Skip to main content

On May 3rd 2023 Google Registry announced the release of eight new top-level domains (TLD). Two of these domains share the same naming conventions as common file names which are .zip and .mov. These TLDs could pose an increased risk to organizations through the use of social engineering attacks. For example https://github.com/kubernetes/kubernetes/archive/refs/tags/@v1.27.1.zip looks likes a legitimate domain to a GibHub repo to download a .zip file for kubernetes, however the link actually takes you to the domain of v1.27.1.zip. 


 


How does Netskope mitigate the threat from these domains?


 


The Netskope platform can help prevent phishing attacks through the use of deep learning for phishing website detection and remote browser isolation which work across all top-level domains.


 



Figure 1: Testing RBI with m365install.zip domain 


 


How can Netskope help provide insight into domain usage in an organization’s environment? 


 


Even with controls in place to help mitigate this threat, using Netskope Advanced Analytics can provide insights into where these domains show up in an organization’s environment and insights into potential missed malicious activity. 


 


To start we can create a dashboard in Advanced Analytics to be able to monitor visits to these domains, bytes downloaded and uploaded, and other contextualizing information. 


 


Under the Advanced Analytics tab go to “Personal.” Here we can create our own dashboard and tune them before sharing them organization wide. Select “New” in the top right hand corner then “New Report” in the drop down menu. 


 



Figure 2: Creating New Advanced Analytics Dashboard 


 


Select “Edit Dashboard” 



Figure 3: Newly created dashboard


 


Rename the dashboard and click “Add” and “Visualization” in the drop down menu 



Figure 4: Adding Widget to Dashboard


 


To get good contextualization and filtering for this potential threat, select “Transaction Events.” In the left hand column, select “User,” “Application,” “Domain,” “Site,” “URI,” “Port,” “Protocol,” “Source IP,” “Source Country,” “Destination IP,” “Destination Country,” “Event Timestamp,” “Bytes Downloaded,” “Bytes Uploaded,” and “Total Bytes.” These fields provide an excellent view of the events and allows easy filtering based on the particular domains that is desired to be viewed without worrying about picking up .zip and .mov files that users may be uploading or downloading. 


 


To filter Domains select the filter symbol within the left hand column 



Figure 5: Filtering in Advanced Analytics 


 


For the domain filter, select “ends with" from the drop down filter and put .zip in the filter field along with how far back to search. 



Figure 6: Filtering .zip domains


 


Hit “Run” and make sure the table “Visualization” is selected in the “Visualization” tab



Figure 7: Visual Representation of data queried by widget


 


Once you save the widget, it will be present on the dashboard in which you can schedule run times, have it refresh every time it is loaded, and schedule delivery of the dashboard contents to team members. To find use of .mov domains repeat the same steps but add .mov into the domain filter field instead of .zip.


 


Now the organization has visibility into where .zip and .mov domains show up in the organization and users who go to them. From here leaders can make informed decisions on use cases and exposure to support other security policy decisions. Security personnel can look through the data for any suspicious activity such as an abnormal geographical location source or destination, large number of uploads or downloads, and abnormal port or protocol usage at a glance.

Be the first to reply!

Reply