Top Whois, DNS, IP and threat intelligence data provider. We provide APIs, databases, and tools.
Many cybersecurity investigations can easily begin with a check on a domain of interest’s WHOIS record. It’s a simple way to find out more about who may be behind an attack. In this day and age, WHOIS records are increasingly redacted, however, that is likely not enough.
Investigations need to consider a variety of other factors and sources of information. That is where consulting various threat intelligence feeds come in. In fact, security analysts and researchers can use a combination of cyber threat intelligence feeds to enrich investigations and prioritize security events.
In this article, we explore examples that illustrate the use cases and benefits of leveraging cyber threat intelligence feeds.
You can use a combination of cyber threat intelligence feeds that provide WHOIS, IP geolocation and netblocks, subdomain, website contact and categorization, and typosquatting data to do the following:
Analyzing Attack Surface and Third-Party Risks in Practice
Back in 2017, PayPal’s new acquisition TIO Networks suffered from a breach, possibly affecting 1.6 million of the payment processor’s customers.
We wanted to see if the perpetrators could have bulk-registered similar-looking domain names since the attack a few years ago. So we conducted a Domain Discovery analysis for the string “tionetworks” and identified 36 domains. A Subdomain Discovery query, meanwhile, let us identify 4 subdomains containing the string.
More recently, a November 2020 Typosquatting Data Feed check for the strings “paypal” revealed at least 92 potential look-alike domains, excluding misspelled variations. However, we did not identify any domain with the string “tionetworks” during that month. This indicates that suspicious bulk registrations in that case probably concerns the Paypal brand as a whole, but no longer relates to TIO networks specifically.
Subjecting those 92 domain names to a bulk WHOIS lookup told us that only six of these could be publicly attributed to PayPal. Any of the 86 remaining domain names could theoretically figure in related attacks since ownership attribution is unclear. We also checked TIO Networks’s tionetworks[.]com domain’s WHOIS record details, and those match the record of its parent company Paypal since late 2017.
With the purpose of identifying websites that might currently be active, a Screenshot Lookup told us that 10 of the domains hosted content, although nine showed a 404 error page with a redirect button that does not seem to lead anywhere for now. The remaining domain led to a live (though likely parked) page.
We looked at several of the pDNS records of the 86 non-publicly attributable domains and found that these resolved to at least 11 IP addresses that may be of questionable nature. Additionally, a Reverse IP/DNS Lookup showed that at least 2,769 domains resolved to the 11 IP addresses at some point in time.
A closer look at these non-publicly attributable domains and connected IP addresses through VirusTotal helped us identify several properties flagged as “malicious” or “suspicious.”
Alert fatigue is real and needs to be addressed as much as possible. Enhancing your security platforms’ capacity to reduce false alarms is one way to go about that. Platform access to WHOIS, IP geolocation and netblocks, pDNS, subdomain, website contacts and categorization, and typosquatting data can make the following possible:
Better Security Alert Prioritization in Practice
Every corporate IT security team typically keeps network logs to monitor for threats. So let us say in this example that a company’s network alerted its cybersecurity team to the 30 IP addresses in the list below.
How should the team prioritize the said alerts?
One way is by using an IP geolocation tool along with a list of the world’s top cybercrime hotspots, such as that kept by the Global Tech Council. IP Geolocation Lookup would tell analysts that nine of the IP addresses point to commonly cited cybercrime hotspots. It might also be a cause for concern if the company does not serve areas where some of the IP addresses point to, and this information could be used for alert prioritization.
For more information about IP ranges, IP Netblocks API calls or Database access would give abused contact persons’ names, email addresses, and phone numbers. The IP addresses’ ISPs can also be found and contacted for owner identification or takedown requests if needed.
Consulting an open-source intelligence (OSINT) resource like AbuseIPDB would also help confirm suspicions. Once done, security analysts would find that 13 of the flagged IP addresses are spotted as malicious. From there, analysts can widen the scope of their investigation by searching for potentially related domains using a reverse IP/DNS search tool. Doing so for the 13 IP addresses would provide a list of 312 domains.
These are just two of several ways by which threat intelligence feeds can help organizations enrich their investigations and prioritize events. Cyber threat intelligence feeds can also prove useful in other cybersecurity applications, including phishing and brand protection, and threat hunting.
Create your free account to unlock your custom reading experience.