Many online activities relate back to domain names in one way or another, and that activity yields rich insight. But how can you take advantage of this intelligence? This blog post discusses applications across multiple areas of the industry: defenders, network administrators, email administrators, and email senders.

A quick recap on domain reputation

If you’re unfamiliar, a good place to start is our beginner’s guide to domain reputation. In essence, threat intelligence data provides a valuable indicator of if, when, and how you should engage with a domain.

As with any form of reputation, domain reputation is not binary, i.e., excellent or terrible. There are all shades of grey between. Gaining context behind the reputation score enables effective protection, prioritization, and mitigation.

There are multiple use cases, but before we dig in, there’s an important distinction to note. Think of domain reputation as having two ‘levels’:

  1. A simple ‘yes’ or ‘no’ indicator of whether it’s safe to engage with the domain. This data is best suited to blocking connections, for example in mail filters and DNS resolvers.
  2. Context-rich metadata providing dynamic threat intelligence. This is best suited to aiding investigations, monitoring trends, informing decisions, and prioritizing.

Domain reputation for defenders

For Security Operations Centers (SOCs), it’s fundamental to identify and prioritize relevant threats and risks. But with so many risks and often underfunded departments, there’s real pressure to deliver efficiently with limited resources. Domain reputation data is a cost-effective asset here. Here’s why:

Prioritize live threats 

Take malware on your network attempting a connection to download another module. It’s set up to attempt hundreds of connections, most of them to benign websites, to obscure the one connection that matters: the malicious host.

Using domain reputation, you can score every domain in the log. Out of hundreds of connections, it highlights in real time which domains are known-bad, and supplies details of the malicious activity: the associated behavior, when it was last seen, related IPs, and more. One caveat: a domain with no listing has no verdict either way, so treat “unknown” as lower priority rather than as clean. This intelligence frees analysts from manual triage and lets remediation start quickly, prioritized by what is actually malicious.
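
The triage described above, as an added example that is not part of the original post and not Spamhaus code: a constructed proxy log is scored against a constructed reputation table (hypothetical verdicts on reserved .example names) standing in for a reputation API. The lookup walks up from the host name to its parent domains, so a listing of the registrable domain also catches its subdomains, and destinations with no record are reported separately from confirmed hits.

```python
"""Triage a connection log against a domain reputation source.

Added example for this post, not code from Spamhaus or the original article.
REPUTATION is a constructed stand-in for the metadata a reputation API returns
(hypothetical verdicts on reserved .example names); LOG is a constructed log.
Swap the dictionary for a real lookup to use it on live data.
"""
from collections import Counter

# Constructed reputation records: registrable domain -> metadata. A real feed
# also carries related IPs, first-seen dates and similar context.
REPUTATION = {
    "bad-cdn-updates.example": {"verdict": "malicious", "behavior": "malware dropper", "last_seen": "2023-03-27"},
    "c2.panel-login.example":  {"verdict": "malicious", "behavior": "botnet C&C", "last_seen": "2023-03-28"},
    "example.org": {"verdict": "benign"},
    "example.net": {"verdict": "benign"},
    "example.com": {"verdict": "benign"},
}

# Constructed proxy log: "<timestamp> <client> <destination host> <bytes>".
LOG = """\
2023-03-28T09:14:02Z 10.0.0.15 www.example.org 5120
2023-03-28T09:14:03Z 10.0.0.15 cdn.example.net 2048
2023-03-28T09:14:03Z 10.0.0.15 dl.bad-cdn-updates.example 81920
2023-03-28T09:14:05Z 10.0.0.15 api.example.com 300
2023-03-28T09:14:06Z 10.0.0.15 telemetry.unknown-vendor.example 128
2023-03-28T09:14:06Z 10.0.0.15 c2.panel-login.example 96
2023-03-28T09:14:08Z 10.0.0.15 dl.bad-cdn-updates.example 81920
2023-03-28T09:14:09Z 10.0.0.15 status.example.org 512
"""


def candidate_names(fqdn):
    """Yield the host name and each enclosing domain, most specific first,
    stopping before the bare TLD (dl.a.example -> dl.a.example, a.example)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def lookup(fqdn, reputation=REPUTATION):
    """Return (listed_name, record) for the closest listing covering fqdn, else None.
    Matching parents means www.bad.example is caught by a listing of bad.example."""
    for name in candidate_names(fqdn):
        if name in reputation:
            return name, reputation[name]
    return None


def triage(log_text, reputation=REPUTATION):
    """Score every destination in the log.

    Returns (hits, unknown): hits are listed-malicious destinations with their
    metadata, ordered by connection count; unknown are destinations with no
    record at all. Unknown is not the same as benign: nobody has a verdict yet,
    so those still merit a look once the confirmed hits are handled."""
    counts = Counter()
    for line in log_text.strip().splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # tolerate malformed lines rather than abort the triage
        counts[fields[2].lower().rstrip(".")] += 1

    hits, unknown = [], []
    for host, n in counts.items():
        found = lookup(host, reputation)
        if found is None:
            unknown.append(host)
            continue
        listed_as, record = found
        if record["verdict"] != "benign":
            hits.append({"domain": host, "listed_as": listed_as, "count": n, **record})
    hits.sort(key=lambda h: (-h["count"], h["domain"]))
    return hits, sorted(unknown)


if __name__ == "__main__":
    hits, unknown = triage(LOG)
    for h in hits:
        print(f"{h['count']:>3}x {h['domain']:<32} {h['behavior']} "
              f"(listed as {h['listed_as']}, last seen {h['last_seen']})")
    print("no verdict:", ", ".join(unknown))
```

Run as a script it prints the two confirmed hits first (the dropper download seen twice, then the C&C beacon) and lists the unlisted telemetry host separately, which is the order an analyst should work in.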

Proactively mitigate

One reason domain data is so valuable is the ability to detect relationships from one domain to another. The vast majority of malicious activity is automated, and automation leaves a fingerprint of patterns, such as shared nameservers or hosting, registration timing, and naming conventions, that uncovers those relationships. So from a single malicious domain, threat researchers can sometimes discover hundreds more.

Domain reputation data gives you proactive insight into threats before any action takes place, keeping you one step ahead in preventing harm to your organization.
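
The pivot described above, as an added example that is not part of the original post: starting from one known-bad domain, a constructed set of registration and passive-DNS records (hypothetical values on reserved .example names, standing in for the data a researcher would pull) is searched for domains that share more than one fingerprint with it, and the search is repeated from each new find so a single seed grows into a cluster.

```python
"""Pivot from one known-malicious domain to domains sharing its infrastructure.

Added example, not code from the original post or from Spamhaus. RECORDS is a
constructed stand-in for the registration and passive-DNS data a researcher
would gather per domain; names are reserved .example names, values hypothetical.
"""
from datetime import date

RECORDS = {
    "secure-login-update.example": {"ns": "ns1.bulkhost.example", "ip": "203.0.113.7",   "registered": date(2023, 3, 20)},
    "account-verify-now.example":  {"ns": "ns1.bulkhost.example", "ip": "203.0.113.7",   "registered": date(2023, 3, 20)},
    "billing-confirm-1.example":   {"ns": "ns1.bulkhost.example", "ip": "203.0.113.8",   "registered": date(2023, 3, 21)},
    "example.org":                 {"ns": "ns1.bulkhost.example", "ip": "198.51.100.20", "registered": date(2009, 6, 1)},
    "library-catalog.example":     {"ns": "ns9.other.example",    "ip": "192.0.2.55",    "registered": date(2023, 3, 20)},
}


def shared_signals(a, b, window_days=7):
    """Fingerprints two domain records have in common."""
    signals = set()
    if a["ns"] == b["ns"]:
        signals.add("nameserver")
    if a["ip"] == b["ip"]:
        signals.add("ip")
    if abs((a["registered"] - b["registered"]).days) <= window_days:
        signals.add("registration_window")
    return signals


def pivot(seed, records=RECORDS, min_signals=2):
    """Domains sharing at least min_signals fingerprints with the seed.

    The threshold matters: a shared nameserver alone would drag in every
    customer of a large hosting provider (example.org here), and a registration
    date alone matches unrelated domains registered the same week."""
    related = {}
    for name, rec in records.items():
        if name == seed:
            continue
        signals = shared_signals(records[seed], rec)
        if len(signals) >= min_signals:
            related[name] = signals
    return related


def expand(seed, records=RECORDS, min_signals=2):
    """Repeat the pivot from each newly found domain until nothing new turns up;
    this is how one confirmed domain grows into a cluster."""
    cluster, queue = {seed}, [seed]
    while queue:
        for name in pivot(queue.pop(), records, min_signals):
            if name not in cluster:
                cluster.add(name)
                queue.append(name)
    return cluster - {seed}


if __name__ == "__main__":
    for name, why in pivot("secure-login-update.example").items():
        print(f"{name:<30} shares {', '.join(sorted(why))}")
    print("cluster:", sorted(expand("secure-login-update.example")))
```

Lowering `min_signals` to 1 shows why the threshold exists: the long-established example.org and the unrelated library-catalog.example both get pulled in on a single weak signal.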

For network administrators

Keeping an organization’s network secure in today’s environment, with more devices coming online in increasingly disparate locations, is an unenviable task. Using domain data at the DNS level lightens the burden by automatically blocking or redirecting connections to malicious sites.

Blocking malicious connections

Whether a user tries to access a phishing site, or a botnet or malware on your network attempts a connection to its command and control, threat intelligence data can automatically identify and block these connections with great accuracy. So it’s not surprising many insurance companies will reduce premiums if you have protection in this way.

By loading domain, IP, and/or nameserver threat feeds into your DNS resolver as response policy zones (RPZs), you gain the ability to block connections automatically. The policy zone is transferred to the recursive server like any other zone and kept current with incremental updates; the resolver then checks each query and response against the locally held policy, and where a name (or the IP or nameserver it resolves to) is listed, the answer is rewritten. Depending on the action the feed specifies, that means an NXDOMAIN, an empty answer, or a redirect to a walled-garden page. It is worth noting, though, that not all botnet C&Cs or malware rely on domain names; some connect straight to hard-coded IP addresses. For comprehensive protection, threat feeds should also be applied at the router/firewall level.
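
To make the RPZ mechanics concrete, here is an added example that is not part of the original post and not a Spamhaus feed: a constructed policy zone in standard RPZ zone-file form (reserved .example names, hypothetical policy) is parsed, and QNAME-trigger rules are applied to queries the way a resolver would, including the special CNAME targets that encode each action and the precedence of an exact name over an enclosing wildcard. It covers only QNAME triggers; real resolvers also support IP, NSDNAME, NSIP and CLIENT-IP triggers.

```python
"""Minimal response policy zone (RPZ) evaluator for QNAME triggers.

Added example, not code from the original post. RPZ_ZONE is a constructed
policy zone; the names are reserved .example names and the policy is
hypothetical. In RPZ the CNAME target encodes the action:
  CNAME .              -> NXDOMAIN
  CNAME *.             -> NODATA (empty answer)
  CNAME rpz-passthru.  -> allow (exempt from the policy)
  CNAME rpz-drop.      -> drop the query silently
  CNAME rpz-tcp-only.  -> force the client onto TCP
  CNAME anything else  -> redirect (walled garden)
"""

RPZ_ZONE = """\
$TTL 300
@  SOA ns.rpz.local. hostmaster.rpz.local. 2023032801 3600 900 604800 300
@  NS  ns.rpz.local.
; QNAME triggers (owner names are written relative to the policy zone origin)
c2.panel-login.example        CNAME .                        ; NXDOMAIN
*.c2.panel-login.example      CNAME .                        ; and every subdomain
dl.bad-cdn-updates.example    CNAME *.                       ; NODATA
tracker.example.net           CNAME rpz-drop.                ; drop, no answer at all
phish-lure.example            CNAME walled-garden.example.   ; redirect to a warning page
*.partner.example             CNAME .                        ; block the whole subtree ...
allowed.partner.example       CNAME rpz-passthru.            ; ... except this one host
"""


def parse_rpz(zone_text):
    """Return {trigger_name: cname_target} for the CNAME records in the zone.
    SOA/NS apex records and $-directives are skipped; comments start with ';'."""
    rules = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$") or line.startswith("@"):
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        owner = fields[0].lower().rstrip(".")
        rules[owner] = fields[fields.index("CNAME") + 1]
    return rules


def action_for(target):
    """Translate an RPZ CNAME target into (action, redirect_target)."""
    t = target.lower()
    if t == ".":
        return "NXDOMAIN", None
    if t == "*.":
        return "NODATA", None
    if t == "rpz-passthru.":
        return "PASSTHRU", None
    if t == "rpz-drop.":
        return "DROP", None
    if t == "rpz-tcp-only.":
        return "TCP-ONLY", None
    return "REDIRECT", t.rstrip(".")


def evaluate(qname, rules):
    """Decide what the resolver does with a query name.

    Returns (action, redirect_target, matched_rule). An exact owner name wins,
    then the closest enclosing wildcard; a wildcard never matches its own apex
    (partner.example is untouched by *.partner.example). No rule means the
    query is answered normally."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return action_for(rules[name]) + (name,)
    labels = name.split(".")
    for i in range(1, len(labels)):          # most specific wildcard first
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return action_for(rules[wildcard]) + (wildcard,)
    return "PASSTHRU", None, None


if __name__ == "__main__":
    rules = parse_rpz(RPZ_ZONE)
    for q in ("c2.panel-login.example", "www.c2.panel-login.example", "phish-lure.example",
              "allowed.partner.example", "other.partner.example", "partner.example", "www.example.org"):
        action, target, rule = evaluate(q, rules)
        print(f"{q:<30} {action:<9} {target or '':<24} rule={rule}")
```

The `allowed.partner.example` / `*.partner.example` pair is the pattern to remember when a feed blocks a subtree you partly need: an exact passthru rule in a local policy zone that is listed ahead of the feed zone exempts one host without editing the feed.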

Validating events

Depending on the team size, network administrators may also need to validate or research these events further, for example to confirm that a suspected false positive is in fact malicious. Here the rich metadata behind each listing (the observed behavior, when it was last seen, related infrastructure) provides the insight and context needed to decide.

For email administrators

Using domain data via DNS blocklists (DNSBLs), you can check the domains that appear in each message, from the sender’s domain to the URLs in the body, and reject or score mail that references a listed domain. That gives you a proactive way to protect your email stream.

How?

The data you consume as DNSBLs is created by researchers who identify patterns and relationships between domains. They can often assess that a domain is malicious before it is used in the wild, for example from its registration date, the infrastructure it shares with known-bad domains, or patterns in the domain name’s format.

This provides users with proactive protection, not just reactive. Similarly, a domain that is newly registered and already sending email is a strong abuse signal: legitimate senders rarely start mailing within days of registering. Domain data lets you hold or block mail from such domains, keeping you ahead of the threat.
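
The DNSBL check itself, as an added example that is not part of the original post and not Spamhaus code: it builds the query name for a domain list (domain prepended to the list zone) and for an IP list (octets or nibbles reversed), reads the answer, and applies a simple inbound policy that also holds mail from freshly registered domains. The zone names under `lookup.example`, the `FAKE_DNS` answers and the resolver stub are constructed so it runs offline; the `DBL_CODES` table follows the return codes Spamhaus publishes for its Domain Block List, which you should confirm against the current documentation before relying on them.

```python
"""DNSBL lookups for domains and IPs, plus a simple inbound mail policy.

Added example, not code from the original post. The *.lookup.example zones,
FAKE_DNS and fake_resolve are constructed so the code runs offline; a real
deployment passes a function that does an A-record query against the list
operator's real zone. DBL_CODES follows Spamhaus's published DBL return codes
(verify against current documentation).
"""
import ipaddress
from datetime import date

# Meaning of the A-record answers a DBL-style domain list returns.
DBL_CODES = {
    "127.0.1.2":   "spam domain",
    "127.0.1.4":   "phish domain",
    "127.0.1.5":   "malware domain",
    "127.0.1.6":   "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
    "127.0.1.255": "IP queries prohibited",   # you sent an IP to a domain list
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed answers standing in for real DNS responses.
FAKE_DNS = {
    "phish-lure.example.dbl.lookup.example": ["127.0.1.4"],
    "parked.example.dbl.lookup.example":     ["203.0.113.1"],   # wildcard/parked zone, not a listing
    "44.2.0.192.ip.lookup.example":          ["127.0.0.2"],
}


def fake_resolve(name):
    """Stand-in for an A-record lookup: returns [] for NXDOMAIN."""
    return FAKE_DNS.get(name, [])


def dnsbl_query_name(value, zone):
    """Build the DNSBL query name: domains as-is, IPv4 with octets reversed,
    IPv6 with all 32 nibbles reversed, each followed by the list zone."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return f"{value.lower().rstrip('.')}.{zone}"
    if ip.version == 4:
        return ".".join(reversed(ip.exploded.split("."))) + "." + zone
    return ".".join(reversed(ip.exploded.replace(":", ""))) + "." + zone


def check_dnsbl(value, zone, resolve, codes=DBL_CODES):
    """Look value up in a DNSBL via resolve(name) -> list of A records.

    DNSBLs answer inside 127.0.0.0/8. Anything else means the zone is not what
    you think (wildcard DNS on an expired or mistyped zone, a blocked or
    rate-limited resolver) and must not be read as a listing."""
    answers = resolve(dnsbl_query_name(value, zone))
    hits = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
    result = {"listed": bool(hits), "codes": hits,
              "meaning": [codes.get(c, "see list documentation") for c in hits], "error": None}
    if answers and not hits:
        result["error"] = f"non-127/8 answer {answers}: check the zone name and your resolver"
    if "127.0.1.255" in hits:
        result["listed"] = False
        result["error"] = "queried a domain list with an IP address"
    return result


def inbound_policy(sender_domain, registered_on, today, resolve, zone, young_days=14):
    """reject listed senders; hold mail from domains registered within
    young_days (a strong abuse signal, not proof); accept the rest.
    registered_on is None when registration data is unavailable."""
    res = check_dnsbl(sender_domain, zone, resolve)
    if res["error"]:
        return "accept"   # fail open and log: a broken lookup must not stop all mail
    if res["listed"]:
        return "reject"
    if registered_on is not None and (today - registered_on).days < young_days:
        return "hold"
    return "accept"


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.44", "ip.lookup.example"))
    print(check_dnsbl("phish-lure.example", "dbl.lookup.example", fake_resolve))
    print(inbound_policy("fresh-sender.example", date(2023, 3, 25), date(2023, 3, 28),
                         fake_resolve, "dbl.lookup.example"))
```

The two error paths are the ones that bite in production: a non-127/8 answer (typically a wildcard answer from a zone you are no longer entitled to query) must never be treated as "listed", and the `hold` verdict for young domains is deliberately a quarantine rather than a reject, because a new domain sending mail is a strong signal, not a conviction.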

For senders

For senders, particularly ESPs, domain reputation can offer you and your customers significant protection and insight through the whole lifecycle, from sign-up to ongoing management:

  • Customer vetting: where you have customers sign up – be that online, by email, or telephone – domain reputation can shed light on the prospect’s profile and indicate whether they are to be trusted. The valuable insight the data will give you can inform you how to proceed and whether you want them to use your infrastructure.
  • Onboarding: following the above, make proactive decisions based on reputational signals for managing customers, i.e., pooling customers according to risk. You can protect your most valued customers from being in an IP space with lesser-known, more reputationally risky customers.
  • Monitoring: with customers constantly changing their tactics and approaches, you can’t rely on how they behaved initially, least of all when a malicious actor is trying to mask their real activity. Domain reputation data provides a view of any degradation in reputation so that organizations can act before there is harmful impact.
  • User experience: when crafting email campaigns or individual emails, any domain being used, whether in the To: address, the From: address, or in the body of the email, can be checked. Users can get a real-time alert as they compose, highlighting if a domain is of concern so they can take the appropriate action.
  • Customer support: alternatively, rather than offering customers insight as they’re creating, emails can be assessed for signs of unintended (or intended!) maliciousness before they leave your mail server. Where a domain is listed, the email can be blocked. This keeps your infrastructure safe and provides a valuable touch point for customer support to offer a positive, teachable moment.
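
The outbound check described in the last two points, as an added example that is not part of the original post and not Spamhaus code: every domain in a message (address headers and URL hosts in the body) is extracted with the Python standard library and compared against a reputation source, here a constructed `LISTED` table with hypothetical verdicts on reserved .example names. Both messages are constructed. The same function serves either use: run it at compose time to alert the user, or at the MTA to block before the mail leaves your infrastructure.

```python
"""Scan an outbound message for domains and check each against a reputation source.

Added example, not code from the original post. LISTED is a constructed
stand-in for a reputation lookup (hypothetical verdicts on reserved .example
names); SUSPECT_MESSAGE and CLEAN_MESSAGE are constructed messages.
"""
import re
from email import message_from_string
from email.utils import getaddresses

LISTED = {
    "phish-lure.example": "phish domain",
    "c2.panel-login.example": "botnet C&C",
}
ADDRESS_HEADERS = ("From", "To", "Cc", "Reply-To")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

SUSPECT_MESSAGE = """\
From: Alice Example <alice@example.org>
To: bob@example.net
Subject: Your invoice
Content-Type: text/plain; charset="utf-8"

Hi Bob, the invoice is at https://billing.example.org/inv/42
and a copy at http://www.phish-lure.example/login?x=1
"""

CLEAN_MESSAGE = """\
From: alice@example.org
To: bob@example.net
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Thursday works, see https://www.example.org/menu
"""


def domains_in_message(raw):
    """Map every domain in the message to the places it appears:
    address headers, and URL hosts found in text parts (multipart included)."""
    msg = message_from_string(raw)
    found = {}
    for header in ADDRESS_HEADERS:
        for _, addr in getaddresses(msg.get_all(header, [])):
            if "@" in addr:
                found.setdefault(addr.rsplit("@", 1)[1].lower(), set()).add(header)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for host in URL_HOST.findall(text):
            found.setdefault(host.lower().rstrip("."), set()).add("body-url")
    return found


def listing_for(domain, listed=LISTED):
    """Closest listing covering the domain, so www.bad.example is caught by
    a listing of bad.example. Returns (listed_name, reason) or None."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        name = ".".join(labels[i:])
        if name in listed:
            return name, listed[name]
    return None


def assess_outbound(raw, listed=LISTED):
    """('block', findings) if any domain in the message is listed, else ('deliver', [])."""
    findings = []
    for domain, where in sorted(domains_in_message(raw).items()):
        hit = listing_for(domain, listed)
        if hit:
            findings.append({"domain": domain, "listed_as": hit[0],
                             "where": sorted(where), "reason": hit[1]})
    return ("block" if findings else "deliver"), findings


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        verdict, findings = assess_outbound(raw)
        print(name, verdict, findings)
```

The `where` field is what turns a block into the teachable moment the post mentions: telling a customer that a phishing host appeared in a body link, rather than just "rejected", is the difference between a support ticket and a fixed template.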

The versatility of domain reputation data

As you’ve seen, the application of domain reputation is varied, and we frequently learn about new and creative ways the data is being used. Safe to say, anywhere a domain is used, domain reputation data can be used too. Be that to get a binary answer of whether a domain can be trusted, or to gain detailed insight into that domain to supplement further research, investigations, and ongoing management.

Spamhaus Intelligence API (SIA)

Spamhaus Intelligence API (SIA) contains context-rich metadata relating to IP and domain reputation. Integrate this data with your applications to enhance existing data feeds, or consume as an independent data source.

In this easy-to-consume format, SIA can be used for threat detection and investigation, risk scoring, customer vetting, validation and much more.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust

Data Query Service (DQS)

Spamhaus’ Data Query Service (DQS) is an affordable and effective solution to protect your email infrastructure and users.

Using your existing email protection solution, you will be able to block spam and other related threats including malware, ransomware, and phishing emails.

The service has never failed and utilizes the longest established DNSBLs in the industry.

  • Proactive & preventative
  • Save on email infrastructure & management costs
  • Actionable

Border Gateway Protocol Firewall

Border Gateway Protocol (BGP) Firewall provides your users and network with up-to-date protection against botnets and other external attacks.

Setup takes minutes; our data is updated in real time by our experienced researchers on your behalf and can be used in your existing firewalls or routers.

  • Prevent data exfiltration
  • Protect your network from botnets
  • Reduce infected machines on your network

DNS Firewall Threat Feeds

Applied at the DNS level of your infrastructure, these threat feeds automatically stop users from accessing malicious sites including phishing and malware dropper websites.

These threat feeds can be integrated with existing recursive DNS servers, or for those who don’t manage their own DNS, we have a managed service available.

  • Reduce IT costs
  • Set and forget
  • Save money on risk insurance
