Overview
"Newly Seen Domains" (NSD) is a new security category that identifies domains that have been queried for the first time within the previous few days by customers of Cisco Umbrella. This security category works the same as any other security category and can be enabled as part of an existing security setting or a new one. Typically, domains stay in the list for between one and three days, but it isn't fixed to a set period of time.
How We Define a Domain as “Newly Seen”
New domains are often 'spun-up' as part of new malware campaigns; the bad actors behind the campaigns use new domains because they’re not known to traditional signature-based methods of blocking known bad websites. For instance, a phishing campaign might create a new domain to go along with a major spam campaign encouraging people to click on a link. The link isn't known to be part of this campaign just yet and isn't blocked by standard lists of known-bad domains—and before it’s added to those lists, there’s plenty of time for criminals to exfiltrate data, install malware and get inside a network.
The Newly Seen Domains (NSD) security category works by checking our DNS logs to see lookups for domains that we have never seen lookups for in the past. We notice a lookup from a client—whether or not that domain actually resolves to an IP address—and record that lookup as 'newly seen' if it's new to our records of DNS lookups. In some cases where a domain doesn't actually resolve, the domain will be getting 'pinged' by malware but won't actually have any content hosted there just yet. This often happens when the malware 'cycles' through hard-coded hostnames trying to find a command and control host to connect back to. This security category helps identify domains that fit that description.
Once an NSD is first seen, it's added to a list from which it eventually expires, at which point it is no longer ‘newly seen’. The expiry time depends on the characteristics of the top-level domain (TLD) and the provider of the IP space/registrant, in addition to the characteristics of the parent domain (2LD) if the newly seen domain is a subdomain. Some IP blocks are much likelier to host malicious domains, whereas others are more traditionally used for known-good content such as content delivery networks (CDN). Known-good content will expire more quickly than content on known-bad hosting blocks.
A report records the category that a domain was under at the time it was queried, so if a domain has been categorized as 'newly seen' when it was queried, it will report as such in the Activity Search or Security Activity report. However, once the domain has expired from the list, pivoting on that domain against current data about it—especially using our new Destinations or Identities reports, or the Investigate Console, or Investigate API—will no longer show that domain as 'newly seen'. In short, revisiting a domain several days later may no longer show it as 'newly seen' in Umbrella. This is as designed but may lead to some confusion initially.
The only real definition of a 'newly seen domain' is exactly that—it's newly seen. As a result, a significant portion of the domains that are categorized as ‘newly seen’ will not, in fact, be malicious and detections of good domains are expected to occur with this security category. We have taken some precautions against this happening, especially for certain services and CDNs like Akamai and Cloudfront that generate randomized subdomains to serve content. We've also used our traditional assurances against highly popular domains, such as Facebook and Google, to ensure these are not included.
Additionally, only FQDNs (2TLD or a subdomain of a 2TLD) are considered to be 'domains' that are newly seen—TLD and ccTLD are not included in 'newly seen domains' so as to not block large groupings of domains.
Important Notes About Implementation
Given that some unwanted detections can be expected, we highly recommend that you start using this report in 'audit mode' or 'detect only mode' without blocking or taking any action. By default, anyone with this category available in their security settings will see 'newly seen domains' as detections in the reports. This effectively means the feature is enabled without any blocking by default. In most cases, you should use reports to see what traffic is matching the category and use that information to research these domains in more depth to see if they could potentially represent a security threat rather than automatically blocking.
Another major caveat is that the first query to the domain will be allowed; this is simply because we have never seen a query to that domain before and as such, it hasn't been processed by our logging systems to be included as part of the 'Newly Seen Domains' category. The time gap between when a domain is first queried and before it appears in the list of domains matching the category is only about five minutes, but can extend beyond that because we don't necessarily process 100% of the DNS query logs we see (due to processing time and volume).
Important note: A domain will enter the process to be flagged as newly seen not when it is first created or "seen" on an authoritative nameserver, but rather when it is sampled in a DNS query to our Umbrella resolvers. Not every DNS query to Umbrella is sampled, and therefore some very low traffic domains may not be flagged as newly seen immediately after the first DNS query hits our resolvers.
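A simplified model of the lifecycle described above (first lookup allowed, a short processing gap, then 'newly seen' until expiry), added here as an illustration and not Cisco's implementation. The five-minute lag, the one- and three-day expiry windows, the two hosting classes, the exclusion list and the log lines are assumptions or constructed sample data.

```python
from datetime import datetime, timedelta

# Assumed values: the page says only "about five minutes" and "one to three days".
PROCESSING_LAG = timedelta(minutes=5)
TTL = {"cdn": timedelta(days=1), "risky": timedelta(days=3)}
POPULAR = {"google.com", "facebook.com"}  # constructed exclusion list

# Constructed log: timestamp, queried name, response code, hosting class.
SAMPLE_LOG = """\
2024-05-01T10:00:00 c2-a1.badhost.test NXDOMAIN risky
2024-05-01T10:02:00 c2-a1.badhost.test NXDOMAIN risky
2024-05-01T10:06:00 c2-a1.badhost.test NOERROR risky
2024-05-01T10:07:00 x9f3.assets.test NOERROR cdn
2024-05-01T10:08:00 mail.google.com NOERROR cdn
2024-05-01T10:09:00 test NXDOMAIN risky
2024-05-02T10:30:00 x9f3.assets.test NOERROR cdn
2024-05-03T09:00:00 c2-a1.badhost.test NOERROR risky
"""


class NewlySeenTracker:
    def __init__(self):
        self.first_seen = {}  # name -> (first lookup time, expiry time)

    def classify(self, ts, qname, hosting):
        name = qname.rstrip(".").lower()
        labels = name.split(".")
        # Bare TLDs are never eligible. Naive last-two-labels check; handling
        # ccTLDs properly would need the Public Suffix List.
        if len(labels) < 2 or ".".join(labels[-2:]) in POPULAR:
            return "not-eligible"
        if name not in self.first_seen:
            self.first_seen[name] = (ts, ts + TTL[hosting])
            return "allowed-first-query"  # never seen before, so nothing to match yet
        seen, expiry = self.first_seen[name]
        if ts < seen + PROCESSING_LAG:
            return "allowed-pending"  # still inside the processing gap
        return "newly-seen" if ts < expiry else "expired"


def replay(log_text):
    """Classify each line; the response code is ignored (NXDOMAIN lookups count too)."""
    tracker, verdicts = NewlySeenTracker(), []
    for line in log_text.splitlines():
        stamp, qname, _rcode, hosting = line.split()
        verdicts.append((qname, tracker.classify(datetime.fromisoformat(stamp), qname, hosting)))
    return verdicts
```

Calling `replay(SAMPLE_LOG)` shows the non-resolving name being matched only from its third lookup, and the CDN-hosted name expiring two days before the one on riskier hosting.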
Proxying Newly Seen Domains: Customers taking advantage of the Umbrella Intelligent Proxy will also see that some domains in the NSD category are proxied. This is as designed. Our Umbrella Labs team is using the data gathered through proxying these new domains to determine if they should be added to the malware categories immediately. One side-effect of this is that non-standard traffic that is sent to a 'newly seen' domain that is also being proxied will be dropped at the proxy level. The intelligent proxy only proxies ports 80 and 443, the ports traditionally used for web traffic.
This happens automatically when the proxy is enabled, whether or not the category is blocked. To have a single newly seen domain not be proxied, add it to the appropriate allow list.
More information can be found here: Enable the Intelligent Proxy
Turning on Newly Seen Domains
The Newly Seen Domain security category can be enabled like any other under Policies > Security Settings, then editing an existing security setting. Or, it can be done within the policy configuration wizard itself.
Newly Seen Domains can also be used as a filter in certain reports, such as Activity Search.