DNS (Domain Name Service), as one of the fundamental protocols, is used in almost every activity on the internet, including web browsing. As a result, it is one of the best vantage points from which to search for security threats.
As a DNS4EU consortium member, we are developing methods for producing high-quality threat intelligence from DNS data. NASK hosts the Polish national CSIRT, so we combine our operational knowledge and experience with research on machine-learning threat detection systems.
In our work we focus on the detection of phishing websites. This objective is divided into two main parts. The first is early detection of phishing domain registrations: by monitoring newly registered domains, we look for anomalies in TLD (Top Level Domain) registry data in order to pinpoint domains potentially intended for use by cybercriminals. In the second part we develop phishing detection techniques that use anonymized DNS request data. Request data provide insight into the life cycle of phishing domains and also help detect such domains in the earliest stages of their use.
Timely detection is crucial for both approaches, because phishing domains are frequently used for only a short time, leaving defenders little time to react. The main mitigation of phishing attacks at the infrastructure level is blocking access to malicious sites. In parallel, takedown requests can be sent to hosting providers and registrars to disable phishing sites globally.
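To make the two data sources concrete, the following is an added illustration (not NASK's or DNS4EU's code) of one simple heuristic that joins a registry feed with anonymized resolver logs: a domain that attracts queries from several distinct clients within hours of being registered is flagged for review, since short-lived phishing domains must be caught early. The log layout, the 48-hour window, the client threshold and the sample data are all assumptions constructed for this example.

```python
"""Added example (not NASK/DNS4EU code): flag newly registered domains that draw
queries from several distinct clients shortly after registration. Log layout,
window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed registration timestamps, as a TLD registry feed might provide them.
REGISTRATIONS = {
    "login-bank-example.pl": datetime(2024, 5, 1, 8, 0),
    "nask-example-shop.pl": datetime(2024, 4, 2, 9, 0),
    "steady-example.pl": datetime(2023, 1, 10, 12, 0),
}
# Constructed anonymized log lines: "<timestamp> <pseudonymous client id> <qname>".
QUERY_LOG = """\
2024-05-01T09:10:00 c1 login-bank-example.pl
2024-05-01T09:12:30 c2 www.login-bank-example.pl
2024-05-01T10:05:00 c3 login-bank-example.pl
2024-04-02T11:00:00 c4 nask-example-shop.pl
2024-05-01T09:20:00 c5 steady-example.pl
2024-05-01T09:21:00 c6 steady-example.pl
2024-05-01T09:22:00 c7 steady-example.pl
"""

def parse_log(text):
    """Yield (timestamp, client, registrable domain). Assumes the registrable
    domain is the last two labels, which holds for this .pl sample only."""
    for line in text.splitlines():
        ts, client, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        yield datetime.fromisoformat(ts), client, ".".join(labels[-2:])

def flag_early_activity(registrations, records, window=timedelta(hours=48), min_clients=3):
    """Return domains queried by >= min_clients distinct clients within `window`
    of registration, with the delay (hours) until their first observed query."""
    first_seen, clients = {}, defaultdict(set)
    for ts, client, domain in records:
        registered = registrations.get(domain)
        if registered is None or ts < registered:
            continue  # untracked domain, or a timestamp preceding registration
        first_seen.setdefault(domain, ts)
        if ts - registered <= window:
            clients[domain].add(client)
    flagged = {}
    for domain, seen in clients.items():
        if len(seen) >= min_clients:  # old domains never enter `clients`
            delay = (first_seen[domain] - registrations[domain]).total_seconds() / 3600
            flagged[domain] = {"clients": len(seen), "hours_after_registration": round(delay, 1)}
    return flagged

def run_example():
    return flag_early_activity(REGISTRATIONS, parse_log(QUERY_LOG))
```

In the sample, only `login-bank-example.pl` is flagged: `steady-example.pl` is busy but years old, and `nask-example-shop.pl` is new but seen from a single client. A production feed would map query names to registrable domains with a public suffix list rather than the two-label shortcut used here.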
Domains that our systems detect as phishing will be shared with consortium members and will provide an additional threat intelligence source for the DNS4EU resolver's security mechanisms.
This blog post was written by NASK, a member of the DNS4EU consortium.
Picture source: freepik.com