoint specific threats. But you have to be able to adjust the monitoring algorithms to tailor them to your unique needs. It’s the only way to take that firehose of data on potential threats and hone it into actionable intelligence that keeps your organization safe.

Your DRP solution needs to make it as simple as possible for you to manage, too. It must dynamically configure, ingest, and enrich threat feeds and IOCs from community, agency, commercial, open source, and industry sources. And the right DRP solution will compile all of that into a single platform and dashboard.

Chapter 6

IN THIS CHAPTER

» Detecting phishing and prioritizing vulnerabilities

» Monitoring the dark web

» Detecting fraud and protecting your brand

» Unplugging fake apps

» Mitigating threats

» Securing credentials

» Assessing cyber risks

Ten Use Cases for Digital Risk Protection

The threat landscape continues to grow all the time, which means cybersecurity teams have ever-more on their plates as they work to protect their organizations. In this chapter, we give you some of the use cases for which digital risk protection (DRP) can create tailored threat intelligence, making life a bit easier for security professionals.

Phishing Detection

Phishing is an insidious problem, and attackers love it because it’s so effective. DRP includes proactive measures that can identify and cut off these attacks before they can cause damage. By tracking a variety of key phishing indicators — such as registered domains, MX record changes, and DNS reputation — DRP can pinpoint malicious domains and quickly take down imposter sites.
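The indicators named here (new registrations, MX record changes) applied to lookalike detection, as an added example rather than IntSights’ or any product’s method: each newly observed domain is compared with the brand label for homoglyph swaps, one-character typos, a different TLD, or the brand embedded next to a lure word, then weighted by whether mail infrastructure appeared and how recently the domain was registered. Brand labels, owned domains, the registration records and the `mx_added`/`age_days` fields are all constructed assumptions standing in for what a DRP feed would supply.

```python
"""Score newly observed domains for brand impersonation and phishing readiness.

Added example, not IntSights code. Brand labels, owned domains and registration
records are constructed; 'mx_added' and 'age_days' stand in for the MX-change and
registration-date indicators a DRP feed would provide.
"""

BRAND_LABELS = ["examplecorp", "example-corp"]             # constructed
OWNED_DOMAINS = {"example-corp.com", "examplecorp.com"}     # constructed
LURE_WORDS = ("login", "secure", "verify", "account", "support", "billing")

# Characters and pairs that pass for the real thing in an address bar (small homoglyph table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m", "cl": "d"}

# Constructed registration records, as a registrar or passive-DNS feed might present them.
NEW_REGISTRATIONS = [
    {"domain": "examp1e-corp.com", "mx_added": True, "age_days": 3},
    {"domain": "examplecorp-login.net", "mx_added": True, "age_days": 45},
    {"domain": "exampecorp.com", "mx_added": False, "age_days": 40},
    {"domain": "examplecorp.org", "mx_added": False, "age_days": 400},
    {"domain": "totally-other-brand.com", "mx_added": True, "age_days": 1},
    {"domain": "examplecorp.com", "mx_added": True, "age_days": 2000},   # our own domain
]


def normalize(label):
    """Fold hyphens and homoglyphs so 'examp1e-c0rp' compares as 'examplecorp'."""
    s = label.lower().replace("-", "").replace("_", "")
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(domain):
    """Explain how a domain resembles our brand; an empty list means it does not."""
    domain = domain.lower().rstrip(".")
    if any(domain == o or domain.endswith("." + o) for o in OWNED_DOMAINS):
        return []                                   # ours, or a subdomain of ours
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # the registrable label
    compact = sld.replace("-", "")
    norm = normalize(sld)
    brands = {normalize(b) for b in BRAND_LABELS}
    if compact in brands:
        return ["exact brand label on a TLD we do not own"]
    if norm in brands:
        return ["homoglyph substitution for the brand label"]
    if any(edit_distance(norm, b) == 1 for b in brands):
        return ["typosquat: one edit away from the brand label"]
    for b in brands:
        if b in norm:
            lures = [w for w in LURE_WORDS if w in norm.replace(b, "")]
            reason = "brand label embedded in a longer name"
            if lures:
                reason += " with lure word(s): " + ", ".join(lures)
            return [reason]
    return []


def phishing_score(record):
    """Combine the lookalike finding with the readiness signals the feed supplies."""
    reasons = lookalike_reasons(record["domain"])
    if not reasons:
        return 0, reasons
    score = 40                                  # a lookalike alone is worth watching
    if record.get("mx_added"):                  # mail infrastructure appeared: it can send lures now
        score += 30
        reasons.append("MX record added")
    if record.get("age_days", 10**6) <= 30:     # fresh registration, typical of campaign set-up
        score += 20
        reasons.append("registered within the last 30 days")
    return min(score, 100), reasons


def triage(records):
    """Rank the records that look like impersonation, highest risk first."""
    out = []
    for rec in records:
        score, reasons = phishing_score(rec)
        if score:
            out.append({"domain": rec["domain"], "score": score, "reasons": reasons})
    out.sort(key=lambda r: r["score"], reverse=True)
    return out


if __name__ == "__main__":
    for r in triage(NEW_REGISTRATIONS):
        print(f"{r['score']:>3}  {r['domain']:<28} {'; '.join(r['reasons'])}")
```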

Vulnerability Prioritization

It’s not possible anymore to manually correlate data about threats with your organization’s vulnerabilities. There are just too many technologies in use and too much data. You need a solution that collects vulnerability and exploit data from all over and analyzes it in real time to see what poses the biggest risk to you. That gives you real-time assessments of vulnerabilities, so you can prioritize which ones need attention right away.

Dark Web Visibility

Attackers are smart and usually anonymous, but they aren’t invisible. DRP is on the lookout for their activities across all areas of the web, as they scout targets, use suspicious tools, and work with other hackers. Your solution should understand how cybercriminals think and how threats evolve, so you can pinpoint malicious campaigns and take proactive action. Monitoring and tracking dark web activity is a key part of how threats are discovered and mitigated.

Brand Protection

You’ve spent a lot of time and money creating and building your brand. Hackers know just how valuable it is and can use that to their advantage. Your DRP solution should scan external sources for evidence of bad guys using your brand to target customers and run scams.

Your DRP solution should keep an eye on your domains, IP addresses, mobile applications, and social media pages, so that it can spot imposters. It should then share alerts across your organization, in such departments as marketing, compliance, IT, public affairs, legal, R&D, fraud, and human resources.
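The phishing-detection use case (registered domains and MX record changes) and the brand-protection use case (spotting imposter domains) come down to the same check: know which lookalikes of your domain could exist, and watch for them turning up in a newly-registered-domain feed and gaining mail records. The Python below is an added example written for this page, not IntSights code; the brand domain, the feed and the MX table are constructed, and a real deployment would replace the table with DNS lookups (for instance dnspython’s `dns.resolver.resolve(name, "MX")`).

```python
"""Lookalike-domain detection for phishing and brand monitoring.

Added example, not IntSights code. Generates typosquat, homoglyph and
keyword variants of a brand domain, matches them against a
newly-registered-domain (NRD) feed, and escalates matches that already
have MX records. The brand domain, the feed and the MX table below are
constructed for the example.
"""

# Single-character swaps that look alike in many fonts (constructed subset).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4",
              "s": "5", "m": "rn", "w": "vv"}
# Words attackers bolt onto a brand to make a hybrid domain look legitimate.
KEYWORDS = ("login", "secure", "support", "account", "verify")
TLDS = ("com", "net", "org", "co", "info")


def split_domain(domain):
    """Split a second-level domain such as 'example.com' into (label, tld)."""
    label, _, tld = domain.strip().lower().partition(".")
    return label, tld


def generate_lookalikes(domain):
    """Return the set of lookalike FQDNs for one brand domain."""
    label, tld = split_domain(domain)
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                    # omission: exmple
        labels.add(label[:i] + label[i] + label[i:])             # repetition: exxample
        if i < len(label) - 1:                                   # transposition: exmaple
            labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if label[i] in HOMOGLYPHS:                               # homoglyph: examp1e
            labels.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    for kw in KEYWORDS:                                          # hybrids: example-login
        labels.update({f"{label}-{kw}", f"{label}{kw}", f"{kw}-{label}"})
    labels.discard(label)
    labels.discard("")
    fqdns = {f"{lbl}.{t}" for lbl in labels for t in TLDS}
    fqdns.update(f"{label}.{t}" for t in TLDS if t != tld)      # same name, other TLD
    return fqdns


# Constructed NRD feed: "registration date,domain" per line.
NRD_FEED = """\
2019-03-02,examp1e.com
2019-03-02,example-login.net
2019-03-02,exampel.com
2019-03-02,unrelated-shop.com
2019-03-03,examplle.co
"""

# Constructed MX table standing in for live DNS lookups.
MX_RECORDS = {
    "examp1e.com": ["mail.examp1e.com"],
    "example-login.net": ["mx1.freemail.example"],
}


def match_feed(brand_domain, feed, mx_records):
    """Flag feed entries that are lookalikes of brand_domain.

    Entries with MX records are rated high: the domain can already
    receive mail, which is the setup for reply-based impersonation.
    """
    lookalikes = generate_lookalikes(brand_domain)
    hits = []
    for line in feed.strip().splitlines():
        registered, _, name = line.partition(",")
        name = name.strip().lower()
        if name in lookalikes:
            has_mx = bool(mx_records.get(name))
            hits.append({"domain": name, "registered": registered,
                         "has_mx": has_mx,
                         "severity": "high" if has_mx else "medium"})
    hits.sort(key=lambda h: (not h["has_mx"], h["domain"]))
    return hits


if __name__ == "__main__":
    for hit in match_feed("example.com", NRD_FEED, MX_RECORDS):
        print(f"{hit['severity']:6} {hit['domain']:22} registered {hit['registered']}"
              f"{' (has MX)' if hit['has_mx'] else ''}")
```

Four of the five feed entries are lookalikes of `example.com`; the two that already have MX records sort to the top, which is where a takedown request or a mail-gateway block should start.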

Fraud Detection

You have all kinds of defenses out there in the form of perimeter security tools. You’ve got firewalls, gateways, IDS/IPS, and malware detection systems, and you’ve taken steps to integrate and harden those systems. Good work! Problem is, hackers are responding by going around these defenses and using fraud instead, especially against financial and retail organizations. That means your DRP solution must be watching for attempts to set up customer phishing sites, or to sell such things as leaked credentials, Social Security numbers, and bank account info of your customers and employees. Real-time alerts help prevent fraud before it happens and can save organizations millions in fraud costs each year.

Malicious Mobile App Identification

Mobile devices and apps have extended your reach right into customers’ purses and pockets by way of their smartphones, which is a great thing. But attackers have responded with rogue mobile apps, which your marketing team likely isn’t monitoring for or even thinking about. Your DRP solution must check various application stores, including legitimate and pirate stores, to spot these suspicious applications and initiate takedowns if applicable.

Be sure your solution has partnerships with app stores to quickly take down bad apps, and work with your marketing team to ensure you’re alerting them to brand impersonation attempts.

VIP and Executive Protection

Back in the day, depending on your business, you may have supplied physical security for your executives. Locked-down offices, at least, maybe even bodyguards. Now, your high-level executives face serious cybersecurity risks. So do others with important roles, such as operational leaders, investors, board members, and advisors. Your DRP program must scan online sources to find efforts to spoof or target these important people, then use both automated and human-driven means to take down those threats.

Automated Threat Mitigation

Given the immensity of the potential threats out there and the shortage of talent for mitigating those threats, automating the mitigation process is key. You need a solution that turns data into intelligence, and then turns that intelligence into action. That means threat blocking and threat takedowns, resets of credentials, and creation of policies that keep your organization safe. With successful automation comes simplification, in this case the potential to consolidate security tools. It takes an investment to do this right, but you may be astounded just how much of a return that investment will earn.

Leaked Credentials and Sensitive Data Monitoring

What if a burglar had a key to the front door of your house? That would sure make crime easy. Cybercriminals jump for joy when they obtain direct, credentialed access to your systems. Protecting customer data and intellectual property has become critically important for organizations. Your DRP solution must be on the lookout for stolen credentials, passwords, and sensitive data, and provide real-time alerts when they’re discovered.

The best way to ensure that your DRP is acting on up-to-date credential information is by integrating it with Active Directory and Microsoft Exchange. That way it can automatically validate and reset active credentials if they’re found to be leaked. Validation should compare password hashes rather than move plaintext passwords around, and a forced reset should also revoke the account’s existing sessions and tokens, or the attacker keeps the access the old password already bought.
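Checking whether an active password appears in a leak without ever sending that password, or even its full hash, to the lookup service is the usual design: the k-anonymity range query popularised by the Pwned Passwords API (`https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>`, answered with `SUFFIX:COUNT` lines) sends only a five-character hash prefix and matches the remainder locally. The Python below is an added example written for this page, not IntSights code or its AD integration; the leak corpus, the user list and the in-memory range server are constructed, and the plaintext passwords are assumed to be available at password-change time (for instance from a password filter), since the directory itself does not store them.

```python
"""Leaked-password check using k-anonymity range queries.

Added example, not IntSights code. Only the first five hex characters
of the SHA-1 leave the host; the caller matches the remaining 35
characters against the returned suffix list locally. The leak corpus,
the users and the in-memory range server are constructed so the
example runs offline.
"""
import hashlib


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1):
    """(5-char prefix sent to the service, 35-char suffix kept local)."""
    return sha1[:5], sha1[5:]


def parse_range(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password was seen in leaks; 0 if not found.

    fetch_range(prefix) returns the service's text body for that prefix.
    The full hash is never passed to fetch_range.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed leak corpus: password -> number of leak occurrences.
LEAKED_PASSWORDS = {"Winter2019!": 1200, "Password1": 98000, "letmein": 45000}


def fake_range_server(prefix):
    """Stand-in for the real range endpoint: answers with every leaked
    hash suffix whose prefix matches, exactly as the API does."""
    lines = []
    for pw, n in LEAKED_PASSWORDS.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix.upper():
            lines.append(f"{s}:{n}")
    return "\n".join(lines)


# Constructed users; passwords are assumed captured at change time.
SAMPLE_USERS = [
    ("alice", "Winter2019!"),
    ("bob", "Tq7#v9mL-ochre-cardinal-41"),
    ("carol", "Password1"),
]


def users_needing_reset(users, fetch_range):
    """Usernames whose current password appears in a leak."""
    return [user for user, pw in users if breach_count(pw, fetch_range) > 0]


if __name__ == "__main__":
    for user, pw in SAMPLE_USERS:
        print(f"{user:6} seen {breach_count(pw, fake_range_server)} times")
    print("reset:", users_needing_reset(SAMPLE_USERS, fake_range_server))
```

The accounts returned by `users_needing_reset` are the ones the Active Directory integration described above would force a reset on; the reset itself, and the revocation of the account’s live sessions, is done with the directory’s own tooling and is not shown here.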

Third-Party Cyber Risk Assessment

As if protecting your own systems isn’t hard enough, plus all those external things you have less control over, such as social media sites, you also need to worry about your vendors, partners, and other investments that are part of your digital footprint. Their cyber risk is your cyber risk because of their integration with your operations. Your DRP solution must be able to evaluate the threats facing these third-party organizations, so you can effectively manage your cyber supply chain and overall risk.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.