Enterprises, Internet hosting providers and domain registration companies need to step up their defences to prevent attackers from creating or seizing domains for spreading malware, says a vendor.
“There are things around account control and the ability to deal with abuse complaints quickly and effectively that just need to get better,” said Lars Harvey, vice-president security strategy at Infoblox. That includes enterprises and hosting providers limiting privileged accounts and toughening passwords to Web sites, he said.
But he also said hosting providers aren’t taking down malicious content at dangerous domains fast enough. “The fact of the matter is that many hosting providers can be slow to respond, allowing exploits to propagate for considerably longer than they should. This should be a key area of focus for improvement.”
He made the comments as Infoblox — which sells solutions that protect domain name system (DNS) infrastructure — issued its Q4 2015 DNS Threat Index Report on Wednesday. The report not only showed a rise in malicious domain name creation, it also found that the overwhelming majority of those bad domains in the period were located in the U.S.
The United States hosted 72 per cent of newly observed malicious domains and related infrastructure (servers, storage, networking equipment, etc.) used to launch cyberattacks. Only one other country of origin, Germany at just under 20 per cent, registered above 2 per cent.
The report pointed out that the attackers themselves may be in other countries, but have taken over infrastructure elsewhere to hide their origins.
But it also says the list can be an indication of which countries tend to have lax regulations, lax policing, or both. “Identification of those countries helps shine a light on needed improvements,” the report said.
Harvey said the U.S. is likely the leading target simply because its infrastructure is leading edge — and, as a rich country, the potential victims are there.
Steven Barry, director of IT at the Canadian Internet Registry Authority (CIRA), which oversees the .ca domain, said in an interview that CISOs need to work with their domain registrar to leverage the security tools it provides. Some registrars, like CIRA, offer domain lock capabilities, which prevent a domain from being changed without verification.
Otherwise, Barry said, “the main advice is boring — keep systems up to date,” including patching.
The Infoblox report reflects evidence from other sources. For example, this week's McAfee Labs Threats Report (March 2016) said that during the quarter 32 per cent of botnet control servers discovered were in the U.S., followed by Germany (8 per cent), Russia and the Netherlands (5 per cent each) and France (4 per cent). A combined group of unnamed countries, grouped as “other,” accounted for 37 per cent.
The domain name system (DNS) ties domain names (such as www.thiscompany.com) to IP addresses. Because IP addresses can be blacklisted, attackers try to take over domains and either change the underlying address or set up malicious sub-domains (also called shadow domains) underneath them.
As a result, Harvey said, “you can’t just rely on blocking IP addresses to prevent your people on your network from going to all the bad things that are out there.”
Previous reports have shown a somewhat regular up-and-down cycle of malicious domain creation, which Infoblox dubs the “planting and harvesting” cycle — suggesting attackers spend two or three quarters creating the bad domains, then a quarter exploiting them — although overall malicious activity doesn’t change.
But Q4 2015 “saw a relative increase to pretty high levels of activity” from Q3, Harvey said. In fact it was relatively high for all of 2015 (although the report only goes back to 2013). The fourth quarter surge could be an anomaly, or it could mean the pace of bad domain creation is picking up.
“A lot was driven by the spread of exploit kits,” he said, “and there are various techniques that the spreaders use and one is domain shadowing, where they create new hostings — they compromise accounts at domain registrars and they create new sub-domains underneath those.”
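As an added illustration of the shadow-domain technique Harvey describes and of why IP blocklists miss it, here is defender-side detection logic written for this article (not code from Infoblox or the report). The domain, addresses and passive-DNS-style records are constructed; the apex-domain extraction is a naive two-label assumption.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed passive-DNS style records: (first_seen_day, hostname, resolved_ip).
# Hypothetical domain and addresses, not taken from the Infoblox report.
RECORDS = [
    (1, "example-shop.test", "203.0.113.10"),
    (1, "www.example-shop.test", "203.0.113.10"),
    (2, "mail.example-shop.test", "203.0.113.20"),
    (40, "x7kq2.example-shop.test", "198.51.100.77"),  # new label, new hosting
    (40, "login.example-shop.test", "203.0.113.10"),   # new label, same hosting
    (41, "a9z1b.example-shop.test", "198.51.100.78"),  # new label, new hosting
]


def registered_domain(host):
    """Naive apex extraction: last two labels (assumption; ignores public suffixes)."""
    return ".".join(host.split(".")[-2:])


def baseline_networks(records, baseline_days):
    """Per registered domain, the /24 networks its hosts resolved to in the baseline window."""
    nets = defaultdict(set)
    for day, host, ip in records:
        if day <= baseline_days:
            nets[registered_domain(host)].add(ip_network(f"{ip}/24", strict=False))
    return nets


def shadow_candidates(records, baseline_days=30):
    """Flag hostnames first seen after the baseline whose address lies outside every
    network the parent domain used before. A shadow sub-domain sits under a legitimate,
    well-reputed domain but points at hosting the domain never used, so the domain's
    reputation is clean while the IP is new and not yet on any blocklist."""
    nets = baseline_networks(records, baseline_days)
    first_seen = {}
    for day, host, _ in records:
        first_seen.setdefault(host, day)
    flagged = set()
    for day, host, ip in records:
        if first_seen[host] <= baseline_days:
            continue  # known host; address changes are a separate check
        addr = ip_address(ip)
        if not any(addr in net for net in nets[registered_domain(host)]):
            flagged.add(host)
    return sorted(flagged)


if __name__ == "__main__":
    print("shadow-domain candidates:", shadow_candidates(RECORDS))
```

A production version would replace the two-label apex rule with a public-suffix list and add the parent domain's registrar change history, since the report's point is that the sub-domains are created through compromised registrar accounts.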
The Infoblox report said the Angler exploit kit continues to lead DNS exploit kit activity, while RIG — an older kit that had been far back in the pack in usage during previous quarters — is now number two.
During 2015 RIG began using domain shadowing techniques similar to those pioneered by Angler to defeat reputation-based blocking strategies, the report says. Infoblox adds this indicates that as exploit kits are updated in coming years, there may be a reappearance of past threats in a new guise or location.