
1 © 2014 Architelos and/or its affiliates. All rights reserved.

Reality Check: Domain Name Abuse

Alexa Raad, CEO Architelos www.architelos.com

Feb 12, 2015

Singapore Feb 2015 GAC Meeting


Agenda

•  Definition
•  Abuse Primer
•  Best Practices
•  Key Components


Abuse = Exploiting Internet Users

•  Purposes that are deceptive or malicious
•  Categories are not mutually exclusive


Relationship


About Spam…

•  Unsolicited email

•  The problem: domains advertised in spam

•  Spam is the distribution/delivery mechanism for phishing, malware, fraud, identity theft, etc.

•  85% of all email sent in the world is spam*. Most of it is not just harmless advertising, it’s part of illegal and/or illicit activities.

* M3AAWG statistics; also http://www.senderbase.org/static/spam/


Example Spam Email - Jan 17, 2015

Hello,

Dear [redacted]

To get back into your account, you'll need to confirm your account . It's easy: Click the link below to open a secure browser window. Confirm that you're the owner of the account and then follow the instructions.

By Clicking Here

[hxxp://www.amazoon.company/seller/index/web/index.php?cmd=5885d80a13c0db1f22d2300ef60a67593b79a4d03747447e6b625328d36121a1f9e08eb1299421ca1639745433caa407f9e08eb1299421ca1639745433caa407]

Or contact paypal Member Services Team. We're available 24 hours a day, 7 days a week. If you have recently updated your billing information, please disregard this message as we are processing the changes you have made


…for Phishing Attack


Factors that Allow Abuse to Succeed

•  Low price
•  Economic incentive
•  Lax registration policies
•  Lack of enforcement, or lax and/or inconsistent enforcement


ABUSE PRIMER


1.  “Not all abuse is created equal” – Some are more dangerous than others

ex: Spear phishing attack on Sony


2.  Abuse can morph over time

[Chart: Severity (y-axis) versus Time (x-axis)]


3.  They all start with a domain name registration


4.  Different TLDs have different profiles

•  Different business models
•  Open vs. eligibility criteria restrictions vs. .brand/closed
•  Price
•  Distribution model

= Different risks


5.  Existence/prevalence of abusive domains in a TLD does not necessarily indicate mismanagement by the Registry

What matters is effective and consistent mitigation to reduce “time to harm”.

Ignoring abuse over time, and letting it flourish, is mismanagement.


6.  Abuse patterns for a TLD vary over time

Abuse patterns shift as abusers probe for exposures in policies and operations.

[Charts: day-to-day pattern; month-by-month pattern]


7.  Virtually every TLD has at least some abuse

By the end of 2014, new gTLDs had one quarter of the levels of abuse found in established gTLDs.

Almost every ccTLD and legacy gTLD has some abuse. This is a consequence of usage, and it is inevitable.


8.  Effective abuse mitigation is also good for business

Abuse → reputation of the TLD, which in turn affects:

•  Use (ex: applications can block the TLD altogether)

•  New registrations (adoption by legitimate registrants)

•  Renewals


9.  Effective mitigation is about reducing “time to harm”

[Diagram: elements labelled IP Address, Domain Name, Website, email, Internet Browser, Device(s) and Applications, with Criminals at one end; a “Mitigation” scale runs from More Effective to Less Effective (“Damage Assessment”)]


Best Practices

•  Align operational procedures and processes to support policy
   –  Consistency (the same bad behavior should consistently result in the same enforcement)
   –  Measure, learn over time, and adjust

•  Understand what's happening in the domain space
   –  Continuous monitoring (not periodic technical analysis)
   –  Use multiple data sources to get the complete picture

•  Analyze and prioritize
   –  Mitigate the most egregious domain abuses first
   –  Look for correlation and relationships to identify problem spots
   –  Ex: abusive domain names → problem registrars

•  Focus on reducing “Time to Harm”
   –  How long the abusive domain is active and therefore able to cause harm. Most damage is done within the first two hours of a phishing attack.


Putting Best Practices to Work

•  Well designed procedures, processes and workflows
•  Abuse data detection
•  Analysis & prioritization
•  Notification & communication
•  Enforcement (ex: suspension, takedown, deletion, etc.)
•  Documentation (record keeping)
•  Measurement (Effectiveness? Accuracy?)
•  Complaint & redress


A Complete Abuse Mitigation System

[Layered diagram, from top to bottom:]

•  Processes (e.g. regular and exception workflows)
•  Procedures (ex: Whois validation, Abuse verification, Escalation, Registrar notification, Suspension or takedown, Documentation)
•  Policies (Abuse Policy, Registration Policy, Acceptable Use, etc.)
•  Principles (Security/Safety, Privacy, Transparency, Accountability, Fairness, Redress, Consistency)

Procedures are a set of operational actions which support one or more policies. Check whether they are:

•  Consistently applied
•  Contradictory
•  Nullifying other procedures
•  Nullifying other policies

Each procedure may have multiple processes to help achieve the objective. Ex: an Escalation procedure may have various processes (e.g. IF X exists, then do Y; if X does not exist, then proceed to Z). Processes are defined in terms of workflows.


Abuse data detection

•  Choose reputable data sources which report on one or more abuse types
   –  At a minimum, look for data feeds and sources that cover spam, phishing, malware and botnets
   –  Some data sources are specialists in one abuse type
   –  No one vendor will catch all the abuse

•  Data should have:
   –  Validation mechanisms in place so as to eliminate or minimize false positives
   –  Mechanisms to remove resolved abuse from their lists

•  Multiple data sources: the same abuses reported independently adds confidence

•  Some invoke actions from third parties, such as law enforcement


Monitoring versus Sampling

For sampling to work, at a minimum you need to assume:

•  Spam = Phishing = Malware = Botnet
•  No correlation or commonality between abuse types
•  Abuse patterns stay the same over time
•  Abuse follows a Normal Distribution curve

Or simply put: depending on when you sample, you can get widely different results.


Analysis and Prioritization

•  Different abuse types have different urgency:
   –  Some may need to be taken down immediately
   –  Some have different notification paths

•  Verifying abuse
   –  Verification is ideally the data vendor's work; registries and registrars are not specialists, and it’s not cost effective for most entities to have in-house specialists
   –  False positives undermine confidence, but with good quality data providers they are extremely rare
   –  Some forms of abuse legally have to be verified or handled with third parties, such as child pornography
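The detection, prioritization and correlation steps above (multiple feeds corroborating each other, dropping abuse the feed has marked resolved, ranking by abuse-type urgency, grouping abusive domains by registrar, and measuring time to harm) are shown together in this added example. It is illustrative code written for this page, not Architelos' or any vendor's tooling; the feed names, domains, registrars and the urgency ordering are constructed assumptions.

```python
"""Toy abuse-desk triage over several abuse feeds (constructed sample data)."""
from collections import defaultdict
from datetime import datetime

# Assumed urgency ranking; the deck only states that urgency differs per type.
URGENCY = {"phishing": 3, "malware": 3, "botnet": 2, "spam": 1}

# Constructed feed reports: (feed, domain, abuse_type, registrar, first_seen, resolved)
REPORTS = [
    ("feedA", "amazoon.example", "phishing", "Registrar-1", "2015-01-17T09:00", False),
    ("feedB", "amazoon.example", "phishing", "Registrar-1", "2015-01-17T09:20", False),
    ("feedA", "cheap-pills.example", "spam", "Registrar-2", "2015-01-16T12:00", False),
    ("feedC", "bot-c2.example", "botnet", "Registrar-1", "2015-01-15T08:00", False),
    ("feedA", "bot-c2.example", "botnet", "Registrar-1", "2015-01-15T10:00", False),
    ("feedB", "old-case.example", "malware", "Registrar-3", "2015-01-10T08:00", True),
]

def triage(reports):
    """Return (domain, urgency, corroboration) most urgent first.

    Corroboration is the number of distinct feeds reporting the domain;
    reports a feed has marked resolved are dropped, as the deck recommends.
    """
    by_domain = {}
    for feed, domain, atype, registrar, seen, resolved in reports:
        if resolved:
            continue
        rec = by_domain.setdefault(domain, {"feeds": set(), "types": set(),
                                            "registrar": registrar, "first_seen": seen})
        rec["feeds"].add(feed)
        rec["types"].add(atype)
        rec["first_seen"] = min(rec["first_seen"], seen)  # ISO strings sort by time
    queue = [(max(URGENCY[t] for t in rec["types"]), len(rec["feeds"]),
              rec["first_seen"], domain) for domain, rec in by_domain.items()]
    # Most urgent first, then most independently reported, then longest live.
    queue.sort(key=lambda q: (-q[0], -q[1], q[2]))
    return [(d, u, c) for u, c, _, d in queue]

def registrar_hotspots(reports):
    """Distinct unresolved abusive domains per registrar, worst first."""
    seen = defaultdict(set)
    for _, domain, _, registrar, _, resolved in reports:
        if not resolved:
            seen[registrar].add(domain)
    return sorted(((r, len(d)) for r, d in seen.items()), key=lambda x: -x[1])

def hours_live(first_seen, actioned):
    """Time-to-harm proxy: hours between first report and enforcement action."""
    fmt = "%Y-%m-%dT%H:%M"
    delta = datetime.strptime(actioned, fmt) - datetime.strptime(first_seen, fmt)
    return delta.total_seconds() / 3600
```

Feeding the queue into notification and suspension workflows, and recording `hours_live` for each case, gives the effectiveness measurement the deck asks for.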


How they Fit

[Diagram: DATA → Information (= Data + Data + Data) → Knowledge (= info + info + info) → Wisdom; aligned with the stages Detection, Analysis / Prioritization, and Mitigation / Enforcement; inputs include Registrar data, Malware, Reputation, Correlation & Relationships, and Context]


Is the Cost Prohibitive?

•  It's good for business

•  Responsible new gTLD registries planned for this, because:
   –  They had to describe anti-abuse plans and costs in their applications
   –  It is included in the Registry contract

•  Options are: “Do-it-Yourself” or outsource
   –  For a medium-sized registry: usually one person part-time
   –  Outsourced Abuse Desk consulting
   –  Basic commercial detection services are available for ~ US$250 - $400/month*

* Domain Assured and NameSentry


Thank you!

Questions?