Validating Suspicious Domains Using DomainTools
DomainTools is a company based in Seattle, Washington that helps enterprises turn threat data into threat intelligence. Their solutions include interactive research products, proactive alerting technologies, a predictive domain risk score analytic, enterprise-grade APIs and proven integrations with SIEM and SOAR products like DNIF. All of this is powered by the largest domain name and DNS dataset available anywhere.
Investigations require drill-downs to achieve meaningful results; these, in turn, lead to a more secure organization. When you integrate DomainTools threat intelligence with the DNIF analytics engine, you improve visibility while adding context to your data. DomainTools’ large and heterogeneous collection of data is drawn from OSINT (open-source intelligence) and historical records. This data is dumped into a central database. DomainTools stops security threats from disrupting organizational flows while delivering actionable intelligence, risk scores and forensic maps.
In September 2015, DomainTools introduced Iris, a flagship offering that combines enterprise-grade domain and DNS-based intelligence with an intuitive web interface, helping security teams quickly and efficiently investigate and prevent cyber threats. The Iris Enrich API enables large-scale enrichment of domain names present in a network environment, typically found in web proxy logs and DNS data. The Iris Enrich API can enrich 600 domains per minute with attributes including proximity- and threat profile-based domain risk scores, WHOIS, IP, active DNS, website and SSL data. The DomainTools risk score is built on proprietary machine learning classifiers and is informed by their comprehensive domain name dataset. By enriching all outbound connections to domains with the Iris dataset, you can facilitate threat hunting and actively seek out traffic from domains on your network which you previously didn’t recognize as suspicious. This also helps you to tie alerts together to guide you in creating the right incident response plan, and to create more precisely targeted alerts that don’t waste your analysts’ time.
So, let’s get started!
Identify Flagged Domains
_fetch * from event where $Intel=True AND $ViolationField=DOMAIN AND $Duration=1d group count_unique $Domain limit 100
Here, we fetch data based on two conditions:
$Intel=True specifies that we want intel data from our enrichment plugins.
$ViolationField=DOMAIN specifies that we want events where the domain is the suspicious component.
Gather Domain Details
_fetch * from domains limit 1 >>_lookup domaintools get_parsed_whois $Domain >>_checkif int_compare $DTResponseCode = 404 exclude >>_field $CurrentDate time_delta @now + 0d >>_field $DomainAge diff_day $CurrentDate, $DTCreatedDate
Next, we calculate domain ages. Calculating domain ages helps us recognize young domains in the network.
- The function we are using here is get_parsed_whois, which returns parsed information extracted from the most recent raw WHOIS record.
- The response code 404 means the WHOIS record for a particular domain or IP is not available. We exclude those records using _checkif int_compare $DTResponseCode = 404 exclude.
- We use _field to calculate the age of a domain from its creation date and the current date. The $DomainAge field appears in the results.
Check the risk score for domains
_fetch * from domains limit 100 >>_lookup domaintools get_domain_riskscore $Domain
We want to check the risk score for a domain. We will use the get_domain_riskscore function, which returns risk scores and threat predictions based on DomainTools’ proximity and threat profile algorithms.
Evidence associated with the risk score
_fetch * from domains limit 100 >>_lookup domaintools get_domain_riskscore_evidence $Domain
We want to check the evidence used to calculate the risk score for a domain. The get_domain_riskscore_evidence function returns risk scores and threat predictions based on DomainTools’ proximity and threat profile algorithms, as well as the evidence behind the resulting categorization.
This is useful for in-depth domain investigations.
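The three lookups above (parsed WHOIS with the 404 exclusion, domain age, risk score with evidence) form one triage pipeline. The following Python is an added example, not DNIF or DomainTools code: it reproduces that pipeline over a constructed record set whose field names mirror the DNIF variables used in the queries ($Domain, $DTResponseCode, $DTCreatedDate), while the values, risk scores, evidence strings and the "young domain" and "high risk" thresholds are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample of enriched domain records. Field names mirror the DNIF
# variables from the queries above; every value is made up for this example
# and is not real DomainTools output.
SAMPLE_RECORDS = [
    {"Domain": "example-fresh.test", "DTResponseCode": 200,
     "DTCreatedDate": "2024-05-20", "RiskScore": 92,
     "Evidence": ["registrar", "name server"]},
    {"Domain": "example-old.test", "DTResponseCode": 200,
     "DTCreatedDate": "2009-03-11", "RiskScore": 8,
     "Evidence": []},
    {"Domain": "example-missing.test", "DTResponseCode": 404,
     "DTCreatedDate": None, "RiskScore": 55,
     "Evidence": ["blocklist"]},
    {"Domain": "example-young-lowrisk.test", "DTResponseCode": 200,
     "DTCreatedDate": "2024-06-01", "RiskScore": 20,
     "Evidence": []},
]

# Assumed thresholds for this example, not DomainTools recommendations.
YOUNG_DOMAIN_DAYS = 30
HIGH_RISK_SCORE = 70


def _parse(iso_date: str):
    return datetime.strptime(iso_date, "%Y-%m-%d").date()


def domain_age_days(created: str, today: str) -> int:
    """Equivalent of `_field $DomainAge diff_day $CurrentDate, $DTCreatedDate`."""
    return (_parse(today) - _parse(created)).days


def has_whois(record: dict) -> bool:
    """Equivalent of `_checkif int_compare $DTResponseCode = 404 exclude`:
    a 404 means no WHOIS record exists, so there is no creation date to use."""
    return record["DTResponseCode"] != 404


def triage(records, today: str):
    """Return rows for domains that have a WHOIS record, highest risk first.
    Each row carries the computed age, the risk score, the evidence list and
    the reasons (if any) an analyst should look at the domain."""
    rows = []
    for rec in records:
        if not has_whois(rec):
            continue  # mirrors the DNIF exclude step
        age = domain_age_days(rec["DTCreatedDate"], today)
        flags = []
        if age < YOUNG_DOMAIN_DAYS:
            flags.append("young-domain")
        if rec["RiskScore"] >= HIGH_RISK_SCORE:
            flags.append("high-risk")
        rows.append({
            "Domain": rec["Domain"],
            "DomainAge": age,
            "RiskScore": rec["RiskScore"],
            "Evidence": rec["Evidence"],
            "Flags": flags,
        })
    rows.sort(key=lambda r: r["RiskScore"], reverse=True)
    return rows


def excluded_domains(records):
    """Domains dropped by the 404 check, kept so the exclusion is auditable."""
    return [r["Domain"] for r in records if not has_whois(r)]


if __name__ == "__main__":
    TODAY = "2024-06-15"  # fixed date so the output is reproducible
    for row in triage(SAMPLE_RECORDS, TODAY):
        print(row)
    print("excluded (no WHOIS record):", excluded_domains(SAMPLE_RECORDS))
```

Keeping the excluded domains in a separate list matters in practice: a domain with no WHOIS record is not necessarily benign, it simply cannot be aged, so it should be tracked rather than silently dropped from the investigation.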
The Iris Enrich API is designed to support enrichment of every domain name observed on a company’s network, typically sourced from web proxy or DNS logs and surfaced in a SIEM or custom-built analytics platform. We can retrieve almost all the details for a domain in a single short query.
_fetch * from event where $Enrich=True limit 1
As demonstrated in these screenshots, the DomainTools Iris Enrich API provides the most comprehensive report on a given domain. For more information, or for a demo of DomainTools’ and DNIF’s joint solutions, feel free to ping back in the comments or check out the DomainTools GitHub repository and video.
Thank you, and happy DNIFing!