The Domain Abuse Activity Reporting System (DAAR)

Similar documents
DNS Abuse Handling. FIRST TC Noumea New Caledonia. Champika Wijayatunga Regional Security, Stability and Resiliency Engagement Manager Asia Pacific

Detecting Abuse in TLDs

Identifier Technology Health Indicators (ITHI) Alain Durand, Christian Huitema 13 March 2018

Security Gap Analysis: Aggregrated Results

Anti-Phishing Working Group

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

SURBL-Listed Domains And Their Registrars (In Just Seven or Eight Minutes)

Exploring the ecosystem of malicious domain registrations in the.eu TLD

Detecting Malicious URLs. Justin Ma, Lawrence Saul, Stefan Savage, Geoff Voelker. Presented by Gaspar Modelo-Howard September 29, 2010.

GFI product comparison: GFI MailEssentials vs. McAfee Security for Servers

Cisco s Appliance-based Content Security: IronPort and Web Security

Whois Study Table Updated 18 February 2009

Infoblox Dossier User Guide

Network Security Detection With Data Analytics (PREDATOR)

Characteriza*on of Blacklists and Tainted Network Traffic

GFI product comparison: GFI MailEssentials vs. Barracuda Spam Firewall

Technical Brief: Domain Risk Score Proactively uncover threats using DNS and data science

GFI product comparison: GFI MailEssentials vs Symantec Mail Security for Microsoft Exchange 7.5

Luminous: Bringing Big(ger) Data to the Fight

Office 365 Integration Guide Software Version 6.7

A Heuristic Approach for the Detection of Malicious Activity at Autonomous System

Security Reputation Metrics for Hosting Providers

I G H T T H E A G A I N S T S P A M. ww w.atmail.com. Copyright 2015 atmail pty ltd. All rights reserved. 1

PURPOSE STATEMENT FOR THE COLLECTION AND PROCESSING OF WHOIS DATA

BOTNET-GENERATED SPAM

Registry Internet Safety Group (RISG)

Fighting Spam, Phishing and Malware With Recurrent Pattern Detection

Is the WHOIS service a source for addresses for spammers?

DNS Risk Framework Update

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Sophos Central Admin. help

Best Practices. Kevin Chege

Fast Flux Hosting Final Report. GNSO Council Meeting 13 August 2009

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

Sales Training

Maximum Security with Minimum Impact : Going Beyond Next Gen

GAC PRINCIPLES REGARDING gtld WHOIS SERVICES. Presented by the Governmental Advisory Committee March 28, 2007

Documentation for: MTA developers

GFI product comparison: GFI MailEssentials vs. LogicNow - Control

Spam, Security and SORBS v2.0

Next Generation Endpoint Security Confused?

Update on Whois Studies

Introduction This paper will discuss the best practices for stopping the maximum amount of SPAM arriving in a user's inbox. It will outline simple

GFI product comparison: GFI MailEssentials vs. Trend Micro ScanMail Suite for Microsoft Exchange

PROTECTING YOUR BUSINESS ASSETS

Global Phishing Survey 2H2009

Network Services, Cloud Computing and Virtualization

A Comprehensive CyberSecurity Policy

Machine-Powered Learning for People-Centered Security

August 14th, 2018 PRESENTED BY:

Smart Protection Network. Raimund Genes, CTO

Fastfeed API Overview

Botnets: major players in the shadows. Author Sébastien GOUTAL Chief Science Officer

RDAP Implementation. Francisco Arias & Gustavo Lozano 21 October 2015

Symantec Protection Suite Add-On for Hosted Security

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

GFI Product Comparison. GFI MailEssentials vs Sophos PureMessage

Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates

Testing? Here s a Second Opinion. David Koconis, Ph.D. Senior Technical Advisor, ICSA Labs 01 October 2010

Comparing Management Systems that Protect Against Spam, Viruses, Malware and Phishing Attacks

This descriptive document is intended as the basis for creation of a functional specification for 2

FortiGuard Antispam. Frequently Asked Questions. High Performance Multi-Threat Security Solutions

Intellectual Property Constituency (IPC)

MX Control Console. Administrative User Manual

ICANN Policy Update & KSK Rollover

Detecting and Quantifying Abusive IPv6 SMTP!

