April 22, 2019 / by Nishita Sangani / In siem, guides

Validating Suspicious Domains Using DomainTools

DomainTools is a company based in Seattle, Washington that helps enterprises turn threat data into threat intelligence. Their solutions include interactive research products, proactive alerting technologies, a predictive domain risk score analytic, enterprise-grade APIs and proven integrations with SIEM and SOAR products like DNIF. All of this is powered by the largest domain name and DNS dataset available anywhere.

Investigations need drill-down: a flagged domain only becomes actionable once you know how old it is, who registered it and what other infrastructure it shares. Integrating DomainTools threat intelligence with the DNIF analytics engine adds that context to the events already in your SIEM. DomainTools' large and heterogeneous dataset is assembled from OSINT (open-source intelligence) sources and historical WHOIS and DNS records and is queried through the DNIF lookups shown below, returning actionable intelligence, risk scores and forensic maps that let you stop a suspicious domain before it disrupts the business.

In September 2015, DomainTools introduced Iris, a flagship offering that combines enterprise-grade domain and DNS-based intelligence with an intuitive web interface, helping security teams quickly and efficiently investigate and prevent cyber threats. The Iris Enrich API enables large-scale enrichment of domain names present in a network environment, typically found in web proxy logs and DNS data. The Iris Enrich API can enrich 600 domains per minute with attributes including proximity- and threat profile-based domain risk scores, WHOIS, IP, active DNS, website and SSL data. The DomainTools risk score is built on proprietary machine learning classifiers and is informed by their comprehensive domain name dataset. By enriching all outbound connections to domains with the Iris dataset, you can facilitate threat hunting and actively seek out traffic from domains on your network which you previously didn’t recognize as suspicious. This also helps you to tie alerts together to guide you in creating the right incident response plan, and to create more precisely targeted alerts that don’t waste your analysts’ time.

So, let’s get started!

Identify Flagged Domains

_fetch * from event where $Intel=True AND $ViolationField=DOMAIN AND $Duration=1d group count_unique $Domain limit 100

Here, we fetch events that meet three conditions:

  • $Intel=True selects events that were tagged by one of our threat intel enrichment plugins.
  • $ViolationField=DOMAIN selects events where the domain is the component that matched the intel, rather than another field such as an IP.
  • $Duration=1d restricts the search to the last day.

The query then groups the matching events by $Domain with a unique count for each and caps the output at 100 rows, so we get a short list of candidate domains to investigate rather than every raw event.

(Screenshot: malicious domains flagged by threat intel feeds)

Gather Domain Details

_fetch * from domains limit 1
>>_lookup domaintools get_parsed_whois $Domain
>>_checkif int_compare $DTResponseCode = 404 exclude
>>_field $CurrentDate time_delta @now + 0d
>>_field $DomainAge diff_day $CurrentDate, $DTCreatedDate

This query pulls the WHOIS record for each domain and derives its age. Domain age is a cheap, high-value signal: phishing and command-and-control domains are frequently registered only days before they are used, so a young domain that hosts on your network are talking to deserves a closer look.

  • get_parsed_whois returns the fields parsed from the most recent raw WHOIS record for the domain, including its creation date ($DTCreatedDate) and the lookup's response code ($DTResponseCode).
  • A $DTResponseCode of 404 means DomainTools has no WHOIS record for that domain. Those rows carry no creation date, so we drop them with _checkif rather than let a null date produce a meaningless age.
  • The first _field sets $CurrentDate to the current time (time_delta @now + 0d); the second uses diff_day to store the number of days between $CurrentDate and $DTCreatedDate in $DomainAge, which appears as a new column in the results.

(Screenshot: WHOIS record information for malicious domains)

Check the risk score for domains

_fetch * from domains limit 100
>>_lookup domaintools get_domain_riskscore $Domain

Next we check the DomainTools risk score for each domain with the get_domain_riskscore function. It returns a score from 0 to 100 plus threat predictions, computed by two algorithms: proximity, which measures how close the domain sits to known malicious infrastructure (for example shared hosting or name servers), and threat profile, which measures how closely the domain's own characteristics resemble known phishing, malware and spam domains. The higher the score, the more the domain looks like something you should block.

(Screenshot: DomainTools risk score for the domain)

Evidence associated with the risk score

_fetch * from domains limit 100
>>_lookup domaintools get_domain_riskscore_evidence $Domain

A score alone tells you how suspicious a domain is, not why. The get_domain_riskscore_evidence function returns the same risk score and threat predictions together with the evidence behind the categorization, that is, which proximity and threat-profile indicators contributed. This is what you want for an in-depth investigation, and for deciding whether a high score is a true positive or a shared-hosting neighbour of a bad domain that happens to score highly.

(Screenshot: evidence for the corresponding risk score)
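The two steps above, excluding 404 lookups and computing domain age, then reading the risk score with its evidence, are easiest to reason about as one pipeline. The following Python is an added example written for this post, not DNIF or DomainTools code: the lookup responses are constructed stand-ins (only the field names $DTResponseCode and $DTCreatedDate come from the queries above; the risk_score/evidence shape, the domain names, the 30-day age cut-off and the risk threshold of 70 are assumptions for the example), and it generalises the page's queries by flagging a domain on either criterion and ranking the hits for an analyst.

```python
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List

# Reference date for the constructed data: the day this post was published.
TODAY = date(2019, 4, 22)

# Constructed stand-ins for the two DNIF lookups (hypothetical data, not real
# DomainTools responses). The keys DTResponseCode and DTCreatedDate mirror the
# field names used in the queries above; everything else is an assumption made
# for this example, not the DomainTools API schema.
WHOIS_LOOKUP: Dict[str, dict] = {
    "example-legit.com":    {"DTResponseCode": 200, "DTCreatedDate": "2009-03-14"},
    "fresh-login-page.xyz": {"DTResponseCode": 200, "DTCreatedDate": "2019-04-15"},
    "no-record.test":       {"DTResponseCode": 404, "DTCreatedDate": None},
    "cdn-update.info":      {"DTResponseCode": 200, "DTCreatedDate": "2019-04-01"},
}
RISK_LOOKUP: Dict[str, dict] = {
    "example-legit.com":    {"risk_score": 8,  "evidence": []},
    "fresh-login-page.xyz": {"risk_score": 97, "evidence": ["threat_profile: phishing",
                                                             "proximity: shares IP with known-bad domains"]},
    "cdn-update.info":      {"risk_score": 61, "evidence": ["proximity: name server neighbourhood"]},
}


@dataclass
class Enriched:
    domain: str
    age_days: int
    risk_score: int
    evidence: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)   # why an analyst should look


def domain_age(created: str, today: date = TODAY) -> int:
    """Equivalent of diff_day $CurrentDate, $DTCreatedDate: whole days since creation."""
    return (today - datetime.strptime(created, "%Y-%m-%d").date()).days


def enrich(domains, today: date = TODAY, young_days: int = 30,
           risk_threshold: int = 70) -> List[Enriched]:
    """Run the WHOIS and risk-score lookups over a list of flagged domains."""
    out = []
    for d in domains:
        whois = WHOIS_LOOKUP.get(d, {"DTResponseCode": 404, "DTCreatedDate": None})
        # _checkif int_compare $DTResponseCode = 404 exclude: no WHOIS record means
        # no creation date, so drop the row instead of computing a bogus age.
        if whois["DTResponseCode"] == 404:
            continue
        age = domain_age(whois["DTCreatedDate"], today)
        risk = RISK_LOOKUP.get(d, {"risk_score": 0, "evidence": []})
        reasons = []
        if age < young_days:
            reasons.append(f"domain registered {age} days ago")
        if risk["risk_score"] >= risk_threshold:
            reasons.append(f"risk score {risk['risk_score']} >= {risk_threshold}")
        out.append(Enriched(d, age, risk["risk_score"], list(risk["evidence"]), reasons))
    return out


def triage(domains, **kwargs) -> List[Enriched]:
    """Keep only domains with at least one reason, highest risk and youngest first."""
    hits = [e for e in enrich(domains, **kwargs) if e.reasons]
    return sorted(hits, key=lambda e: (-e.risk_score, e.age_days))


if __name__ == "__main__":
    flagged = list(WHOIS_LOOKUP)            # what the first query would have returned
    for e in triage(flagged):
        print(f"{e.domain:22} age={e.age_days:4}d risk={e.risk_score:3}  "
              f"{'; '.join(e.reasons)}  evidence={e.evidence}")
```

The thresholds are deliberately parameters: a 30-day age cut-off is a sensible starting point, but tune it against your own proxy logs so that legitimate new SaaS domains do not swamp the queue, and always read the evidence before blocking a domain that scored high on proximity alone.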

Custom Enrichment

The Iris Enrich API is designed to support enrichment of every domain name observed on a company's network, typically sourced from web proxy or DNS logs and surfaced in a SIEM or custom-built analytics platform. With the enrichment data flowing into DNIF, nearly every attribute DomainTools holds for a domain can be retrieved with a single short query:

_fetch * from event where $Enrich=True limit 1
(Screenshot: custom enrichment in the SIEM)
(Screenshot: custom enrichment via DNS or proxy logs)

As these screenshots show, the DomainTools Iris Enrich API provides a comprehensive report on a given domain. For more information, or for a demo of the joint DomainTools and DNIF solution, leave a comment below or check out the DomainTools GitHub repository and video:

Thank you, and happy DNIFing!