Many cybersecurity investigations can easily begin with a check of a domain of interest’s WHOIS record. It’s a simple way to find out more about who may be behind an attack. WHOIS records are increasingly redacted these days, however, so on its own that check is rarely enough.
Investigations need to draw on a variety of other factors and sources of information. That is where consulting threat intelligence feeds comes in: security analysts and researchers can combine several cyber threat intelligence feeds to enrich investigations and prioritize security events.
In this article, we explore examples that illustrate the use cases and benefits of leveraging cyber threat intelligence feeds.
You can use a combination of cyber threat intelligence feeds that provide WHOIS, IP geolocation and netblocks, subdomain, website contact and categorization, and typosquatting data to do the following:
Analyzing Attack Surface and Third-Party Risks in Practice
Back in 2017, TIO Networks, a payment processor newly acquired by PayPal, suffered a breach that possibly affected 1.6 million of its customers.
We wanted to see whether the perpetrators could have bulk-registered similar-looking domain names in the years since the attack. A Domain Discovery analysis for the string “tionetworks” identified 36 domains, and a Subdomain Discovery query identified 4 subdomains containing the string.
More recently, a November 2020 Typosquatting Data Feed check for the string “paypal” revealed at least 92 potential look-alike domains, excluding misspelled variations. We did not, however, identify any domain containing the string “tionetworks” during that month. This indicates that suspicious bulk registrations in that case probably concern the PayPal brand as a whole and no longer relate to TIO Networks specifically.
Subjecting those 92 domain names to a bulk WHOIS lookup showed that only six of them could be publicly attributed to PayPal. Any of the 86 remaining domain names could in theory figure in related attacks, since their ownership is unclear. We also checked the WHOIS record of TIO Networks’s own domain, tionetworks[.]com; its details have matched the record of its parent company PayPal since late 2017.
To identify websites that might currently be active, we ran a Screenshot Lookup, which showed that 10 of the domains hosted content, although nine of them displayed a 404 error page with a redirect button that does not currently lead anywhere. The remaining domain led to a live (though likely parked) page.
We looked at the pDNS records of several of the 86 non-publicly attributable domains and found that they resolved to at least 11 IP addresses that may be of questionable nature. A Reverse IP/DNS Lookup further showed that at least 2,769 domains have resolved to those 11 IP addresses at some point in time.
A closer look at these non-publicly attributable domains and connected IP addresses through VirusTotal helped us identify several properties flagged as “malicious” or “suspicious.”
Alert fatigue is real and needs to be addressed as much as possible. Improving your security platforms’ ability to reduce false alarms is one way to do so. Platform access to WHOIS, IP geolocation and netblocks, pDNS, subdomain, website contacts and categorization, and typosquatting data can make the following possible:
Better Security Alert Prioritization in Practice
Corporate IT security teams typically keep network logs to monitor for threats. So let us say, for this example, that a company’s network monitoring alerted its cybersecurity team to the 30 IP addresses in the list below.
How should the team prioritize these alerts?
One way is to use an IP geolocation tool together with a list of the world’s top cybercrime hotspots, such as the one kept by the Global Tech Council. An IP Geolocation Lookup would tell analysts that nine of the IP addresses point to commonly cited cybercrime hotspots. It is also cause for concern when the company does not serve the areas that some of the IP addresses point to, and that information can feed into alert prioritization.
For more information about the IP ranges, IP Netblocks API calls or database access would give the abuse contacts’ names, email addresses, and phone numbers. The IP addresses’ ISPs can also be identified and contacted for owner identification or takedown requests if needed.
Consulting an open-source intelligence (OSINT) resource like AbuseIPDB would help confirm suspicions; doing so shows that 13 of the flagged IP addresses have been reported as malicious. From there, analysts can widen the scope of the investigation by searching for potentially related domains with a reverse IP/DNS search tool. Doing so for the 13 IP addresses yields a list of 312 domains.
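The prioritization steps above (geolocation against a hotspot list and against the regions the company serves, abuse reputation, and netblock abuse contacts) combine naturally into a scoring function. The example below is added here and is not code from the original article; it calls no API. The geolocation, abuse-confidence and netblock records are constructed inputs shaped like what the feeds return, the hotspot country list uses placeholder ISO user-assigned codes (XA, XB) that you must replace with whatever source you trust, the served-country set and the score weights are assumptions, and internal (RFC 1918) addresses are routed to host triage because geolocation and reputation feeds say nothing useful about them.

```python
"""Score alerted source IPs for triage order. Added example with constructed
data; public IPs come from RFC 5737 documentation ranges."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Ranges where geolocation/reputation feeds do not apply (RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

HOTSPOT_COUNTRIES = {"XA", "XB"}  # placeholder codes; load your own hotspot list here
SERVED_COUNTRIES = {"US", "CA"}   # assumed: where the company actually does business

# Constructed sample inputs: ip -> alert count, ip -> country, ip -> abuse confidence 0-100.
SAMPLE_ALERTS = {"203.0.113.5": 12, "198.51.100.7": 3, "192.0.2.44": 1,
                 "10.20.30.40": 7, "203.0.113.9": 2}
SAMPLE_GEO = {"203.0.113.5": "XA", "198.51.100.7": "US", "192.0.2.44": "DE",
              "203.0.113.9": "XB"}
SAMPLE_ABUSE = {"203.0.113.5": 97, "198.51.100.7": 60, "203.0.113.9": 0}
SAMPLE_NETBLOCKS = [  # (network, netblock record) as a netblocks feed would provide
    (ipaddress.ip_network("203.0.113.0/24"),
     {"org": "Example Hosting A", "abuse": "abuse@hosting-a.example"}),
    (ipaddress.ip_network("198.51.100.0/24"),
     {"org": "Example ISP B", "abuse": "abuse@isp-b.example"}),
]


@dataclass
class Verdict:
    ip: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    abuse_contact: Optional[str] = None


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def netblock(addr: ipaddress.IPv4Address, blocks) -> Optional[dict]:
    """Longest-prefix match of the address against the netblock records."""
    hits = [rec for net, rec in blocks if addr in net]
    return max(hits, key=lambda r: r.get("prefixlen", 0)) if hits else None


def assess(ip: str, hits: int, geo: Dict[str, str], abuse: Dict[str, int],
           blocks: List[Tuple[ipaddress.IPv4Network, dict]]) -> Verdict:
    v = Verdict(ip)
    addr = ipaddress.ip_address(ip)
    if is_internal(addr):
        v.reasons.append("internal address: feeds do not apply, triage the host instead")
        return v                          # score stays 0 for this queue
    conf = abuse.get(ip, 0)
    if conf >= 50:                        # assumed threshold
        v.score += 50
        v.reasons.append(f"abuse confidence {conf}%")
    country = geo.get(ip)
    if country is None:
        v.reasons.append("no geolocation record")
    else:
        if country in HOTSPOT_COUNTRIES:
            v.score += 20
            v.reasons.append(f"{country} is on the hotspot list")
        if country not in SERVED_COUNTRIES:
            v.score += 15
            v.reasons.append(f"{country} is not a served region")
    v.score += min(hits, 10)              # volume matters, but cap it
    rec = netblock(addr, blocks)
    if rec:
        v.abuse_contact = rec["abuse"]
        v.reasons.append(f"netblock owner {rec['org']}")
    else:
        v.reasons.append("no netblock record")
    return v


def prioritize(alerts: Dict[str, int], geo: Dict[str, str], abuse: Dict[str, int],
               blocks) -> List[Verdict]:
    """Highest score first; ties keep input order."""
    return sorted((assess(ip, n, geo, abuse, blocks) for ip, n in alerts.items()),
                  key=lambda v: v.score, reverse=True)


if __name__ == "__main__":
    for v in prioritize(SAMPLE_ALERTS, SAMPLE_GEO, SAMPLE_ABUSE, SAMPLE_NETBLOCKS):
        print(f"{v.score:3} {v.ip:14} {v.abuse_contact or '-':26} {'; '.join(v.reasons)}")
```

The abuse contact surfaced on the top entries is what you would use for the takedown or owner-identification request mentioned above; the internal address ends up at the bottom not because it is benign but because this queue is for external sources and the host itself needs a different workflow.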
---
These are just two of several ways in which threat intelligence feeds can help organizations enrich their investigations and prioritize events. Cyber threat intelligence feeds can also prove useful in other cybersecurity applications, including phishing and brand protection and threat hunting.