Why Domain Analysis and Credential Leakage Is Important Intelligence

Published on October 28, 2016
The power of threat intelligence is that it can help organizations understand how they are targeted by attackers. This knowledge can then be used to apply defensive measures against those threat vectors. In this way, organizations can address certain attacks before they happen.

For instance, monitoring newly observed domains for names that are similar to a company's existing domain name could be an indicator that an adversary is preparing for an attack. Leveraging a domain name that looks very similar to the company's real domain name to craft a malicious link could trick users into clicking and installing malware.

By generating permutations of a domain name in advance of an attack, companies can gain valuable threat intelligence and insight into the potential attack surface. When used in combination with a long URL, it can be difficult to distinguish the legitimacy of a typo-domain at first glance. If one of these domains is then observed in network traffic, it can be highlighted and action taken before serious damage is done.

Figure 1. Example of possible “typo” domain combinations generated (image: https://cdn.filestackcontent.com/6AAVSy8UQpevcKBIuXtx)

Another angle to consider is leaked credentials. Employees may use their work email address to register for websites on the Internet for personal or company use. Regardless of the reason, if that website is compromised and the credentials leaked to the Internet, attackers may have everything they need to log in as that user on other websites, including company assets if they used the same password for corporate resources as they did on the compromised website. Monitoring credential dumps for corporate email addresses is a way to address this problem, potentially before attackers have attempted to use the credentials. Reaching out to users to have them change their passwords, or forcing password resets for any compromised accounts, are ways this can be addressed once known.

Anomali Labs has done research on newly registered domains and credential dumps for the companies in the Stockholm OMX 30 stock index. The results showed that 90% of the OMX 30 companies had at least one potentially malicious domain registered and 70% of them had at least one email and password shared in plain text. These are items that could certainly be used to stage attacks against these organizations.

Turning threat intelligence into actionable defenses should be the goal of any threat intelligence program and is the heart of what Anomali brings to the table. See the Anomali Labs report on the OMX 30: https://wwwlegacy.anomali.com/files/anomali-labs-reports/OMX-30.pdf
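The typo-domain generation and matching described above, as an added example that is not Anomali's code or the tooling behind Figure 1: it builds look-alike permutations of a corporate domain (omission, transposition, repetition, homoglyph substitution, hyphen removal, TLD swap) and flags any observed DNS names that fall in that set. The corporate domain and the observed names are constructed sample values.

```python
# Constructed inputs (not from the post): a corporate domain and names seen in DNS logs.
CORPORATE_DOMAIN = "example-bank.se"
OBSERVED = ["example-bank.se", "exampIe-bank.se", "examplebank.se",
            "exmaple-bank.se", "example-bank.com", "cdn.example.net"]

# Characters that read alike in a URL bar; keys and values lowercase because DNS is case-insensitive.
HOMOGLYPHS = {"l": "1i", "i": "1l", "o": "0", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
TLDS = ["com", "net", "org", "co"]

def permutations(domain):
    """Return the set of look-alike domains derived from `domain` (the real one excluded)."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])              # omission: one character dropped
        names.add(name[:i + 1] + name[i] + name[i + 1:])  # repetition: one character doubled
        for sub in HOMOGLYPHS.get(name[i], ""):       # homoglyph substitution
            names.add(name[:i] + sub + name[i + 1:])
    for i in range(len(name) - 1):                    # transposition: adjacent characters swapped
        names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    names.add(name.replace("-", ""))                  # hyphen removal
    names.discard(name)
    lookalikes = {f"{n}.{tld}" for n in names}
    lookalikes |= {f"{name}.{t}" for t in TLDS if t != tld}  # same name, different TLD
    return lookalikes

def match_observed(domain, observed):
    """Observed names that are typo-domains of `domain`, normalized and sorted for reporting."""
    lookalikes = permutations(domain)
    return sorted({d.lower() for d in observed if d.lower() in lookalikes})

if __name__ == "__main__":
    print(len(permutations(CORPORATE_DOMAIN)), "permutations generated")
    for hit in match_observed(CORPORATE_DOMAIN, OBSERVED):
        print("look-alike observed:", hit)
```

The matcher only covers exact permutations; a production feed would also apply this to newly registered domain lists and WHOIS data, as the post suggests.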

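Monitoring a credential dump for corporate email addresses, as an added example that is not Anomali's code: it parses common `email:password` and `email;password` dump lines, matches the corporate domain and its subdomains (but not look-alike suffixes such as `example-bank.se.evil.com`), and reports affected accounts with a password fingerprint instead of the cleartext secret so the report can be handed to a reset workflow. The dump text and the corporate domain are constructed sample values.

```python
import hashlib
import re

# Constructed sample dump (not real data): mixed separators, case, a junk line and a lookalike suffix.
SAMPLE_DUMP = """\
alice@example-bank.se:Winter2016!
bob@mail.example-bank.se;hunter2
carol@gmail.com:password1
not a credential line
ALICE@Example-Bank.se:Winter2016!
dave@example-bank.se.evil.com:x
"""
CORPORATE_DOMAINS = {"example-bank.se"}

# email, then ':' or ';', then the password (anything non-blank up to end of line)
LINE_RE = re.compile(r"^\s*([^\s:;@]+@[^\s:;]+)\s*[:;]\s*(\S.*?)\s*$")

def is_corporate(email_domain, domains):
    """True for the domain itself or any of its subdomains, not for domains that merely contain it."""
    return any(email_domain == d or email_domain.endswith("." + d) for d in domains)

def find_exposed(dump_text, domains=CORPORATE_DOMAINS):
    """Map each exposed corporate address to the sorted set of password fingerprints seen for it."""
    found = {}
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        email, password = m.group(1).lower(), m.group(2)
        if not is_corporate(email.rsplit("@", 1)[1], domains):
            continue
        # Truncated SHA-256 keeps the cleartext out of the report while still letting
        # repeated exposures of the same password be deduplicated.
        fingerprint = hashlib.sha256(password.encode()).hexdigest()[:12]
        found.setdefault(email, set()).add(fingerprint)
    return {email: sorted(fps) for email, fps in found.items()}

if __name__ == "__main__":
    for email, fps in find_exposed(SAMPLE_DUMP).items():
        print(f"force reset: {email} ({len(fps)} distinct password(s) exposed)")
```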