Domain Monitoring


What is Domain Monitoring?

Domain monitoring is the cybersecurity practice of monitoring an organization’s internet domains to identify any suspicious or unauthorized activity.

This includes tracking changes to domain registrations, detecting look-alike or typosquatting domains, and monitoring for any signs that a domain might be used for malicious purposes like phishing or spreading malware.

The goal is to protect your brand, website, or organization from threats by catching potential issues early and taking action to mitigate risks.

Why Is Domain Monitoring Important?

According to IBM, the top initial infection vectors are phishing and stolen credentials. These attack vectors often exploit domains in some capacity, making domain monitoring an essential defense mechanism. Domain monitoring helps organizations in the following ways:

  • Security: It helps identify and mitigate threats such as phishing attacks, where malicious actors create look-alike domains to trick users and steal sensitive information.
  • Brand Protection: It helps safeguard your brand by detecting unauthorized use of similar or identical domain names that could be used to trick customers or damage your reputation.
  • Customer Trust: Maintaining the security of your domain helps build and preserve customer trust, as they are less likely to fall victim to scams associated with your brand.

How Does Domain Monitoring Work?

Domain monitoring works by continuously tracking various aspects of a domain to identify and respond to potential threats. Here’s a breakdown of how it typically operates:

  1. Registration Monitoring: This involves keeping an eye on new domain registrations, especially those that are similar to your organization’s domains. This helps detect typosquatting and phishing attempts early.
  2. DNS Monitoring: Track all DNS records and changes. This can alert you to unauthorized changes that might indicate a hijacking attempt.
  3. WHOIS Data Monitoring: Keep track of the WHOIS ownership and contact details of your domains. Any changes in this data can signal potential security issues or unauthorized transfers​.
  4. SSL Certificate Monitoring: Monitoring SSL certificates ensures they are valid and haven’t expired, which is crucial for maintaining secure communications.
  5. Content Monitoring: Monitoring the content on a domain helps detect unauthorized changes or the presence of malicious code.

Examples of Domain-Based Attacks

  • Netnod: Netnod is a major DNS provider based in Sweden. They run one of the 13 “root” name servers, a critical part of the global DNS infrastructure. From 2018 to 2019, attackers targeted their infrastructure by sending unauthorized EPP instructions to various registries. This allowed them to redirect traffic and capture sensitive information. The attackers were also able to disable DNSSEC safeguards long enough to obtain SSL certificates for Netnod’s email servers.
  • Google Vietnam: In 2015, the threat actor group LizardSquad, gained unauthorized access to the DNS settings of Google Vietnam’s domain. This allowed them to redirect visitors to a malicious website displaying the group’s message. Beyond the significant disruptions this caused, the attackers had access to any sensitive data sent to the hijacked domains.
  • OCBC Bank: In 2021, customers of Singapore’s Oversea-Chinese Banking Corporation (OCBC) were hit by phishing attacks, resulting in approximately $8.5 million in losses across 470 customers. The attackers used fraudulent domains to trick customers into providing their account details. Despite the bank’s efforts to shut down these domains and alert customers, the attackers continually set up new “mule” accounts to receive the stolen funds​.

How to Get Started with Domain Monitoring?

When getting started with domain monitoring, there are several key steps that should be implemented:

1. Define Objectives and Scope

  • Identify Critical Domains: List all your organization’s domains, including subdomains and related assets that need monitoring.
  • Determine Key Threats: Understand the types of threats you aim to detect, such as typosquatting, DNS hijacking, and unauthorized changes.

2. Choose the Right Tools

  • Domain Monitoring: Track new domain registrations, new TLS certs generated, changes in DNS records, and WHOIS data.
  • DNS Monitoring: Implement DNS monitoring tools to detect changes in DNS records.
  • WHOIS Data Monitoring: Use WHOIS data monitoring tools to keep track of ownership changes and expiration dates.

3. Set Up Automated Alerts

  • Configuration: Configure your monitoring tools to send automated alerts for any suspicious domains, such as lookalike or typosquatting domains registered or changes in DNS records.
  • Custom Alerts: Customize alerts based on specific keywords, patterns, or threat intelligence relevant to your organization.

4. Integrate with Security Operations

  • SIEM Integration: Integrate domain monitoring tools with your SIEM (Security Information and Event Management) system for centralized logging and alerting.
  • Incident Response: Develop and implement incident response procedures for handling alerts from domain monitoring tools.

5. Continuous Monitoring and Analysis

  • Regular Audits: Conduct regular audits of your domain portfolio to ensure your asset inventory is up to date and monitoring settings are configured correctly.
  • Threat Intelligence: Integrate data breach monitoring to gain visibility into leaked employee credentials that could be used to make unauthorized DNS or WHOIS changes.