New vs. Old Domains

In the past few years, companies have all been warned about the dangers of accessing newly registered domains (NRDs) and for good reasons. Many members of the security community have, after all, seen networks breached after an employee clicked a link to such a domain embedded in a spam or phishing email. But are users only supposed to be wary of NRDs? What about old domains? Do they not figure in cyber attacks as well? This post explores the risks each domain type poses.

Out with the Old, in with the New?

Studies often suggest that thousands of possibly malicious NRDs could be making their way into the Domain Name System (DNS) daily. A rough estimate can be obtained by dividing the average number of NRDs registered per day by the average number of NRDs that have to be checked against threat databases before one of them is found to be malicious.

These figures could cover only the NRDs under the “.com” top-level domain (TLD); adding all the other TLDs to the mix, for example by using an NRD data feed available from services like https://iqwhois.com/newly-registered-domains, would add thousands more.

Users who are tricked into clicking links to malicious NRDs could end up getting phished or redirected to malware hosts. Not only are they at risk of financial and identity theft, but their computers could also fall under the control of the attackers. Those computers could end up as part of botnets or similar criminal infrastructures used to attack bigger targets.

These scenarios make monitoring NRDs, and blocking access to those found suspicious or malicious, a critical cybersecurity strategy. But is that enough? Don’t users need protection against old domains, too?

Maybe Age Doesn’t Matter

The quick answer to the questions above is a resounding yes. While many threats can come from NRDs, aged domains also figure in cyber attacks. Analyses of published SolarWinds indicators of compromise (IoCs), for instance, found that the threat actors favored old over new domains in their campaigns.

The threat actors in this case could have chosen old domains to avoid the risk of failing to infiltrate their targets’ systems, since monitoring and blocking access to NRDs has become the norm among the more security-savvy companies. It is interesting to note, however, that several domains used in the attack were new. Those could have served as a failsafe in case the old domains did not manage to get the malware onto the targets’ computers.

For the SolarWinds actors, it seems domain age does not really matter. What counted more was making sure the domains delivered their malicious creations to their targets’ computers.

If security studies reveal anything important, it is that both old and new domains can pose dangers to any organization. Taken together, they also make clear that NRDs can figure in any attack. As the SolarWinds hack showed, the threat actors did not just use relatively aged domains but mixed these with NRDs to ensure the attack succeeded.

In light of this, it is a good idea to monitor the addition of domains to the DNS using an NRD data feed or database to reduce a company’s attack surface. Such feeds, delivered daily or weekly, enumerate all the NRDs that made their way to the Web and could potentially end up being abused by cyber attackers. By marking suspicious NRDs for a closer look and blocking access to all those found malicious, organizations can ensure better protection for their own data and that of their customers and employees.
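The triage described above, as an added example that is not part of the original post: a constructed NRD feed (comma-separated domain and creation date, a made-up format) is parsed, each domain’s age is computed against a fixed reference date, NRDs are marked for review, and anything listed in a stand-in threat database is blocked regardless of age, which is the post’s point about aged domains. The 30-day NRD threshold, the feed layout and the sample domains are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

NRD_AGE_DAYS = 30              # assumption: registered within 30 days counts as "new"
TODAY = date(2021, 3, 3)       # fixed reference date so the example is reproducible

# Constructed sample feed (not real feed data): header line, then domain,created
SAMPLE_FEED = """\
domain,created
login-example-bank.com,2021-03-02
updates-cdn-example.net,2021-02-27
archive-example.org,2015-06-14
records-example-trust.net,2012-09-01
"""

# Constructed stand-in for a threat database lookup (e.g. published IoCs).
# Note the listed domain is old: age alone would have let it through.
KNOWN_MALICIOUS = {"archive-example.org"}


@dataclass
class Verdict:
    domain: str
    age_days: int
    action: str    # "block", "review" or "allow"
    reason: str


def parse_feed(text):
    """Return (domain, creation_date) pairs, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        domain, created = line.split(",", 1)
        rows.append((domain.strip().lower(), date.fromisoformat(created.strip())))
    return rows


def classify(domain, created, today, known_bad):
    """Threat listing wins over age; unlisted NRDs go to review; aged unlisted domains pass."""
    age = (today - created).days
    if domain in known_bad:
        return Verdict(domain, age, "block", "listed in threat database")
    if age < NRD_AGE_DAYS:
        return Verdict(domain, age, "review", f"registered {age} days ago")
    return Verdict(domain, age, "allow", "aged and not listed")


def run_sample():
    return [classify(d, c, TODAY, KNOWN_MALICIOUS) for d, c in parse_feed(SAMPLE_FEED)]


if __name__ == "__main__":
    for v in run_sample():
        print(f"{v.action:6} {v.domain:28} age={v.age_days:>5}d  {v.reason}")
```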