Examine our research from the last year in the ReliaQuest 2024 Annual Cyber-Threat Report
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
March 26, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
I’m not one for cheesy belief statements, but one of Warren Buffet’s, “It takes years to build a reputation and seconds to destroy it,” certainly rings true in information security. Though Warren Buffet was not likely referring to information security, the reality is that the loss of customer trust, which often stems from breaches or cyberattacks, can derail an organization entirely. These days, derailment is made even more likely as a result of the digital economy.
Organizations are now required to have an online presence for the purposes of growing the brand, increasing reach and overall exposure, or face going offline for failing to do so. While this can be incredibly exciting from the perspective of the brand and marketing teams (and business leaders), this presents a new type of security challenge for information security professionals – who must create defence off the back of any threats emanating from social media and the internet, in general. The reality is that being online creates new threats – and those responsible for protecting the organization must react with increased speed and skill to stay ahead of the game.
Effective Online Brand Protection requires continual monitoring and remediation of threats to a company’s brands across social, mobile, websites, and other external sources. This approach often requires the involvement of the security, marketing, brand, and legal teams.
While approaches to Online Brand Protection once amounted to tracking negative sentiment on Twitter, this is no longer enough.
This blog will outline the top threats to brands we see online, and some of the best practices for protecting them. Before this, however, let’s first remind ourselves why we should even care at all.
Brand damage occurs when there is a loss of customer trust or when the image of the brand is tarnished. Such an outcome can be driven by counterfeit products, negative publicity and, more significantly, breaches.
A notable example of a brand affected by brand damage is Equifax, who were responsible for allowing one of the largest breaches in 2017 to occur, affecting 143 million individuals. Damage for Equifax took form in financial loss and reputational crisis. For example, a financial statement issued by Equifax in 2019, highlighted that in the first half of 2019, company revenue was down 2 percent, compared to the first quarter of 2018, as a result of the 2017 cybersecurity incident. Overall, the breach cost the company $1.23 billion. The scale of the breach and the financial damage has meant Equifax’s cyber incident has not escaped scrutiny.
Attacks on brands have other, tangible impacts on both the organization and the individual. Here are the top three:
The film Catch me if you can can teach us a thing or two about impersonation, which sees Leonardo Dicaprio impersonate a pilot. In its true form, impersonation is the act of pretending to be something or someone, in order to entertain or defraud. While not all impersonation looks as glamorous as Leonardo Di Caprio in Catch Me if You Can, the reality is that brand impersonation employs similar tactics, and can come in many guises, so let’s take a look at some examples.
1.Domain impersonation
The most commonly known form of impersonation is a spoof domain, which sees a threat actor use a domain to mimic a brand. In its most basic form, a spoof domain can simply involve using the brand name or can extend to hosting content that mimics the brand (check out this example of a phishing site impersonating a financial services institution). Attackers will employ such a tactic to engineer the end user into thinking that the content is legitimate. A spoof domain can be created for anything, even political candidates, as Digital Shadows Photon Research identified (who do, yes, count as brands), but – perhaps more commonly known – domain spoofs are widely associated with and created to impersonate organizations, regardless of how renowned the brand is.
Figure 1: Domain Impersonation examples
That said, while any brand can be impersonated, some brands are impersonated (and potentially used for malicious purposes) more than others, as a result of the industry and brand presence. Notably, research conducted by Digital Shadows Photon Research team observed, on the criminal forums and marketplaces, that phishing templates, for investment firms, were the most expensive phishing templates on offer – proving that some industries are more valuable than others. In addition to this, research independent of Digital Shadows, conducted last year, indicated that Paypal remained one of the most-spoofed brands in phishing, suggesting that brands with global reach face unprecedented brand attack. Both the type of brand and the industry in which they reside, can therefore be seen likely to determine the likelihood of impersonation.
2. Social Media account impersonation Fake social media accounts are not the only phenomenon causing the social media giants a bit of grief.Organizations are seeing their brands used by threat actors to entice customers by promising them a deal that’s too good to be true. Much like a domain, the social media profile will use the brand name and/ or logo, however, the extent of impersonation depends on the willingness of the threat actor to make the impersonation like-for like.This type of impersonation is all too common; adversaries will mimic support accounts on Twitter in an attempt to redirect customers to malicious sites. You can read more about a twitter account impersonation tactic here.
