Newly Seen Domains Security Category

Overview

"Newly Seen Domains" (NSD) is a  security category that identifies domains that have been queried for the first time within the past 24 hours by any user of Cisco Umbrella DNS service (including the free OpenDNS service for home users). This security category works the same as any other security category and can be enabled as part of an existing security setting or a new one. Domains stay in the list for a period of 24 hours.

How We Define a Domain as “Newly Seen”

New domains are often 'spun-up' as part of new malware campaigns; the bad actors behind the campaigns use new domains because they’re not known to traditional signature-based methods of blocking known bad websites. For instance, a phishing campaign might create a new domain to go along with a major spam campaign encouraging people to click on a link. The link isn't known to be part of this campaign just yet and isn't blocked by standard lists of known-bad domains—and before it’s added to those lists, there’s plenty of time for criminals to exfiltrate data, install malware and get inside a network.

The Newly Seen Domains (NSD) security category works by checking our DNS logs to see lookups for domains that we have never seen lookups for in the past. Due to the volume of invalid queries we see, for a domain to get marked as newly seen, we must see the client’s query get properly answered. Once a domain is first seen, it's added to a list for 24 hours. After that, the domain will no longer be ‘newly seen’ and will be removed from the list.

A report records the category that a domain was under at the time it was queried, so if a domain has been categorized as 'newly seen' when it was queried, it will report as such in the Activity Search or Security Activity report. However, once the domain has expired from the list, pivoting on that domain against current data about it—especially using our new Destinations or Identities reports, or the Investigate Console, or Investigate API—will no longer show that domain as 'newly seen.’ In short, revisiting a domain several days later may no longer show it as 'newly seen' in Umbrella. This is as designed but may lead to some confusion initially.

The only real definition of a 'newly seen domain' is exactly that—it's newly seen. As a result, a significant portion of the domains that are categorized as ‘newly seen’ will not, in fact, be malicious and detections of good domains are expected to occur with this security category. We have taken some precautions against this happening, especially for certain services and CDNs like Akamai and Cloudfront that generate randomized subdomains to serve content. We've also used our traditional assurances against highly popular domains, such as Facebook and Google, to ensure these are not included. 

Additionally, only fully-qualified domain names (second-level domain or a subdomain of a second-level domain) are considered to be 'domains' that are newly seen — top-level domains and country-code top-level domains are not included in 'newly seen domains' so as to not block large groupings of domains.

Important Notes About Implementation

Given that some unwanted detections can be expected, we highly recommend that you start using this report in 'audit mode' or 'detect only mode' without blocking or taking any action. By default, anyone with this category available in their security settings will see 'newly seen domains' as detections in the reports. This effectively means the feature is enabled without any blocking by default. In most cases, you should use reports to see what traffic is matching the category and use that information to research these domains in more depth to see if they could potentially represent a security threat rather than automatically blocking.

Another major caveat is that the first query to the domain will be allowed; this is simply because we have never seen a query to that domain before and as such, it hasn't been processed by our logging systems to be included as part of the 'Newly Seen Domains' category. The time gap between when a domain is first queried and before it appears in the list of domains matching the category is only about five minutes, but can extend beyond that because we don't necessarily process 100% of the DNS query logs we see (due to processing time and volume).

Important note: Due to the scale of Umbrella’s DNS logs we don’t process all of them in the system that identifies newly seen domains. Instead, we take a representative sample to ensure we categorize the majority of new domains in a timely fashion. However, this means that for very low volume domains there might be a delay in their categorization because these queries might not initially appear in the sampled dataset.

Proxying Newly Seen Domains: Customers taking advantage of the Umbrella Intelligent Proxy will also see that some domains in the NSD category are proxied.  This is as designed. Our Umbrella Labs team is using the data gathered through proxying these new domains to determine if they should be added to the malware categories immediately.  One side-effect of this is that non-standard traffic that is sent to a 'newly seen' domain that is also being proxied will be dropped at the proxy level.  The intelligent proxy only proxies ports 80 and 443, the ports traditionally used for web traffic. 

This happens automatically when the proxy is enabled, whether or not the category is blocked.  To have a single newly seen domain not be proxied, add it to the appropriate allow list.

More information can be found here: Enable the Intelligent Proxy

Turning on Newly Seen Domains

The Newly Seen Domain security category can be enabled like any other under Policies > Security Settings, then editing an existing security setting. Or, it can be done within the policy configuration wizard itself.

And Newly Seen Domains can be filtered for in certain reports, such as Activity Search.