RECORDED WEBINAR:
Understand Domain Name Strategy: Safeguard Your Online Ecosystem and Defend Against Bad Actors
We’ve all heard of first come, first served. But did you know that rule also applies within the domain name system? First come, first served allows any third party to register a domain name within seconds, whether or not it matches a business’s trademark.
Do you have a strategy in place to secure your online presence and detect what bad actors are doing with your IP? Watch our webinar with CSC’s experts, Justin Hartland and Quinn Taggart to learn more.
WEBINAR TRANSCRIPT
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo and other engagement features. To set up a live demo, please complete the form above on our website. If you currently are not on our website and are watching this on our YouTube channel, there's a link to the website in the description of this video.
Christy: Hello, everyone, and welcome to today's webinar, "Understand Domain Name Strategy: Safeguard Your Online Ecosystem and Defend Against Bad Actors." My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us today is Justin Hartland and Quinn Taggart. Justin is CSC's Global Director of Products for the Digital Brand Services Division, based out of London. Justin has spent more than 20 years in the domain name and brand protection industry and brings his wealth of knowledge to CSC clients. Quinn is a product manager for the Global Brand Security and assists clients in the areas of online brand and cybersecurity strategy. Quinn has been with CSC for over 20 years, and his wealth of knowledge and experience is appreciated by brand owners as he helps them to bring a better understanding to their evolving digital asset portfolio and minimizes their risk. And with that, let's welcome Quinn and Justin.
Justin: Okay. Well, I'm going to start off today, and thank you for the introduction. I'm looking forward to going through today's session with Quinn. What we're going to do today is we're going to talk about a good domain name strategy and look at various elements of that. But before we dig into that, Quinn and I are just going to go through a few examples of why this is so important.
And I'll just start off with this one. Now it's a little bit old, but this is regarding a company called VINCI. It's a French company, 300,000 employees. They're listed on the Paris Stock Exchange. Their main website is vinci.com. And what happened was somebody registered vinci.group, and they used this to send a press release that looked like it was from the CFO of VINCI to Bloomberg, basically saying that there's a profits warning. The impact of this was that €3.5 billion were wiped off the share price of VINCI. Huge, huge, huge issue for the company. And this was all coming from a domain being registered that obviously fooled people. It looks fairly convincing because VINCI goes by VINCI Group. And so this really did lead to a massive impact.
So understanding your domain name portfolio is critical. And I'm going to let Quinn just go through another example of why this is so important. Over to you, Quinn.
Quinn: Thanks, Justin. Sometimes the threats can come from within. So as you're reviewing your portfolio of domains and the inventory that's accumulated over the years, you're likely going to come across some domains that probably look like it's an old campaign or it's an older brand or something, and so we should just let that go and kind of thin out the herd. Possibly, you can run into a situation like what recently happened with Samsung in that they have a Chrome extension out, which is linked back to a domain name that was in their inventory, and they just let it go. And so samsunginternet.com was sitting as past renewal date, but, of course, the Chrome extension was still active.
And it's the interdependencies of the domains within your own inventory that are going to be critical in situations like this. Is the domain used as a destination for URL forwarding? Is the domain used in a lot of backlinks? Do people have it linked to or from other websites? Understanding those interdependencies are going to be really critical in being able to make sure that you rationalize your portfolio appropriately. Back over to you, Justin.
Justin: Thanks, Quinn. So just looking at threat targets that are really there for large corporations. Now if we look at this diagram, effectively, you have the internal threats and you have external threats. Companies are really good at protecting themselves with the internal threat information, so putting up firewalls, making sure things don't get through. However, the vast majority of threats sit outside of that firewall. It's about 80%. And so we'll have a look at a few of those and why it's so critical when it comes to your domain portfolio.
So these are various attack vectors. We're probably aware of quite a few of them. I'll just give you some examples. So, for example, phishing, how is that related to domains? Well, this is where people might register a domain where there's the letter "I" in your domain and they replace it with a "1," and then it's used in a phishing attack. It's the same for typosquatting, where we see DNS hijacking or IP spoofing. These are all things that really are tied back into that global domain portfolio. So making sure that you are registering and monitoring the right things is critical when it comes to having a really good corporate portfolio.
