Want to stop phishing? Embrace DNS analysis

5th July 2019


Stuart Reed
VP, Products

Phishing attacks are almost as old as the internet, but the age of the tactic doesn’t make it any less potent. Over time, phishing has become more sophisticated as criminals have strived to stay one step ahead of security teams. Responsible for countless data breaches and malware downloads, phishing cost businesses an eye-watering $9bn in 2018 alone.

Exploiting the Domain Name System

One of the ways in which bad actors stay one step ahead is by registering new domain names from which to launch attacks. A phishing site needs a domain name, and that name is registered through a registrar and published in the internet’s Domain Name System (DNS). By registering thousands of new domains, criminals stay ahead of the blocklists that browsers, mail filters and registrars use to cut off phishing content. The time between a domain being registered and it being identified as malicious, which this article calls ‘dwell time’, is the criminals’ window of opportunity and the period of most danger for organisations.

The sheer scale of the phishing challenge is a real cause for concern for security teams in organisations big and small. It is thought that a new phishing site is created every 15-20 seconds, around 4,000 a day. A newly-observed domain (NOD) is one that a resolver sees queried for the first time, and a newly-registered phishing domain becomes a NOD the moment a victim first visits it. Many of these domains will be live for hours or days before they reach a blocklist. Until then, they represent a clear and present danger to organisations.

Can you block everything?

An obvious tactic would be to block all new domains until they have been allowlisted. The disadvantage of that approach is that it gets in the way of normal work. At a time when agile working and digital transformation are of paramount importance, anything that adds a delay can be counter-productive.

A better method is to check each domain at the moment it is first observed for signs that it is intended for criminal purposes. Phishing sites leave a footprint in their DNS profile, such as the name itself and the records it resolves to, so security teams can introduce an analytics capability that watches their own resolvers for NODs.

Adding suspicious domain blocking

The key is for organisations to analyse the DNS queries leaving their network at a granular level and in real time. Machine learning models trained on known phishing domains can assess the likelihood that a NOD is malicious and assign it a score.

The security team can then implement policies and controls that automatically block web traffic to NODs scoring above a chosen threshold, until the domain is either cleared or placed on a blocklist. The same technique can be used to identify and block email sent from newly-registered domains.

In addition, because blocking is under the organisation’s own control, resolution is quick when a suspicious domain turns out to be legitimate. It may also be that the domain is malicious but needs to be accessed for forensic purposes. In both cases the security team can restore access in seconds.
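The pipeline described in the three paragraphs above (score each domain the first time your resolver sees it, block above a threshold, let an analyst restore access) as an added example. This is not code from the original article or from Nominet’s NTX platform: the query log lines, the keyword and TLD lists, the scoring weights, the 72-hour NOD window and the 0.6 threshold are all constructed assumptions, and the heuristic scorer stands in for the machine learning model the article describes.

```python
"""Added example, not code from the original article or from Nominet's NTX
platform: a toy newly-observed-domain (NOD) policy engine that replays an
outbound DNS query log, scores each registrable domain the first time it is
seen and blocks those over a threshold. The log lines, keyword and TLD lists,
scoring weights, 72-hour NOD window and 0.6 threshold are all constructed
assumptions for illustration."""
import math
from collections import Counter

# Constructed outbound DNS query log: (unix_time, client_ip, queried_name)
SAMPLE_LOG = [
    (1562284800, "10.0.0.11", "www.example.com"),
    (1562284801, "10.0.0.12", "login-secure-paypa1-verify.xyz"),
    (1562284802, "10.0.0.13", "xj2k9q0d.top"),
    (1562284803, "10.0.0.14", "partner-portal.example.org"),
    (1562284804, "10.0.0.12", "login-secure-paypa1-verify.xyz"),
]

KNOWN_DOMAINS = {"example.com"}               # assumed: domains the resolver has seen before
NOD_WINDOW_SECONDS = 72 * 3600               # assumed: how long a domain counts as "new"
BLOCK_THRESHOLD = 0.6                        # assumed policy threshold on the score
BRAND_TOKENS = ("paypal", "microsoft", "login", "secure", "verify", "account")
SUSPICIOUS_TLDS = {"xyz", "top", "tk", "gq"}  # constructed list, not a real feed
LEET = str.maketrans("10345", "loase")        # undo digit-for-letter substitutions


def registrable_domain(qname):
    """Crude eTLD+1: the last two labels. Real code should use the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than dictionary words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_domain(domain):
    """Heuristic stand-in for the ML scorer the article describes: 0 = benign, 1 = suspicious."""
    label, _, tld = domain.partition(".")
    bare = label.replace("-", "") or "x"
    score = 0.0
    if shannon_entropy(bare) > 2.9:                          # random-looking label
        score += 0.3
    if sum(ch.isdigit() for ch in bare) / len(bare) > 0.2:   # digit-heavy label
        score += 0.2
    score += 0.1 * min(label.count("-"), 3)                  # hyphen-stuffed label
    hits = sum(tok in bare.translate(LEET) for tok in BRAND_TOKENS)
    score += 0.15 * min(hits, 3)                             # brand and login bait
    if tld in SUSPICIOUS_TLDS:
        score += 0.2
    return min(score, 1.0)


class NodFilter:
    """Tracks first-seen time per registrable domain and applies the block policy."""

    def __init__(self, known=KNOWN_DOMAINS):
        self.first_seen = {d: 0 for d in known}   # seed known domains as long-established
        self.scores = {}
        self.allowlist = set()                     # analyst overrides

    def decide(self, ts, client_ip, qname):
        """Return (action, reason) for one query; client_ip is kept only for logging."""
        domain = registrable_domain(qname)
        if domain in self.allowlist:
            return "allow", "analyst override"
        if domain not in self.first_seen:           # first sighting: this is a NOD
            self.first_seen[domain] = ts
            self.scores[domain] = score_domain(domain)
        if ts - self.first_seen[domain] >= NOD_WINDOW_SECONDS:
            return "allow", "not a NOD"
        score = self.scores[domain]
        if score >= BLOCK_THRESHOLD:
            return "block", f"NOD score {score:.2f}"
        return "allow", f"NOD score {score:.2f}"

    def override(self, domain):
        """Restore access when a blocked NOD is legitimate or needed for forensics."""
        self.allowlist.add(domain)


def run_log(log, nod_filter=None):
    """Replay a query log and return [(qname, action, reason)]."""
    f = nod_filter or NodFilter()
    return [(qname, *f.decide(ts, ip, qname)) for ts, ip, qname in log]


if __name__ == "__main__":
    for qname, action, reason in run_log(SAMPLE_LOG):
        print(f"{action:5} {qname:35} {reason}")
```

Replaying the constructed log blocks the brand-bait and random-label NODs while letting the unseen but innocuous `example.org` through, which is the point of scoring rather than blocking every new domain; `override()` is the in-house restore path, and `NOD_WINDOW_SECONDS` is the crude equivalent of waiting for a domain to age out of "new".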

High-level data science

The approach may look simple (block traffic to new domains that look suspicious) but it is effective: it neutralises attacks that depend on the gap between a phishing site going live and its being identified and added to blocklists. The part that isn’t simple is telling which new domains are likely to be used for malicious purposes, rather than blocking every new domain.

This requires intensive, continual research by cyber security experts and data science teams – observing criminal trends and techniques and continuously evolving the detection, learning and prediction algorithms.

Stay safe with Nominet

Nominet has those skills and expertise, and organisations can access them in the form of the NTX cyber security platform. This adds a new layer of analytics to their existing security capabilities. Phishing has historically been an intractable challenge, but new DNS-based approaches to security offer a new and formidable weapon for cyber security teams.

If you would like more information on the threat posed by phishing attacks and see how these can be combated through proactive DNS-based security, why not arrange a no-obligation demonstration?
