By Steven Cardinal
You have invested in your brand. Your customers know and trust you. Your employees trust the information systems you provide them to do their jobs. In today’s world, much of an organization’s brand is tied to its Internet domain name – that .com or .org address that makes you stand out from the competition. But what happens if that brand is damaged? What is the impact if threat actors steal or spoof your brand name? You may be able to recover, at a cost, but wouldn’t it be nice to not become a victim at all?
At Soteria, we work with many customers who have been the target of domain takeover and domain spoofing attacks. We provide guidance to lower the risk of these attacks and these are basic steps that you can take to secure your domain names to avoid becoming the next victim.
Starting from the top, securing domain names begins with the selection of a domain name registrar. Some registrars are accredited by ICANN and deal directly with the registries, while others are resellers (or resellers of resellers) that perform the leg work on your behalf for a convenience fee. While many of these resellers mean well, each additional layer between you and the registry is one more party you have to reach when a domain is hijacked or a transfer has to be stopped, and that can mean painful delays. Choose a reputable, accredited registrar to manage these critical brand assets.
Once your registrar is selected, the following eight controls should be put in place to protect your domains.
1. Registrar administration account: Establish an account to login to the registrar to request and manage your domains. Ensure this account is associated with your organization (a role mailbox such as a dns-admin address) and not with an individual who may win the lottery next week and disappear. Also ensure this account is protected by a very strong password or passphrase, that Multi Factor Authentication (MFA) is enabled (an authenticator app or hardware security key rather than SMS, which is exposed to SIM swapping), and that brute-force attempts trigger a notification and account lock. If the registrar offers per-user accounts with roles, give day-to-day staff their own accounts and keep the owner account for emergencies.
2. Registrar contact information: When registering a domain, you will be asked to provide details for administrative, billing, and technical contacts. Just as for your administration account, these should be associated with the business and not with an individual and their personal accounts. Keep the underlying details accurate, since the registrar uses them to verify ownership and to reach you about expiry, transfers and abuse reports. Beyond that, enable the privacy protections offered by the registrar to hide your information from WHOIS and RDAP searches and protect yourself from spam, identity theft and targeted phishing of the people named in the record.
3. Domain registration management: Once you register a domain, you are on the hook to maintain it. This means renewing it on a periodic basis, whether manually or automatically. You do not want to miss the renewal: once a lapsed domain drops, a threat actor or competitor may grab the registration immediately, and drop-catching services exist for exactly that purpose. If setting up automatic renewal, make sure your payment information remains up to date and set a reminder to validate it on a regular basis. If manually renewing, establish a long registration period and set a reminder so you don't forget! Also in this category is a feature usually called Domain Lock or registrar lock, which sets the clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited statuses on the registration so that a transfer, a name server change or a deletion requires you to unlock the domain first. You can confirm it is in place by checking the status field of a WHOIS or RDAP lookup. For your most valuable names, ask about a registry lock (the serverTransferProhibited family of statuses), which additionally requires out-of-band verification with the registry before any change is applied.
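The three registrar-side controls above can be checked from the outside, because lock status, expiry and contact details are all exposed through RDAP, the JSON successor to WHOIS (RFC 9083). The script below is an added example, not Soteria's code: it audits an inventory of domains for missing registrar and registry locks, approaching expiry, and contacts that are not role mailboxes on a company-owned domain. The two RDAP responses are constructed to resemble what a registrar's RDAP server returns for a well-kept domain and for a neglected one; the domain names, dates and mailboxes are placeholders.

```python
"""Audit registrar-side controls (locks, expiry, contacts) from RDAP data.

Added example, not Soteria's code. The RDAP responses below are constructed
and abbreviated; real ones carry many more fields. Fetch live data from
https://rdap.org/domain/<name> (or the registrar's own RDAP base URL) and
feed the parsed JSON to audit_domain().
"""
from datetime import datetime, timezone

# EPP status codes (RFC 8056) in the lower-case wording RDAP uses.
REGISTRAR_LOCKS = {"client transfer prohibited",
                   "client update prohibited",
                   "client delete prohibited"}
REGISTRY_LOCKS = {"server transfer prohibited",
                  "server update prohibited",
                  "server delete prohibited"}
CONTACT_ROLES = {"registrant", "administrative", "technical", "billing"}


def contact_emails(rdap: dict) -> list[tuple[str, str]]:
    """Extract (role, email) pairs from the jCard of every contact entity."""
    out = []
    for ent in rdap.get("entities", []):
        roles = CONTACT_ROLES & set(ent.get("roles", []))
        if not roles:
            continue
        # vcardArray is ["vcard", [[name, params, type, value], ...]]
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "email":
                out.extend((r, prop[3]) for r in sorted(roles))
    return out


def audit_domain(domain: str, rdap: dict, org_domains: set[str],
                 now: datetime, warn_days: int = 60) -> list[str]:
    """Return findings for one RDAP domain object; an empty list means clean."""
    findings = []
    status = set(rdap.get("status", []))
    missing = REGISTRAR_LOCKS - status
    if missing:
        findings.append(f"missing registrar lock: {', '.join(sorted(missing))}")
    if not REGISTRY_LOCKS & status:
        findings.append("no registry lock (consider one for brand-critical names)")

    # Expiry is the event whose eventAction is "expiration".
    expiry = next((e["eventDate"] for e in rdap.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        findings.append("no expiration date returned")
    else:
        exp = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        days_left = (exp - now).days
        if days_left < 0:
            findings.append(f"EXPIRED {-days_left} days ago")
        elif days_left < warn_days:
            findings.append(f"expires in {days_left} days")

    # Contacts should be role mailboxes on a company-owned domain (or redacted).
    for role, email in contact_emails(rdap):
        if email.rsplit("@", 1)[-1].lower() not in org_domains:
            findings.append(f"{role} contact is off-domain: {email}")
    return [f"{domain}: {f}" for f in findings]


# Constructed RDAP responses (placeholders, abbreviated).
SAMPLE_RDAP = {
    "example.com": {
        "status": ["client transfer prohibited", "client update prohibited",
                   "client delete prohibited", "server transfer prohibited"],
        "events": [{"eventAction": "registration", "eventDate": "2010-03-01T00:00:00Z"},
                   {"eventAction": "expiration", "eventDate": "2027-03-01T00:00:00Z"}],
        "entities": [{"roles": ["registrant", "administrative"],
                      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                               ["email", {}, "text", "dns-admin@example.com"]]]}],
    },
    "example-promo.net": {
        "status": ["client transfer prohibited"],
        "events": [{"eventAction": "expiration", "eventDate": "2025-02-15T00:00:00Z"}],
        "entities": [{"roles": ["technical"],
                      "vcardArray": ["vcard", [["email", {}, "text", "bob.smith@gmail.example"]]]}],
    },
}
ORG_DOMAINS = {"example.com"}          # domains the company owns
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)   # fixed "today" so the run is reproducible


def audit_inventory(inventory=SAMPLE_RDAP, now=NOW) -> dict[str, list[str]]:
    """Audit every domain in the inventory and return findings keyed by domain."""
    return {d: audit_domain(d, r, ORG_DOMAINS, now) for d, r in inventory.items()}


if __name__ == "__main__":
    for domain, findings in audit_inventory().items():
        print(domain, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run on a schedule, this turns items 1 to 3 into something you can alert on rather than remember. Note that many registrars redact contact details in RDAP once privacy protection is enabled, so an empty contact list is expected there; the lock statuses and expiry event are always returned.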
With the above controls in place, there are a few extra actions that will further protect your brand.
4. Domain name inventory: As with any inventory system, it is important to know what you have so you can take the measures to protect them. Ensure your procurement processes alert you for any domain purchases. Speak with your marketing people and your developers. Track down every domain the company has registered, even the ones you are not using. Make sure you gather not only the domain name, but where it is registered, who provides the authoritative name server, who within the business owns it, and whether it is used to host any services. Bonus points if you can identify whether it is providing any email services, such as being used in a newsletter.
5. Domain name risk assessment: Perform a quick risk assessment for each domain. How recognizable is the domain name in association with your brand? In other words, if it were abused, how badly could your organization or your customers be harmed? Is it being used for services that could be targeted, such as a web application exposed to Man-in-the-Middle (MITM) attacks or a mail domain that could be spoofed?
6. Prioritized remediation: Based on the risk assessment, work through your domains in order of greatest risk to secure them. This includes using the domain name registrar security steps mentioned earlier, but it also includes some DNS lockdown. For instance, if you own a domain name that never sends email, publish a null SPF record (v=spf1 -all), a DMARC record with a reject policy (v=DMARC1; p=reject) and, optionally, a null MX record, so that receiving mail servers reject anything claiming to come from it. For domains that do send email, publish an SPF record that lists only your real senders and ends in -all, sign outbound mail with DKIM, and move the DMARC policy from p=none to p=quarantine and then p=reject once the reports show your legitimate mail is passing.
7. Subdomain takeover: Subdomain takeover attacks leverage the fact that some subdomains are aliased to third-party services that lie outside the control of the organization. For instance, a CNAME that points docs.yourbrand.com at an S3 website endpoint, a GitHub Pages site, an Azure web app or a similar hosted service keeps resolving after the bucket or app behind it is deleted; an attacker who then creates a resource with the same name at that provider controls what your subdomain serves, including content that can read or set cookies scoped to your parent domain. The same applies to NS delegations to a DNS provider where the zone has been removed and to MX records pointing at a decommissioned mail provider. Each subdomain should be validated as in-use and referring to a legitimate organizational resource, and DNS records for retired services should be deleted before, not after, the service is torn down.
8. Domain monitoring: Even if you have your own domain management procedures in place and functioning well, threat actors can and do try to leverage or damage your reputation for their own purposes. They may, for instance, register domains similar to your own or use various typosquatting methods (dropped, repeated or transposed letters, look-alike characters, hyphens, or a different top-level domain) to register domains that look like yours to the human eye. It is for this very purpose that Soteria created our DNSense service to monitor domain name registration events to identify these attempts and alert you to the threat. Soteria analysts can even perform the necessary leg work to get these domains taken down to reduce the threat to your organization.
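Items 6 and 7 both come down to questions you can ask DNS. The script below is an added example, not Soteria's code: it audits a small inventory for the mail-authentication records a sending or non-sending domain should publish, and walks a list of hostnames looking for CNAMEs aimed at a third-party host that no longer resolves (the subdomain takeover precondition). The zone data and the stand-in resolver are constructed so it runs offline; all hostnames, including the provider suffixes in TAKEOVER_PRONE, are placeholders. Replace lookup() with a real resolver (for example dnspython's dns.resolver) to run it against live DNS.

```python
"""Offline DNS lockdown audit: SPF/DMARC posture and dangling CNAMEs.

Added example, not Soteria's code. FAKE_DNS is a constructed answer table
standing in for a resolver; names absent from it behave like NXDOMAIN.
"""
import re

FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.mailprovider.example -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    ("example-promo.net", "TXT"): ["v=spf1 -all"],                 # null SPF
    ("_dmarc.example-promo.net", "TXT"): ["v=DMARC1; p=reject"],
    ("example-legacy.org", "TXT"): ["v=spf1 +all"],                # anyone may send as us
    ("_dmarc.example-legacy.org", "TXT"): ["v=DMARC1; p=none"],
    ("www.example.com", "CNAME"): ["example-com.cdn-provider.example"],
    ("example-com.cdn-provider.example", "A"): ["198.51.100.7"],
    ("docs.example.com", "CNAME"): ["old-docs.s3-website-us-east-1.amazonaws.example"],
    # no A record for the docs target: the bucket behind it was deleted
    ("blog.example.com", "CNAME"): ["example-blog.pages-provider.example"],
    ("example-blog.pages-provider.example", "A"): ["203.0.113.9"],
}
# Placeholder hosting suffixes where an unused name can be claimed by anyone.
TAKEOVER_PRONE = ("amazonaws.example", "pages-provider.example", "cdn-provider.example")


def lookup(name: str, rtype: str) -> list[str]:
    """Stand-in resolver: return the constructed answers for (name, type)."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def check_mail_auth(domain: str, sends_mail: bool) -> list[str]:
    """Check SPF and DMARC against what a sending or non-sending domain needs."""
    findings = []
    spf = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    dmarc = [t for t in lookup(f"_dmarc.{domain}", "TXT") if t.upper().startswith("V=DMARC1")]
    # \bp= matches the policy tag but not sp= (subdomain policy) or pct=
    m = re.search(r"\bp=([a-z]+)", dmarc[0], re.I) if dmarc else None
    policy = m.group(1).lower() if m else "none"
    if sends_mail:
        if len(spf) != 1 or not spf[0].endswith(("-all", "~all")):
            findings.append(f"{domain}: sending domain needs exactly one SPF record ending in -all or ~all")
        if policy not in ("quarantine", "reject"):
            findings.append(f"{domain}: DMARC policy is p={policy}; move to quarantine, then reject")
    else:
        if spf != ["v=spf1 -all"]:
            findings.append(f"{domain}: non-sending domain should publish exactly 'v=spf1 -all'")
        if policy != "reject":
            findings.append(f"{domain}: non-sending domain should publish DMARC p=reject")
    return findings


def find_dangling_cnames(hosts: list[str]) -> list[str]:
    """Flag CNAMEs aimed at a takeover-prone provider host that no longer resolves."""
    findings = []
    for host in hosts:
        for target in lookup(host, "CNAME"):
            target = target.rstrip(".")
            third_party = target.endswith(TAKEOVER_PRONE)
            resolves = bool(lookup(target, "A") or lookup(target, "AAAA") or lookup(target, "CNAME"))
            if third_party and not resolves:
                findings.append(f"{host}: CNAME -> {target} does not resolve; takeover candidate")
    return findings


# Constructed inventory: domain -> whether it legitimately sends email.
INVENTORY = {"example.com": True, "example-promo.net": False, "example-legacy.org": False}
HOSTS = ["www.example.com", "docs.example.com", "blog.example.com"]


def audit() -> list[str]:
    """Run both checks over the inventory and return every finding."""
    findings = []
    for domain, sends in INVENTORY.items():
        findings += check_mail_auth(domain, sends)
    findings += find_dangling_cnames(HOSTS)
    return findings


if __name__ == "__main__":
    for f in audit():
        print("-", f)
```

Two caveats when running this for real: a CNAME target that does resolve can still be a takeover candidate if the provider answers with its generic "no such site" page, so treat the NXDOMAIN test as the first filter rather than the whole check; and a domain with two SPF records is flagged on purpose, because receivers treat that as a permanent error and the policy silently stops applying.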
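The monitoring in item 8 starts from a list of the names you would expect an impersonator to register. The generator below is an added example, not Soteria's DNSense code: it enumerates the common typosquatting transformations (omission, repetition, transposition, adjacent-key substitution, look-alike characters, hyphenation and top-level domain swaps) for a seed name, so that a feed of new registrations can be intersected with the result. The seed name, the registration list and the partial keyboard map are placeholders; a production version would use a full keyboard layout, a larger homoglyph table and every TLD your brand appears in.

```python
"""Generate look-alike domains to watch for in registration feeds.

Added example, not DNSense code. The maps below are deliberately small
placeholders; extend them for real use.
"""
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "e": "3", "a": "4"}
KEYBOARD = {"a": "qwsz", "e": "wrsd", "o": "iklp", "s": "awedxz", "t": "ryfg"}  # partial QWERTY
TLDS = ["com", "net", "org", "co", "io"]


def lookalikes(domain: str) -> set[str]:
    """Return the set of typosquat candidates for one registrable domain."""
    name, _, tld = domain.lower().rpartition(".")
    out = set()
    n = len(name)
    for i in range(n):
        out.add(name[:i] + name[i + 1:])                          # omission
        out.add(name[:i] + name[i] + name[i:])                    # repetition
        if i < n - 1:
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
            out.add(name[:i + 1] + "-" + name[i + 1:])            # hyphenation
        for sub in KEYBOARD.get(name[i], ""):
            out.add(name[:i] + sub + name[i + 1:])                # adjacent key
        if name[i] in HOMOGLYPHS:
            out.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])  # look-alike character
    out.discard(name)
    candidates = {f"{c}.{tld}" for c in out}
    candidates |= {f"{name}.{t}" for t in TLDS if t != tld}        # TLD swap
    return candidates


def match_registrations(domain: str, new_registrations: list[str]) -> list[str]:
    """Return the newly registered names that collide with the watch list."""
    return sorted(set(r.lower() for r in new_registrations) & lookalikes(domain))


if __name__ == "__main__":
    # Constructed feed of "new registrations" to demonstrate the match.
    feed = ["exmaple.com", "examp1e.com", "unrelated.org", "example.net"]
    print(match_registrations("example.com", feed))
```

The candidate list is the cheap half of monitoring; the expensive half is the feed itself (zone files, certificate transparency logs, passive DNS) and the triage of each hit, which is the work a service like DNSense takes on.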
With the prevalence of social engineering attacks causing real harm to organizations, protecting your brand through a secure domain name protection strategy can go a long way towards that sought-after peace of mind.