Executive Summary

Between February and March of this year, CyberStash saw an increase in blocked network connections per day from 185 million to 221 million. This represents an alarming 20% increase in one month. If this trend continues, the total number of network connections blocked by the CyberStash Cyber Threat Intelligence Gateway will increase by over 1.5 billion or 30% from February levels. Over 50% of these network connections are being blocked as a result of threat intelligence blacklists and over 40% of connections are being blocked based on GEO-IP policies.

DomainTools, one of our strategic threat intelligence partners, recently made available a free, curated list of high-risk COVID-19- related domains. This is an admirable move by DomainTools and their desire “to support the community during the Coronavirus crisis.”

As a service to our customers and consistent with our vision of making threat intelligence actionable, we have quickly moved to integrate this threat intelligence into the CyberStash Cyber Threat Intelligence Gateway. 

In this article we will look at:

Observations

The increased volume of blocked network connections that we are observing is being driven by three specific factors: 

1. Increased network traffic as organisations scramble to open their networks to a significant, unexpected increase in remote users;

2. Greater threat volumes with opportunistic threat actors taking advantage of the Coronavirus pandemic

3. Tighter policy controls as customers look to improve network defenses and reduce risks amidst an expanded attack surface.

Threat actors are taking advantage of the COVID-19 pandemic to launch cyberattacks, including phishing campaigns. This is validated by data from DomainTools which shows a significant increase in domain name registrations per day relatedto COVID-19 terms.

Registered COVID-19 Related Domains Per Day

The figure below shows a massive uptick in domain registrations that started March 14, with more than 3,500 new domains being registered daily thereafter.

While recent data shows a decline in the volume of daily registrations from peak levels, they remain at elevated levels. According to DomainTools, the list has proven to be quite volatile and immediately responsive to changing news regarding COVID-19.

COVID-19 Threat List Details

In order to identify and categorise threat intelligence specifically related to COVID-19, DomainTools took into account four distinct considerations:

List Criteria

Terms and Variants

COVID-19 Threat List Details

Risk Score

Using COVID-19 Threat Intelligence in the CyberStash Cyber Threat Intelligence Gateway

Consistent with our mission of making threat intelligence actionable, we’ve made the DomainTools’ COVID-19 threat intelligence available to all CyberStash customers. Specifically, we’ve made available two automatic domain blacklists.

Terms and Variants

1. COVID-19-DomainTools-99 is a list of COVID-19-related domains with a Risk Score of 99 and higher. This list currently contains over 50,000 domains and represents a very high to definite level of confidence that the domain is malicious.

2. COVID-19-DomainTools-70 is a list of COVID-19-related domains with a Risk Score of 70 and higher. This list currently contains over 90,000 domains and represents a medium to high level of confidence that the domain is malicious.

We recommend that customers treat the blacklist with Risk Scores of 99 and higher as a blacklist and treat the broader list with Risk Scores of 70 and higher as more of a “watch” list.