Third-Party Risk Rules

Recorded Future's Third-Party Risk module includes over two dozen risk rules enabling you to evaluate 100,000 of the world's largest companies. A list of risk rules with definitions and what we think they might mean to you or your companies of interest can be found below.

For more information on Third-Party Risk, please talk to your sales representative. A subscribers-only list with detailed criteria can be found here.

| Rule | Definition |
| --- | --- |
| Recent Security Breach Disclosure | This company may have urgent sensitive information in the wild due to a recent security breach. |
| Recent Validated Cyber Attack | Validated reporting by Recorded Future's Insikt Group indicates a company has recently experienced a cyber attack, breach, or event that placed the company's information assets at risk. |
| Historical Security Breach Disclosure | This company may have sensitive information in the wild due to a security breach in the past. |
| Historical Validated Cyber Attack | Validated reporting by Recorded Future's Insikt Group indicates a company has experienced a recent cyber attack, breach, or event that placed the company's information assets at risk. |
| High Volume of Attention on High-Tier Forums | Dark Web attention often correlates with more threat activity against a company, increasing the likelihood of attack. |
| High Volume of Attention on Dark Web Markets | Attention on Dark Web markets may indicate illicit sale of company assets or accounts, or fraud schemes. |
| High Volume of Recent Attention on High-Tier Forums | High volume of recent Dark Web attention indicates potential fraud schemes, exploit/attack discussion, or threat actor chatter about this company. |
| High Volume of Recent Attention on Dark Web Markets | Attention on Dark Web markets may indicate illicit sale of company assets or accounts, or fraud schemes. |
| Attention on High-Tier Forums | Dark Web attention often correlates with more threat activity against a company, increasing the likelihood of attack. |
| Attention on Dark Web Markets | Attention on Dark Web markets may indicate illicit sale of company assets or accounts, or fraud schemes. |
| Recent Attention on High-Tier Forums | Recent Dark Web attention often correlates with more threat activity against a company, increasing the likelihood of attack. |
| Recent Attention on Dark Web Markets | Recent attention on Dark Web markets may indicate illicit sale of company assets or accounts, or fraud schemes. |
| Recent Typosquat Similarity to Company Domain - DNS Sandwich | Recent typosquatting-style similarity to existing corporate domains is a potential indication of domain abuse (such as phishing), defensive registration, or targeting by threat actors. |
| Recent Typosquat Similarity to Company Domain - Punycode Typo or Homograph | Recent punycode typo or homograph typosquatting-style similarity to existing corporate domains indicates possible social engineering attempts to fool users into clicking a fraudulent web site address and indicates targeting by threat actors. |
| Recent Typosquat Similarity to Company Domain - Non-Punycode Typo or Homograph | Recent typosquatting-style similarity to existing corporate domains is a potential indication of domain abuse (such as phishing), defensive registration, or targeting by threat actors. |
| Historical Typosquat Similarity to Company Domain - DNS Sandwich | Typosquatting-style similarity to existing corporate domains is a potential indication of domain abuse (such as phishing), defensive registration, or targeting by threat actors. |
| Historical Typosquat Similarity to Company Domain - Punycode Typo or Homograph | Punycode typo or homograph typosquatting-style similarity to existing corporate domains indicates possible social engineering attempts to fool users into clicking a fraudulent web site address and indicates targeting by threat actors. |
| Historical Typosquat Similarity to Company Domain - Non-Punycode Typo or Homograph | Typosquatting-style similarity to existing corporate domains is a potential indication of domain abuse (such as phishing), defensive registration, or targeting by threat actors. |
| Likely IT Policy Violations | This company is hosting a TOR node or triggering indicators of typical IT policy violations that could subject it to increased risk of reputation damage, data loss, or serving as a conduit for abuse by threat actors. |
| Recent High-Impact Abuse of Company Infrastructure | Recent severe infrastructure abuse observed on company infrastructure indicates the company could be inadvertently supporting threat actor infrastructure. |
| Possible IT Policy Violations | This company may be triggering indicators of typical IT policy violations that subject it to increased risk of reputation damage, data loss, or serving as a conduit for abuse by threat actors. |
| Infections Recently Reported in Company Infrastructure | Company infrastructure has been associated with threat lists or reported by honeypots for suspicious internet traffic. |
| Recent Possible Malware in Company Infrastructure | Malware sandbox detonations associated with company infrastructure indicate malware is potentially communicating with company infrastructure. |
