
New group provides threat intelligence to domain registrars, other firms

A new organization aims to prevent cyber crime by making sure the domain name industry receives the needed intelligence to immobilize criminals.

On Monday, the formation of the Secure Domain Foundation (SDF), a Canada-based non-profit, was announced. A number of companies, in and outside of the domain name industry, have backed the newly-formed group, from registrars, Nominet and Rightside Registry, to major service providers like Facebook and Verizon.

SDF provides a reputation and validation API, which allows users to quickly identify potential abuse, according to the group's website. In addition, the service enables domain registrars to comply with requirements established in the Internet Corporation for Assigned Names and Numbers' (ICANN) 2013 Registrar Accreditation Agreement.

On Friday, Chris Davis, the co-founder and president of SDF, who also serves as director of partnerships at CrowdStrike, explained how the organization came about.

“The problems I was having as a researcher, was that [the majority of] modern malware actors used domain names for either command-and-control infrastructure or for distributing their malware,” Davis said. Too many times, an actor whose activities had been detected would simply register another domain name to continue their attacks, he added.

“What we are striving to do with the SDF is to provide domain registrars intelligence on the attackers,” he said.

Davis led efforts to identify and dismantle the Mariposa botnet, which, at one point, consisted of 13 million infected PCs spanning 190 countries.

He added that tech companies, like Facebook and Verizon, with expansive customer bases, were just as interested in using threat information to find, and stop, scams or infections being spread by attackers.

“As we've been figuring out the best way to share information on bad actors, the thing that we noticed was that the interest was all over the industry,” Davis said. “Not just people that deal with domain names, but [companies] like Facebook get abused all the time. When we talked to Facebook about this, they were immediately interested about how they could help. Same thing with Verizon – [they were] interested in how their customers are being infected.”

While SDF provides free tools, research and threat information to domain name registrars, registries, country code top-level domain (ccTLD) operators and generic top-level domain (gTLD) operators, its goal is to eventually expand its services to law enforcement, hosting providers, DNS operators and other related parties in the security ecosystem.

“The mission statement is people coming together to share information on bad actors to effect change,” Davis said. “The way we are going to do that is to get lots of different companies and sectors involved.”