And if I just move on to the next one, this really digs a bit deeper. So, as you can see, we have typosquatting. I just gave an example. You have where domains get hijacked. There's a lot of social engineering that happens with certain registrars if they don't have good security protocols. Malicious domain registrations, you can cut out some of that. We saw the example earlier, vinci.group. That's a simple domain name that probably doesn't cost a lot of money to register, and that could have eradicated that risk. You get hijacked subdomains. There are some dormant domains. And all of these things can lead to ransomware, domain shadowing, cache poisoning if you don't put DNSSEC on your domains.
Phishing attacks, try and make yourself as hard as possible. Now, look, phishing attacks, they can use other random domains to fire a phishing attack. Just make it harder to ensure that the domains that they can get that contain your brand are taken out of play. DDoS attacks, that really comes into the DNS situation, but making sure your domains are sat on a really robust DNS infrastructure.
So all of these things need to be taken into account. And so Quinn and I are going to sort of walk you through, in today's session, some of the aspects that you can really hone in on to make sure you're making the right decisions to prevent these security threats.
Quinn: Now dormant domains, Justin, is something it's a bit of a newer buzzword, I guess, if you want to call it that. But some folks might be thinking, "Well, if it's dormant, why is that a threat? Why should I consider that a threat?" Maybe just give a couple of examples of how a dormant domain can actually be used in a vector.
Justin: So what happens is some bad actors will register hundreds, if not thousands, of domains in one go, and they just sit there. So even with a good domain monitoring system, you can pick up these names, but then you sort of see them just sort of sat there. But actually, these people are registering various different brands, and when the time's right, they sort of release them to the world quickly. But they can sit there for quite a long time without being used. And this is like on an industrial scale.
And this is where, I think, with the likes of AI coming into play, we're going to see more and more of this, where they're getting the computers to actually just generate the domains that they think are going to be the most effective in a phishing attack. And so making sure that we keep an eye on those and making sure that once they are enacted, that we take action, or we take a proactive stance and actually take action against those names before they're used in a bad way.
So there's a lot of this happening right now, and we're seeing it on, I would call it, more of an industrial scale than we ever saw before. In particular, there are certain countries where this happens a lot and that we see a lot. Now are these going to go away? I don't think so. It's going to be trial and test, and they're going to see what works best. They run these things like businesses. So I really think it's an area that you need to stay on top of and just make sure that you are keeping track of how your brands are being used on the internet. I don't know if you wanted to add any more on that, Quinn.
Quinn: Well, the only thing I'd add, I guess, is a lot of folks will think, "All right. Well, I'll plunk the name into a browser, and I don't see a website, so why should I worry?" The worry comes below the horizon. I mean, we set the horizon as above the horizon is your active website for the root and the www that we're all used to seeing as far as that part goes.
But there's a lot of things below that horizon that can happen. You could have thousands of subdomains that are active below the horizon. But one of the biggest threats, of course, is email. So you don't have to have an active website on the root in the www in order to have active email. And that's where your phishing attacks, your scams, your spam is going to come into play. And that's why when we evaluate domains through monitoring or even if we're doing some Brand Advisory team analysis, we'll look for those sorts of records and just make sure that they're not there, or if they are there, that we report it back, because that can easily be where the real threat is.
Justin: Yeah. And not to get too techy, Quinn, but this is where we're looking at particular records within the domain.
Quinn: Yes.
Justin: I don't know if you want to just explain in layman's terms what we'll be looking for, and all of this information is available for us to go and check.
Quinn: Yeah. So when we go through and do a rudimentary analysis, we're looking for, of course, the root in the www to see if they do resolve to live content. But then we're looking for whether or not they're configured for email. We're looking to see whether or not there's an SSL certificate associated with the domain name. All of those can imply some criticality and some use.
Now when we analyze a client's portfolio, we do exactly the same thing, and we look for those elements. And we're also looking for domain security elements, things like DNSSEC. Does it have registry lock? CSC's mode of that is called MultiLock. So you'll hear that interdependently. As well, we'll look for other email security type settings, like DMARC and SPF and TXT. All of those technical records will imply a certain degree of usage or planned usage.
