Newly Observed Domains: threat protection from new domains

The Security Challenge

Early Protection from Unknown Domains

New domains are created and published every day in the Domain Name System (DNS), but not all of them are created for legitimate purposes. Bad actors put new domains to work for spam, malware distribution or botnet command and control within minutes of creating them.

Security teams need real-time information about new domain usage so that they can apply rules to block access until security providers have had time to analyze the domains, avoiding threats in the meantime. Security analysts have no practical way to gather and analyze this information themselves in a timely manner, because it is spread across name servers around the world.

The Farsight Solution

Newly Observed Domains (NOD)

NOD provides organizations with real-time, actionable insight based on the newness of a domain.

This lets them protect their users until those domains are better understood by the rest of the security industry, materially changing their risk profile. NOD leverages Farsight’s real-time Passive DNS sensor array and cross-references that data with its industry-leading DNSDB® historical Passive DNS database.

Malware obstruction

Block outbound connections to newly minted and newly used domains by loading NOD Response Policy Zones on DNS servers, disrupting techniques commonly used by modern malware.

Phishing protection

Take immediate action on suspected brand phishing, brand confusion or brand dilution as soon as new names are detected. New domains are often used to trick users by hosting a lookalike site, and those domains are dangerous until they have been classified and blocked. NOD Response Policy Zones let DNS servers block them for a configurable period of time.

Spam filtering

Filter email from very young domains (e.g., less than five minutes old, less than 30 minutes old, etc.) by adding SpamAssassin rules that consume this DNSBL. Email from new lookalike domains is frequently malicious, so it is good practice to protect users from these messages.

“Farsight’s NOD protected, on average, each of my users at least once a day.”

U.S.-based university

Newly Observed Domains (NOD) provides early protection

Farsight observes millions of domains each day and detects that more than 100,000 of those are newly configured from the perspective of the historical DNSDB database. Leveraging more than 2 TB of daily real-time Passive DNS data, NOD discovers newly configured domains when they are first used. This is a stark contrast to the typical lag of 17 hours after registration with other discovery methods such as TLD Zone File Access or WHOIS.

NOD is available as a real-time stream on Security Information Exchange (SIE) Channel 212. Newly observed domains can also be queried or downloaded in DNS zone file format.

The available NOD formats are aimed at blocking malware, phishing and spam that rely on rapid domain name creation and use. They deliver a range of exclusion lists directly to the recursive name servers of your enterprise.
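The following is an added example, not Farsight’s code and not NOD’s actual record format, showing how an age-based exclusion list of the kind described above (and the 3-minute, 5-minute and 30-minute thresholds mentioned for the malware, phishing and spam use cases) is turned into a Response Policy Zone and how a resolver applies it. The feed, the allow list, the zone origin `nod-young.rpz.local.` and the domain names are all constructed for illustration; the RPZ encodings (`CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.`, `CNAME rpz-drop.`) are the standard ones.

```python
"""Age-based RPZ blocklist from a newly-observed-domain feed (added example).

The feed format below is invented for the illustration; it is not the NOD
feed. RPZ trigger names are relative to the zone origin, so the record
"login-acme-bank.test CNAME ." in zone nod-young.rpz.local. tells the
resolver to answer NXDOMAIN for login-acme-bank.test.
"""
from __future__ import annotations

# Constructed sample feed of (domain, first_seen_unix_seconds).
NOW = 1_700_000_000
SAMPLE_FEED = [
    ("login-acme-bank.test", NOW - 90),         # 1.5 minutes old
    ("cdn-update-7731.test", NOW - 20 * 60),    # 20 minutes old
    ("longstanding.test",    NOW - 3 * 86400),  # 3 days old
    ("acme-bank.test",       NOW - 60),         # young, but allow-listed
]

# Hypothetical enterprise allow list: never rewrite these even if young.
ALLOW_LIST = {"acme-bank.test"}

# Standard RPZ CNAME targets and the policy action each one encodes.
RPZ_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
}


def build_rpz_zone(feed, now, max_age_seconds, origin="nod-young.rpz.local."):
    """Return zone-file text blocking every feed domain younger than max_age."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 60",
        f"@ SOA localhost. hostmaster.localhost. {now} 3600 600 86400 60",
        "@ NS localhost.",
    ]
    for domain, first_seen in feed:
        age = now - first_seen
        if domain in ALLOW_LIST:
            # Explicit passthru beats any block rule for this name and below.
            lines.append(f"{domain} CNAME rpz-passthru.")
            lines.append(f"*.{domain} CNAME rpz-passthru.")
        elif 0 <= age < max_age_seconds:
            # NXDOMAIN for the domain itself and for all of its subdomains.
            lines.append(f"{domain} CNAME .")
            lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines) + "\n"


def parse_rpz_zone(zone_text):
    """Map each RPZ trigger name (lower-cased) to its policy action."""
    policy = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$") or line.startswith("@"):
            continue                                  # directives, SOA, NS
        owner, rtype, target = line.split()[:3]
        if rtype.upper() != "CNAME":
            continue
        action = RPZ_ACTIONS.get(target.lower())
        if action is None:
            raise ValueError(f"unsupported RPZ target {target!r} for {owner}")
        policy[owner.lower()] = action
    return policy


def lookup_policy(policy, qname):
    """Apply QNAME-trigger matching: exact name first, then closest wildcard.

    Returns the action string, or None when no rule applies (normal answer).
    """
    name = qname.lower().rstrip(".")
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):               # *.b.c before *.c
        candidate = "*." + ".".join(labels[i:])
        if candidate in policy:
            return policy[candidate]
    return None


if __name__ == "__main__":
    zone = build_rpz_zone(SAMPLE_FEED, NOW, max_age_seconds=5 * 60)
    print(zone)
    rules = parse_rpz_zone(zone)
    for q in ("login-acme-bank.test", "www.login-acme-bank.test",
              "cdn-update-7731.test", "acme-bank.test"):
        print(f"{q:32s} -> {lookup_policy(rules, q)}")
```

Raising `max_age_seconds` from 300 to 1800 pulls the 20-minute-old domain into the block set, which is the knob the text describes (3, 5 or 30 minutes depending on how aggressive the site wants to be). Real resolvers apply further RPZ precedence rules (multiple zones, IP and NSDNAME triggers); this example covers only QNAME triggers.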

This provides network security managers with the ability to block connections to domain names based on their age such as from domains less than 3 minutes old,

NOD for threat intelligence teams

Did you know?

Attackers are opportunistic and will remain active as long as they can operate undetected. According to a January 2016 Ponemon Institute survey, 37 percent of attackers give up if they cannot extract value after a delay of 10 hours.