Cyber security is not a linear process. At Nominet, two decades of expertise in protecting the country’s internet namespace may have given us tools and experience to draw on, but we still work in a challenging landscape every day. The risks evolve as fast as the technology, and we approach cyber security as a journey. Learning and refinement are the only constants in our endless work to keep pace with the cyber criminals.
Those of us working in this area of business will also attest to the juggling act that makes up much of our cyber security work. We must constantly balance negative impact with positive benefit: there is a business impact from suspending or blocking a benign domain name, but a site used for criminal purposes can cause rapid and widespread harm.
We also need to weigh up the benefit of using automated algorithms, in terms of speed, against the number of false positives this brings. How much is too much when it comes to inaccuracy? One per cent can seem like a low rate of false results, but context changes what is acceptable. In our work protecting Government systems with our Protective DNS service, that percentage would cause significant impact.
Thankfully, we have plenty of input to guide our decisions at Nominet. Like most businesses, various sources of threat intelligence, some of which are open source, are consumed and analysed to inform our decision-making process. We factor in the reliability of the intelligence we receive (those with more context are more useful) and, in combination with the intelligence we produce ourselves, direct our actions and activities as we believe is best.
This might involve sending the intelligence straight out for others to use. For example, with Domain Health we share information with .UK registrars about the domains under their administration, highlighting those that are implicated in spam, phishing, malware or botnet activity. We also supply practical advice on how registrars can address any problems via their own channels.
In other instances, we create our own algorithms and refine our internal processes to detect criminal activity across the .UK Domain. Our tool Domain Watch uses algorithms for identifying, at the point of registration, which domain names are likely to be used for criminal purposes such as phishing. The combination of our expertise and manual and automated processes enables us to quickly spot and respond to malicious activity.
With Domain Watch, the business impact of blocking a domain at registration is likely to be minimal because the domain name has just been created – and if a domain is suspended, the registrant will receive an email informing them what has happened, together with the next steps required if they feel the suspension was not correctly applied.
It is a sad fact that some domains are clearly intended to be deceptive, often featuring typos of well-known organisations in both the public and private sectors, or include reassuring words such as ‘secure’ to mimic an authority, e.g. nominet-secure.uk. Since the launch of the service in July 2018 we have suspended 129 domains intended for phishing use, including barc1ays.co.uk and notifications-hmrc-gov.uk.
Sometimes, a domain that looks like phishing can have a legitimate use. We have had one authority reassure us that the domain name was supposed to look like a phishing site as they were using it for phishing training. We also found a domain that mimicked a Government site was being used legitimately for a video game. Despite some false positives, the work we do can result in a significant positive impact. We’re able to identify potential phishing sites before they enact their campaigns, mitigating the use of .UK domains in phishing activity.
This is just one of the areas in which Nominet works tirelessly to maintain the safety of the .UK namespace. We also work with police and other law enforcement agencies to suspend .UK domains that are being used for criminal activity. Our recent annual report reveals that we suspended over 32,000 .UK domains for criminal activity over the past year, which was double that of the previous year. Despite the high number, 32,000 suspensions only represent around 0.27% of the total .UK domains under management to date.
However, there is always more to be done. Not only are we trying to catch up with the cyber criminals, we are also trying to predict likely action based on past criminal patterns. The variables are vast, as is the volume of data to be handled, but improving solutions are better than no solutions, and the journey is one of endless learning.