| Historical Misconfigurations and Vulnerabilities in Company Infrastructure | Company infrastructure has previously shown up in open proxy, spam mail, or vulnerable host lists, indicating potential misconfiguration or abuse of company infrastructure. |
| Infections Historically Reported in Company Infrastructure | Company infrastructure has been associated with threat lists or reported by honeypots for suspicious internet traffic in the past. |
| Historical Possible Malware in Company Infrastructure | Malware sandbox detonations associated with company infrastructure indicate malware has potentially communicated with company infrastructure in the past. |
| Historical High-Impact Abuse of Company Infrastructure | Severe infrastructure abuse observed on company infrastructure indicates the company could have inadvertently supported threat actor infrastructure in the past. |
| Recent Misconfigurations and Vulnerabilities in Company Infrastructure | Company infrastructure has recently shown up in open proxy, spam mail, or vulnerable host lists, indicating potential misconfiguration or abuse of company infrastructure. |
| Recent Single-Document Email Address Exposure | Leaks of novel email addresses belonging to a company increase risk that a threat actor is building a phishing or spam targeting list against the company. |
| Recent Single-Document Credential Exposure | Novel leaks of credentials belonging to a company increase the risk of account takeover / impersonation or compromise of company infrastructure. |
| High Volume of Exposed Credentials | Indicates corporate credentials may have been stolen and posted online, potentially subjecting the company to credential stuffing or other attacks. |
| Recent High Volume of Exposed Email Addresses | A large volume of exposed emails associated with company infrastructure provides threat actors with an opportunity to build a phishing target list against a company and indicates corporate email address use for non-business purposes. |
| High Volume of Exposed Email Addresses | A large volume of exposed emails associated with company infrastructure provides threat actors with an opportunity to build a phishing target list against a company and indicates corporate email address use for non-business purposes. |
| Recent High Volume of Exposed Credentials | Indicates corporate credentials may have recently been stolen and posted online, potentially subjecting the company to credential stuffing or other attacks. |
| Recent Exposed Email Addresses | Exposed emails associated with company infrastructure provide threat actors with an opportunity to build a phishing target list against a company and potentially indicate corporate email address use for non-business purposes. |
| Exposed Email Addresses | Exposed emails associated with company infrastructure provide threat actors with an opportunity to build a phishing target list against a company and potentially indicate corporate email address use for non-business purposes. |
| Single-Document Email Address Exposure | Leaks of novel email addresses belonging to a company increase risk that a threat actor is building a phishing or spam targeting list against the company. |
| Recent Exposed Credentials | Indicates corporate credentials may have been stolen and posted online, potentially subjecting the company to credential stuffing or other attacks. |
| Exposed Credentials | Indicates corporate credentials may have been stolen and posted online, potentially subjecting the company to credential stuffing or other attacks. |
| Single-Document Credential Exposure | Novel leaks of credentials belonging to a company increase the risk of account takeover / impersonation or compromise of company infrastructure. |
| Cyber Exploit Signal: Critical | This company is likely experiencing an ongoing cyber attack or exploit event. |
| Cyber Exploit Signal: Important | This company is likely experiencing an ongoing cyber attack or exploit event. |
| Cyber Exploit Signal: Medium | This company may be experiencing an ongoing cyber attack or exploit event. |
| Company Website Using Often-Exploited Technology | Running commonly exploited software (e.g., WordPress) or products affected by CVEs introduces increased risk of web site exploitation or attack. |
| Historically Reported by Insikt Group | Recorded Future's industry-leading Insikt Group reporting indicates the company or its infrastructure has been associated with known threat actors. |
| Recently Reported by Insikt Group | Recent reporting by Recorded Future's industry-leading Insikt Group indicates the company or its infrastructure is associated with known threat actors. |

While Recorded Future endeavors to provide accurate information on a range of companies, IPs, domains, and many other entities, we appreciate any feedback that can be used to improve our offerings. Please e-mail riskfeedback@recordedfuture.com if you have feedback or corrections on the risk scores assigned to any entity, and our team will review as soon as possible. 

The content of this article is confidential and intended solely for the use of individuals with authorized access to the Recorded Future service. Do not download or distribute this article.