As cyber attacks and brand abuse become more sophisticated and damaging, monitoring and investigative tactics have to grow in scope to include DNS and Whois data, as Tim Chen explains.
Network security professionals have long been on the cutting edge of technology and the use of data to address compromises. Security breaches and cyber attacks can destroy incredible amounts of value in a very short time. A 2013 study by the Ponemon Institute showed that cyber attacks cost companies an average of $5.4 million per attack.
By taking a deeper look at the methods and tools used by network security professionals, processes to improve online brand protection strategies can be identified.
Network security starts with data. The basic network security model involves installing sensors or other data collection points within the client network. Service providers will overlay deep data analytics and pattern recognition in order to detect abnormal network behaviours. Often the terabytes of internal network data will be augmented by sourcing significant amounts of external data such as IP blacklists or spam domain lists.
Timely investigation of who is behind cyber attacks is vital for immediately mitigating threats as well as understanding possible related threat activity. Detailed research is also important for gathering evidence that can be used in prosecution.
Most types of cyber attacks leave a trail of network signatures, including domain names, host names and Internet protocol (IP) addresses. When combined with Whois data, this domain name system (DNS) data can help identify the people behind these attacks, as well as associate other related resources that may be targeting a network or organisation.
Brand protection professionals can deploy similar strategies to improve their effectiveness. Traditional online brand protection strategies have involved tactics such as looking for typo domain names, knock-off ecommerce sites, unauthorised brand and logo use, and brand-abusing spam sites. There has been very little use of deeper DNS data. Incorporating this data, following the advanced strategies used in network security, provides a much more comprehensive approach to brand protection.
Simply defined, the DNS is the system that maps between host names (domain names) and numerical network addresses (IP addresses). Under the bonnet it is a lot more complex. The DNS records describe the relationship between domain names and IP addresses. Domain names, IP addresses and nameservers are associated with each other and with individual people and organisations via Whois records. And there are multiple layers to these relationships.
As information gets passed between DNS resolver and various nameservers, in order to get your client an IP address, an enormous amount of data and information is created and passed through the DNS. It is the real-time availability of this data that is of particular value in brand protection and investigation.
Having access to DNS data can be useful in a number of ways for brand protection professionals:
- By monitoring DNS traffic, brand owners can be notified in real time of users requesting domain names that may contain a brand’s keyword terms. This can include host name or third-level domain information (eg, brandname.randomdomain.TLD).
- Brand protection agents can analyse the Whois data of the nameserver and IP address associated with an offending domain such as brandtypo.com in order to identify possible malicious organisations. Advanced tools can then be used to find other domains pointed to those Internet resources, thereby getting ahead of future offences.
- Brand agents can then cast a much wider net by looking at all domains, IP addresses, nameservers and mail servers associated with the offending domain, IP address, nameserver or MX (mail exchanger) record to create a broad ‘watch list’ of organisations or sites that are associated with the offending site and may be used for brand fraud. In this way, brand protection agents can get ahead of attackers and move from a defensive to an offensive position.
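The three steps above (keyword matching on queried names at any label level, then pivoting from one offending domain to the infrastructure it shares with others) can be illustrated in a few dozen lines. The following is an added example written for this article, not code from the author or from DomainTools. The brand keyword `acmebrand`, the query-log format, the domain names and the IP addresses (from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are all constructed sample data, and in practice the records would come from a passive-DNS or Whois feed rather than an inline dictionary.

```python
"""Brand-keyword detection over DNS query names, plus an infrastructure pivot
that builds a watch list of domains sharing an A record, nameserver or MX host
with a known offending domain.  All data below is constructed sample data.
"""
from collections import defaultdict

BRAND = "acmebrand"  # hypothetical brand keyword to watch for

# Constructed query-log lines: timestamp, client, query type, query name.
DNS_LOG = """\
2013-08-30T10:01:02Z 10.0.0.5 A www.example.org
2013-08-30T10:01:05Z 10.0.0.7 A acmebrand.randomdomain.tld
2013-08-30T10:02:11Z 10.0.0.9 A login-acmebrand.com
2013-08-30T10:02:15Z 10.0.0.5 MX mail.example.org
2013-08-30T10:03:40Z 10.0.0.8 A acmebrandshop.net
"""


def parse_dns_log(text):
    """Split whitespace-delimited log lines into dicts; names are normalised to
    lower case with any trailing dot removed."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip(".")})
    return records


def brand_hits(records, keyword=BRAND):
    """Return (qname, level) for every query name that carries the keyword in
    one of its labels.  level counts labels from the right, so
    acmebrand.randomdomain.tld is a third-level hit and login-acmebrand.com a
    second-level one; both are reported, as the article's first bullet asks."""
    hits = []
    for r in records:
        labels = r["qname"].split(".")
        for i, label in enumerate(labels):
            if keyword in label:
                hits.append((r["qname"], len(labels) - i))
                break
    return hits


# Constructed resolution and mail data: domain -> its A, NS and MX values.
DNS_RECORDS = {
    "acmebrand-typo.com": {"A": "198.51.100.10", "NS": "ns1.badhost.example", "MX": "mx.badhost.example"},
    "cheap-deals.net":    {"A": "198.51.100.10", "NS": "ns1.otherdns.example", "MX": "mx.other.example"},
    "free-prizes.org":    {"A": "203.0.113.7",   "NS": "ns1.badhost.example", "MX": "mx.other.example"},
    "legit-site.com":     {"A": "203.0.113.99",  "NS": "ns1.bigdns.example",  "MX": "mx.bigdns.example"},
    "spam-mail.biz":      {"A": "203.0.113.20",  "NS": "ns1.bigdns.example",  "MX": "mx.badhost.example"},
}


def build_index(records):
    """Invert the records: (record type, value) -> set of domains using it."""
    idx = defaultdict(set)
    for domain, rr in records.items():
        for rtype, value in rr.items():
            idx[(rtype, value)].add(domain)
    return idx


def watch_list(seed, records, shared_types=("A", "NS", "MX"), max_shared=50):
    """Domains that share infrastructure with `seed`, keyed by domain, with the
    sorted list of shared values as evidence.  A value used by more than
    max_shared domains (a large hosting provider's nameserver, say) is skipped,
    because a pivot on it would sweep in unrelated sites."""
    idx = build_index(records)
    related = defaultdict(set)
    for rtype in shared_types:
        value = records[seed][rtype]
        users = idx[(rtype, value)]
        if len(users) > max_shared:
            continue
        for domain in users:
            if domain != seed:
                related[domain].add(f"{rtype}={value}")
    return {d: sorted(v) for d, v in sorted(related.items())}


if __name__ == "__main__":
    for qname, level in brand_hits(parse_dns_log(DNS_LOG)):
        print(f"keyword hit: {qname} (level {level})")
    for domain, why in watch_list("acmebrand-typo.com", DNS_RECORDS).items():
        print(f"watch: {domain} shares {', '.join(why)}")
```

Run as a script it prints the three keyword hits from the log and a three-entry watch list (`cheap-deals.net` on the shared A record, `free-prizes.org` on the shared nameserver, `spam-mail.biz` on the shared MX host); `legit-site.com` shares nothing with the seed and is left out. The `max_shared` threshold is the check a practitioner will want before acting on a pivot: shared infrastructure is strong evidence only when the shared value is rare.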
There are signals everywhere in the DNS to help identify who is infringing an organisation’s brand and what other domains they might use in the future. For this reason, every online investigation should include DNS and Whois data.
As cyber attacks and brand abuse become more sophisticated and damaging, monitoring and investigative tactics have to grow in scope. Branching out beyond the simple online brand monitoring tools is necessary to keep pace with the escalating conflict.
It’s time to go to the next level with deeper data and analytics from within the DNS and associated data stores. Talk to IT organisations about the tools and services they use to protect their network. Ask DNS or Internet service providers about data access. Discover the more powerful tools that brand protection companies may be using to monitor cyber abuse.
Tim Chen is the CEO of DomainTools. He can be contacted at: Tim@DomainTools.com
This article was first published on 01 September 2013 in World IP Review