We are on the brink of the most serious cyber threat to the open and public Internet for decades. ICANN, under pressure from domain name registrars and EU data protection authorities, has proposed an “interim” plan that will hide critical information in WHOIS. Cyber security, cyber threat assessment, and anti-abuse professionals rely on this data to track down bad guys and keep the Internet as safe and secure as possible.
ICANN and the registrars have been going back and forth on ways to align privacy laws with the WHOIS system, which functions as a public “phone book” for Internet domains, recording information that includes the name, email address, street address, and phone number of the company or individual who registered the domain.
For years, there has been an accepted procedure for handling situations in which WHOIS conflicts with privacy law; nobody disputes the importance of protecting the privacy of natural persons. But now, with only sixty days to go before the European Union’s General Data Protection Regulation (GDPR) takes effect, the registrars, who finance ICANN, have pressured ICANN into closing the public phone book altogether, turning the open and public Internet into something resembling a Tor-style darknet. Specifically, ICANN has issued an interim solution nicknamed the “Cookbook,” which proposes completely masking the registrant contact email address, and with it any public record of who is responsible for managing or controlling a resource on the Internet. The Cookbook also proposes masking information for corporations, even though GDPR does not apply to them.
The ability to register domains anonymously is a massive problem for the cyber security of the Internet. Attackers need infrastructure from which to originate their attacks and servers for their malware to communicate with, and they will often register multiple domains at the start of a campaign for use throughout every phase of the operation. Cyber security professionals rely on the WHOIS protocol to query ownership information for a domain, IP address, or subnet. Without this data it becomes significantly harder to rapidly take down phishing sites or compromised domains hosting malware, which together account for the vast majority of cybercriminal activity.
The Cookbook also makes it impossible to see which sites are connected or under the same management or control. For example, if someone in an organization’s marketing department registered a domain using a corporate account without going through the correct internal procedures, and that site did not have the right patches or was not scanned for vulnerabilities, the cyber security team would have no way to know about or fix the problem to protect innocent visitors.
With the registrar business being low-margin, anything that will reduce the cyber security line item on their budget is most welcome, if they can get away with it. Too many registrars would rather conceal the connectedness between domain assets than lose business or deal with reports of malicious activity. GDPR has become the perfect excuse for this because there is always ambiguity when new laws come out. If they can take advantage of this uncertainty to make the domain system more closed and private for their financial gain, they will certainly do it.
The Governmental Advisory Committee (GAC) of ICANN met in San Juan, Puerto Rico in March 2018. The GAC advised the Board to instruct ICANN to maintain the current structure of the WHOIS to the greatest extent possible. The GAC essentially pleaded with the ICANN Board to instruct ICANN that it must reconsider hiding the registrant email addresses from the free phone book, emphasizing (quite diplomatically) that doing so may not be proportionate given the significant adverse impact it would have on law enforcement, cybersecurity, and rights protection.
The GAC appropriately went even further by emphasizing to the ICANN Board that it must instruct ICANN not to erroneously use GDPR, which applies to people, as an excuse to shut down public access to corporate contacts in the phone book, which is not even in the remit of GDPR. As discussed, this unjustifiable over-application of GDPR even prevents companies from protecting their very own infrastructure.
If the phone book must change in some ways, notwithstanding the accepted procedures for handling WHOIS conflicts with privacy laws, then ICANN must ensure that those with a legitimate purpose still have continued access to the contact information needed to protect business and the public until the re-designed phone book is ready for use. You can’t just close the book and tell cyber security professionals, who rely on WHOIS data to keep the Internet safe, to come back when it’s re-designed, potentially months later. It’s entirely unacceptable for ICANN to leave each registrar to decide if and how it will provide continuous access, with no means of enforcement. Continuous access must be mandatory. The phone book also has to be easy to use in today’s world, i.e., not designed with limits that undermine its function in the digital age: if you can only use the phone book manually, or less often than you reasonably need to, then a query-volume limitation is nothing more than a disguised blockade.
Being able to connect the dots for cyber threat intelligence analysis is actually the only way to protect innocent people. For example, it is not uncommon for people’s identities to be compromised for criminal activities. Some may think this means that WHOIS is unreliable if criminals have compromised the domain already, but DNS hijacking is not nearly as common as compromising the domain hosting account. It’s simply not fair to harm innocent people by depriving cyber security analysts of circumstantial evidence that comes from a complete historical and up-to-date context. This is necessary to assess the severity of a cyber threat accurately. Without being able to link domains together, the innocent will suffer, and criminals will get away.
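To make the “connect the dots” argument concrete, here is an added example (not code from the original post or from RiskIQ) that links domains through their WHOIS contact fields and then shows what registrant masking does to that linkage. The WHOIS records are constructed sample text in the common `Key: Value` line format and do not describe real domains or people; the masking routine is a simplified approximation of the interim model, not ICANN’s actual specification. The script clusters domains by registrant email, re-runs the clustering after the registrant fields are replaced with a placeholder, and shows that the only pivot left afterwards (shared name servers) groups an unrelated domain together with the corporate one while missing the genuinely related one.

```python
"""Link domains through WHOIS contact fields, then show the effect of masking.
Added illustration; all WHOIS records below are constructed, not real."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed WHOIS responses (assumed "Key: Value" layout; sample data only).
SAMPLE_WHOIS = {
    "shop-deals.example": (
        "Domain Name: SHOP-DEALS.EXAMPLE\n"
        "Registrar: Example Registrar, Inc.\n"
        "Creation Date: 2018-02-01T10:00:00Z\n"
        "Registrant Organization: Example Corp\n"
        "Registrant Email: hostmaster@example-corp.test\n"
        "Name Server: NS1.EXAMPLE-HOST.TEST\n"
        "Name Server: NS2.EXAMPLE-HOST.TEST\n"
    ),
    "promo-signup.example": (
        "Domain Name: PROMO-SIGNUP.EXAMPLE\n"
        "Registrar: Other Registrar LLC\n"
        "Creation Date: 2018-02-03T09:30:00Z\n"
        "Registrant Organization: Example Corp\n"
        "Registrant Email: hostmaster@example-corp.test\n"
        "Name Server: NS1.CHEAP-DNS.TEST\n"
    ),
    "unrelated-blog.example": (
        "Domain Name: UNRELATED-BLOG.EXAMPLE\n"
        "Registrar: Example Registrar, Inc.\n"
        "Creation Date: 2017-11-20T12:00:00Z\n"
        "Registrant Organization: Someone Else Ltd\n"
        "Registrant Email: admin@someone-else.test\n"
        "Name Server: NS1.EXAMPLE-HOST.TEST\n"
    ),
}

# Values that mean "withheld by the registrar" rather than a real contact.
# (A registrar literally named "... Privacy ..." would be skipped too; acceptable here.)
REDACTED_RE = re.compile(r"redacted|data protected|not disclosed|privacy", re.I)

# Registrant fields the simulated masking replaces (assumed list).
MASKED_FIELDS = ("registrant name", "registrant organization", "registrant email",
                 "registrant street", "registrant phone")


def parse_whois(text: str) -> dict[str, list[str]]:
    """Parse 'Key: Value' lines into lowercase key -> list of values.
    Repeated keys (several Name Server lines) accumulate; comment and
    legal-notice lines are ignored."""
    fields: dict[str, list[str]] = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        value = value.strip()
        if value:
            fields[key.strip().lower()].append(value)
    return dict(fields)


def cluster_by(records: dict[str, str], field: str) -> dict[str, list[str]]:
    """Group domains that share a usable value for `field`.
    Redacted placeholders are skipped: otherwise every masked domain would
    fall into one meaningless 'REDACTED FOR PRIVACY' cluster."""
    groups: dict[str, set[str]] = defaultdict(set)
    for domain, text in records.items():
        for value in parse_whois(text).get(field, []):
            if REDACTED_RE.search(value):
                continue
            groups[value.lower()].add(domain)
    return {v: sorted(d) for v, d in groups.items() if len(d) > 1}


def mask_registrant(text: str) -> str:
    """Simulate registrant masking (constructed approximation of the interim
    model): replace each registrant contact value with a placeholder."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition(":")
        if sep and key.strip().lower() in MASKED_FIELDS:
            line = f"{key}: REDACTED FOR PRIVACY"
        out.append(line)
    return "\n".join(out) + "\n"


def compare_linkage(records: dict[str, str], field: str = "registrant email"):
    """Return (clusters before masking, clusters after masking) for `field`."""
    masked = {d: mask_registrant(t) for d, t in records.items()}
    return cluster_by(records, field), cluster_by(masked, field)


if __name__ == "__main__":
    before, after = compare_linkage(SAMPLE_WHOIS)
    print("linked by registrant email, before masking:", before)
    print("linked by registrant email, after masking: ", after)
    masked = {d: mask_registrant(t) for d, t in SAMPLE_WHOIS.items()}
    print("only surviving pivot (name server):", cluster_by(masked, "name server"))
```

Before masking, the registrant email ties `shop-deals.example` and `promo-signup.example` to the same organization, which is exactly the link a security team needs to find the marketing department’s unmanaged domain. After masking, the email and organization pivots yield nothing, and the remaining name-server pivot puts `shop-deals.example` next to an unrelated domain on the same hosting provider while missing the related one.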
To repeat, we are on the brink of the most serious cyber threat to the open and public Internet for decades. We must step up to the plate and not get complacent about this. Too much is at stake. We need a temporary policy in place at ICANN that recognizes there is no privacy without cyber security. And that means ICANN must have a way to hold registrars accountable if they abuse GDPR as an excuse to cripple WHOIS.
We at RiskIQ value our relationship with ICANN staff too, and we recognize that it takes courage to admit that both ICANN’s management and the multi-stakeholder model do not appear to be working here—or at least that there’s a risk they won’t work in time. There are politics for everyone involved, but together, we can collectively demand that ICANN step away from this reckless and short-sighted plan.
There are only a few days left. If we aren’t willing to hold ICANN accountable, then we are accountable for not standing our ground. After all, we are ICANN. So now it’s time to decide if you’re willing to stand your ground to fight for what’s right. RiskIQ has written a letter to the ICANN leadership expressing our concern. This is a developing story with recent updates published here.
We invite you to support this effort by signing a letter similar to the one submitted to ICANN. You can fill out the brief form below the letter to lend your support for this important policy issue that affects us all. The clock is ticking.