Protect online brand: Farsight Security Brand Sentry

The Security Challenge

Criminals Manipulate Trusted Brand Names

Organizations allocate substantial resources to draw partners, customers and employees to product information, services and commerce on their websites. Customers quickly navigate to these websites within secure domains to find everything they need in one central location.

However, despite the best safeguards, an organization’s domain can suddenly become insecure. A stealthy type of cyber crime called brand typo squatting is attacking organizations, infiltrating them through the fraudulent manipulation of Domain Name System (DNS) naming conventions.

Brand typo squatting creates a niche in an otherwise secure domain to launch one of the following attacks:

Brand Infringement

Unauthorized use of a trademark


Assuming the online identity of another entity to acquire that organization’s brand equity.

Brand Dilution

Malicious use of a brand, diminishing its perceived quality.

Brand Typo Camping

Registration of a “typo domain” that is lexically similar to a brand with the intention of launching one of the three attacks listed above.

The Farsight Solution

Brand Sentry

Actionable Intelligence to Stop Brand Erosion

Brand Sentry enables an organization to monitor its brands in real time for unauthorized or uncharacteristic usage. This actionable intelligence empowers an organization to quickly identify illegal, infringing or threatening incidents against its brands in order to stop and prevent future breaches. The Brand Sentry solution monitors the global Internet and triggers an alert when an organization’s brands or lookalikes are first detected in the DNS.

Many of these newly-created and fully qualified domain names (FQDNs) are used in phishing attacks against users, customers, and partners. They are also used for brand counterfeiting, brand abuse, identity theft, and intellectual property abuse.

Subscribing to Brand Sentry dramatically reduces brand vulnerability by providing:

  • Early detection of lexically similar FQDNs that are close (or exact) matches to a brand name. These FQDNs, rapidly used after creation, often indicate criminal intent.
  • Notification either through JSON blobs or binary NMSGs any time a new domain is observed that seems suspiciously similar to an organization’s brand.
  • Advance warning that enables a security team to integrate data into Splunk/SIEM solutions to analyze phishing attacks against partners, customers and employees, as well as brand counterfeiting.

How Does It Work?

Brand Sentry begins with subscribers defining brands as text strings (and optionally specifying known good hosts or subdomains to be whitelisted). Next, subscribers specify one or more "match engine modules" -- each offering a different class of matching (literal, homoglyph, or phonetic) and a different type of matching (substring, regular expression, etc.). Finally, the brands and match engine modules are loaded into the Match Engine.

Brand Sentry then monitors Farsight Security's Newly Observed Hostnames feed and compares each new FQDN (known as a candidate) against each brand. If one or more of the match engine modules returns a match, the candidate is considered anomalous and an alert, with data surrounding the specific event, is returned to the organization in real time. The organization uses this information to alert and take action against the threat.
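The matching flow described above can be sketched as follows. This is an added example, not Farsight's code: it implements only two module classes (literal and homoglyph, both substring type), and the module names, alert fields, homoglyph table and feed entries are constructed assumptions.

```python
# Added illustration: module names, alert fields and the homoglyph table are assumptions.
import json

HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def fold(text):
    """Lower-case and collapse look-alikes, so 'examp1e' and 'exarnple' become 'example'."""
    text = text.lower()
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text

def literal_substring(brand, fqdn):
    return brand in fqdn

def homoglyph_substring(brand, fqdn):
    # Fold both sides so a brand that itself contains "rn" or a digit still matches.
    return fold(brand) in fold(fqdn)

class MatchEngine:
    def __init__(self, brands, modules, whitelist=()):
        self.brands = [b.lower() for b in brands]
        self.modules = modules  # {module name: callable(brand, fqdn) -> bool}
        self.whitelist = [w.lower().rstrip(".") for w in whitelist]

    def is_whitelisted(self, fqdn):
        # Match on a label boundary: "example.com.evil.test" must not pass.
        return any(fqdn == w or fqdn.endswith("." + w) for w in self.whitelist)

    def check(self, candidate):
        """Return one alert dict per brand that the candidate FQDN matches."""
        fqdn = candidate.lower().rstrip(".")
        if self.is_whitelisted(fqdn):
            return []
        alerts = []
        for brand in self.brands:
            hits = [name for name, match in self.modules.items() if match(brand, fqdn)]
            if hits:
                alerts.append({"candidate": fqdn, "brand": brand, "modules": hits})
        return alerts

ENGINE = MatchEngine(["example"], {"literal": literal_substring,
                                   "homoglyph": homoglyph_substring}, ["example.com"])
# Constructed feed entries standing in for newly observed hostnames.
FEED = ["www.example.com.", "login.examp1e-support.test.", "exarnple.test.",
        "example.com.evil.test.", "cdn.unrelated.test."]

if __name__ == "__main__":
    for alert in (a for name in FEED for a in ENGINE.check(name)):
        print(json.dumps(alert))
```

The whitelist check compares whole trailing labels, so a candidate that merely embeds a known good name as a prefix is still evaluated by the modules.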

The Muscle Behind Brand Sentry

Farsight observes millions of domains each day. Using the historical DNSDB database as a delta, Farsight detects that more than 100,000 of these each day are newly configured domains.

Leveraging more than 2 TB of daily real-time Passive DNS data, Farsight discovers when these domains are first used. Other discovery methods, such as TLD Zone File Access and WHOIS, can’t identify newly-configured domains until 17 hours after registration.