CyberGRX is on a mission to map the cyber security profile of every organization around the globe. As part of this mission, we have partnered with Recorded Future to provide threat intelligence and data insights for all customers and Third Parties within the CyberGRX platform along with continuous Risk Monitoring and Alerting.
Why Is Risk Monitoring and Alerting Important?
Most companies end up finding out about a breach of one of their third parties from a news headline. With our new Risk Monitoring & Alerting capabilities, you will have visibility into potential breaches of the third parties within your portfolio in near real time, along with a weekly digest email. In addition, you'll have the vital information and context needed to assess the possible impact on your business and to collaborate with the affected Third Party on assessing and managing the risk.
Third Parties or Customers that have a critical high-risk alert or potential breach event on their own company will receive an email within 24 hours along with an in-platform notification. Customers will receive a weekly digest summary email if any of the third parties in their portfolio have triggered a critical risk rule event.
Company Profile/Notifications
View Your Own Organization
- Accessible from the My Company Profile Page
- Recorded Future Widget with Risk Summary
- Detailed view rules to help drive proactive mitigation and issue tracking
View a Third Party
- Accessible from any Vendor Profile Page
- Recorded Future Widget with Risk Summary
- Summary of impacted rules for Third Party probing and investigation
Note: Users assigned to the Account Admin or TP Portfolio Manager user roles will receive the off-platform notifications about any relevant First or Third-Party events.
For questions/discrepancies/disputes on rules, contact cybergrx@recordedfuture.com directly.
Recorded Future Ruleset
The 7 Categories of Third-Party Risk
- Breach or Incident Reporting
- Leaked Credentials
- Hygiene
- IP Address
- Dark Web
- Domain
- Threat Research
Severity Scale
- High (65-99): Observed strong indicators of high-severity threats and elevated cyber risk
- Moderate (25-64): Indicators of moderate threats and cyber risk observed over time
- Informational (5-24): Important for general situational awareness
Risk Rules & Risk Categories
| Rule Name | Criticality | Rule Category | Description | Time Frame |
|---|---|---|---|---|
| Recent Security Breach Disclosure | High | Breach or Incident Reporting | Company reported a data breach in the last 90 days | Last 90 Days |
| Recent Validated Cyber Attack | High | Breach or Incident Reporting | Insikt Group assessed/validated a significant cyber event affecting this company in the last 90 days | Last 90 Days |
| Recent Attention on Ransomware Extortion Websites | High | Breach or Incident Reporting | Company is mentioned on a Ransomware Extortion Website in the last 90 days | Last 90 Days |
| Domain With Unrestricted SPF Record | High | Hygiene | Company domain has an unrestricted policy statement (+all) | Current |
| Likely IT Policy Violations | High | IP Address | Hosting a TOR network node | Current |
| Recent High-Impact Abuse of Company Infrastructure | High | IP Address | Hosting Command & Control server or URL, Hosting Phishing site or URL, or Hosting Malware download site or URL | Last 56 Days |
| Hosts Recently Communicating With C&C Server* | High | IP Address | An IP address belonging to the company has been observed recently communicating to a known malware command and control server on uncommon ports. | Last 30 Days |
| Recent Single-Document Email Address Exposure | High | Leaked Credentials | Company email addresses were seen on a single source in the last 90 days for the first time (newly observed) | Last 90 Days |
| Recent Single-Document Credential Exposure | High | Leaked Credentials | Company email addresses with passwords were seen on a single source in the last 90 days for the first time (newly observed) | Last 90 Days |
| Cyber Exploit Signal: Critical | High | Other | Current Cyber Exploit Reporting trend analytic is at Critical level | Current |
| Domain With DKIM Record With Weak Encryption | High | Hygiene | Company domain with a DKIM record that has an encryption strength less than 1024 bits | Current |
| High Volume of Attention on High-Tier Forums | Moderate | Dark Web | Dark Web High-Tier Forum users have extensively talked about your company, sold accounts to your platform, or discussed using your platform for suspicious activities | All Time |
| High Volume of Attention on Dark Web Markets | Moderate | Dark Web | Dark Web Market users have extensively talked about your company, sold accounts to your platform, or discussed using your platform for suspicious activities | All Time |
| High Volume of Recent Attention on High-Tier Forums | Moderate | Dark Web | Dark Web High-Tier Forum users have talked about you extensively recently and are likely selling accounts or abusing your platform | Last 90 Days |
| High Volume of Recent Attention on Dark Web Markets | Moderate | Dark Web | Dark Web Market users have talked about you extensively recently and are likely selling accounts or abusing your platform | Last 90 Days |
| Recent Typosquat Similarity to Company Domain - DNS Sandwich | Moderate | Domain | A high volume of typosquats were detected as DNS Sandwich typosquats (e.g. excitingoffer.recordedfuture.com.suspicious.site.com) | Last 90 Days |
| Recent Typosquat Similarity to Company Domain - Punycode Typo or Homograph | Moderate | Domain | A high volume of typosquats were detected as Punycode or Homograph typosquats (e.g. go.recodedfuture.com or xn--ecordedfuture-9pc.com) | Last 90 Days |
| Domain With Overly Permissive SPF Record | Moderate | Hygiene | Company domain has a loose policy statement (?all) | Current |
| Domain With Multiple SPF Records | Moderate | Hygiene | Company domain has multiple SPF records | Current |
| Domain With Expired SSL/TLS Certificate | Moderate | Hygiene | Company domain with an expired certificate | Current |
| Domain With Self-Signed SSL/TLS Certificate | Moderate | Hygiene | Company domain where subject and issuer names are the same | Current |
| Domain With Insecure SSL Protocol | Moderate | Hygiene | Company domain using SSL 2.0 or SSL 3.0 protocols | Current |
| Domain With Deprecated TLS Protocol | Moderate | Hygiene | Company domain using TLS 1.0 or 1.1 protocols | Current |
| Domain With SSL/TLS Configuration With High-Risk Vulnerability | Moderate | Hygiene | Company domain with known SSL/TLS configuration vulnerability | Current |
| Domain With Ineffective HSTS Configuration | Moderate | Hygiene | Company domain with ineffective HSTS max-age configuration | Current |
| Possible IT Policy Violations | Moderate | IP Address | Hosting a Honeypot | Current |
| Infections Recently Reported in Company Infrastructure | Moderate | IP Address | Host of suspicious DNS names (fast flux, cluster of DDNS names), Infection reports on threat lists with higher credibility and fidelity, External honeypots report suspicious traffic | Last 14 Days |
| Recent Possible Malware in Company Infrastructure | Moderate | IP Address | Target of IP connection from Malware Sample Analysis | Last 42 Days |
| High Volume of Exposed Credentials | Moderate | Leaked Credentials | A high volume of company email addresses with passwords were exposed (all-time) | All Time |
| Recent High Volume of Exposed Email Addresses | Moderate | Leaked Credentials | A high volume of company email addresses were recently exposed | Last 90 Days |
| High Volume of Exposed Email Addresses | Moderate | Leaked Credentials | A high volume of company email addresses were exposed (all-time) | All Time |
| Recent High Volume of Exposed Credentials | Moderate | Leaked Credentials | A high volume of company email addresses with passwords were recently exposed | Last 90 Days |
| Cyber Exploit Signal: Important | Moderate | Other | Current Cyber Exploit Reporting trend analytic is at Important level | Current |
| Company Website Using Technology Version With High-Risk Vulnerability | Moderate | Other | Company websites are running products affected by high-risk CVEs. Different patching methods and software fixes may need to be taken into account when reviewing this information. | All Time |
| Company Website Using Unsupported Technology Version | Moderate | Technology | Company website is running a software version that is no longer supported by the manufacturer. (See Unsupported Technology Versions) | All Time |
| Historical Security Breach Disclosure | Informational | Breach or Incident Reporting | Company reported a data breach more than 30 days ago. | Before Last 90 Days |
| Historical Validated Cyber Attack | Informational | Breach or Incident Reporting | Insikt Group assessed/validated a significant cyber event affecting this company over 30 days ago. | Before Last 90 Days |
| Historical Attention on Ransomware Extortion Website | Informational | Breach or Incident Reporting | Company is mentioned on a Ransomware Extortion Website before the last 90 days. | Before Last 90 Days |
| Attention on High-Tier Forums | Informational | Dark Web | Dark Web High-Tier Forum users have talked about you before and may sell accounts to or use your platform for suspicious activities. | All Time |
| Attention on Dark Web Markets | Informational | Dark Web | Dark Web Market users have talked about you before and may sell accounts to or use your platform for suspicious activities. | All Time |
| Recent Attention on High-Tier Forums | Informational | Dark Web | Dark Web High-Tier Forum users have talked about you recently and might be selling accounts or abusing your platform. | Last 90 Days |
| Recent Attention on Dark Web Markets | Informational | Dark Web | Dark Web Market users have talked about you recently and might be selling accounts or abusing your platform. | Last 90 Days |
| Recent Typosquat Similarity to Company Domain - Non-Punycode Typo or Homograph | Informational | Domain | A high volume of typosquats were detected as a typo or Homograph but not Punycode. | Last 90 Days |
| Historical Typosquat Similarity to Company Domain - DNS Sandwich | Informational | Domain | A high volume of typosquats were detected as DNS Sandwich typosquats (e.g. excitingoffer.recordedfuture.com.suspicious.site.com) | Before Last 90 Days |
| Historical Typosquat Similarity to Company Domain - Punycode Typo or Homograph | Informational | Domain | A high volume of typosquats were detected as Punycode or Homograph typosquats (e.g. go.recodedfuture.com or xn--ecordedfuture-9pc.com) | Before Last 90 Days |
| Historical Typosquat Similarity to Company Domain - Non-Punycode Typo or Homograph | Informational | Domain | A high volume of typosquats were detected as a typo or Homograph but not Punycode. | Before Last 90 Days |
| Domain With Missing DMARC Record | Informational | Hygiene | Email sending domain without a DMARC record | Current |
| Historical Misconfigurations and Vulnerabilities in Company Infrastructure | Informational | IP Address | Servers insecurely configured as Open Proxies, Spam mail sender, or Vulnerable host detected by external scanner | Before Last 14 Days |
| Infections Historically Reported in Company Infrastructure | Informational | IP Address | Host of suspicious DNS names (fast flux, cluster of DDNS names), Infection reports on threat lists with higher credibility and fidelity, External honeypots report suspicious traffic | Before Last 14 Days |
| Historical Possible Malware in Company Infrastructure | Informational | IP Address | Target of IP connection from Malware Sample Analysis | Before Last 42 Days |
| Historical High-Impact Abuse of Company Infrastructure | Informational | IP Address | Hosting Command & Control server or URL, Hosting Phishing site or URL, or Hosting Malware download site or URL | Before Last 56 Days |
| Recent Misconfigurations and Vulnerabilities in Company Infrastructure | Informational | IP Address | Servers insecurely configured as Open Proxies, Spam mail sender, or Vulnerable host detected by external scanner | Last 14 Days |
| Recent Low-Conviction Communication With C&C Server* | Informational | IP Address | Communication between an IP address belonging to the company and a potential malware command and control server (see Network Traffic Analysis) has been observed, but the signal does not explicitly indicate malicious or programmatic behavior. | Last 30 Days |
| Recent Exposed Email Addresses | Informational | Leaked Credentials | Company email addresses were recently exposed | Last 90 Days |
| Exposed Email Addresses | Informational | Leaked Credentials | Company email addresses were exposed (all-time) | All Time |
| Single-Document Email Address Exposure | Informational | Leaked Credentials | Company email addresses were seen on a single source for the first time (newly observed all-time) | All Time |
| Recent Exposed Credentials | Informational | Leaked Credentials | Company email addresses with passwords were recently exposed | Last 90 Days |
| Exposed Credentials | Informational | Leaked Credentials | Company email addresses with passwords were exposed (all-time) | All Time |
| Single-Document Credential Exposure | Informational | Leaked Credentials | Company email addresses with passwords were seen on a single source for the first time (newly observed all-time) | All Time |
| Cyber Exploit Signal: Medium | Informational | Trend | Current Cyber Exploit Reporting trend analytic is at Medium level | Current |
| Company Website Using Often-Exploited Technology | Informational | Other | Company websites are running affected products of CVEs and technologies known to be exploited often. | All Time |
| Historically Reported by Insikt Group | Informational | Threat Research | Insikt Group has reported on this company more than 30 days ago | Before Last 28 Days |
| Recently Reported by Insikt Group | Informational | Threat Research | Insikt Group has reported on this company in the past 30 days | Last 28 Days |
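Several of the Hygiene rules in the table (Unrestricted SPF Record, Overly Permissive SPF Record, Multiple SPF Records, Missing DMARC Record, Ineffective HSTS Configuration) describe conditions a company can verify on its own domain before the rule ever fires. The following Python script is an added example, not CyberGRX or Recorded Future code: it evaluates DNS TXT records and an HTTP Strict-Transport-Security header that the caller supplies against those five rules. The rule names are copied from the table; the HSTS threshold of 180 days and the sample records (all constructed, using the RFC 5737 documentation range) are assumptions, since the table does not state what max-age Recorded Future considers effective.

```python
import re

# Rule names as they appear in the ruleset table above
RULE_SPF_UNRESTRICTED = "Domain With Unrestricted SPF Record"
RULE_SPF_PERMISSIVE = "Domain With Overly Permissive SPF Record"
RULE_SPF_MULTIPLE = "Domain With Multiple SPF Records"
RULE_DMARC_MISSING = "Domain With Missing DMARC Record"
RULE_HSTS_INEFFECTIVE = "Domain With Ineffective HSTS Configuration"

# Assumption: the table does not say which max-age Recorded Future treats as
# effective; this example treats anything under 180 days as ineffective.
HSTS_MIN_MAX_AGE = 180 * 24 * 3600


def check_spf(apex_txt_records):
    """Evaluate the TXT records published at the apex domain against the three SPF rules."""
    spf_records = [r for r in apex_txt_records if r.lower().startswith("v=spf1")]
    findings = set()
    if len(spf_records) > 1:
        # RFC 7208 allows at most one SPF record; receivers treat several as a permanent error
        findings.add(RULE_SPF_MULTIPLE)
    for record in spf_records:
        for term in record.split()[1:]:
            t = term.lower()
            # A mechanism without a qualifier defaults to "+", so a bare "all" equals "+all"
            if t in ("+all", "all"):
                findings.add(RULE_SPF_UNRESTRICTED)
            elif t == "?all":
                findings.add(RULE_SPF_PERMISSIVE)
    return findings


def check_dmarc(dmarc_txt_records):
    """Evaluate the TXT records at _dmarc.<domain>; as in the table, only presence is checked."""
    if any(r.lower().startswith("v=dmarc1") for r in dmarc_txt_records):
        return set()
    return {RULE_DMARC_MISSING}


def check_hsts(sts_header):
    """Evaluate a Strict-Transport-Security header value (None when the header is absent)."""
    if sts_header is None:
        return set()  # the rule is about an ineffective max-age, not a missing header
    match = re.search(r'max-age\s*=\s*"?(\d+)', sts_header, re.IGNORECASE)
    if match is None or int(match.group(1)) < HSTS_MIN_MAX_AGE:
        return {RULE_HSTS_INEFFECTIVE}
    return set()


def evaluate_domain(apex_txt_records, dmarc_txt_records, sts_header):
    """Return the sorted list of hygiene rules the supplied records would trigger."""
    return sorted(check_spf(apex_txt_records)
                  | check_dmarc(dmarc_txt_records)
                  | check_hsts(sts_header))


# Constructed sample input; 192.0.2.0/24 is the RFC 5737 documentation range
WEAK_DOMAIN = (
    ["v=spf1 include:_spf.example.net +all", "v=spf1 ip4:192.0.2.0/24 -all"],
    [],                     # nothing published at _dmarc.<domain>
    "max-age=0",            # HSTS effectively switched off
)
HARDENED_DOMAIN = (
    ["v=spf1 ip4:192.0.2.0/24 -all"],
    ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    "max-age=31536000; includeSubDomains",
)

if __name__ == "__main__":
    for name, inputs in (("weak", WEAK_DOMAIN), ("hardened", HARDENED_DOMAIN)):
        print(name, evaluate_domain(*inputs) or "no hygiene findings")
```

To run it against a real domain, replace the constructed tuples with the TXT records returned by your resolver for the apex name and for `_dmarc.<domain>`, and with the `Strict-Transport-Security` value from an HTTPS response; the checks themselves are pure functions and need no network access.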
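The three Typosquat Similarity rule families in the table (DNS Sandwich, Punycode Typo or Homograph, Non-Punycode Typo or Homograph) are a useful triage scheme for lookalike domains a defender collects from certificate-transparency logs or new-registration feeds. The classifier below is an added example, not CyberGRX or Recorded Future code, and follows the rule names literally rather than any undocumented logic on Recorded Future's side. It assumes the registrable name is the last two labels (no public-suffix list), compares the ASCII part of a Punycode label (the part before the encoded delta) to the company name, and treats an edit distance of at most 2 as a typo; the company domain and the candidate list are constructed from the examples in the table.

```python
COMPANY_DOMAIN = "recordedfuture.com"  # taken from the table's own examples
MAX_EDIT_DISTANCE = 2                  # assumption: how far a label may differ and still count as a typo


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming over two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def second_level_label(domain):
    """Assumption: registrable name is the last two labels, so the SLD is the second-to-last."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_lookalike(candidate, company_domain=COMPANY_DOMAIN):
    """Map an observed domain to one of the table's typosquat families, or None."""
    cand = candidate.lower().rstrip(".")
    if cand == company_domain or cand.endswith("." + company_domain):
        return None  # the company's own domain or a legitimate name beneath it

    labels = cand.split(".")
    company_labels = company_domain.split(".")
    n = len(company_labels)
    # DNS sandwich: the company's labels appear verbatim, but more labels follow them,
    # so the name really belongs to whatever registrable suffix comes last
    for i in range(len(labels) - n):
        if labels[i:i + n] == company_labels:
            return "DNS Sandwich"

    sld = second_level_label(cand)
    company_sld = company_labels[0]
    if sld.startswith("xn--"):
        # Punycode keeps the ASCII code points verbatim before a hyphen and the encoded
        # delta; comparing that prefix is enough to spot a homograph of the company name
        ascii_part = sld[4:].rsplit("-", 1)[0]
        if edit_distance(ascii_part, company_sld) <= MAX_EDIT_DISTANCE:
            return "Punycode Typo or Homograph"
        return None

    distance = edit_distance(sld, company_sld)
    if 1 <= distance <= MAX_EDIT_DISTANCE:
        return "Non-Punycode Typo or Homograph"
    return None  # identical SLD under another TLD, or simply unrelated


# Constructed candidate list, as a defender might pull from a CT-log or new-domain feed
SAMPLE_CANDIDATES = [
    "excitingoffer.recordedfuture.com.suspicious.site.com",
    "xn--ecordedfuture-9pc.com",
    "recodedfuture.com",
    "login.recordedfuture.com",
    "example.org",
]


def classify_all(candidates=SAMPLE_CANDIDATES):
    """Classify every candidate; unrelated or legitimate names map to None."""
    return {c: classify_lookalike(c) for c in candidates}


if __name__ == "__main__":
    for domain, family in classify_all().items():
        print(f"{domain:55} {family}")
```

The order of the checks matters: the sandwich test runs first because a sandwich can contain the company's exact labels and would otherwise be dismissed as legitimate, and Punycode labels are compared on their ASCII prefix because the decoded homograph differs from the company name by the inserted non-ASCII characters only.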
Support:
For questions / discrepancies / disputes on rules, contact cybergrx@recordedfuture.com directly. Please make sure to put CyberGRX in the subject line to be routed accordingly.