Loss of personal data is inevitable: why hackers "accumulate" malicious domains

Brother

Palo Alto Networks specialists have shared the latest results of their work on combating malicious activity.

Cybercriminals often reserve a large number of domain names for their fraudulent activities. In research circles this phenomenon is called "domain warehousing" or "domain accumulation".

The accumulation of domains is a significant threat in cybersecurity, as it allows attackers to build extensive networks of phishing and fraudulent sites. These sites often disguise themselves as legitimate web resources, misleading users and tricking them into disclosing confidential information such as usernames, passwords, bank card details and other personal data.

In addition, accumulated domains can be used to distribute malware and to conduct attacks on critical infrastructure. At the same time, tracking and blocking such domains is a serious challenge for defenders, given their sheer volume and constant churn.

To effectively solve the problem described above, Unit 42 specialists from Palo Alto Networks have developed a new method for early detection of malicious domain accumulation using extensive databases and machine learning.

When creating a large number of such domains, attackers use various services and scripts to automate and speed up routine actions. This automation usually leaves traces in data sources such as certificate transparency logs and passive DNS (pDNS) data. These traces are what the researchers used to detect suspicious activity.

To detect accumulated domains, Palo Alto Networks specialists engineered more than 300 features and processed terabytes of data, including billions of pDNS records and certificates. To train the Random Forest model, the researchers used a labelled knowledge base consisting of millions of both malicious and benign domains.
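To make the CT-log and pDNS traces concrete, here is an added example (not Unit 42's code, and not its feature set) that builds a handful of illustrative features over constructed certificate-transparency and passive-DNS records and flags domains that were certified in a burst on shared hosting. The sample records, the feature names, the 30-minute burst window and the rule-based `flag_accumulation` stand-in for the trained classifier are all assumptions; in practice the feature dictionary would be fed to a Random Forest (for example `sklearn.ensemble.RandomForestClassifier`) trained on labelled domains, which is omitted here.

```python
"""Illustrative feature extraction over constructed CT-log and pDNS records to
surface bulk-registered ("accumulated") domains.  Added example; the data,
features and thresholds are assumptions, not the Unit 42 method."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import log2

# Constructed sample CT-log entries: (domain, not_before, issuer).  Made up for
# the example; the six "campaign" names are certified within 20 minutes.
CT_LOG = [
    ("mail-secure-login1.example", "2024-03-01T10:00:12", "Issuer-A"),
    ("mail-secure-login2.example", "2024-03-01T10:03:40", "Issuer-A"),
    ("mail-secure-login3.example", "2024-03-01T10:05:02", "Issuer-A"),
    ("webmail-verify4.example",    "2024-03-01T10:09:55", "Issuer-A"),
    ("webmail-verify5.example",    "2024-03-01T10:14:31", "Issuer-A"),
    ("account-update6.example",    "2024-03-01T10:20:07", "Issuer-A"),
    ("bakery-on-main.example",     "2023-11-14T08:12:00", "Issuer-B"),
    ("citylibrary.example",        "2024-01-22T15:45:09", "Issuer-A"),
    ("localgarage.example",        "2024-02-10T12:00:00", "Issuer-B"),
]

# Constructed passive-DNS A records: (domain, rdata, first_seen).  The campaign
# names all resolve to one IP; the benign names each have their own.
PDNS = [
    ("mail-secure-login1.example", "203.0.113.10",  "2024-03-01T09:58:00"),
    ("mail-secure-login2.example", "203.0.113.10",  "2024-03-01T10:01:00"),
    ("mail-secure-login3.example", "203.0.113.10",  "2024-03-01T10:02:30"),
    ("webmail-verify4.example",    "203.0.113.10",  "2024-03-01T10:07:00"),
    ("webmail-verify5.example",    "203.0.113.10",  "2024-03-01T10:12:00"),
    ("account-update6.example",    "203.0.113.10",  "2024-03-01T10:18:00"),
    ("bakery-on-main.example",     "198.51.100.7",  "2023-11-10T08:00:00"),
    ("citylibrary.example",        "198.51.100.21", "2024-01-20T09:00:00"),
    ("localgarage.example",        "198.51.100.33", "2024-02-01T12:00:00"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def char_entropy(label):
    """Shannon entropy (bits/char) of a label; algorithmic names score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())


def registrable_label(domain):
    # Assumption: sample names have exactly one label under the TLD.
    return domain.split(".")[0]


def extract_features(ct_log, pdns, window=timedelta(minutes=30)):
    """Per-domain features joining first certificate issuance (CT) with
    first-seen and co-hosting information (pDNS)."""
    first_cert = {}
    for dom, not_before, _issuer in ct_log:
        t = _ts(not_before)
        if dom not in first_cert or t < first_cert[dom]:
            first_cert[dom] = t

    ip_to_domains, domain_ips, first_dns = defaultdict(set), defaultdict(set), {}
    for dom, ip, seen in pdns:
        ip_to_domains[ip].add(dom)
        domain_ips[dom].add(ip)
        t = _ts(seen)
        if dom not in first_dns or t < first_dns[dom]:
            first_dns[dom] = t

    feats = {}
    for dom, t in first_cert.items():
        label = registrable_label(dom)
        # Other domains sharing any A record with this one (co-hosting).
        neighbours = set().union(*(ip_to_domains[ip] for ip in domain_ips[dom])) - {dom}
        # Co-hosted domains whose first certificate landed inside the window.
        burst = sum(1 for n in neighbours
                    if n in first_cert and abs(first_cert[n] - t) <= window)
        lag = (t - first_dns[dom]).total_seconds() / 3600 if dom in first_dns else None
        feats[dom] = {
            "name_entropy": round(char_entropy(label), 3),
            "digit_ratio": sum(ch.isdigit() for ch in label) / len(label),
            "shared_ip_degree": len(neighbours),
            "burst_size": burst,
            "dns_to_cert_hours": lag,
        }
    return feats


def flag_accumulation(feats, min_burst=3, max_lag_hours=24):
    """Rule-based stand-in for the trained classifier: a domain is suspicious if
    its certificate was issued inside a burst of co-hosted issuances and it was
    certified shortly after first appearing in pDNS (automated setup)."""
    return sorted(d for d, f in feats.items()
                  if f["burst_size"] >= min_burst
                  and f["dns_to_cert_hours"] is not None
                  and 0 <= f["dns_to_cert_hours"] <= max_lag_hours)


if __name__ == "__main__":
    features = extract_features(CT_LOG, PDNS)
    for dom in flag_accumulation(features):
        print(dom, features[dom])
```

The join on shared A records is what turns individual certificate events into a cluster signal: each of the six campaign domains sees five co-hosted neighbours certified within the window, while the benign domains have no neighbours at all, so the burst feature separates them regardless of how plausible the individual names look.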

The method was tested over an extended period, and by July of this year the new system had allowed Palo Alto specialists to discover over a million unique malicious domain names, with tens of thousands more suspicious domains detected daily.

According to the measurements and tests carried out, the new model detected accumulated domains on average 34 days earlier than the data providers on VirusTotal did, a substantial head start for blocking in a field where domains are often abandoned within days.

The automated domain classification system protects customers of Palo Alto Networks products, and the company also blocks the identified domains and shares the data with other vendors, so the risk is reduced for everyone in the industry.

Thanks to automation, Unit 42 researchers have already uncovered many campaigns related to phishing, malware distribution, and other types of cybercrime, including fraudulent sites that mimic legitimate email services in different countries.

The effectiveness of the Palo Alto Networks approach highlights the importance of combining multiple large datasets, such as pDNS and certificate logs, to uncover malicious campaigns.

The researchers will continue to work on improving their methods of detecting and preventing cyber threats in order to provide the best possible protection for both their customers and all participants in cyberspace.