[Accred-Model] Letter to ICANN from RiskIQ

Rubens Kuhl rubensk at nic.br
Mon Apr 23 14:57:17 UTC 2018



> Em 23 de abr de 2018, à(s) 01:36:000, <trachtenbergm at gtlaw.com> <trachtenbergm at gtlaw.com> escreveu:
> 
> Rubens,
> 
>> Those can be used to do some correlations, but other factors such as name servers, IP address and target URL (if hiding in a redirection chain) are useful as well.
> 
> 
> Name server and IP address are often not useful, especially with email based attacks, which is the majority of attacks now, because the bad guys use the registrar's nameservers and a third party mail server. In other words it doesn't tell us anything to see that the domain has Microsoft or Google or major registrar MX records and IP addresses.

One of the largest operations we did had name servers as exactly the commonality among dozens of registrations. They were used to provide reverse DNS services so the e-mail-sending cloud VMs ranked as more trustworthy at e-mail systems. That perpetrator was the first to be "honored" with a network-wide null-route in order to prevent its registrations from continuing. So, perhaps that information could be useful, but the availability of WHOIS made the latter be pursued more often?



> Similarly, there is no target URL since the attack is not content based.

I would also call exploits sent as attachments content, and that's why mail security rules usually address those; there is also a threat intelligence exchange of fingerprints to respond faster to such threats.

> 
>> A registrar has access to registration data and can act based on that. So, if someone detects that example.example is a security threat, it can raise that issue with the registrar and that registrar can correlate to other domains registered by the same wrong-doer. There is no secret sauce, and this happens in large amounts everyday.
> 
> 
> No offense to my registrar friends but they are generally not going to do this kind of investigation and definitely not en masse as would be required if there is no registrant name and email. Basically, you would be shifting the investigation burden to the registrars. Why don't you ask them what they think of that idea and whether it is likely to happen. And that is just the major registrars - the smaller ones generally won't even investigate and say they have no duty to.

Being a registrar with 3.2 million domains, I can tell you that it's not that big of a deal to do such investigations. We have also found that DNS-related fraud is highly correlated to payment fraud, that every $ we put into it gets us less payment fraud, and that it keeps us in line with card brands' requirements on chargeback volumes.

But for every contracted party not willing to handle investigations, there will be someone out there that would like to sign an agreement to get access and do the investigation for them. For instance, the recent CoCCA/SDF agreement (https://cocca.org.nz/#news). Data controllers can outsource processing activities, including abuse investigation, provided GDPR is also followed along the process.

And even if a 3rd party could use layered WHOIS access to investigate, registrar willingness to combat abuse will still be required in order to do enforcement. And that is true today, before May 25; GDPR doesn't change who wants to fight abuse and who wants to turn a blind eye to it. Even the ability to determine who is good at doing it and who is not is also not hampered, since the registrar of record is still listed in public WHOIS.



> 
>> Both investigating and enforcing can be done by registrars or thick registries (if they continue to exist after GDPR). Detecting can be done both by registrars and by 3rd parties, and in my experience the best results come from all doing it: we run some pattern detection filters on the stream of new registrations and get threat feeds from the "usual suspects" (OpenPhish, PhishTank, ShadowServer etc.).
> 
> 
> See above- not going to happen.

As a strong leader once said, "I find your lack of faith disturbing".
If you are willing to put up with auto-translation of a foreign language, you can see my presentation at a local network operators group on this from a few months ago:
https://www.youtube.com/watch?v=S--UIH_Prc8



> 
>> EDPB, known before May 25 as WP29. "The role of the EDPB will be to ensure the consistency of the application of the GDPR throughout the Union, through guidelines, opinions and decisions."
> 
> 
> Yes - But they won't give specific guidance before May 25. That much is clear.


That's their discretion, and as public officials, they know the impact of their actions. But I am not willing to replace the lawful position of a public servant chosen by an elected official with mine just because.



Rubens
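The correlation described in this message (clustering new registrations on shared name servers and registrant data, checking the stream against a pattern filter and external feeds) as a worked example. This is an added example, not code from the original message, from nic.br, or from any of the feeds named above; every registration record, name server, registrant address and feed entry is constructed for illustration. It also encodes the caveat raised in the quoted reply: name servers that are registrar defaults or otherwise shared by many unrelated customers are excluded as pivots, so only registrant e-mail and non-shared name servers link domains together.

```python
"""Correlating abusive domain registrations by shared infrastructure.

Added example, not code from the original message or from nic.br. All
registrations, name servers, registrant addresses and feed entries are
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed stream of new registrations (hypothetical records).
NEW_REGISTRATIONS = [
    {"domain": "bank-login-secure.example", "registrant": "a@mail.example",
     "nameservers": ("ns1.rdns-farm.example", "ns2.rdns-farm.example")},
    {"domain": "paypa1-verify.example", "registrant": "b@mail.example",
     "nameservers": ("ns1.rdns-farm.example", "ns2.rdns-farm.example")},
    {"domain": "mail-relay-07.example", "registrant": "c@mail.example",
     "nameservers": ("ns2.rdns-farm.example",)},
    {"domain": "flowershop.example", "registrant": "d@mail.example",
     "nameservers": ("ns1.registrar.example", "ns2.registrar.example")},
    {"domain": "acme-invoice.example", "registrant": "d@mail.example",
     "nameservers": ("ns1.registrar.example", "ns2.registrar.example")},
    {"domain": "another-seller.example", "registrant": "e@mail.example",
     "nameservers": ("ns1.registrar.example", "ns2.registrar.example")},
]

# Name servers shared by so many unrelated customers (registrar defaults,
# large DNS providers) that they are useless as a pivot. Constructed list.
SHARED_NAMESERVERS = {"ns1.registrar.example", "ns2.registrar.example"}

# Constructed stand-in for an external phishing feed (OpenPhish/PhishTank style).
THREAT_FEED = {"paypa1-verify.example", "unrelated-elsewhere.example"}

# Credential-phishing tokens looked for in the leftmost label of a new domain.
SUSPICIOUS_TOKENS = re.compile(r"(?:^|-)(login|verify|secure|account)(?:-|$)")


def pattern_hits(registrations, pattern=SUSPICIOUS_TOKENS):
    """Cheap first-pass filter over the registration stream."""
    hits = []
    for rec in registrations:
        label = rec["domain"].split(".", 1)[0]
        if pattern.search(label):
            hits.append(rec["domain"])
    return sorted(hits)


def feed_hits(registrations, feed=THREAT_FEED):
    """Domains in the stream that an external feed already lists."""
    return sorted(r["domain"] for r in registrations if r["domain"] in feed)


def _pivots(rec, shared_ns):
    """Attributes worth linking on: registrant e-mail and any name server
    that is not shared infrastructure."""
    yield ("registrant", rec["registrant"].lower())
    for ns in rec["nameservers"]:
        ns = ns.lower().rstrip(".")
        if ns not in shared_ns:
            yield ("ns", ns)


def build_clusters(registrations, shared_ns=SHARED_NAMESERVERS):
    """Union-find over domains: two domains join one cluster when they share
    a pivot value. Returns {domain: frozenset(cluster members)}."""
    parent = {r["domain"]: r["domain"] for r in registrations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    owner = {}  # pivot -> first domain seen carrying it
    for rec in registrations:
        for pivot in _pivots(rec, shared_ns):
            if pivot in owner:
                parent[find(rec["domain"])] = find(owner[pivot])
            else:
                owner[pivot] = rec["domain"]

    members = defaultdict(set)
    for d in parent:
        members[find(d)].add(d)
    return {d: frozenset(members[find(d)]) for d in parent}


def expand_seeds(seeds, registrations, shared_ns=SHARED_NAMESERVERS):
    """Given confirmed-bad seeds (e.g. feed hits), return every domain in the
    stream that shares a registrant or a non-shared name server with them,
    transitively."""
    clusters = build_clusters(registrations, shared_ns)
    out = set()
    for s in seeds:
        out |= clusters.get(s, frozenset())
    return sorted(out)


if __name__ == "__main__":
    seeds = feed_hits(NEW_REGISTRATIONS)
    print("feed hits:", seeds)
    print("pattern hits:", pattern_hits(NEW_REGISTRATIONS))
    print("expanded from feed hits:", expand_seeds(seeds, NEW_REGISTRATIONS))
```

With the constructed data, the single feed hit expands to the two other domains parked on the same reverse-DNS name servers (one of which carries no phishing token at all), while the three domains on registrar-default name servers only link through a shared registrant address. The shared-name-server list is the knob a registrar would tune from its own prevalence counts; a name server used by a large fraction of its customers should never act as a pivot.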

