When the European Union introduced General Data Protection Regulation (GDPR) guidance several years ago to address privacy concerns, it became the genesis of a worldwide movement that led to an increased focus on privacy issues. Similarly, the EU recently released guidance on a security issue that still doesn't get the focus that it should — DNS abuse.
The Domain Name System (DNS) is a hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the Internet or other Internet Protocol (IP) networks. Specifically, DNS abuse is any activity that makes use of domain names or the DNS protocol to carry out harmful or illegal activity. Malicious activities on the DNS have been a frequent and serious issue for years, affecting online security, undermining trust on the Internet, and causing harm to users and third parties. This type of abuse also includes cybersecurity threats and the distribution of illegal and harmful materials.
While many organizations are aware of traditional approaches to cybersecurity, the one area that consistently gets ignored is maintaining and protecting Web domains. Inaction leads to issues such as DNS hijacking, which redirects employees, partners, and customers to sites that put them at risk or steal sensitive data. When legitimate domains are compromised, cybercriminals bypass traditional security, making it more difficult to identify, mitigate, and block such users. Fraudsters also use malicious domains (e.g., homoglyphs or confusingly similarly named domains or subdomains) and email spoofing to commit fraud and intellectual property abuse.
To date, there is no global consensus on what should be done to prevent or fight DNS abuse, and there are no policies in place to hold domain registrars to higher validation standards in terms of ownership. Upholding and preserving a reliable, resilient, and secure DNS is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend.
To address this, the European Commission recently conducted a study and issued this report, which assessed the scope, impact, and magnitude of DNS abuse, and also provided input for possible policy measures based on identified gaps. Analysis was completed of the available data and the report proposed a set of recommendations to prevent, detect, and mitigate DNS abuse.
DNS Report Takeaways
While this report is compelling and provides guidance to follow, there are key components of it that enterprises should home in on when looking to improve the domain security posture of their organization. Specifically, the report recommends the following:
- Selecting providers with more validation standards for domain registrations.
We need to hold domain registrars to higher standards. They need to take a customer validation approach that verifies who the customer is to ensure abuse isn't happening. This "know your customer" strategy is used in enterprises today to mitigate fraud, and in this instance, it can bring a level of compliance to a situation where cybercriminals are currently registering any new domain whenever they want to.
- Initiate prevention and remediation solutions.
Free hosting and subdomains, services that were originally intended for legitimate services, are commonly exploited in phishing attacks. Companies should activate proactive detection of suspicious domain names containing targeted brand keywords. Additionally, they should monitor the domain and DNS space for brand abuse, infringement, and fraud. Trusted notifier programs should be developed so that enterprises can enforce their rights through reporting and suspending offending domains.
- Increase adoption of security controls.
Domain name system security extensions (DNSSEC) can authenticate communication between DNS servers. However, low adoption and lack of deployment can lead to hackers taking control of an Internet browsing session and redirecting users to deceptive websites. SPF and DMARC protocols should continually be adopted as the first line of defense against business email compromise (BEC) as those protocols can mitigate email spoofing. Just as crucial to security is to enable registry locks. While this area wasn't discussed in the European Commission report, it's a great way to prevent attacks, as it enables end-to-end domain name transaction security to mitigate human error and third-party risk. Most large registries in Europe, such as those in Germany, France, and Sweden, have adopted this security measure, but it's not consistent, with notable exceptions such as Italy and Spain. Unlocked domains are vulnerable to social engineering tactics, which can lead to unauthorized DNS changes and domain name hijacking.
- Better standards in top-level domains (TLDs).
A TLD is the final component of a domain name (.org, .icu). The generic TLDs (gTLDs) are the most abused domains by volume. However, some new gTLDs and country code TLDs (ccTLDs) have a higher concentration of fraud. You can get a TLD for less than a dollar these days, and phishers love this easy accessibility. There needs to be further consideration of tools and measures that safeguard intellectual property rights and consumer safety in a cost-effective and scalable way. One example is blocking programs — leveraged by the Donuts DPML program — which could reduce DNS abuse. Donuts, a part of the gTLD program, offers a blocking service for trademark holders known as the Domain Protected Marks List, or DPML.
Building Domain Standards
While the EU report provides great insights into how to better mitigate threats to domains, it should serve as a foundational piece upon which companies and countries around the world can build.
As domain standards evolve, it will be important for government and industry to develop effective policies and programs to ensure that Web users aren't at risk of crime and fraud during their daily lives. Simultaneously, limiting hackers' ability to operate and maliciously commit fraud will be vital to our society and digital economy.