Deciphering Threat Signals: New Domain Registrations
Over the last few months, we have shared high level information regarding zvelo’s view of the web, and how we observe activity throughout the entire lifecycle of a website to identify suspicious activity which may indicate looming threats from Malicious Cyber Actors (MCAs). In this post, we’ll begin to tie some of the pieces together around how zveloCTI (Cyber Threat Intelligence) moves beyond the detecting Malicious and Phishing activity from within the ActiveWeb, and delves below the surface to observe suspicious activity in the ProActiveWeb and InActiveWeb for actionable Threat Intelligence. While there are numerous indicators for suspicious activity that draw attention to potential threats, one of key indicators is New Domain Registrations.
For basic background information which may be helpful, we recommend the following blog posts to familiarize yourself with the concepts discussed in this post.
- zvelo’s ProActiveWeb: Stop Threats Before They Become Active
- Lifecycle of a Website: A Progression Through zvelo’s View of the Web
And for those readers who may not already be familiar with Domain Generation Algorithms (DGAs):
New Domain Registrations
After a domain name is registered, it’s linked to a hosting service where the website will eventually live. If the website has not been created and has no content, that domain is considered parked. A parked domain is registered but not yet linked to a hosting service and is not actively being used. While sites are often parked for legitimate reasons, this can be an early indicator of suspicious activity — especially when it comes to potential Command and Control (C2) threats which make use of Domain Generation Algorithms (DGAs).
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for Command and Control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the Command and Control channel, as there potentially could be thousands of domains that malware can check for instructions. (MITRE ATT&CK T1568/002).
Why Do We Monitor New Domain Registrations?
The graphic below shows the relationship of data, information, and intelligence. As the image shows, massive amounts of raw data are required to produce a small amount of actionable intelligence.
New Domain Registrations are one of many signals zveloCTI leverages for Threat Intelligence, as this can be one of the earliest indicators for potential threats. These potential early detections provide key insights as the raw data is collected, processed, and analyzed to help identify suspicious activity which should then be monitored more closely. One approach for detecting suspicious domains is to check for recently registered names or for rarely visited domains.
From major international events like the Olympics, to catastrophes like the Beirut explosion, to the upcoming US elections, to the Coronavirus pandemic, MCAs frequently use global news or events to register domains which will be used for their malicious campaigns. Early detection is crucial to disrupting the kill chain and stopping the potential threats before they become active.
For example, in the early days of the Coronavirus, the zvelo Cybersecurity Team noted a sudden increase in the number of suspicious Coronavirus related domains. After an in depth Threat Analysis, the data showed several emerging trends including geographical naming, redirection to potentially malicious content, domain ages, and malicious traffic via third parties.
Once the suspicious domains have been identified, those are observed and cross-referenced with propriety sources and other data to predict the trajectory of a domain – whether it’s good or bad. After potentially malicious domains have been identified, those undergo further investigation and validation. This validation is a crucial step to ensure the data produces actionable intelligence.
The End Goal
The primary purpose for using data from New Domain Registrations is to identify the earliest predictors possible and use those to disrupt the kill chain and stop threats before they happen. In addition to monitoring the ActiveWeb traffic generated by 650 million users globally, zvelo also monitors the ProActiveWeb for threat signals – including New Domain Registrations. The ProActiveWeb is a segment which is a precursor to sites becoming part of the ActiveWeb. Our zveloCTI service is focused on detecting and analyzing the ProActiveWeb for threats and suspicious activity to provide partners with unique insights and a competitive edge in their respective markets.