RECORDED WEBINAR:
Evolving Threats, Evolving Strategies: Mastering Brand and Domain Security
Our panel of cybersecurity experts address the crucial role of brand and domain security with emerging cybersecurity strategies. Cybersecurity professionals, brand managers, and organization leaders alike will leave the webinar with an understanding of how to identify existing gaps in their security infrastructure and implement effective measures to protect their digital brand and identity.
Key points we'll cover:
Understanding brand protection and domain security
Navigating current cyber threat landscape
How to identify gaps within your organization
Comprehensive security strategies
Creating a culture of cyber awareness
WEBINAR TRANSCRIPT
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching us on our YouTube channel, there's a link to the website in the description of this video. Thank you.
Christy: Hello, everyone, and welcome to today's webinar, "Evolving Threats, Evolving Strategies: Mastering Brand and Domain Security." My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today are Walt Fry, Elliott Champion, and Mark Flegg. Walt is the Global Domain Product Manager at CSC responsible for developing the products and platforms that protect and optimize the domain portfolio of the world's largest companies. Elliott is the Global Product Director for Brand Protection at CSC in our DBS headquarters, where he is responsible for our industry-leading proprietary technology and product strategy. Mark is the CSC Global Director of Security Services and is responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their assets. And with that, let's welcome Walt, Mark, and Elliott.
Walt: Thank you, Christy, and thank you, everyone, for joining us today. Quick word on the agenda, we're going to start by looking at domain security risks and including the roles that individuals play within the organizations of managing those domain and brand security risks. We're going to talk about how security has evolved in these organizations and in the outside world. Since we've started in the business, it has certainly changed a lot. With technology, the threats are also going to change. We're going to talk about that attack surface. So what are the threats that are currently out there and how do we mitigate them? And then as things are found in both domain and brand security, what do you do to mitigate them? How do you apply those findings to ensure that security is in place?
So like many things with domain and brand security and all cybersecurity, it starts with the people. And specifically, we want to talk about the roles that individuals play within organizations and your organization to ensure that security is in place. So with different sizes of organizations, different focuses within those organizations, the understanding has shifted over the years. And Mark, I certainly know that we have seen a shift in where domain security is owned within both small and large organizations.
Mark: Yeah, we definitely have. Well, I mean, if you go back to the advent of domains, when business made the decision, hey, we want to be on this worldwide web, it was kind of viewed as a technical thing being online, whatever that means. So it was thrown to the IT department to sort out. Make sure we've got a website, people can see who we are, etc. And over time, when cybercriminals started registering domain names containing brands, legal got involved and they said, "Hang on a second. That's infringing on our trademark. We're duty bound to defend it. That's our job. So we need ownership of this as well."
And, of course, marketing threw their hat in the ring. They said, "Wow, this is a really low-cost option to get our global brand awareness out there. If I wanted to start a U.S. company, starting one in Germany, I don't need to hire somebody. I don't need to print collateral in that language, perhaps open an office. I'll just go register a .de. That's way cheaper and more cost effective."
So we saw those three disciplines, IT, legal, and marketing get involved in domain management, if you like, to start out with. And today, you can almost tell the maturity of a company for its online space by what's happening and who owns it. What we're seeing now a lot of is companies are maturing, and it's a multi-stakeholder discipline, if you like. So it's representative from IT, legal, and marketing, but it's not at the lower level, kind of administration level. This is coming up like a helix in the organization to the C-level because of the reliance on being online now. For a lot of companies, it can be e-commerce, which generates revenue. We talk about email, websites, everything else in between that are dependent on DNS, for example. So it's really getting a more prominent position within an organization.
Walt: And Elliott, how have we seen the brand and fraud ownership emerge?
Elliott: Yeah, and it's a similar story. So again, what Mark was just saying there, how we've seen over time these different groups evolve. It's very interesting. In the past, you would still see various different teams who would like to, certainly earlier on in my career, print things off, look at things in person. They would like written reports. And now you've seen that adoption of the full digital space in their whole work environment and the fact that they understand how important these connections with their customers are in the digital world. Now post-2020 to 2022, I think we all understood how important the online environment is.
But I think to your point about adoption, I think now we've seen these various different departments work together. What we now see is often a digital governance team or sometimes called a digital governance committee. And that's where these various different teams will come together and understand the type of data that they want. What's interesting is that they all see it from different perspectives. So we've seen various different types of marketing teams will be looking at things like traffic, as Mark was saying before. Then you've got legal teams that are looking for the various different types of brand abuse cases that we've seen. And security teams are now part of that team, and actually they're a much more prominent voice within those teams to look at things that are going on.
