Changes

* In the public forum, [[Steve DelBianco]] asked the Board if they would support updating contracts to enforce DNS abuse mitigation across the industry. [[Becky Burr]] said [[Contractual Compliance]] believes it has the right tools for right now.  

* In the public forum, [[Steve DelBianco]] asked the Board if they would support updating contracts to enforce DNS abuse mitigation across the industry. [[Becky Burr]] said [[Contractual Compliance]] believes it has the right tools for right now.  

* In the [[NCSG]] membership meeting, [[Theo Geurts]], of [[Realtime Register#RiskReact|RiskReact]], presented a demonstration of [[Realtime Register]]'s DNS abuse monitoring system<ref>[https://realtimeregister.com/blog/security-threat-monitoring-beta/ Security Threat Dashboard, Realtime Register Blog]</ref> and discussed the implications of a couple of significant findings:

* In the [[NCSG]] membership meeting, [[Theo Geurts]], of [[Realtime Register#RiskReact|RiskReact]], presented a demonstration of [[Realtime Register]]'s DNS abuse monitoring system<ref>[https://realtimeregister.com/blog/security-threat-monitoring-beta/ Security Threat Dashboard, Realtime Register Blog]</ref> and discussed the implications of a couple of significant findings:

# 82% of malicious activity is happening at the [[URL]] level, and thus, out of the technical and policy reach of ICANN's contracted parties. Abuse happening at this level falls under the remit of resellers and web hosters.  

*# 82% of malicious activity is happening at the [[URL]] level, and thus, out of the technical and policy reach of ICANN's contracted parties. Abuse happening at this level falls under the remit of resellers and web hosters.  

# [[Compromised Domain|Hacked websites]] are now overtaking [[Malicious Domain|maliciously registered domains]] in terms of DNS abuse, which limits access to investigative tools and necessary evidence to catch the perpetrators. Regulation flowing down the hierarchy cannot reach this type of activity because the hackers do not provide accurate email addresses, money trails, or registration data. At best, investigators may find something in the payload. In turn, phishing attacks can go unnoticed and unpunished.

*# [[Compromised Domain|Hacked websites]] are now overtaking [[Malicious Domain|maliciously registered domains]] in terms of DNS abuse, which limits access to investigative tools and necessary evidence to catch the perpetrators. Regulation flowing down the hierarchy cannot reach this type of activity because the hackers do not provide accurate email addresses, money trails, or registration data. At best, investigators may find something in the payload. In turn, phishing attacks can go unnoticed and unpunished.

** [[Samaneh Tajalizadehkhoob]] said ICANN's [[OCTO]] is wondering how to choose which [[RBL]] to use because the office is developing a methodology for selecting RBLs, and Theo responded: look at the metrics (where they get their data from, check for alignment with what you are looking for, a large number of hits).

** [[Samaneh Tajalizadehkhoob]] said ICANN's [[OCTO]] is wondering how to choose which [[RBL]] to use because the office is developing a methodology for selecting RBLs, and Theo responded: look at the metrics (where they get their data from, check for alignment with what you are looking for, a large number of hits).

** [[Stephanie Perrin]] explained that much of the activity is not DNS abuse and perhaps not even criminal; so, how do we regulate this realm? ''Theo explained that he only looks at RBLs that focus on DNS Abuse (and [[CSAM]], which is automatically taken down)''. Also, how do we regulate state-sponsored mischief?  

** [[Stephanie Perrin]] explained that much of the activity is not DNS abuse and perhaps not even criminal; so, how do we regulate this realm? ''Theo explained that he only looks at RBLs that focus on DNS Abuse (and [[CSAM]], which is automatically taken down)''. Also, how do we regulate state-sponsored mischief?