Jonathan Zhang

CEO of threatintelligenceplatform.com & whoisxmlapi.com, infosec thought leader and adviser

7 IoCs You Can Collect with the Aid of a WHOIS Database Download

It’s no secret that the World Wide Web is chock-full of threats. In the past 14 years or so (from 1 January 2005 to 30 June 2019), the Identity Theft Resource Center (ITRC) has recorded 10,502 breaches that led to the exposure of more than 1.5 billion records. This has led many to believe that getting compromised is a matter of when, not if.
Any entity that has an online presence is at constant risk of getting hit by a cyber heist or attack. While organizations that have sufficient resources to enhance their cybersecurity posture by purchasing the latest solutions and hiring the most skilled personnel are expected to spend as much as US$103 billion for their IT security needs, small businesses may not be as fortunate. That, however, doesn’t mean they need to suffer the dire consequences that come with a breach.
Organizations that lack a big cybersecurity budget can rely on less costly but effective means to beef up their digital protection. They can, for instance, gather their own threat intelligence to enhance the capabilities of their existing solutions, removing the need to buy more advanced software or upgrade hardware. Protecting against threats and mitigating risks is, after all, largely about blocking unwanted access to Internet-facing infrastructure, which requires a reliable source of information that won’t cost an arm and a leg.
A good way to obtain reliable and accurate indicators of compromise (IoCs) is a WHOIS database download. Because every domain has to be registered, and every registration has to carry contact and technical details, a WHOIS database that covers as much of the TLD space as possible is a handy reference. With it, companies can obtain a great deal of information on the possible threat sources they need to watch closely. These include:
1. Domain name: Security news sites are a veritable source of information on the latest threats. Security blogs and threat articles also list IoCs that users should keep an eye out for. Add all domains, subdomains, and IP addresses related to threat actors to your blacklist to prevent attackers from gaining access to your online properties, especially if your solutions currently don’t block them.
2. Registrar’s name and contact details: Not all registrars have the processes or resources to vet prospective domain owners. Cross-checking the registrar’s name against the other details in the database (company street and email address, phone and fax numbers, WHOIS server) helps verify whether a domain is safe to access or not.
3. Nameservers: Legitimate entities keep their servers threat-free, so running a domain’s nameservers against a list of known command-and-control (C&C) or otherwise malicious servers is worthwhile. This helps organizations identify questionable nameservers and add them to a blacklist that can be fed into existing security solutions. Keep in mind that a nameserver shared by thousands of unrelated domains (a large hosting or DNS provider) is a weak signal on its own; a small, recently set-up nameserver that serves only suspicious domains is a strong one.
4. Domain registration, update, and expiration dates: Cybercriminals and attackers put up and take down websites on the fly to evade detection and blocking, so the creation date is one of the strongest signals in a WHOIS record. Keeping tabs on newly registered domains that resemble your own (typosquats, lookalikes, or spoofed brand names) is a good way to spot malicious entities priming your company for an attack. A fresh update date on a long-lived domain can likewise point to a change of ownership or nameservers that deserves a second look.
5. Domain status: The status codes in a WHOIS record are the registry’s Extensible Provisioning Protocol (EPP) status codes, and they describe the domain’s administrative state, not whether the site is safe. “ok” simply means that no restrictions or pending operations apply to the domain. Statuses such as clientHold or serverHold, which remove the domain from the DNS, usually mean the registrar or registry has suspended it, sometimes for abuse, while pendingDelete and redemptionPeriod mean it is on its way out of the registry and may soon be available for someone else to register. Status changes are therefore worth tracking alongside the dates.
6. Registrant’s name and contact details: Though cybercriminals and attackers can hide behind aliases, it still pays to take a closer look at who owns a website that is, for instance, trying to establish a connection with yours. Verifying registrants and their contact details with simple Web searches adds another layer of protection against those who may have malicious intentions toward your business, and it is a good way to check that the people you’re doing business with are not threat actors in disguise.

Note, however, that some registrants opt for private or anonymous registration, and since the GDPR took effect in 2018 most gTLD records show redacted contact data by default. That doesn’t make them bad actors. They may just be protecting their privacy from online solicitation, phishing, and other digital threats.
7. Administrative contact’s name and details: Like the registrant information, these can easily be falsified. But cross-checks against the other available data (for instance, a contact whose details reappear across many unrelated, newly registered domains) help companies spot anomalies and flag suspicious-looking entities as potential threat sources. Constant vigilance against these improves their protective stance.
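As an added, self-contained example (not code from the original post or from whoisxmlapi.com), the following Python script parses a WHOIS record in the usual “Key: Value” layout and applies the checks from items 1, 3, 4, 5 and 6 above to it. The two WHOIS records, the nameserver blocklist, the brand list, the scoring weights and the fixed “current date” are all constructed assumptions for illustration; in practice the lists come from your threat feeds and asset inventory, and the records from the database download.

```python
"""Score WHOIS records against the checks described in the article.

Added example, not code from the original post or from whoisxmlapi.com.
Every list, weight and record below is a constructed assumption.
"""
from datetime import datetime, timedelta, timezone

# Assumed reference data (in practice: threat feeds and your own asset inventory).
BAD_NAMESERVERS = {"ns1.badhost.example", "ns2.badhost.example"}
OWN_BRANDS = {"example-bank": "example-bank.com"}   # brand token -> your real domain
NEW_DOMAIN_DAYS = 30
HOLD_STATUSES = {"clienthold", "serverhold", "pendingdelete", "redemptionperiod"}
MULTI_VALUE = {"Name Server", "Domain Status"}      # keys that repeat in a record
NOW = datetime(2019, 7, 1, tzinfo=timezone.utc)     # assumed "today", keeps the example deterministic

# Constructed WHOIS record for a lookalike domain registered a few days ago.
SUSPICIOUS_WHOIS = """\
Domain Name: EXAMPLE-BANK-LOGIN.COM
Registrar: Example Registrar, LLC
Updated Date: 2019-06-28T10:12:03Z
Creation Date: 2019-06-27T08:00:00Z
Registry Expiry Date: 2020-06-27T08:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.BADHOST.EXAMPLE
Name Server: NS2.BADHOST.EXAMPLE
"""

# Constructed WHOIS record for the brand's own, long-established domain.
LEGIT_WHOIS = """\
Domain Name: EXAMPLE-BANK.COM
Registrar: Example Registrar, LLC
Updated Date: 2019-02-10T09:00:00Z
Creation Date: 2010-03-15T00:00:00Z
Registry Expiry Date: 2025-03-15T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Name: Example Bank Inc.
Name Server: NS1.EXAMPLE-BANK.COM
Name Server: NS2.EXAMPLE-BANK.COM
"""


def parse_whois(text):
    """Turn 'Key: Value' WHOIS text into a dict; repeated keys become lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#", ">>>")):
            continue                       # comments, notices, terms-of-use text
        key, value = (part.strip() for part in line.split(":", 1))
        if key in MULTI_VALUE:
            record.setdefault(key, []).append(value)
        elif key and value:
            record[key] = value
    return record


def parse_date(value):
    """Parse the ISO-8601 'Z' timestamps used in registry WHOIS output."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess(record, now=NOW):
    """Return the domain, its findings as (name, weight) pairs and a summed risk score."""
    findings = []
    domain = record.get("Domain Name", "").lower().rstrip(".")

    # Item 4: domain age, measured from the creation date.
    created = record.get("Creation Date")
    if created and now - parse_date(created) < timedelta(days=NEW_DOMAIN_DAYS):
        findings.append(("new-domain", 2))

    # Items 1 and 4: lookalike of one of our brands that is not the brand's own domain.
    for token, legit in OWN_BRANDS.items():
        if token in domain and domain != legit:
            findings.append(("brand-lookalike", 3))

    # Item 3: any nameserver on the blocklist (case-insensitive, no trailing dot).
    servers = {ns.lower().rstrip(".") for ns in record.get("Name Server", [])}
    if servers & BAD_NAMESERVERS:
        findings.append(("bad-nameserver", 3))

    # Item 5: EPP status codes. "ok" only means no restrictions; hold and
    # deletion states mean the registrar or registry has acted on the domain.
    statuses = {s.split()[0].lower() for s in record.get("Domain Status", []) if s}
    if statuses & HOLD_STATUSES:
        findings.append(("on-hold", 1))

    # Item 6: redacted registrant. Reported with weight 0, since privacy is not guilt.
    if "REDACTED" in record.get("Registrant Name", "").upper():
        findings.append(("registrant-redacted", 0))

    return {"domain": domain, "score": sum(w for _, w in findings), "findings": findings}


if __name__ == "__main__":
    for text in (SUSPICIOUS_WHOIS, LEGIT_WHOIS):
        print(assess(parse_whois(text)))
```

Run over a bulk download, the same `assess` call turns each record into a small set of named findings that can be thresholded for a blacklist or forwarded to a SIEM. The weights are deliberately crude; the point is that age, lookalike names and nameserver reputation carry the signal, while redaction is reported but never scored, in line with the caveat under item 6.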
Security amid an ever-increasing number and growing scale of digital threats requires not just reactive but also proactive protection. Organizations need to defend against not just known but also unknown threats that even the best solutions that money can buy may fail to guard against. And that can only be addressed with the additional threat intelligence that tools like a WHOIS database download can provide.
When choosing a WHOIS database download, look for one that provides not only the latest information on domains but also historical data. A domain with a shady past deserves a place on any company’s blacklist, and a domain that has been abused once is more likely than average to be abused again; past ownership changes, nameserver changes, and earlier abuse are signals that a current-only record cannot show. The database you are considering should also be comprehensive. It should cover not just widely used gTLDs like .com, .org, and .net but also less common gTLDs (.biz, .mobi, .info, and the newer ones) and ccTLDs (.ru, .tk, .uk, etc.), which cybercriminals and attackers often favor to cover their tracks.
A database with enough domains to cover the Internet’s huge base (to date, around 6 billion WHOIS records) is a good bet. Last but not least, with as many as 380 websites created every minute, make sure the database you are eyeing is updated regularly to keep pace with the Internet’s growth.
Gathering your own threat intelligence—the key to a better security posture—shouldn’t cause you to break the bank. If you can’t afford the best solutions, be resourceful and innovative instead.