And that's really the crux of it all. Being able to identify those thousands of domains that are getting registered, that Justin referred to, is one part. Trying to predict which ones are actually going to get used down the road, that's the real flip of the coin because you really don't know when or where those are going to be used. And so some of you might be thinking, "Well, shoot, I can't register everything." And no, you shouldn't, and you shouldn't try. It's certainly going to be a budget buster. But that's where, and we'll highlight a bit of that later on, the balancing act really comes.
Justin: Yeah. And I know you'll cover this later, but it's the one thing that we advise on, and I know Quinn's done this many times, is that in a way, if you're looking at your portfolio, you need to kind of do a bit of a forensic deep dive on your domains, because by and large, if you've got a portfolio of domains that is a couple of thousand, even a couple of hundred, do you honestly know what each of those domains are being used for? And I think the answer is no. And so what you can do is you can look at the traits of each domain and understand, has it got traffic, has it got email records, has it got an SSL, etc. So this is part of managing a domain and understanding. But we'll go into more detail later on on that.
Quinn: And so when you look at the available budget that you have for domains within your company infrastructure, one of the key things is that you're going to have some offensive domain registrations. Those are the ones that are going to tie into your core brands, your core web properties. This is your presence. Then you're going to have some defensive registrations that are going to be tied into just protecting your brand online, making sure that you've secured these particular domains so that nobody else can. And they're directly related, obviously, to your core brands as well and your core areas of your business.
And then you've got monitoring and enforcement, and that's really where the penchant for risk is going to come in and try to keep the three of those elements balanced out. But it's also about balance within your organization as a whole. You want to be able to involve all of the relevant stakeholders.
Now in some organizations, historically, domains have been an IT function. Keep the lights on and make sure the sites resolve. Just do what needs to be done and keep things moving. But more and more, of course, these other key areas of the business and the corporate structure have been engaged with domain management. You've got the legal team, which is ultimately responsible for overall brand protection for the company anyway. So they're the holders of the trademarks, the patents, the other intellectual property that can drive into the domain name side of the business. You've got marketing, which is obviously involved, whether they like to admit it or not sometimes, and making sure that you've got traffic. SEO ranking, they're responsible for that aspect of the domain inventory and making sure the performance is there. And then you've got your infosec people, which are thrust a little bit more into the forefront than might have been in the past simply because of the way in which things have evolved over time.
And so, as a result, we've got all four pieces here trying to balance on the center. But one of the key aspects, of course, is if you are in charge of the domain inventory internally, you're going to want to make sure you've got direct lines of communications into all of the major stakeholders.
Now we're going to focus on the domain side of things. I'm sorry.
Justin: Quinn, I'm going to interrupt you for a moment. I just think it's really important because it's not the case with every company that the information security team are involved. But it certainly has increased, I would say, over the last five years. And one of the things that we have been trying to educate everybody on is how critical the domain name is for every business. All of your email, your VPN, your web properties, your apps, everything is reliant on the domains that are under your management and the safeguards around those domains.
Now if you're using an enterprise-class registrar, like CSC, then you've got good safeguards. But there's a lot of companies that don't, and they might be using a small business provider for their domains, where we see things like social engineering, etc. taking place. So it's really important that if your information security people aren't involved in domain names, that you perhaps start educating them because this is an absolutely critical area for your business. And so, like I say, they've naturally moved into that space because I think a lot of companies have gone, "Yeah, actually, this is critical." But I think there are still some companies that are catching up with that. Sorry, Quinn.
Quinn: No, no, that's a great point. And I think that one of the key aspects of involving the infosec folks in the beginning is that you're not being pressured because of some sort of an urgent nature. I mean, obviously when it hits the fan because something has gone down or you've got a breach or you've got some other aspect of infringement, everybody gets involved because they need to. But it's better to do it when there's none of that happening and making sure that everybody understands how things are being done internally.
Now once you've got some of the extra stakeholders involved, it might require a little bit of extra education, as Justin mentioned, but also, too, some process improvements. You may not have a formal domain name policy or processes in place, but it's something to consider, and they're really easy to go and put into place and make sure you've got the support that you need. So we'll take a step back for a second, and we'll look at some of the basic pieces.
