Review: Gazing through a hacker’s lens with RiskIQ Digital Footprint

Requiring no setup or installation, Digital Footprint scans for vulnerability information from outside the firewall, just like a potential attacker would.


Whenever skilled attackers decide to attack a network, the first phase is normally reconnaissance. They either scan a network looking for vulnerabilities, or do penetration testing by hand, trying to get an inside look at individual systems that can be easily attacked or exploited. Not every hacker group works this way, but the majority of the most successful ones follow this pattern, especially for targeted attacks.

Perhaps surprisingly, a lot of information about most pieces of network infrastructure is easily available to those who know how to scan for it. Because hardware like servers, networking gear and even internet of things (IoT) devices is connected to the internet, it can be scanned and cataloged from outside its protecting firewalls. Sometimes these devices even volunteer information about themselves in response to a ping, because answering such requests is part of how they communicate.

That is where the RiskIQ Digital Footprint tool comes into play. It can scan an entire network, no matter how large, and provide a wealth of information that would be like gold to a hacker. It will point out which servers are running outdated operating systems, which ports on each device are open, which assets have extra DDoS protection, how many computers have unpatched security flaws and a host of other vulnerability information.

One thing that sets the RiskIQ Digital Footprint apart from just about every other security program reviewed for CSO magazine is the setup and installation phase. There is none. Digital Footprint scans for vulnerability information from outside the firewall, just like a potential attacker would.

Organizations can buy a one-time Digital Footprint scan from RiskIQ, which would generate a detailed snapshot of network vulnerability. A continuous monitoring option is also available that additionally shows vulnerabilities over time, including an overall health score and the upwards or downwards trend as fixes are made and new vulnerabilities arise. In either case, pricing is based on the number of network assets being scanned. There is no physical setup, only a little bit of labor to configure the scan to catch all network assets within its net.

RiskIQ Digital Footprint John Breeden II/IDG

Using the continuous monitoring option will slowly move the overall health score up or down in response to new vulnerabilities or completed fixes, so users always know whether their organization is moving in the right direction on cybersecurity.

For the testing, a government agency with an extensive public presence was used as the target, as well as a private testbed setup populated with specific vulnerabilities. The government agency was not a current customer of RiskIQ, though that didn’t matter because the scanner was simply collecting vulnerability information that was either accessible from the internet with no special permissions, or offered up by the agency’s own servers in response to Digital Footprint’s query.

Once a scan is complete, vulnerabilities are grouped into two categories within the main program interface, Threat Indicators and Security Posture. The Threat Indicators column lists critical problems that are currently ongoing and should probably be fixed immediately. Most of these are generated when RiskIQ cross-references discovered assets with third-party threat reporting and intelligence feeds. They include things like company webpages that are infected with malware, webpages that have low reputation scores, or network hosts that are being blocked by third-party threat reputation services. Most organizations that have good internal cybersecurity likely won’t have too many active Threat Indicators, though RiskIQ found one on the government network, which was hosting a PDF with a macro-type piece of malware. The PDF’s location, and a detailed reason for the alert, were included in the report.


The main dashboard of the RiskIQ Digital Footprint program divides up network problems it has discovered into two categories, Threat Indicators of active problems and Security Posture for vulnerabilities that might be exploited in the future.

The Security Posture category is where most organizations, especially those with sprawling networks, are going to most likely earn a low score, or at least one that is a lot lower than their active Threat Indicator column. Here is where Digital Footprint really shines compared with other vulnerability scanners. The detail provided by the program is pre-sorted into several top-level categories including Website Common Vulnerabilities and Exposures (CVE), domains that are not protected from re-routing or re-directing type attacks, open ports on internal devices, SSL configuration and vulnerabilities like Heartbleed susceptibility, and others.


Digital Footprint divides up all discovered assets into an overall inventory that includes every device, computer or webpage within a network that can be viewed or accessed from outside the firewall.

A percentage score out of 100 shows how many vulnerabilities exist in each category, and how much those problems are contributing to the overall network security health score. Diving into each category further sorts the information to make it easier to diagnose problems. For example, when we drilled down into the Open Ports category, we found open ports on several devices within the target network. These included IoT devices, system ports, database servers, networking equipment, web servers and more.

Drilling down further, we could look at the specific devices, the open ports, and even what the vulnerable devices were connecting to within the network. Doing this, we were able to determine that some of the vulnerable assets at the government agency were servers that had no function and no other network connections. Perhaps they once served a purpose and were later abandoned. The fix in that case might be to simply shut down the unused asset, since it was doing nothing other than providing a window for hackers.
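As an added illustration (not RiskIQ’s code, and not its real export format), here is how the category scoring, health-score trend and Open Ports drill-down the review describes could be modelled from a constructed scan export; the score formula, field names and hostnames are assumptions:

```python
from collections import Counter

# Scan categories as the review lists them (Threat Indicators plus the
# Security Posture sub-categories); the names are a paraphrase, not the product's.
CATEGORIES = ("Threat Indicators", "Website CVEs", "Domain Hijacking",
              "Open Ports", "SSL Configuration")

# Constructed sample export of one external scan over 10 internet-facing assets.
# Field names and hostnames are assumptions for this example only.
TOTAL_ASSETS = 10
FINDINGS = [
    {"asset": "www.agency.example", "kind": "web server", "category": "Threat Indicators",
     "issue": "hosted PDF flagged by threat feed", "connections": 4},
    {"asset": "db1.agency.example", "kind": "database server", "category": "Open Ports",
     "issue": "3306/tcp reachable from internet", "connections": 2},
    {"asset": "old-app.agency.example", "kind": "web server", "category": "Open Ports",
     "issue": "8080/tcp reachable from internet", "connections": 0},
    {"asset": "cam7.agency.example", "kind": "IoT device", "category": "Open Ports",
     "issue": "23/tcp reachable from internet", "connections": 0},
    {"asset": "mail.agency.example", "kind": "mail server", "category": "SSL Configuration",
     "issue": "TLS 1.0 enabled", "connections": 3},
]

def category_scores(findings, total_assets):
    """Score each category 0-100 by the share of assets with no finding there.
    The formula is an assumption; the review only says a percentage is shown."""
    affected = {c: set() for c in CATEGORIES}
    for f in findings:
        affected[f["category"]].add(f["asset"])
    return {c: 100 - round(100 * len(a) / total_assets) for c, a in affected.items()}

def health_score(findings, total_assets):
    """Overall health score: plain mean of the category scores (assumed weighting)."""
    scores = category_scores(findings, total_assets)
    return round(sum(scores.values()) / len(scores), 1)

def trend(previous, current):
    """Direction of the health score between two scans, as the trend view shows."""
    return "improving" if current > previous else "worsening" if current < previous else "flat"

def open_ports_by_kind(findings):
    """Open Ports drill-down: how many findings each device class contributes."""
    return Counter(f["kind"] for f in findings if f["category"] == "Open Ports")

def decommission_candidates(findings):
    """Assets exposing ports but with no observed connections to anything else:
    the review's abandoned-server case, where shutting the asset down is the fix."""
    return sorted({f["asset"] for f in findings
                   if f["category"] == "Open Ports" and f["connections"] == 0})
```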


Drilling down into any menu within Digital Footprint shows extremely detailed information about the vulnerable asset. This can act as a roadmap for teams to fix those vulnerabilities before an attacker can exploit them.

The overall level of detail is extremely high when looking at discovered vulnerabilities. Even a junior IT staffer could probably fix the bulk of discovered problems using the report, especially if it only requires something simple like patching an operating system. Once fixed, Digital Footprint can confirm that the vulnerability no longer exists, and that no new vulnerabilities have formed because of it. That will nudge the overall network health score in a positive direction too, so C-level executives can keep tabs on how their organization is doing in plugging vulnerabilities, even if they don’t have any cybersecurity training.


Categories like Open Ports can be further broken down into more detail, so administrators can see, for example, if their new IoT devices are becoming a major security concern.

Digital Footprint from RiskIQ is one of the easiest programs an organization can deploy to generate either a snapshot or an ongoing look at their network vulnerabilities and security problems. Given that attackers are most certainly looking at networks through a similar lens, deploying the program is almost like reading a potential adversary’s playbook before a game. This gives defenders a chance to fix vulnerabilities before they can be exploited, and the ability to evaluate how their overall efforts in cybersecurity are performing over time.

Copyright © 2018 IDG Communications, Inc.