Registrar Session ICANN Contractual Compliance

Technical Approaches to Spam and Standards Activities (ITU WSIS Spam Conference)

Cisco Security: Advanced Threat Defense for Microsoft Office 365

Economics of Cyber Security

Gateways. Kevin Chege

Marketing 201. March, Craig Stouffer, Pinpointe Marketing (408) x125

PineApp Mail Secure SOLUTION OVERVIEW. David Feldman, CEO

Mail Assure. Quick Start Guide

Incident Play Book: Phishing

Korea Phishing Activity Trends Report

Synchronized Security

Sophos Central Admin. help

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

Mavenir Spam and Fraud Control

Ethical Hacking and. Version 6. Spamming

Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

Symantec & Blue Coat Technical Update Webinar 29. Juni 2017

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

APWG Global Phishing Survey 2H2010

Securing the SMB Cloud Generation

THE ACCENTURE CYBER DEFENSE SOLUTION

QuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview

Built without compromise for users who want it all

Issues in Using DNS Whois Data for Phishing Site Take Down

Intermediaries and regulation

Christmas Island Domain Administration Limited ( cxda)

Correlation and Phishing

Sponsor s Monthly Report for.coop TLD

New Developments in the SpamPots Project

For example, if a message is both a virus and spam, the message is categorized as a virus as virus is higher in precedence than spam.

SOLUTION MANAGEMENT GROUP

The best for everyday PC users

Transcription:

The Domain Abuse Activity Reporting System (DAAR) Dave Piscitello APWG EU October 2017

The Domain Abuse Activity Reporting system What is the Domain Abuse Activity Reporting system? A system for reporting on domain name registration and abuse data across TLD registries and registrars How does DAAR differ from other reporting systems? Studies all gtld registries and registrars for which we can collect zone and registration data Employs a large set of reputation feeds (e.g., blocklists) Accommodates historical studies Studies multiple threats: phishing, botnet, malware, spam Takes a scientific approach: transparent, reproducible 2

DAAR & the Open Data Initiative Goal of Open Data Initiative is to facilitate access to data that ICANN organization or community creates or curates DAAR system uses data from public, open, and commercial sources DNS zone data WHOIS data Open source or commercial reputation blocklist (RBL) data Certain data feeds require a license or subscription In cases where licensing permits, DAAR data or reports will be published and included in the Open Data Initiative 3

Project Goals DAAR data can be used to Report on threat activity at TLD or registrar level Study histories of security threats or domain registration activity Help operators understand or consider how to manage their reputations, their anti-abuse programs, or terms of service Study malicious registration behaviors Assist operational security communities The purpose of DAAR is to provide data to support community, academic, or sponsored research and analysis for informed policy consideration 4

DAAR Uses TLD Zone Data Collects all gtld zones for gtld registry analytics DAAR uses publicly available methods to collect zone data Centralized Zone Data Service, zone transfer) DAAR only uses domain names that appear(ed) in zones Currently, system collects zones from ~1240 gtlds Approximately 195 million domains 5

DAAR Uses Whois DAAR uses published registration data (Whois) Uses only registration data necessary to associate resolving domain names in zone files with sponsoring registrars Reliable, accurate registrar reporting depends on Whois Collecting registration records for millions of domains is a big challenge 6

DAAR Uses Many Threat Data Sets DAAR counts unique abuse domains A domain that appears on any RBL reporting to DAAR is included in the counts once DAAR uses multiple domain or URL abuse data sets to Generate daily counts of domains associated with phishing, malware hosting, botnet C&C, and spam Calculate daily total and cumulative abuse domains Calculate newly added abuse domains (a monthly count), and cumulative abuse domains (365 day count) Create histograms, charts, days in the life views DAAR reflects how entities external to ICANN community see the domain ecosystem 7

