A newly observed domain is a Uniform Resource Locator (URL) with a newly registered domain name that has recently become active in the Domain Name System (DNS). Registering a domain name does not mean using it right away. Once the registrant creates URLs under that domain and those URLs begin resolving in the DNS, the domain becomes a newly observed domain.
Security products, such as enterprise firewalls, block newly observed domains because threat actors are known to use them in cyber attacks such as phishing, malware distribution, and spamming.
In the past, cybercriminals got away with using new domains in their malicious campaigns because security systems were taught only to block known malicious domains, that is, properties that had already figured in cyber attacks. New domains were allowed into networks because they had no tarnished past.
These days, the cybersecurity community has adapted. New domains are now considered risky, and blocking them is among the usual best practices. Newly observed domains are among the categories that security systems can block.
What’s the Difference between Newly Observed Domains and Newly Registered Domains?
People might confuse newly observed domains with newly registered domains (NRDs), but the two are distinct. NRDs are domain names that have recently been created; the domain owner or registrant has just completed the registration process involved in domain creation.
NRDs remain NRDs until their registrant starts resolving them in the DNS. DNS resolution means that the domain name has an associated Internet Protocol (IP) address and can already be reached on the Internet. The first time an NRD is observed resolving in the DNS, it can be classified as a newly observed domain.
How Do Newly Observed Domains Pose Threats?
While there are many legitimate reasons why people register and use domain names, some have nefarious intentions. When a domain and its URLs become accessible through the Internet, they can be used in the following forms of cyber attacks:
- Phishing and credential theft: Phishing has become a household name in recent years, and we should never forget that the end goal of this attack is to steal the victims’ sensitive information. Phishers can use newly observed domains to do that. For example, they may register bayire[.]com and activate the URL https://onlinebankofamerica[.]bayire[.]com to target Bank of America clients.
- Malware distribution: Threat actors may also use newly observed domains to host botnets. When Internet users visit these websites, their computers are infected with malware, and the victims’ systems are controlled by the malware operator from then on. They can be used to attack an organization’s systems or to send spam.
- Brand abuse: Newly observed domains can also be used to imitate legitimate brands, especially popular ones. For example, threat actors may use louisvuttun[.]xyz to pose as Louis Vuitton. While these domains can be used in phishing activities, they can also be used to sell counterfeit products or to tarnish the name of the impersonated brand.
Should You Block Newly Observed Domains?
Threat actors can put new domains into action within minutes of registering them. For this reason, most security firewalls and DNS filtering systems block newly observed domains by default.
As a general rule, blocking newly observed domains is the safest strategy. However, it can also produce false positives. Several users have complained about DNS filters blocking legitimate domains, especially when the security system in use is not very accurate.
If the same thing happens when you use firewalls and DNS filters, the best workaround would be to set the system to monitor or quarantine newly observed domains instead of turning off the filter altogether.
Turning it off would immediately allow all newly observed domains, including dangerous ones, within your network. On the other hand, monitoring them would at least allow you to examine the URLs first.
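As an added illustration that is not from the original page, here is the first-seen logic behind such a filter in Python: a domain's first resolution in the log marks it as newly observed, later queries inside a window get the block or monitor policy, and monitor mode produces a review queue of URLs for examination. The resolver log lines, the seed database of previously seen domains and the seven-day window are constructed assumptions, not values from the page.

```python
import datetime as dt

# Constructed seed of the filter's existing first-seen database: domains
# with a long DNS history. The date is made up for the example.
FIRST_SEEN_DB = {"example.com": dt.datetime(2015, 1, 1)}

# Constructed resolver log: (ISO timestamp, queried name). Assumed format;
# real resolver logs (BIND, Unbound, etc.) look different.
SAMPLE_LOG = [
    ("2024-05-01T08:00:00", "www.example.com"),
    ("2024-05-01T08:05:00", "onlinebankofamerica.bayire.com"),
    ("2024-05-02T09:00:00", "login.bayire.com"),
    ("2024-05-20T10:00:00", "mail.bayire.com"),
]

NOD_WINDOW = dt.timedelta(days=7)  # assumed: how long a domain counts as "newly observed"

def registered_domain(name):
    """Collapse a hostname to its registrable domain (last two labels).
    Simplification: no public-suffix list, so 'example.co.uk' would be mis-cut."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def filter_log(log, first_seen, window=NOD_WINDOW, mode="block"):
    """Process queries in time order. The first sighting of a registered domain
    is recorded in `first_seen`; any query within `window` of that sighting is
    treated as a newly observed domain and receives the policy action
    ('block' or 'monitor'). Everything else is allowed.
    Returns a list of (timestamp, name, action)."""
    assert mode in ("block", "monitor")
    decisions = []
    for ts, name in sorted(log):  # ISO timestamps sort chronologically as strings
        when = dt.datetime.fromisoformat(ts)
        dom = registered_domain(name)
        first = first_seen.setdefault(dom, when)  # first time seen resolving
        if when - first <= window:
            decisions.append((ts, name, mode))
        else:
            decisions.append((ts, name, "allow"))
    return decisions

def review_queue(decisions):
    """In monitor mode: the URLs flagged as newly observed, for an analyst to examine."""
    return sorted({name for _, name, action in decisions if action == "monitor"})
```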
Domain names are indispensable online but not all are safe to access. While most security systems have already been taught to keep a lookout for newly observed domains, it would also be wise to check the URLs of the websites you are visiting.