Domain Name Security Challenges episode artwork

EPISODE · Dec 25, 2023

Domain Name Security Challenges

from Info Risk Today Podcast · host InfoRiskToday.com

Protecting domain name systems finally has the attention of cybersecurity professionals -because every recent large data breach has involved a DNS vulnerability. But there is much work to be done. According to Ihab Shraim, chief technical officer at Corporation Services Company, just 1 in 100 security companies knows who their registrar is and where their domain name resides.

Episode metadata supplied by the publisher feed · Published Dec 25, 2023

Protecting domain name systems finally has the attention of cybersecurity professionals -because every recent large data breach has involved a DNS vulnerability. But there is much work to be done. According to Ihab Shraim, chief technical officer at Corporation Services Company, just 1 in 100 security companies knows who their registrar is and where their domain name resides.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Domain Name Security Challenges

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Welcome to Cybersecurity Insights, the podcast for the CyberEd.io learning community. Our goal is to bring cybersecurity practitioners the latest and most relevant education and training to upskill and dive deeper into topics that matter in today's modern cybersecurity world. Good day, everyone. This is Steve King, the managing director here at CyberEd.

And today I have the pleasure of Ihab Shreim's company. He is the CTO of CSC Digital Brand Services and a guy who's been around a while and knows the space really well. CSC is the provider for the Forbes Global 2000, by the way, and also the 100 Best Global Brands in the area of enterprise domain names and DNSs and digital certificate management, et cetera, et cetera. This is a great conversation and very relevant right now since DNS has finally gotten the attention of folks in the cybersecurity industry who had felt for years like they were ignoring this.

And then if you look at every breach that's occurred in the last, you know, I don't know, couple of years, they've had horrible vulnerabilities in their DNS. So I think that there's a there's a movement afoot here, which is great. Ihab has also been a primary inventor on 10 U.S. patents.

Once upon a time, he was on the board of Binary Guard. He also served as their CTO. And prior to that, he was a general manager for Presidio's managed security service and vice president of engineering and CIO for Clarivate Analytics. He's a graduate of George Washington University, holds an undergrad in electrical engineering and computer science.

And with that, I welcome Ihab to our show. Thank you very much. Yeah, I'm looking forward to it. Let's let's jump right in.

Why why are security professionals and why have they been radically overlooking domain security? Awesome question. If you look in terms of domain security, basically, just to create a definition around that, it's basically protecting domain name portfolios around the globe, which means you may have presence in America, Europe, and a certain country, et cetera. So global companies do have presence everywhere.

And as you know, there are what's called global GTLDs, as in .com, .net, .org, and so forth. And there are CCTLDs, which are country code, by which a domain name portfolio is defined within that country. For example, .UK or .RU. RU stands for Russia, as well as UK stands for United Kingdom.

So protecting that domain name portfolio is unarmed. And unfortunately, it is missed in the security posture. It is captured in different mechanisms, but it's not well thought out when it comes to security practitioners as well as global companies, because what happens when you deal with a massive portfolio, you have to think in terms of your registrar, you're locking your domain names, ensuring that registrar is focused on registering corporations rather than retail and so forth. So it's really missed.

And in fact, I just want to allude to something. I went to Gartner and Black Hat conferences last year as well as this year. And I've gone to the vendor shows and I would ask the same two questions. Who's your registrar and where are your domain names reside?

And let me guess, nobody knew the answer. Excellent. No one knew the answer. In fact, one out of maybe a hundred would know the answer.

And there are these are security companies that are protecting enterprises out there. It is just eludes them, unfortunately. And just one thing about our company, our company does many things, but to include registering companies online and so forth. And CSC stands for Corporation Services Company.

Yeah. You know, part of the challenge, I think, in getting our collective mind wrapped around the problem is that I don't think we understand the complexity of the various threat vectors. Can you sort of dive into that a little bit and talk about how these vulnerabilities are leveraged? Excellent.

So security professionals within any company are focused on protecting the enterprise inside the firewall. In other words, they are looking at the DMARC points, regardless of whether they are in the cloud or extended to the user residing in a house, meaning working from home or within the perimeter of the enterprise, meaning the corporation within their data center or cloud. What they are looking for, they're looking for anything that could harm the company from the perspective of threat vectors. What is missing in this ecosystem is what's outside the firewall or what's outside the DMARC.

In other words, where are these hackers, bad actors, fraudsters are attacking that particular company? Most of these attacks are after the soft targets. So hackers, bad actors would rather attack something that is easy to attack and it's exposed by which they can scan it and look for a soft area that they can penetrate through that defense mechanism. So what are these soft targets?

Domain name ecosystem. The domain name ecosystem is where you have registered those domain names. Do you have a web hosting part? You have a web server.

