1) Rapidly changing domain names creates a cover for cybercriminals
As we have seen in last few years, inspite of having a good security system, Cybercrime has increased a lot. Many of the websites has been hacked, login details of users are stolen, confidential and personal data is misused and others. And when research is done to find reasons behind this, our researchers have found that domain names are rapidly changing on Web which results in weakens effectiveness of security controls and leads to creation of a cover for cybercriminals.
2) Weakens the effectiveness of security controls
Effectiveness of security controls is getting weaker and researchers done research on this also to know the main causes behind this. Researchers have analysed 660 million hostnames at Blue Coat, a security vendor and came to know that out of this, only 470 million hostnames existed and that also for even less than a day. Result is that only 71% of the hostnames existed.
To catch web threats, Companies who are using products of Blue Coat requested for various domain names for a period of 90 days. Most of domain names which are throwaway belonged to Yahoo, Amazon, Google i.e. legitimate businesses and to blogging platforms, Web optimization companies and webhosting services.
Domain names are frequently changing for years, but one thing which is very interesting found, by the researcher, Tim van der Horst of Blue Coat, about numbers, is scale.
Blue Coat also found that out of top 50 parent domains by whom short-lived hostnames are generated, out of 5 only 1 was malicious.
But if we compare the no. of hostnames which are generated by legitimate businesses to the amount of criminal activity, then it was found that latter is very small as compared to former one. And out of total no. of domain names which were examined on just one day, it was found that only 0.43 % largest malicious parent domains were generated.
3) Role of Domain Generation Algorithms (DGAs)
DGAs played a significant role in weaken the effectiveness of security controls. In the several families of malware, domain generation algorithms (DGAs)were used, results in the no .of the malicious hostnames. Command-and-control servers exact and real location was hided by the fake names and this task performed by DGAs very well as they create the fake names in large no. Nevertheless, if someone consider the usage of real malicious hostnames, then their small number is also significant.
4) Criminals use the sites for
Sites are used by the criminals for drive and this is done by downloads and by hosting the kits which are exploited. Malware is downloaded by the kits to the victims computers and via phishing attack lured to the location. And to prevent the interaction between command-and-control servers and compromised computers, short-term hostnames are used.
As domain names are rapidly changing, thus correlation between all the attacks and detection was avoided. And companies could not rely only on the blacklists to avoid the malicious hostnames, they required systems also meant for prevention or intrusion detection and anti-virus softwares which must be updated from time to time.
5) Granular policy control and other threat mitigation actions
Granular policy control, in order to create this, risk value on domain names must be assigned by the technology on the basis of several factors such as on the popularity of the website, links to other sites, on the same IP address number of other sites hosted and on the basis of those sites ratings. With this, there must be a transient hostnames baseline also which is either malicious or secure.
According to Blue Coat, alerts and other threat mitigation actions are caused by a potential compromise which was constituted by detecting an anomaly from that baseline.