DOMAINS AND SURFACE WEB THREATS PLAYBOOK
APRIL 30, 2020
Defending Against an Ever-Evolving Threat
PHISHLABS IS INTELLIGENCE ACTIONED
Proprietary and Confidential | Copyright 2020 PhishLabs
• Extensive Collection: comprehensive across digital channels
• Expert Curation: automated and expert analysis
• Effective Mitigation: best in the world threat mitigation
• 5 of the world's largest companies
• 10 of the 13 largest financials in North America
• 10 of the most valuable global brands
• PhishLabs founded 2008
JOIN THE CONVERSATION
Have questions or feedback? Use the questions box.
ANNOUNCEMENTS
1. New COVID-19 Threat Intelligence resource: www.phishlabs.com/covid-19-threat-intelligence/
2. Upcoming webinar: Social Media Intelligence: Real World Threats, Real World Impact, May 28 at 2 PM ET
AGENDA
1. Domain Threats
2. Surface Web Threats
3. Mitigating Surface Web + Domain Threats
4. Q&A
POLL: HOW OFTEN ARE YOUR BRANDS TARGETED WITH MALICIOUS DOMAINS?
1. Rarely
2. Sometimes
3. Often
4. Unsure
INTRODUCTIONS
Elyse Neumann, Director of Client Operations
Andrew Robinson, Client Threat Manager, Team Lead
DOMAIN THREATS
DOMAINS 101
The Internet maintains two principal namespaces: the domain name hierarchy and the Internet Protocol (IP) address space.
• ICANN administers the DNS root
• TLDs are delegated to registries
• Registrants register second-level domains and control any subdomains beneath them
Domain Name System (DNS) Hierarchy (figure): DNS Root (.) → Top Level Domains (TLDs: com, edu, net, org) → Second Level Domains (youtube, amazon, stanford, speedtest, wikipedia, redcross) → Subdomains (uk.amazon.com, en.wikipedia.org)
DOMAIN LIFECYCLE
Life Cycle of a Typical generic Top-Level Domain (gTLD) Name (figure):
• Registered (1 to 10-year term): domain is in the zone file; renewal and transfer possible. Names deleted during the 5-day Add-Grace Period become available for re-registration (domain tasting activity).
• Expired, Auto-Renew Grace Period (0-45 days): domain may be in the zone file; renewal still possible.
• Redemption Grace Period, aka "Pending Delete - Restorable" (30 days): domain no longer in zone (website and email no longer function); redemption possible; pre-drop alternatives.
• Pending Delete (5 days): no restore possible.
• Released (Available): name is available for re-registration; drop catch activity.
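The phases in the figure can be turned into a calendar, which is how a brand-protection team predicts when a lapsed domain (its own or an attacker's) will actually drop. The following Python is an added example, not PhishLabs' code: it maps a date onto the lifecycle phase and computes the earliest drop date from a registration's creation and expiry dates. Phase lengths are those in the figure; the auto-renew grace period varies by registrar, so the 45-day default is an assumption, as are the sample dates.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Phase lengths from the gTLD lifecycle figure. The auto-renew grace period
# varies by registrar (0-45 days); 45 is an assumed worst case.
ADD_GRACE_DAYS = 5
ARGP_DAYS = 45
REDEMPTION_DAYS = 30
PENDING_DELETE_DAYS = 5


@dataclass(frozen=True)
class Phase:
    name: str
    in_zone: str             # "yes", "maybe" or "no": do website and mail still resolve?
    owner_can_recover: bool  # can the original registrant still get the name back?
    note: str


def lifecycle_phase(created: date, expires: date, today: date,
                    argp_days: int = ARGP_DAYS) -> Phase:
    """Return the lifecycle phase a gTLD name is in on a given date."""
    if today < created:
        raise ValueError("domain is not registered yet")
    if today < created + timedelta(days=ADD_GRACE_DAYS):
        return Phase("Registered (Add-Grace Period)", "yes", True,
                     "deleting now refunds the fee, which is what enables domain tasting")
    if today < expires:
        return Phase("Registered", "yes", True, "renewal and transfer possible")
    argp_end = expires + timedelta(days=argp_days)
    if today < argp_end:
        return Phase("Expired (Auto-Renew Grace Period)", "maybe", True,
                     "registrar may leave the name in the zone; renewal at the normal fee")
    rgp_end = argp_end + timedelta(days=REDEMPTION_DAYS)
    if today < rgp_end:
        return Phase("Redemption Grace Period", "no", True,
                     "website and email stop working; restore only at a redemption fee")
    if today < rgp_end + timedelta(days=PENDING_DELETE_DAYS):
        return Phase("Pending Delete", "no", False,
                     "no restore possible; drop-catchers queue backorders")
    return Phase("Released", "no", False, "anyone, including an attacker, may re-register")


def drop_date(expires: date, argp_days: int = ARGP_DAYS) -> date:
    """Earliest date on which an unrenewed name becomes available to anyone."""
    return expires + timedelta(days=argp_days + REDEMPTION_DAYS + PENDING_DELETE_DAYS)


if __name__ == "__main__":
    # Constructed sample: a brand domain registered 2019-01-10 for one year and never renewed.
    created, expires = date(2019, 1, 10), date(2020, 1, 10)
    for day in (date(2019, 1, 12), date(2019, 6, 1), date(2020, 2, 1),
                date(2020, 3, 1), date(2020, 3, 26), date(2020, 4, 1)):
        p = lifecycle_phase(created, expires, day)
        print(f"{day}: {p.name:36} in_zone={p.in_zone:5} recoverable={p.owner_can_recover}")
    print("earliest drop date:", drop_date(expires))
```

The practical use is the last line: a name that expires on 2020-01-10 cannot be re-registered by a drop-catcher before 2020-03-30 under these assumptions, so a defender who missed a renewal still has the whole redemption window to restore it, and a monitoring team knows which day to watch a dormant typosquat for re-registration.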
HOW DOMAINS ARE ABUSED
• Host malicious content or phishing sites
• Redirect schemes
• Typo-squatting
• Look-alike or spoofing
• Parked domains
• Unauthorized brand use
• Newly registered domains
• Abuse of free domains
• Abuse of TLDs, gTLDs, and ccTLDs
MONITORING FOR DOMAIN THREATS
• Monitoring for newly registered domains
  o Typically an automated tool
  o Searches for brand names, keywords, and fuzzy-matched terms
  o Identifies illicit, malicious, or unauthorized use (collectively, spoofed domains)
• Spoofed domains are frequently used as part of sophisticated phishing attacks
Mature solutions follow a multi-pronged approach:
1. Detection
2. Analysis
3. Monitoring
4. Mitigation
Example spoofed URL: amazonn.com
DOMAIN MONITORING - EXAMPLES
netflixgiftcode.com
cineplex.network
COLLECTING DOMAIN INTELLIGENCE
1. Use zone files and third-party domain services to review newly registered generic TLD and country-code TLD names
  • gTLDs include:
    o .com, .org, .info
    o Sponsored TLDs: .gov, .edu, .tel
    o Brand TLDs: .bmw, .barclays, .abc
  • ccTLDs include: .ca, .us, .uk
2. Use Certificate Transparency (CT) logs to find newly issued SSL/TLS certificates whose subject names contain key terms
  • Close to 70% of phishing attacks are hosted on SSL pages
  • Identifies concerning subdomains, which TLD zone files do not list (they only carry delegated second-level names)
3. Automated tools tend to produce a high volume of white noise made up of false positives
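The two feeds above (zone-file NS records and CT log subject names) are searched in the same way: each label of a candidate name is compared against the brand terms exactly, against generated typosquat variants, as a contained keyword, and finally by fuzzy similarity. The following Python is an added example, not PhishLabs' tooling: the brand list, allowlist, keyboard-neighbour map, the zone-file excerpt and the CT names are all constructed for illustration, and the scoring weights are an assumption. It reproduces the spoofed domains the slides use as examples (amazonn.com, netflixgiftcode.com, cineplex.network) and shows why CT names need the extra hyphen splitting that zone names do not.

```python
from difflib import SequenceMatcher

# Constructed brand profile: terms to watch and the brand's own registrations.
BRANDS = ["amazon", "netflix", "cineplex"]
ALLOWLIST = {"amazon.com", "netflix.com", "cineplex.com"}

# Keyboard neighbours for fat-finger substitutions (partial QWERTY map, an assumption).
ADJACENT = {"a": "qwsz", "e": "wsdr", "i": "uojk", "o": "iklp", "n": "bhjm",
            "m": "njk", "z": "asx", "t": "rfgy", "l": "kop", "x": "zsdc"}
# Look-alike characters commonly swapped in.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "a": "4", "e": "3", "rn": "m"}


def variants(term: str) -> dict:
    """Typosquat candidates for one brand term, mapped to the technique that produces them."""
    out = {}
    for i, ch in enumerate(term):
        out.setdefault(term[:i] + term[i + 1:], "omission")
        out.setdefault(term[:i] + ch + term[i:], "repetition")
        if i + 1 < len(term):
            out.setdefault(term[:i] + term[i + 1] + ch + term[i + 2:], "transposition")
        for k in ADJACENT.get(ch, ""):
            out.setdefault(term[:i] + k + term[i + 1:], "adjacent-key")
    for src, dst in HOMOGLYPHS.items():
        if src in term:
            out.setdefault(term.replace(src, dst), "homoglyph")
    out.pop(term, None)
    return out


def tokens_of(name: str) -> list:
    """DNS labels plus their hyphen-separated parts, so 'amaz0n-login' also yields 'amaz0n'."""
    toks = []
    for label in name.split("."):
        toks.append(label)
        toks.extend(t for t in label.split("-") if t and t != label)
    return toks


def assess(name: str):
    """Score one domain or certificate name against the brand terms; None if not of interest."""
    name = name.lower().rstrip(".")
    if name in ALLOWLIST or any(name.endswith("." + a) for a in ALLOWLIST):
        return None
    hits = []
    for brand in BRANDS:
        vs = variants(brand)
        for tok in tokens_of(name):
            if tok == brand:
                hits.append((brand, "brand-token", 0.9))
            elif tok in vs:
                hits.append((brand, vs[tok], 0.9))
            elif brand in tok:
                hits.append((brand, "brand-keyword", 0.7))
            else:
                ratio = SequenceMatcher(None, brand, tok).ratio()
                if ratio >= 0.8:
                    hits.append((brand, f"fuzzy:{ratio:.2f}", 0.5))
    if not hits:
        return None
    brand, technique, score = max(hits, key=lambda h: h[2])
    return {"name": name, "brand": brand, "technique": technique, "score": score}


# Constructed feed 1: NS records as they appear in a TLD zone file (names are relative to the TLD).
ZONE_FILE = """\
AMAZONN NS NS1.EXAMPLE-DNS.NET.
AMAZ0N-LOGIN NS NS1.EXAMPLE-DNS.NET.
SPEEDTEST NS NS2.EXAMPLE-DNS.NET.
NETFLIXGIFTCODE NS NS1.EXAMPLE-DNS.NET.
"""
# Constructed feed 2: subject names seen in CT log entries (these include subdomains).
CT_NAMES = ["login.amazon.com", "secure-netflix-billing.000webhostapp.com",
            "cineplex.network", "amazon-verify.tk"]


def scan_zone(zone_text: str, tld: str) -> list:
    """Assess every delegated name in a zone-file excerpt under the given TLD."""
    found = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].upper() == "NS":
            hit = assess(f"{parts[0]}.{tld}")
            if hit:
                found.append(hit)
    return found


def scan_ct(names) -> list:
    """Assess certificate subject names; the allowlist drops the brand's own certificates."""
    return [hit for hit in (assess(n) for n in names) if hit]


if __name__ == "__main__":
    for hit in scan_zone(ZONE_FILE, "com") + scan_ct(CT_NAMES):
        print(f"{hit['score']:.1f} {hit['name']:45} {hit['brand']:9} {hit['technique']}")
```

Two things worth noting. Exact variant generation is what catches amazonn.com and amaz0n-login.com with confidence; the fuzzy ratio is deliberately scored lowest because it is the source of most of the white noise the slide warns about, and in practice its threshold is tuned per brand. The allowlist is also what keeps login.amazon.com, seen via CT, out of the queue; without it every certificate the brand itself issues becomes a false positive.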
ANALYZING DOMAIN INTELLIGENCE
1. Review domain feeds and score
2. Review each result
3. Categorize the domain
MONITORING INCIDENTS
Once an incident has been created, it should be monitored for:
• Content changes (e.g. a parked page becoming a live phishing page)
• MX record changes (the domain becoming able to receive mail, which enables reply-based fraud)
Domain monitoring: status updates (example timestamps: 2020/04/15 08:09 AM, 2020/04/16 02:10 PM, 2020/04/17 02:12 PM)
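A minimal version of that incident monitor, added here as an example and not PhishLabs' code: each observation of the domain is reduced to a fingerprint of the visible page text plus the set of MX hosts, and consecutive observations are diffed into status-update lines. The HTML snapshots, MX records and timestamps are constructed to mirror the three status updates above (parked, still parked with cosmetic noise, then weaponised).

```python
import hashlib
import re


def content_fingerprint(html: str) -> str:
    """Hash the visible text only, so whitespace, tracking scripts and markup tweaks do not
    trigger a change alert but a parked page turning into a login form does."""
    text = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def snapshot(ts: str, html: str, mx_records) -> dict:
    """One observation of the domain: when, what the page said, and where its mail goes."""
    return {"ts": ts, "content": content_fingerprint(html),
            "mx": frozenset(r.lower().rstrip(".") for r in mx_records)}


def diff_snapshots(prev: dict, cur: dict) -> list:
    """Status-update lines for an incident between two consecutive observations."""
    events = []
    if prev["content"] != cur["content"]:
        events.append(f"{cur['ts']} content changed {prev['content']} -> {cur['content']}")
    added, removed = cur["mx"] - prev["mx"], prev["mx"] - cur["mx"]
    if added or removed:
        # A domain that previously had no MX and now has one can receive replies:
        # that is the signal to escalate, not just log.
        note = "; domain can now receive mail" if added and not prev["mx"] else ""
        events.append(f"{cur['ts']} MX changed added={sorted(added)} removed={sorted(removed)}{note}")
    return events


def run_monitor(snapshots) -> list:
    """Replay a series of observations and collect every status update."""
    events = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        events.extend(diff_snapshots(prev, cur))
    return events


# Constructed observations of a spoofed domain: parked, still parked (with cosmetic noise),
# then weaponised with a credential form and a mail exchanger.
PARKED = "<html><body><h1>This domain is parked</h1></body></html>"
PARKED_NOISY = ("<html>\n<body>\n  <h1>This   domain is PARKED</h1>\n"
                "<script>track('visit')</script></body></html>")
PHISH = ("<html><body><h1>Sign in to your account</h1>"
         "<form><input name=user><input name=pass type=password></form></body></html>")
SNAPSHOTS = [
    snapshot("2020/04/15 08:09 AM", PARKED, []),
    snapshot("2020/04/16 02:10 PM", PARKED_NOISY, []),
    snapshot("2020/04/17 02:12 PM", PHISH, ["10 mail.example-hosting.net."]),
]

if __name__ == "__main__":
    for line in run_monitor(SNAPSHOTS):
        print(line)
```

Fingerprinting the rendered text rather than the raw HTML is the detail that keeps a daily monitor quiet: parked-page providers rotate ad scripts and markup constantly, and a raw hash would change on every poll. A real deployment would fetch the page and query MX records on a schedule; the constructed snapshots stand in for those fetches so the logic runs offline.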
SURFACE WEB THREATS
SURFACE WEB 101
Surface Web: any readily accessible content on the web
• Can be accessed by search engines
• Isn’t hidden behind forms or logins
• Occasionally referred to as the Open Web
• Consists of over a billion websites
SURFACE WEB THREATS
Surface web threats steal hard-earned credibility from organizations using:
• Unauthorized associations
• Traffic diversion schemes
• Counterfeit goods
• Other misrepresentations
Common surface web threats abuse:
• Logos
• Domains
• Brands
• Trademarks
SURFACE WEB THREATS
• Attackers take advantage of free domain names: Freenom offers free registrations in several TLDs (.tk, .ga, .ml, .cf, .gq)
• Beyond this, cheap, low-requirement TLDs are the most popular for abuse: .com, .co, .ru
• Free web hosting is leveraged by attackers, e.g. 000webhost.com
• Paid options such as Cloudflare are popular for longer-term attacks (as a reverse proxy it also masks the origin hosting provider from takedown requests)
SURFACE WEB THREAT INTELLIGENCE
1. Continuously review content indexed by search engines containing key terms
2. Score each flagged item
3. Detection of brand references on third-party websites:
• Illicit activity using your brand (pornography/gambling)
• Abuses of Intellectual Property
• Unauthorized association by 3rd parties
• Prohibited channel activity
• Lost revenues due to traffic diversion using your brand name
Each flagged item is scored into a risk tier: Low, Medium, High
SURFACE WEB MONITORING AND ANALYSIS
1. Review each scored result to assess the threat
2. Categorize the result and create an incident if it’s a threat
• Unauthorized association
• Counterfeit activity
• Traffic diversion
• Channel compliance
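The scoring and categorisation steps above can be sketched in code. The following Python is an added example, not PhishLabs' relevancy algorithm: it parses a third-party page, looks for the brand name in the text and host, for the brand's own site being framed in an iframe (the coffee.hownd.com pattern shown later in the deck), for hotlinked brand images, and for co-occurrence with illicit terms, then rolls the findings into a Low/Medium/High tier. The brand profile, the point weights and the HTML pages are constructed; the host names reuse the deck's own examples, but the page contents are invented for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand profile: the name to look for and the hosts the brand actually owns.
BRAND_NAME = "kitchenaid"
BRAND_HOSTS = {"kitchenaid.com"}
# Terms whose co-occurrence with the brand counts as illicit association (assumed list).
ILLICIT_TERMS = ("casino", "betting", "porn")


class PageScanner(HTMLParser):
    """Collect visible text plus iframe, image and link targets from a page."""

    def __init__(self):
        super().__init__()
        self.iframes, self.images, self.links, self.text = [], [], [], []
        self._skip = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip = True
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def is_brand_host(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in BRAND_HOSTS)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def score_page(page_host: str, html: str) -> dict:
    """Score a third-party page for brand references; returns the risk tier and why."""
    if is_brand_host(page_host):
        return {"risk": "None", "points": 0, "findings": ["brand-owned host"]}
    p = PageScanner()
    p.feed(html)
    text = " ".join(p.text).lower()
    mentions = text.count(BRAND_NAME)
    findings, points = [], 0
    if BRAND_NAME in page_host.lower():
        findings.append("brand in host name (unauthorized association / typosquat)")
        points += 3
    if any(is_brand_host(host_of(u)) for u in p.iframes):
        findings.append("brand site framed in an iframe (traffic diversion)")
        points += 3
    if any(is_brand_host(host_of(u)) for u in p.images):
        findings.append("brand-hosted image hotlinked (logo reuse)")
        points += 2
    if mentions and any(t in text for t in ILLICIT_TERMS):
        findings.append("brand referenced alongside illicit content")
        points += 2
    if mentions:
        findings.append(f"{mentions} brand mention(s) in page text")
        points += 1
    # Assumed thresholds: 3+ High, 2 Medium, 1 Low.
    risk = "High" if points >= 3 else "Medium" if points >= 2 else "Low" if points else "None"
    return {"risk": risk, "points": points, "findings": findings}


# Constructed pages for the hosts the deck names as examples, plus two controls.
SQUAT_PAGE = """<html><body><h1>KitchenAid 220V outlet store</h1>
<img src="https://www.kitchenaid.com/assets/logo.png">
<p>Buy genuine KitchenAid mixers at 70% off. <a href="/checkout">Order now</a></p>
</body></html>"""
FRAME_PAGE = """<html><body><h1>Coffee deals</h1>
<iframe src="https://www.kitchenaid.com/countertop-appliances/coffee"></iframe></body></html>"""
BLOG_PAGE = "<html><body><p>I finally bought a KitchenAid stand mixer and love it.</p></body></html>"
CASINO_PAGE = "<html><body><p>Win a KitchenAid mixer: play at our online casino tonight!</p></body></html>"

if __name__ == "__main__":
    for host, page in [("www.kitchenaid220.com", SQUAT_PAGE), ("coffee.hownd.com", FRAME_PAGE),
                       ("blog.example.org", BLOG_PAGE), ("bestcasino.example", CASINO_PAGE)]:
        r = score_page(host, page)
        print(f"{r['risk']:6} {r['points']} {host:25} {'; '.join(r['findings'])}")
```

The blog page scores Low on a single mention, which is the expected outcome: most brand references on the open web are legitimate, and the analyst review step exists precisely to discard them. Framing the brand's own site scores High on its own because the visitor sees genuine brand content while the third party controls the URL, ads and any overlaid forms.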
INTELLIGENCE COLLECTION AND ANALYSIS
Pipeline (figure): 1. Collected Data (target references) → 2. Automated Analysis (relevancy algorithms) → 3. Machine-Filtered Results reviewed by Expert Analysis → 4. Curated Incidents → Monitoring & Mitigation
SURFACE WEB THREAT EXAMPLES
Domain: www.kitchenaid220.com
Domain: livingstoninc.com
Domain: coffee.hownd.com (an iframe wrapped around the brand's own content)
MITIGATING SURFACE WEB + DOMAIN THREATS
DOMAIN ABUSE MITIGATION
• Registries are given broad anti-abuse authority by ICANN
• However, they do not generally host content; they simply point a name at its nameservers
• Therefore they tend not to act on content complaints
Types of abuse that qualify for a registry takedown:
• Spam
• Phishing
• Malware hosting
• Fraudulent actions (requires a court ruling)
• Botnet C&C
• CSAM distribution
DISPUTE RESOLUTION AND MITIGATION OPTIONS
ACPA (Anticybersquatting Consumer Protection Act)
• Designed to act against cybersquatters
• Extension of the Federal Trademark Dilution Act
• Range of potential remedies
UDRP (Uniform Domain-Name Dispute-Resolution Policy)
• Binding arbitration; registrants agree to it when they register a name
• Two remedies available:
  1. Cancel the domain registration
  2. Transfer the domain to an account of the complainant's choice
• ccTLDs do not fall under this process; some have alternate resolution policies
Most domain/surface web abuse does not fall into these two categories:
• They address IP/trademark issues
• It is not always feasible to dispute every typosquat with UDRP
• Costs are lower than legal action but do not scale well
MITIGATION WORKFLOW EXAMPLE – RU-CENTER
(screenshots of the registrar exchange)
1. Threat: malicious domain reported to the registrar
2. Registrar response
3. Domain taken down; site removed
KEY TAKEAWAYS
1. Collect data for relevant references to your brand, flag results, score, and review each scored result to assess the threat.
2. Continual monitoring allows for visibility into domains or content that may have been dormant and action when activity is detected.
3. Monitor suspicious domains rather than relying on defensive registrations.
4. Keep in mind that takedowns require a range of evidence and tactics.