Understanding the Extent of Your Domain Attack Surface
Domain orcyber attack surfaces consist of domain names and subdomains that threat actors can use to infiltrate a target organization’s or its partner’s network. Web pages, which, as you know, are accessible through domains and subdomains, are among the top attack vectors.
Learning the scope of your domain attack surface is, therefore, essential not only in protecting your organization but also your clients and partners.
Types of Domains to Keep an Eye On
To understand the extent of your domain attack surface, you need to know about three common types of domains to monitor.
Company-Owned Domains and Subdomains
First on the list are domains that you own, including their subdomains. Threat actors could exploit neglected or forgotten Domain Name System (DNS) records configured for certain services, giving them a way to launch a widespread attack known as “subdomain hijacking.”
For instance, a study using attack surface management (ASM) solutions to determine the potential attack surface of the top online payment processing companies found several Zendesk subdomains.
Although not all of the subdomains on the list are directly attributable to the companies they may be spoofing, it is possible that the online payment providers once used them. If these subdomains are no longer in use, third parties can take over and use them to launch attacks against Zendesk, the online payment processors, and their users.
Typosquatting Domain Names
Another type of domain threat actors commonly use is typosquatting domains. These are domain names that are purposely made to look similar to those of a brand or company. They usually figure in phishing attacks, business email compromise (BEC) scams, and spam campaigns.
Let’s take Microsoft as an example. There are hundreds of ways to misspell the company’s name. Some examples are:
Take note of the use of homograph characters, which further amplifies the number of possible typosquatting domains.
Threat actors usually register typosquatting domains in different top-level domains (TLDs), too. For example, you may find microsoft[.]tk on a typosquatting feed. While it uses the brand’s correct spelling, it uses another TLD.
The domain attack surface of an organization also includes subdomains that they do not own or control. We call these subdomains “wild” or “non-attributable.” Their telltale characteristic? They do not share the same WHOIS record details with the company they’re trying to imitate.
How prevalent are these types of subdomains? A study on the top 10 most spoofed brands revealed that wild subdomains make up most of companies’ potential domain attack surface. It scrutinized brands including PayPal, Facebook, Microsoft, Netflix, WhatsApp, Bank of America, CIBC, Desjardins, Apple, and Amazon. On average, wild subdomains made up 99.36% of the brands’ total domain attack surface.
How to Reduce Your Potential Domain Attack Surface
In general, you should eliminate as many potential attack vectors as possible. You can’t accomplish that without knowing what you are dealing with. Understanding the scope of your domain attack surface is the first step toward its reduction.
Aside from using ASM solutions that take these types of domains into account, here are some actionable tips to reduce your organization’s domain attack surface:
- Regularly monitor and update your DNS configuration, making sure that unused subdomains are removed. This action lessens your vulnerability against domain hijacking and subdomain takeovers.
- Check for typosquatting domain names or, better yet, register the most common ones. Filing a Uniform Domain-Name Dispute-Resolution Policy (UDRP) case against the registrant of typosquatting domains could also be an option.
- Frequently check for subdomains that contain your brand name, warn your employees and clients about them, and report them for inclusion in blacklist sites.
Protecting your organization against cyber attacks entails understanding the commonly used cyber attack weapons. As domains and subdomains are among threat actors’ favorites, assessing the extent of your domain attack surface could help strengthen your overall cybersecurity posture.
Jonathan Zhang is the founder and CEO of WhoisXML API—a domain and IP data intelligence provider that empowers all types of cybersecurity enterprises to build better products and achieve greater network security with the most comprehensive domain, IP, DNS, and cyber threat intelligence feeds. WhoisXML API also offers a variety of APIs, tools, and capabilities, including Threat Intelligence Platform (TIP) and Domain Research Suite (DRS).