3. CEO or company executive Impersonation This type of impersonation relies on a company executive to entice lower-level employees into releasing funds or sensitive documents. That said, it doesn’t even have to be a company executive; even suppliers can be impersonated.One notable and recent illustration of the damages an organization can incur, as a result of executive impersonation, is the case of Nikkei,. 2019, Nikkei lost $29 million to scammers who tricked an employee into thinking the sender was a business executive. Nikkei is not alone in this – impersonation can happen to any organization, even Digital Shadows!Figure 2: Example of a typical BEC attemptWhile spoofing of executives is common in email campaigns, it also surfaces on social media. Attackers and fraudsters often register fake social media profiles, which can be highly valuable for targeting employees and customers.
4. Mobile Application Impersonation
As the usage of mobile devices continues to increase, organizations are turning to mobile applications that enable them to better interact with their customers and provide new tools for employees. Unfortunately, cybercriminals also want to communicate with your customers and create spoof mobile applications that seek to harvest their information. You can read more about instances we’ve seen of mobile application impersonation here.
So far, we’ve identified the potential impacts and most common threats around online brand protection. However, which stakeholders should own protecting the brand – information security professionals or marketing gurus? To identify this, it’s worth understanding the true goals of each stakeholder:
Figure 3: How the security, marketing and compliance teams should work together (An Example)
While every organization does have a different organizational makeup, loosely identifying goals of each department, as we did above, helps build a clearer image of who should be taking ownership of brand protection. Given that protecting the organization falls under the umbrella of security, and that brand protection is now regarded as a security issue, the job of protecting the brand can be owned by those within the security department. That said, such responsibilities should not be siloed to the security department, but rather the marketing team – who will be responsible for increasing exposure, via marketing campaigns – must work with the security department. Collaboration and cross-functional team work is key. Later, we’ll outline how the various departments should work together via a scenario.
To learn more about best practices for building cross-departmental processes, you can watch our webinar on Best Practices Protecting Your Brand Online.
MITRE PRE-ATT&CK: How your brand can be used to gain a foothold in your network
Before walking through a scenario, it’s worth looking at how the brand might be targeted by a threat actor – and we’ll use the MITRE ATT&CK (and PRE-ATT&CK) framework, something we typically embed into Digital Shadows’ research where we can, with the goal to provide actionable intelligence.
PRE-ATT&CK, in particular, has a strong social media flavor to many of the tactics and techniques. For example, look at this list below (which is by no means exhaustive) and try to imagine a world in which social media would not be an absolute goldmine for attackers.
Of course, social media often plays a critical role beyond the PRE-ATT&CK stage. Gaining access to social media accounts may be a goal itself. Notably, this occured to Barcelona FC’s Twitter account, when the hacking collective OurMine took over the social media account, using a third-party social media tool.
Using the MITRE frameworks, in the previous section, has shown us how the brand may be exploited by an attacker. However, for the purposes of this section, we’ll adopt a hypothetical scenario to outline how a brand can be managed and protected by the organization.
Figure 4: Hypothetical timeline of events for Molnnet Brand Protection campaign
STAGE 1: Planning
To illustrate the best practices of brand protection let’s consider the following hypothetical scenario, involving the same dummy global paper supply company, Molnnet.
Sept 2020: the marketing team for Molnnet launches a global digital media and advertising campaign to build awareness of the release of the new product, PaperLite. This product will also be showcased at the global trade show, Paper Expo April 2021, which gathers thousands of suppliers and buyers across the world.
Months prior to Paper Expo April 2021, the marketing team launches a press release, in addition to several digital media and TV advertisements. On the software development side, a brand new mobile app is being developed which will enable Molnnet customers to purchase supplies with less friction. The mobile app will also be supported by a new website, available via desktop.
Consequently, Molnnet’s brand exposure has increased – and so too has its attack surface. The brand is being googled as a result of the marketing campaigns, and website traffic increases threefold. On top of this, the holiday season means that customers are purchasing more than usual, as they need paper supplies to wrap presents – this means more visitors to the products page and online orders doubling in sales.
