ProcessUnity GRX is on a mission to map the cyber security profile of every organization around the globe. As part of this mission, we have partnered with Recorded Future to provide threat intelligence and data insights for all Customers and Third Parties within the GRX platform along with continuous Risk Monitoring and Alerting.
Recorded Future is a leader in threat intelligence that helps identify potential breaches as well as brand abuse across third parties. Recorded Future can assist in proactively and continuously evaluating third parties and how their credentials, sensitive information and brand name are traded across the deep, dark and social webs.
Why Is Risk Monitoring and Alerting Important?
Most companies end up finding out about a breach at one of their third parties from a news headline. With the new Risk Monitoring & Alerting capabilities, you have visibility into potential breaches of third parties in your portfolio in near real time, along with a weekly digest email. You also get the context needed to assess the possible impact on your business and to work with the affected Third Party to assess and manage the risk.
Third Parties or Customers with a critical high-risk alert or potential breach event on their own company receive an email within 24 hours, along with an in-platform notification. Customers receive a weekly digest summary email if any third party in their portfolio has triggered a critical risk rule event.
Company Profile/Notifications
View Your Own Organization
- Accessible from the My Company Profile Page
- Recorded Future Widget with Risk Summary
- Detailed view of triggered rules to help drive proactive mitigation and issue tracking
- Individual domain ratings insights from Risk Recon that are used to derive the overall rating
View a Third Party
- Accessible from any Company Profile Page
- Recorded Future Widget with Risk Summary
- Summary of triggered rules to support probing and investigation of the Third Party
- Individual domain ratings insights from Risk Recon that are used to derive the overall rating
Note: Users assigned to the Account Admin or TP Portfolio Manager user roles will receive the off-platform notifications about any relevant First or Third-Party events.
For questions/discrepancies/disputes on rules, contact cybergrx@recordedfuture.com directly.
Recorded Future Ruleset
The 7 Categories of Third-Party Risk
- Breach or Incident Reporting
- Leaked Credentials
- Hygiene
- IP Address
- Dark Web
- Domain
- Threat Research
Some rules in the table below carry the additional category labels Other, Technology, Security Incidents and Trend.
Severity Scale
- Very High (90-99): very high severity threats observed
- High (65-89): indicators of high severity threats and elevated cyber risk observed
- Moderate (25-64): indicators of moderate threats and cyber risk observed over time
- Informational (5-24): important for general situational awareness
Risk Rules & Risk Categories
| Rule Name | Criticality | Rule Category | Description | Time Frame |
|---|---|---|---|---|
| Recent Security Breach Disclosure | Very High | Breach or Incident Reporting | Company reported a data breach in the last 90 days | Last 90 Days |
| Recent Validated Cyber Attack | Very High | Breach or Incident Reporting | Insikt Group assessed/validated a significant cyber event affecting this company in the last 90 days | Last 90 Days |
| Recent Reported Cyber Attack | High | Breach or Incident Reporting | Recorded Future has assessed a reported cyber attack affecting the company in the last 90 days | Last 90 Days |
| Recent Attention on Ransomware Extortion Websites | High | Breach or Incident Reporting | Company is mentioned on a Ransomware Extortion Website in the last 90 days | Last 90 Days |
| Domain With Unrestricted SPF Record | High | Hygiene | Company domain has an unrestricted policy statement (+all) | Current |
| Likely IT Policy Violations | High | IP Address | Hosting a TOR network node | Current |
| Recent High-Impact Abuse of Company Infrastructure | High | IP Address | Hosting Command & Control server or URL, Hosting Phishing site or URL, or Hosting Malware download site or URL | Last 56 Days |
| Hosts Recently Communicating With C&C Server* | High | IP Address | An IP address belonging to the company has been observed recently communicating with a known malware command and control server on uncommon ports. | Last 30 Days |
| Cyber Exploit Signal: Critical | High | Other | Current Cyber Exploit Reporting trend analytic is at Critical level | Current |
| Domain With DKIM Record With Weak Encryption | High | Hygiene | Company domain with a DKIM record whose public key is shorter than 1024 bits | Current |
| Domain With Improperly Configured DKIM Record | High | Hygiene | Company domain with a DKIM record that has been improperly configured | Current |
| High Volume of Attention on High-Tier Forums | Moderate | Dark Web | Dark Web High-Tier Forum users have extensively talked about your company, sold accounts to your platform, or discussed using your platform for suspicious activities | All Time |
| High Volume of Attention on Dark Web Markets | Moderate | Dark Web | Dark Web Market users have extensively talked about your company, sold accounts to your platform, or discussed using your platform for suspicious activities | All Time |
| High Volume of Recent Attention on High-Tier Forums | Moderate | Dark Web | Dark Web High-Tier Forum users have talked about you extensively recently and are likely selling accounts or abusing your platform | Last 90 Days |
| High Volume of Recent Attention on Dark Web Markets | Moderate | Dark Web | Dark Web Market users have talked about you extensively recently and are likely selling accounts or abusing your platform | Last 90 Days |
| Recent Typosquat Similarity to Company Domain - DNS Sandwich | Moderate | Domain | A high volume of typosquats were detected as DNS Sandwich typosquats (e.g. excitingoffer.recordedfuture.com.suspicious.site.com) | Last 90 Days |
| Recent Typosquat Similarity to Company Domain - Punycode Typo or Homograph | Moderate | Domain | A high volume of typosquats were detected as Punycode or Homograph typosquats (e.g. go.recodedfuture.com or xn--ecordedfuture-9pc.com) | Last 90 Days |
| Domain With Overly Permissive SPF Record | Moderate | Hygiene | Company domain has a loose policy statement (?all) | Current |
| Domain With Multiple SPF Records | Moderate | Hygiene | Company domain has multiple SPF records | Current |
| Domain With Expired SSL/TLS Certificate | Moderate | Hygiene | Company domain with an expired certificate | Current |
| Domain With Self-Signed SSL/TLS Certificate | Moderate | Hygiene | Company domain where subject and issuer names are the same | Current |
| Domain With Insecure SSL Protocol | Moderate | Hygiene | Company domain using SSL 2.0 or SSL 3.0 protocols | Current |
| Domain With Deprecated TLS Protocol | Moderate | Hygiene | Company domain using TLS 1.0 or 1.1 protocols | Current |
| Domain With SSL/TLS Configuration With High-Risk Vulnerability | Moderate | Hygiene | Company domain with a known SSL/TLS configuration vulnerability | Current |
| Domain With Ineffective HSTS Configuration | Moderate | Hygiene | Company domain with an ineffective HSTS max-age configuration | Current |
| Possible IT Policy Violations | Moderate | IP Address | Hosting a Honeypot | Current |
| Infections Recently Reported in Company Infrastructure | Moderate | IP Address | Host of suspicious DNS names (fast flux, cluster of DDNS names), infection reports on threat lists with higher credibility and fidelity, external honeypots reporting suspicious traffic | Last 14 Days |
| Recent Possible Malware in Company Infrastructure | Moderate | IP Address | Target of IP connection from Malware Sample Analysis | Last 42 Days |
| Company IPs with often-exploited open ports | Moderate | IP Address | Company-owned infrastructure identified via the associated IPs has been found to have often-exploited ports open. | Current |
| Recent High Volume of Exposed Credentials | Moderate | Leaked Credentials | A high volume of company email addresses (20 or more) with passwords were exposed | Last 90 Days |
| Cyber Exploit Signal: Important | Moderate | Other | Current Cyber Exploit Reporting trend analytic is at Important level | Current |
| Company Website Using Technology Version With High-Risk Vulnerability | Moderate | Other | Company websites are running products affected by high-risk CVEs. Different patching methods and software fixes may need to be taken into account when reviewing this information. | Current |
| Company Website Using Unsupported Technology Version | Moderate | Technology | Company website is running a software version that is no longer supported by the manufacturer. (See Unsupported Technology Versions) | Last 90 Days |
| Suspected Recent DDoS Attack Target | Moderate | Security Incidents | Recorded Future suspects that this company was the target of a DDoS attack within the last 90 days | Last 90 Days |
| Historical Security Breach Disclosure | Informational | Breach or Incident Reporting | Company reported a data breach more than 90 days ago. | Before Last 90 Days |
| Historical Validated Cyber Attack | Informational | Breach or Incident Reporting | Insikt Group assessed/validated a significant cyber event affecting this company more than 90 days ago. | Before Last 90 Days |
| Historical Reported Cyber Attack | Informational | Breach or Incident Reporting | Recorded Future assessed a reported cyber attack affecting this company more than 90 days ago. | Before Last 90 Days |
| Historical Attention on Ransomware Extortion Website | Informational | Breach or Incident Reporting | Company is mentioned on a Ransomware Extortion Website before the last 90 days. | Before Last 90 Days |
| Attention on High-Tier Forums | Informational | Dark Web | Dark Web High-Tier Forum users have talked about you before and may sell accounts to or use your platform for suspicious activities. | All Time |
| Attention on Dark Web Markets | Informational | Dark Web | Dark Web Market users have talked about you before and may sell accounts to or use your platform for suspicious activities. | All Time |
| Recent Attention on High-Tier Forums | Informational | Dark Web | Dark Web High-Tier Forum users have talked about you recently and might be selling accounts or abusing your platform. | Last 90 Days |
| Recent Attention on Dark Web Markets | Informational | Dark Web | Dark Web Market users have talked about you recently and might be selling accounts or abusing your platform. | Last 90 Days |
| Recent Typosquat Similarity to Company Domain - Non-Punycode Typo or Homograph | Informational | Domain | A high volume of typosquats were detected as a typo or homograph but not Punycode. | Last 90 Days |
| Historical Typosquat Similarity to Company Domain - DNS Sandwich | Informational | Domain | A high volume of typosquats were detected as DNS Sandwich typosquats (e.g. excitingoffer.recordedfuture.com.suspicious.site.com) | Before Last 90 Days |
| Historical Typosquat Similarity to Company Domain - Punycode Typo or Homograph | Informational | Domain | A high volume of typosquats were detected as Punycode or Homograph typosquats (e.g. go.recodedfuture.com or xn--ecordedfuture-9pc.com) | Before Last 90 Days |
| Historical Typosquat Similarity to Company Domain - Non-Punycode Typo or Homograph | Informational | Domain | A high volume of typosquats were detected as a typo or homograph but not Punycode. | Before Last 90 Days |
| Domain With Missing DMARC Record | Informational | Hygiene | Email sending domain without a DMARC record | Current |
| Historical Misconfigurations and Vulnerabilities in Company Infrastructure | Informational | IP Address | Servers insecurely configured as Open Proxies, Spam mail sender, or Vulnerable host detected by external scanner | Before Last 14 Days |
| Infections Historically Reported in Company Infrastructure | Informational | IP Address | Host of suspicious DNS names (fast flux, cluster of DDNS names), infection reports on threat lists with higher credibility and fidelity, external honeypots reporting suspicious traffic | Before Last 14 Days |
| Historical Possible Malware in Company Infrastructure | Informational | IP Address | Target of IP connection from Malware Sample Analysis | Before Last 42 Days |
| Historical High-Impact Abuse of Company Infrastructure | Informational | IP Address | Hosting Command & Control server or URL, Hosting Phishing site or URL, or Hosting Malware download site or URL | Before Last 56 Days |
| Recent Misconfigurations and Vulnerabilities in Company Infrastructure | Informational | IP Address | Servers insecurely configured as Open Proxies, Spam mail sender, or Vulnerable host detected by external scanner | Last 14 Days |
| Recent Low-Conviction Communication With C&C Server* | Informational | IP Address | Communication between an IP address belonging to the company and a potential malware command and control server (see Network Traffic Analysis) has been observed, but the signal does not explicitly indicate malicious or programmatic behavior. | Last 30 Days |
| High Volume of Exposed Credentials | Informational | Leaked Credentials | A high volume of company email addresses (200 or more) with passwords were exposed (all-time) | All Time |
| Recent Exposed Credentials | Informational | Leaked Credentials | 5 or more company email addresses with passwords were recently exposed | Last 90 Days |
| Exposed Credentials | Informational | Leaked Credentials | 20 or more company email addresses with passwords were exposed (all-time) | All Time |
| Cyber Exploit Signal: Medium | Informational | Trend | Current Cyber Exploit Reporting trend analytic is at Medium level | Current |
| Company Website Using Often-Exploited Technology | Informational | Other | Company websites are running products affected by CVEs and technologies known to be exploited often. | All Time |
| Historically Reported by Insikt Group | Informational | Threat Research | Insikt Group has reported on this company more than 28 days ago | Before Last 28 Days |
| Recently Reported by Insikt Group | Informational | Threat Research | Insikt Group has reported on this company in the past 28 days | Last 28 Days |
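The SPF, DKIM and DMARC Hygiene rules in the table can be reproduced locally from a domain's TXT records, which is useful when disputing a finding or checking a fix before the next scan. The script below is an added example written for this page, not ProcessUnity or Recorded Future code. It takes DNS answers from a constructed in-memory zone so it runs offline (replace `sample_lookup` with a real TXT resolver to use it on a live domain), applies the thresholds stated in the table (`+all`, `?all`, more than one SPF record, an RSA DKIM key under 1024 bits, no DMARC record) and returns the names of the rules that would fire. The DKIM key in the sample zone is a synthetic modulus built only so the `p=` tag parses; it is not a usable key, and the DER walker handles nothing beyond an RSA SubjectPublicKeyInfo.

```python
"""Offline checker for the SPF/DKIM/DMARC hygiene rules above (added example, not vendor code).
DNS answers come from a dict of constructed records; swap `sample_lookup` for a real resolver."""
import base64

def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when the body is >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; IndexError if truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def make_dummy_rsa_spki(bits: int) -> str:
    """Base64 RSA SubjectPublicKeyInfo whose modulus is exactly `bits` long.
    The modulus is a synthetic constant, NOT a real key; it only makes sample p= tags parse."""
    modulus = (1 << (bits - 1)) | 1
    n = b"\x00" + modulus.to_bytes(bits // 8, "big")      # leading 0x00 keeps the INTEGER positive
    e = (65537).to_bytes(3, "big")
    rsa_pub = _der(0x30, _der(0x02, n) + _der(0x02, e))
    alg_id = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
    return base64.b64encode(_der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))).decode()

def rsa_modulus_bits(p_b64: str) -> int:
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> modulus and return its bit length."""
    _, spki, _ = _read_tlv(base64.b64decode(p_b64))
    _, _alg, pos = _read_tlv(spki)
    _, bitstr, _ = _read_tlv(spki, pos)
    _, rsa_pub, _ = _read_tlv(bitstr[1:])                  # bitstr[0] is the unused-bits octet
    _, modulus, _ = _read_tlv(rsa_pub)
    return int.from_bytes(modulus, "big").bit_length()

def _tags(record: str) -> dict:
    """Parse a 'k=v; k=v' DKIM or DMARC record into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def check_spf(txt: list) -> list:
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    findings = ["Domain With Multiple SPF Records"] if len(spf) > 1 else []
    for record in spf:
        terms = [t.lower() for t in record.split()[1:]]
        # RFC 7208: the first "all" mechanism decides; a bare "all" means "+all".
        final = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
        if final in ("all", "+all"):
            findings.append("Domain With Unrestricted SPF Record")
        elif final == "?all":
            findings.append("Domain With Overly Permissive SPF Record")
    return findings

def check_dkim(txt: list, min_bits: int = 1024) -> list:
    findings = []
    for record in txt:
        tags = _tags(record)
        if "p" not in tags or tags.get("v", "DKIM1") != "DKIM1":
            findings.append("Domain With Improperly Configured DKIM Record")
        elif tags["p"] == "" or tags.get("k", "rsa") != "rsa":
            continue  # empty p= is an explicit revocation (RFC 6376); ed25519 keys are fixed-size
        else:
            try:
                if rsa_modulus_bits(tags["p"]) < min_bits:
                    findings.append("Domain With DKIM Record With Weak Encryption")
            except (ValueError, IndexError):              # bad base64 or not an RSA SPKI
                findings.append("Domain With Improperly Configured DKIM Record")
    return findings

def check_dmarc(txt: list) -> list:
    return [] if any(_tags(r).get("v") == "DMARC1" for r in txt) else ["Domain With Missing DMARC Record"]

def check_domain(lookup_txt, domain: str, selector: str) -> list:
    """Run all three checks; `lookup_txt(name)` must return the TXT strings for a DNS name."""
    return (check_spf(lookup_txt(domain))
            + check_dkim(lookup_txt(f"{selector}._domainkey.{domain}"))
            + check_dmarc(lookup_txt(f"_dmarc.{domain}")))

# Constructed sample zone: two SPF records (one ending in +all), a 512-bit DKIM key, no DMARC.
SAMPLE_ZONE = {
    "example.test": ["v=spf1 include:_spf.example.test +all", "v=spf1 ip4:192.0.2.0/24 -all"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=" + make_dummy_rsa_spki(512)],
}

def sample_lookup(name: str) -> list:
    return SAMPLE_ZONE.get(name, [])
```

Calling `check_domain(sample_lookup, "example.test", "sel1")` on the sample zone returns four findings: Multiple SPF Records, Unrestricted SPF Record, DKIM Record With Weak Encryption and Missing DMARC Record. Note that the second SPF record ends in `-all`; it does not rescue the domain, because a receiver that finds two SPF records treats the result as a permanent error, which is why the page rates multiple records as its own rule.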
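The Domain rules split typosquats into three shapes: a DNS sandwich (the company domain buried inside a hostname whose registrable domain is someone else's), a Punycode or homograph domain, and a plain typo. The classifier below is an added example for this page, not Recorded Future's detection logic. It approximates the registrable domain as the last two labels (an assumption; a real tool would consult the Public Suffix List), treats a registrable domain within one edit of the company's as a typo, and runs over the page's own recordedfuture.com examples plus one constructed Cyrillic-o homograph and one legitimate subdomain.

```python
"""Classify candidate hostnames by typosquat shape (added example, not vendor code).
Assumption: registrable domain = last two labels; real tooling should use the Public Suffix List."""

def registrable(host: str) -> str:
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by the standard row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, company: str) -> tuple:
    """Return (category, detail); categories mirror the Domain rule names above."""
    cand, comp = candidate.lower().rstrip("."), company.lower()
    labels, comp_labels = cand.split("."), comp.split(".")
    reg = registrable(cand)
    if reg == comp:
        return "No match", f"{cand} is a hostname under {comp} itself"
    # DNS sandwich: the company domain appears as consecutive labels inside a host
    # whose registrable domain belongs to someone else (the table's suspicious.site.com).
    for i in range(len(labels) - len(comp_labels) + 1):
        if labels[i:i + len(comp_labels)] == comp_labels:
            return "DNS Sandwich", f"{comp} embedded under {reg}"
    # Punycode: any xn-- label; show the Unicode form, since that is what a victim sees.
    if any(label.startswith("xn--") for label in labels):
        try:
            shown = cand.encode("ascii").decode("idna")
        except UnicodeError:                      # label does not round-trip as IDNA
            shown = cand
        return "Punycode Typo or Homograph", f"renders as {shown}"
    # Non-Punycode typo: the registrable domain is within one edit of the company's.
    if levenshtein(reg, comp) <= 1:
        return "Non-Punycode Typo or Homograph", f"{reg} is one edit from {comp}"
    return "No match", ""

COMPANY = "recordedfuture.com"
# Inputs: the table's own examples, one constructed Cyrillic-o homograph, one real subdomain.
SAMPLE_CANDIDATES = [
    "excitingoffer.recordedfuture.com.suspicious.site.com",
    "rec\u043erdedfuture.com".encode("idna").decode("ascii"),   # U+043E, not Latin 'o'
    "xn--ecordedfuture-9pc.com",
    "go.recodedfuture.com",
    "login.recordedfuture.com",
]

def classify_all(candidates=SAMPLE_CANDIDATES, company=COMPANY) -> list:
    return [(c, *classify(c, company)) for c in candidates]

if __name__ == "__main__":
    for host, category, detail in classify_all():
        print(f"{category:32} {host:55} {detail}")
```

The order of the checks matters: the sandwich test runs first because a sandwich can also contain an `xn--` label, and the edit-distance test runs last because it is the loosest. Widening the typo threshold beyond one edit quickly starts matching unrelated domains, which is one reason the table rates the non-Punycode variant only Informational.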
The number of total triggered risk rules in the portal does not match the number of risk rules in the article.
Some risk rules are mutually exclusive. For instance, Cyber Exploit Signal: Critical and Cyber Exploit Signal: Medium will never be displayed on a company intelligence card at the same time. The total shown in the portal is therefore the number of risk rules that can be triggered at a single point in time, which is lower than the number of rules listed in this article. This support article defines all risk rules related to Third-Party Intelligence.
Support:
For questions / discrepancies / disputes on rules, contact cybergrx@recordedfuture.com directly. Please make sure to put ProcessUnity GRX in the subject line to be routed accordingly.