Unfortunately, all too often organizations are flooded with alerts about possible look-alike domains, but cannot identify which ones matter most or take action against dangerous instances of domain infringement until after an employee or customer notifies them that they have been victimized. By then the brand, reputational, and material damage has been done, and without a streamlined system to manage the mitigation of threats, valuable time and energy are spent catching up on those items instead of preventing the next cyber attacks on the horizon.
Domain infringement has only grown worse in recent years due to the opening of thousands of new gTLDs, the growth of free and incredibly cheap domain registration services, and cyber attack techniques like domain shadowing. Because corporate attack surfaces are changing, threat actors are also changing their methods. Since business has moved many critical financial and data transactions beyond the firewall to the open internet, attackers are following suit, directly scamming end-users with high-volume phishing campaigns against consumers or targeted spear-phishing campaigns attempting to fool corporate employees.
These cyber attacks are cheap to execute, and they are proving to be incredibly efficient in breaching sensitive data. Limited staff and resources coupled with the sheer number of suspicious domains and subdomains exploiting brand names out there present one of the most significant challenges for any organization to manage—a query of the branded terms of 20 Fortune 100 companies in RiskIQ's domain infringement detection revealed 37,000 probable instances of domain infringement over a two-week period or 1,850 incidents per brand.
RiskIQ also found that subdomain infringement is a serious issue; it is more difficult to detect, and fewer organizations are able to address it effectively. In a sample of nearly 4,000 infringements across five financial services brands, subdomains made up a sizeable share of the total (about 25%) but accounted for most of the malicious activity: 75% of the malware and phishing instances identified within infringing domains were found where the infringement took place in the subdomain.
Built atop an industry-leading repository of security data, the RiskIQ platform automatically builds a dynamic inventory of the legitimate domains owned by an organization and continuously detects newly created domains and subdomains related to its brand names. RiskIQ helps organizations prioritize domain threats and allocate resources to managing them by automatically tracking each domain's content and behavior over time for changes that increase or decrease the risk it poses to the business. This automated discovery and monitoring gives both top-level visibility into an organization's overall domain-threat risk posture at any point in time and context about how each domain is being used by the third parties who own it, so that urgent threats can be identified and mitigated.
And, because of the potentially high volume of alerts—we saw above how often these brands are targeted—the ability to drill down from a broad set of candidates to quickly identify which domain threats should demand your time and attention is crucial. By analyzing factors such as whether the domain has a live website, the type of content on that site, the volume of traffic to that site, whether it's configured to send and receive email, etc., you can triage incidents to address the most critical ones first.
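The two ideas above, separating subdomain infringements from registered-domain infringements and triaging candidates by observable factors, can be illustrated with a small scoring routine. The code below is an added example written for this page; it is not RiskIQ code and does not reflect how the RiskIQ platform actually scores domains. The brand term, the owned-domain inventory, the public-suffix list, the candidate hostnames with their observations, and the weights are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed brand term and inventory of legitimately owned domains (constructed).
BRAND = "examplebank"
OWNED_DOMAINS = {"examplebank.com"}

# Abbreviated public-suffix list, constructed for this example. A real deployment
# would load the full Public Suffix List to find the registrable domain correctly.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}


def split_hostname(hostname):
    """Split a hostname into (subdomain, registrable_domain) using PUBLIC_SUFFIXES."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the left so the first match is the longest public suffix (e.g. "co.uk").
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            suffix_start = i
            break
    else:
        suffix_start = len(labels) - 1  # unknown suffix: treat the last label as the suffix
    if suffix_start == 0:
        return "", hostname.lower()  # hostname is itself a public suffix; nothing to split
    registrable = ".".join(labels[suffix_start - 1:])
    subdomain = ".".join(labels[:suffix_start - 1])
    return subdomain, registrable


def infringement_location(hostname, brand=BRAND):
    """Return "domain", "subdomain", or None (owned, or brand term absent)."""
    subdomain, registrable = split_hostname(hostname)
    if registrable in OWNED_DOMAINS:
        return None  # part of the organization's own inventory
    if brand in registrable.split(".")[0]:
        return "domain"
    if brand in subdomain:
        return "subdomain"
    return None


@dataclass
class Observation:
    """Facts gathered about a candidate: the triage factors the text lists (constructed)."""
    hostname: str
    live_site: bool
    content: str        # e.g. "login-form", "brand-content", "unrelated", "parked", "none"
    monthly_visits: int
    has_mx: bool        # configured to receive email


# Assumed weights: content that imitates a login page ranks highest.
CONTENT_WEIGHT = {"login-form": 40, "brand-content": 30, "unrelated": 10, "parked": 5, "none": 0}


def triage_score(obs):
    """Higher score means the candidate deserves attention sooner."""
    location = infringement_location(obs.hostname)
    if location is None:
        return 0
    score = 15 if location == "subdomain" else 0  # subdomains carried most malicious activity
    if obs.live_site:
        score += 20 + CONTENT_WEIGHT.get(obs.content, 0)
    if obs.monthly_visits >= 1000:
        score += 20
    elif obs.monthly_visits > 0:
        score += 10
    if obs.has_mx:
        score += 15
    return score


def rank(observations):
    """Return (hostname, score) pairs, most urgent first."""
    scored = [(o.hostname, triage_score(o)) for o in observations]
    return sorted(scored, key=lambda pair: -pair[1])


# Constructed sample candidates; none of these are real findings.
SAMPLE = [
    Observation("examplebank-login.evil-host.net", True, "login-form", 2500, True),
    Observation("examplebank-support.com", True, "parked", 0, False),
    Observation("login.examplebank.com", True, "brand-content", 50000, True),
    Observation("examplebank.secure-update.co.uk", True, "brand-content", 200, False),
    Observation("cdn.files.example-shop.org", True, "unrelated", 900, True),
]

if __name__ == "__main__":
    for hostname, score in rank(SAMPLE):
        print(f"{score:4d}  {hostname}")
```

The owned-domain check mirrors the inventory step described in the text: a hostname under a domain the organization actually owns is dropped before scoring, so legitimate hosts never compete with infringing ones for analyst time.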
When a critical infringing domain or subdomain is found, a Domain Infringement event is created in the workspace which customers can view in their events dashboard and events list inside the RiskIQ web application, in an email alert, or via the RiskIQ events API. This way, you can identify and respond to cyber attacks before they damage your organization.
The RiskIQ platform automatically monitors all suspicious domains and subdomains related to your brands every 48 hours for changes in the content or behavior presented to site visitors, or instantly whenever a Whois or DNS change occurs on the domain between scheduled checks. These observed changes prompt users to re-review previously seen threats against which no action was taken, but which may now warrant a different response based on the changed risk level.
Mitigation workflow built directly into the platform allows users to quickly generate and send the appropriate type of abuse complaint to the registrar, ISP, registrant, or other parties associated with an offending domain or subdomain in order to stop malicious and fraudulent activity. Items are tracked to mark successful resolution of the threat, and follow-up notices are automatically sent for any issues that remain unresolved after a specified period of time, minimizing the manual effort needed to see issues through to completion. All information associated with any threat mitigation action, including the date, sending user, recipients, and the body and attachments of messages sent or received in relation to the incident, is tracked in the RiskIQ platform so that it is centralized in a single location. These streamlined processes let organizations manage mitigations more efficiently and devote more time to preventing future cyber attacks.
Contact us for more information about how RiskIQ can help your organization defend its brand on the open internet and tackle targeted domain infringement cyber attacks.