About Theo Geurts

CIPP/E Contractual Compliance and Privacy Officer at Realtime Register B.V.

Contacts and TLD Metadata interface update

After extensive work, we have updated the Contacts & TLD Metadata segments to the new interface that you’ve already gotten familiar with in other segments in the Domain Manager.

Along with the more modern look, we’ve focused on several improvements for your convenience. To list some highlights:

  • Performance; the new interface is optimized for much larger volumes of contacts, so the speed with which you find what you’re looking for and finish the task at hand will be much improved.
  • History timeline; you’ll find this completely new addition extremely helpful in tracking down what happened in the past for each contact handle, when it happened, and who carried it out.
  • Filtering functionality has been made much easier to work with.
  • We’ve added a ‘bulk update brand’ option where those of you using our multiple brands per account functionality can easily update multiple contacts handles to a new/updated brand at once.
Posted in DM

Realtime Register Insights is now available

Realtime Register always aims to add value for you and make a difference as a registrar! The past year we have been working hard to introduce a new service called Realtime Register Insights.

Realtime Register Insights provides you visible data about your domain portfolio. Now, at introduction, you will find useful dashboards on the content of your Domain Portfolio and your company’s Domain Abuse statistics.

Read more about Realtime Register Insights.

Posted in DM

Realtime Register joins the Global Cyber Alliance

Last month, Realtime Register partnered with the Global Cyber Alliance (GCA) to expand the Realtime Register Insights Domain Abuse Platform capabilities.

At Realtime Register, we have been collecting abuse/intelligence feeds like Pokémon this year. By adding the GCA Domain Trust Feed we are now up to 72 feeds. The information gathered we make available to our resellers, providing them with deep insight into how criminals are using their services. 

 

However, the Domain Trust Feed is not just a feed; it is much more.

Let’s get technical

 The GCA uses the Quad9 feed. Quad9 protects users from accessing known malicious websites, leveraging threat intelligence from multiple industry leaders, and currently blocks an average of more than 60 million threats per day for users in 90 countries. Pretty impressive, right?

 

Quad9 checks websites against IBM X-Force’s threat intelligence database of over 40 billion analyzed web pages and images.

The fun does not stop there as IBM X-Force taps into 18 different intelligence partners. 

  • Abuse.ch
  • The Anti-Phishing Working Group
  • Bambenek Consulting
  • F-Secure
  • mnemonic
  • 360Netlab
  • Hybrid Analysis GmbH
  • Proofpoint
  • RiskIQ
  • ThreatSTOP

There is an inevitable overlap of feeds since we already use Pulsedive, which offers around 30+ feeds and already includes Bambeneks C2 feed and Abuse.ch to detect malware. But better be safe than sorry.

But the Domain Trust platform offers more. 

As you can see in the above picture, the CGA Domain Trust Platform uses categories. The result is that multiple scenarios can unfold with more than one entity adding information to the feed. 

For example:

Quad9 flags a domain as suspicious. For registrars, this information is not actionable. But an ISP who is scanning some part of the internet could also see something dodgy. If the ISP marks the domain as suspicious on the feed, the registrar now has two insights. 

There could also be the situation that a law enforcement officer just concluded the investigation of the domain name and marks it as malicious, and decides it should be taken down or not. With three independent sources, a registrar has much more information to act on to check if a takedown is justified or not. 

If the domain name is taken offline by us/the registrar, we pass that information to the GCA Domain Trust Platform users. It is pretty cool that registrars or registries can ping back the feed results through an API. 

 Powerful

All in all, the Domain Trust intelligence platform is a powerful tool for registrars and registries to use in their fight against domain name abuse.

Security Threat Monitoring Beta

In this article/faq, I will explain the security threat dashboarding/monitoring. 

What is it?

In the first beta phase, we will make the threat intelligence we download from Pulsedive available to our customers in the domain manager. 

If you are a customer of Realtime Register you can join the beta program. 

Please contact our support team for information.

As a customer, you will be able to see the active security threats. 

