Using DNS Data for Cyber Intelligence

“On the internet, nobody knows you’re a dog”

—Peter Steiner, The New Yorker, 1993

This witty cartoon foreshadowed the current cyber threat landscape. Although the joke was about an individual's identity, i.e., physical presence, "identity" today means more than, "Are you Katie Teitler, and can you verify it?" Today, "identity" encompasses a holistic view of a person's, company's, or system's use of digital resources. In other words, insofar as my digital identity is concerned, I am not just Katie Teitler as per my birth certificate; I am Katie Teitler, who works out of an office at a specific geographic location, using a certain internet service provider that assigns me an IP address of XX.XXX.XX.XXX. The resources I use daily include [X] applications and/or websites, and I access these resources via 3 different devices regularly. Lately, other factors like behavior and biometrics have started to bleed into an individual's identity, too.

Yet, when we say "identity" in a cyber security context, fewer people think of IP addresses and domain names as part of identity. Why? Because these things are easy for an attacker to change or spoof. Because they're tied to old models of networking. Because, perhaps, "identity" is now a much larger conversation than, "Who are you, and can you verify it by providing the right credentials or exhibiting certain behavior?" But precisely because domains and IP addresses are easy for cyber criminals to abuse or hijack, identifying and stopping malicious activity involving them remains important. Though it might be tempting to ignore domains and IP addresses because they're as easy to change as hair color, organizations in highly targeted industries (e.g., government and defense) that have sufficient resources should consider how tracking and mapping domain data can improve their cyber posture.

Earlier this week, a team at DomainTools shared details of the company's PhishEye and Iris platforms. Both technologies focus on network connections, identifying and mapping customers' external exposures through domains and IP addresses, as a form of threat intelligence. DomainTools is more accurately classified as domain and DNS intelligence, which is no less important (though probably less buzzword-worthy).

It’s all about the data

The key to DomainTools' efficacy is a massive central repository of domain and DNS data. The company leverages nearly two decades of data to examine the behavioral characteristics of domains, predict how likely a domain is to be used for phishing, malware, or spam, and measure a domain's proximity to known maliciousness (blacklists). Through a simple user interface, security operations, incident response, and forensics teams can view their company's Domain Profile and use Guided Pivots to fingerprint threat actors: whether an attacker is squatting on a domain, whether new domains with similar names have been registered (e.g., benjerry.com/icecream vs. benjerry.com/flavors, the latter of which is legit, btw), whether a domain has been blacklisted previously, etc.

The idea behind DomainTools' products, said Sr. Security Advisor Corin Imai, is an open and safe internet for everyone. As she pointed out, though, "an open internet means attackers can abuse available data. Nearly two decades ago when DomainTools was founded, we started by collecting data for things like lookups of assets. Nearly eight years ago, we made a strategic pivot into security—to help customers map the connected infrastructure of threats."

PhishEye is the company's typosquatting and variant-domain tool. It looks across existing and newly registered domains, as well as associated variants (see the Ben and Jerry's example above), and determines a Proximity Risk Score. In the case of Ben and Jerry's, the illegitimate domain returns a 404 error. However, threat actors commonly use lookalike domains to trick website visitors into filling out forms, clicking on malicious links, or downloading infected apps. In one recent case, researchers at DomainTools identified a malicious domain capitalizing on current COVID-19 fears. The newly registered domain claimed to provide a heatmap of Coronavirus outbreaks. When an individual landed on the site, they were prompted to download the tracker as an app. The app, of course, was malicious, serving up ransomware instead.
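To make the "associated variants" idea concrete, here is an added example (written for this article, not DomainTools code, and saying nothing about how PhishEye computes its Proximity Risk Score) that generates the common typosquat permutations of a brand label and classifies a constructed feed of newly registered domains against them. The brand label `benjerry`, the trusted-TLD set, the homoglyph table, the affix word list and the feed entries are all assumptions made up for the demonstration.

```python
"""Typosquat variant generation and feed matching (added example; constructed data)."""
import string

BRAND = "benjerry"        # constructed: registrable label of the brand being protected
TRUSTED_TLDS = {"com"}    # constructed: TLDs the brand legitimately registers under

# Lookalike substitutions frequently seen in squatted labels (constructed table).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "rn": "m", "m": "rn"}
# Words attackers bolt onto a brand to build credential-phishing hosts (constructed list).
AFFIXES = ("login", "secure", "support", "account", "update")


def typosquat_variants(label):
    """Return lookalike labels for `label`, grouped by the squatting technique that produces them."""
    v = {t: set() for t in ("omission", "repetition", "transposition",
                            "hyphenation", "insertion", "homoglyph", "affix")}
    n = len(label)
    for i in range(n):
        v["omission"].add(label[:i] + label[i + 1:])                      # benjery
        v["repetition"].add(label[:i] + label[i] * 2 + label[i + 1:])      # bennjerry
        if i < n - 1:
            v["transposition"].add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # bejnerry
            v["hyphenation"].add(label[:i + 1] + "-" + label[i + 1:])     # ben-jerry
    for i in range(n + 1):
        for c in string.ascii_lowercase + string.digits:
            v["insertion"].add(label[:i] + c + label[i:])                  # benjerrys
    for src, dst in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            v["homoglyph"].add(label[:start] + dst + label[start + len(src):])  # b3njerry
            start = label.find(src, start + 1)
    for word in AFFIXES:
        v["affix"].update({f"{label}{word}", f"{label}-{word}", f"{word}{label}", f"{word}-{label}"})
    for s in v.values():
        s.discard(label)      # a transposition of identical neighbours reproduces the label itself
    return v


def classify(domain, label=BRAND, variants=None):
    """Return (technique, matched_label) if `domain` looks like a squat of `label`, else None.

    The registrable label is taken naively as the second-to-last DNS label; a real tool
    must use the Public Suffix List so that e.g. brand.co.uk is split correctly.
    """
    if variants is None:
        variants = typosquat_variants(label)
    host = domain.lower().rstrip(".")
    parts = host.split(".")
    if len(parts) < 2:
        return None
    sld, tld = parts[-2], parts[-1]
    if sld == label:
        # Exact label under a TLD the brand does not own: a cheap impersonation.
        return None if tld in TRUSTED_TLDS else ("tld-swap", sld)
    if label in parts[:-2]:
        # Brand used as a subdomain of someone else's registrable domain.
        return ("subdomain", host)
    for technique, names in variants.items():      # dict order decides which technique is reported
        if sld in names:
            return (technique, sld)
    return None


def scan_feed(feed, label=BRAND):
    """Classify every domain in a registration feed; returns [(domain, technique), ...] for hits."""
    variants = typosquat_variants(label)          # generate once, not per domain
    hits = []
    for d in feed:
        result = classify(d, label, variants)
        if result:
            hits.append((d, result[0]))
    return hits


# Constructed stand-in for a day's newly registered domains.
NEW_REGISTRATIONS = [
    "benjerry.com",                # the brand's own domain: not a hit
    "benjery.com",                 # omission
    "bejnerry.com",                # transposition
    "ben-jerry.com",               # hyphenation
    "benjerrys.com",               # insertion
    "b3njerry.com",                # homoglyph
    "benjerry-login.net",          # affix, the classic credential-phishing pattern
    "benjerry.xyz",                # same label, untrusted TLD
    "benjerry.com.evil.example",   # brand as a subdomain label
    "example.com",                 # unrelated
]

if __name__ == "__main__":
    for domain, technique in scan_feed(NEW_REGISTRATIONS):
        print(f"{domain:30} {technique}")
```

The technique name is only a label for triage; whether a hit matters still depends on what the domain resolves to and who registered it, which is the kind of context the pivoting described next is meant to supply. Note also that a label can belong to several variant sets (for example `benjerryy` is both a repetition and an insertion), and the first matching set in dictionary order wins.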

DomainTools' flagship product, Iris, is an investigation platform that gives SOC analysts and investigators better visibility into IoCs, whether they're active, retired, or associated (but not necessarily registered by the organization), and lets them monitor IP addresses, registrants, SSL/TLS certificates, and name servers. Iris integrates with customers' deployments of SIEM, SOAR, and threat intelligence platforms; includes workflow management; and applies a Domain Risk Score to each identified domain. Iris allows customers to see where attackers may be redirecting resources or users to malicious command and control, or where the company's brand may be at risk from an impersonation attack.
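The "map the connected infrastructure" step behind Guided Pivots (L15) and Iris's IoC expansion is essentially a graph walk over shared attributes, with one guard that matters in practice: an attribute shared by thousands of domains (a registrar's default name server, a CDN IP) is not a pivot, it is noise. The following added example, written for this article and not Iris code, shows that walk over a small set of constructed WHOIS/DNS records; the domain names (under the reserved `.example` TLD), the RFC 5737 documentation IPs, the registrant emails and the `max_shared` threshold are all made up for the demonstration.

```python
"""Connected-infrastructure pivoting over constructed records (added example)."""
from collections import deque

# Constructed records: per domain, the attributes an investigator pivots on.
RECORDS = {
    "covid-tracker-map.example":   {"ip": "203.0.113.10", "ns": "ns1.bulkhost.example", "email": "ops@throwaway.example"},
    "corona-heatmap.example":      {"ip": "203.0.113.10", "ns": "ns1.bulkhost.example", "email": "ops@throwaway.example"},
    "virus-stats-live.example":    {"ip": "203.0.113.11", "ns": "ns1.bulkhost.example", "email": "ops@throwaway.example"},
    "secure-update-login.example": {"ip": "203.0.113.11", "ns": "ns2.other.example",    "email": "billing@other.example"},
    "shop-deals.example":          {"ip": "198.51.100.7", "ns": "ns1.bulkhost.example", "email": "admin@shop-deals.example"},
    "news-daily.example":          {"ip": "198.51.100.8", "ns": "ns1.bulkhost.example", "email": "editor@news-daily.example"},
    "benign-blog.example":         {"ip": "192.0.2.5",    "ns": "ns1.bulkhost.example", "email": "me@benign-blog.example"},
}


def build_index(records):
    """Invert the records: (attribute, value) -> set of domains carrying that value."""
    index = {}
    for domain, attrs in records.items():
        for key, value in attrs.items():
            index.setdefault((key, value), set()).add(domain)
    return index


def guided_pivots(domain, records=RECORDS, max_shared=3):
    """List the attributes of `domain` worth pivoting on, with how many domains share each.

    Values shared by more than `max_shared` domains are dropped as non-discriminating;
    values shared by nobody else are dropped because there is nothing to pivot to.
    """
    index = build_index(records)
    return {(k, v): len(index[(k, v)])
            for k, v in records[domain].items()
            if 1 < len(index[(k, v)]) <= max_shared}


def pivot(seed, records=RECORDS, max_shared=3):
    """Breadth-first expansion from `seed` across discriminating shared attributes.

    Returns {domain: (attribute, value, reached_from)} with None for the seed, so each
    discovered domain carries the evidence chain that linked it back to the IoC.
    """
    index = build_index(records)
    found = {seed: None}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for key, value in records[current].items():
            neighbours = index[(key, value)]
            if len(neighbours) > max_shared:
                continue   # e.g. a bulk host's name server: shared by everyone, tells us nothing
            for d in neighbours:
                if d not in found:
                    found[d] = (key, value, current)
                    queue.append(d)
    return found


if __name__ == "__main__":
    for domain, via in pivot("covid-tracker-map.example").items():
        print(domain, "<-", via)
```

With the threshold at 3, the walk from the constructed COVID-themed seed reaches the two sibling domains through the shared registrant email and IP, then hops to a fourth domain that only shares an IP with one of those siblings; the three unrelated domains stay out because the only thing they share is the bulk host's name server. Raise `max_shared` to 10 and that name server connects all seven, which is exactly the false-positive explosion an analyst has to avoid when pivoting on infrastructure.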

Enterprise-ready investigative capabilities

For large enterprises and government agencies that are highly susceptible to targeted and/or nation-state attacks, and which have the staff to manage tools that look at domain-based risk, DomainTools can be an invaluable resource. Mapping connected infrastructure is a layer of security that would be valuable to any company. The reality, though, is that smaller organizations likely won't be able to take advantage of this level of scrutiny (which is why identity-focused tools such as endpoint security and UEBA have become so popular). That said, companies with hunt capabilities or internal investigative teams can connect the dots of cyber fingerprinting using DomainTools. During the demo, Ed and I saw how easy both PhishEye and Iris are to use, and the information provided can help users quickly turn network information into the rich context needed for response.