DNS is exposed to the public. So these are various vulnerabilities that could be out there where some of it are properly patched, some of it may not be properly patched and so forth. And we can go into a lot of examples. For example, dangling DNS where DNS can be hijacked.

And that's, by the way, the most recent attack that had a lot of press behind it last year and the year before, where very easily a company would forget about their subdomain name. And now that they don't, you know, they don't remember them. No, they were functioning at one time, but then they moved on and then that site was abandoned in the cloud and bad actors will exploit that. So and phishing, for example, phishing happens mainly outside the firewall.

In other words, they fish their target. This is called a targeted attack. So they fish their target, meaning the users of that company, as in the customers, outside the DMark of the company. For example, if you look at the phishing attacks launched against financial companies, they go after the users who are sitting at home conducting online banking and financial movements of as our daily purchases online through e-commerce sites and the like.

Yeah. Was it Microsoft itself responsible for a remote code vulnerability in their own DNS servers that that was like a critical 10 on the CVSS, is that? Yes, that's that's one vulnerability. But if you look at the primary vulnerabilities that you see within DNS, let's let's take that.

Let's take a level back here. Why are these vulnerabilities doing this? The Internet operates today on IPv4, of course, with an extension of IPv6. IPv4, the Internet Protocol version 4, is full of security holes.

That's why we are dealing with such mass of attacks out there. So when you attack a DNS infrastructure, what you look for, of course, you can probe immediately any company. You can probe what is their primary DNS server, secondary DNS server, and what is their footprint on the Internet. That's easily done.

You can look at, let's say, a target company A, you look at the WHOIS record of the company A, and then you look at their DNS servers. You apply a couple of commands like NSlookup and so forth. You get the NS1, NS2. Now you have them, the servers.

Then you go after what is the most recent vulnerability out there on DNS? And you see if that vulnerability does exist within that DNS services. Also, DNS services have always, if you think in terms of companies, they have a backup system, right? A failover system.

You can identify that with a few commands on the command line. Now they have built a blueprint of what to do with DNS. Now, remember, I alluded to subdomain name hijacking or dangling DNS. This is an easy one to just like quickly, what is that entail?

Normally, the marketing team, let's say, will launch a subdomain name, which is, you know, a launch of a marketing campaign. They would put it in the cloud, then they will call their IT system, IT engineers. Could you please point the DNS records to that particular cloud instance in some web hosted company? And then the work is done.

So normally the marketing team will disconnect. They remove their content from that web hosted site. But in reality, the DNS records still exist in the zone file of DNS. And now bad actors scour the Internet looking for these missing links.

And what they all they have to do is build a website and repoint that subdomain name to that particular hosted environment. Voila, now you can either phish the company or do something such as narrate something negative about the company, etc. Yeah. And no one knows.

And no one knows. It's very hard to detect because nobody goes and monitors subdomain name monitoring. Why not? Why not?

Exactly. And then with phishing attacks, you have these blended attacks that you don't see the market is talking so much about them. You know, you phish a company and then it's augmented with malware. But what if that malware doesn't do anything?

In other words, you click on a link and that's what's lethal about the current malware that we see. You click on a link, a downloader will take place, or it's embedded in the image or embedded with an attachment through a simple email that goes to the victim or the person who's going to fall prey for that particular campaign. Now you have that malware sitting and that malware is not going to go active. That malware is going to look at the clock of the system and will stay dormant for a very, very long time.

And then it wakes up and it does certain executions, meaning certain tasks, such as collecting certain data sets, probing within the network, figuring out how to go lateral if it can, but most likely is going to go communicate with the command and control. But recently, they don't communicate with the command and control right away. They have a few instructions to go make lateral movements. Then they communicate with the command and If you have a vital domain name, a critical domain name that operates online, you don't move it.

For example, e-commerce, call it e-commercecompanyA.com. That domain name cannot be moved to another registrar. You cannot just manipulate the ownership of that domain name. So that's called locking or multi-locking a domain name.

We go further beyond that. We look at, we monitor the add, drop, and modification of these domain names every day. For example, Verisign published what's called zone files, .com, .net, and so forth. We monitor the behavior of these domain names in association with the brand itself.

So call it brand A. Now we monitor everything as in newly registered domain names, drop domain names, or re-registered domain names that are similar to that particular name. And that's an art on itself because we have a holistic approach to monitor those domain names that are crucial to that company. So their online presence is always protected and any variation, any similarities is thoroughly investigated.

Two other points that we normally do, we recommend having an enforcement company to be right next to you. And what is an enforcement company? A company that is capable to shut down any phishing site, any hostile site that could lure your customers or your employees to. And if you have that black book, you'll be able to shut down any site around the world because of your name, your credibility, and your ability to take that.