That in itself has moved the other groups into a more security direction. So yeah, it's been very interesting over the last few years to see these teams develop and also the types of metrics, the data, and the types of KPIs that they're looking at for their own organization.
Walt: And it is really important that they combine all of those perspectives because the risks are ever-changing and becoming more varied. So looking at this, what are those types of risks that the cybersecurity experts are most concerned with these days?
Mark: I think if I start with that one, Elliott. For me, the recent phenomenon we've seen is things around subdomain hijacking. We're seeing a lot of companies where they simply don't have good zone cyber hygiene, and this is starting to bite them. We've gone through kind of 20 plus years of finding our way being online and whatever that means with emerging technologies.
We used to run our own data centers. Then we outsourced. And then we outsourced again, but we call it cloud. It's still somebody else's data center. And nobody has documented this process. Nobody has documented why we need a domain name. Nobody has documented why we need a subdomain.
And cybercriminals are playing on this on the subdomain side because where somebody has decided, hey, we don't want this website anymore and decommissioned it with a cloud provider, you'll then find that the cybercriminals will pick up on that, that they haven't bothered doing the due diligence and removing the zone record. So they'll go to the cloud company and say, "Can I have that host name if it's available?" "Yes, you can." They now control the content for one of your subdomains. That's not great because they want to use that subdomain in their phishing campaign because it's a numbers game as we all know and using a recognized brand, a recognized domain name is going to give me a lot more good signals to send off rather than some random domain string that I've used. So they want to use your subdomain and your domain name as part of the phishing email.
So we're seeing a lot more attention to this now because of that neglect for 20 years. And it's everybody's role now. As custodians, as we all are in organizations, it's on our watch to clean all of this up.
Elliott: Yeah, and just expanding on that, so I'm focused on the external threats perspective, and the thing that I find interesting is how some of these things, Walt, have not evolved over time and the fact that phishing still is a problem and the fact that we're just coming to terms with it day-to-day. The big customers I speak with week in week out, they're often seeing ever so slight evolutions of this main threat that we all know, but they continue to see it attacking the enterprise. You can see a few here on this slide that we've shared, and these are common discussions that we see people are having day-to-day.
Another one I would just talk about is the domains and making sure that people are educated across that digital governance team about just how easy it is to weaponize a domain name. So making sure that you're protected inside, as Mark was just saying there, but also making sure you have an understanding of the fact that almost anyone can register anything. So those domain registrations can go any which way. And the second you have a new brand, a new campaign, you're releasing something in a new region, people can weaponize and jump off the back of that. Every action has an equal and opposite reaction. And when you're in this space, you're going to have whether it be domainers or bad actors try and take advantage of that.
Another thing that's quite interesting is one of the things that we've been looking into is the different types of domain behaviors. So again, this is just specifically looking at those domains and the way that they change, move, and are used in different ways. And what we've seen as well is that these are often different dependent on different types of industry verticals. So whether you're in finance, tech, or e-commerce, we'll see different types of patterns of threats.
And just before I pass it back over to you, Walt, I'll just say bear in mind we've got a few of these other ones here. Of course, there are those that get the headlines. So you've got the impersonation attacks. You've got people who are pretending to be other people on LinkedIn or taking over websites. So those are the ones that are ever present and are more publicly facing that organizations are being hit with.
Mark: Yeah. And Elliott, before you do hand back to Walt, I should have said basically, I mean, the way we look at it, right, you've got domains that you want and domains that you don't. And that sometimes clears the space for people to understand it better. There's certainly security things you should or could and should be doing on the domains that you want. And then there's the things that you don't and the things that you can do, so.
Walt: Yeah. I want to dive into that a little bit, Mark. But picking up on that point that Elliott made of those threats being present and now people are just coming to terms with those, we at CSC, as we've tried to be in front of those trends, we've evolved, I think, from having a focus on the internal and platform security, which is always there of course, to either building platforms or building strategies and integrations that do have more of a focus on that outside world.
Mark: Yeah.
Walt: So Mark, if you would, just take us through this evolution a bit.