Sept 2020: the marketing team informs the security department of the upcoming campaigns, monthly meetings are held to update various stakeholders of the various activities. In return, the security teams have a departmental meeting, every week, to update one another of various developments.
STAGE 2: Security team monitors the external environment
Now that the security department is aware of the upcoming campaign and its desired outcomes, Molnnet monitors the external environment, using a digital risk management tool, Digital Shadows SearchLight. In order for the tool to monitor effectively, company assets are added, which increases coverage.
Figure 5: Molnnet reviews company assets
The Molnnet security team reviews the assets internally, discussing what their team wishes to monitor – but also consults the marketing team for the assets that they would like to monitor for. Company assets include domains (including test and staging domains), IPs, brand names, code snippets – Molnnet’s security team populates all the assets.
The marketing team ensures the brand names are populated, but also makes a special request to add a staging domain and secret project name based on the upcoming marketing campaign. The staging domain is used by the marketing team’s in-house web developer, who is currently building a dedicated site for Paper Expo 2021. This website should not be publicly accessible according to the marketing department – so monitoring for it is critical.
STAGE 3: Detection
All assets have been reviewed and populated into the digital risk solution: now 24/7 monitoring begins. Within the first few weeks of monitoring, alerts trickle through and the internal Molnnet security operations analysts observe and triage. The built-in risk scoring functionality enables the internal SOC analysts to prioritize and assess risk.
Figure 6: Impersonating domain detected for Molnnet asset
One SOC analyst’s attention is grabbed when an incident comes through: a mention of client systems information on github public repository. Already this doesn’t look like it should be there. The SOC analyst investigates the detected incident, ascertains that the system’s information, which contains username and an encrypted password for an internal website (jira.molnnet.com), is public when it should not be. Immediately, the SOC analysts grab their manager and inform him or her of the development, which results in an escalation to the marketing, legal, and compliance teams.
Figure 7: Impersonating domain detected for Molnnet asset
Stage 4: Actioning
Having escalated the incident to the marketing team and conferred internally, it is deemed that the GitHub incident that was detected by Digital Shadows is in fact a true positive.
Within the hour of escalating, the SOC analyst focuses on removing the exposed content. There are two parts to this: First, an employee has publicly committed the domain to the code repository – so the SOC analyst must contact the software engineering department to identify them and make them aware of this case. Second, the content needs to be removed, so the SOC analyst uses the built-in template to initiate the hosting site (GitHub), to issue a content removal on the basis that it shouldn’t be there.
Figure 7: Molnnet SOC analyst initiates a takedown
In the meantime, the information security manager works with the marketing, legal, and compliance teams to discuss the wider implications of the exposure including the system’s information, which could be used to access Molnnet’s infrastructure, having been publicly listed for approximately 3 hours at the time of detection.
While the various stakeholders confer, the incident response team have issued a takedown to Github. At the same time, the SOC team identifies the software developer who initiated the commit publicly.
It unfolds that the software developer had unintentionally exposed the system’s information, along with username and encrypted passwords. The team issues the data exposure policy book, reminding that all sensitive company data, even systems information, must be made to private repositories on Github, not public as this breaches company policy.
Further efforts are also made to ensure that the IP associated with the website in the github post (jira.molnnet.com) would be whitelisted to ensure only Molnnet employees can access the site.
As a precaution, the password associated with the website, although encrypted, is reset.
Overall, the impact was largely minimal, and business operations were minimally disrupted. Though this did have the potential to disrupt had it gone undetected for longer.
With the proliferation of the digitized economy, which sees brands become bigger online, it is essential to have the following:
At Digital Shadows, we speak to a large number of security teams about their approaches to Online Brand Protection. You’ll be unsurprised to learn that this fluctuates from organization to organization – some have really well-defined processes in place that involve multiple departments, whereas others ignore it and leave the issue of brand to the marketing or brand team. Based on these conversations and observations, it’s possible to outline five stages of maturity for Online Brand Protection.
Figure 8: Maturity model for Online Brand Protection
For those just getting started on the journey, we’ve outlined some free tools to get started below:
Looking to learn more about how we help discover attackers impersonating your domains, social accounts, and mobile applications? Learn more about SearchLight here.