And last but not least, I will always say that monitoring, monitoring, monitoring, you have to have that integrated with your security operations center or your SOAR solution so that you can immediately take action and you set a procedure by which you say step one, step two, step three in the event that I see something that could damage my reputation outside my company, I'm sorry, outside the firewall or any infringement on that domain name portfolio. Yeah, you know, it's amazing. We see this happen so frequently and we're not, you know, we're not talking about, you know, mom and pop small businesses in the middle of Kansas. We're talking about, no offense to Kansas, but we're talking about Fortune 50, Fortune 100 companies.

You know, if you look at their main website, you know, are frequently non-secure. So what do you think not secure means to them? You know, and I'm just stunned that people continue to ignore this. In fact, wasn't a lot of people, and I think I'm one of them, believe that the compromise DNS was the original entry point for the SolarWinds attack.

Exactly, exactly. Well, you know, if you think in terms of, Steve, what is happening now? And it's interesting because I know your background. I mean, we evolved in the early 90s where having a domain name connected to a DNS record, an A record was an easy thing.

You could just go do it and no one would think that somebody would go and hijack, say, a session, a DNS session. Then we started seeing a problem, DNS poisoning, the late 90s, early 2000s. Then the TCP IP sessions became to be hijacked. There were some scripts that can be pulled together.

You sit on the network, you sniff some traffic, and then you hijack that TCP IP session. Then it moved forward. If you look at all the problems we kept dealing with are systematic problems that you can do something about it if you protect your DNS servers and your secondary servers and the failover servers. Now, of course, there's no magic wand that you can protect everything.

And that's where risk management comes in play. But most of these attacks require what? A domain name. It begins with a domain name and you must have a DNS record for it.

And if you begin with that proper way of looking at the world, it becomes much simpler to protect the enterprise. And one last piece about this. Most of companies today are so bogged down with, if you look at their security operations centers and their network, in the old days network operators, why are they not able to detect these things? Well, so quite alarming.

What you see is that within these security operations centers, they do have all the tools that you can think of under the sun. Great tools, I mean, great companies are producing awesome. But the individual who's working in that SAW is suffering from several problems. Number one, alert fatigue.

This is a cumbersome problem and I see it almost in every company. The second problem you see, vendor fatigue. You have to have training on this vendor UI versus the other UI. Then the market, of course, is pushing a lot of products toward the frontier, which where VCs do a lot of investments.

For example, you will see we moved from EDR solutions to XDR to source systems. And prior to all that, it was a SIM system, right? So that evolution right there, you say, wow, I should be detecting stuff. On the contrary, the detection mechanism is getting worse and worse and worse in these security operations centers.

It shouldn't surprise anyone, actually, if you pull back 10,000 feet, you look at this. You know, these networks, for the most part, working on were designed 25 years ago. And they've been slapped together ever since in layer after layer after layer of like new tools and new approaches to new threats, et cetera, et cetera. But we have no idea.

I mean, I don't think I can find a network engineer that could tell me what his or her network topology looks like at any given moment. You know? And so, but we're always surprised, you know, like, why come we're having all these breaches? Well, we designed these systems with no insight as to what the future was going to look like.

And instead of ripping and replacing them, which seems to be my thing these days, we continue to like add on to, you know, increase the complexity and increase the challenge. And we have to do more and we have less to do with. And I just can't imagine being a CISO in 2023. If your observation is 100% spot on, what you have alluded to is one of the most fundamental core elements of where our industry is suffering from.

Historical build-out. In addition to current build-outs, it does have a name. It's called spaghetti code. Seriously.

You're talking about my original code now, so be careful. Well, look, think of what's happening now. Let's take a look at what's happening today. Now, the market has shifted a little bit.

Corporations are resizing. Budgets are kind of shrinking, right? So what does that mean? That means it's a big opportunity for the larger companies to do M&A.

And the M&A now is skyrocketing. In fact, the other day I saw a company got raised $1.5 million, without naming it, to shut down companies. In other words, they'll take care of the people who work to shut down a startup because there was some massive investment in the cybersecurity world in the past seven years. And a lot of startups are closing now.

And this company just came out of nowhere and said, yeah, I can create a business out of it. But to get back to the point, the real point is that old systems merged with newer systems and M&A, meaning you, let's say you buy eight, nine companies. And there are companies who buy much more than that. When you integrate them, what do you think the bottom line is going to be, Vic?

They're not going to go rewrite all the code. You're going to end up with legacy code, unpatched. You are going to end up with duct tape being placed between systems. You are going to end up with shadow IT.

You are going to end up with vulnerabilities. You're going to end up with a gamut of problems. And add to that, you will have 20, 30 tools to monitor the environment, which poses a challenge for security professionals. And indeed, indeed it does.

