Architelos gac domain abuse best practices feb 12

1© 2014 Architelos and/or its affiliates. All rights reserved.
Reality Check: Domain Name
Abuse
Alexa Raad, CEO
Architelos
www.architelos.com
Feb 12, 2015
Singapore Feb 2015 GAC Meeting

Agenda
•  Definition
•  Abuse Primer
•  Best Practices
•  Key Components

© 2014 Architelos and/or its affiliates. All rights reserved. 3
Abuse = Exploiting Internet Users
• Purposes that are deceptive, malicious
• Categories are not mutually exclusive

Relationship

About Spam…
•  Unsolicited email
•  The problem: domains advertised in spam
•  Spam is the distribution/delivery mechanism for phishing,
malware, fraud, identity theft, etc.
•  85% of all email sent in the world is spam*. Most of it is not
just harmless advertising, it’s part of illegal and/or illicit
activities.
* M3AAWG statistics; also http://www.senderbase.org/static/spam/

Example Spam Email - Jan 17, 2015
Hello,
Dear [redacted]
To get back into your account, you'll need to confirm your account . It's easy: Click the link
below to open a secure browser window. Confirm that you're the owner of the account and
then follow the instructions.
By Clicking Here
[hxxp://www.amazoon.company/seller/index/web/index.php?
cmd=5885d80a13c0db1f22d2300ef60a67593b79a4d03747447e6b625328d36121a1f9e08eb
1299421ca1639745433caa407f9e08eb1299421ca1639745433caa407]
Or contact paypal Member Services Team. We're available 24 hours a day, 7 days a week. If
you have recently updated your billing information, please disregard this message as we are
processing the changes you have made

..for Phishing Attack

Factors that Allow Abuse to Succeed
Low price
Economic incentive
Lax registration policies
Lack of enforcement, or…
lax and/or inconsistent enforcement

ABUSE PRIMER

1.  “Not all abuse is created equal” – Some are
more dangerous than others
ex: Spear phishing attack on Sony

2.  Abuse can morph over time
Time
Severity

3.  They all start with a domain name
registration

4.  Different TLDs have different profiles
• Different business models
• Open vs. eligibility criteria restrictions vs. .brand/closed
• Price
• Distribution model
= Different risks

5.  Existence/prevalence of abusive domains
in a TLD does not necessarily indicate
mismanagement by the Registry
What matters in effective and consistent mitigation to
reduce “time to harm”
Ignoring abuse over time, and letting it flourish, is
mismanagement.

6.  Abuse patterns for a TLD varies over time
Abuse patterns vary to find exposures in policies and operations.
Day to day pattern Month by month

7.  Virtually every TLD has at least some
abuse
By the end of 2014, new gTLDs had 1/4th the levels of
abuse found in established gTLDs
Almost every ccTLD and legacy gTLD has some abuse.
This is a consequence of usage, and it is inevitable.

8.  Effective abuse mitigation is also good for
business
Abuse à reputation of the TLD, which in turn affects:
•  Use (ex: applications can block the TLD altogether)
•  New registrations (adoption by legitimate registrants)
•  Renewals

9.  Effective mitigation is about reducing “time
to harm”
IP Address
Domain Name
Website
email
Internet Browser
Device(s)
Applications
“Mitigation”
Less Effective
Criminals
More Effective
“Damage
Assessment”

Best Practices
•  Align operational procedures and processes to support policy
Consistency (same bad behavior should consistently result in same enforcement)
Measure, learn over time, and adjust
•  Understand what's happening in the domain space
Continuous monitoring (and not periodic technical analysis)
Use multiple data sources to get the complete picture
•  Analyze and prioritize
Mitigate most egregious domain abuses
Look for correlation and relationships to idenitfy problem spots
Ex: abusive domain names à problem registrars
•  Focus on reducing time to “Time to Harm”
How long the abusive domain is active and therefore able to cause harm. Most damage is
done within first two hours in a phishing attack

Putting Best Practices to Work
•  Well designed procedures, processes and workflows
•  Abuse data detection
•  Analysis & prioritization
•  Notification & communication
•  Enforcement
(Ex: suspension, takedown, deletion etc.)
•  Documentation (record keeping)
•  Measurement
Effectiveness? Accuracy?
•  Complaint & redress

Processes
(e.g. regular and exception work flows)
Procedures
(ex: Whois validation, Abuse verification,
Escalation, Registrar notification, Suspension
or takedown, Documentation)
Policies
(Abuse Policy, Registration
Policy, Acceptable Use, etc)
Principles
(Security/Safety,
Privacy, Transparency,
Accountability, Fairness,
Redress, Consistency)
Procedures are a set of
operational actions which
support one or more
policies.
•  Consistently applied
•  Contradictory
•  Nullify other procedures
•  Nullify other policies
Each procedure may have multiple processes to help
achieve the objective. Ex: Escalation procedure may
have various processes (i.e. IF X exists, then do…Y, If
X does not exist then proceed to Z). Processes are
defined in terms of workflows.
A Complete
Abuse Mitigation
System

Abuse data detection
•  Choose reputable data which report on one or more abuse types
At a minimum, look for data feeds and sources that cover spam, phishing,
malware, botnets
Some data sources are specialists in an abuse type
No one vendor will catch all the abuse
•  Data should have:
Validation mechanisms in place so as to eliminate or minimize false
positives
Mechanisms to remove resolved abuse from their lists
•  Multiple Data Sources: Reporting the same abuses independently
adds confidence
•  Some invoke actions from third-parties, such as law enforcement

For it to work, at a minimum you need to assume:
•  Spam=Phishing=Malware=Botnet
•  No correlation or commonality between abuse types
•  Abuse patterns stay the same over time
•  Abuse follows a Normal Distribution curve
Or simply put, depending on when you sample you can get widely different
results
Monitoring versus Sampling

Analysis and Prioritization
•  Different abuse types have different urgency:
•  Some may need to be taken down immediately
•  Some have different notification paths
•  Verifying Abuse
•  Verification is Data vendor work ideally, Registries and Registrars
are not specialists and it’s not cost effective for most entities to
have in-house specialists
•  False positives undermine confidence, but in good quality data
providers, they are extremely rare.
•  Some forms of abuse legally have to be verified or handled with
third parties, such as child pornography

DATA
Information
(=Data + Data +Data)
Knowledge
(=info+ info + info)
How they Fit
Wisdom
Registrar data
Malware
Mitigation, Enforcement
Reputation
Correlation & Relationships
Context
Analysis
Prioritization
Detection

Is the Cost Prohibitive?
•  It's good for business
•  Responsible new gTLD registries planned for this,
because:
• Had to describe anti-abuse plans and costs in their applications.
• Included in Registry contract
•  Options are: “Do-it-Yourself” or outsource
• For a medium-sized registry: usually one person part-time
• Outsourced Abuse Desk consulting
• Basic commercial detection services are available for ~ US$250 -
$400/month*
* Domain Assured and NameSentry

Thank you!
Questions?

Architelos gac domain abuse best practices feb 12

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Viewers also liked

Viewers also liked (14)

Similar to Architelos gac domain abuse best practices feb 12

Similar to Architelos gac domain abuse best practices feb 12 (20)

More from DNS Entrepreneurship Center

More from DNS Entrepreneurship Center (20)

Recently uploaded

Recently uploaded (20)

Architelos gac domain abuse best practices feb 12