Probability of ROI and Tighter Network Security by Blocking Malicious Subdomains

CircleID: Failing to block a stealthy malicious host from making connections to your network could cost your company millions of dollars, a damaged reputation, and severe losses in sensitive private data.

Threat intel teams have faced on-going problems:

- Expensive feeds that are slow to catch new threats
- Chasing false positives in alerts wastes time and money
- Vendors selling a new appliance for every ill

Would 100% of your users Spot the Bot?

Sophisticated security professionals wouldn't be fooled, yet what about some of your endpoint users? Long, confusing subdomains have been successfully used by crooks for over a decade. More of these dangerous hostnames are created every day because compromised accounts keep gaining value. Even social media accounts are now seen by criminals as providing a high concentration of valuable personal information. Control of a Facebook account, for example, can enable access to payment methods, impersonation of executives or IT staff, and security question answers useful for breaking into higher value accounts.

Once a user's account is compromised, corporate assets they have access to may be exfiltrated by criminals who can now intercept multi-factor tokens for systems with administrator privileges.

PRELIMINARY RESEARCH:

8 out of 10 Malicious Hostnames Go Active in First 48 hours After Creation

You can prove or disprove this assertion [1] by checking the validity for your own network, with the data that matters — your own. Take a look at the last 5 - or 10 - or 100 - malicious hostnames involved in infections, breaches, or clicks on phish at your own company.

How much time passed between creation of the malicious hostname and the moment the malicious action first took place on your network? Don't average the results; bucket them by days, because those buckets will lead you to a winning threshold strategy. You can then apply this strategy to identify and protect against the malicious methods represented by each time-constrained bucket. [2]
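As an added example (not code from the article or from Zetalytics), the bucketing step above in Python. The incident records are constructed placeholders, not real data: each carries the hostname, the timestamp it was created (first seen in DNS), and the timestamp of the first malicious action on the network. The script buckets the creation-to-action delay by whole days, as the article recommends, and also reports what share of incidents fell inside a candidate window so different NN-hour thresholds can be compared.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed incident records (hypothetical hostnames and timestamps,
# not real data): hostname, creation / first-seen time, first malicious
# action observed on our own network.
INCIDENTS = [
    ("login-secure-update.dyn-example.test",   "2017-11-01T08:00:00", "2017-11-01T14:30:00"),
    ("verify.account-alerts.example-free.test", "2017-11-02T03:15:00", "2017-11-03T11:00:00"),
    ("cdn7.mail-attach.example.test",           "2017-11-05T00:00:00", "2017-11-06T18:45:00"),
    ("invoice.payroll-portal.example.test",     "2017-10-20T12:00:00", "2017-11-04T09:00:00"),
    ("drive.share-docs.example.test",           "2017-11-07T22:00:00", "2017-11-08T01:10:00"),
]

FMT = "%Y-%m-%dT%H:%M:%S"


def parse(ts):
    return datetime.strptime(ts, FMT)


def age_in_days(created, first_action):
    """Whole days between hostname creation and first malicious action (floored)."""
    return (parse(first_action) - parse(created)) // timedelta(days=1)


def bucket_by_day(incidents):
    """Count incidents per day bucket rather than averaging the delays.

    Returns a dict {days_old: count} sorted by bucket.
    """
    counts = Counter(age_in_days(created, acted) for _, created, acted in incidents)
    return dict(sorted(counts.items()))


def share_within(incidents, hours):
    """Fraction of incidents whose malicious action came within `hours` of creation.

    Use this to compare candidate NN-hour thresholds against your own data.
    """
    window = timedelta(hours=hours)
    hits = sum(1 for _, created, acted in incidents if parse(acted) - parse(created) <= window)
    return hits / len(incidents)


if __name__ == "__main__":
    for days, n in bucket_by_day(INCIDENTS).items():
        print(f"{days:>3} day(s) old at first malicious action: {n} incident(s)")
    for hours in (24, 48, 72):
        print(f"within {hours}h of creation: {share_within(INCIDENTS, hours):.0%}")
```

With these constructed records the buckets come out as two incidents at day 0, two at day 1 and one at day 14, so a 48-hour threshold would have covered four of the five; the same functions run unchanged over a real export of your own incident hostnames.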

Using this preliminary research or your own data, here's an example of transforming the initial conundrum into an opportunity to add a solid network protection layer.

Global Conundrum of Doom:

New hostnames flow freely through your network because:

- A large number of new subdomains are not malicious and are needed for business activity:
  - Content Distribution Network (CDN) hostnames
  - Cloud service hostnames
  - Campaign tracking hostnames
- Threat feeds you buy won't list the newest malicious hostnames until it's too late; some malware has already been dropped into your systems

Transform the Problem into a Low Cost High ROI Solution:

The same data point that gives criminals the advantage over you (you've never seen the hostname before, so you don't know to block it) can be turned on its head to give you the advantage over the criminals.

Let's say you've never seen the hostname before, and it's not from a common CDN or business cloud service. You don't need to trust this new hostname, not in the first 48 hours of life.

Add rules to your existing network appliance to:

- Block hostnames created less than NN hours ago
- Make an exception for new hostnames based on a small whitelist
- Continue using your best threat feeds to cover old/slow hostnames

How many hours should you use for NN? Ideally base this on your own network data and experience. 48 hours may be a place to start; just remember to stay flexible in case the criminal element or new legitimate services change tactics.
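The three rules above as one decision function, added here as an example and not taken from the article or from any vendor's product. The first-seen table stands in for a passive DNS "hostname first seen" lookup and holds constructed hostnames and dates; the whitelist of base domains (CDN, cloud, the company's own domain) is likewise made up. Whitelist matching is label-aligned rather than a plain string suffix check, so a lookalike base domain that merely ends with a whitelisted name does not inherit its exception. A hostname with no first-seen record at all is treated as age zero, the most conservative reading of "created less than NN hours ago".

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed stand-in for a passive DNS first-seen lookup (hypothetical
# hostnames and dates). A real deployment queries its pDNS source here.
FIRST_SEEN = {
    "www.example-business.test":              "2012-03-04T00:00:00",
    "reports.finance.example-business.test":  "2017-11-07T23:00:00",
    "assets.cdn-provider.test":               "2014-06-01T00:00:00",
    "a1b2c3.tracking.cdn-provider.test":      "2017-11-08T09:00:00",
    "secure-login-update.dyn-example.test":   "2017-11-08T10:30:00",
    "mail.partner-vendor.test":               "2016-01-01T00:00:00",
    "newsletter.partner-vendor.test":         "2017-11-06T00:00:00",
}

# Small whitelist of base domains whose brand-new subdomains are trusted
# (CDN / cloud providers and our own corporate domain). Constructed values.
WHITELIST = {"cdn-provider.test", "example-business.test"}


def is_whitelisted(hostname, whitelist=WHITELIST):
    """True if any label-aligned suffix of the hostname is a whitelisted base domain.

    'evil-cdn-provider.test' does NOT match 'cdn-provider.test' because the
    comparison is done on whole labels, not on raw string suffixes.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))


def decide(hostname, now, threshold_hours=48, first_seen=FIRST_SEEN):
    """Apply the NN-hour rule and return (action, reason)."""
    if is_whitelisted(hostname):
        return "allow", "whitelisted base domain"
    seen = first_seen.get(hostname.lower().rstrip("."))
    if seen is None:
        # Never seen in passive DNS: treat as age zero, i.e. newer than any threshold.
        return "block", "never seen in passive DNS (treated as brand new)"
    age = now - datetime.strptime(seen, FMT)
    if age < timedelta(hours=threshold_hours):
        return "block", f"hostname age {age} is below the {threshold_hours}h threshold"
    # Old enough: fall through to the existing threat feeds for the rest.
    return "allow", "older than threshold; covered by threat feeds"


if __name__ == "__main__":
    now = datetime(2017, 11, 8, 12, 0, 0)  # constructed evaluation time
    observed = list(FIRST_SEEN) + ["update.never-seen-before.test", "evil-cdn-provider.test"]
    for host in observed:
        action, reason = decide(host, now)
        print(f"{action:5}  {host:42}  {reason}")
```

Run with the constructed evaluation time of 2017-11-08 12:00, the dynamic-DNS lookalike (90 minutes old) and the two unseen names are blocked, the 60-hour-old newsletter host is allowed, and the three-hour-old CDN tracking host is allowed only because its base domain is whitelisted; raising `threshold_hours` to 72 flips the newsletter host to block, which is the kind of sensitivity your own day buckets should inform.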

Increase Confidence Levels Using Global Passive DNS

Your own network data is the best data to develop protections relevant to your enterprise. At the same time, you need to do external validation of data points such as "when was a hostname first seen in the global DNS". Check the hostnames seen in your network - known good, unknown, or known bad - against what the rest of the world sees.

It's a quick study to get a "hostname age" data point for the hostnames seen in your corporate network for a day, a week, or even an hour based on your equipment or limitations. At the request of a customer, Zetalytics recently created an ad hoc UDP query service that accepts a hostname and instantly returns the date it was first seen.

Unlike "domain age" services based on slow whois queries - a query service for hostname age works for the vast array of malicious subdomains such as those based on dynamic DNS providers, free services that attract and harbor criminals, as well as providing solid and reliable knowledge for base domains you should whitelist.

When selecting a passive DNS data source, test for global geographic diversity as well as customer type diversity. Check that the type of hostname visibility matches your needs, ensuring that it is a good mix of enterprise vs consumer and has great coverage in the countries where your company does business.

Conclusion:

Whether you roll your own, outsource to a service, or go down the middle with expert advice and training to help your team best utilize your own network data, there are golden opportunities for network protection from the newest malicious hostnames on your network: hostnames so new that even your best threat intel feeds haven't found them yet.

RESOURCES: Contact fredt@zetalytics.com to join a Slack channel community collaborating on research and results about new malicious hostnames. We have ongoing discussions with other compliance and security professionals looking into similar parameters for their network, how to conduct the research, and what results people are seeing.

[1] “8 out of 10 Malicious Hosts First Seen Today, Yesterday or Never”, https://zetalytics.com/hostnames.html
[2] See RESOURCES at end to join a Slack channel community collaborating on this work

Written by April Lorenzen, Chief Data Scientist at Zetalytics
