Detect Domain Infringement Attempts and Respond
Category: Analytics and SIEM, Data Enrichment and Threat Intelligence
Cyware Products Used:
Respond
Orchestrate
Collaborate
Intel Exchange
Third-Party Integrations Used:
Proofpoint Domain Discover Service: To continuously monitor domain infringement attempts and send insights that contain essential details to respond to the threat.
SIEM: To identify hits to the malicious domain
Problem Statement
Threat actors register a domain name that closely resembles your company’s domain name and use it for targeted phishing campaigns against your organization. Of all the domain registrations that happen each day, many are registered by attackers to impersonate legitimate businesses and defraud their employees and customers. It is therefore important for security teams to continuously monitor their company’s domain presence as part of their digital security strategy.
Solution
The solution is to use an automated domain presence monitoring system that keeps watch over all newly created domains that closely resemble your company’s domain name. In addition to detecting domain infringement attempts, the solution automatically identifies any hits to the malicious domain and blocks the malicious domain on the proxy server and email gateway.
Retrieve Domain Infringement Alerts: The playbook starts by retrieving domain infringement alerts from the Proofpoint application. Each alert carries the key details that give a full picture of how attackers are undermining your brand.
Domain Enrichment: The malicious domain name is sent to the Whois application for enrichment. The enrichment provides details about the domain registrar.
Verify Registrar Credibility: The playbook now compares the registrar details of the malicious domain with the registrar used by your organization and verifies whether they are the same.
False Positive Alert: If the domain registrar is the same, the playbook updates the Proofpoint alert with the Same Registrar tag and closes the alert as false positive.
Create Respond Incident: If the domain registrar is different, the playbook creates an incident in Respond and onboards the critical insights from the alert and the Whois enrichment into the incident.
Verify Hits to Malicious Domain: The playbook now verifies if any users from your organization have already accessed the malicious domain by checking the SIEM logs. The details are added to the Respond incident if any hits are found.
Notify Security Teams: The playbook notifies the security teams about the attack.
The malicious domain details are sent to Intel Exchange to keep the threat intel teams informed about the threat. The playbook also adds a Sent for Investigation tag to the indicator.
The malicious domain details are sent to other security team members as a Collaborate advisory alert.
Response Actions: The malicious domain is blocked on the proxy server and email gateway to make sure it is not accessible to internal users.
Ready for Investigation: The Respond incident is assigned to an analyst for investigation. Analysts can investigate the legitimacy of the malicious domain and send a request to take down the domain.
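The decision logic of the steps above (registrar check, false-positive close, incident creation, SIEM hit lookup and response actions), as an added example over constructed data; this is not Cyware, Proofpoint or Whois code, and the alert class, the key=value log format and the registrar string are assumptions.

```python
"""Added example: registrar check, SIEM hit lookup and response decision
of the playbook above. Every name and the log format are assumptions."""
import re
from dataclasses import dataclass, field

ORG_REGISTRAR = "Example Registrar, Inc."  # constructed: your org's registrar

@dataclass
class Alert:                  # minimal stand-in for a Proofpoint alert
    domain: str
    tags: list = field(default_factory=list)
    status: str = "open"

def _norm(name):
    # WHOIS registrar strings are free text; compare on letters/digits only
    return re.sub(r"[^a-z0-9]", "", name.casefold())

def registrar_is_ours(whois_registrar, org_registrar=ORG_REGISTRAR):
    return _norm(whois_registrar) == _norm(org_registrar)

def find_hits(domain, siem_logs):
    """Return log entries whose dest is the domain or one of its subdomains."""
    hits, d = [], domain.casefold()
    for line in siem_logs:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        dest = fields.get("dest", "").casefold().rstrip(".")
        if dest == d or dest.endswith("." + d):
            hits.append(fields)
    return hits

def run_playbook(alert, whois_registrar, siem_logs):
    """Same registrar: tag and close as false positive (returns None).
    Different registrar: build the incident, attach hits, record blocks."""
    if registrar_is_ours(whois_registrar):
        alert.tags.append("Same Registrar")
        alert.status = "closed_false_positive"
        return None
    return {"domain": alert.domain, "registrar": whois_registrar,
            "hits": find_hits(alert.domain, siem_logs),
            # blocking is only recorded here; a real run calls the gateway APIs
            "blocked_on": ["proxy", "email_gateway"],
            "indicator_tags": ["Sent for Investigation"]}

# constructed SIEM proxy log lines (key=value)
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.5 dest=examp1e-corp.com action=allowed",
    "ts=2024-05-01T10:02:17Z src=10.0.0.9 dest=login.examp1e-corp.com action=allowed",
    "ts=2024-05-01T10:03:40Z src=10.0.0.5 dest=example-corp.com action=allowed",
]
```

Note that the last sample line is the organization's own domain and is not counted as a hit; only the look-alike domain and its subdomains match.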
Benefits
Respond Effectively to Domain Threats
Organizations can continuously monitor their domains to receive useful intelligence and accurate details of any domains that pose security, trademark, or other risks to the company and its customers.
Robust Domain Protection
The solution enables your security teams to be proactive, consistent, and smart about domain protection, keeping your brand and business protected at all times.
Minimize Response Times
By automating the response to complex and diverse threats, playbooks are effective at minimizing response time, thereby reducing overall risk exposure.