Can Your IT Security Team Protect Your Brand?
Your IT security team’s principal role is protecting the network.
But with so much business conducted online, they have another important responsibility: protecting your brand.
Right now, cyber crooks could be finalizing a scheme to profit off your good name. They can do serious damage in the process.
Some of these brand threats are a form of commercial infringement – for example, cheap or counterfeit products or services sold from a website that appears to be associated with your brand.
But many brand threats are far more malicious, such as schemes that attempt to steal personal information from your customers using a website URL that includes part or all of your brand name, or is a twist on it – “BR4ND” instead of “BRAND” for example.
Consider the consequences that could have resulted from these examples:
- One malicious domain, starting with http://bankofamerica24help, hosted a banking trojan as part of an apparent campaign to capture banking credentials
- Another domain starting with http://moderna hosted malware thought to be designed to steal intellectual property from the actual biotech company
Threats such as these can inflict real damage on your brand, eroding its value and equity in the eyes of anyone directly victimized by them. Worse, they can do serious and lasting harm to your reputation and standing in the marketplace, undermining the trust of your customers, prospects and business partners.
Since they occur in the digital realm, the job of defending against them falls to IT security. But how can your team defend against such an ephemeral threat – a malicious popup website that has no direct connection to your digital realm?
The answer: near-real-time data on relevant, newly active domains. One of the important tools security professionals use to protect their network is threat data. It helps them identify and defend against potential cyberattacks that could compromise their assets.
Neustar UltraThreat Feeds, for example, offer a range of critical DNS-derived insights delivered in near real-time. These insights help IT security teams uncover and counter specific cyber threats to their network in their earliest stages, or even pre-emptively, ranging from DNS tunneling and DGA malware to domain hijacks.
Now, you can tap this same data to identify and defeat web-based attempts to compromise your brand with UltraThreat Feeds API.
This important new security tool provides direct, query-based access to the enormous data resources that power UltraThreat Feeds, comprising traffic data from our own global network of DNS service sites representing billions of daily queries and responses spanning the Internet.
One of the API calls offered through UltraThreat Feeds API is domain activity, and it makes the job of tracking threats from websites encroaching on your brand as simple as entering a focused query:
- Inputs for the query are e2LDs (effective second-level domains) and a date range, so start by creating a list of all the TWI5TS and combinations based on your legitimate domains that could be used to compromise your brand.
- Run the query using your list on a regular basis. We recommend every six hours, the time required to observe a newly active domain on its way to becoming malicious.
If none of the potentially malicious domains are active, you’re done until your next regular query.
If any are active, you’ll receive as an output the following information about each of the domains for the date range you specified:
- Count of Subdomains
- Count of Stub IPs (count of IPs that have queried the domain)
- Count of Host IPs
- Count of Domain Name Nameservers
- Count of Extra Records
- Count of Recursive Queries
You can then use this information to gain important insights through additional investigation, such as when the domain was first and last seen, the Host IP(s) and any other domains that share them, and so on. You can quickly learn all the details you need to decide how to respond.
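The two steps above (build a watch list of look-alike e2LDs, then check which of them are active) can be scripted. The following is an added example, not Neustar's code and not the UltraThreat Feeds API client: it generates candidate e2LDs from a constructed brand domain (examplebank.com) using an assumed substitution table, affix list and TLD list, then triages a constructed domain-activity result that carries the six counts listed above. The record layout and the rule that any non-zero count means "active" are assumptions.

```python
"""Added example (not Neustar's code or the UltraThreat Feeds API client).

Builds a watch list of look-alike e2LDs from a legitimate domain, then
triages a constructed domain-activity result carrying the six counts the
article lists. Substitution table, affixes, TLDs and record layout are assumed.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Iterable, List, Set

# Assumed leet-style / look-alike character substitutions ("BR4ND").
SUBSTITUTIONS: Dict[str, List[str]] = {
    "a": ["4"], "b": ["8"], "e": ["3"], "g": ["9"], "i": ["1", "l"],
    "l": ["1", "i"], "o": ["0"], "s": ["5"], "t": ["7"],
}
# Assumed affixes commonly seen on brand look-alike domains.
AFFIXES = ["help", "24help", "login", "secure", "support", "verify"]
# Assumed alternative TLDs to watch alongside the legitimate one.
TLDS = ["com", "net", "org", "co", "info"]


def split_e2ld(domain: str):
    """'examplebank.com' -> ('examplebank', 'com'); rejects bare labels."""
    label, sep, tld = domain.strip().lower().partition(".")
    if not sep or not label or not tld:
        raise ValueError(f"not an e2LD: {domain!r}")
    return label, tld


def substitution_variants(label: str) -> Set[str]:
    """Replace one character at a time with a look-alike."""
    return {label[:i] + rep + label[i + 1:]
            for i, ch in enumerate(label) for rep in SUBSTITUTIONS.get(ch, [])}


def omission_variants(label: str) -> Set[str]:
    """Drop one character (skipped for very short labels)."""
    if len(label) < 4:
        return set()
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def transposition_variants(label: str) -> Set[str]:
    """Swap adjacent characters."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}


def affix_variants(label: str) -> Set[str]:
    """Prepend/append affixes, with and without a hyphen."""
    out: Set[str] = set()
    for a in AFFIXES:
        out.update({label + a, a + label, f"{label}-{a}", f"{a}-{label}"})
    return out


def candidate_e2lds(domain: str) -> List[str]:
    """Watch list of look-alike e2LDs for one legitimate domain (itself excluded)."""
    label, tld = split_e2ld(domain)
    labels = ({label} | substitution_variants(label) | omission_variants(label)
              | transposition_variants(label) | affix_variants(label))
    tlds = {tld, *TLDS}
    candidates = {f"{lab}.{t}" for lab, t in product(labels, tlds)}
    candidates.discard(f"{label}.{tld}")
    return sorted(candidates)


# The six counts the article says the domain-activity query returns.
ACTIVITY_FIELDS = ("subdomains", "stub_ips", "host_ips",
                   "nameservers", "extra_records", "recursive_queries")


@dataclass
class DomainActivity:
    domain: str
    subdomains: int
    stub_ips: int          # distinct IPs that queried the domain
    host_ips: int
    nameservers: int
    extra_records: int
    recursive_queries: int

    @property
    def is_active(self) -> bool:
        # Assumption: any non-zero count in the window means "seen active".
        return any(getattr(self, f) > 0 for f in ACTIVITY_FIELDS)


def parse_activity(records: Iterable[dict]) -> List[DomainActivity]:
    """Parse records in an assumed JSON-like layout; missing counts read as 0."""
    return [DomainActivity(domain=r["domain"].lower(),
                           **{f: int(r.get(f, 0)) for f in ACTIVITY_FIELDS})
            for r in records]


def triage(candidates: Iterable[str], records: Iterable[dict]) -> List[DomainActivity]:
    """Active watch-list domains, busiest first (stub IPs, then recursive queries)."""
    by_domain = {rec.domain: rec for rec in parse_activity(records)}
    active = [by_domain[c] for c in candidates if c in by_domain and by_domain[c].is_active]
    return sorted(active, key=lambda r: (r.stub_ips, r.recursive_queries), reverse=True)


# Constructed sample: what one six-hourly run might return for two candidates.
CONSTRUCTED_RESPONSE = [
    {"domain": "examplebank24help.com", "subdomains": 2, "stub_ips": 17,
     "host_ips": 1, "nameservers": 2, "extra_records": 0, "recursive_queries": 44},
    {"domain": "exampl3bank.com", "subdomains": 0, "stub_ips": 0,
     "host_ips": 0, "nameservers": 0, "extra_records": 0, "recursive_queries": 0},
]

if __name__ == "__main__":
    watch = candidate_e2lds("examplebank.com")       # constructed brand domain
    print(f"{len(watch)} look-alike e2LDs on the watch list")
    for hit in triage(watch, CONSTRUCTED_RESPONSE):
        print("ACTIVE:", hit.domain, "stub IPs:", hit.stub_ips)
```

In practice the watch list is the input to the domain-activity query on each scheduled run, and the triage output (active domains ordered by how many stub IPs have already queried them) is what an analyst takes into the follow-up investigation of first/last seen dates and shared host IPs. Keeping the generator's tables in one place makes it easy to add the specific twists observed against your own brand.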
The solution in action
Here’s how the data in UltraThreat Feeds API worked to help a large financial services provider prevent a cybercriminal from exploiting its brand:
- They discovered a newly active domain that spoofed their URL
- Investigation revealed the IP infrastructure was associated with malicious domains
- The phony site looked exactly like the company’s legitimate website, but could only be viewed by computers without cookies from the real site
- When an uncookied visitor landed on the malicious site, malware was immediately downloaded to their device
Based on this information, the company put in an urgent take-down request and the site was promptly removed.
No compromised consumers.
No brand damage.
This company was able to stay ahead of the threat to their brand thanks to the query-driven insights available through UltraThreat Feeds API. It can help your business as well, in brand protection and for other critical security activities such as incident response investigations, fraud prevention, threat hunting and presumptive domain or IP watches.
It’s a powerful resource with innumerable applications, and well worth adding to your security arsenal.
To learn more about how you can incorporate the timely, DNS-derived insights of UltraThreat Feeds API or UltraThreat Feeds into your security framework, contact us or give us a call at 1-855-898-0036 in the US or +44 1784 448444 in the UK.