Digital Shadows - competently helps to reduce digital risks

Perhaps you know what OSINT is and have used the Shodan search engine, or you are already using a Threat Intelligence Platform to prioritize IOCs from different feeds. But sometimes you need to look at your company from the outside on a continuous basis and get help in resolving the incidents you find. Digital Shadows lets you track the company's digital assets, and its analysts propose concrete actions.

In fact, Digital Shadows harmoniously complements an existing SOC or fully covers the function of tracking the outer perimeter. The ecosystem has been built since 2011, and a lot of interesting things have been implemented under the hood. DS_ monitors the Internet, social networks and the darknet and surfaces only what is important from the entire flow of information.

In its weekly IntSum newsletter, the company provides a grading table that you can use in your daily work to rate sources and the information received from them. You can also see the table at the end of the article.

Digital Shadows is able to detect and take down phishing domains and fake social media accounts; find compromised employee credentials and leaked data; reveal information about impending cyber attacks on the company; constantly monitor the organization's public perimeter; and even regularly analyze mobile applications in a sandbox.

Identification of digital risks

In the course of its activities, each company acquires chains of relationships with customers and partners, and the data it seeks to protect becomes more exposed while its volume keeps growing.

To begin to manage these risks, a company must look beyond its perimeter, keep it under control, and receive timely information about changes.

Data Loss Detection (sensitive documents, exposed employee information, technical information, intellectual property).
Imagine that your intellectual property has been exposed on the Internet, or that internal confidential code has been accidentally pushed to a public GitHub repository. Attackers can use this data to launch more targeted cyberattacks.

Online Brand Security (phishing domains and social network profiles, mobile software imitating the company).
Since it is now hard to find a company without a social network presence or a similar platform for interacting with potential customers, attackers try to impersonate the company's brand. Cybercriminals do this by registering fake domains, social media accounts, and mobile apps. If a phishing or scam campaign succeeds, it can affect revenue, customer loyalty and trust.

Attack Surface Reduction (vulnerable Internet-facing services, open ports, problematic certificates).
As IT infrastructure grows, so does the attack surface, that is, the number of exposed information assets. Sooner or later an internal system, such as a database, may be accidentally published to the outside world.

DS_ notifies you of problems before an attacker can exploit them and highlights the highest-priority ones; analysts recommend further actions, and you can immediately initiate a takedown.

DS_ interface

You can use the solution's web interface directly or work through the API.

The analytical summary is presented in the form of a funnel, starting from the number of mentions and ending with real incidents received from different sources.

Many people use the solution as a kind of Wikipedia of active threat actors, their campaigns and events in the field of information security.

Digital Shadows is easy to integrate into any external system: both notifications and a REST API are supported for integration into your own tooling. Integrations include IBM QRadar, ArcSight, Demisto, Anomali and others.

How to Manage Digital Risk - 4 Essential Steps

Step 1: Identify Business Critical Assets

The first step, of course, is to understand what the organization cares about most and what it wants to protect.

These can be divided into key categories:

  • People (customers, employees, partners, suppliers);
  • Organizations (related and service companies, general infrastructure);
  • Systems and operational critical applications (websites, portals, customer databases, payment processing systems, employee access systems or ERP applications).

When compiling this list, it is recommended to follow a simple idea: assets should be centred on critical business processes or economically important functions of the company.

Usually hundreds of resources are added, including:

  • company names;
  • brands / trademarks;
  • ranges of IP addresses;
  • domains;
  • links to social networks;
  • suppliers;
  • mobile applications;
  • patent numbers;
  • document markings;
  • DLP identifiers;
  • email signatures.

Tailoring the service to your organization ensures that you receive only relevant alerts. This is an iterative cycle, and users of the system add assets as they appear, such as new project names, upcoming M&A, or updated web domains.

Step 2: Understanding Potential Threats

To assess risks properly, you need to understand the potential threats and digital risks facing the company.

  1. Attacker Tactics, Techniques, and Procedures (TTP)
    The MITRE ATT&CK framework and others help find common ground between defence and offence. Gathering information on and understanding the behaviour of a wide range of attackers provides very useful context when defending. This allows you to anticipate the next step in an observed attack, or to build a general concept of protection based on the Kill Chain.
  2. Capabilities of attackers
    The attacker will use the weakest link or the shortest path: various attack vectors and their combinations, such as mail, web, passive information gathering, etc.

Step 3: Monitor Unwanted Digital Assets

To identify exposed assets, a large number of sources need to be monitored regularly, such as:

  • Git repositories;
  • Poorly configured cloud storage;
  • Paste sites;
  • Social media;
  • Crime forums;
  • Dark web.

To get started, you can use the free utilities and techniques, ranked by difficulty, in the guide 'A Practical Guide to Reducing Digital Risk'.

Step 4: Taking Protective Measures

Upon receipt of a notification, specific actions must be taken. These can be divided into tactical, operational and strategic measures.

In Digital Shadows, each alert includes recommended actions. If it is a phishing domain or a page on a social network, you can track the status of the takedown in the "Takedowns" section.

Access to the demo portal for 7 days

Let me note right away that this is not a full-fledged test, but only temporary access to the demo portal to get acquainted with its interface and search for some information. Full testing involves data relevant to a particular company and the work of an analyst.

The demo portal will contain:

  • examples of warnings for phishing domains, public credentials, and infrastructure weaknesses;
  • search across darknet pages, criminal forums, feeds and more;
  • 200 cyber threat profiles, tools and campaigns.

You can access this link.

Weekly newsletters and podcast

The weekly IntSum newsletter gives you a summary of current information and the past week's events. You can also listen to the ShadowTalk podcast.

Digital Shadows rates its sources using qualitative statements from two matrices: one assessing the reliability of the source and the other the credibility of the information received from it.

The article is based on 'A Practical Guide to Reducing Digital Risk'.

If you are interested in the solution, you can contact us, Factor Group, distributor of Digital Shadows_. Just write in free form to [email protected].

Authors: popov-as and dima_go.

Source: habr.com