So one of the big things, of course, is the domain name life cycle. Now some people will think, "Well, it's my domain. I own it." Yeah, as long as you keep making your payments, it's yours. But technically, we look at domains as a lease, and like with any other lease, as long as you keep making the payments and you keep renewing the domain name, it is yours to operate with and at your leisure.
However, with the life cycle of the domain, as we follow the wheel around clockwise, once the domain expires, it goes into a bit of a grace period. It pops into what we call the pending deletion stage. Depending on the registry, these timelines could be a little different. And then it becomes available again to anybody who wants to be able to go and pick them up.
Now each country, of course, has their own set of rules and regulations, and that's what makes domains so interesting over time. But at the end of the day, this simplified approach timeline will give you a feel for the fact that once you've decided to let it go, it will come available, and it will be available for somebody else to go and register. If you don't like that idea, if you think that that's a risk factor for you, then that's part and should form part of your thought process and your review process when you're looking at the inventory in your system, because if you have it right now and you keep renewing it, it's yours, and you protect yourself. And sometimes there's going to be some really good cases where that's going to be important for you to do.
So another key aspect, of course, we talked a second ago about involving all the stakeholders. So this is a very simplified approach. I affectionately call these the spaghetti diagrams, because it just looks like a plate of spaghetti, to me anyways. And this is where working with an enterprise-level provider is helpful. Typical corporate environment right now, you've got inside counsel, outside counsel, the company directors, and executives. We've got all kinds of risks that are competing for time and money internally. And then, of course, you've got your web properties and everything that has to be out there, all of your intellectual property that goes along with it. It can get very confusing very fast.
But one of the things that CSC can help our clients with and being that interceder in the middle is that we can form part of your team. We can come in between yourselves and your outside counsel and be able to really just solidify that internal relationship. We can facilitate process improvement. We can help with education and the like. But putting CSC right here in the middle of everything, and I can't draw with my mouse, but putting us in the middle is really important for us, and we can absorb a lot of that extra stress.
Justin, did you want to comment on that?
Justin: No, I was just laughing about your drawing.
Quinn: Yeah, okay. Thanks a lot. I need an actual pen. Trying to draw with the mouse is not easy.
Justin: Into some practical things that everybody can think about with their domain portfolio. And Quinn and I decided to break this down into sort of four elements. So we're going to have a look at what can you do with regards to domain registrations, what you should be thinking about with domain transfers, domain lapsing, and also blocking services, which are out in the marketplace.
So I'll start off by going through registration strategies. So here are a number of things that you can think about when it comes to a registration strategy. So I'm going to start off with the second point, and I will come back to brand launches.
So the first is domain availability reports. So this is really important to benchmark what you do have, what you don't have, what third parties might have. And it might be that they're legitimate third-party registrations. That does happen, especially if you've got a generic brand name. But that really gives you an idea of what is available in the world and where are my gaps and what do I need to fill.
You might want to just narrow it down to the new gTLDs. So new gTLDs were introduced 10 years ago. There are a lot of them, and so you may want those just to analyze that. It's an area where some of them have registered many millions because they've been offered to the marketplace very sort of cheap or even almost given away. So that does come with risks associated with it. So you can kind of benchmark where you are and make sure that you're safe on that.
You can perform things like live site analysis to understand what you've got and what's creating traffic for you, what you're using, and then therefore what else might complement your portfolio. Something simple is just to take your trademark portfolio and reconcile it against your domains, and that can also help spot gaps.
And not for everybody, but you can do a typo and keyword analysis. In particular, companies that suffer from phishing tend to like looking at typo analysis because quite often, as I mentioned, there are certain brands where certain characters might get flipped. And so therefore it's really good to have a look at what's out there, who's registering it. Do we want to register these defensively just so we take them off the market and mitigate the risk?
And I'm going to go back to brand launches because this is an area that's super important, and we see it time and time again. If you have a clear structure when you launch a new brand and you have domain names tied into that, then you will have a successful time from a domain perspective. If you don't, it can cost your business a lot of money. And I'm going to let Quinn say a few words on this because I know Quinn has worked with a lot of our customers in supporting them with brand launches. So over to you, Quinn.
