Friday, 10 February 2023

Assessing and mediating the digital risk landscape for a brand

Introduction

For modern businesses, an Internet presence is a key part of day-to-day operations, both in terms of their own corporate infrastructure and their interaction with customers. However, the ease and low cost of access to online content, combined with the ubiquity of Internet use, means that online channels present a very attractive environment for bad actors to abuse trusted brands for their own gain. Traditional areas of infringement - including counterfeiting, online fraud (such as phishing) and piracy - continue to remain popular, in addition to other types of content which can be damaging to company revenue, reputation, or customer experience[1]. These might typically include categories such as traffic misdirection, false affiliation, potential brand confusion, or negative comment and activism[2]. Additionally, new types of content (such as 'Web3' areas including NFTs and blockchain domains[3]), and new online channels, are continually emerging. 

Other kinds of digital risk, such as the growth in the prevalence of malware and ransomware, instances of DNS attacks and distributed denial-of-service (DDoS) attacks, and other direct attacks against company or employee infrastructure (such as social engineering and business e-mail compromise (BEC) attacks), are also of concern. Frequently, these areas are also linked, with (for example) phishing increasingly recognised as the most common attack vector for malware distribution[4].

This threat landscape produces an environment in which the protection of company brands is ever more important. A robust cybersecurity posture needs to encompass both the protection of official corporate portfolio domains (i.e. domain-name management and security) and the tackling of third-party activity on the open Internet ('outside the firewall'), i.e. 'classic' brand protection, which itself needs to consist of monitoring for threatening content and enforcement against infringements. Only by having both elements working successfully together can an organisation be confident that it is adequately protected from cybersecurity risks[5].

Before an effective ongoing programme can be put in place, it is essential to conduct an assessment of the pre-existing landscape, to determine the main issues and areas of risk, and work out where remediating action will be required going forward. Additionally, it is often necessary to attempt to numerically quantify the scale of the issue, so that determination can be made of the likely return on investment of a cybersecurity programme, and thereby justify the spend to management.

Assessing the landscape

i. The corporate domain name portfolio

The set of domain names owned by a company will typically include the 'core' or 'critical' domains used in the day-to-day execution of business (such as those providing infrastructure for their websites and e-mail) and a broader set of 'tactical' domains, held to prevent them from being acquired by third parties, or intended for future use relating to new brand or product launches, or geographical expansion. 

When considering the protection of corporate domains, there are a number of security products available, particularly where the domain-name management is overseen by an enterprise-class registrar. These products are designed to address a range of security issues, such as the risks of DDoS attacks (addressed by DNS hosting redundancy), hacking and site re-direction (by DNSSEC[6]), spam, e-mail spoofing, and phishing (by SPF[7], DMARC[8] and DKIM[9]), unauthorised DNS changes and domain hijacking (by MultiLock), and use of unauthorised certificates (mediated by the use of CAA[10] records). Implementing all of these measures for all corporate domains would generally be prohibitively costly, and therefore it is important to be able to identify the most business-critical domains, where the greatest levels of protection are required. An effective enterprise-class registrar will typically have technology to assist brand owners with making these determinations.
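As an added illustration (not code from the original article, nor from any registrar product it mentions), the following Python script takes the records a portfolio review would gather for each domain and reports which of the protections listed above are missing, so that the core domains with the most gaps can be dealt with first. The domain names and record values are constructed; the `EPP_STATUS` field standing in for the registrar-lock status, and the `DNSKEY` flag standing in for "the zone is DNSSEC-signed", are simplifying assumptions of this example. DKIM is left out because it cannot be checked without knowing the selector the mail system uses.

```python
import re
from typing import Dict, List

# Constructed sample of the records a resolver and registrar would return for two
# portfolio domains. Names and values are made up for illustration (not real lookups).
SAMPLE_RECORDS = {
    "example-core.test": {
        "TXT": ['"v=spf1 include:_spf.mailprovider.test -all"'],
        "_dmarc.TXT": ['"v=DMARC1; p=reject; rua=mailto:dmarc@example-core.test"'],
        "CAA": ['0 issue "ca-one.test"'],
        "DNSKEY": True,   # assumption: a DNSKEY RRset exists, i.e. the zone is DNSSEC-signed
        "NS": ["ns1.dns-a.test", "ns2.dns-b.test"],
        "EPP_STATUS": ["clientTransferProhibited", "serverUpdateProhibited"],
    },
    "example-tactical.test": {
        "TXT": ['"v=spf1 +all"'],
        "_dmarc.TXT": [],
        "CAA": [],
        "DNSKEY": False,
        "NS": ["ns1.dns-a.test", "ns2.dns-a.test"],
        "EPP_STATUS": ["ok"],
    },
}

# EPP status codes that indicate a registrar- or registry-level lock is in place.
LOCK_STATUSES = {
    "clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited",
    "serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited",
}


def spf_qualifier(txt_records: List[str]) -> str:
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'),
    'no-all' if the record has no 'all' term, or 'missing' if there is no SPF record."""
    for rec in txt_records:
        value = rec.strip('"').lower()
        if value.startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", value)
            if not m:
                return "no-all"
            return m.group(1) or "+"   # a bare 'all' is equivalent to '+all'
    return "missing"


def dmarc_policy(txt_records: List[str]) -> str:
    """Return the DMARC p= tag ('none', 'quarantine', 'reject') or 'missing'."""
    for rec in txt_records:
        value = rec.strip('"')
        if value.upper().startswith("V=DMARC1"):
            tags = {}
            for tag in value.split(";"):
                key, _, val = tag.partition("=")
                if val:
                    tags[key.strip().lower()] = val.strip().lower()
            return tags.get("p", "missing")
    return "missing"


def assess_domain(rec: Dict) -> List[str]:
    """Return a list of protection gaps for one domain, given its records."""
    gaps = []
    q = spf_qualifier(rec.get("TXT", []))
    if q == "missing":
        gaps.append("no SPF record: any host can send mail claiming this domain")
    elif q == "no-all":
        gaps.append("SPF record has no 'all' mechanism: unlisted senders get a neutral result")
    elif q in ("+", "?"):
        gaps.append(f"SPF ends in '{q}all': unauthorised senders are not failed")
    elif q == "~":
        gaps.append("SPF uses '~all' (softfail); move to '-all' once DMARC reports confirm the sender list")

    p = dmarc_policy(rec.get("_dmarc.TXT", []))
    if p == "missing":
        gaps.append("no DMARC record: receivers are not told to reject spoofed mail")
    elif p == "none":
        gaps.append("DMARC p=none is monitor-only: spoofed mail is still delivered")

    if not rec.get("CAA"):
        gaps.append("no CAA record: any public CA may issue certificates for this name")
    if not rec.get("DNSKEY"):
        gaps.append("zone is not DNSSEC-signed: forged DNS answers could redirect the site")

    providers = {ns.split(".", 1)[1] for ns in rec.get("NS", [])}
    if len(providers) < 2:
        gaps.append("all nameservers sit with one provider: no DNS hosting redundancy against DDoS")

    if not LOCK_STATUSES & set(rec.get("EPP_STATUS", [])):
        gaps.append("no registrar/registry lock status: a transfer or DNS change needs only account credentials")
    return gaps


def assess_portfolio(records: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each domain to its gaps, so core domains with the most gaps can be fixed first."""
    return {domain: assess_domain(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, gaps in assess_portfolio(SAMPLE_RECORDS).items():
        print(f"{domain}: {len(gaps)} gap(s)")
        for g in gaps:
            print("  -", g)
```

Run over a real portfolio, the same functions would be fed from DNS queries and the registrar's status output; the point of keeping the checks separate from the data source is that the gap list can then be joined against the list of core domains to produce the prioritised remediation list the section describes.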

It is also generally advisable for brand owners to review their portfolio of tactical domains and determine where additional registrations may be required. Again, registrars geared towards the provision of services for large corporations will generally be able to assist with this determination. Typically, this assessment will include a domain availability analysis, where domain names consisting of key brand terms (particularly the brand name itself) as the second-level domain name (SLD)[11], across the full set of possible domain-name extensions (top-level domains, or TLDs), are investigated to see whether they are currently owned by the brand owner, are owned by third parties, or are available for registration. Where domain names are owned by third parties, it may be appropriate to launch enforcement or acquisition actions, depending on a number of factors (such as whether the domain name constitutes an infringement of intellectual property, or whether the brand owner would like to take ownership of the domain), or to monitor the domain name for future changes to site content or configuration features. These might include the presence of (for example) MX[12] records, which can indicate that the domain is being 'weaponised' for use of its e-mail functionality.

When considering which available domains may be desirable to register, there are several points to bear in mind. The most relevant domain names are likely to be those where the SLD consists just of the brand name itself. In general, it will be advisable to register these domains across all common TLDs and those corresponding to countries where the company has current or planned business operations. However, previous studies have established that there are also specific ('high-threat') TLDs which tend to be generally popular with fraudsters and infringers[13] (for example, those where the domain-name providers offer low- or no-cost domain registrations or have lax registration security policies[14]), so it may also be advantageous to secure key domain names across these extensions to prevent them being utilised elsewhere. Outside of these areas, domain names including high-relevance keywords, or typo / character-substitution variants commonly used by bad actors, may also be worth securing. For example, accented or non-Latin characters which appear visually similar to ordinary Latin characters, or replaced characters which are adjacent on standard keyboard layouts, are commonly used by infringers to create typo domain names which are deceptive or designed to collect misdirected web traffic[15,16]. However, a defensive policy can only take a brand owner so far; in practice, there are infinite variations of official corporate domain names which can be registered by bad actors, so management of a comprehensive corporate domain portfolio should always be accompanied by a robust brand-protection solution to monitor potentially harmful third-party activity.

ii. The Internet landscape

The first step in an online brand protection programme is often a one-off landscape audit, to determine the scope and scale of the issues, and determine which Internet channels present the greatest problems. Some of this assessment can be carried out using simple manual searches - for example, it may be beneficial (for brand owners associated with the manufacture of physical goods which may be subject to counterfeiting and other types of e-commerce infringements) to carry out a 'marketplace sweep'. In its simplest form, this involves carrying out searches for the brand name across a range of popular e-commerce marketplaces, to determine how many results are returned. Using assumptions about the proportions of listings which are typically infringing on each site (potentially combined with additional filtering if, for example, the brand name is a relatively generic term in its own right), it is possible to make a high-level estimation of the total number and value of infringing listings on each site, which can be used as an input for a potential return-on-investment calculation[17].

However, in practice, a full assessment of the infringement landscape can be carried out only by a comprehensive brand-monitoring scan. Brand-protection service providers will typically use monitoring technology to carry out searches, which may incorporate keyword-based and image-search or matching components, often with elements of artificial intelligence or machine learning, to automatically categorise and prioritise results. In many cases, this is then accompanied by manual analysis, to exclude false positives and extract the most significant findings. 

When carrying out any kind of online brand monitoring project, there are a number of factors to consider:

  • It is generally advisable to approach the problem holistically and cover as many channels as possible, typically incorporating (where appropriate) general Internet content (including branded domain names), social media, e-commerce platforms, mobile apps, and so on. This is important both because these areas are essentially just different environments where the same types of infringement can occur, and also because these channels are becoming increasingly interlinked, and the distinctions between them increasingly blurred.
  • Monitoring should make use of multiple data sources, in order to ensure that coverage is as comprehensive as possible. Typically these might include:
    • Internet metasearching and web crawling - This involves the submission of brand- and industry-related terms to search engines, analysing the pages returned, and crawling hyperlinks. Whilst it is not possible to identify all potentially threatening content via this route, it does address the areas of the Internet which have highest 'visibility' and are most likely to be encountered by general web users.
    • Domain-name zone-file analysis - Many brand-protection service providers will have access to zone files, which are datafiles published by the operators of registry organisations (the entities overseeing the infrastructure of specific domain-name extensions, or TLDs), and contain lists of all registered domain names across the TLD in question. By downloading and analysing these zone-files on a regular (typically daily) basis, and comparing current with previous versions, it is possible to identify the registration of new domains with names containing strings of interest (such as a brand name). This technique can yield comprehensive and timely detection of relevant branded domain names across TLDs where zone files are available; however, for some domain extensions (particularly country-specific TLDs), registries are not obliged to publish the zone files, so the information may be incomplete or unavailable. Some of these gaps can be filled in using other techniques, such as parallel look-ups (checking for the existence of 'cousin' versions of detected domains (i.e. those with the same SLD) across other domain extensions), or searches across the full set of TLDs for the existence of domains with specific name-strings (SLDs) of interest. The most sophisticated domain-monitoring solutions are also able to intelligently search for domains containing brand variants (such as fuzzy matches - including missing, additional, replaced, or transposed characters - or soundalike versions)[18].
    • Direct site querying - For sites known to be of interest in advance of the monitoring (such as specific social-media platforms, e-commerce marketplaces, mobile app stores, etc.), it may be possible to search the sites directly using their own in-built search functionality or (if available) via an API, which provides relevant data in a structured, database-like format.
    • Phishing detection techniques - Some of the most egregious infringements (such as fake sites soliciting for the input of customer credentials) may not be accessible through any of the above monitoring techniques (for example, if the infringing site does not feature the brand name in the domain name, and is not linked-to from other sites which are indexed by search engines), and may be designed to receive traffic only (for example) via links in specifically-constructed e-mails. In these cases, it may be appropriate to augment 'classic' brand-monitoring methodologies with other techniques, such as the use of spam traps and honeypots, and other data feeds like customer abuse mailbox data and webserver logs[19].
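The zone-file comparison described under "Domain-name zone-file analysis", together with the typo and character-substitution variants discussed earlier under the corporate domain portfolio, can be demonstrated with the following added Python example (not code from the original article or from any monitoring vendor). It diffs two constructed daily zone-file extracts, keeps only the newly registered names, and flags those that contain the brand string or lie within one edit (a missing, additional, replaced or transposed character) of it after collapsing common look-alike sequences; it also produces the 'cousin' names to look up in extensions whose zone files are not published. The brand name, the zone extracts and the small homoglyph table are assumptions of the example.

```python
from typing import Dict, List, Optional, Set

BRAND = "acmebank"   # constructed brand name, not a real one

# Constructed extracts of two daily zone-file snapshots for one TLD (one name per line,
# comment lines starting with ';'). They are made up for illustration.
ZONE_YESTERDAY = """\
; snapshot day 1
acmebank.com.
acmebank-support.com.
weather-today.com.
"""
ZONE_TODAY = """\
; snapshot day 2
acmebank.com.
acmebank-support.com.
weather-today.com.
acmebnak.com.
acme-bank-login.com.
acrnebank.com.
bigcompany.com.
"""

# Character sequences that render like another letter in common fonts (assumed, minimal table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def parse_zone(text: str) -> Set[str]:
    """Return the registered names in a zone extract, lowercased, without the trailing dot."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            names.add(line.rstrip(".").lower())
    return names


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: one edit is an inserted, deleted, replaced or
    transposed adjacent character, i.e. the four typo classes named in the text."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalise(s: str) -> str:
    """Collapse look-alike sequences so 'acrnebank' compares equal to 'acmebank'."""
    for seq, glyph in HOMOGLYPHS.items():
        s = s.replace(seq, glyph)
    return s


def classify(domain: str, brand: str, max_distance: int = 1) -> Optional[str]:
    """Return why a name is of interest ('contains-brand' or 'fuzzy-match'), else None."""
    sld = domain.split(".")[0]
    compact = sld.replace("-", "")          # 'acme-bank-login' -> 'acmebanklogin'
    if brand in compact:
        return "contains-brand"
    if damerau_levenshtein(normalise(compact), normalise(brand)) <= max_distance:
        return "fuzzy-match"
    return None


def triage_zone_delta(previous: str, current: str, brand: str) -> Dict[str, str]:
    """Diff two snapshots and keep only newly registered names that match the brand."""
    new_names = parse_zone(current) - parse_zone(previous)
    findings = {}
    for name in sorted(new_names):
        reason = classify(name, brand)
        if reason:
            findings[name] = reason
    return findings


def cousin_names(domain: str, tlds: List[str]) -> List[str]:
    """Names to look up in other extensions for a detected domain (the 'parallel look-up'
    used where a TLD publishes no zone file)."""
    sld = domain.split(".")[0]
    return [f"{sld}.{tld}" for tld in tlds if f"{sld}.{tld}" != domain]


if __name__ == "__main__":
    for name, reason in triage_zone_delta(ZONE_YESTERDAY, ZONE_TODAY, BRAND).items():
        print(f"{name}: {reason}; also check {cousin_names(name, ['net', 'org'])}")
```

A production watch list would widen `classify` with soundalike matching and a larger homoglyph table, and would feed each flagged name into the prioritisation step described later, since a fuzzy match alone says nothing about whether the domain is yet being used.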

Determining where ongoing action is required

An initial audit of the pre-existing infringement landscape will help to identify the immediate areas of priority for ongoing monitoring, though it is generally advisable to maintain an element of holistic monitoring for the appearance of new threats across all relevant channels, combined with partnership with one or more consultancy providers who can advise on the emergence of new areas of potential concern.

In order to deal with identified infringements, the central idea is the use of enforcement techniques to ensure the deactivation of threatening content. The most effective enforcement programmes will offer a 'toolkit' of possible approaches, from low-cost, low-complexity, primary actions such as cease-and-desist (C&D) notices, through secondary approaches like host-level content removals or registrar- or registry-level suspensions, up to longer-term, complex tertiary approaches like domain-dispute processes and legal actions. This allows the brand owner to select the most cost-effective and efficient approach in any given case, whilst reserving other options for when escalation is required[20]. Enforcement not only protects the brand and its customers, but can provide a deterrent effect to infringers and can be a pre-requisite for retaining IP protection.

A key element of this aspect of the programme is the ability to prioritise the identified findings. Typically, a brand-monitoring solution will identify large numbers of findings of potential interest, and it is therefore essential to be able to determine which present the greatest level of actual (or potential future) threat, so as to be able to focus the initial enforcement efforts (or the targets for ongoing monitoring) in the most impactful places. 

This prioritisation process can incorporate a range of different ideas:

  • To a high level, infringements can be categorised into a number of types (comprising categories such as phishing, traffic diversion, negative brand association, potential brand confusion, false affiliation, etc.), which can themselves be assigned severity classifications. The exact specifications may vary from one brand owner to another (based on industry area, individual views on level of threat, risk tolerance, and so on), but might broadly be categorised as lower-threat 'brand abuse' (covering unenforceable content or simple breaches of corporate guidelines), through 'brand infringement' (constituting contravention of intellectual property protection), up to 'brand fraud' (where the brand usage is actively criminal, such as phishing or the sale of counterfeits).
  • Individual infringements can also be analysed using algorithms to quantify the level of threat they pose (or are likely to present in the future). This methodology can use a variety of the website’s characteristics as its inputs, many of which can be applied even when there is not yet any active site content. These characteristics might include features such as:
    • (If present,) the nature of any active content on the website.
    • The similarity of the domain name to that of the brand owner's official website (or the presence of brand-name variations, typos, etc.).
    • The domain name extension (TLD) – of particular concern will be the use of a 'high-threat' TLD.
    • The amount of web traffic received by the site.
    • Characteristics of the registrant, registrar or ISP (hosting provider) (specifically taking account of features such as the use of privacy-protection services, webmail e-mail addresses, high-threat or non-compliant service providers, locations in countries where enforcement is difficult, etc.).
    • The presence of an MX record - this indicates that the domain has been configured to be able to send and receive e-mails and could therefore be associated with phishing activity.
  • Clustering technology can be used to group together related infringements on the basis of shared characteristics. This can be advantageous as it can help identify instances of serial infringers which may be targets for prioritised enforcement action, can reveal evidence of bad-faith activity (e.g. multiple distinct brands being targeted) which can help build a stronger case for enforcement, and raises the possibility of efficient bulk takedowns in a single action.
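The scoring and clustering ideas in the list above can be made concrete with the following added Python example (not code from the original article or from any brand-protection product). It scores constructed findings from the features listed (active content, name similarity, TLD, traffic, registrant characteristics and the presence of an MX record), so that a domain with no content yet can still rank high; maps each finding onto the three severity tiers described earlier; and groups findings that share a registrant e-mail address or nameserver using a union-find, so serial infringers and bulk-takedown candidates stand out. The findings, field names, weights and the content-to-severity mapping are all assumptions of the example.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed findings in the shape a monitoring feed might export. Every value is made
# up for illustration; the field names are this example's assumptions.
FINDINGS = [
    {"domain": "acmebank-login.example", "content": "credential form", "brand_similarity": 0.9,
     "tld_high_threat": True, "monthly_visits": 1200, "privacy_protected": True,
     "webmail_registrant": True, "registrant_email": "x1@webmail.test",
     "has_mx": True, "nameserver": "ns1.cheaphost.test"},
    {"domain": "acmebnak.example", "content": "none", "brand_similarity": 0.85,
     "tld_high_threat": True, "monthly_visits": 0, "privacy_protected": True,
     "webmail_registrant": False, "registrant_email": None,
     "has_mx": True, "nameserver": "ns1.cheaphost.test"},
    {"domain": "acmebank-deals.test", "content": "pay-per-click", "brand_similarity": 0.7,
     "tld_high_threat": False, "monthly_visits": 300, "privacy_protected": False,
     "webmail_registrant": True, "registrant_email": "x1@webmail.test",
     "has_mx": False, "nameserver": "ns.parking.test"},
    {"domain": "acme-bank-fans.test", "content": "none", "brand_similarity": 0.6,
     "tld_high_threat": False, "monthly_visits": 100, "privacy_protected": False,
     "webmail_registrant": False, "registrant_email": "fan@isp.test",
     "has_mx": False, "nameserver": "ns.hostco.test"},
]

# Assumed weights; a brand owner would tune these to its own risk tolerance.
CONTENT_WEIGHT = {"credential form": 40, "counterfeit sale": 35, "pay-per-click": 15, "none": 0}
WEIGHTS = {"brand_similarity": 20, "tld_high_threat": 10, "traffic": 10,
           "privacy_protected": 5, "webmail_registrant": 5, "has_mx": 10}
TRAFFIC_CAP = 1000   # visits/month at which the traffic feature reaches full weight

# Assumed mapping from content type to the three-tier severity model in the text.
SEVERITY_BY_CONTENT = {"credential form": "brand fraud", "counterfeit sale": "brand fraud",
                       "pay-per-click": "brand infringement", "none": "brand abuse"}


def threat_score(f: Dict) -> int:
    """Weighted 0-100 score. Works with no active content because most inputs are
    properties of the domain name, registrant and DNS rather than of the page."""
    s = CONTENT_WEIGHT.get(f.get("content", "none"), 0)
    s += round(WEIGHTS["brand_similarity"] * f.get("brand_similarity", 0.0))
    s += round(WEIGHTS["traffic"] * min(f.get("monthly_visits", 0), TRAFFIC_CAP) / TRAFFIC_CAP)
    for flag in ("tld_high_threat", "privacy_protected", "webmail_registrant", "has_mx"):
        if f.get(flag):
            s += WEIGHTS[flag]
    return min(s, 100)


def severity(f: Dict) -> str:
    """Tier by the nature of the content; the score then orders findings within a tier."""
    return SEVERITY_BY_CONTENT.get(f.get("content", "none"), "brand abuse")


def prioritise(findings: List[Dict]) -> List[Dict]:
    """Order findings for enforcement or monitoring, highest score first."""
    return sorted(findings, key=threat_score, reverse=True)


def cluster(findings: List[Dict], keys=("registrant_email", "nameserver")) -> List[List[str]]:
    """Group findings that share any linking attribute (union-find), largest group first."""
    parent = list(range(len(findings)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    first_seen: Dict[tuple, int] = {}
    for idx, f in enumerate(findings):
        for key in keys:
            value = f.get(key)
            if not value:
                continue          # e.g. registrant hidden behind a privacy service
            if (key, value) in first_seen:
                parent[find(idx)] = find(first_seen[(key, value)])
            else:
                first_seen[(key, value)] = idx

    groups: Dict[int, List[str]] = defaultdict(list)
    for idx, f in enumerate(findings):
        groups[find(idx)].append(f["domain"])
    return sorted(groups.values(), key=len, reverse=True)


if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"{threat_score(f):3d}  {severity(f):18s} {f['domain']}")
    print("clusters:", cluster(FINDINGS))
```

In the constructed data the parked `acmebnak.example` has no content yet but still scores 42, because it sits on a high-threat TLD behind privacy protection with an MX record, which is exactly the kind of not-yet-active domain the text suggests should be watched; the clustering then links it, via a shared nameserver, to the live credential-harvesting site, and that site in turn to the pay-per-click domain through a shared registrant address.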

Conclusion

A thorough brand risk assessment is essential to ensure that the resources associated with a cybersecurity and brand-protection programme are focused in the correct places. Typically, this process involves:

  • An initial assessment of the key areas of concern, using:
    • (For the official domain portfolio,) a review of all domains in the portfolio, to determine: (a) which are the critical 'core' domains; (b) which security measures are currently in place for each domain; and (c) what are the 'gaps' in the domain portfolio.
    • (For general Internet content,) a broad sweep across a wide range of channels and using a comprehensive set of data-collection techniques.
  • Filtering and prioritisation of the findings to identify the targets for follow-up action (i.e. additional domain security measures to be deployed, requirements for additional defensive domain registrations, and the key third-party infringements requiring enforcement action or future monitoring).
  • Implementation of the above actions and ongoing monitoring.

It is also generally appropriate to include a subsequent periodic review process, to assess the impact of the programme and realign strategies where necessary. Impact is often measured through some sort of return-on-investment calculation, which can typically be much more robust once specific measurable mediating actions (such as enforcement takedowns) have been carried out[21].

The choice of a suitable service provider with which to partner is frequently a crucial component of this process. An enterprise-class provider will typically be able to offer a more holistic range of security products and solutions, will avoid practices (such as the operation of domain marketplaces, and monetisation of trademarked domain names using pay-per-click links) which can contribute to fraud and brand abuse, and will typically operate under strict internal security policies to reduce the risk of hacks and data breaches[22,23,24,25]. Use of an enterprise-class provider also generally improves the security posture of a brand owner, increasing the ease of access to - and lowering the cost of - cyberinsurance[26,27]. Brand owners should also be mindful of their selection of suppliers and vendors more generally, as bad actors frequently target corporations via the weakest point in their supply chain, particularly at times of heightened vulnerability arising from external real-world events[28,29].

References

[1] https://www.cscdbs.com/blog/brand-abuse-and-ip-infringements/

[2] https://www.linkedin.com/pulse/holistic-brand-fraud-cyber-protection-using-domain-threat-barnett/

[3] https://www.linkedin.com/pulse/rise-nft-david-barnett

[4] https://www.cisa.gov/stopransomware/general-information

[5] https://securityboulevard.com/2022/07/online-brand-abuse-is-a-cybersecurity-issue/

[6] DNSSEC = Domain Name System Security Extensions

[7] SPF = Sender Policy Framework

[8] DMARC = Domain-based Message Authentication, Reporting and Conformance

[9] DKIM = Domain Keys Identified Mail

[10] CAA = Certification Authority Authorisation

[11] The second-level domain name (SLD) is the part of the domain name to the left of the dot

[12] MX = Mail exchange

[13] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-2/

[14] https://www.cscdbs.com/blog/the-highest-threat-tlds-part-1/

[15] https://www.cscdbs.com/en/resources-news/threatening-domains-targeting-top-brands/

[16] https://www.cscdbs.com/assets/pdfs/Domain_Security_Report_2021.pdf

[17] https://www.worldtrademarkreview.com/anti-counterfeiting/return-investment-proving-protection-pays

[18] https://www.worldtrademarkreview.com/global-guide/anti-counterfeiting-and-online-brand-enforcement/2022/article/creating-cost-effective-domain-name-watching-programme

[19] https://www.cscdbs.com/blog/the-continued-rise-of-phishing-and-the-case-of-the-customizable-site/

[20] https://www.cscdbs.com/blog/four-steps-to-an-effective-brand-protection-program/

[21] https://www.linkedin.com/pulse/calculation-return-investment-brand-protection-thoughts-david-barnett/

[22] https://www.cscdbs.com/en/resources-news/impact-of-covid-on-internet-security/

[23] https://vmblog.com/archive/2023/01/11/csc-2023-predictions-staying-secure-in-2023-and-making-it-the-year-of-action.aspx

[24] https://techbeacon.com/enterprise-it/enterprise-it-predictions-2023

[25] https://www.cscdbs.com/en/resources-news/domain-security-report/ (2022)

[26] https://securityscorecard.com/resources/the-impact-of-enterprise-class-domain-registrar-utilization-on-overall-security-ratings

[27] https://www.wsj.com/articles/buying-cyber-insurance-gets-trickier-as-attacks-proliferate-costs-rise-11659951000

[28] https://www.cscdbs.com/en/resources-news/supply-chain-report-form/

[29] https://www.csoonline.com/article/3672155/global-companies-say-supply-chain-partners-expose-them-to-ransomware.html

This article was first published on 10 February 2023 at:

https://www.linkedin.com/pulse/assessing-mediating-digital-risk-landscape-brand-david-barnett/
