One of the tools that cybersecurity professionals have historically relied on is access to a WHOIS database, a publicly shared list of records relating to domain names that includes the dates when these were registered, updated, or are due to expire as well as contact details such as the names of individuals or organizations, physical location, phone number, and email address of the domain owners and the IT staff tasked with maintaining them.GDPR shuts down access to WHOIS, making it more difficult for #CyberSecurity teams to determine whether a domain is part of a criminal operation. Click To Tweet
But now much of that data is being removed to comply with the mandates of the General Data Protection Rule (GDPR) rule enacted by The European Union. Without access to that data it becomes a lot more challenging to white list domains of known trusted entities versus all the fake domains that cybercriminals rely on to launch malware that needs to communicate back to a command and control mechanism somewhere on the Web.
WHOIS provides valuable information that gives cybersecurity analysts a fair amount of context in terms of how likely it is that a given domain is good or bad, notes Harold Byun, vice president of products and marketing for Baffle, a provider of data encryption tools. Restricting access to this information results in a valuable loss of information that cybersecurity teams can use in their arsenal to counter attackers, adds Byun.
As a result, the number of malicious domains being created by bad actors is likely to substantially increase in 2019, notes Caleb Barlow, vice president of threat intelligence for IBM Security. Regulators should also work more closely with cybersecurity professionals to provide some exceptions to the GDPR compliance process to rules that could result in a 30 to 90 day waiting period to deploy endpoint protection after a security breach has been discovered, adds Barlow.'In the absence of ready access to a WHOIS database to identify known good domain cybersecurity professionals will most likely have to rely more on machine learning algorithms capable of tracking new domains as they come online.' ~ @MVizard Click To Tweet
In the absence of ready access to a WHOIS database to identify known good domain cybersecurity professionals will most likely have to rely more on machine learning algorithms capable of tracking new domains as they come online. Akamai, for example, provides a data science service through which it identifies suspicious domains as they begin to launch queries against domain name system (DNS) servers.
Regardless of approach, a desire to protect privacy has now come into conflict with the common good. In theory, the Internet is a public resource, so owners of domain names should be required to register them in a way that makes it simple to see who owns what domain. The owners of legitimate domains also have a vested interest in eliminating any fraud that may be occurring because criminals launched a domain that, for example, slightly misspells one word in the domain they created. There may even come a day when the regulatory bodies that manage the Internet decided to develop their own analytics capabilities to verify domain names and the entities that own them.
In the meantime, cybersecurity professionals in 2019 will clearly need to be more vigilant when it comes to checking domain names. Cybersecurity criminals have become especially adept at rapidly shifting the command and control mechanisms they rely on to distribute malware between domain names. But as it turns out, it may very well be reliance on domain names to distribute malware that may very well wind up being their ultimate undoing.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.