<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>One of the goals of threat research is to establish the adversary's patterns of behavior. Why? So that models can be created to predict their behavior and then proactively block them. The fact is, criminals and spies are still people, and people have patterns of activity. They often choose the same providers, the same techniques, and the same tools across multiple operations. "If it ain't broke, don't fix it," as the saying goes.</p>
<p>As part of ongoing research that will ultimately lead to what we'll call the "Internet Death Penalty Bundle," recognizing outstanding achievements by registrars and network providers in the assistance of cyber crime, we've been measuring abuse as a percentage of a provider's total portfolio. In this case, we're examining only top-level domains.</p>
<p>There are thousands of top-level domains (TLDs), with .com, of course, being the most popular. There are also some "free" top-level domains that often have a high proportion of junk domains, if not overtly criminal ones. In this case, by examining ThreatSTOP data, we aimed to get a measure of maliciousness. This varies somewhat from the methods used by ICANN with their <a href="https://www.icann.org/octo-ssr/daar">Domain Anti-Abuse Report Project</a> (which I consulted on) and by various anti-spam providers.</p>
<p>ThreatSTOP ultimately works to protect against maliciousness, and we usually don't have potentially unwanted applications or other spammy-but-not-malicious indicators represented in our data. Our measurement works as follows: first, set aside all TLDs that do not have at least 100 domains registered. Next, take our own abusive hostname list and count only occurrences of unique second-level domains within each TLD. Then calculate the percentage: the number of abusive domains in a TLD divided by the total number of domains registered in that TLD. Below are the Top 20 worst; all have a statistically significant percentage of abuse.</p>
<ol>
<li>.ki</li>
<li>.nf</li>
<li>.sx</li>
<li>.so</li>
<li>.sc</li>
<li>.pw</li>
<li>.su</li>
<li>.tj</li>
<li>.ug</li>
<li>.to</li>
<li>.biz</li>
<li>.rent</li>
<li>.sh</li>
<li>.ms</li>
<li>.mu</li>
<li>.cx</li>
<li>.mn</li>
<li>.ac</li>
<li>.ru</li>
<li>.click</li>
</ol>
<p>Depending on your risk appetite for false positives, these can be safely blocked whole and entire until you get to .ru (the TLD for the Russian Federation). In fact, blocking these 20 TLDs would block 25% of all abusive domains in our data (including many we do not yet recognize as abusive, or that become abusive later).</p>
<p>This is just an analysis of one day's worth of data, but it will be repeated for registrars and network operators to start creating near-real-time reports of which providers are most likely to be used by criminals, as motivation for those businesses to start cleaning up their acts.</p>
<p style="text-align: center;"><em>Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?</em></p></span>
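<p>As an added example (not ThreatSTOP's own code or data), the following Python implements the per-TLD measurement described above over a small constructed abuse list, and also computes the share of unique abusive domains that a TLD blocklist would cover. The registered-domain counts, the hostnames, and the <code>second_level_domain</code>, <code>abuse_rate_by_tld</code> and <code>blocked_share</code> functions are all assumptions; it collapses a hostname to its last two labels rather than consulting a public-suffix list.</p>

```python
from collections import defaultdict

# Constructed sample input (assumption, not ThreatSTOP data): registered domain
# counts per TLD, and a hostname-level abuse list as the method expects.
REGISTERED = {"ki": 120, "pw": 500, "com": 100000, "tiny": 12}
ABUSIVE_HOSTS = [
    "login.bank-update.ki", "bank-update.ki", "cdn.bank-update.ki",
    "x1.drop.pw", "x2.drop.pw", "pay.fake-shop.pw",
    "mail.legit-looking.com", "www.other.tiny",
]


def second_level_domain(hostname):
    """Collapse a hostname to its registrable second-level domain.
    Simplification: takes the last two labels, with no public-suffix
    handling, so a.co.uk would collapse to co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    return ".".join(labels[-2:])


def abuse_rate_by_tld(registered, abusive_hosts, min_registered=100):
    """Percentage of each TLD's registered domains that appear on the abuse
    list. TLDs with fewer than min_registered domains are set aside, and a
    second-level domain counts once however many hostnames it has."""
    unique_by_tld = defaultdict(set)
    for host in abusive_hosts:
        sld = second_level_domain(host)
        unique_by_tld[sld.rsplit(".", 1)[1]].add(sld)
    rates = {}
    for tld, total in registered.items():
        if total < min_registered:
            continue
        rates[tld] = 100.0 * len(unique_by_tld[tld]) / total
    return dict(sorted(rates.items(), key=lambda kv: kv[1], reverse=True))


def blocked_share(block_tlds, abusive_hosts):
    """Fraction of unique abusive second-level domains a TLD blocklist covers."""
    slds = {second_level_domain(h) for h in abusive_hosts}
    covered = {s for s in slds if s.rsplit(".", 1)[1] in block_tlds}
    return len(covered) / len(slds)


if __name__ == "__main__":
    for tld, pct in abuse_rate_by_tld(REGISTERED, ABUSIVE_HOSTS).items():
        print(f".{tld:<5} {pct:7.3f}% of registered domains abusive")
    print(f"blocking .ki and .pw covers {blocked_share({'ki', 'pw'}, ABUSIVE_HOSTS):.0%}")
```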