Read the original article: Beefing Up Third-Party Risk Management with Reverse DNS Search
Most businesses rely on third-party entities to outsource certain functions, save on costs, and strengthen their cybersecurity capabilities. While working with external providers makes perfect business sense, it also poses cyber risks. For instance, a global record label’s websites hosted by a third-party service provider became the latest victim of Magecart, a web skimming attack. The company is not alone to suffer such misfortune, however, as many data breaches are connected to third-party use.
Third parties usually need to access company networks and data to make these accessible to their contractors and employees. Hence, the chances of a data breach and other cybercrimes are magnified. But organizations can minimize risks through robust third-party risk management. As part of this, Reverse DNS Search can help by:
- Identifying hosts and domains related to a third-party website, IP address, or DNS record
- Determining if any of the domains associated with third parties are malicious and, therefore, pose risks
Let’s take a closer look.
Identify Domains Associated with a Third Party
Associations with malicious actors is among the telltale signs of third-party risk. For instance, suppose a third-party vendor or contractor is associated with malicious domains through its IP address, nameserver, or mail server. In that case, there is a possibility for attackers to get hold of its domain. By extension, your network and data could also be exposed.
To illustrate, we obtained 10 domains reported on PhishTank then used DNS Lookup tools to retrieve their A and AAA records. We ran the associated IP addresses on Reverse DNS Search to gain insights into how many other domains share them.
| Reported Domains | IP Address (A Record) | Number of Associated Domains |
|---|---|---|
| micr0s0ft-secure[.]nw[.]r[.]appspot[.]com | 216[.]58[.]217[.]212 | 10 |
| halifax[.]co[.]uk[.]login-review-7438[.]info | 146[.]0[.]76[.]81 | 13 |
| grupmabarfreefire[.]freefire-2020[.]my[.]id | 207[.]180[.]194[.]25 | 52 |
| mshardware[.]bizzrise[.]in | 162.[.]41[.]114[.]56 | 91 |
| sync[.]owaaccessvoice[.]ml | 198[.]12[.]250[.]51 | 99 |
| preorderatt[.]weebly[.]com | 199[.]34[.]228[.]54 | 176 |
| familynametees[.]com | 198[.]20[.]71[.]143 | 477 |
| secure[.]scotiaonline[.]com[.]noneed[.]uk | 209[.]182[.]213[.]43 | 549 |
| dns-e58d6[.]web[.]app | 151[.]101[.]65[.]195 | 5,100+ |
| cpsclanaudiere[.]org | 67[.]215[.]3[.]243 | 5,400+ |
Reverse DNS Search revealed that the IP addresses the domains were hosted on also served as hosts to dozens, hundreds, and even thousands of other domains. Some of these connections are probably fortuitous — after all, thousands of website owners may share an IP address due to their hosting configuration. Taking a closer look at the lists of associated domains, nevertheless, could provide some insights into malicious connections.
Determine a Third Party’s Association with Malicious Domains
It is also important to note that out of the 10 IP addresses in the table above, only 199[.]34[.]228[.]54 has been reported for malicious activities.
As such, looking into a third party’s IP address alone may not give you the whole picture. The connected domain doctorfix[.]org, for instance, resolves to 146[.]0[.]76[.]81 (one of the IP addresses in the table above). Running both the domain and IP address through a threat intelligence platform or third-party risk monitoring system that does not have a reverse DNS search feature would yield no warning signs.
However, performing a reverse DNS search on 146[.]0[.]76[.]81 would yield 13 domains sharing the same IP address:
Of these 13 domains, six have been cited for phishing and spamming activities by Spamhaus, specifically:
- cpanel[.]kopenvaarbewijs[.]com
- webmail[.]kopenvaarbewijs[.]com
- autodiscover[.]kopenvaarbewijs[.]com
- kopenvaarbewijs[.]com
- webdisk[.]kopenvaarbewijs[.]com
- realalphalife[.]com
Robust third-party risk monitoring entails that a third party’s domain associations through its IP address and other DNS records should also be investigated.
Third-party risk management is a vital part of cybersecurity. Without it, an organization’s cybersecurity posture remains weak and incomplete. Reverse DNS Search allows companies to get a better picture when it comes to assessing third parties. By integrating reverse DNS search into risk assessment systems and methodologies, enterprises not only determine if a third party is but also pinpoint which of its domains and DNS records can be a source of cyber risks.
Read the original article: Beefing Up Third-Party Risk Management with Reverse DNS Search