The U.S. government released the Executive Order on Improving the Nation’s Cybersecurity in May 2021, highlighting the rationale of a zero-trust security approach. While the order only covers the government’s digital infrastructure, this initiative could also serve as a catalyst for more robust global cybersecurity.
Cybersecurity professionals already know what zero-trust security means—trusting no one without proper verification, regardless of their origin. As such, everyone and everything has to be verified.
While the zero-trust security model is not new, its implementation requires both the public and private sectors to review their current security practices.
When it comes to detecting suspicious or malicious domains, companies often teach their machine learning (ML)-powered systems to flag newly registered domains (NRDs) and domain generation algorithm (DGA)-generated domains.
However, several high-profile cyber attacks hint that this approach could be outdated or simply not enough. A look into the indicators of compromise (IoCs) related to the SolarWinds data breach is one glaring example. None of the IoCs appeared to be DGA-generated, and only three were NRDs.
The same largely held when we investigated the DarkSide IoCs and uncovered additional artifacts. The first two domains below are part of the original IoC list, while the rest are artifacts connected to the ransomware hashes. Based on WHOIS History data, most of them were already more than a year old at the estimated time of the Colonial Pipeline attack.
But NRDs still pose significant risks, as established in the 2020 Cyber Threat Intelligence Recap for COVID-19. As much as threat actors use old domains to evade detection, they also weaponize NRDs to take advantage of people’s interest in current events.
What do these findings teach us? They lead us back to the zero-trust approach—do not trust any domain.
Central to the zero-trust security approach is continuous verification of users, devices, and traffic wherever they are on your network, not only at the perimeter. Security systems can be taught to look beyond the age of a domain and include current and historical WHOIS data and Domain Name System (DNS) intelligence (registrant changes, resolution history, shared hosting) when deciding whether a domain can be trusted.
To illustrate, consider the domains tagged as IoCs in a recent Nobelium attack against several government agencies. The group is believed to be the same actors behind the SolarWinds campaign (the technical details are published here).
Using WHOIS Search, WHOIS History Search, and DNS Lookup, the domains’ age, registrant information, and IP resolutions were retrieved. These are shown in the table below.
IoCs | Domain Age | Registrant Details | Connected IPs
---|---|---|---
worldhomeoutlet[.]com | 476 days | From WHOISGuard Protected to Withheld for Privacy | 5[.]79[.]71[.]205, 5[.]79[.]71[.]225, 85[.]17[.]31[.]82, 85[.]17[.]31[.]122, 178[.]162[.]203[.]202, 178[.]162[.]203[.]211, 178[.]162[.]203[.]226, 178[.]162[.]217[.]107
theyardservice[.]com | 3,736 days | From WHOISGuard Protected to Withheld for Privacy | 5[.]79[.]71[.]225, 85[.]17[.]31[.]82, 85[.]17[.]31[.]122, 178[.]162[.]203[.]202, 178[.]162[.]203[.]211, 178[.]162[.]203[.]226, 178[.]162[.]217[.]107, 5[.]79[.]71[.]205
Fed into a security system that applies a zero-trust policy, this data would deny access to these domains and IP addresses by default: neither domain is newly registered (one is more than ten years old), yet both resolve to the same eight IP addresses and both show a registrant record that changed from WHOISGuard Protected to Withheld for Privacy. An age-only check would have let both through. Here are some key insights from the WHOIS, IP, and DNS data:
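To make the contrast concrete, here is an added example (not the post's own tooling or WhoisXML API code) that runs two policies over domain records: the age-plus-DGA filter described earlier in the post, and a default-deny policy that also consults registrant history and DNS resolutions. The two IoC rows are taken from the table above; every other domain, the entropy threshold, the 30-day NRD cutoff and the policy rules themselves are constructed assumptions for illustration.

```python
"""Added example: age-only NRD/DGA filter versus a zero-trust domain policy.

IoC rows come from the post's table; the other domains, the entropy
threshold, the 30-day NRD cutoff and the policy rules are assumptions."""
import math
from collections import Counter
from dataclasses import dataclass


def refang(indicator: str) -> str:
    """Turn the defanged report form (example[.]com) back into a real string."""
    return indicator.replace("[.]", ".")


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    age_days: int               # days since the WHOIS creation date
    registrant_history: tuple   # oldest -> newest registrant values (WHOIS History)
    resolved_ips: frozenset     # IPs from current and historical DNS lookups


def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_dga(domain: str, entropy_threshold: float = 3.8) -> bool:
    """Crude DGA heuristic (assumption): high character entropy or many digits
    in the second-level label. Dictionary-word domains pass it untouched."""
    sld = domain.split(".")[0]
    digit_ratio = sum(ch.isdigit() for ch in sld) / max(len(sld), 1)
    return shannon_entropy(sld) > entropy_threshold or digit_ratio > 0.3


def age_only_verdict(rec: DomainRecord, nrd_days: int = 30) -> str:
    """The 'flag NRDs and DGA domains' approach the post says is not enough."""
    if rec.age_days <= nrd_days:
        return "deny:nrd"
    if looks_dga(rec.domain):
        return "deny:dga"
    return "allow"


def shared_infrastructure(records) -> dict:
    """IP -> domains resolving to it, keeping only IPs shared by more than one
    domain (the DNS pivot that ties IoCs to each other)."""
    by_ip = {}
    for rec in records:
        for ip in rec.resolved_ips:
            by_ip.setdefault(ip, set()).add(rec.domain)
    return {ip: doms for ip, doms in by_ip.items() if len(doms) > 1}


def zero_trust_verdict(rec: DomainRecord, known_bad_ips: frozenset,
                       nrd_days: int = 30) -> tuple:
    """Default deny: allow only when nothing verifiable is suspicious."""
    reasons = []
    if rec.age_days <= nrd_days:
        reasons.append("newly registered")
    if looks_dga(rec.domain):
        reasons.append("DGA-like label")
    if len(set(rec.registrant_history)) > 1:
        reasons.append("registrant record changed over time")
    overlap = rec.resolved_ips & known_bad_ips
    if overlap:
        reasons.append("shares IP(s) with known IoCs: " + ", ".join(sorted(overlap)))
    if not rec.resolved_ips:
        reasons.append("no DNS resolution data to verify")
    return ("deny", reasons) if reasons else ("allow", [])


def compare_policies(records, known_bad_ips) -> dict:
    """{domain: (age-only verdict, zero-trust decision)} for every record."""
    return {r.domain: (age_only_verdict(r), zero_trust_verdict(r, known_bad_ips)[0])
            for r in records}


# Both IoC rows in the post's table resolve to the same eight addresses.
IOC_IPS = frozenset(map(refang, (
    "5[.]79[.]71[.]205", "5[.]79[.]71[.]225", "85[.]17[.]31[.]82", "85[.]17[.]31[.]122",
    "178[.]162[.]203[.]202", "178[.]162[.]203[.]211", "178[.]162[.]203[.]226",
    "178[.]162[.]217[.]107")))
PRIVACY_CHANGE = ("WHOISGuard Protected", "Withheld for Privacy")
IOC_RECORDS = (
    DomainRecord(refang("worldhomeoutlet[.]com"), 476, PRIVACY_CHANGE, IOC_IPS),
    DomainRecord(refang("theyardservice[.]com"), 3736, PRIVACY_CHANGE, IOC_IPS),
)
KNOWN_BAD_IPS = frozenset().union(*(r.resolved_ips for r in IOC_RECORDS))

# Constructed domains (not from the post) that exercise the two policies.
CONSTRUCTED = (
    DomainRecord("kqzvxwjpmrytbgfh.net", 5, ("Withheld for Privacy",),
                 frozenset({"198.51.100.7"})),             # young and random: both deny
    DomainRecord("gardentools.com", 900, ("Example Registrant",),
                 frozenset({"5.79.71.205"})),              # old and wordy, on IoC infra
    DomainRecord("example-shop.com", 2400, ("Example Corp",),
                 frozenset({"203.0.113.10"})),             # nothing suspicious
)

if __name__ == "__main__":
    for ip, doms in sorted(shared_infrastructure(IOC_RECORDS).items()):
        print(f"{ip:16} shared by {sorted(doms)}")
    for dom, (old, new) in compare_policies(IOC_RECORDS + CONSTRUCTED, KNOWN_BAD_IPS).items():
        print(f"{dom:22} age-only={old:9} zero-trust={new}")
```

Running it shows the gap the post describes: the age-only policy allows both IoC domains and the constructed `gardentools.com`, because none are new or random-looking, while the default-deny policy refuses all three (registrant churn, shared hosting with known IoCs) and allows only the constructed domain with a stable registrant and unrelated hosting.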
The zero-trust security model has other components not discussed in this post. However, the core idea is that this initiative requires scrutinizing all data related to a user, domain, or IP address requesting access to specific information.
Are you interested in the domain footprint of the DarkSide, SolarWinds, and Nobelium attacks? Contact us to get access to our cyber threat intelligence.