What is the, I'm conscious of the time here, so I want to give you one final question, if I can. What is the, what is your assessment of the impact of generative AI going to be on the world of domain security? Wow, man, you've hit, seriously, Steve, you've done your research, my friend. Yes.

If you look at, this is a great question. And let's take it even further. We're currently conducting a deep study on, say, let's take with generative AI, there are two things now to look at from our perspective. On the domain name ecosystem, let's look at ChatGPT.

ChatGPT, the OpenAI, they launched 3.5 last November. So we said, okay, what happened after last November and on till this day versus before then? How many domain names were registered before November of last year? You will be shocked.

11,000 domain names, approximately. How many domain names were registered after November 2022? 104,000 domain names. Then you say, for how many of those are, and where are they registered?

So let's look at the GTLD extensions. Where are they? We found that 75% of them went in the .com world, 4% .net, and here's the surprise, about 4% equal to .net, which is .net is highly popular, .xyz, which is a GTLD for any, say, blogger or anyone who wants to create an NFT for themselves. But xyz is cheap.

You can buy it at a very cheap rate, $2, $3, versus a .com, $18.90. Makes sense? Plus, if you want to lock it, it really adds up after a while for that particular domain name. Very surprised when we saw that.

We said, okay, so is there any fraud? This is our business. We have, we monitor challenging for security professionals in the near future. Yeah, no kidding.

And I think the near future is honest. And then, you know, the whole idea of trying to figure out how to regulate AI, it seems silly to me because what, for example, would you do to change the arc of what you just described? And then if you did it in America, you know, who's going to do it in China, Russia, Iran, North Korea, you know, other countries around the globe who maybe don't have the same considerations about the morality of their behavior that we try to do, I guess. But it seems to me to be a lot of wasted effort into thinking about how to regulate this stuff because you just described the case where, you know, it's not, you'll have to accept the fact that ChatGPT or OpenAI, for example, is not nefarious in their, you know, in their management of their large language models.

But there are so many ways around the guardrails that they've tried to put in place to prevent the sort of thing that you just described. And you're absolutely right. I mean, it's super easy to get, I mean, I can get them the right code to create, you know, 25 different threat vectors and let them loose. Oh my God, you're so right, Steve.

I mean, it is so good now in ChatGPT, which is, as I told you, it's a tool that you can lease for a hundred bucks a month, more, a bit more than that, $120. This tool can write you embedded code by which you can embed malware. This is, it's even getting, it's getting scary. Malware that has multi-level encryption and decryption.

I mean, when we are speaking that way and in an infant revolution, what is going to happen in two years from now? What is going to happen in three years from now? This thing is accelerating at, it's not exponential rate. It's almost a vertical rate.

It is so shocking to me, the amount of abilities that these tools have. And they are looking at more tools. They tell you, for example, they have a roadmap. Oh, we can add XYZ to these tools very soon.

For example, if you are interested, as I said earlier, in building a phishing attack or building a phishing kit, we can do that for you. Not only that, you want to embed it with malware. We can do it for you. You want to poison the data.

This is also heavily alarming, meaning poison the data of OpenAI, ChatGPT, and Lambda of Google and others. We can show you how to do that. And then that's where it becomes scary. You can build, but you can poison the data.

That means the data is going to be judged. You are going to receive judgment or some analysis based on poisoned data, meaning bad data. And that's the scary part. Yeah, of course.

And what's going to happen two years from now, obviously, you're going to return to the show and we're going to do another interview and we're going to see what happened in the last two years. So with that, I think I'm going to close the show today. And I want to thank you again. It's been a real pleasure discussing this topic.

Most people don't want to, for some reason. And I would also invite you to teach a course at CyberEd if you'd like to, on domain name security and domain security in general, because it's a topic that people need to need to understand more about than they do today. So if you'd like to do that, let's honor to do that. I would be that would be great.

So in the meantime, once again, this is Yad Shreem, the CTO of CSC Digital Brand Services. And I hope that our audience enjoyed this as much as I did today. And I'm glad we're finally talking about this with an expert out in the open where it belongs. So until next time, it's Steve King, your host, signing off.

Thank you for joining us for another episode of Cybersecurity Insights. You can connect with us on LinkedIn or Facebook, or send us an email at [email protected]. For more information about the podcast, visit cybered.io forward slash podcast. Until next week, stay safe and secure, and we'll see you on the next episode of Cybersecurity Insights.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on December 25, 2023.

What is this episode about?

Protecting domain name systems finally has the attention of cybersecurity professionals -because every recent large data breach has involved a DNS vulnerability. But there is much work to be done. According to Ihab Shraim, chief technical officer at...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!