The Risks and Dangers of New Domains
by Alex Applegate on Dec 21, 2023 4:06:59 PM
Clearly, no domain-based scam or malicious activity can happen on a domain until it has been registered. Thousands of new domains are registered every day. In terms of DNS risk mitigation, monitoring new domains is a critical tool to have in the arsenal. It is an early indicator of some of the most significant threats, it carries low cost and low risk, and it can provide improved clarity in the evaluation of other indicators.
A New Domain Emerges
The first question you need to answer is what qualifies as a new domain, and there is certainly more than one answer. To get to the core of that answer, let’s take a brief look at what the question is really trying to accomplish. Ultimately, from a security perspective, the primary objective is to prevent users on your network from going to websites that are going to infect their systems with malware of some sort or expose your data to some kind of compromise.
It is estimated that nearly 90% of companies, across all industries, were targeted by a DNS-based attack in 2022. Phishing attacks are reportedly responsible for as much as 90% of initial infections. Roughly one-third of all data breaches originated from a gap in DNS coverage. If there were a service that could reliably stop that much of the threat of cyberattack, it would be a game changer. New Domain monitoring is the first step on that path, and its primary purpose is to identify that threat and terminate the kill chain before it ever hits your network.
The primary way that New Domain monitoring achieves this goal is through stopping traffic to domains that have been registered within a certain time frame. Why would that matter? Because, as we demonstrate below, many attacks can occur within minutes of the website being launched. Around a third of all phishing sites go dark within hours of being first seen. It’s nearly impossible to detect, assess, and block novel malicious activity within such a short period of time.
Cutting numbers of that magnitude out of your attack surface would not only provide a significant blanket of protection for your network; if you have an internal cyber defense function such as a SOC or a Managed Defense Service, it would also cut a tremendous number of alerts from your system and significantly reduce the storage required for your Security Information and Event Management (SIEM) platform. Reduced risk, reduced alert fatigue, reduced storage space, reduced investigation time, and reduced lost productivity all result in reduced cost and provide a significant return on investment.
Of course, that singular approach has gaps. What about the campaigns that last longer than those observation periods? In most cases those domains eventually show up on typical threat feeds, and can be dealt with normally.
The Risk of the Inverse Case
Just because 80 or more percent of phishing domains were registered in a small time window does not mean that anywhere near that percentage of newly registered domains are used in phishing attacks. Approximately one million domains are registered every month, or over 33,000 domains are registered every day. Only a very small number of those domains end up being used for malicious purposes. Doesn’t blocking all of the domains registered in the recent past result in a denial of service for all of those valid domains?
It certainly can, but there is a very small likelihood that you or one of your users will end up at one of those domains within that time window unless you already have advance knowledge of it. If that is the case, then you can safely place the domain on an Allow List and it will not cause any issues. There is, however, still a chance that you could happen across one of these domains in that window, and we see that as a risk assessment problem along the lines of encountering unsolicited links in a potential phishing attack. Unless there is a high degree of legitimate urgency and significantly high confidence that it is safe, it is probably safer to wait until the restriction is lifted, or to avoid the domain and obtain whatever was needed there somewhere else.
At DNSFilter, we have two separate approaches to best meet the needs of our customers. We place domains of this kind in one of two categories: “New Domain” or “Very New Domain”. Internal DNSFilter research found that the average delay from registration to appearing in a feed fell at just over 10 days, with a long-tail distribution reaching some even longer temporal windows. A study in 2021 found that one third of phishing and scam pages are inactive within 24 hours, half of the pages are inactive within 5 days, and 70% of pages were inactive within 30 days. Other research has found that the median time to the first click on a phishing domain had dropped as low as four minutes in 2020. Our “New Domains” category applies to any domain that has been either newly registered or transferred within the last 30 days. However, for customers with more urgent needs or greater risk tolerance, the “Very New Domains” category covers only the highest period of risk and releases a domain after it has been classified for more than 24 hours (plus potential drift for the data to be updated). The risk of visiting a site under either of those time windows should only be accepted if there is very high confidence that the domain is safe, as verified from a reliable source.
Sleeping in the Parking Lot
Eagle-eyed observers may have noticed that none of the statistics provided above cover the entire spectrum of the potential threat. It is certainly the case that the more diligent malicious actors have access to the same information outlined above, and an edge case emerges immediately that could circumvent any of the protections mentioned: they can simply register a domain and wait until nobody is watching to begin their campaign. While being registered but not addressable is not a definite, or even highly likely, indicator of maliciousness, it is a risky condition, and there are not many reasons for traffic to be directed to sites that are not active yet. Domains or websites in that state are what we call “parked” (in less technical terms, “under construction”), and it is generally a good idea to block them as well, since we never know when such a site is going to become active or whether it will begin to engage in malicious activity.
But to add a further layer of protection, we monitor a website for the first time it is referenced in our resolvers (or those of our partners), and we classify websites within the first thirty days of the first observed visit as “Newly Observed Domains.” Since this category will necessarily apply to every one of the domains we encounter, and the vast majority of our traffic is non-malicious, it would not be a good strategy to block these domains on the first visit. And while we do acknowledge that there is some degree of risk involved in allowing that first visit, cybersecurity is often a reactive discipline, and we have to see a threat before we can evaluate it. Any time we encounter a newly observed domain, however, it triggers evaluation by our AI and ML models which are trained on detecting features that tend to indicate maliciousness. The accuracy is not perfect, but we have not found one that is yet. We’ve developed a product which, through a layered approach and deliberate consideration, has a track record we stand by proudly, and are working to improve all the time.
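To make the layering described in the last two sections concrete, here is an added example (not DNSFilter's code) that evaluates a domain record against the three time-based categories the post defines (New Domain: registered or transferred within 30 days; Very New Domain: first 24 hours; Newly Observed Domain: first resolver sighting within 30 days) plus the parked state, and then derives a block/allow decision with an Allow List override. The record fields, the `strict` policy switch and the sample domains are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed example: windows taken from the post's category definitions.
NEW_DOMAIN_WINDOW = timedelta(days=30)       # "New Domains": registered/transferred within 30 days
VERY_NEW_WINDOW = timedelta(hours=24)        # "Very New Domains": the highest-risk first 24 hours
NEWLY_OBSERVED_WINDOW = timedelta(days=30)   # "Newly Observed Domains": first seen by the resolvers


@dataclass
class DomainRecord:
    """Assumed shape of what a resolver-side policy engine knows about a domain."""
    name: str
    registered: Optional[datetime] = None      # creation time from WHOIS/RDAP, None if unknown
    transferred: Optional[datetime] = None     # most recent registrar transfer, if any
    first_observed: Optional[datetime] = None  # first query for this name seen at the resolver
    parked: bool = False                       # registered but not yet serving real content


def categorize(rec: DomainRecord, now: datetime) -> set:
    """Return the set of post-defined categories that apply to rec at time `now`."""
    cats = set()
    events = [t for t in (rec.registered, rec.transferred) if t is not None]
    if events:
        age = now - max(events)  # measure from the latest registration or transfer
        if age < VERY_NEW_WINDOW:
            cats.add("very_new_domain")
        if age < NEW_DOMAIN_WINDOW:
            cats.add("new_domain")
    if rec.first_observed is not None and now - rec.first_observed < NEWLY_OBSERVED_WINDOW:
        cats.add("newly_observed_domain")
    if rec.parked:
        cats.add("parked")
    return cats


def decide(rec: DomainRecord, now: datetime, allow_list=frozenset(), strict=True) -> str:
    """Allow List wins outright. Parked domains are blocked. `strict` blocks the whole
    30-day New Domain window; the lenient policy blocks only the 24-hour Very New window.
    A domain that is merely newly observed is allowed on first visit (it triggers
    classification rather than a block, as the post explains)."""
    if rec.name in allow_list:
        return "allow"
    cats = categorize(rec, now)
    if "parked" in cats:
        return "block"
    if strict and "new_domain" in cats:
        return "block"
    if not strict and "very_new_domain" in cats:
        return "block"
    return "allow"
```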
The Road Ahead
Attackers are always looking to achieve the greatest volume of success at the lowest cost or effort. The drive toward phishing kits and Phishing-as-a-Service will produce a level of repetition that improves the accuracy and effectiveness of our AI detection models, which can be trained to detect and categorize malicious activity based on shared behaviors and attributes; this will increasingly enable zero-second detection and blocking in many cases. But no cybersecurity capability or artificial intelligence can ever get to that point without first having seen a truly novel technique, so the risk of new domains will never completely go away. Again, cybersecurity detection is reactive by its very nature. And even when a domain is detected by a threat feed, there is an assumed risk in the delay for that detection to be added to the feed, for the feed to be distributed, and then for it to be ingested. In the current threat landscape, a campaign could be launched, executed, completed and dismantled in the time it takes to perform those tasks. The only way to be sure is to block preemptively unless there is a high degree of confidence in the safety of the domain in question.