Parked Domains - A Real Concern

by Al Wissinger

July 20, 2020

Parked domains serve as excellent targets for cybercriminals. As noted in reports highlighted by Cisco Umbrella as far back as 2012, parked domains are among the top categories of websites that serve malware.

Did you know that most businesses have no idea just how unproductive employees are and how they are exposing the company via high risk activities? A recent client study, over a random 7-day period, showed that of the Top 50 websites visited, 42% of the time they were not business related. Further analysis showed some 44% of those were high-risk sites with malware, phishing and other fraud, spyware, adware and usage of proxy avoidance and anonymizers.

Typical business objectives are clear: improve productivity and revenue while lowering costs, reducing business risk, and improving business processes. In every case above, these objectives are not being met a large percentage of the time. Fluency’s next generation SIEM, combined with an advanced EDR such as SentinelOne, can fully reconstruct all employees’ daily behaviors regardless if they are behind the corporate firewall or working from the home environment and on their own devices. Do you really know what your employees are doing and how they are exposing your company’s data? Can you afford to not know?

An average seven-day week for a Fluency client with 100 seats, shows some 0.42% of the sites visited within their organization are parked domains. While that percentage is low, it represents more than 376 separate occurrences within that short period. Most of these are occurring behind their company firewalls. Imagine a work-from-home (WFH) employee using their own computer and internet to access corporate databases. What ransomware is on their system just waiting to get behind a company’s firewall?

Looking further at that week’s average activity, we see that 51 sites represented malware, phishing, proxy avoidance, anonymizers, spam URLs, spyware and adware. That translates into 51 times in just one-week when employees exposed the company to potentially severe problems. Also, in that same period, 64% or 128,015 of all sites visited were first-time occurrences according to Fluency’s machine learning. Their firewall blocked some 16% or 31,965 sites. Personal storage sites are also visited on a regular basis at an average rate of 0.41% -- representing 371 times within the same week.

All of these findings, coupled with the pandemic, means that work-from-home (WFH) employees’ personal behavior has suddenly become a pathway to vulnerabilities for thousands, if not millions, of organizations.

Many of these organizations have done their best to help secure employees’ environments by putting an advanced EDR such as CrowdStrike or SentinelOne agent on their system and enabled them with a VPN connection to the company’s environment. Normal home-based personal activities would include the use of a Dropbox account to save images, documents, and other items that they then could share. What if one of these saved items is a ransomware bug just waiting for a chance to get out; the scenario might go as follows.

One evening, on their own time, the employee visits an unknown parked domain site, gets redirected to a malware site with malicious code, then accesses their private Dropbox where the ransomware file now sits. The next morning, the employee fires up their computer, logs into the VPN and the company’s systems. Later that day, while the VPN is connected, they access their private Dropbox account, even though it is against corporate policy, and the ransomware bug escapes into the company’s environment. Exposure is highly likely in that scenario.

Many CISCOs may assert that their team of highly paid and skilled security analysts will catch such activity via a SIEM they have been running for the last decade. On paper, these analyst are excellent, and they often score high brownie points when it comes to personal performance – in some cases, being praised for closing a hundred or more alerts per day.

What CISOs may not realize is the industry average for truly closing alerts after a thorough investigation is just 10 per day. What happened with the other 90 they closed? If the security leadership in an organization places performance objectives on employees and tie that to their pay, analysts will do what they need to in order to maximize their pay. Alert fatigue is an industry-wide issue – and for many organizations, ransomware is slipping through the cracks because they are taking the entirely wrong approach.

Fluency’s model is focused on ground truth awareness (looking at everything, including network data), user behavioral analytics (who is doing what, when, where, how) and automated workflow management (executing automated next-step analysis so that analyst don’t have to in most cases). This, in addition to Fluency’s patented risk scoring model that substantially reduces the number of false positives, enables analysts to focus on the highest priority alerts that require the most attention.

The deeply integrated cross-platform relationships between Fluency and vendors like SentinelOne, Cylance, Mimecast, Check Point and many others, result in a next-generation SIEM that brings tremendous operational efficiency to security operations. This allows CISOs and their security analysts to stand as proactive threat hunters instead of alert-based, burned out employees – dramatically reducing an organization’s cyber and business risk.