1. © 2014 Architelos and/or its affiliates. All rights reserved.
Reality Check: Domain Name Abuse
Alexa Raad, CEO
Architelos
www.architelos.com
Feb 12, 2015
Singapore Feb 2015 GAC Meeting
2. 2© 2014 Architelos and/or its affiliates. All rights reserved.
Agenda
• Definition
• Abuse Primer
• Best Practices
• Key Components
3. Abuse = Exploiting Internet Users
• Purposes that are deceptive, malicious
• Categories are not mutually exclusive
5. About Spam…
• Unsolicited email
• The problem: domains advertised in spam
• Spam is the distribution/delivery mechanism for phishing,
malware, fraud, identity theft, etc.
• 85% of all email sent in the world is spam*. Most of it is not
just harmless advertising, it’s part of illegal and/or illicit
activities.
* M3AAWG statistics; also http://www.senderbase.org/static/spam/
6. Example Spam Email - Jan 17, 2015
Hello,
Dear [redacted]
To get back into your account, you'll need to confirm your account. It's easy: Click the link
below to open a secure browser window. Confirm that you're the owner of the account and
then follow the instructions.
By Clicking Here
[hxxp://www.amazoon.company/seller/index/web/index.php?
cmd=5885d80a13c0db1f22d2300ef60a67593b79a4d03747447e6b625328d36121a1f9e08eb
1299421ca1639745433caa407f9e08eb1299421ca1639745433caa407]
Or contact paypal Member Services Team. We're available 24 hours a day, 7 days a week. If
you have recently updated your billing information, please disregard this message as we are
processing the changes you have made
7. …for Phishing Attack
8. Factors that Allow Abuse to Succeed
Low price
Economic incentive
Lax registration policies
Lack of enforcement, or…
lax and/or inconsistent enforcement
10. (1) “Not all abuse is created equal” – Some are more dangerous than others
ex: Spear phishing attack on Sony
11. (2) Abuse can morph over time
[Chart: abuse severity plotted against time]
12. (3) They all start with a domain name registration
13. (4) Different TLDs have different profiles
• Different business models
• Open vs. eligibility criteria restrictions vs. .brand/closed
• Price
• Distribution model
= Different risks
14. (5) Existence/prevalence of abusive domains in a TLD does not necessarily indicate mismanagement by the Registry
What matters is effective and consistent mitigation to reduce “time to harm”.
Ignoring abuse over time, and letting it flourish, is
mismanagement.
15. (6) Abuse patterns for a TLD vary over time
Abuse patterns vary to find exposures in policies and operations.
[Charts: day-to-day pattern and month-by-month pattern]
16. (7) Virtually every TLD has at least some abuse
By the end of 2014, new gTLDs had 1/4th the levels of
abuse found in established gTLDs
Almost every ccTLD and legacy gTLD has some abuse.
This is a consequence of usage, and it is inevitable.
17. (8) Effective abuse mitigation is also good for business
Abuse → reputation of the TLD, which in turn affects:
• Use (ex: applications can block the TLD altogether)
• New registrations (adoption by legitimate registrants)
• Renewals
18. (9) Effective mitigation is about reducing “time to harm”
[Diagram: the chain from IP address and domain name through website, email, Internet browser, device(s) and applications, with the criminals at the IP/domain end; “Mitigation” near the domain name end is labelled more effective, “Damage Assessment” at the device/application end is labelled less effective]
19. Best Practices
• Align operational procedures and processes to support policy
  Consistency (the same bad behavior should consistently result in the same enforcement)
  Measure, learn over time, and adjust
• Understand what's happening in the domain space
  Continuous monitoring (not periodic technical analysis)
  Use multiple data sources to get the complete picture
• Analyze and prioritize
  Mitigate the most egregious domain abuses first
  Look for correlations and relationships to identify problem spots
  Ex: abusive domain names → problem registrars
• Focus on reducing “Time to Harm”
  How long the abusive domain is active and therefore able to cause harm. Most damage is done within the first two hours of a phishing attack.
20. Putting Best Practices to Work
• Well designed procedures, processes and workflows
• Abuse data detection
• Analysis & prioritization
• Notification & communication
• Enforcement
  (Ex: suspension, takedown, deletion etc.)
• Documentation (record keeping)
• Measurement
  Effectiveness? Accuracy?
• Complaint & redress
21. A Complete Abuse Mitigation System
[Diagram, top to bottom:]
Processes (e.g. regular and exception work flows)
Procedures (ex: Whois validation, Abuse verification, Escalation, Registrar notification, Suspension or takedown, Documentation)
Policies (Abuse Policy, Registration Policy, Acceptable Use, etc.)
Principles (Security/Safety, Privacy, Transparency, Accountability, Fairness, Redress, Consistency)
Procedures are a set of operational actions which support one or more policies.
• Consistently applied
• Contradictory
• Nullify other procedures
• Nullify other policies
Each procedure may have multiple processes to help achieve the objective. Ex: an Escalation procedure may have various processes (i.e. IF X exists, then do Y; if X does not exist, then proceed to Z). Processes are defined in terms of workflows.
22. Abuse data detection
• Choose reputable data sources which report on one or more abuse types
  At a minimum, look for data feeds and sources that cover spam, phishing, malware, botnets
  Some data sources are specialists in an abuse type
  No one vendor will catch all the abuse
• Data should have:
  Validation mechanisms in place so as to eliminate or minimize false positives
  Mechanisms to remove resolved abuse from their lists
• Multiple Data Sources: Reporting the same abuses independently adds confidence
• Some invoke actions from third parties, such as law enforcement
23. Monitoring versus Sampling
For sampling to work, at a minimum you need to assume:
• Spam = Phishing = Malware = Botnet
• No correlation or commonality between abuse types
• Abuse patterns stay the same over time
• Abuse follows a Normal Distribution curve
Or simply put, depending on when you sample you can get widely different results.
24. Analysis and Prioritization
• Different abuse types have different urgency:
  • Some may need to be taken down immediately
  • Some have different notification paths
• Verifying Abuse
  • Verification is ideally the data vendor's work; Registries and Registrars are not specialists, and it’s not cost effective for most entities to have in-house specialists
  • False positives undermine confidence, but with good quality data providers they are extremely rare
  • Some forms of abuse legally have to be verified or handled with third parties, such as child pornography
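As an added illustration of the detection, prioritization and correlation steps the deck describes (multiple independent feeds, dropping resolved abuse, urgency by abuse type, abusive domains → problem registrars, and “time to harm”), not code from the deck or from Architelos: a small Python workflow over constructed feed entries. The feed names, domains, registrars and the urgency ordering are assumptions of this example.

```python
from collections import Counter
from datetime import datetime

# Assumed urgency per abuse type (higher = handle first); this ordering is the example's, not the deck's.
URGENCY = {"malware": 4, "botnet": 4, "phishing": 3, "spam": 1}

# Constructed feed entries: (source, domain, abuse type, registrar, first seen, resolved).
# Sources, domains and registrars are hypothetical.
FEED = [
    ("feedA", "login-paypa1.example", "phishing", "RegX", "2015-01-17T09:00", False),
    ("feedB", "login-paypa1.example", "phishing", "RegX", "2015-01-17T09:20", False),
    ("feedA", "cheap-pills.example", "spam", "RegY", "2015-01-16T12:00", False),
    ("feedC", "dl-update.example", "malware", "RegX", "2015-01-17T10:00", False),
    ("feedC", "old-case.example", "botnet", "RegZ", "2015-01-01T00:00", True),  # already cleaned up
]
FMT = "%Y-%m-%dT%H:%M"

def merge_feeds(entries):
    """One record per (domain, type): drop abuse the source has marked resolved, keep the earliest
    sighting, and collect the set of independent sources (independent agreement adds confidence)."""
    merged = {}
    for source, domain, kind, registrar, first_seen, resolved in entries:
        if resolved:
            continue
        rec = merged.setdefault((domain, kind), {"domain": domain, "type": kind,
                                                 "registrar": registrar, "sources": set(),
                                                 "first_seen": first_seen})
        rec["sources"].add(source)
        rec["first_seen"] = min(rec["first_seen"], first_seen)  # ISO strings sort chronologically
    return list(merged.values())

def prioritize(records):
    """Work queue: most urgent abuse type first, then most corroborated, then longest live."""
    return sorted(records, key=lambda r: (-URGENCY.get(r["type"], 0),
                                          -len(r["sources"]), r["first_seen"]))

def registrar_hotspots(records, min_domains=2):
    """Correlate abusive domains with their registrar to surface problem registrars."""
    counts = Counter(r["registrar"] for r in records)
    return [reg for reg, n in counts.most_common() if n >= min_domains]

def time_to_harm_minutes(first_seen, suspended_at):
    """Minutes the domain stayed active after first being reported: the number to drive down."""
    delta = datetime.strptime(suspended_at, FMT) - datetime.strptime(first_seen, FMT)
    return delta.total_seconds() / 60
```

Running `prioritize(merge_feeds(FEED))` puts the malware domain first, the phishing domain reported by two feeds second and the spam domain last, and `registrar_hotspots` flags the registrar carrying two of the three live abusive domains.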
25. How they Fit
[Diagram: Data → Information (= Data + Data + Data) → Knowledge (= info + info + info) → Wisdom, alongside the labels Registrar data, Malware, Detection, Correlation & Relationships, Context, Analysis, Prioritization, Reputation, Mitigation and Enforcement]
26. Is the Cost Prohibitive?
• It's good for business
• Responsible new gTLD registries planned for this, because:
  • They had to describe anti-abuse plans and costs in their applications
  • It is included in the Registry contract
• Options are: “Do-it-Yourself” or outsource
  • For a medium-sized registry: usually one person part-time
  • Outsourced Abuse Desk consulting
  • Basic commercial detection services are available for ~US$250 - $400/month*
* Domain Assured and NameSentry
27. Thank you!
Questions?