Introduction
In today’s world of digital abundance, the capacity to navigate through vast amounts of data in a meaningful way is indispensable to organisations and end-users alike. Inadequate categorisation of information makes it difficult to find relevant information, resulting in information overload and reduced efficiency.
Domain categorisation is a valiant attempt to address this issue and involves classifying internet domains under different umbrellas based on their content, audience, purpose, and other parameters. This practice significantly optimises digital experience, as it facilitates internet usage control measures, targeted ad placement for marketing objectives, web analytics, and perhaps above all, blocking malicious websites hosting malware, botnets, or other harmful content.
Traditional domain classification tools: The problem
Traditionally, domain classification tools have relied on blocking methods utilising a blacklist. While usually created with reliable data, these blacklists are insufficient for addressing more advanced forms of cyber-attacks such as domain generation algorithms (DGA) used in various malware. The Domain Name System (DNS) is another popular attack vector that adversaries exploit to lure victims into malicious domains. DNS-layer threats affect many large corporations each year, resulting in significant financial losses. And yet, they largely escape the radar of security teams given the inadequate control measures in place. What is more, newly surfaced malicious domains do not usually appear on these blacklists, and even when they do, it is often too little too late, meaning the damage has already been done. With all these factors in play, the necessity of classifying and detecting malicious domains in a timely manner becomes abundantly clear.
DNSSense’s solution
Instead of relying on static keyword- and rule-based methods, DNSSense uses a dynamic approach to domain categorisation that involves simultaneous monitoring of hundreds of security features of internet assets. This association-based approach enables Cyber X-Ray, DNSSense’s AI-powered engine, to establish meaningful relationships between various network components such as clients, domains, IP addresses, fully qualified domain names (FQDNs), SSL certificates, inlinks and outlinks, among others, to unearth malicious domains. Cyber X-Ray combs through the vast expanse of all internet domains on a daily basis, creating a comprehensive database that includes current data and information dating back up to five years.
This puts DNSSense in a unique position to offer insights into some of the most popular malicious domains that often elude detection by other brands. The following table is an illustrative example that we are proud to share:
Let’s take a closer look at the first website to see why it has been deemed malicious by DNSSense but not by others. As evident from the image below, the IP address associated with this website is blacklisted by 14 different security systems over a period of two years.
Apart from the IP address, all of the website’s subdomains appear on several blacklists, as shown in the following image:
What’s more, the website has gone through multiple non-existent (NX) and (mail exchange) MX record changes, both of which are major red flags that the domain in question has been involved in malicious network activity.
The website’s WHOIS information also lacks important indicators about its ownership, registration and expiration dates, and contact information that raise serious questions about its safety.
Fed with a continuous stream of data from nearly 400 Cyber Intelligence Centres, Cyber X-Ray is able to uncover the aforementioned telemetry pointing to suspicious activity by a domain that often goes unnoticed by other classification tools. The re-learning capacity of Cyber X-Ray, realised by its Artificial Intelligence and deep learning algorithms, ensures that newly registered domains can be detected and avoided In near real-time. The combinative power of all these factors makes DNSSense’s solutions an invaluable asset to all organisations that understand DNS security goes beyond implementing a simple blacklist!