Home / Blogs

Probability of ROI and Tighter Network Security by Blocking Malicious Subdomains

April Lorenzen

Failing to block a stealthy malicious host from making connections to your network could cost your company millions of dollars, a damaged reputation, and severe losses in sensitive private data.

Threat intel teams have faced on-going problems:

  • Expensive feeds that are slow to catch new threats
  • Chasing false positives in alerts wastes time and money
  • Vendors selling a new appliance for every ill

Would 100% of your users Spot the Bot?

Sophisticated security professionals wouldn't be fooled, yet what about some of your endpoint users? Long, confusing subdomains have been successfully used by crooks for over a decade. More of these dangerous hostnames are created every day due to increased value for compromised accounts. Even social media accounts are now seen by criminals as providing a high concentration of valuable personal information. Control of a Facebook account for example, can enable access to payment methods, impersonation of executives or IT staff, and security question answers useful for breaking into higher value accounts.

Once a user's account is compromised, corporate assets they have access to may be exfiltrated by criminals who can now intercept multi-factor tokens for administrator privilege systems.


8 out of 10 Malicious Hostnames Go Active in First 48 hours After Creation

You can prove or disprove this assertion [1] by checking the validity for your own network, with the data that matters — your own. Take a look at the last 5 - or 10 - or 100 - malicious hostnames involved in infections, breaches, or clicks on phish at your own company.

How much time passed between creation of the malicious hostname - and when the malicious action first took place on your network? Don't average the results - bucket them by days because those buckets will lead you to a winning threshold strategy. You can then apply this strategy to identify and protect from the malicious methods represented by each time constrained bucket. [2]

Using this preliminary research or your own data, here's an example of transforming the initial conundrum into an opportunity to add a solid network protection layer.

Global Conundrum of Doom:

New hostnames flow freely through your network because:

  • Large number of new subdomains are not malicious and are needed for business activity
    • Content Distribution Network (CDN) hostnames
    • Cloud service hostnames
    • Campaign tracking hostnames
  • Threat feeds you buy won't list the newest malicious hostnames until it's too late - some malware has already been dropped into your systems

Transform the Problem into a Low Cost High ROI Solution:

The same data point that gives criminals the advantage over you - you've never seen the hostname before - so you don't know to block it - can be turned on its head to give you the advantage over the criminals.

Let's say you've never seen the hostname before, and it's not from a common CDN or business cloud service. You don't need to trust this new hostname, not in the first 48 hours of life.

Add rules to your existing network appliance to:

  • Block hostnames created less than NN hours ago
  • Exception for new hostnames based on a small whitelist
  • Continue using your best threat feeds to cover old/slow hostnames

How many hours should you use for NN? Ideally base this on your own network data and experience. 48 hours may be a place to start - just remember to stay flexible in case the criminal element or new legitimate services change tactics.

Increase Confidence Levels Using Global Passive DNS

Your own network data is the best data to develop protections relevant to your enterprise. At the same time, you need to do external validation of data points such as "when was a hostname first seen in the global DNS". Check the hostnames seen in your network - known good, unknown, or known bad - against what the rest of the world sees.

It's a quick study to get a "hostname age" data point for the hostnames seen in your corporate network for a day, a week, or even an hour based on your equipment or limitations. At the request of a customer, Zetalytics recently created an ad hoc UDP query service that accepts a hostname and instantly returns the date it was first seen.

Unlike "domain age" services based on slow whois queries - a query service for hostname age works for the vast array of malicious subdomains such as those based on dynamic DNS providers, free services that attract and harbor criminals, as well as providing solid and reliable knowledge for base domains you should whitelist.

When selecting a passive DNS data source, test for global geographic diversity as well as customer type diversity. Check that the type of hostname visibility matches your needs, ensuring that it is a good mix of enterprise vs consumer and has great coverage in the countries where your company does business.


Whether you roll your own, outsource to a service, or go down the middle with expert advice and training to help your team best utilize your own network data - there are golden opportunities for network protection from the newest malicious hostnames on your network. Hostnames so new - even your best threat intel feeds haven't found them yet.

RESOURCES: Contact fredt@zetalytics.com to join a slack channel community collaborating on research and results about new malicious hostnames. We have ongoing discussions with other compliance and security professionals looking into similar parameters for their network, how to conduct the research, and what results people are seeing.

[1] “8 out of 10 Malicious Hosts First Seen Today, Yesterday or Never”, https://zetalytics.com/hostnames.html
[2] See RESOURCES at end to join a Slack channel community collaborating on this work

By April Lorenzen, Chief Data Scientist at Zetalytics. April is an Internet security researcher specializing in the preemptive discovery of miscreant and crimeware resources in the domain name system. She is the primary architect of the free open source data visualization tool "Mal4s” as well as operating IoC security feeds continuously since 2004, overseeing one of the world's most geographically diverse passive DNS systems in her work as Chief Data Scientist at Zetalytics.

Related topics: Cyberattack, Cybercrime, Cybersecurity, DNS, DNS Security, Domain Names, Networks


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper


Sponsored by Verisign

DNS Security

Sponsored by Afilias

IP Addressing

Sponsored by Avenue4 LLC

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Domain Registrations Reach 331.9 Million, 6.7 Million Growth Year over Year

.brands Spotlight: Banking and Finance Industries

Google Buys Business.Site Domain for 'Google My Business'

Radix Announces Global Web Design Contest, F3.space

Global Domain Name Registrations Reach 330.6 Million, 1.3 Million Growth in First Quarter of 2017

.TECH Gets Its Big Hollywood Break

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

UDRP: Better Late than Never - ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital