
Stakeholders

Many organizations may act in different stakeholder roles at different times. At small and midsize organizations, the same individual may act in different roles at different times. However, these stakeholders have distinct capabilities, so we list them separately. Even if one organization has different teams that act in different stakeholder roles, it may be helpful to contact the specific team that performs the relevant stakeholder capability.

It is important for incident responders to be mindful that not every stakeholder will have their best interests at heart. Contacted stakeholders may be distracted, immature, or at worst intentionally operating infrastructure to support abuse. Organizations doing the latter will be unreceptive at best and deceptive at worst. If you are unsure about whether to proceed with contacting a stakeholder, check with your peers.


Registrars

An organization that allows registration of domains under a TLD.

https://www.icann.org/en/icann-acronyms-and-terms/registrar-en


Registries

Organizations responsible for maintaining the database of domains for a TLD.

https://www.icann.org/en/icann-acronyms-and-terms/registry-en


Authoritative Operators

https://www.icann.org/en/icann-acronyms-and-terms/authoritative-name-server-en


Domain name resellers

https://www.icann.org/resources/pages/reseller-2013-05-03-en


Recursive Operators

Organizations operating either a private or public recursive resolver.


Network Operators

Organizations operating an autonomous system (AS). We assume an organization with this capability is not running a recursive DNS server. This column means netflow and BGP data, and excludes (as a choice made for clarity here) passive DNS.


Application Service Provider

Software as a Service provider (like Google Docs), see https://www.iso.org/obp/ui/#iso:std:iso-iec:17788:ed-1:v1:en for SaaS definition.


Hosting Provider

https://en.wikipedia.org/wiki/Web_hosting_service. If the hosting provider is a bulletproof hosting provider or otherwise complicit in providing attack infrastructure, then at best there is no good that will come from contacting them and at worst it will expose the team to reprisals.


Threat Intelligence Provider

Threat intelligence providers aggregate, transform, analyze, interpret, or enrich intelligence to provide the necessary context for decision-making processes. CTI is considered as sharing and analysis only.


CSIRTs / ISACs

Computer Security Incident Response Teams / Information Sharing and Analysis Centers. This column models exclusively the capability of the team or center. Each CSIRT and ISAC is also an end user of services, a registrant, may be a threat intel provider, etc. When the CSIRT or ISAC (organization) is performing one of those stakeholder capabilities, use those columns.


Device, OS, & Application Software Developers

Software developers who write or develop DNS resolver software, or who are responsible for updating an imported DNS resolver version in their software project.


Domain Registrants

“an individual or entity who registers a domain name” https://www.icann.org/en/icann-acronyms-and-terms/registrant-en. In the case of the malicious registration rows, this stakeholder is modeled as the actual human who made the malicious registration.


End User

Everyone who uses the Internet (who is not performing one of the other stakeholder capabilities listed).


Law Enforcement and Public Safety Authorities

Government organizations with authority to enforce laws or act in the public interest. Such organizations typically become aware of an issue because of:

  1. Ongoing investigation in which LE technique gives unique insight.
  2. Victim complaints provide information indicating the abuse, often relying upon collaboration with technical SMEs to help the organization understand the evidence.


Incident responder

The Computer Security Incident Response Team that is internal to the impacted organization.