RISK User Manual

Copyright 2020 Resecurity® Confidential. Prepared for Claro Colombia.

Table of Contents

Tabs Description
  Add company
  Digital Assets (Mapping)
  Digital Assets (Description)
  Geography
  Digital footprint
  Tips/Recommendations
  Support Request
  User Profile
Risk Indicators
  Dark Web
  Network Hygiene (IP Reputation)
  Botnet Activity
  Data Breaches (Compromised Credentials)
  Threat Actors

Tabs Description

Add company

After authentication is complete, the next step is to add an organization (company) for monitoring by clicking "Add Company".

Monitoring is based on analysis of the source data describing the digital footprint of a particular organization (domains, networks, etc.). The operator therefore has to define the set of signatures describing the company. We recommend focusing on domain names as a priority.

After clicking "Add company", the following details need to be filled in:

• Company name. The full name of the company that will be under digital risk monitoring. This field is mandatory.
• Separate domain name. The domain name is the address typed into the browser URL bar to visit the website. Enter the domain name or import it from a file. This field is mandatory.
• Network information (IP or network range). The IP addresses or network ranges owned by the company; indicators in the Network Hygiene and Botnet Activity categories are matched against them, so enter only ranges you actually own. Enter the network information or import it from a file. This field is not mandatory.
• Add extra. You can also add intellectual property markings, executives, key staff and other criteria for digital risk monitoring. This field is not mandatory, but it increases the accuracy of monitoring and improves targeting on your enterprise.
• Description. Add any information that you think could help the monitoring process and provide better targeting of the enterprise environment. This field is not mandatory.

Add Extras

By clicking the "Add extras" link you can add information to the following fields for risk estimation. Adding extras is not mandatory, but it widens the range of monitored data and provides detailed information on the chosen sub-category. The following sub-categories can be chosen:

• Custom. Define your own criteria and multiple subjects of interest manually using the wizard.
• Anti-Piracy. Targets monitoring on piracy sources such as illegal websites, P2P networks, torrent trackers, alternative content repositories and unauthorized media resources that violate your content licensing conditions and T&Cs.
• Dark Web Monitoring. Monitoring of the Dark Web: a search for the defined subjects of interest or your company details on cybercriminal resources and the communication channels widely used for illicit activity (TOR, I2P, Freenet, etc.).
• Operations Environment + Social Media. Monitoring of a particular brand and its digital footprint exposed on the Internet (brand name, known domain names, corporate network pools, e.g. IPv4/IPv6). Suited to comprehensive risk-scoring and security posture assessment of your enterprise.
• Incident Response. Assistance in post-incident investigations based on source intrusion sets, threat actor details and known indicators of compromise (IOCs).
• Social Media Monitoring. Initiates monitoring on social networks only (Facebook, LinkedIn, Twitter); works best for OSINT, brand protection and social media analysis.
• Threat Actor Monitoring. Targets monitoring on a particular threat actor and/or group of actors (nickname/alias, contact, other known signatures). Typically used by investigators and intelligence analysts for attribution research and threat actor profiling based on the source data.

After the sub-category is chosen, you define the risk estimation criteria based on the selected template. Data for each parameter can be imported or entered manually as a list. The templates include the following criteria:

Brand Names may include the company's brand names and its digital footprint. They are monitored on cybercriminal resources, either to search for a defined subject or to detect use of the brand name for illicit activity. Several brand names can be added.

Emails may include known email addresses of company employees. They are monitored for appearance in data leaks; the source (e.g. data breach, dark web, botnet) is identified and a risk score is assigned after the threat is evaluated.

IOC: this criterion will be removed from the template.

Actors may include information about a specific threat actor or group of actors, to provide threat actor profiles for investigators and intelligence analysts. Nicknames, aliases, contacts and signatures can be entered.

Signatures may include the raw data on which monitoring of the actors is based. Alternatively, signatures may include fragments of code used to detect data leaks.

TTPs: this criterion will be removed from the template.

BINs may include the bank identification numbers printed on payment cards, chosen to monitor for compromised card data appearing on the dark web.

Executives may include the full names of key persons, who are monitored in OSINT sources either to build a profile list from the sources found or to detect leakage of their personal data on the dark web.
Code identifier may include fragments of code on which monitoring for leaks from code repositories is based.

Server names/formats may include server addresses, to follow data leaks from or cyberattacks on those servers.

Indicators of customer data may include any customer data used when investigating a data leak or defining the potential risk level.

Point-of-Sale Identifiers may include identifiers of the channel where financial transactions for goods and services are executed, and where data leaks and cyber threats need to be monitored.

Key members of staff may include key stakeholders whose information may be at risk of leaking or should be monitored in OSINT sources on the web.

Data Leak Protection (DLP) identifiers may include code identifiers to be monitored on the dark web.

Specific document markings may include any marking the enterprise uses on its documents, so that leaked documents can be recognized.

Commonly used document titles may include document titles by which leaked documents can be identified.

Anything else that is unique may be used to monitor confidential information, detect data leaks or derive tips on how the data can be protected.

Git search phrases may be added; risk monitoring of code repositories is conducted based on them.

The sub-category can be changed in the corresponding field. The template is the same for each sub-category, and all entered data is kept even if you change the sub-category.

Digital Assets (Mapping)

Based on the information provided in the previous steps, assets that may be of interest for your search/monitoring are identified.
If you find them valuable for targeting or for defining the risk monitoring, select them from the list. The suggested assets may include domains, email addresses and associated IPs that could expand risk monitoring. Similar domains can be checked or exported to target the search; the system suggests similar domains that may correspond to your target company. Otherwise you can skip this step and continue with the notification settings.

Digital Assets (Description)

The digital assets view shows the domain name, the number of findings and the reputation risks, divided into domain names, emails and actors. Choose any item on the left; anchor links take you to the corresponding information.

An asset has two states: enabled and disabled. An asset is enabled when its risks are under monitoring; it is shown in green. When the toggle next to the asset is grey, no monitoring is conducted and the asset is disabled.

You can also export a report on the specified asset. It is prepared as a CSV file with the columns email, username, password, password hash, salt, ip, date, source name, info, etc. Because the export contains leaked credentials, store and share it as sensitive data.

If there are many assets, you can manage the selected items by choosing them and clicking the "two tips" control. The selected assets can be exported to a report, disabled, enabled or deleted. Note that deleted items are no longer monitored and the information collected on them is discarded.

By clicking the "+" sign you can add an asset and the corresponding subject of interest. As on the other tabs, the digital assets tab lets you select the appropriate blocks and generate a report.
The "Generate report" button lets you choose the blocks from which the report is generated, in PDF and other formats.

Notifications Settings

The last step is setting your notification preferences; risk estimation starts right away. Currently the system supports notifications sent via email only.

My Portfolio

The portfolio provides overall information on the digital risks of the multiple companies you have added. Their domains and IP addresses are shown in the portfolio. Use the search bar to find a company you added earlier. Multiple companies can be added to keep an eye on all digital risks of your business activities. After you add a company, you receive notifications when new risks are detected.

Each company gets its own risk rating based on the overall risk assessment. You can archive a company to stop risk monitoring while keeping access to all collected data. Once you delete or stop a company in your portfolio, all its data is irrevocably deleted too, so archive it instead if you want to keep the data.

A graph of historical findings is available in the company profile, with notifications on new high, medium and low risks.

A new subject of interest or asset can be added by clicking the "+" button. When adding assets, choose the subject of interest and the corresponding assets; several assets can be added to the field. When everything is ready, click "Add" to submit the new assets to the system.

You can also generate a My Portfolio report if you want to share or print the information on the companies in your portfolio list, by clicking the "Generate report" button. The report can be saved as PDF or shared by link or QR code. Anyone holding the link or QR code can open the report, so distribute them only to people who are allowed to see the findings.
Company profile

Under the company name you find the risk-rating matrix, which helps you interpret the threat indicators. Ratings run from A to F: the further down the alphabet the letter is, the higher the identified risk. Ratings descend from A to F as the severity and number of threat indicators increase. An A to C rating indicates that Resecurity Risk has detected several problems that could affect the security of your enterprise; review the identified risk indicators. Any new incident can cause the rating to go down, and you will be notified in a timely manner. Companies with a D or F rating are 5.4 times more likely to be victims of data breaches than those with an A or B rating.

The number of domains, IP addresses, digital assets and identified risks can be viewed in the company profile, together with tips that will help you improve your security response and lower your global risk score. At the top of the page you can change the name of the company if necessary. You can also check whether the company is monitored (watched) or stopped; this setting can be changed both on the Company Profile and on the My Portfolio page.

The number of domains, IP addresses, digital assets and identified risks is presented in the block after the risk-rating description, so the overall assets are listed there and described in more detail on the other tabs. Use the navigation bar entries Risk Indicators, Geography, Digital Footprint, Quick tips and Digital assets for specific information.

Findings are presented by risk category: data breaches, network hygiene, dark web, botnet activity, cloud security and miscellaneous risks. Under Risk Change you find the change log with the risk identifiers and their explanation, shown on a timeline.
Clicking "See all" takes you to the Risk Indicators page, including a pie chart showing the trend for each risk category. Clicking on the pie chart shows the number of critical, high, medium and low incidents for the corresponding risk category.

Under Risk by Categories you can analyze the threat level and the number of threats in each risk category. Clicking "See all" takes you to the Risk Indicators page.

Risk Change provides the data history over time periods in years. Clicking on a peak shows the risk rating and the date. The newest risks are listed in the right-hand column with their date and the points by which the score increased.

If you want more detailed and more recent information on risk changes, click the "See all" link to go to the Risk Indicators page.

Risk by Category shows the number of total findings, divided by source and by high, medium and low risk level. For detailed information on the risks in a category, click on the risk category to go to the Risk Indicators page filtered by that category.

Quick tips help you increase accuracy and obtain a more comprehensive monitoring result. The list of tips shows how to view a more detailed summary, improve your security response and lower your global risk score. For more information, click "See all" under the Quick Tips block to go to the Quick Tips page.

By clicking the "Generate report" button on the company profile page, you can choose the blocks from which the report is generated.
After choosing the blocks, you receive the report in PDF format. The report can be opened via a link or printed on paper.

Navigation

Once the information above is clear, go to the navigation and click the "Select company" button. There you can either add a new company, which is then shown in your portfolio, or choose one of the companies in your portfolio to get detailed information on its risk monitoring.

When you have chosen a company, the navigation tabs on the left of the screen give you information on the main risk sources: Risk indicators, Geography, Digital footprint, Quick tips and Digital assets. Clicking a tab shows the corresponding information for the specified asset.

Clicking the company name located right after the Resecurity logo lets you "Add new company" to the profile or switch between the companies, as in the example with AMG and BDO. Clicking the Resecurity logo takes you to the My Portfolio page.

Let's start from the first tab, Risk indicators, and investigate the assets there.

Risk Indicators

The Risk Indicators page includes the overall list of data breach detections with their score, risk source, record date and detection date. Choose a detection to get detailed information: date, id, username, password. Additional information such as first name, last name, host, birthday, sex, city, telephone country code, telephone area code, telephone number, handphone (mobile) country code and handphone number may also be available. You can filter by data source: botnets, threat actors and dark web.
The total number of detections is shown, including all new threats. If you click the "New" button, only the threats found during the current day are listed.

You can also select the exact threats on which a report should be generated. The report can be generated in CSV or PDF format. Clicking the "+" button adds new subjects of interest or assets.

Geography

The Geography tab shows the monitored domains and their locations on a world map. Clicking the "Add Domain" or "+" buttons lets you add an asset and a subject of interest.

A domain can be found through the search bar and selected to be shown on the world map. The highlighted areas are those where monitored domains are located. Clicking a highlighted area shows the exact number of domains found there. If an area is dark, Resecurity has not found any of your domains or IPs there.

The geography breakdown helps identify the domains by the number of findings, sorted by country. The risk score is also shown as high, medium or low, so for each asset you get the domain, the IP address, the country where the asset is located and its risk level.

For detailed information, click on an asset and choose "Export details". An Excel file with the specified information on the asset is downloaded; it includes username, email, password, password hash, salt, ip, source name and info. You can also generate a report by choosing blocks and getting the corresponding information.
Digital footprint

The Digital footprint tab lists the monitored domain names based on their digital footprint located all over the world. Use the search bar to specify the domain name you are interested in. The detected records consist of the resource address, full company name, country name, SSL certificate and supported SSL versions. The HTTP protocol may also be shown. Clicking an asset gives the following overview:

• resource address;
• country name;
• organization name;
• ISP;
• last update;
• ASN;
• host names.

The location of the company is shown on a Google map. Use the "+/-" buttons on the card to change the card size and navigate the map. The technologies detected and port services are listed under the map. You can also generate a report by choosing blocks and getting the corresponding information.

Tips/Recommendations

The tips help you increase accuracy and obtain a more comprehensive monitoring result, view a detailed summary, improve your security response and lower your global risk score. The tips include new ones provided during the day and archived ones. They are rated by risk score to indicate their importance, and carry a category and the date when the tip was provided. The tips are grouped by category to show how to improve your security response and lower your global risk score. You can also generate a report by choosing blocks and getting the corresponding information.
Support Request

If you have questions and need help from our Support Center, create a support request by clicking the circle on the right of the navigation panel. The Support page opens with the following information. Fill in the form with as much information as possible and submit the request.

Clicking the ring shows the history of your requests/tickets and the corresponding information on each ticket. The ticket number and the correspondence are provided to you. Clicking the "How we can help" link takes you to the "How can we help" form, where you can create a new request and get help from our Support Center.

User Profile

To change information in your profile, click the last item in the left navigation bar: a circle with your photo or the initials of your first and last names. Clicking an item in the list opens the corresponding settings. Under Profile you can upload a photo and add your first and last name. The language can be selected from two options: English or Vietnamese.

Under Password you can change the password. Enter a new password and confirm it; the password cannot be blank and the confirmation must match the password entered above.

Under Authentication you can see whether two-factor authentication is enabled or disabled. Clicking the status toggles it. By default, two-factor authentication is enabled.
To disable it, you need to generate a one-time password secret. After you enter a one-time password, two-factor authentication is disabled. To enable two-factor authentication again, the procedure of generating a new one-time password secret must be repeated. Keep two-factor authentication enabled wherever possible: the platform holds leaked credentials and personal data about your organization, and the account password alone is a weaker control.

Risk Indicators

The Risk platform collects various cyber risk indicators and presents them in human-readable form with proper interpretation. The key categories of risk indicators are described below.

Dark Web

Dark Web monitoring searches for the defined subjects of interest or your company details on cybercriminal resources and the communication channels widely used for illicit activity (TOR, I2P, Freenet, etc.).

The Dark Web indicator lists the detections that may be under threat of cybercriminal activity. Each detection consists of the list of sources where the risk was found, the risk score and the record date, i.e. the date when the risk to the item appeared on the web. "Detected on" gives the date when Resecurity found the detection. For detailed information on the record id, source, latest activity and relationship graph of a detection, click on its row.

The relationship graph shows connections between actor profiles, the e-Crime library, IPs, emails, activity by IP and IP2GEO.

Network Hygiene (IP Reputation)

This category describes indicators related to malicious network activity originating from inside or outside the company network, based on the defined/identified network ranges or IP addresses.
Such indicators may include:
- malicious network hosts;
- network hosts involved in hacking activity;
- network hosts involved in mass scanning;
- proxy or SOCKS servers deployed by threat actors;
- underground VPN services;
- suspicious hosts presumably used for malicious purposes;
- bulletproof hosting and hosting providers with illegal content;
- network hosts that have recently been compromised, with a high probability of hosting malicious content for further distribution.

Information about such network hosts is available in the Risk Indicators listing. Each record has the following fields:
- malicious or potentially suspicious IP;
- source (the original source of the risk score, such as a threat intelligence feed);
- risk score (low, medium, high);
- record date (the original date when this information was identified);
- detected on (the date of detection in the context of monitoring of the company).

Clicking a particular record shows more detailed information about the IP, including historical details. In addition to information from the threat intelligence feeds, you may see possible hits from the Dark Web, Passive DNS and other sources. This information allows you to analyze particular IPs as well as the security of the company network (whether it has been compromised or infected with malware). Note that the record date can be much older than the detection date: an IP flagged by a feed months ago may have been reassigned since, so check the record date before treating a hit on one of your ranges as a current compromise.

Botnet Activity

Botnet activity refers to information on groups of computers that have been infected by malware and have come under the control of a malicious actor. Botnets can be designed to accomplish illegal or malicious tasks including sending spam, stealing data, deploying ransomware, fraudulently clicking on ads or distributed denial-of-service (DDoS) attacks.
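Both the Network Hygiene records described above and the botnet detections that follow carry an IP, a source, a risk score, a record date and a detected-on date, and the question an analyst asks first is the same for both: does this IP fall inside the network ranges declared under "Network information" for the company, and is the feed entry still current? The Python below is an added example written for this manual, not code from the Resecurity platform. The network ranges, feed names, dates and records are constructed for the example, and the 90-day staleness threshold is an assumed value.

```python
"""Match Network Hygiene / Botnet Activity indicator IPs against the company's
declared network ranges.  Added example, not platform code.  Ranges, source
names and records are constructed; field names follow the manual's description
of a record (ip, source, risk score, record date, detected on)."""
import ipaddress
from datetime import date

# Assumed: the ranges entered under "Network information" when adding the
# company (documentation prefixes, not a real network).
COMPANY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed indicator records, as an analyst might export them from the listing.
RECORDS = [
    {"ip": "203.0.113.45", "source": "ti-feed-a", "risk score": "high",
     "record date": "2020-02-01", "detected on": "2020-02-03"},
    {"ip": "198.51.100.200", "source": "ti-feed-b", "risk score": "medium",
     "record date": "2019-06-11", "detected on": "2020-02-03"},
    {"ip": "192.0.2.77", "source": "botnet-sinkhole", "risk score": "high",
     "record date": "2020-01-28", "detected on": "2020-02-03"},
    {"ip": "203.0.113.45", "source": "botnet-sinkhole", "risk score": "high",
     "record date": "2020-02-02", "detected on": "2020-02-03"},
    {"ip": "not-an-ip", "source": "ti-feed-a", "risk score": "low",
     "record date": "2020-02-01", "detected on": "2020-02-03"},
]

SCORE_RANK = {"low": 1, "medium": 2, "high": 3}


def in_company_ranges(ip_text, ranges):
    """True/False for a parseable address, None for a malformed one."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return any(ip in net for net in ranges)


def triage_indicators(records, ranges, max_age_days=90):
    """Split records into internal hits (grouped by IP, most corroborated
    first), external hits and malformed rows; flag records whose feed entry is
    much older than the platform's detection date."""
    internal, external, malformed = {}, [], []
    for rec in records:
        hit = in_company_ranges(rec["ip"], ranges)
        if hit is None:
            malformed.append(rec)      # surface bad rows instead of dropping them
            continue
        age = (date.fromisoformat(rec["detected on"])
               - date.fromisoformat(rec["record date"])).days
        entry = dict(rec, stale=age > max_age_days)
        if hit:
            internal.setdefault(rec["ip"], []).append(entry)
        else:
            external.append(entry)
    # owned hosts named by several independent sources come first,
    # then the highest risk score
    ranked = sorted(
        internal.items(),
        key=lambda kv: (-len({e["source"] for e in kv[1]}),
                        -max(SCORE_RANK[e["risk score"]] for e in kv[1])),
    )
    return {"internal": ranked, "external": external, "malformed": malformed}


if __name__ == "__main__":
    result = triage_indicators(RECORDS, COMPANY_RANGES)
    for ip, entries in result["internal"]:
        print(ip, "named by", sorted(e["source"] for e in entries))
    for e in result["external"]:
        print("external", e["ip"], "stale" if e["stale"] else "current")
    print("malformed rows:", len(result["malformed"]))
```

With these inputs, 203.0.113.45 is reported as an internal host corroborated by two sources, 198.51.100.200 is external because the declared range is a /25 (it ends at .127) and its feed entry is over 200 days old, and the unparseable row is reported rather than silently skipped. The prefix precision matters: declaring too wide a range under "Network information" would turn that external hit into a false internal compromise.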
The Botnet indicator lists detections with the source where they were found, the risk score, the record date and the detected-on date. For detailed information, click on the row: you get the date, IP, bot country, machine ID, hostname, botnet, address, request type, software, raw info, bot info and bot files, with the option to download the bot files. The bot files entry includes the name, the date and the ability to download the file in txt format. Treat downloaded bot files as sensitive, since they originate from compromised machines.

Data Breaches (Compromised Credentials)

Data breaches include all detections found for the subject of interest or your company. The data includes the result (username, password), source, risk score, record date and detected-on date. Clicking a detection shows the detailed information: date, id, email, password.

Threat Actors

This category targets monitoring on a particular threat actor and/or group of actors (nickname/alias, contact, other known signatures). It is typically used by investigators and intelligence analysts for attribution research and threat actor profiling based on the source data. Threat actor detections include the list of detections, the result (username, email, password), source, risk score, record date (when the issue appeared or was identified on the Dark Web) and the date detected by Resecurity.
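The Data Breaches and Threat Actors listings above, like the CSV export from the Digital Assets tab and the "Export details" file from the Geography tab, all come down to rows of email, username, password, password hash, salt, ip, date, source name and info. What an operator has to do with them is decide which accounts need a forced reset today, which can be scheduled, and which rows are duplicates or belong to domains that are not yours. The Python below is an added example written for this manual, not code from the Resecurity platform: the sample rows are constructed (not real leaked data), the column set follows the manual's description of the export, and the company domain is an assumption standing in for the domains registered under "Add company".

```python
"""Triage a compromised-credentials export of the kind the Digital Assets and
Geography tabs produce (columns email, username, password, password hash, salt,
ip, date, source name, info).  Added example, not platform code.  The sample
rows are constructed; the column set is taken from the manual's description
and the company domain is an assumption."""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export: not real leaked data.
SAMPLE_EXPORT = """\
email,username,password,password hash,salt,ip,date,source name,info
Alice.Perez@example.com,aperez,Spring2019!,,,203.0.113.7,2020-03-02,combolist-x,plaintext
bob@example.com,bob,,5f4dcc3b5aa765d61d8327deb882cf99,,198.51.100.9,2020-01-15,forum-dump,md5 only
alice.perez@example.com,aperez,Spring2019!,,,203.0.113.7,2020-03-02,combolist-x,same row again
carol@partner.org,carol,letmein,,,192.0.2.5,2019-11-30,paste-site,not a monitored domain
dave@example.com,dave,Spring2019!,,,203.0.113.20,2020-04-10,stealer-log,plaintext reuse
"""

# Assumed: the domain names registered under "Add company".
COMPANY_DOMAINS = {"example.com"}


def parse_export(text):
    """Parse the CSV, normalise the email and drop repeats of (email, source)."""
    seen, rows = set(), []
    for row in csv.DictReader(io.StringIO(text)):
        row["email"] = row["email"].strip().lower()
        key = (row["email"], row["source name"].strip())
        if key in seen:
            continue
        seen.add(key)
        rows.append(row)
    return rows


def triage_credentials(text, company_domains):
    """Decide which accounts need a forced reset and which records are noise."""
    rows = parse_export(text)
    in_scope, out_of_scope = [], []
    for row in rows:
        (in_scope if row["email"].rsplit("@", 1)[-1] in company_domains
         else out_of_scope).append(row)
    # a leaked plaintext password is the urgent case; newest leak first
    reset_now = sorted((r for r in in_scope if r["password"]),
                       key=lambda r: date.fromisoformat(r["date"]), reverse=True)
    # a hash alone still warrants a reset, but it can be scheduled
    hash_only = [r for r in in_scope if not r["password"] and r["password hash"]]
    # the same plaintext password on several accounts points to reuse
    by_password = defaultdict(set)
    for r in in_scope:
        if r["password"]:
            by_password[r["password"]].add(r["email"])
    reused = {p: sorted(e) for p, e in by_password.items() if len(e) > 1}
    return {
        "reset_now": [r["email"] for r in reset_now],
        "hash_only": [r["email"] for r in hash_only],
        "reused_passwords": reused,
        "out_of_scope": [r["email"] for r in out_of_scope],
    }


if __name__ == "__main__":
    for section, value in triage_credentials(SAMPLE_EXPORT, COMPANY_DOMAINS).items():
        print(f"{section}: {value}")
```

On the sample rows the duplicate of alice's record is collapsed, dave and alice are queued for an immediate reset (newest leak first), bob's hash-only record is scheduled, carol's row is set aside because partner.org is not a monitored domain, and the shared "Spring2019!" password is surfaced as reuse across two staff accounts, which is the finding that usually matters more than any single row.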