d3fend / d3fend-ontology

This repository holds the necessary content to produce the D3FEND ontology distribution.
https://d3fend.mitre.org
MIT License

DNS Eviction #199

Open apapaa opened 1 year ago

apapaa commented 1 year ago

Note: all sections are required.

DNS Eviction > Takedown Domain Registration

The name should indicate which digital artifacts are in play, and what actions are applied to those artifacts.

OR

DNS Eviction > Issue Takedown Notices
DNS Eviction > Initiate Takedown Process

Digital Artifacts

What are the relevant D3FEND Digital Artifacts to this new technique, please propose new artifacts if you cannot find them in D3FEND.

d3f:DomainRegistration

Definition

One or two sentence definition in the style of other d3fend techniques.

The process of performing a takedown of the attacker's infrastructure, specifically domain registration.

How it works

Section explaining how the technique works.

Most nameserver hosts and domain name registrars comply with internationally recognised standards and supply their services based on terms and conditions that provide users and organisations protection from abuse and trademark infringement. Performing a WHOIS query on the attacker's domain will provide a contact that can be notified in the case of abuse. Formal takedown processes should be initiated to suspend or disable the normal function of the domain name.

Considerations

What should people know about this technique, pros/cons, pitfalls etc.

Examples of Domain Registration Abuse

Attackers will create infrastructure from which to carry out their operations and this may include registering domain names to be used in the various attacks. Known misuse cases include:

References

High quality publicly available technical documents.

https://en.wikipedia.org/wiki/Typosquatting
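The "How it works" section above says a WHOIS query yields the contact to notify and that a formal takedown process should then be initiated. The following is an added example (not code from this issue or from the D3FEND project) of the defender-side preparation for that step: it parses a WHOIS record for the registrar abuse contact and checks whether the domain label is within a small edit distance of a protected brand, which is the typosquatting case the reference above describes. The WHOIS text is constructed for illustration (the field names follow the common "Key: value" registrar output, but the registrar, domain and contact values are invented), and `takedown_contact`, `typosquat_match` and `draft_takedown_notice` are hypothetical helper names.

```python
"""Locate the registrar abuse contact in a WHOIS record and flag likely typosquats.

Added example for a D3FEND "Takedown Domain Registration" workflow; the sample
record below is constructed, not a real registration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample WHOIS response (invented domain, registrar and contacts).
SAMPLE_WHOIS = """\
Domain Name: EXAMP1E-LOGIN.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Updated Date: 2024-01-10T08:00:00Z
Creation Date: 2024-01-09T07:55:00Z
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
DNSSEC: unsigned
"""


@dataclass
class TakedownContact:
    domain: str
    registrar: str
    abuse_email: str
    abuse_phone: str
    name_servers: list[str] = field(default_factory=list)


def parse_whois(text: str) -> dict[str, list[str]]:
    """Parse 'Key: value' lines into lower-cased keys; keys such as Name Server repeat."""
    fields: dict[str, list[str]] = {}
    for line in text.splitlines():
        # Non-greedy key so a URL in the value (containing ':') is not split.
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields


def takedown_contact(text: str) -> TakedownContact:
    """Extract the party to notify; raise if the record carries no abuse contact."""
    f = parse_whois(text)

    def first(key: str) -> str:
        return f.get(key, [""])[0]

    email = first("registrar abuse contact email")
    if not email:
        raise ValueError("no registrar abuse contact; escalate to registry or hosting provider")
    return TakedownContact(
        domain=first("domain name").lower(),
        registrar=first("registrar"),
        abuse_email=email,
        abuse_phone=first("registrar abuse contact phone"),
        name_servers=[ns.lower() for ns in f.get("name server", [])],
    )


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_match(domain: str, brands: list[str], max_distance: int = 1):
    """Return (brand, distance) if the domain's label or a hyphen-separated token
    is within max_distance edits of a protected brand, else None.
    Domains the brand itself owns should be excluded before calling this."""
    label = domain.lower().split(".")[0]
    candidates = {label, *label.split("-")}
    best = None
    for brand in brands:
        for cand in candidates:
            d = levenshtein(cand, brand.lower())
            if d <= max_distance and (best is None or d < best[1]):
                best = (brand, d)
    return best


def draft_takedown_notice(contact: TakedownContact, brand: str, evidence: str) -> str:
    """Assemble the notice text sent to the registrar abuse desk."""
    return (
        f"To: {contact.abuse_email} ({contact.registrar})\n"
        f"Subject: Abuse report and takedown request for {contact.domain}\n\n"
        f"The domain {contact.domain} impersonates the {brand} brand and is used for abuse.\n"
        f"Evidence: {evidence}\n"
        f"Name servers: {', '.join(contact.name_servers)}\n"
        "Please suspend the domain under your abuse policy."
    )


if __name__ == "__main__":
    c = takedown_contact(SAMPLE_WHOIS)
    hit = typosquat_match(c.domain, ["example"])
    if hit:
        print(draft_takedown_notice(c, hit[0], "credential-phishing page observed (constructed)"))
```

Run the module directly to print the drafted notice for the constructed record; in practice the WHOIS text would come from a `whois` or RDAP query for the suspect domain, and the typosquat check runs before a notice is raised so analysts do not file against unrelated registrations.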

netfl0 commented 6 months ago

name: Takedown Domain Registration

ID: D3-TDR

netfl0 commented 6 months ago

@apapaa please confirm you'd like to be listed as a contributor, thank you for your contribution!

apapaa commented 5 months ago

Hi @netfl0 - yes please. [Andrew Papastefanou, Talanos Cybersecurity]

@ryantxu1 . In relation to the takedown requests, I have bundled it under a main technique called "Attacker Infra Eviction". So it would be "Evict" > "Attacker Infra Eviction" > "Takedown Request".

I have sent a table of suggestions to @netfl0 on some of the other sub-techniques that could be listed here (such as "Rogue Device Removal"). So perhaps it is worth considering this entry in relation to that?

ryantxu1 commented 2 months ago

Hey @apapaa, would your proposed "Takedown Request" be a broader scope than "Takedown Domain Registration"? I'm definitely interested in hearing about your ideas on other techniques for "Attacker Infra Eviction". We're putting together a major addition to the Evict section here https://github.com/d3fend/d3fend-ontology/pull/240. I think it might make sense to bundle this in there.