The antimalware industry depends on continual learning. Our reaction to new threats can be tragically delayed, allowing many users to fall victim before we come to the rescue. There is a clear need to adopt new approaches that allow us to be more proactive, while avoiding false positives and without compromising the trust in our products. But how can we stay one-step ahead of cybercriminals when our virus labs are already bearing the brunt of an overwhelming amount of samples?

The antimalware industry is categorically neglecting a key feature that could stem the tide in our current predicament: WHOIS data. The moment bad guys register new and malicious domains they leave behind this valuable fingerprint from which we can predict their movements. Knowing how to process a simple factoid like a domain name can be the key to cracking an entire malicious operation before it even starts.

This talk is based on a yearlong experiment conducted in one of the most attacked countries in the world. Brazilian cybercrime has a huge impact on the local economy, targeting e-commerce and banking operations alike, and producing tons of phishing and malware attacks on a daily basis. The results of the experiment were astounding. By borrowing tricks and techniques from Brand Monitoring coupled with free or adapted resources, we were able to block malicious content up to 30 days in advance of criminal deployment.

Smart, simple efforts can place us at an advantage once again. In this daily race against cybercrime, shoot first, ask later may be our best hope yet.