Reputation Data: Identifying Threats 8

DAAR Is Not An Abuse List Service OCTO-SSR does not compose its own reputation blocklists DAAR presents a composite of the data that external entities use to block threats DAAR collects the same abuse data that is reported to industry and Internet users The abuse data that DAAR collects are used by commercial security systems that protect millions of users and billions of mailboxes daily Academic and industry use and trust these data sets Academic studies and industry use validate these data sets exhibit accuracy, global coverage, reliability and low false positive rates 9

DAAR Criteria for Reputation Data (RBLs) RBLs must provide threat classification that match our set of security threats Evidence that operational and security communities trust the RBL for accuracy, clarity of process RBLs have positive reputations in academic literature RBLs are broadly adopted across operational security community Feeds are incorporated into commercial security systems Used by network operators to protect users and devices Used by email and messaging providers to protect users 10

Reputation Block Lists: Protecting Users Everywhere RBL use is nearly ubiquitous RBLs block more than unsolicited commercial email RBLs in Browsers Google Chrome uses APWG, and Safe Browsing URL Data RBLs in the Cloud and Content-Serving Systems Akamai uses SURBL, Symantec, ThreatSTOP, and custom RBLs AWS WAF uses RBLs to block abuse or volumetric attacks Google Safe Browsing blocks malicious URLs and AdWords fraud RBLs in Your Social Media Tools Facebook composes and shares its ThreatExchange platform RBLs in the DNS ISPs & private networks use Resource Policy Zones (RPZs) at resolvers. Spamhaus and others provide RBLs in RPZ format 11

Reputation Block List Uses: Private Network Operators RBLs in commercial firewalls, UTM devices Admin guides from Palo Alto Networks, Barracuda Networks, SonicWall, Check Point, Fortigate, Cisco IronPort, and WatchGuard TitanHQ SpamTitan, Sophos UTM, andproofpoint also provide RBL-based filtering to protect users from visiting malicious URLs External RBLs mentioned: Spamhaus, SURBL, SpamCop, Invaluement, abuse.ch, Open ORDBL, Spam and Open Relay Blocking System (SORBS), Squidblacklist.org, RBLs in enterprise mail/messaging systems Spam solutions from GFI MailEssentials, SpamAssassin, and Vamsoft ORF include Spamhaus or SpamCop RBLs available for Microsoft Exchange RBLs and Third-Party Email Service Providers (ESPs) Amazon Simple Email Service RBL or DNS block lists Look at ESPMail Exchange (MX) and Sender Policy Framework (SPF) resource records 12

RBLs in Academia: One means of asserting RBL confidence Partial list of academic studies and citations of RBLs that report to DAAR Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Blacklist Ecosystem Analysis: Spanning Jan 2012 to Jun 2014 Taster's Choice: A Comparative Analysis of Spam Feeds Learning to Detect Malicious URLs Understanding the Domain Registration Behavior of Spammers The Statistical Analysis of DNS Abuse in gtlds (SADAG) Report Shades of grey: On the effectiveness of reputation-based blacklists Click Trajectories: End-to-End Analysis of the Spam Value Chain 13

Current Reputation Data Sets SURBL lists (domains only) Spamhaus Domain Block List Anti-Phishing Working Group Malware Patrol (Composite list) Phishtank Ransomware Tracker Feodotracker SpamAssassin: malware URLs list Carbon Black Malicious Domains Postfix MTA Squid Web proxy blocklist Symantec Email Security for SMTP Symantec Web Security Firekeeper DansGuardian ClamAV Virus blocklist Mozilla Firefox Adblock Smoothwall MailWasher 14

Does DAAR Identify All Abuse? No reputation provider can see all the abuse Each is catching only some (what they see) Providers look for different types of abuse, use different methods or infrastructures Some lists are big and some are small. The smaller the list, the less percent of overlap it might have with a larger list 15