Quinn: Yeah. Thanks, Justin. And I think one of the key factors when it comes to a brand launch is engage your provider early and making sure that you understand what the landscape is going to look like before you start doing any kind of marketing or filing trademarks. Now one of the key things when you start comparing domain names with trademarks is that when you file for a trademark, it takes time. Two years is a nominal amount of time for a trademark to be accepted because there's a process that has to be done. It has to be published for opposition. People have to have a chance to go and say, "No, I think that that's infringing on our mark. You're not allowed to do that." You don't get that kind of situation with domains.
Domains are instant almost, and it's first come, first served. But one thing about the trademarks is that when you file that trademark application, it becomes public knowledge. People can search for that. And if it's pending, then you're tipping your hat and your hand as to what you've got planned. So timing of the domain registrations to your trademark filing is extremely important, especially if it's a new brand. Making sure that you've got those domains upfront. You don't necessarily have to have a trademark in order to be able to secure the domain. So take advantage of that and make sure you get what you need upfront. You can always expand the reach later on if things are successful. But one of the key aspects of it is making sure that you've got that base. You've got the comm. You've got your local ccTLDs. If you're based in London, you want .uk and co.uk. If you're based in Germany, you want the .de. You've got to have that base to get started with it.
But also, one of the key aspects, and we see this time and time again, is where the brand thought process gets way down the road and then realizing, of course, that the domains are not available. Now that can be very disheartening, especially if you've got a lot of weight into the process up until that point and now you're kind of stuck. It's like, "Well, that's our preferred piece. We've already got things done. Marketing is ready to go." Yeah, but you don't have the domains. Now what? And people are left scrambling trying to figure out, "Well, how am I going to make that work?"
Involving us early in the process can help. We can use the availability checks and some other tools to go and try to map out what the landscape looks like and potentially give you some alternatives that might help guide you through. You still might have to make some adjustments, but at least you didn't waste a whole lot of time, effort, and money to get all the way down only to find out that you can't get the domains that you were looking for.
Justin: Thanks, Quinn. Okay, so I'm going to just go through the next section, and then I'll pass it back to Quinn.
So looking at domain transfer. So I've spoken on previous webinars about the advantages of consolidation. So in many cases, a lot of companies do have all of their domains centrally managed, but not in every case. And so what we find is it means that you workflows. There is no way of knowing who is the provider immediately if there are any issues on domains. There's a number of advantages in having that consolidation.
And so as part of your domain strategy, you should have a clear process. Now it may be that you choose two providers. Again, I'm not sure if that is the right maneuver. For certain companies, it might be. For some others, I don't think it would be. But you have a clear policy of like, "This is our provider," like you do with many other services that you use.
The second part here is global compliance. So this is becoming more and more important. We are seeing here, for example, in the European Union, that they are looking at the registries who run .de, .fr, etc., to put in place more compliance and more know your customer, which feeds down to registrars, such as CSC and every other registrar that works in those countries. And what that means is there will be more loopholes. They will want you to have the correct data. They will be checking that data. They will be requiring certain information when you register new domains. If you do not comply, they will suspend domain names. So it's really important that you understand that these things are happening and that you're working with a registrar like CSC, who is always looking and speaking to the registries about what those compliance needs are.
Making sure that you've got a clear process when you enforce against domain names. So, for example, we've seen in the past that certain companies have a really good enforcement process. And those names sit with, I don't know, some small registrar, but they never get moved into their actual portfolio. And those names have still got content which might be egregious to their brand. So really it's making sure that you've got the full circle of process in place for your enforcement. So once that enforcement takes place, once you've been given the green light that that domain is now under your control, that you then transfer it to your preferred provider. And what we also recommend is if you are managing your domains through CSC, is that you would also incorporate something within your portfolio to say that, "We recovered this name." And Quinn will sort of maybe touch on that when we're talking about lapses next and why that's important.
And then the final thing here is when you're with a company that does a lot of acquisitions, having a clear process for this, and that, again, it's a bit like brand launch when it starts off. Sometimes what we find is if two really well-known brands come together, a whole load of speculators will go out there and register those two brands together, .com, co.uk, whatever those extensions are. So you need to start thinking about those things from that stage, but then also looking at consolidating those portfolios together.
I don't know if you wanted to add any more. Again, I know you've done a lot of work on sort of M&A with our customers, Quinn.
