One of the chief problems in cybersecurity is the inherent reactivity of most forms of defense. An attack has to be observed, analyzed and reverse-engineered. THEN, protection can be developed. This means attackers are successful, and inside environments, for a period of time before the attack is noticed, before the indicators for that attack can be extracted, and before a policy can be disseminated to stop it.

There has been a wide variety of research in recent years around this problem. How to speed up the cycle to recognize attacks and to potentially get out in front of attackers to block them before the attacks start. Both my own PhD research and other researchers have noticed that one attribute that is overwhelmingly an indicator of maliciousness in DNS is “newness,” that is to say, the newer a domain is, the more likely that it is bad. More importantly, when a domain is new and otherwise benign, it is rarely in meaningful use except by the organization that’s setting up whatever will go there.

Intuitively, we can make a safe assumption about new domains. Attackers, particularly those doing phishing and brand impersonation, have domains that are operational for a short period of time. (pretty much as long as the take down notice takes to be processed by the registrar) Attackers, once they are known, tend to face various attempts to shut down their operations. This dynamic doesn’t affect legitimate operators of domains who register domains in the duration of one year or longer, with no one trying to shut them down. To work around these challenges, attackers will use DGAs (Domain Generation Algorithms) as we explained in this post

On the flip slide, for those concerned about false positives, the most important component is to block domains actually in use by an organization. Very few organizations and businesses set up a domain and use them in production on the same day. There is a development cycle, time to create a website, build an e-mail server, and so on. The time people “sit” on domains until they go in use is relatively long, in comparison.

To enable blocking newly observed domains, Farsight leverages their Passive DNS network of sensors around the world. When a domain is first seen anywhere on the internet in a DNS query, it is then put into a feed and can be blocked by your ThreatSTOP enabled devices. ThreatSTOP provides targets to block, backed on newly observed domains in the last 24 hours or the last 5 days. This provides organizations looking to enact proactive blocking a quick path to do so, especially for those organizations that are concerned about phishing.

Blocking newly observed domains is a research-proven technique to start to get ahead of attackers and block threats before they’ve been identified… and more importantly, before those threats are successful. You can learn more on how ThreatSTOP and Farsight tackle DNS security by registering for our DNS Security live stream. 


We're offering exclusive access to try ThreatSTOP NOD, Powered by Farsight premium threat intelligence feed as part of a trial. We want you to try this data and see how it will work for you.

Start your automatic 14-Day ThreatSTOP trial below and contact to quickly and easily enable this premium threat feed integration.