Lurking in the Deep: Submarine Domains Waiting to Activate
Elliot Champion of CSC Digital Brand Services dives deep into a look at submarine domains and the impact they can have on your business. This article originally appeared in Insight Jam, an enterprise IT community enabling the human conversation on AI.
There’s plenty of focus today on what companies can do in advance to prepare against cyber-attacks, and rightfully so. But what about the strategies cyber-criminals are deploying to lay the groundwork for those cyber-attacks? How are we preventing these strategies from taking root?
My team at CSC has been observing an increasing trend in domain security attacks that stem from what we call “submarine domain registrations”: domains that are registered by criminals but remain unused and inactive for extended periods until the day of an actual cyber-attack. “Submarine domains” is an analogy for the behaviour of these dormant domains: they drop quietly within a domain ecosystem and then resurface as a threat, just like a submarine.
Introduction
While domains with this specific registration pattern (i.e., “strategically aged domains”) are typically referred to as “dormant” within the industry, we coined a separate term for the specific instances where a dormant domain is purposely kept and re-registered with the intent of committing fraud and online brand abuse. We did this because there are other reasons for picking up a dormant domain, such as when trademark rights are owned by a third party and the domain’s traffic poses a commercial risk, in which case the company would have to acquire the domain. In this article, I’ll dive deeper into how submarine domains operate, what they are capable of, and how companies can strengthen their security postures to address them.
Lying in Wait, Poised to Strike
Cyber-criminals are privy to publicly available information about domains, as well as the reality that many organizations rely on security programs that don’t monitor for domain aging or risky registrations on a consistent basis. As a result, they are constantly on the lookout for available, branded domains they can weaponize. Some cyber-criminals may register and hold onto branded domains – perhaps hosting holding or parking pages, or displaying “site under construction” messaging – with the intent to resell them back to the targeted organization. Or, they may be plotting an even greater malicious activity such as a phishing or malware attack.
While fraudulently registered domains are traditionally leveraged for cyber-attacks within a short window of time, say within 30 days, we define a domain name that’s weaponized more than 6 months after its original registration date as a ‘submarine domain.’ The biggest issue with these domains is that they are not suspicious right away. Submarine domains often escape initial detection because they don’t immediately have any of the characteristics of a domain registered to launch an attack (e.g., an active MX record) that would usually raise a red flag. This leaves plenty of room for cyber-criminals to build more complex and personalized attack campaigns with more devastating ramifications.
Younger domains are more likely to be used by bad actors, but this is not always the case. Aside from the age of the domain, it’s also important to closely monitor how closely new domain registrations resemble previously identified threats and whether there is a registration pattern. Registration patterns aren’t easy to spot in one place, but collecting an overarching view across various top-level domains (TLDs) can enable teams to see patterns across IP addresses.
It’s also vital to watch out for mimicking behaviors in your domain activity. What we mean by this is, if your brand is registering a series of new domains for a product, service, or new brand, are third parties doing so as well?
Submarine domains capitalize on the process of domain aging, where cyber-criminals fraudulently register domains associated with a brand and leave them dormant (or inactive) until they are ready to be weaponized. This is similar to other attack strategies where threat actors use legitimate tools and processes within a company to steal information or launch malware or other malicious campaigns.
Locate the Submarine Domain, Be on Watch
Although domains are foundational to business operations, many organizations do not consider domain security to be a critical component of their overall cybersecurity programs. Often, this is because it’s not clear whose responsibility they are: security or IT teams may think domains fall under the marketing or legal teams’ remit, and vice versa. But without security protocols in place, domains can be registered by anyone, at any time and for any reason, and this leaves unassuming companies ripe for exploitation.
The key to tackling submarine domains is mitigation and preparation before the malicious act occurs. Security and brand protection teams who wish to prevent the consequences of activated submarine domains need to develop strategies to continuously monitor for dormant domains in their ecosystem, which could be threats waiting to be activated. Productive monitoring is important, but it is equally important to have effective enforcement and a digital governance function spanning all teams (marketing, security, legal, IT, etc.), all of whom understand the process and are committed to mitigating any damage.
Dormant domains suspected to be submarine domains must be monitored constantly for any changes that indicate they are being prepared for use, and appropriate procedures must be in place to address the malicious domain activity they were created for.
Best Practices and Final Thoughts
A good defensive strategy to use against submarine domains involves:
- Conducting defensive registrations on key strings
- Watching the entire ecosystem and gathering key information such as:
  - Who registered the domain? Was it a trusted internal team, a company partner or an unknown third party?
  - When was the last time the domain was in use?
  - What is the domain connected to? Have any MX records been attached to this domain that might indicate its intended use for email phishing campaigns?
  - Are there any trends within your domain ecosystem, e.g. groups of domains behaving in the same way?
- Monitoring for new re-registrations and dropped domains
- Taking enforcement action against the live cases
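The following is an added example (not code from CSC or the original article) that turns the article’s definition and checklist into triage logic: it classifies each watched domain from periodic snapshots of its registrant, MX and hosting records, using a 6-month (183-day) dormancy threshold, and flags the moment a long-dormant domain first comes alive. All domain names, dates and snapshots are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Article's definition: weaponised more than 6 months after registration (183 days here).
DORMANCY_THRESHOLD = timedelta(days=183)

@dataclass
class Snapshot:       # one observation of a domain (constructed, not real DNS data)
    observed: date
    has_mx: bool      # MX record present: could serve an email phishing campaign
    resolves: bool    # A/AAAA record present: could host a page
    def active(self) -> bool: return self.has_mx or self.resolves

@dataclass
class DomainRecord:
    name: str
    registered: date
    history: list                     # Snapshots, any order
    trusted_registrant: bool = False  # internal team or known partner

def first_activation(history: list):  # date of first mail/hosting activity, else None
    ordered = sorted(history, key=lambda s: s.observed)
    return next((s.observed for s in ordered if s.active()), None)

def just_activated(history: list) -> bool:  # newest snapshot active, previous one not
    ordered = sorted(history, key=lambda s: s.observed)
    return len(ordered) > 1 and ordered[-1].active() and not ordered[-2].active()

def classify(domain: DomainRecord) -> str:
    if domain.trusted_registrant:
        return "trusted"
    activated = first_activation(domain.history)
    if activated is None:
        return "dormant"          # no activity yet: keep on the watch list
    if activated - domain.registered > DORMANCY_THRESHOLD:
        return "submarine"        # aged quietly, then came alive
    return "fast-weaponised"      # the traditional short-window abuse

# Constructed sample ecosystem: names and dates are illustrative placeholders.
SAMPLE = [
    DomainRecord("examp1e-brand-login.com", date(2023, 1, 10), [
        Snapshot(date(2023, 2, 1), False, False),
        Snapshot(date(2023, 6, 1), False, False),
        Snapshot(date(2023, 10, 15), True, True)]),   # MX appears 278 days in
    DomainRecord("brand-support-portal.net", date(2023, 9, 1), [
        Snapshot(date(2023, 9, 12), True, False)]),   # weaponised within 11 days
    DomainRecord("brand-holding.org", date(2022, 5, 1), [
        Snapshot(date(2023, 7, 1), False, False)]),   # still dormant: watch list
    DomainRecord("brand-newproduct.com", date(2023, 8, 1), [], True),
]
```

A domain that returns "dormant" stays on the watch list; a `just_activated` transition on a watched domain is the trigger for the enforcement step above.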
Cyber-criminals looking to infiltrate and exploit your company will continue to scour digital enterprises for the quiet areas where no one is looking. As submarine domains continue to grow as online threats, my biggest advice is to be proactive in creating a strategy that covers your entire domain ecosystem and have a clear action plan for a takedown when a live case occurs. This allows you to be prepared for all eventualities.