What is website reputation?
Just like people, everything on the internet has a reputation. From websites to files to apps and beyond, each internet object has a history: how it has behaved over time and what relationships it has with other objects. And, just like with people, if an internet object is associated with a bad crowd that’s known for stealing information and spreading malware, then the object itself is probably bad too. If a harmless domain gets hijacked to host a malicious website, the domain’s reputation score will suffer. By association, the other sites linked to that domain may also see these consequences in their own reputations. To improve their reputations after being hijacked, benign objects will need to remain clean and unaffiliated with dangerous internet objects for several months or more. That’s web reputation in a nutshell.
The most important thing about any web reputation service is accuracy, which is usually determined by the breadth, depth, and variety of the data being used. The algorithms used to analyze the relationships between internet objects and determine web reputations must be continually trained by experienced human analysts, and the data they use must be continually refreshed. But with an accurate web reputation source fueling their URL filter, firewall solution, or other network appliance, businesses can rest assured that they’re well on their way to a resilient, proactive cybersecurity posture.
Why is web reputation important?
New websites and online threats have something in common: they both emerge at astonishing rates and often simultaneously. On top of that, dynamically generated web content, mashups, rapid deployments, website structure, and links change very quickly, creating major security gaps and ample opportunities for cybercriminals and malicious actors to cause damage.
Many websites lack adequate security, while others are actually designed to take advantage of unsuspecting visitors. Internet users can be exposed to a wealth of threats, including phishing, keyloggers, spyware, drive-by malware and many other types of malicious code, and these risks are only growing in number with every new website that appears. Legitimate sites get compromised or temporarily hijacked regularly. And malicious websites may shift rapidly between malicious and benign behaviors to avoid detection.
Website reputation intelligence helps protect internet users from known malware sources and malicious or inappropriate content on the internet, typically via a web or URL filtering solution. As an example, if you’ve ever tried to access a web page at work and gotten a “website blocked” notification, then your company is using web filtering.
Administrators and security teams may choose to block a variety of content, both to protect their employees and guests from cybercrime, and to limit access to bandwidth and productivity drains like social media or video streaming sites. Additionally, some web browsers and internet service providers may also use web reputation to help keep you safe from malicious internet content. This type of protection is possible through website reputation.
When implemented correctly, web reputation intelligence can provide an accurate, up-to-date risk assessment of a given website at the moment a user attempts to access the URL, independent of its site category. This capability is extremely important because it ensures protection against sites that have only very recently been created, compromised or hijacked.
How do you determine a web reputation score?
To produce an accurate web reputation score, it’s important to consider a variety of factors and context. For example, a website that is well-trafficked, well-known and associated with numerous trusted IP addresses has a higher chance of being secure. But a relatively new or unknown URL may present a hazard. If that unknown URL is also associated with a suspicious or malicious IP, then the site poses a higher risk.
Here are some of the parameters that may be used in gauging website reputation.
- URL category
- Age of a URL
- History of a URL
- Domain reputation
- IP reputation
- Presence of downloadable files or code
- Previous association with malicious internet objects
- Current association with malicious internet objects
- Hosting location
- Real-time performance
- Website and/or network owner
- Presence on any block/allow lists
By analyzing characteristics like the ones outlined above and assigning levels of importance to them, you can get a very accurate, even predictive picture of the amount of risk a website is likely to pose.
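The weighting described above, sketched as an added example that is not Webroot's algorithm or code from the original page. The weights, the 0 to 100 risk scale, the 365-day "new URL" window and the 180-day recovery window (standing in for "several months") are all assumptions, and the sample sites are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed values: the page names the factors but publishes no weights.
WEIGHTS = {"ip": 0.30, "current": 0.30, "past": 0.20, "age": 0.10, "files": 0.10}
RECOVERY_DAYS = 180  # assumption: "several months" as a linear 180-day decay
MATURE_DAYS = 365    # assumption: a URL stops counting as "new" after a year

@dataclass(frozen=True)
class Site:
    age_days: int
    ip_risk: float                       # 0.0 trusted hosting IP .. 1.0 known-malicious IP
    linked_to_malicious_now: bool
    days_since_malicious: Optional[int]  # None = never associated with malicious objects
    has_downloads: bool
    on_blocklist: bool = False

def risk_score(s: Site) -> int:
    """Risk from 0 (lowest) to 100 (highest) on a constructed scale."""
    if s.on_blocklist:                   # an explicit block-list entry overrides scoring
        return 100
    newness = max(0.0, 1 - s.age_days / MATURE_DAYS)
    past = 0.0
    if s.days_since_malicious is not None:
        # A previous bad association fades only while the site stays clean.
        past = max(0.0, 1 - s.days_since_malicious / RECOVERY_DAYS)
    total = (WEIGHTS["ip"] * s.ip_risk
             + WEIGHTS["current"] * s.linked_to_malicious_now
             + WEIGHTS["past"] * past
             + WEIGHTS["age"] * newness
             + WEIGHTS["files"] * s.has_downloads)
    return round(100 * total)

# Constructed sample sites
established = Site(3000, 0.1, False, None, True)
new_on_bad_ip = Site(2, 0.9, False, None, False)
hijacked = replace(established, linked_to_malicious_now=True, days_since_malicious=0)
cleaned_90d = replace(hijacked, linked_to_malicious_now=False, days_since_malicious=90)
cleaned_180d = replace(cleaned_90d, days_since_malicious=180)

if __name__ == "__main__":
    for name, site in [("established", established), ("new_on_bad_ip", new_on_bad_ip),
                       ("hijacked", hijacked), ("cleaned_90d", cleaned_90d),
                       ("cleaned_180d", cleaned_180d)]:
        print(f"{name:14} {risk_score(site):3}")
```

The hijacked site's score drops back to its pre-compromise value only after the full recovery window has passed without a new malicious association.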
What website reputation tools are available?
Website reputation tools can be broken out into several categories. The main types are as follows.
Every packet on the internet has a source and a destination IP address. Although you could block all communication to and from known malicious IPs, the shifting threat landscape and the nuance and context around IPs render this process less effective unless you have highly accurate, predictive threat intelligence. By incorporating real-time IP reputation intelligence, enterprises and technology providers can better protect their users and customers from IP-related threats.
Web classification, i.e., the act of categorizing a website or URL by its purpose, continues to be a challenge as new websites keep emerging. Most lists are unable to keep up with volume and speed to provide accurate classifications on new and changing sites. With web classification intelligence, also known as URL classification, enterprises and technology vendors can implement granular web access policies that address key concerns, including protection against online threat sources, bandwidth and productivity drains, legal and compliance liabilities, and more.
As more websites are created, organizations need finely tuned security to protect their users from malicious sites. With web reputation intelligence, a.k.a. URL reputation, enterprises and technology partners can assess a website’s reputation in real or near-real time, at the precise moment a user tries to access it. That way, users are protected from the pitfalls of web pages that are new, unknown, or that change risk status often.
Many of the most dangerous phishing sites are extremely short-lived, existing in the wild for minutes or hours, instead of days. Standard static phishing lists are too slow to keep up with the pace at which these threats evolve. With real-time anti-phishing intelligence, technology partners can perform site scans as a user attempts to access the site, alerting them to potential risk and blocking them from visiting a phishing page.
There are a variety of ways website reputation intelligence can be used to improve security online. Here are some of the more common applications for web reputation, web classification, and IP reputation intelligence.
Strengthening web filtering gateways
Web filtering gateways typically layer multiple security services into a single platform to provide outbound filtering protection from malicious or unwanted websites. Gateways need to be told which websites are malicious or undesirable. While you could take a series of static lists of known bad URLs and IPs and join them together to try to block malicious websites, static lists can’t keep up with websites and IPs whose status switches from benign to malicious and back very quickly. Accurate, timely web classification, web reputation and IP reputation threat intelligence all work to improve the level of security the gateway can provide.
Securing wireless access points
A wireless access point (WAP) allows WiFi-enabled devices to connect to wired networks. Strong content filtering requires a careful balance between protecting users from risks and ensuring they can still access the content they want or need. Many content filters are based on a static list of known URLs, which are often out of date as soon as they are created and lack the nuance and context organizations really need. WAP vendors can incorporate real-time web classification and web and IP reputation services to build in web content filtering that can detect and block malicious activity accurately and before it hits the network. Providing this enhanced security benefit to their customers can also help WAP vendors differentiate themselves from their competition.
Enhancing the capabilities of next-gen firewalls
Next-generation firewalls (NGFWs) enforce security policies at the application, port, and protocol levels to detect and block sophisticated cyberattacks. But by themselves, NGFWs are unable to differentiate between benign and malicious IP addresses. NGFW vendors who incorporate web/URL classification and web and IP reputation feeds benefit from better visibility and control over the traffic that passes through the edge device.
Improving ADC solutions
Application delivery controllers (ADCs) work to improve the security, performance and resilience of applications that are delivered over the internet. As a natural entry point into a given network, ADCs face a growing number of threats from rapidly changing IP addresses, malware activity, DDoS attacks, and other inbound and outbound botnet traffic. ADC vendors who incorporate IP reputation intelligence gain better visibility into the context of inbound connections and can leverage that visibility to better detect and block malicious activity before it hits the network.
Webroot BrightCloud® website reputation services
Webroot offers a range of its BrightCloud Threat Intelligence services to help address numerous website reputation needs. Additionally, intelligence from each of these services is incorporated into the Webroot line of cyber resilience solutions for businesses and home users, ensuring all Webroot customers benefit from world-class threat intelligence.
- BrightCloud IP Reputation Service
Disabling communication to and from malicious IPs is a great way to help stop threats, but you need highly accurate, predictive threat intelligence to do it effectively. With up-to-the-minute IP intelligence, the BrightCloud IP Reputation Service scores IP addresses based on a reputation index to signal which may be a threat to users.
- BrightCloud Web Classification & Web Reputation Services
Web classification can be challenging for businesses looking to enforce user web policy compliance and restrict access to non-malicious sites. The BrightCloud Web Classification and Web Reputation services categorize the largest URL database of its kind, at a rate of 5,000 URLs per second, to help businesses enforce usage policies, preserve productivity, and protect themselves from legal liability.
- BrightCloud Real-Time Anti-Phishing Service
The internet is littered with phishing sites that are only live for a few minutes or days, meaning a static phishing list can’t hope to keep up. The BrightCloud Real-Time Anti-Phishing Service enables security vendors to leverage time-of-need site scans to prevent users from visiting sites that may try to steal sensitive credentials.
- BrightCloud Domain Safety Score (premium feature add-on)
Available to technology partners as a premium feature add-on to the BrightCloud Web Classification and Web Reputation services, the Domain Safety Score can help address the issues HTTPS protocols may present, where categorization at the domain level may not reflect the actual path-level content. Network devices that do not or cannot implement SSL/TLS decrypt functionality due to limited resources, cost, or capabilities will be enabled to make better security filtering decisions in situations with minimal page-level visibility. Using the Web Classification and Web Reputation Services, organizations can implement and enforce effective web policies that protect users against web threats and prohibited content, even when encrypted through HTTPS.
- BrightCloud Threat Insights (service-specific add-ons)
Threat Insights are available as an additional feature of BrightCloud Threat Intelligence services. They fall into three main categories: insights for the Web Classification and Web Reputation Services, IP Reputation Service, and Real-Time Anti-Phishing Service. In-depth Threat Insights specific to each service provide additional context on why an object received a particular risk/reputation score, allowing you to explore additional related objects for research, security decision-making, incident response and proactive blocking. Using our intuitive SDK or RESTful web service, technology partners can easily integrate Threat Insights into their own solutions.