Why Is DAAR Reporting Spam Domains? The ICANN Governmental Advisory Committee (GAC) expressed interest in spam domains as a security threat in its Hyderabad correspondence to the ICANN Board of Directors Why? Because Most spam are sent via illegal or duplicitous means (e.g., via botnets). Spam is no longer singularly associated with email Link spam, spamdexing, tweet spam, messaging spam (text/sms) Spam is a major means of delivery for other security threats Spam has evolved to a (cloud) service: Avalanche, for example, provided domain registrations to customers DAAR mainly measures domain names found in the bodies of spam messages MOST IMPORTANTLY, spam domain reputation influences how extensively or aggressively security or email administrators apply filtering 16

Visualizing DAAR Data 17

Data Set: All gtlds having at least 1 reported abuse domain Security Threats 1200000 1000000 800000 600000 400000 200000 0 Phishing Domains: New TLDs Phishing Domains: Legacy TLDs Malware Domains: New TLDs Malware Domains: Legacy TLDs Spam Domains: New TLDs Spam Domains: Legacy TLDs Botnet C&C Domains: New TLDs Botnet C&C Domains: Legacy TLDs May 2017 Jun 2017 Jul 2017 Aug 2017 Sep 2017 18

End of Month Snapshots: Phishing Domains Percent of Abuse 19

End of Month Snapshots: Malware Domains Percent of Abuse 20

End of Month Snapshots: Botnet (C2) Domains Percent of Abuse 21

End of Month Snapshots: Spam Domains Percent of Abuse 22

Data Set: All gtlds having at least 1 reported abuse domain 100% Percent of Domains Resolving in the DNS: Legacy vs New TLDs 12% 12% 11% 11% 11% 88% 88% 89% 89% 89% 50% MAY 2017 JUN 2017 JUL 2017 AUG 2017 SEP 2017 % New TLD Domains that Resolve in DNS % Legacy TLD Domains that Resolve in DNS 23

Data Set: All gtlds having at least 1 reported abuse domain Percent of Total Abuse Domains Reported To DAAR System: New versus Legacy TLDs 47% 45% 44% 49% 43% 53% 55% 56% 51% 57% MAY 2017 JUN 2017 JUL 2017 AUG 2017 SEP 2017 Percentage of Total Abuse Domains (New TLDs) Percentage of Total Abuse Domains (Legacy TLDs) Total Abuse Tells Only PART of the Story: Let s drill down to Consider Concentration Or Distribution 24

Where is Abuse Concentrated in New TLDs? Exploited New TLDs MAY 2017 Abuse Domains Reported to DAAR New TLD Program Resolving Domains for Which DAAR Obtains Data 5 most exploited new TLDs 56% 22% 10 most exploited new TLDs 73% 34% 25 most exploited new TLDs 97% 70% Exploited New TLDs SEP 2017 Abuse Domains Reported to DAAR New TLD Program Resolving Domains for Which DAAR Obtains Data 5 most exploited new TLDs 53% 26% 10 most exploited new TLDs 71% 48% 25 most exploited new TLDs 95% 67% TLDs for which no abuse domains were reported are not included in the counts 25

Project Status 26

Project Status Doing it right is more important than doing it fast Reviewing our data feeds and licensing Tuning collection systems to ensure timely and resilient updates Third party independent review of our methodology Version 2.0 features under development Additional automation for reporting Granular attribution Experimentation with additional measurements https://www.flickr.com/photos/artisticbokeh/ 11/1/17 27 27

Exploring the feasibility of Delving deeper into how domain names are used Legitimate vs. compromised domain data? Tracking recidivism? Additional classifications of spam domains Add URL amplification: how many unique abuse URLs are associated with a unique abuse domain? Including more data? IP and ASN reputation data? Registration fee data New (additional) reputation data https://www.flickr.com/photos/artisticbokeh/ 28

Questions? Thank You @icann facebook.com/icannorg youtube.com/icannnews flickr.com/icann linkedin/company/icann Dave s Contact Info: dave.piscitello@icann.org @securityskeptic www.securityskeptic.com about.me/davepiscitello slideshare/icannpresentations soundcloud/icann 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback