For decades the free Alexa Top Million websites list has been used by tons of organizations, researchers and security products as a whitelist of benign websites.
The thinking goes that if a website is one of the most frequented on the Internet it’s probably safe. (Or at least not wholly evil. You can’t really say any site is 100% safe because there’s always the possibility that the site has been hijacked or it has inadvertently allowed malicious content to be posted.) While not foolproof, whitelists like the Alexa Top Million are valuable as a coarse-grained way of culling out domain names that have a high probability of being safe. Then you can focus on the domain names left over.
This is useful in security controls all over your network including:
- SIEMs
- Web access through NGFW
- Incoming email security
- Threat hunting
Basically, anywhere you encounter a domain name – it’s valuable to know as much as you can about that domain and how common it is in the larger world.
However, Amazon announced last year that they will be "retiring Alexa.com on May 1, 2022”. So, if you’re using it now, that will fail in just a few weeks. Chances are that more than one of your security technologies will be impacted by this, but you may not notice it right away If you’re using it (and it may not be obvious if you are…need to ask around), you should plan to do something about that in the next couple weeks.
In this webinar, we will look at possible options for replacing the Alexa list and we will dive into the arcane world of ranking top websites. In addition, we’ll explore how effective top websites are as a security technology for identifying likely benign sites.
There are alternatives including:
- Cisco Umbrella
- Majestic
- Quantcast
These lists are not created equal however. They’ve all got different viewpoints on what “top domains” means, so their overlap with Alexa and each other is small, especially down at the bottom of the lists. We’ll explain the differences and show you the overlap between them, and we’ll talk about the practicality of aggregating multiple lists into an average ranking. A group of researchers has already worked on that very idea and have developed a resource called Tranco which we will introduce you to.
No matter how you determine a “top X websites” list it will have its limits in terms of security value because lists can be manipulated and popular doesn’t necessarily mean safe. You really need a lot more information about a domain name to determine its risk. That’s where our sponsor, DomainTools, comes in. Aaron Gee-Clough is a security researcher at DomainTools and will be joining me for this session which is actually Aaron’s idea because his team has been working on where to go from here with regard to their Iris product when Alexa shuts down.
Please join me for this practical and educational real training for free session.