Quinn: Yeah, the key thing for M&A is to think of it like the bad guys might. And you made a good point of domains that get registered, that combine the two company brands or company names together, and they're just speculatory, but they're still aggravating because it's infringements on both sides. But it is again, very much like the brand launch, as Justin mentioned, involve CSC early. Get us in, let us have a look, let us map things out, let's see what the risks are.
You as a company may be taking a very structured approach on your domain name inventory. You may have a really good grip on what you have and so on, but the company being acquired might not. And they may have domains in about 80 different places. A bit of an exaggeration, but it comes down to they may not even understand what they have when it comes to domains. And so being able to try to help rope those in and realize where they might be and how we're going to try to wrangle them all in after the M&A gets solidified is going to be the big challenge. And it's better to do that when there's no panic into the conversation. And that's usually the big key, is getting in there early so that we don't have to panic.
Justin: Yeah. So I'll pass it over to you now, Quinn, to talk about lapses.
Quinn: Yeah. Thanks, Justin. We've spent, here at CSC, a lot of time dealing with analysis on strategy as it relates to lapse. And so one of the marketing materials to download from today's webinar is on our lapse strategy best practice document. And we've really kind of narrowed it down to stop, review, action. That's kind of like the three-step approach.
But one of the big keys to any kind of thinning of the herd is understanding and quantifying the risks. So if you are a bank or somebody that deals in financials, typically that industry is what we would consider to be risk averse. Whereas other folks might be on the opposite end of the scale and might be a little bit more aggressive and, through whatever reason, decide: You know what, we've really got to thin things out. We've got to try to save some budget. We're going to be a little bit more aggressive. And we're going to assume a little bit of extra risk by getting rid of a bunch of names out of our portfolio.
But from one of the earlier slides when we were talking about balance. So when you look at your risk versus your budget versus monitoring enforcement, if you're taking away from any one of those, you've still got to be able to balance things out. And so one of the things that we want to encourage people to do is make sure that you have some sort of post-lapse monitoring and enforcement in process. Analyzing the data, making sure that you engage the key stakeholders, understanding the interconnectivity between some of the domain names, that's all part of that analysis process. And sometimes it takes a few passes to get through that, to make sure that you don't accidentally dump a domain name that might be a destination for some other domains within your inventory or has a key microsite associated with it. Those are the kinds of accidents that generally have a lot of drama associated with them.
But let's say that you've got some risk-free or low-risk lapses out of the portfolio. Being able to monitor that post-lapse is going to be important to make sure that the bad actors don't pick that up and potentially use that against you.
Anything else you want to add in on that, Justin?
Justin: Yeah. I think just something so people are aware. So we regularly look at the names that we lapse on behalf of our customers and see what happens to those names. And we know from our own data that 11% of the domains that we lapse get re-registered by third parties. It's pretty big. Now, again, some of those might go dormant. Some might be looked to be sold. Some may be used for malicious content. So we know that it's a big problem. And we obviously try and work with our customers to make sure that they don't lapse the wrong things.
But these bad actors, they are watching your portfolios, and they…and start using AI and other things to basically…tell if it's lapsed. So, yeah, it is a really big problem. And I think it's an area that, at the end of the day, if you lapse all of these, and Quinn is right, you need to have monitoring and enforcement, you may end up spending a lot more money on enforcing your rights, the names that you actually owned, than the benefit of lapsing them and freeing up some extra budget. So really be careful when you're taking decisions on this, which is why Quinn is right. You need that sort of forensic look at your portfolio.
Quinn: And 10% doesn't sound like a lot, but it will add up. And then one of the last things, of course, is looking at a blocking strategy. There are blocks available in the new gTLD side of things, and some of the blocks are starting to dip into what we consider to be the regular domain extensions as well, the ccTLDs and the gTLDs, the normal gTLDs. But this can get really complicated really quick. And so this is why we encourage people to reach out, and we can go and take a quick analysis across your core brands and make sure that you're covered. There is a tipping point, cost-wise, when it comes to covering a block versus registering the domains that go along with it. And again, like before, it's about balance and making sure that you're putting your money in the right spots.
WE'RE READY TO TALK
Our specialists are ready to answer your questions.