At a young age, most of us were told, “don’t talk to strangers.” While the majority of people we encountered as kids were probably nice and friendly, avoiding all strangers kept us safe from those with bad intentions.
It’s a great policy for kids, but not so great for enterprise security. Assuming every new domain is dangerous and therefore can’t be accessed would make for a pretty terrible experience. On the flip side, assuming all these new domains are nice and friendly opens the door for bad actors. Organizations need the ability to easily view traffic to new domains and ultimately enforce policies if they are more risk averse.
Attackers often use new domains as part of phishing campaigns, exploit kits, ransomware, and other threats. These new domains serve multiple purposes including acting as a way to distribute malware, exfiltrate data, or trick people into clicking on phishing links. By creating new domains instead of reusing domains from previous threats, attackers can outsmart security systems that rely on reputation scores.
Let’s say an attacker registers a new domain to be used in a phishing attack. If the domain is not yet known to be malicious, then when someone receives the email and clicks on the link, it probably won’t be blocked by any security systems. Before this domain can be categorized as a threat or added to a block list , the damage may already be done — the victim may unknowingly disclose sensitive information or malware might be installed and start exfiltrating data from the network.
Today, we’re introducing a new security category within Cisco Umbrella called “newly seen domains.” This new category identifies domains that have been recently queried for the first time across the Umbrella global network and are more likely to be malicious. You have the flexibility to enable the newly seen domains category in two ways:
There are other services out there that offer similar information, so what’s different about the newly seen domains category in Cisco Umbrella?
- Our global network handles over 80 billion requests per day from a diverse set of enterprise and consumer users and we uncover over 3 million new domains every day. We see more and help you proactively block more.
- We’ve built-in logic to offer much more than just a feed of new domains. We use information on the trustworthiness of top-level domains, or parent domain reputation for subdomains, to determine if domains should be added to the list and how quickly the expiration happens. This reduces the potential false positive rate for this category.
- We update our system in minutes, not days. So, you can have visibility into and can proactively block these new domains in near real-time.