Defenders face numerous challenges trying to protect organizations from cyber attacks. Many of the tools available take a reactive approach to threats, leaving organizations to wait for attacks and hope that their defenses will detect or stop them. Monitoring domain registrations is one way to proactively detect when criminals stand up infrastructure to be used in a future attack.
Attackers frequently attempt to bypass existing security controls by registering domains that mimic authentic corporate infrastructure. These domains can be weaponized within hours of registration and subsequently used for delivery of malicious payloads and exfiltration of sensitive data. The ability to detect these malicious domains within one hour of registration is therefore essential to a proactive security posture.
The Anomali Domain Monitoring Service is a yearly subscription that includes monitoring a customized number of domains or keywords for new suspicious registrations. This service enables security teams to:
The Anomali proprietary algorithm identifies homoglyphs (characters that appear very much like others, e.g. the digit 0 and the uppercase letter O) and look-alike domains, and converts them to IOCs in ThreatStream within one to four hours of generic top-level domain (gTLD) registration. Seasoned security analysts and threat researchers also manually review and report, within 48 hours, any additional anomalous activity associated with registrations.
Identified domains are imported into ThreatStream and customer integrations, automatically providing clients with:
The Domain Monitoring Service also detects and reviews domains that may infringe corporate brands.
Homoglyphic and look-alike domains play an integral role in several stages of the Cyber Kill Chain. Taking companyX.com as the example, a malicious actor may register the domain c0mpanyX.com. This domain can then be weaponized and subsequently used in one or more of the following common attack vectors:
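As an added illustration of the kind of matching the page describes, the following Python folds each newly registered domain to the ASCII string a reader would perceive and compares it with a watched brand domain, emitting a reason that a defender could attach to the resulting IOC. This is example code written for this page, not Anomali's proprietary algorithm (which is not public); the confusables table, the edit-distance threshold, the feed lines and the function names are all constructed assumptions, and companyX.com is the page's own placeholder brand.

```python
"""
Example homoglyph / look-alike domain detector (added illustration, not
Anomali's code). Folds a registered domain to the ASCII a human reads it
as, then compares it with a watched brand domain. The confusables table,
feed sample and thresholds are constructed for this example.
"""
import unicodedata

# Constructed confusables table: glyph(s) as they appear -> ASCII they mimic.
# Multi-character entries are applied first so "rn" becomes "m" before the
# single characters are folded.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "о": "o", "а": "a", "е": "e", "р": "p", "с": "c", "і": "i", "ѕ": "s",  # Cyrillic
    "ı": "i",  # dotless i
}

WATCHED = ["companyx.com"]  # the page's placeholder brand


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so Unicode confusables can be inspected."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode


def normalize(label: str) -> str:
    """Fold a label to the ASCII a reader would perceive it as."""
    s = unicodedata.normalize("NFKC", label).lower()  # folds fullwidth forms, ligatures, etc.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, watched: str):
    """Return a reason string if `domain` resembles `watched`, else None.
    Splits on the first dot, so brands under ccSLDs such as co.uk need adjusting."""
    d_label, _, d_tld = to_unicode(domain).lower().partition(".")
    w_label, _, w_tld = watched.lower().partition(".")
    if d_label == w_label and d_tld == w_tld:
        return None  # the brand's own domain
    if d_label == w_label:
        return "tld-swap"  # same label, different TLD
    folded = normalize(d_label)
    if folded == w_label:
        return "homoglyph"  # c0mpanyx, cornpanyx, Cyrillic о
    if osa_distance(folded, w_label) == 1:
        return "typo"  # one edit or adjacent swap away
    if w_label in folded:
        return "contains-brand"  # companyx-login and similar
    return None


# Constructed sample of a newly-registered-domains feed, one domain per line.
# Registries publish IDNs as punycode, so the Cyrillic variant is encoded here.
FEED = "\n".join([
    "c0mpanyx.com",
    "cornpanyx.com",
    "cоmpanyx.com".encode("idna").decode("ascii"),  # Cyrillic о in place of Latin o
    "compnayx.com",
    "companyx.net",
    "companyx-login.com",
    "companyx.com",
    "weather-report.net",
])


def scan_feed(feed: str, watched=WATCHED):
    """Return (domain, watched, reason) for each feed line that warrants an IOC."""
    hits = []
    for line in feed.splitlines():
        domain = line.strip()
        if not domain:
            continue
        for brand in watched:
            reason = classify(domain, brand)
            if reason:
                hits.append((domain, brand, reason))
    return hits


if __name__ == "__main__":
    for domain, brand, reason in scan_feed(FEED):
        print(f"{reason:15} {domain:30} -> looks like {brand}")
```

Running the block over the constructed feed flags six of the eight lines and leaves the brand's own domain and the unrelated weather-report.net alone. In practice the fold step produces candidates, not verdicts: a match on "contains-brand" or "typo" is what a human reviewer (the 48-hour manual review the page mentions) would confirm before the domain is promoted to an IOC.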
The following attack timelines outline the sequence of events for a phishing attack with and without the Domain Monitoring Service. In both cases, the attacker succeeds in tricking an employee into revealing their credentials. The premise is that, even with a very effective phishing awareness program, given enough phishing attempts some will be delivered and eventually someone will click. With the Domain Monitoring Service, companyX.com is able to intervene and prevent any critical damage.