Ever been asked what your credit score is? Chances are, you don’t know it off-hand, and in most cases it won’t really affect your day-to-day dealings and transactions. While arguably similar in concept, a domain’s reputation, or “credit score” if you will, can absolutely affect your or your business’s day-to-day dealings. Here is a brief overview of how.
First of all, what exactly is a “domain reputation”? Similar to your own credit score, each domain name has a risk score associated with it; naturally, the higher the risk score, the further away you should steer from the domain. Determining a domain’s reputation is the process that produces that score. The concept, in essence, is to give dedicated trained staff or an automated platform what they need to make informed decisions as to whether to allow, conditionally allow or outright deny communications with outside domains, IP addresses and URLs. The score is based on numerous risk factors, such as evidence that the domain hosts malware, phishing pages, data scrapers or botnet infrastructure.
A domain’s “credit score” is determined partly by its connections to known bad domains: a shared registrant email, shared IP addresses, or shared DNS entries such as nameservers. If any of these is used by a concentration of flagged domains, the domain in question is said to reside in a risky “neighborhood,” which raises its risk score. One caveat a practitioner will want: an attribute shared by a very large number of domains, such as a major hosting provider’s nameserver or a CDN address, says little about any one tenant and should be discounted. The score is also determined from information about the domain itself, such as whether it is itself known for distributing malware, phishing users and all that undesirable stuff. As one might imagine, this becomes challenging when a domain is freshly registered and has no history to score.
It should be pretty clear to most Internet users by now that waiting for threats to occur is not a viable security option. If this is news to you, perhaps a pivot from online activity to a career in knitting is in order. In today’s age of online subterfuge, where data worth millions (even billions) of dollars is sneaking out to unknown domains through sophisticated attacks, companies need tighter controls and automated systems for checking their incoming and outgoing Internet traffic more than ever.
The problem is, ill-intentioned domains go to great lengths to mask their true purpose and appear legitimate. Weeding the bad domains out from the good is a daunting task, and one that, done incorrectly, can have serious consequences for your own domain, company, finances and reputation.
On top of all that, most domain or IP reputation feeds rely on observing previously reported dangerous behavior, meaning that someone gets stung before the domain or IP is flagged as malicious. This is especially true when a domain is newly registered and its malicious content is put in place only moments before it is used, before any crawler has had a chance to inspect it.
This typically creates a marked time lag between when the harmful domain is in operation doing its nasty stuff and when it is finally identified and blacklisted, leaving a wide-open window for foul misdoings, not to mention new attack methods from new or previously unseen “sleeper” domains. Additionally, every company or vendor tends to use its own data format and labels. A consistent vocabulary is therefore rare, and the same threat type can look significantly different from one feed to the next.
The Good News
Cyber criminals tend to stick to the “if-it-ain’t-broke-don’t-fix-it” credo. This means there are recognizable patterns that can be identified.
Also, dangerous domains are usually controlled by organizations that control multiple domains; “one-offs” are fortunately few and far between. Therefore, if one domain is identified as malicious, the other domains controlled by the same organization garner an elevated risk profile by proxy. This allows an umbrella-like approach to funneling all the bad tuna into one net: block these domains in DNS or at your firewall, and search your logs to see whether any of the associated bad domains have communicated with your network in any way, shape or form.
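The “neighborhood” scoring described earlier (shared registrant email, IP addresses and DNS entries) and the pivot-and-search step in the paragraph above, as one added example. This is not ZeroGuard’s code and is not part of the original article; the WHOIS/DNS records, the attribute weights, the “crowd” cutoff and the resolver log lines are all constructed assumptions and refer to no real infrastructure.

```python
"""Added example, not ZeroGuard's code: score a domain by the infrastructure
"neighborhood" it shares with known-bad domains, pivot from one flagged domain
to its siblings, and search DNS query logs for contact with any of them.
Every registrant email, IP, nameserver, domain and log line here is constructed.
"""
from collections import defaultdict

# Constructed WHOIS/DNS records: registrant email, A records, nameservers.
RECORDS = {
    "shop-deals.example":   {"email": "reg1@mail.example", "ips": {"198.51.100.10"}, "ns": {"ns1.host.example"}},
    "secure-login.example": {"email": "reg1@mail.example", "ips": {"198.51.100.11"}, "ns": {"ns1.host.example"}},
    "update-now.example":   {"email": "reg2@mail.example", "ips": {"198.51.100.10"}, "ns": {"ns1.host.example"}},
    "blog-host.example":    {"email": "reg5@mail.example", "ips": {"198.51.100.11"}, "ns": {"ns1.host.example"}},
    "newsletter.example":   {"email": "reg3@mail.example", "ips": {"203.0.113.5"},   "ns": {"ns.legit.example"}},
    "corp-site.example":    {"email": "reg4@mail.example", "ips": {"203.0.113.6"},   "ns": {"ns.legit.example"}},
}
FLAGGED = {"shop-deals.example", "update-now.example"}  # confirmed malicious (constructed)

# Assumed evidence weight per kind of shared attribute.
WEIGHTS = {"email": 1.0, "ip": 0.8, "ns": 0.4}
# An attribute shared by more domains than this is a "crowd" (a big hosting
# provider's nameserver, a CDN IP) and says nothing about any one tenant.
MAX_SHARED = 3


def build_index(records):
    """Invert the records: (attribute kind, value) -> set of domains using it."""
    index = defaultdict(set)
    for domain, rec in records.items():
        index[("email", rec["email"])].add(domain)
        for ip in rec["ips"]:
            index[("ip", ip)].add(domain)
        for ns in rec["ns"]:
            index[("ns", ns)].add(domain)
    return index


INDEX = build_index(RECORDS)


def links(domain, records=RECORDS, index=INDEX, max_shared=MAX_SHARED):
    """Neighbors of `domain` with the strongest attribute each shares with it."""
    rec = records[domain]
    keys = [("email", rec["email"])]
    keys += [("ip", ip) for ip in rec["ips"]] + [("ns", ns) for ns in rec["ns"]]
    strength = {}
    for kind, value in keys:
        sharers = index[(kind, value)]
        if len(sharers) > max_shared:  # crowd attribute: not evidence, skip it
            continue
        for other in sharers - {domain}:
            strength[other] = max(strength.get(other, 0.0), WEIGHTS[kind])
    return strength


def neighborhood_score(domain, flagged=FLAGGED):
    """Weighted share of the domain's neighbors that are already flagged (0.0..1.0).
    A domain that is itself flagged scores 1.0; one with no neighbors scores 0.0."""
    if domain in flagged:
        return 1.0
    strength = links(domain)
    total = sum(strength.values())
    if total == 0.0:
        return 0.0
    return sum(w for d, w in strength.items() if d in flagged) / total


def pivot(seed, depth=1):
    """Domains reachable from one flagged domain through shared infrastructure,
    following links up to `depth` hops (depth 1 = direct siblings only)."""
    seen, frontier = {seed}, {seed}
    for _ in range(depth):
        frontier = {n for d in frontier for n in links(d)} - seen
        seen |= frontier
    return seen - {seed}


def matches(qname, blocklist):
    """True if the queried name is a blocked domain or a subdomain of one."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_hits(log_lines, blocklist):
    """Scan 'timestamp client query <name> <type>' lines for blocked names."""
    hits = []
    for line in log_lines:
        ts, client, _, qname, _ = line.split()
        if matches(qname, blocklist):
            hits.append((ts, client, qname))
    return hits


# Constructed DNS resolver log lines.
DNS_LOG = [
    "2024-05-02T10:15:01Z 10.0.0.12 query newsletter.example A",
    "2024-05-02T10:15:07Z 10.0.0.12 query cdn.secure-login.example A",
    "2024-05-02T10:16:30Z 10.0.0.40 query corp-site.example AAAA",
    "2024-05-02T10:17:02Z 10.0.0.40 query update-now.example A",
]

if __name__ == "__main__":
    blocklist = FLAGGED | pivot("shop-deals.example")
    for d in RECORDS:
        print(f"{d:24} score={neighborhood_score(d):.2f}")
    print("blocklist:", sorted(blocklist))
    for hit in find_hits(DNS_LOG, blocklist):
        print("contact:", *hit)
```

With these constructed records, `ns1.host.example` is shared by four domains, so the crowd cutoff drops it as evidence: `blog-host.example`, which shares only that nameserver and one address with the cluster, scores 0.0 rather than being swept up, while `secure-login.example` (same registrant email as a flagged domain) scores well above zero and is added to the blocklist by the pivot. The log search then matches subdomains of blocked names as well as the names themselves.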
There are solutions on the market that perform these specific tasks and help protect you from high-risk domain intrusions. Some solutions, like ZeroGuard’s Domain Reputation feature, conveniently included on our customizable all-in-one platform, also provide a DNS Domain Reputation Report Card (as part of our unified DNS intelligence module) which gives a nice and tidy summation of all activities as well as risk factors and recommendations, depending on the risk type that the domain is presenting.
What To Look For
If performing domain reputation look-ups is an option you are considering for yourself or your business (and by now hopefully this article has convinced you that this is a good move), what exactly do you look for in a program that performs this? Generally, a domain reputation look-up framework is comprised of three parts: feeds, data storage, and real-time response. Feeds collect data in many formats from numerous sources. The data, in turn, is stored and categorized by the actual threat it poses and also the context in which it was used.
Simply put, a tool or platform dedicated to analyzing domain reputation will attempt to predict both the risk level and the likely threats from a domain by analyzing properties that exist from the moment it is registered (its registrant, hosting and DNS records, and how new it is). The tool will then store this data and make it accessible for defensive postures and long-term analysis. From there, the domain reputation program makes informed, automatic decisions in real time.
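The feeds / storage / real-time response split just described, together with the mixed vendor formats and vocabulary problem noted earlier, as one added example. This is not ZeroGuard’s code and is not part of the original article; the three feed formats, the vendor labels and the unified vocabulary, the confidence values, the “young domain” threshold and the policy cut-offs are all assumptions, and every feed entry is constructed.

```python
"""Added example, not ZeroGuard's code: the three parts of a domain reputation
look-up framework (feeds, data storage, real-time response) in miniature.
Feed formats, vendor labels, the unified vocabulary, confidence values and the
policy thresholds are assumptions; every feed entry is constructed.
"""
import csv
import io
import json
from datetime import date

# Three constructed feeds, each in a different vendor's format and vocabulary.
FEED_CSV = """indicator,category,first_seen
shop-deals.example,MALWARE_C2,2024-04-20
secure-login.example,PHISH,2024-04-28
"""
FEED_JSON = json.dumps([
    {"domain": "update-now.example", "threat": "malware-dropper", "confidence": 90},
    {"domain": "secure-login.example", "threat": "credential-phishing", "confidence": 70},
])
FEED_TXT = """# plain blocklist, one domain per line, no categories
scrape-bot.example
"""

# Consistent vocabulary: each vendor's label mapped onto our own threat types.
VOCAB = {
    "MALWARE_C2": "malware", "malware-dropper": "malware",
    "PHISH": "phishing", "credential-phishing": "phishing",
}


def parse_csv_feed(text, source):
    """Feed 1: CSV with a category column; assume a fixed confidence for this vendor."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"indicator": row["indicator"].lower(), "threat": VOCAB.get(row["category"], "unknown"),
               "confidence": 80, "source": source, "context": {"first_seen": row["first_seen"]}}


def parse_json_feed(text, source):
    """Feed 2: JSON objects that carry their own confidence score."""
    for obj in json.loads(text):
        yield {"indicator": obj["domain"].lower(), "threat": VOCAB.get(obj["threat"], "unknown"),
               "confidence": obj["confidence"], "source": source, "context": {}}


def parse_txt_feed(text, source):
    """Feed 3: bare blocklist with no threat type, so it gets a low default confidence."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield {"indicator": line.lower(), "threat": "unknown", "confidence": 50,
                   "source": source, "context": {}}


class ReputationStore:
    """Storage: one merged record per indicator, keyed by domain name."""

    def __init__(self):
        self.records = {}

    def ingest(self, entries):
        for e in entries:
            rec = self.records.setdefault(
                e["indicator"], {"threats": set(), "sources": set(), "confidence": 0, "context": {}})
            rec["threats"].add(e["threat"])
            rec["sources"].add(e["source"])
            rec["confidence"] = max(rec["confidence"], e["confidence"])
            rec["context"].update(e["context"])

    def lookup(self, domain):
        """Match the domain itself or the nearest parent domain that has a record."""
        labels = domain.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            rec = self.records.get(".".join(labels[i:]))
            if rec is not None:
                return rec
        return None


def build_store():
    store = ReputationStore()
    store.ingest(parse_csv_feed(FEED_CSV, "vendor-csv"))
    store.ingest(parse_json_feed(FEED_JSON, "vendor-json"))
    store.ingest(parse_txt_feed(FEED_TXT, "vendor-txt"))
    return store


def decide(store, domain, created=None, today="2024-05-02", young_days=30):
    """Real-time response: ('allow' | 'conditional' | 'deny', reason).
    `created` is the WHOIS creation date (ISO string), a property that exists the
    moment a domain is registered; a domain younger than `young_days` is made
    conditional even with no feed hits, because feeds lag behind fresh registrations."""
    rec = store.lookup(domain)
    if rec is not None:
        threats = ",".join(sorted(rec["threats"]))
        if rec["confidence"] >= 70 or len(rec["sources"]) > 1:
            return "deny", f"{threats} (confidence {rec['confidence']}, {len(rec['sources'])} sources)"
        return "conditional", f"{threats} (low confidence, single source)"
    if created is not None:
        age = (date.fromisoformat(today) - date.fromisoformat(created)).days
        if age < young_days:
            return "conditional", f"registered {age} days ago"
    return "allow", "no feed hits"


if __name__ == "__main__":
    store = build_store()
    for d, c in [("shop-deals.example", None), ("www.secure-login.example", None),
                 ("scrape-bot.example", None), ("newsite.example", "2024-04-25"),
                 ("corp-site.example", "2019-01-01")]:
        print(d, *decide(store, d, created=c))
```

The point of the `VOCAB` table is the “consistent vocabulary” the article says is rare: three vendors call the same thing `PHISH`, `credential-phishing` or nothing at all, and the store only ever sees `phishing`. The registration-age check is the one property that exists before any feed has caught up, which is why a brand-new domain with no hits is returned as conditional rather than allowed outright.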
While it is increasingly difficult to protect yourself from nefarious intrusions across the Internet multiverse, taking proactive steps such as domain reputation searches can go a long way towards shoring up your defenses and evening out the playing field. Letting reputable third-party professionals like ZeroGuard handle these tasks for you is often the best option.