How Organizations Can Avoid Domain Exploitation When “Big News” Breaks

By Ihab Shraim, Chief Technology Officer (CTO) at CSC [ Join Cybersecurity Insiders ]
1582

Due to the inherent nature of business, organizations are continuously in motion: There are always new products/brands/services to market. Corporate news will emerge when companies announce they are closing on an acquisition, hosting a promotional event, making a leadership change and going public, among many other milestones. Or, a company may get caught by surprise when news leaks about such developments before they’re fully prepared to launch.

Because the big event typically commands an “all hands”-level of attention organization-wide, a prime asset often gets overlooked and exploited by cybercriminals: Domains, which are especially targeted during these times, as everyone’s attention is directed elsewhere.

Criminals are constantly seeking to take advantage of major developments to either hijack domains or fraudulently register them under what we classify as “Dormant” domain that operate in stealth mode until its weaponized later as part of a targeted attack campaign. Furthermore, attackers use the Domain Name System (DNS) in one-third of breaches, according to the Global Cyber Alliance. In our own research, we’ve found that 79 percent of registered domains that resemble the Global 2000 brands are owned by third parties. These are called homoglyph – or fake – domains, created by subtle but intentional changes of characters in the domain name. Adversaries will deploy homoglyphs to hatch spoofing, phishing and other cyber scams to, for example, pose as the brand and direct unwitting consumers to a malware-infested website.

Despite the vast potential for costly exposure, businesses are leaving themselves highly vulnerable, as 72 percent of companies have implemented less than one-half of needed security measures to protect their domains, according to our research.

In terms of developments which adversaries most seek to exploit, three categories have emerged as high-risk:

Brand refresh/changes. We are seeing a major convergence of Brand bause into the fraud arena. A move to refresh opens up cyber targets because of the need to register new domain names and the abandonment of old ones related to the former brand identity. A new domain can easily get exploited to create ill-intended homoglyphs. A discarded domain tends to get ignored in perpetuity, providing opportunities for adversaries to grab them and launch malicious schemes.

Either way, a company will place itself in jeopardy – with subsequent attacks leading to costly, reactive resolution/mitigation efforts and brand reputational damages – without effective security measures in place.

Marketing Events/campaigns. Similarly, these initiatives introduce new domains for promotional purposes. Many of them are abandoned after the event or campaign ends. Adversaries stand ready to exploit this cycle, taking advantage of the “buzz” during the promotional phase to trick users into clicking on bogus versions of the company domains or to hijack vacated ones after the fact.

News leaks. When a business is caught off-guard by unanticipated news reports about a product launch, merger, leadership change, etc., cybercriminals can leverage the information to either create phony domains or exploit existing ones.

So how does your organization oversee a news-making development without increasing its exposure for domain abuse? We recommend the following best practices:

Conduct regular domain portfolio audits and monitoring. Analyze your domain portfolio to identify which domains are in use as vital (critical), brand related and defensive . Find out who is responsible for what and – most critically – who is in charge of the securing and monitoring the entire domain portfolio. This enables the flagging of improperly closed subdomains and “dangling” DNS records (an abandoned, outdated resource) that remain ripe for exploitation. Routine audits play an essential role here because total visibility into the entire attack surface represents the first, vital step in achieving overall domain protection.

Assess your partners. You’re only as strong as your weakest link, as the timeless (and true) adage goes. Even if your organization commands tight control over domains, you’re still potentially subject to increased risk if your vendors, third-party suppliers and additional partners do not. Be wary especially of commercial domain registrars who do not actively monitor your domains for unauthorized changes or obscure behavior. You can address these concerns with your partners by requiring them to fill out security questionnaires to determine if they’re taking the same, protective steps as you are.

Commit to defense-in-depth. Our research reveals that companies which acquire enterprise-class capabilities are far more likely to adopt needed defense-in-depth measures than those using basic, consumer-grade registrars.

These measures include registry locks, which confirm all requested changes with the domain owner to eliminate unauthorized changes; domain name system security extensions (DNSSECs), which authenticate communications between DNS servers; and certificate authority authorization (CAA) records, which allow a company to designate a specific authority as the sole issuer of certificates for its domains. This serves as a check on cybercriminals attempting to get unauthorized certificates.

Raise company awareness. Through training and less formal communications sent via emails, corporate Slack channels, etc., employees in all departments can learn about domain defense and the various scheme scenarios to watch out for – particularly when big company news breaks.

The announcement of a new brand, product or service – or an IPO, major merger or leadership change – is exciting stuff. It’s perfectly understandable that everyone involved will entirely focus on the news at hand, in the interest of ensuring absolute success.

But organizations must take proactive steps beforehand to implement a comprehensive domain protection strategy which includes the described best practices here. Otherwise, they may end up making “big news” of another kind – reports about a significant attack that is linked to them. And this is something that no one wants to see.

Ad

No posts to display