Partner Spotlight: Quickly Uncover Malicious Domains With DomainTools
By Glenn Wong on December 1, 2016
Use DomainTools and Recorded Future together to easily find and identify related malicious domains.
This is part of a series of blog posts on useful “all-source analysis” research and collaborative approaches using Recorded Future and our OMNI Intelligence Partners.
Domain profile and threat actor data from DomainTools can be accessed via an extension built into Recorded Future Intel Cards. Incident responders can quickly uncover other domain names controlled by the same actor, and can prioritize their response with a DomainTools risk score that reveals how connected an indicator is to known-bad infrastructure.
Malicious actors understand how information sharing between organizations can weaken the effectiveness of their attacks when their IPs and domains show up on blacklists. To counter this, attackers will register multiple domain names and set up their own hosting infrastructure; sophisticated actors go further and create entire identities or assume a compromised one.
Most incident responders can’t see the full scope of the attacker’s capability when they’re responding to an alert or reviewing a threat feed. They often must wait until that infrastructure is used against them, forcing a reactive response and wasting resources as they struggle to link existing intelligence to new indicators.
Spearphishing attacks are especially difficult to defend against, because the entire point of the attack is to deceive users with look-alike domains created for one specific organization.
Effective security researchers require reliable, fast context about the threat actors and networks responsible for suspicious activity.
The DomainTools extension delivers this context and enables pivoting for domain and IP indicators found elsewhere in Recorded Future’s dataset with parsed Whois data on the Domain and IP Address Intel Cards.
It then goes deep into DomainTools datasets to uncover other domains hosted on the same IP addresses or linked to the same registrant. Incident responders will get an immediate sense of the actor’s intentions by reviewing other domains they’ve registered.
The extension also brings the DomainTools reputation score to the Domain Intel Card. This unique metric extends the coverage of existing blacklists to include other domain names that are closely related to known-bad domains, actors, and IPs.
A score in the range of 70 to 99 indicates a strong likelihood that the domain will be used for malicious purposes even though it’s not yet included in leading threat intel feeds. This enables a proactive response, and gives responders an initial threat indication to prioritize further research.
Earlier this year Proofpoint published an analysis of the Locky ransomware,[1] and among the technical details of the analysis was a list of Locky C2 sites. To illustrate the combined investigative power of Recorded Future and DomainTools, we look in detail at one of them: hxxp://qpdar[.]pw/main.php.
We start by looking up this domain on a Recorded Future Intel Card:
Within the context section, we see many domains of seemingly random strings — an indicator that this domain is associated with a DGA. Using the DomainTools lookup, we find additional information to further our investigation:
First, it’s worth noting that DomainTools has given this domain a risk score of 100, which is consistent with our original source for investigating the domain.
Second, from the Whois record we get the name, address, and email of the registrant (Matthew Pynhas, [email protected][.]com), and that this identity is linked with over 8,000 other domains.
Third, we see a sample of those domains, which appear to consist of random strings as well. Interestingly, whereas the context domains found through Recorded Future sources appear to have country-level TLDs (e.g., .it, .ru, .uk, .pw), those shown in the DomainTools sample show more organizational-centric TLDs (e.g., .com, .info, .org).
Of course, we also get the IP address that the domain qpdar[.]pw resolves to: 212[.]61[.]180[.]100. Clicking on the IP address from within the DomainTools lookup, we can quickly pivot to an IP Address Intel Card for more information:
While this IP address does not appear on any of the over 40 open source threat lists Recorded Future collects, other sources (e.g., VirusTotal, PhishTank) factor into a “Malicious” score of 72. For reference, the DomainTools lookup is also available from an IP Intel Card; the results show a sample of the domains that resolve to the same IP, as well as a raw reverse Whois lookup for the associated IP CIDR range (which appears to be registered in the Netherlands):
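To make the reasoning in the walkthrough concrete, here is a small Python triage script added as an example; it is not code from Recorded Future, DomainTools or this post, and it calls no API. It takes a lookup result (a constructed list of records, with qpdar.pw from the report above and the other names made up), flags “random string” names with the kind of cheap heuristics an analyst applies by eye when spotting DGA output, splits them by country-code versus generic TLD as in the observation above, and uses the 70-plus risk band described earlier to mark domains worth acting on before they reach a threat feed. The record fields, the entropy, vowel and consonant-run thresholds, and the sorting order are all assumptions for the example.

```python
import math
from collections import Counter

# Risk-score band the post describes: 70 to 99 means "likely malicious, not yet on
# leading feeds". The threshold is the post's figure; treating 100 the same way is ours.
HIGH_RISK_MIN = 70

# Constructed sample of lookup results. Not real DomainTools or Recorded Future
# output: qpdar.pw comes from the post, every other name and score is made up.
SAMPLE_LOOKUP = [
    {"domain": "qpdar.pw",           "risk_score": 100, "on_threat_list": True},
    {"domain": "xkqzvmtrph.com",     "risk_score": 94,  "on_threat_list": False},
    {"domain": "bwjdnflktv.info",    "risk_score": 88,  "on_threat_list": False},
    {"domain": "gzhrtwqlmv.it",      "risk_score": 77,  "on_threat_list": False},
    {"domain": "domaintools.com",    "risk_score": 2,   "on_threat_list": False},
    {"domain": "recordedfuture.com", "risk_score": 1,   "on_threat_list": False},
]

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of the string (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registered_name(fqdn):
    """Naive 'label.tld' split: second-level label and TLD (no public-suffix list)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2], labels[-1]


def longest_consonant_run(name):
    run = best = 0
    for ch in name:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_signals(fqdn):
    """Three cheap 'random string' heuristics on the second-level label.
    Each is weak alone (a dictionary name such as domaintools clears the entropy
    bar), so looks_dga() requires at least two of them to agree."""
    name, _ = registered_name(fqdn)
    letters = [ch for ch in name if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    return {
        "high_entropy": shannon_entropy(name) >= 3.0,   # assumed threshold
        "few_vowels": vowel_ratio <= 0.30,               # assumed threshold
        "consonant_run": longest_consonant_run(name) >= 3,  # assumed threshold
    }


def looks_dga(fqdn):
    return sum(dga_signals(fqdn).values()) >= 2


def tld_class(fqdn):
    """Two-letter TLDs are country codes (ccTLD); everything else is lumped as gTLD."""
    _, tld = registered_name(fqdn)
    return "ccTLD" if len(tld) == 2 else "gTLD"


def triage(records):
    """Annotate each lookup record and order it for analyst review:
    already threat-listed first, then by DomainTools risk score, then DGA-looking names."""
    rows = []
    for rec in records:
        high_risk = rec["risk_score"] >= HIGH_RISK_MIN
        rows.append({
            **rec,
            "dga_like": looks_dga(rec["domain"]),
            "tld_class": tld_class(rec["domain"]),
            # The proactive case from the post: no feed lists it yet, but the score is high.
            "proactive_block_candidate": high_risk and not rec["on_threat_list"],
        })
    rows.sort(key=lambda r: (r["on_threat_list"], r["risk_score"], r["dga_like"]), reverse=True)
    return rows


def tld_breakdown(rows):
    """Count DGA-looking domains per TLD class: the ccTLD-versus-gTLD split the post
    noticed between the Recorded Future context domains and the DomainTools sample."""
    return dict(Counter(r["tld_class"] for r in rows if r["dga_like"]))


if __name__ == "__main__":
    rows = triage(SAMPLE_LOOKUP)
    for row in rows:
        print(f'{row["domain"]:<20} risk={row["risk_score"]:>3} dga={str(row["dga_like"]):<5} '
              f'{row["tld_class"]:<5} proactive={row["proactive_block_candidate"]}')
    print(tld_breakdown(rows))
```

The two-of-three rule is deliberate: entropy alone misfires on ordinary names (domaintools.com scores just above 3 bits), while vowel ratio and consonant runs catch the short strings that entropy misses. The script is a prioritization aid for the few-clicks workflow above, not a verdict; a registrant or IP pivot still confirms what the heuristics only suggest.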
Using the DomainTools lookup in Recorded Future’s Intel Cards gives threat researchers quick and easy access to domain registration information that can be used to pivot and expand the scope of an investigation. The example above, which took a single domain from a published report, led to an expanded understanding of the risks and related indicators, including other suspicious domains and IP addresses, and revealed a possible threat actor or security research persona.
This was all possible with just a few clicks, making it easy for analysts to quickly assemble relevant threat information.
DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network and connect them with nearly every active domain on the internet. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work.
[1] Forcepoint published a similar analysis around the same time.