Domain Registrars ID Cyber-Criminals With Secure Domain Foundation API

Tech Experts Unite to Launch Secure Domain Foundation

The Secure Domain Foundation will protect the domain industry from abuse by helping domain registrars and other Internet infrastructure operators identify cyber-criminals setting up criminal networks, the non-profit's founder said in an interview.

Launched Monday at ICANN's 49th Public Meeting in Singapore, the Secure Domain Foundation offers tools to look up a domain registration or a hosting request to identify potential criminal activity. The foundation will use its API to provide the registrar with an instant “credit score” indicating the likelihood of the domain being part of a criminal network, said Chris Davis, the president of SDF. Davis, a director at security company Crowdstrike, is known for his work identifying the Mariposa botnet.

SDF will “increase the pain for the bad guys” by making it harder to switch providers, Davis said.

Currently, if a domain registrar or hosting provider shuts down a domain for malicious activity, it's no big deal for the criminal to move to a different provider and resume operations, Davis said. SDF will provide a WHOIS lookup via its API product so that registrars such as GoDaddy can look at an application and know that the email address has been previously associated with a command-and-control server, or that the person had been shut down by a different provider just a few days ago.

The SDF's service “not only validates the contact registration data provided but also lets the registrar and registry know if we have seen that data used previously in relation to cyber crime,” said Norm Ritchie, chairman of SDF.

Over the past two years, SDF has been pulling together postal addresses, email addresses, malware indicators, botnet activities, and other domain-related information to compile an extensive database about malicious domains and actors. The data validation service will draw upon this extensive database. ICANN recently mandated that domain registrars must start validating contact information provided during domain registration. SDF's service makes this easier to implement.

Registrars can incorporate the data validation services directly into the registration process, or query the list of known-bad actors as part of a batch process run at a later time. The goal is to provide registrars with information to make their own decisions, not to force registrars to take certain steps. If a registrar learns that a certain domain is malicious and associated with a botnet, it is up to the registrar to decide whether to monitor the account closely, shut it down immediately, or do nothing at all. SDF just provides the tools and information; what to do with them is the registrar's call, Davis said.
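The workflow the article describes, stripped to its moving parts, is: validate the contact data a registrant submits (the ICANN-mandated step), cross-reference it against a clearinghouse of indicators previously seen in connection with cybercrime (the SDF step), and then let the registrar apply its own policy to the result, either inline at registration time or later as a batch over an existing portfolio. The following is an added, hypothetical registrar-side sketch of that pattern, not SDF's code or API: the real service's endpoints, response format and scoring are not on the page, so the indicator set, the score weights and the policy thresholds below are all constructed for illustration.

```python
"""Registrar-side screening of registration contact data.

Hypothetical example: the indicator set, weights and thresholds are constructed,
and nothing here reflects the real SDF API, which the article does not detail.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of "known-bad" indicators a clearinghouse might hold:
# contact data already seen tied to C2 servers or to domains another provider suspended.
KNOWN_BAD = {
    "email": {
        "ops@example-c2.test": "associated with a command-and-control server",
        "botmaster@mail.example": "shut down by another provider 3 days ago",
    },
    "postal": {
        "1 nowhere lane, springfield": "address reused across 40 suspended domains",
    },
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # coarse syntax check (assumption)
PHONE_RE = re.compile(r"^\+\d{7,15}$")                  # E.164-style digits (assumption)


@dataclass
class Registration:
    domain: str
    email: str
    phone: str
    postal: str


@dataclass
class Verdict:
    domain: str
    score: int                     # 0 = nothing found, 100 = strongest evidence
    reasons: list = field(default_factory=list)
    action: str = "none"           # registrar's own policy outcome, advisory only


def normalize_email(addr):
    """Lower-case and strip plus-address tags so 'Bob+x@Mail.Example' and
    'bob@mail.example' resolve to the same indicator record."""
    local, _, dom = addr.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{dom}"


def normalize_postal(addr):
    """Collapse whitespace and case so trivial variations still match."""
    return re.sub(r"\s+", " ", addr.strip().lower())


def screen(reg, indicators=KNOWN_BAD):
    """Syntax validation plus indicator cross-reference. Weights are constructed."""
    v = Verdict(domain=reg.domain, score=0)
    if not EMAIL_RE.match(reg.email):
        v.score += 15
        v.reasons.append("email fails syntax validation")
    if not PHONE_RE.match(reg.phone):
        v.score += 5
        v.reasons.append("phone fails syntax validation")
    hit = indicators["email"].get(normalize_email(reg.email))
    if hit:
        v.score += 60
        v.reasons.append(f"email: {hit}")
    hit = indicators["postal"].get(normalize_postal(reg.postal))
    if hit:
        v.score += 25
        v.reasons.append(f"postal: {hit}")
    v.score = min(v.score, 100)
    return v


def apply_policy(v, suspend_at=60, monitor_at=30):
    """The registrar's decision, kept separate from the data: the thresholds are
    the registrar's choice (constructed here), not part of the lookup."""
    if v.score >= suspend_at:
        v.action = "suspend"
    elif v.score >= monitor_at:
        v.action = "monitor"
    else:
        v.action = "none"
    return v


def screen_inline(reg):
    """Inline mode: one registration checked at submission time."""
    return apply_policy(screen(reg))


def screen_batch(regs):
    """Batch mode: re-check a whole portfolio later; return only the hits."""
    verdicts = (apply_policy(screen(r)) for r in regs)
    return [v for v in verdicts if v.score > 0]


# Constructed sample registrations (placeholder domains under .example / .test).
SAMPLE = [
    Registration("shop-legit.example", "owner@shop.example", "+15555550100", "10 Main St, Anytown"),
    Registration("update-srv.example", "Ops+cdn@Example-C2.test", "+15555550101", "10 Main St, Anytown"),
    Registration("free-gifts.example", "not-an-email", "555", "1 Nowhere Lane,  Springfield"),
]

if __name__ == "__main__":
    for v in screen_batch(SAMPLE):
        print(v.domain, v.score, v.action, "; ".join(v.reasons))
```

The point of splitting `screen` from `apply_policy` is the one the article makes: the lookup only reports evidence and a score, while monitoring, suspending or ignoring remains a decision each registrar configures for itself.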

SDF will also take a pro-active role in identifying bad actors and notifying law enforcement and registrars with sufficient evidence to get the domain shut down, Davis said. Other organizations with research on malicious servers can also contact SDF. The foundation will act as a “clearinghouse for abuse complaints,” Davis said.

Some of the industry's biggest brands back this foundation, including the Anti-Phishing Working Group (APWG), Blacknight Solutions, CIRA (.ca), CO Internet (.co), CoCCA, Crowdstrike, DomainTools, Emerging Threats, Enom, ESET, Facebook, Foreground Security, Internet Identity, Mailshell, Names.com, SecDev Group, Verisign, and Verizon.

While the current market focus is on domain name registrars, registries, ccTLD operators, and gTLD operators, SDF plans to expand services to include hosting providers, DNS operators, CERTs, law enforcement, and other key stakeholders in Internet infrastructure.

While SDF will provide just the data validation service via the API as part of the initial launch, Davis said the focus was on a staged approach to expand its services. One approach is to work with these providers on setting up locks and other protective security features to make it harder for domain name system records to be maliciously modified.

“We are going to save the world one step at a time,” Davis said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.