Mark: Yeah. I mean, I won't call out everything, but we recognized very early on, as kind of the corporate domain registrar, there are more things that we can do for our clients to protect what we call digital assets. And it all started back in kind of 2012 with our IP validation. We put in MultiLock or registry lock, optional two-factor. And then we realized, hang on a second, people aren't signing up for this, and it's so important that they do. We need to protect these assets. So we introduced federated identity or SAML 2.0 single sign-on. And then we mandated two-factor back in 2017. That wasn't a popular move for us. We got pushback from clients. But for me, it's table stakes. If your bank didn't mandate two-factor authentication, you would wonder what was wrong in today's terms. So it's one of those things that you've just got to do and you've got to have.
And then we went down more kind of from protecting our environment, we went down a, right, how do we distill the facts, the threats, the real threat vectors for our clients, and we introduced Security Center. It does a fantastic job of doing that. We went through an iteration of that. I say an iteration. It's really a complete rebuild from the ground up with DomainSec, that we launched the UI this year. And it's our new platform that brings everything together, so the domains that you own, the domains that you don't. You can see everything in one platform. And I'm sure this line will continue into the future as we develop solutions and help mitigate risk for our clients. There will be new threat vectors in the future, no doubt about it. And we will keep ahead of the cybercriminals.
Walt: Yeah, and in those, with those integrations from 2019 and through the DomainCasting that you see there at the bottom in 2023, it really shows that recognition of the cybersecurity universe and how important that brand and domain security are to cybersecurity overall as we come up with these ideas and develop them, those are really being picked up on. And in some cases, we're making that argument, and it's certainly being heard that the domain and brand security is cybersecurity.
So Mark, you mentioned the domains that you own and the domains that you don't own. These really need to work together, and it really needs to be one comprehensive strategy. But certainly the risks are different. So here you see domains that a company owns, there are third-party domains that are legitimate, and then there are those that could be a threat, right? So Mark, I'll start with you. If a company owns domains, how do they make sure that those are secure while also worrying about the outside world?
Mark: Yeah. There are a lot of solutions out there, and it's part of what we call defense-in-depth approach. So some of these solutions will overlap, and that's a good thing. The longer it takes to get through something, the safer it is generally.
So just because you've registered a domain name doesn't mean that a cybercriminal will not try and get hold of it. Yes, they'll register soundalikes, and Elliott will cover that I'm sure. But if you haven't got a registry lock in place, for example, then you run the risk of unauthorized changes, you run the risk of somebody being able to breach the registrar. So the first thing you've got to do is make sure you've got a secure registrar. And you can see by our evolution on innovation and what we're doing around security, we do consider ourselves very security conscious.
I think things like making sure you've got an enterprise-grade DNS provider, right? So if I can't touch the domain name, what can I do to the DNS? I.e., I can change where that domain is going to. I can change the traffic routing to a cybercriminal server instead of a normal website where it should be going, that kind of thing, intercept emails. Again, security-conscious provider, somebody that's got a guaranteed uptime, where they will invest in security and bandwidth to help with things like DDoS attacks. And then, obviously an extension on that is DNSSEC to stop man-in-the-middle attacks.
So CAA records is another one, certificate authority authorization to ensure that you're enforcing your policy on which certificate authorities are allowed to issue certificates. We see a lot of trouble with free providers that will issue certificates to anybody as long as they can pass domain control validation, which is very easy on a web token if they've hijacked the domain.
So there are lots of things that we can do that are not cost prohibitive. And I think it's about raising awareness to everybody that solutions are there, and it doesn't have to break the bank to do it. But you do have to protect them because cybercriminals would love to get hold of some of the biggest brand domain names in the world. And if they're able to hijack the domain or the DNS, then you're in a whole world of pain.
And I talk to a lot of CSOs in my role. And if you ask any of them, "Who's your firewall provider," they'll tell you instantly. And then you ask, "Who's your domain registrar?" And they struggle, and that kind of tells you everything that you need to know about this space. It's neglected. Nobody is paying it the attention that it actually deserves because it's great that you worry about your firewall, but if I hijack your domain or DNS, then nobody is finding it. So what are you worried about?
Walt: And the TLD landscape has greatly expanded with new gTLDs and in some cases liberalization of some of the country code TLDs. So that third-party owned domain strategy needs to be extremely solid. How do you sort through all of that, Elliott, to know what's a threat, what's not, what to act on, and what not to?
Elliott: Yeah. No, it's an ever-evolving target, and that's why, again, we have to get together. The best organizations I see that really master this area are building their evolving strategies, and that strategy is not written in stone. It's something that they're all reviewing on a quarterly basis typically. But also they're looking at all of these different data points and trying to bring it all together.
