Blog

Why Domain Analysis and Credential Leakage Is Important Intelligence

Travis Farral
October 28, 2016
<p>The power of threat intelligence is that it can help organizations understand how they are targeted by attackers. This knowledge can then be used to apply defensive measures against those threat vectors. In this way, organizations can address certain attacks before they happen.</p>
<p>For instance, monitoring newly observed domains for names that are similar to a company's existing domain name could be an indicator that an adversary is preparing for an attack. Leveraging a domain name that looks very similar to the company's real domain name to craft a malicious link could trick users into clicking and installing malware.</p>
<p>By generating permutations of a domain name in advance of an attack, companies can gain valuable threat intelligence and insight into the potential attack surface. When a typo-domain is embedded in a long URL, its legitimacy can be hard to judge at first glance. If one of these domains is then observed in network traffic, it can be highlighted and action taken before serious damage is done.</p>
<p><img src="https://cdn.filestackcontent.com/6AAVSy8UQpevcKBIuXtx"/><br/> <em>Figure 1. Example of possible “typo” domain combinations generated</em></p>
<p>Another angle to consider is leaked credentials. Employees may use their work email address to register for websites on the Internet for personal or company use. Regardless of the reason, if that website is compromised and the credentials leaked to the Internet, attackers may have everything they need to log in as that user on other websites, including company assets if they used the same password for corporate resources as they did on the compromised website. Monitoring credential dumps for corporate email addresses is a way to potentially address this problem before attackers have attempted to utilize the credentials. Reaching out to users to have them change their passwords, or forcing password resets for any compromised accounts, are ways this can be addressed once known.</p>
<p>Anomali Labs has done research on newly registered domains and credential dumps for the companies in the Stockholm OMX 30 stock index. The results showed that 90% of the OMX 30 companies had at least one potentially malicious domain registered and 70% of them had at least one email and password shared in plain text. These are items that could certainly be used to stage attacks against these organizations.</p>
<p>Turning threat intelligence into actionable defenses should be the goal of any threat intelligence program and is the heart of what Anomali brings to the table. <strong><a href="https://wwwlegacy.anomali.com/files/anomali-labs-reports/OMX-30.pdf" target="_blank">Click here to see the Anomali Labs report on the OMX 30</a></strong>.</p>
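The typo-domain idea above, generating permutations in advance and flagging any that show up in network traffic, as an added example (not Anomali's tooling or the generator behind Figure 1). The domain acme.com, the keyboard-adjacency and homoglyph tables, the log format and the log lines are all constructed for the demo.

```python
# Added example, not Anomali's code: constructed subset of QWERTY-adjacent keys
# and common homoglyph swaps used to build lookalike domains.
ADJACENT = {"a": "qwsz", "c": "xdfv", "e": "wsdr", "i": "ujko", "l": "kop",
            "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "s": "awedxz"}
HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "e": ["3"],
              "a": ["4"], "m": ["rn"]}
ALT_TLDS = ["net", "org", "co", "info"]


def typo_permutations(domain):
    """Return the set of lookalike domains for a name such as 'acme.com'."""
    label, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:] + "." + tld)                 # omission
        out.add(label[:i] + ch * 2 + label[i + 1:] + "." + tld)        # repetition
        if i + 1 < len(label):                                         # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:] + "." + tld)
        for c in list(ADJACENT.get(ch, "")) + HOMOGLYPHS.get(ch, []):  # replacement
            out.add(label[:i] + c + label[i + 1:] + "." + tld)
        if i:                                                          # dotted label
            out.add(label[:i] + "." + label[i:] + "." + tld)
    out.update(label + "." + t for t in ALT_TLDS)                      # TLD swap
    out.discard(domain.lower())
    return out


def find_lookalikes(domain, dns_log_lines):
    """Return (queried_name, matching_permutation) pairs from log lines of the
    constructed form '<timestamp> <client_ip> <queried_name>'."""
    perms = typo_permutations(domain)
    hits = []
    for line in dns_log_lines:
        qname = line.split()[-1].lower().rstrip(".")
        parts = qname.split(".")
        # check the name and each parent so login.acrne.com still matches acrne.com
        for j in range(len(parts) - 1):
            candidate = ".".join(parts[j:])
            if candidate in perms:
                hits.append((qname, candidate))
                break
    return hits


SAMPLE_DNS = [  # constructed log lines
    "2016-10-28T09:00:01 10.1.2.3 www.acme.com.",
    "2016-10-28T09:00:05 10.1.2.4 login.acrne.com.",
    "2016-10-28T09:00:09 10.1.2.5 acme.co.",
    "2016-10-28T09:00:12 10.1.2.6 cdn.example.net.",
]

if __name__ == "__main__":
    for observed, perm in find_lookalikes("acme.com", SAMPLE_DNS):
        print(f"lookalike of acme.com observed: {observed} (matches {perm})")
```

The same permutation set can be fed to a newly-registered-domain feed, so a registration is flagged before the name ever appears in your own traffic.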
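The credential-dump monitoring described above, as an added example that is not part of the original post or of Anomali's products: it pulls corporate addresses out of a dump, checks whether the leaked password is the one currently set in the corporate directory, and decides who gets a forced reset. The domains, the dump excerpt, the directory and its PBKDF2 hash scheme are all constructed.

```python
import hashlib
import hmac

CORPORATE_DOMAINS = {"acme.com", "acme.se"}  # constructed; added example, not Anomali's code
DUMP_LINES = [                                # constructed dump excerpt, email:password
    "alice@acme.com:Winter2016!",
    "bob@gmail.com:hunter2",
    "Carol@ACME.SE:Summer2015",
    "dave@acme.com:correct-horse",
    "malformed line without separator",
]


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed directory of user -> (salt, hash); Carol reused her leaked password.
SALT = b"constructed-fixed-salt"
DIRECTORY = {
    "alice@acme.com": (SALT, hash_password("DifferentPass#9", SALT)),
    "carol@acme.se": (SALT, hash_password("Summer2015", SALT)),
}


def corporate_exposures(dump_lines, domains):
    """Yield (email, password) for dump entries whose address is in a corporate domain."""
    for line in dump_lines:
        if ":" not in line or "@" not in line:
            continue                              # skip unparsable entries
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if email.rsplit("@", 1)[-1] in domains:
            yield email, password


def triage(dump_lines, domains, directory):
    """Map each exposed corporate address to an action; leaked passwords are not retained."""
    actions = {}
    for email, password in corporate_exposures(dump_lines, domains):
        if email not in directory:
            actions[email] = "no directory account: notify address owner"
        else:
            salt, stored = directory[email]
            reused = hmac.compare_digest(hash_password(password, salt), stored)
            actions[email] = "force reset: leaked password matches" if reused \
                else "notify user: leaked password differs"
    return actions


if __name__ == "__main__":
    for email, action in triage(DUMP_LINES, CORPORATE_DOMAINS, DIRECTORY).items():
        print(f"{email}: {action}")
```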
Travis Farral

Travis Farral is the former Director of Security Strategy at Anomali. Travis is a seasoned IT security professional with extensive background in corporate security environments.
