If your company was hacked today, would you know?

Probably not, says a new report from cyberdefense firm RiskIQ. According to the company’s PassiveTotal Citizen Lab study more than 80 percent of attacks originate outside an organization’s firewall. This confirms reports that hackers easily evade many standard defense tactics and remain persistently connected to a network for weeks or months at a time.

RiskIQ is a persistent threat detection platform that helps companies discover, analyze, and mitigate data breaches. The company’s threat dashboard visualizes insights about web, social, and mobile activity. The study was conducted in partnership with Citizen Lab, a Toronto-based interdisciplinary research group at the Munk School of Global Affairs that investigates cyber-infiltration and espionage operations targeted at “civil society groups” like nonprofits and government organizations.

SEE: Security awareness and training policy (Tech Pro Research)

The RiskIQ partnership with Citizen Lab was designed to demonstrate the challenges of persistent threats. “We [collaborated] with the intent to improve critical research so analysts could more efficiently hunt digital threats and proactively defend their organizations,” Brandon Dixon, vice president of product at RiskIQ and co-creator of PassiveTotal, explained in a statement. “We design our products for situations exactly like this, but it is extremely rewarding to hear that we’ve influenced positive change in the fight for privacy and human rights.”

Threat actors, a RiskIQ spokesperson said, frequently target civil organizations and governments because they are well-funded but often have limited capacity to identify and respond to attacks. “Many … targets are often at serious risk, and in many cases, besieged by threat actors working for governments and regimes. Without these researchers, people like renowned UAE human rights defender Ahmed Mansoor, whose iPhone was attacked via remote jailbreak using a string of zero-days … or [those] targeted by an extensive phishing campaign linked to malware and fake news sites, would have little to no recourse.”

SEE: Cybersecurity in 2017: A roundup of predictions (Tech Pro Research)

For example, a Citizen Lab operation codenamed “Stealth Falcon” used RiskIQ’s data and correlation technology to query a series of IP addresses used by actors targeting human rights activists. “A query returned a related domain,” the RiskIQ spokesperson said, “as well as an email address that differed from known Stealth Falcon infrastructure. Pivoting across relevant PassiveTotal data sets, Citizen Lab connected the email and domain to a domain that was registered to NSO Group. Suspecting that these domains were part of an exploit delivery infrastructure, they began seeking evidence of messages containing links to the network.”

The experiment conducted with Mansoor led to the discovery of a remote jailbreak that relied on a number of iPhone zero-day attacks. This helped investigators connect domain registration information from a related phishing email to a bevy of malware-distributing fake news sites tied to the attack.

SEE: New World Hackers group claims responsibility for internet disruption (CBS News)

Though investigations like the one conducted by Citizen Lab and RiskIQ are time-intensive, they’re also essential to help companies and organizations locate and shut down attacks and to help law enforcement identify perpetrators.

“Tools like [RiskIQ’s PassiveTotal] help us punch above our weight,” said Citizen Lab Research Manager Masashi Crete-Nishihata. “Its ease of use and ongoing evolution of its features make it an excellent tool for our research, and a benchmark that we [use to] compare other [cyber] options.”

Read more