IT admins could go a long way towards protecting their users from malware and other dodgy stuff on the internet if they ban access to any web domain less than a month old.
This advice comes from Unit 42, the security branch of networking house Palo Alto Networks. To be exact, the recommendation is that any domain created in the past 32 days ought to be blocked. This comes after the gang studied newly-registered domains – NRDs for short – and found that more than 70 per cent fell under the classification of "suspicious," "not safe for work," or "malicious."
"While this may be deemed a bit aggressive by some due to potential false-positives, the risk from threats via NRDs is much greater," noted Unit 42's Zhanhao Chen, Jun Javier Wang, and Kelvin Kwan. "At the bare minimum, if access to NRDs are allowed, then alerts should be set up for additional visibility."
According to Unit 42's study of new domains created across 1,530 different top-level domains (TLDs) from March to May of this year, just 8.4 per cent of NRDs could be confirmed as hosting only benign pages. 2.32 per cent were confirmed not safe for work, while 1.27 per cent of the domains were classified as malicious, meaning they were found to host malware, phishing pages, or botnet command-and-control tools.
The solid majority of the domains, 69.73 per cent to be exact, fell under the label of "suspicious," meaning the domains appeared to be parked, had insufficient content to be verified as legit, or were considered "questionable" or "high risk" but not flat-out malicious. 18.2 per cent were classified as just "other," rather unhelpfully.
In other words, just under three quarters of new domains are used for sites that vary from completely empty, to shady at best, to verified as attack sites.
The numbers can also vary by TLD, with ".com" or ".org" sites far more likely to be hosting legit content than lesser-known TLDs where it is easier to acquire a domain.
Given these numbers, the Unit 42 crew concluded that when it comes to blocking new domains, the potential benefits far outweigh the risks. As a rule, they believe newly created domains ought to be walled off from end users for 32 days.
"Our own analysis has indicated that the first 32 days is the optimal time frame when NRDs are detected as malicious," the team explained, noting that after 32 days most scams and attack sites have run their course and moved on, meaning the domains in use become far more likely to be legit.
Those who want to go even further, and aren't as bothered by the prospect of blocking legit sites, could even apply the rules to entire top level domains, such as ".to", ".ki" and ".nf" that are, by and large, much more likely to host malicious sites. ®
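The two policies described above, the 32-day NRD block (or alert-only mode) and the stricter whole-TLD block, as an added example of how a web filter could apply them; this is illustrative code written for this page, not Unit 42's or Palo Alto Networks' own tooling, and the domain names, registration dates and "today" are constructed sample values.

```python
from datetime import date

NRD_WINDOW_DAYS = 32                         # Unit 42's recommended blocking window
RISKY_TLDS = frozenset({"to", "ki", "nf"})   # optional stricter, whole-TLD block

# Constructed sample of registration dates (hypothetical domains); in practice
# these come from WHOIS/RDAP lookups or an NRD feed, and a lookup may fail.
SAMPLE_REGISTRATIONS = {
    "example.com": date(2019, 3, 2),
    "fresh-login-portal.com": date(2019, 8, 20),
    "promo.to": date(2018, 1, 15),
}
SAMPLE_TODAY = date(2019, 8, 23)


def domain_age_days(registered_on, today):
    """Whole days elapsed since registration."""
    return (today - registered_on).days


def registrable_domain(fqdn, registrations):
    """Walk from the full host name to shorter suffixes until one matches a
    known registration, so sub.host.example.com resolves to example.com.
    Returns None when the registration is unknown."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in registrations:
            return candidate
    return None


def evaluate_policy(fqdn, today=SAMPLE_TODAY, registrations=SAMPLE_REGISTRATIONS,
                    block_mode=True, tld_blocklist=frozenset(), allowlist=frozenset()):
    """Return (verdict, reason) where verdict is 'allow', 'alert' or 'block'."""
    host = fqdn.lower().rstrip(".")
    tld = host.rsplit(".", 1)[-1]
    if host in allowlist:                         # exact-host escape hatch for false positives
        return "allow", "explicitly allowlisted"
    if tld in tld_blocklist:                      # the whole-TLD variant
        return "block", f"TLD .{tld} is blocked outright"
    domain = registrable_domain(host, registrations)
    if domain is None:                            # no registration data: surface it, don't trust it
        return "alert", "registration date unknown; review before trusting"
    age = domain_age_days(registrations[domain], today)
    if age < NRD_WINDOW_DAYS:                     # inside the first 32 days
        verdict = "block" if block_mode else "alert"
        return verdict, f"{domain} registered {age} days ago (< {NRD_WINDOW_DAYS})"
    return "allow", f"{domain} registered {age} days ago"
```

Running `evaluate_policy("login.fresh-login-portal.com")` against the sample data blocks the 3-day-old domain, while `block_mode=False` turns the same decision into an alert, matching the "bare minimum" visibility the researchers suggest.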