gTLD Registry Operators Not Monitoring for Security Threats

This article is sponsored content produced by Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies.
Registry operators that want to ensure the security of the domains they offer and those already in use can quickly assess them for the presence of threats with the aid of a domain reputation checker. This is one of the various ways they may avoid being flagged for insufficient monitoring, a salient problem according to recent news.
In fact, a recent Internet Corporation for Assigned Names and Numbers (ICANN) audit revealed that roughly 5% of generic top-level domain (gTLD) registry operators do not employ security threat monitoring despite being mandated to do so. From November 2018 to June 2019, 60 of the 1,207 registry operators audited did not monitor for security threats. An additional 180 registry operators that currently do not have registered domains were also found in violation of the stipulation, although they claimed exception because they did not have dot-brands in use.
The ICANN audit also revealed 13 TLDs with incomplete analyses and security reports. These TLDs also lacked documented or standardized abuse handling measures, which could result in the absence of action against identified threats. The ICANN said these TLDs would undergo retesting in the next auditing round. The report also found that some new gTLDs showed lower abuse frequency.
Failure to monitor security threats could compromise the stability, security, and resilience of the Domain Name System (DNS), according to ICANN community members. The results of the audit were, however, also not new. For instance, during the 2013 Beijing Communique, the Governmental Advisory Committee pointed out some DNS security threats, which led the Board of Directors to make necessary additions to the Registry Agreement for Registry Operators. As such, Section 3 (b) of Specification 11 of the agreement now states:
“Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks. Registry Operator will maintain these reports for the term of the Agreement unless a shorter period is required by law or approved by ICANN, and will provide them to ICANN upon request.”
The ICANN reported that the registry operators already addressed their shortcomings, so the identified gTLDs are now compliant. To further monitor and address security threats, the organization also implemented the Domain Abuse Activity Reporting (DAAR) system to study and report domain registration and domain abuse committed by the registry operators. It also put in place the Contractual Compliance Audit Program that would focus on specifically auditing for DNS security threats.
Further investigation by the ICANN revealed that the registry operators did perform their duties and surmised that the issue could have stemmed from differences in interpreting the new provisions of the Registry Agreement. A few registry operators, for instance, believed they only needed to provide statistical data and not specifics (e.g., malicious domains and actions they took) as the ICANN expected. As such, the ICANN hopes to further discuss the additions with the registry operators so they could have a shared understanding of what Specification 11 3 (b) covers.
The current provision also did not specify the frequency of security monitoring. As a result, of the 965 compliant registry operators, only 772 carried out daily monitoring, while the rest did so at other frequencies (e.g., weekly, monthly, annually). In addition, while some of the registry operators chose to share their security efforts with regard to DNS threats, others declined to provide information.
Although the registry operators are doing their share to keep the DNS infrastructure safe, that does not mean domain owners should become complacent. Because their domains serve as their business’s front doors, they should also make sure that these always remain threat-free.
To do that, they can rely on domain monitoring tools that can help prevent threats from entering their virtual realms and affecting their customers and stakeholders. Said applications help search for domain records in bulk so as to learn more about current and prior registrants as well as connected domains sharing an IP address or group of them.
That way, should the registry operators fail to monitor for threats from their end, the domain owners’ business, customers, and stakeholders will still remain cyber secure.
About the author
Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.