The recent rise in internet use, as people are moving more of their lives online due to Covid-19, has been matched by a rise in malicious activity in the form of phishing attempts, malware distribution, and botnet command and control (C2) activities.
For most users, it can often be very difficult to tell a legitimate website from a malicious one. This has led to an increase in the number of successful spam, phishing and malware attacks. For these attacks to be successful, internet users are typically directed to a website which tries to trick the user into installing malware, or provide personal or financial data.
On the internet, large corporations (such as ISPs), internet infrastructure providers (such as CentralNic Registry), security companies, and law enforcement agencies, regularly log malicious attacks but are faced with the challenge of who to turn to for rapid action to be taken against these domains. In order to be in a position to act against these domains, registries and registrars need corroborated and quantifiable data from law enforcement and the business community to verify the malicious activity. This often causes delays in suspension of domain names, which in turn leads to the potential for more unsuspecting internet users to fall foul of an attack.
The DomainTrust™ Project
CentralNic Registry has been working with the Global Cyber Alliance (GCA), other registries, registrars, ISPs, banks and internet administration bodies to launch an initiative known as DomainTrust™.
DomainTrust is a sophisticated intelligence platform that provides registries, registrars, and cyber protection agencies high quality, large-scale sets of data on suspected malicious and criminal domains that are being used in phishing attempts, malware distribution, and command and control (C2) activities. This data provides them the intelligence upon which they can take further action: investigation, suspension, or disablement.
By collecting and analysing real-time threat intelligence data from multiple sources, which are trusted to differing degrees, a unilateral, accurate and rapid enforcement decision can be made based upon the trust level of the aggregated data.
Trust sources, and the information they provide, are monitored and assessed to ensure their assigned trust level status is appropriate for the information that they are providing at any particular time. This will allow the decision algorithms to adjust for fluctuating quality of information from a particular source without affecting success rate or the decision process.
In order to reduce the chance of suspending a domain name in error, registries and registrars need up-to-date and accurate information from multiple trusted sources in order to be confident enough to take unilateral action against a malicious domain name. Until now, the financial and reputational risk associated with suspending a legitimate domain in error has meant that registries and registrars have been forced to take a very conservative approach to domain enforcement, normally waiting upon a court order before acting.
CentralNic Registry believes that the DomainTrust project is a great step forward in protecting internet users by providing rapid, accurate and trusted evidence of domain name misuse to registries and registrars. This is essential if the approach to addressing DNS abuse outlined in the DNS Abuse Framework, which has been adopted by many of the largest organisations within the industry (including CentralNic Registry), is to be successful. With this evidence, the likelihood that rapid, unilateral action will be taken increases greatly, thereby reducing the amount of harm caused by abuse of the domain name system.
For more information about the DomainTrust initiative please visit the DomainTrust website.