See how URL Filtering and other Palo Alto Networks best practices counter the malicious use of NRDs, including phishing, malware, and scams. Don't panic! Our podcasts and more are here to help.
Newly registered domains (NRDs) are known to be favored by threat actors for launching malicious campaigns. Academic and industry research reports have provided statistical evidence that NRDs are risky, documenting malicious uses of NRDs that include phishing, malware, and scams.
[Figure: category breakdown of NRDs from January through May 2019.] Alarming? Check out the Unit 42 blog for more, but don't panic: we've got you covered.
Security best practice calls for blocking, or at least closely monitoring, NRDs in enterprise traffic. Despite the evidence, until now there had not been a comprehensive case study of the malicious uses and threats associated with NRDs built on real-world examples. Unit 42 recently published "Newly Registered Domains: Malicious Abuse by Bad Actors," which presents exactly that: a comprehensive case study and analysis of how bad actors abuse NRDs.
Unit 42 has been tracking NRDs for more than nine years. It collaborates with the Internet Corporation for Assigned Names and Numbers (ICANN) and with various domain registries and registrars, which gives it direct visibility into many NRDs registered under both generic top-level domains (gTLDs) and country-code top-level domains (ccTLDs).
Unit 42 also identifies NRDs indirectly by combining data sources, including WHOIS, zone files, and passive DNS. The proprietary Unit 42 NRD feed covers 1,530 top-level domains, which, to our knowledge, exceeds the coverage of the best NRD feed or service publicly offered on the market.
Palo Alto Networks customers are protected against the malicious indicators (domains, IPs, URLs, SHA256 hashes) mentioned in the Unit 42 blog via URL Filtering, DNS Security, WildFire, and Threat Prevention, where applicable. AutoFocus customers interested in the malware mentioned in the blog can refer to the AutoFocus tags AzoRult, Emotet, Pykspa, and Ramnit.
At Palo Alto Networks, we recommend blocking access to NRDs with URL Filtering. Some may consider this aggressive because of potential false positives (a legitimate new vendor or a rebranded partner domain will trip the rule too), but the risk from threats delivered via NRDs is much greater. At a bare minimum, if access to NRDs is allowed, alerts should be configured for additional visibility. We define an NRD as any domain that has been registered, or has changed ownership, within the last 32 days. Our own analysis indicates that these first 32 days are the optimal window for detecting NRDs as malicious.
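The two ideas above, building an NRD list indirectly from zone-file snapshots (domains that appear in today's snapshot but not yesterday's) and then applying the 32-day "registered or changed ownership" rule to DNS queries in block or alert mode, are shown together in the following script. This is an added example, not code from Palo Alto Networks or Unit 42: the zone-file format, the ownership-change table, the DNS log line format and every domain name in it are constructed for illustration, and the two-label "registrable domain" heuristic is a simplification (a real implementation would consult the public suffix list).

```python
"""Toy NRD pipeline: first-seen tracking from zone snapshots plus a 32-day block/alert policy.
Added example; all data below is constructed and the formats are simplified."""
from datetime import date

NRD_WINDOW_DAYS = 32  # the 32-day definition used in the text


def parse_zone(text):
    """Return the set of delegated domains from a simplified zone dump.
    Constructed format: one 'name. IN NS host.' line per delegation; ';' starts a comment."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) >= 4 and parts[2].upper() == "NS":
            names.add(parts[0].rstrip(".").lower())
    return names


def update_first_seen(first_seen, snapshot_domains, snapshot_date):
    """Record a first-seen date for domains not present in any earlier snapshot.
    Seed the baseline by passing snapshot_date=None: those domains existed before tracking
    started, so their registration date is unknown and they are not treated as NRDs."""
    new = {d for d in snapshot_domains if d not in first_seen}
    for d in new:
        first_seen[d] = snapshot_date
    return new


def registrable_domain(hostname):
    """Assumption: two-label registrable domains (no public suffix list handling)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def nrd_age_days(domain, first_seen, ownership_changes, today):
    """Days since the more recent of first registration and last ownership change,
    or None when neither date is known (baseline domain or domain outside the feed)."""
    dates = [d for d in (first_seen.get(domain), ownership_changes.get(domain)) if d is not None]
    if not dates:
        return None
    return (today - max(dates)).days


def policy_action(hostname, first_seen, ownership_changes, today, mode="block"):
    """Return 'block', 'alert' or 'allow' for a queried hostname under the 32-day rule.
    A negative age (registration date after 'today', e.g. clock skew) still counts as an NRD."""
    age = nrd_age_days(registrable_domain(hostname), first_seen, ownership_changes, today)
    if age is None or age > NRD_WINDOW_DAYS:
        return "allow"
    return "block" if mode == "block" else "alert"


def evaluate_dns_log(lines, first_seen, ownership_changes, today, mode="block"):
    """Apply the policy to constructed 'key=value' DNS query log lines; returns (hostname, action)."""
    results = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        host = fields.get("query")
        if host:
            results.append((host, policy_action(host, first_seen, ownership_changes, today, mode)))
    return results


# Constructed zone snapshots: day 2 adds a look-alike of an existing domain.
ZONE_DAY1 = """; constructed snapshot 2019-05-01
example-bank.com. IN NS ns1.hoster.example.
oldshop.com. IN NS ns1.hoster.example.
"""
ZONE_DAY2 = """; constructed snapshot 2019-05-02
example-bank.com. IN NS ns1.hoster.example.
oldshop.com. IN NS ns1.hoster.example.
examp1e-bank.com. IN NS ns9.cheap-dns.example.
"""
# Constructed ownership-change record (e.g. from WHOIS diffing): oldshop.com changed hands.
OWNERSHIP_CHANGES = {"oldshop.com": date(2019, 5, 20)}
# Constructed DNS query log lines.
DNS_LOG = [
    "2019-06-01T10:02:11Z client=10.0.0.5 query=login.examp1e-bank.com type=A",
    "2019-06-01T10:02:12Z client=10.0.0.5 query=www.example-bank.com type=A",
    "2019-06-01T10:03:40Z client=10.0.0.9 query=oldshop.com type=A",
]


def build_feed():
    """Seed the baseline from day 1, then learn first-seen dates from day 2 onward."""
    first_seen = {}
    update_first_seen(first_seen, parse_zone(ZONE_DAY1), None)
    update_first_seen(first_seen, parse_zone(ZONE_DAY2), date(2019, 5, 2))
    return first_seen


if __name__ == "__main__":
    feed = build_feed()
    for host, action in evaluate_dns_log(DNS_LOG, feed, OWNERSHIP_CHANGES, date(2019, 6, 1)):
        print(f"{action:5s} {host}")
```

Run as-is, the look-alike domain (30 days old) and the domain that changed owners (12 days ago) are blocked while the long-standing domain is allowed; rerun with a "today" past 2019-06-03 and the look-alike ages out of the window. In alert mode the same two queries are logged rather than dropped, which is the minimum visibility the text recommends.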