Security threats could be phishing domain names or malware domain names. 

The Abuse Dashboarding provides you with information that usually does not get reported to Registrars. 

As a result, you can assist registrants very fast and clear a lot of issues.  

The goal

Our goal is not to set up a new business model. Abuse monitoring is free of charge. The end goal is to reduce DNS Abuse and stop it where possible. Providing our customers with detailed information should assist them in that goal. 

Not Realtime

In the current phase, we refresh the dashboard once a day. 

We are pulling a lot of data, and in the current setup, it is not possible to visualize such data real-time. 

In a later stage, we will be able to process data much faster. 

Getting Access

To get access you need to contact our support team. Once you have access we suggest you create a new user role with the following role: EMBED_BI

EMBED_BI

Once you add that user role to one of your users they will be able to view the data. Depending on the level of abuse it might take a while the first time to process all the data into your account.

The Dashboard

I think the layout is self-explanatory. 

How to export data

You can view the active security threats, the levels of abuse. 

In the dashboard, you can zoom in on different aspects and compare those with each other. 

For example, you can zoom in on a TLD and combine that with the risk level indicators. 

Combining information will give you a better sense of what is going. It also helps to detect patterns. 

Please make use of the filters; they are there for a reason. 

One of the key filters is the “added” filter. The “added” filter shows you the newest IOC’s (Indicators Of Compromise). 

 

Zoom in on Pulsedive. 

When you select a domain name, you can view the details as we downloaded them from Pulsedive, including the link to Pulsedive for even more information. 

It goes beyond the scope of dashboarding to explain Pulsedive fully. But from the screenshot, we can see in this example that the IP address no longer resolves, and the threat is most likely no longer active. Within Pulsedive, you can pivot through more data and or rescan a domain name to obtain the latest information. 

With the information at your fingertips you can remove malicious URLs from your server.

 

Pulsedive provides us with actionable threat intelligence data. The data covers the following areas. 

  • Malware
  • Phishing
  • Advance Persistent Threats
  • Cyber Terrorism and Cyber Warfare
  • Spam
  • Botnets/C2/C&C
  • User-submitted research like intelligence research
  • Domains Generated Algorithm names

History

With our data in combination with the data from Pulsedive some of our resellers can go back till the year 2015.

Spam

Currently, we are not monitoring domain names that are engaged in spam. 

Such feeds are very expensive, considering we do not provide email services. And we do offer our abuse monitoring for free to help to reduce DNS abuse. 

Putting DNS Abuse into context.

We are currently working on a project to provide abuse monitoring information to our customers.
Giving our customers just the raw data is not helpful, so our goal is to contextualize the data.
We still have long ways to go, but the basics are there.

So what do I see right now on our platform?

 

  • Malware (67%)
  • Phishing (23%)
  • The rest falls into somewhat general buckets like BEC fraud, DGA, botnets, dark lists, crypto mining, etc. Very low incidental percentages.

The above-mentioned data is from two years of monitoring.

On the left is displayed the overall abuse percentage since 2018. And yes, the abuse levels are low, certainly if you compare them with the registrar statistics from Spamhaus.

Malware is the biggest problem.
The number of domains used in malware is low (2.71%).
However, the number of URL’s is high (94.24).

When I dive into information, it becomes clear that Emotet a “Crime As A Service” is the biggest threat actor (operational since 2014).

Emotet does not get noticed much by registrars. Due to tactics, techniques, and procedures (TTP) used by these criminals, they do not require domain names. Meaning there is no registration data; there is no money trail; there is simply nothing at the registrar level.

Emotet hacks web and hosting services to deploy their malicious payload and essentially operates a botnet through these hacked services.

I think, however, that when we release contextual information, things will change. I suspect that situational awareness will provide enough info for our customers to harden security.

Currently, we are fine-tuning the data we download from https://pulsedive.com.
Pulsedive will provide our customers with a more granular level of detail. The data provided at Pulsedive is usually used by Security Operation Center Analysts to turn information into actionable intelligence.