As cyberrisks continue to increase, organizations and cyber insurers face greater challenges in quantifying them and addressing their capacity for harm. Seemingly every day, we learn about new developments involving supply chain attacks, ransomware and business email compromises, bringing additional layers of complexity with regard to what coverage they require and how to stop them.
One way that risk managers, compliance officers and other executive leaders can mitigate many of the existing and emerging attacks is to focus on an often-overlooked target in security: web domains. More than seven of 10 organizations have experienced a domain name system (DNS) attack within the last 12 months, with 58% of the impact reaching “significant” levels. As awareness of domain security issues grows, cyber insurance providers may start holding companies accountable for the quality and rigorousness of their domain defense strategies and proactive approaches. Therefore, risk managers and compliance officers must work with security leaders to protect their companies and brands from domain incidents before they get started.
There are two key reasons why web domain security is important. First, web domain attacks can enable other attacks. It is easy to register fake domain names containing trusted brand names, which has resulted in a systemic surge of phishing and related fraud online. When coupled with breaches of top cloud providers and domain registrars hampered by poor domain security hygiene, this can lead to the weaponization of millions of domains and associated subdomains with one attack. According to research from the Interisle Consulting Group, criminals behind spam, malware, and botnet attempts are targeting domain names for threat resource acquisition.
Second, domain names are a critical component of a brand’s external attack surface. Adversaries know that domains represent the digital “front door” that customers and business partners associate with a company’s products, email communications and corporate persona. Organizations may overlook domain protection because they take this component of their security posture for granted. But when adversaries launch successful takeovers of domains, they essentially acquire the keys to the kingdom. They are now free to intercept emails and user/customer interactions as they wish, and send traffic to their malicious sites. The resulting chronic abuse of domains adds another layer of significant risk that can impact the security posture, risk level, consumer safety, intellectual property and revenue of victim companies.
Risk managers and compliance officers can help their organization better defend its domains by following these six steps:
1. Establish a defense-in-depth strategy. This remains the most indispensable component of a risk management initiative for domains, and needs to include the implementation of domain registry locks, which confirm any requested changes with the domain owner, to eliminate unauthorized and potentially harmful changes to the domain. CSC research found that 81% of global brands do not use registry locks. They are also not deploying additional, critical components of defense-in-depth/risk management such as enforcing multifactor authentication (MFA). This should apply to systems supporting domain names, DNS records and digital certificates to reduce the risk of compromise.
Additionally, 95% are not leveraging domain name system security extensions (DNSSEC), which authenticate communications between DNS servers. Without DNSSEC, adversaries can hijack any step of the DNS lookup process and take control of a browsing session, redirecting users to their phony, ill-intended websites. Only one-half deploy domain-based message authentication, reporting and conformance (DMARC), which protects an email domain from spoofing, phishing and other cyber scams via email server reports identifying possible authentication issues and malicious activity.
2. Upgrade domain registrars. Companies should assess domain registrars and select enterprise-class ones, which typically incorporate defense-in-depth safeguards, along with DNS redundancy to provide a backup DNS to boost resiliency. Unfortunately, CSC research reveals that the majority of companies are still using consumer-grade registrars that do not focus on domain security or brand protection. In addition, there are marketplaces that auction and sell domain names—including trademarks and brands—to the highest bidder, which has resulted in an increase in the use of malicious domains for phishing.
Enterprise-class registrars offer another advantage in the form of certificate authority authorization (CAA) records, which allow a company to designate a specific certificate authority as the sole issuer of certificates for the company’s domains. If a hacker does not use the appointed authority to get a new certificate, their request will fail, and the intended victim company will receive an alert that someone tried to request a new certificate outside of its CAA policy. However, a mere 5% of brands use CAA records—a figure that would improve dramatically with the greater adoption of enterprise-class registrars.
Additional research from CSC and cybersecurity ratings provider SecurityScorecard found that companies that use enterprise-class domain registrars scored one-half to a full letter grade higher for security than those that do not. This research validates the use of proactive domain security measures as part of cyber insurance underwriting guidelines and cybersecurity policies to address attacks at the source.
3. Incorporate zero trust. Zero trust has emerged as a top defense strategy for organizations today. Through zero trust, they seek to implement policies and practices that support a “never trust, always verify” authorization culture, such as the enforcement of least privilege by limiting access to solely what is needed to perform an approved/authorized function. But zero trust must extend beyond business systems, applications and devices, and include a company’s domain ecosystem.
4. Play “prevent defense.” To borrow a sports analogy, this refers to the proactive registration of domains that could be high-value targets such as homoglyphs (domain names that are confusingly similar to legitimate brand domain names, a.k.a. intentionally “fuzzy matches”), typos or key country domains. Adversaries could target these registrations as part of their attack plan, so some prevent defense here will keep them from doing so.
5. Monitor domain and DNS activity regularly. This will identify incidents in which a brand or company name is registered in a domain name by a third party, and/or domains are compromised for phishing, brand abuse and other fraudulent activity. Similar monitoring should apply to key digital channels like marketplaces, apps, social media and email.
6. Get tough on global enforcement. Organizations may consider a number of technical and legal tactics to limit, block or take down fake domains. Similar actions may be considered via marketplace delistings, social media page suspensions, mobile app delistings, cease and desist letters, fraudulent content removal, and complete threat vector mitigation.
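The monitoring described in steps 4 and 5 can be sketched as a triage pass over newly observed registrations. This is an added example, not code from the article or from CSC; the brand `example.test`, the `OBSERVED` list and the small `CONFUSABLES` map are constructed for illustration, and domains are assumed to be in `label.tld` Unicode form.

```python
# Added example: classify observed domains that imitate a brand domain.
# CONFUSABLES is a small illustrative map, not the full Unicode confusables table.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"}  # Cyrillic

# Constructed sample feed of newly seen registrations.
OBSERVED = ["example.test", "examp1e.test", "exampe.test",
            "example.invalid", "unrelated.test", "ex\u0430mple.test"]

def skeleton(label):
    """Fold visually confusable characters to one canonical form."""
    label = label.lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) using one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(candidate, brand):
    """Return 'other-tld', 'homoglyph', 'typo', or None for an observed domain."""
    candidate, brand = candidate.lower(), brand.lower()
    if candidate == brand:
        return None                    # the brand's own domain
    c_label = candidate.split(".", 1)[0]
    b_label = brand.split(".", 1)[0]
    if c_label == b_label:
        return "other-tld"             # same name under another TLD or country code
    if skeleton(c_label) == skeleton(b_label):
        return "homoglyph"             # looks the same after folding confusables
    if edit_distance(c_label, b_label) <= 1:
        return "typo"                  # one keystroke away from the brand
    return None

def triage(observed, brand):
    """Map each suspicious domain to the reason it was flagged."""
    hits = {d: classify(d, brand) for d in observed}
    return {d: reason for d, reason in hits.items() if reason}
```

Each flagged domain is a candidate for defensive registration or for the enforcement actions in step 6.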
Domains serve as a lifeline of businesses today, impacting website, e-commerce, app and email activity of all kinds. As risk managers and compliance officers work closely with IT/security leaders to fortify systems, devices and users, they must also focus on comprehensive strategies and measures to strengthen domain security as their first line of defense.
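The record-level controls named in steps 1 and 2 (DNSSEC, DMARC and CAA) can be checked mechanically. The following is an added example, not code from the article; `RECORDS` is constructed sample data in `name type rdata` form, and the domains, CA name and digest placeholder in it are made up.

```python
# Added example: audit DNS records for DNSSEC, DMARC and CAA. RECORDS is constructed.
RECORDS = """\
example.test.          DS    12345 13 2 <digest-placeholder>
example.test.          CAA   0 issue "ca.example"
example.test.          CAA   0 iodef "mailto:security@example.test"
_dmarc.example.test.   TXT   "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
_dmarc.weak.test.      TXT   "v=DMARC1; p=none"
"""

def parse(text):
    """Return (owner, rtype, rdata) tuples from zone-style lines."""
    rows = [line.split(None, 2) for line in text.splitlines() if line.strip()]
    return [(n.lower().rstrip("."), t.upper(), r.strip()) for n, t, r in rows]

def dmarc_policy(rows, domain):
    """Return the p= tag of the domain's DMARC record, or None if absent."""
    for name, rtype, rdata in rows:
        txt = rdata.strip('"')
        if name == "_dmarc." + domain and rtype == "TXT" and txt.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            return tags.get("p", "").lower() or None
    return None

def caa_tags(rows, domain):
    """Map each CAA tag (issue, issuewild, iodef) to its list of values."""
    tags = {}
    for name, rtype, rdata in rows:
        if name == domain and rtype == "CAA":
            _flags, tag, value = rdata.split(None, 2)
            tags.setdefault(tag.lower(), []).append(value.strip('"'))
    return tags

def audit(text, domain):
    """Return a list of findings; an empty list means every check passed."""
    rows, findings = parse(text), []
    if not any(n == domain and t == "DS" for n, t, _ in rows):
        findings.append("no DS record: zone is not DNSSEC-signed from the parent")
    policy = dmarc_policy(rows, domain)
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is {policy or 'missing'}: not enforced")
    caa = caa_tags(rows, domain)
    if not caa.get("issue"):
        findings.append("no CAA issue record: issuance for this name is unrestricted")
    if not caa.get("iodef"):
        findings.append("no CAA iodef record: no address for violation reports")
    return findings
```

A DMARC record with `p=none` only collects reports, so the audit treats it as not enforced.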