Cybersecurity Spotlight – Top-Level Domains (TLD)
What it is:
A top-level domain (TLD), or domain suffix, represents the right-most segment of a domain address, specifically the letters immediately following the last "dot" in the domain (e.g., ".org" is the TLD in www.cisecurity.org). Domain suffixes often identify a domain's ownership, purpose, geographical area, or group affiliation. Depending on the TLD, the ability to register a domain may be open to the public or restricted to authorized registrants. The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for maintaining a list of all active TLDs, as well as managing domains and IP addresses across the internet. The ICANN recognizes three main domain suffix categories.
- Generic Top-Level Domains (gTLD) - mostly unrestricted and open to anyone (e.g., ".com" and ".net"). New gTLDs can include almost any combination or format, as long as it doesn't conflict with one of the restricted TLD categories. This category includes two restricted subsets.
- Sponsored Top-Level Domains (sTLD) - restricted to specific communities (e.g., ".gov" for U.S. governments and ".mil" for the U.S. military).
- Generic Restricted Top-Level Domains (grTLD) - restricted to specific registrants (e.g., ".biz" is restricted for business and ".name" is reserved for individuals).
- Country-code Top-Level Domains (ccTLD) - two letters to identify a specific country or territory (e.g., ".us" for United States and ".cn" for China).
- Infrastructure Top-Level Domain - a single TLD, ".arpa," solely for the Internet Engineering Task Force (IETF). It stands for the Address and Routing Parameter Area, which is used exclusively for technical infrastructure activities.
Aside from these three main categories, ICANN also maintains special-use TLDs. These include ".example" for use in written documentation, ".invalid" and ".test" for use in testing, ".local" for private networks, ".localhost" for the user's system, and ".onion" for connecting to The Onion Router (TOR) network. These domain suffixes are all inactivated on the public internet.
Why does it matter:
TLDs are important to understand both from a cybersecurity perspective and to know how constituents will engage with and access your web presence. Certain TLDs, namely ".mil," ".gov," and ".org," are more reputable and have an inherently higher level of trust associated with them. One way election offices can ensure they are taking steps to ensure trust in their website is to register a ".gov" domain. The ".gov" domain suffix is restricted to verified U.S. government entities, which helps ensure legitimacy for visitors browsing U.S. government websites. Additionally, “.gov” domain owners are required to maintain a higher level of security and the federal government has implemented several cybersecurity controls in the underlying infrastructure, as compared to gTLDs, such as ".com" or ".net."
Acquiring a ".gov" TLD and training constituents to expect to see a “.gov” on official websites can help combat potential cyber-attacks and misinformation. Due to the restrictions for registration, “.gov” domains cannot be typosquatted within the same TLD, leaving illegitimate website replicas to use a gTLD, such as ".com." Additionally, as many users seek to access election office websites to obtain accurate information, ".gov" registrants can advise constituents that any website resembling their domain that does not end in ".gov" is illegitimate.
From a cybersecurity perspective, election officials should be aware of tactics used by cyber threat actors (CTAs) to exploit user familiarity with common TLDs when accessing links in emails and elsewhere. CTAs often attempt to spoof or typosquat trusted domains to socially engineer victims into interacting with a fraudulent website to steal sensitive information or infect victims with malware. These typosquatted or spoofed domains seek to exploit user oversight through deliberately creating misleading domains wherein the true TLD is hard to identify at first glance. For example, malicious actors may spoof “www.cisecurity.org” into “www.cisecuritу.org-user-login[.]ru/resources/user-login/” to trick victims into visiting a malicious site. In this example, the user may see “cisecurity.org” and consider it legitimate, but the letters immediately following the last “dot” are “ru,” which is the actual TLD and end of the domain name.
CTAs may also try to establish legitimacy by registering domains with country-specific TLDs, such as ".us" when not actually residing within the designated country. As a result, ccTLDs are not a reliable indicator of country of origin. Using these tactics, techniques, and procedures in combination, CTAs increase the likelihood of successfully carrying out a successful attack.
What you can do:
Election officials should assess their current web presence to identify their TLD and determine what may be appropriate for their organization. The EI-ISAC and CISA strongly encourage transitioning to the government restricted ".gov" sTLD. For more information on how to register a ".gov" domain please consult the CISA fact sheet “Leveraging the .gov” or visitDotGov.gov.
In addition, election offices should register or purchase common gTLD variations of their domain to help prevent CTAs from typosquatting a fraudulent replica of the election office domain under a different, but common domain suffix (e.g., ".com" or ".net").
Lastly, election office staff should make it a practice to closely examine domains before clicking a link, as the subtle changes in malicious domains are most often only noticeable upon close inspection. As a general rule, users should navigate to the link by searching for it, instead of following a link or typing the link directly into the address bar.
For information on commonly abused TLDs, please see SpamHaus' list of the Top 10 Most Abused Top Level Domains.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org.