Getting Started with Domain Monitoring: Part 1, Collection

Michael Marriott
June 30, 2021 | 4 Min Read

This blog is taken from our recent Domain Monitoring Solutions Guide, which provides best practices and free tools to begin monitoring for impersonating domains.

What is Domain Monitoring?

Domain monitoring is a fundamental part of any brand protection program. It involves tracking the registration of domains that are slight variations or permutations of the target company name or brand. This can include a spelling error, switched characters, or additional keywords added to the domain name. A domain may not even have a similar name, but the contents of the site may be visually similar.

Impersonating domains are subsequently used for phishing attacks, BEC campaigns, and for selling counterfeit goods. Left undetected, these domains can lead to data breaches, credential theft, significant brand and reputational damage, and loss of revenue.

How has domain monitoring evolved? 

For several years, companies have attempted to solve this challenge by proactively buying similar-looking domains, hoping that owning these domains reduces the risk that they may be used for malicious purposes. The problem with this approach is that it cannot scale, and has not scaled.

That may have worked in the past, but the sheer numbers make this approach unfeasible. ICANN now recognizes more than 1,200 Generic Top Level Domains, which means that anyone with a credit card can buy any number of domains. If you imagine that each of these can have tens of thousands of possible permutations, it’s clear that this strategy does not work. 

Most organizations have now realized that they need to monitor for domains themselves. In our Domain Monitoring Solutions Guide, we provide an overview of what you should consider and some free tools to get you started.

Where should you collect from?

Reported Domains

Detecting these domains yourself is the ideal scenario, but domains publicly reported by others are not to be ignored. There are plenty of domains reported on Twitter and across various threat and phishing feeds, not to mention in phishing emails reported internally by employees.

Newly Registered Domains

The most useful data source for detecting domain impersonation is a feed of newly registered domains. Different top-level domains (TLDs), such as .com, .gov, and .edu, will provide different levels of data. More on the challenges associated with this below!

SSL Certificates

Certificate transparency logs are another great source of domain data. To learn more about certificate transparency logs, check out this great post on SANS ISC InfoSec Forums: Using Certificate Transparency as an Attack / Defense Tool.

DNS Data

Beyond the domains themselves, it’s important to collect the DNS data associated with them. The DNS data can have vital information that helps you to assess the associated risk, and identify broader trends. 

What are the top challenges to effective collection?

TLD Coverage and Standardization 

Unfortunately, there is no one provisioner of domains. In order to gather domain registration data, you will need to gather these from different top level domains. Be aware that there is no standardized format for these, so challenges can arise when you begin to analyze the data. 
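One way to cope with the lack of a standard format, shown as an added example that is not from the original post or the guide: reduce every feed to a lowercase ASCII hostname before merging, so the same domain seen in several sources becomes one record. The three input formats, the function names, and all sample values are constructed assumptions.

```python
import csv
import io

# Constructed sample inputs (not real feed data); the three formats are assumptions.
ZONE_SAMPLE = """\
EXAMPLE-LOGIN.COM. 172800 IN NS ns1.parking.test.
example-login.com. 172800 IN NS ns2.parking.test.
"""
CSV_SAMPLE = """\
domain,created
Examp1e.shop,2021-06-29
bücher.example,2021-06-30
"""
CT_SANS_SAMPLE = ["*.example-login.com", "www.examp1e.shop.", "not a domain"]


def normalize(name):
    """Return a lowercase ASCII (punycode) hostname, or None if malformed."""
    name = name.strip().rstrip(".").lower()
    if name.startswith("*."):  # wildcard entry from a certificate
        name = name[2:]
    try:
        ascii_name = name.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = ascii_name.split(".")
    valid = len(labels) >= 2 and all(
        lab and all(c.isalnum() or c == "-" for c in lab) for lab in labels)
    return ascii_name if valid else None


def collect(zone_text, csv_text, ct_sans):
    """Merge the feeds into {hostname: set of sources that reported it}."""
    seen = {}

    def add(raw, source):
        host = normalize(raw)
        if host:
            seen.setdefault(host, set()).add(source)

    for line in zone_text.splitlines():
        fields = line.split()
        if fields:
            add(fields[0], "zone")  # owner name is the first field
    for row in csv.DictReader(io.StringIO(csv_text)):
        add(row["domain"], "csv")
    for san in ct_sans:
        add(san, "ct")
    # Hostnames are kept as reported; reducing them to registrable domains
    # needs the Public Suffix List, which this example leaves out.
    return seen
```

Converting internationalized names to punycode at this stage keeps later comparisons against the brand name byte-for-byte consistent across sources.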

Historical data

It’s one thing getting the right DNS data and context, but another accessing the historical data and tracking it over time. Attackers may change WHOIS information in order to hide links to other campaigns, so going back to view previous details can be highly valuable. Some security teams use Archive.org’s Wayback Machine to get an idea of what the domain has looked like previously (https://archive.org/web/web.php). 

Ongoing monitoring and storage 

Oftentimes, security teams will want to capture screenshots, analyze the contents of domains, and store historical DNS data. This type of historical data can be vital for quickly responding to risks associated with domain impersonation. It would be cost prohibitive to store all domains and their contents for all time, so security teams should be clear about how much data they wish to pay to store.


In the next blog, we’ll move on to the next stage of domain monitoring: detection. This will dig into all the different types of typosquat and combosquat you need to search for.

In the meantime, download your own copy of the Domain Monitoring Solutions Guide to get started.