So you kind of use the analogy of whatever can be measured can be improved. They're using those data points to say, "Okay, now we know," to your point about liberalized domains, "those new domain registrations that are available, how are we now reacting to those? How are we making sure that we're also going to be protected?"
I'd say there's sort of three main areas that I would cover, just looking at here for the external attack surfaces. So I'd first of all just acknowledge, again to Mark's point, that people are having discussions constantly about firewalls. And the fact that these domain names are outside the firewall, these third-party risks are outside of that firewall, that's really interesting because what it kind of represents is an interesting dynamic where often, and we know this because we gather this data at a macro level, we're looking at the whole ecosystem of the domains that are registered, new registrations, re-registrations, drops, good guys, bad guys when we're looking at all of that data, it's interesting just to acknowledge that we can kind of see the bad guy as he's doing it and they can see us as we're registering those legitimate domain names for our customers. So that's an interesting dynamic. It's kind of like it's a chess game. So you have to build that into your approach, knowing that every move you make is acknowledged.
I'd also then go into the types of domain registrations. That would be my second point. So the fact is that these are not just straightforward domain registrations, where they're going to look exactly the same. These are not going to be those that we would have seen many years ago. They're going to use certain character sets that look to the naked eye to be exactly the same character that you would see. So if that comes in and that's attacking your organization, attacking your stakeholders, it can be actually quite difficult to pick that up without using the appropriate set of technology.
Final point I'll just make and I think this is where you were going before as well is looking at the type of data. So obviously, we're very hungry with the type of data that we want. We've expanded out all of the different types of datasets we have within our DomainSec platform. But also I think customers are getting more hungry with their data. I think there's different ways that they want to consume that data, so through APIs, and also different types of reporting options.
There's really interesting tools and techniques that people are using as they connect to their SIEM and SOAR programs that I think are allowing them to institute their policies and processes much more easily rather than chasing people via email. And isn't that funny that we're talking about domain names and people chasing people via email? But actually doing it through a structured process and that program and those applications.
So yeah, I think there's lots of ways that people are aggregating that data, and that's allowing them to have more consistency in managing this.
Walt: Great. Yeah, so to bring this up a level after that great detail, overall, the strategy can boil down to this. There are names that should be registered, obviously names that are being used actively. But then there are reasons to register defensively as well. But you can't do everything. So there are blocking programs as well to keep others from having it, [Securant 00:22:58], and so that's what Mark has talked about how do you secure those names that you own. And then Elliott, as you were saying, the monitoring and the aggregation of those results to then actually act on them.
So now we get into those findings, and the findings can be massive. Of course, many cybersecurity systems have been built around that idea that more data is better. But then you need to make sense of that data. So when you get those findings, what should you be looking for, and then ultimately the actions that are taken. And I'll direct that to you, Elliott, to talk about some of those findings since you were talking about that aggregation of massive amounts of data.
Elliott: Yeah, absolutely. So how do you eat an elephant? One bite at a time. So I'd say that obviously you've got a huge amount of data here. So you've got all of this, as we said, not just you and your domain registrations, but everyone outside of you that's watching those and making their own third-party domain registrations around your brand and your trademark. So I think a key here is to understand all the different characteristics of these domains. We often call these our domain behaviors.
So one point might be when was it registered? Is it in proximity to the domain that you just registered would be another that then is going to point to the fact that it's in reaction to the things that you're doing. Or is it in proximity to other threats that we've seen for some of your other brands? Are we seeing some of those domain names that, for example on here, you could see it could be high risk or it could be a dormant domain name, a domain name that currently isn't presenting any of those domain behaviors? Are we then seeing some domain behaviors present themselves? Are we then seeing an MX record being raised? Are we seeing this move from a blank page to a parked page? Are we seeing the domain name being readied to be weaponized?
And then there's also other types of scoring and risk scoring that we have ourselves, proprietary scoring that allows you to understand if something is like you, so how close this is. I will say an interesting, evolving area is a few different domain names that barely even include the brand name in them. But the vast majority of these attacks are still going to be weaponized directly towards the organization using the main names, using the main campaign brand name, subnames, and those are the things that we then subdivide.
So there is a lot of data here. There's no doubt. But categorizing them by behaviors and then categorizing them by type, like dormant domains, is the first place to do it.
Walt: All right. Well, thank you. So with that, I want to thank everyone for their time.