RS.MI-3 / DE.DP-4 NIST Cybersecurity Framework v1.1

Takedown workflow with registrar + hosting providers

Description

What this control does

This control establishes a documented and tested workflow for rapidly taking down malicious or fraudulent infrastructure that impersonates the organization, such as phishing sites, typosquatted domains, or rogue mobile apps. The workflow defines roles, contact lists for registrars and hosting providers, evidence collection procedures, and escalation paths to expedite removal. It reduces the window of exposure during which attackers can exploit the organization's brand to harm customers or steal credentials.

Control objective

What auditing this proves

Demonstrate that the organization maintains an operational, documented takedown process with registrar and hosting provider contacts that enables rapid removal of malicious infrastructure impersonating the organization.

Associated risks

Risks this control addresses

  • Phishing domains impersonating the organization remain active for extended periods, enabling credential harvesting and account compromise
  • Brand impersonation sites defraud customers and damage organizational reputation while takedown requests languish without a defined process
  • Lack of pre-established registrar and hosting contacts results in delays locating appropriate abuse channels during active incidents
  • Insufficient evidence collection during takedown requests leads to rejection by providers and prolonged attacker presence
  • Absence of legal or executive escalation paths prevents takedown of infrastructure hosted by non-compliant or unresponsive providers
  • Untested workflows fail during real incidents due to outdated contacts, missing credentials, or unclear role assignments

Testing procedure

How an auditor verifies this control

  1. Obtain and review the current takedown workflow documentation including process flowcharts, runbooks, and role assignments
  2. Verify the existence and currency of a registrar and hosting provider contact database including abuse contacts, portal credentials, and escalation procedures for at least the top 10 providers by market share
  3. Select a sample of three takedown incidents from the past 12 months and trace each through the workflow to confirm documented steps were followed
  4. Review evidence collection procedures and confirm they include screenshots, WHOIS records, SSL certificate data, page source, and HTTP headers as specified by provider abuse policies
  5. Interview personnel assigned to takedown roles to confirm they understand their responsibilities and have access to necessary tools and credentials
  6. Examine records of workflow testing or tabletop exercises conducted within the past 12 months to validate operational readiness
  7. Review metrics tracking for takedown requests including time-to-submission, time-to-takedown, and success rates by provider and request type
  8. Verify escalation procedures include legal counsel notification thresholds and executive sponsor involvement for high-impact or non-responsive cases

Evidence required

Collect the takedown workflow documentation with version history and approval signatures, the current registrar and hosting provider contact database with last-verified dates, and case records from sampled incidents showing timestamps, evidence packages submitted, provider responses, and resolution outcomes. Obtain training or exercise records demonstrating workflow validation, and dashboards or reports showing takedown performance metrics across the measurement period.

Pass criteria

The control passes if documented takedown workflows exist with current registrar and hosting contacts, evidence from sampled incidents demonstrates the workflow was followed with successful takedowns, and testing or exercises within the past 12 months validate operational readiness.
