New tools deter hackers from using domain names to deliver attacks

Companies can receive real-time warning before internet identifiers are used in malicious ways


Manipulation of a targeted company’s domain name for malicious purposes is something cyber criminals do all too routinely.

By slightly altering an organization’s legit domain name, or by redirecting someone trying to navigate to that company’s website to a rogue server, criminals can execute an array of scams, such as phishing, click fraud, brandjacking or typosquatting.


Paul Vixie, the creator of several Domain Name System (DNS) protocol extensions and applications on which the internet is built, today heads up a security firm, Farsight Security Inc., dedicated to helping companies combat DNS abuse.

ThirdCertainty caught up with Vixie at the Black Hat cybersecurity conference earlier this month. We spoke to him about two new Farsight services, Brand Sentry and Domain Sentry. The former helps identify phishing and counterfeiting; the latter helps companies monitor and be alerted to any changes to their domain or IP addresses that might signal an attack. Text edited for clarity and length.

3C: Did you ever imagine DNS would be manipulated and exploited at this level?

Paul Vixie, internet pioneer and Farsight Security Inc. founder

Vixie: When DNS was first standardized in 1984, the network was a bunch of government contractors, mostly universities and various government research organizations. All their employees were trustworthy and all very polite. DNS was designed with that in mind.

So as the internet grew and became the commercial behemoth that it is today, it, of course, has to allow anyone to have access. Anyone can buy a domain name. Anyone can get an IP address and put a server on the network. And there’s no function by which people who are using the internet maliciously can be disconnected from it.

3C: How does Farsight identify the malicious stuff going on?

Vixie: DNS activities don’t look malicious. It’s not being used to do a denial of service attack, or to exercise vulnerabilities. The DNS is being used in order to help deliver attacks against us. (Criminals) need reliable DNS for bad purposes the way we all need reliable DNS for good purposes. We’re looking for attacks that happen to leverage features of the DNS.

3C: So you’re paying very close attention to patterns, using algorithms?

Vixie: We’re not going to beat the bad guys with math. Almost everything we do is traditional data processing as it’s been practiced for 50 years, except that we do it all in real time. It turns out that we know how to find strings of characters, something we’ve known how to do for years. So we didn’t have to invent anything; we’re just applying age-old techniques in this modern context of real-time DNS analysis.

3C: So how do your new services bring this to bear?

Vixie: To connect to Brand Sentry, the customer has to tell us the set of brand names that they wish to protect. And then we will look for suspicious-looking variations on those names in parts of domain names and other parts of our real-time stream. You can get anomalies back from us in real time. Similarly with Domain Sentry, if you give us your list of domain names, we can tell you anytime we see your internet identifiers, if we see them used in an anomalous, red-flag way. We will send you what we saw, and tell you why we think it’s suspicious.
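The brand-variation matching Vixie describes, sketched as an added example: it is not Farsight's code, and the brand list, owned-domain list and observed names are constructed sample data standing in for a real-time DNS feed. Each label of an observed name is compared against the brand exactly, after folding common look-alike substitutions, and by edit distance, and every hit carries the reason it was flagged.

```python
# Constructed sample observations, as a passive DNS feed might deliver them
# (hypothetical names; not real Farsight data).
OBSERVED = [
    "www.examplebank.com",                # owned: must not alert
    "login.examp1ebank-secure.net",       # digit-for-letter, brand embedded
    "exarnplebank.com",                   # 'rn' standing in for 'm'
    "example-bank.verify-account.info",   # hyphen inserted into the brand
    "cdn.unrelated-site.org",             # no relation: must not alert
    "examplebamk.co",                     # one-character typo
]
BRANDS = ["ExampleBank"]          # what the customer asks to protect
OWNED = ["examplebank.com"]       # the customer's own domains (whitelist)

def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label):
    """Fold look-alike substitutions so 'examp1e', 'exarnple' and 'examp-le' all read 'example'."""
    return (label.replace("rn", "m").replace("1", "l").replace("0", "o")
            .replace("vv", "w").replace("-", ""))

def brand_hits(domain, brands, max_dist=1):
    """Return (label, brand, reason) for each domain label that is a variation of a brand.
    Edit distance is only a sensible signal for brands longer than a few characters."""
    hits = []
    for label in domain.lower().split("."):
        for brand in brands:
            b, nb, nl = brand.lower(), normalize(brand.lower()), normalize(label)
            if label == b or b in label:
                hits.append((label, brand, "brand string present in label"))
            elif nl == nb or nb in nl:
                hits.append((label, brand, "look-alike substitution"))
            elif levenshtein(label, b) <= max_dist:
                hits.append((label, brand, "edit distance <= %d" % max_dist))
    return hits

def scan(observed, brands, owned):
    """Alert on every observed name outside the owned domains that carries a brand variant."""
    alerts = []
    for domain in observed:
        if any(domain == d or domain.endswith("." + d) for d in owned):
            continue
        alerts.extend((domain,) + hit for hit in brand_hits(domain, brands))
    return alerts
```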

3C: How do your customers leverage this intelligence?

Vixie: Generally, a company that cares about this has already made an investment in some kind of a log management thing, like Splunk or Maltego. It might be orchestration software from Phantom. What we can do is plug directly into that API and feed our observations into all of the software and hardware that you’ve already invested in.

3C: And there is a lot of malicious activity moving on any given day?

Vixie: Every day, we see two new domain names bought up every second. At least half of them will be dead in less than a day because they were crafted for a particular attack against a particular entity. They get taken down when that entity complains, and then the bad guys just buy more. The vast majority of new DNS data creation events are for malicious purposes.

See more stories related to domain names:
Easy creation of domain names by hackers leaves SMBs dangerously exposed
Vulnerabilities still leave DNS—and businesses—wide open to attack
What’s in a (domain) name? For generic TLD hackers, a lot