The phrase that has become the anthem of the cybersecurity industry is: “prevention is the best solution.” And while there are many tools that can help prevent an attack, threat intelligence remains one of the most sophisticated and effective approaches.
Suffering a cyber attack seems an inevitable reality for every organization, whether big or small. And while there are many protective measures to implement, one of the most advanced and modern preventive solutions is threat intelligence. It allows organizations to analyse, understand, and mitigate possible dangers, and hence always be one step ahead of the attackers.
Chad Anderson, Senior Security Researcher at DomainTools, told us about the importance of threat intelligence in corporate settings and shared what new threats we might see emerge in the near future.
Tell us a little bit about your history. How did DomainTools originate?
DomainTools originated around 2002 and began its life historicizing WHOIS records, basically the ownership records for domains on the Internet. That then spread into historicizing DNS information, which is the phone book of the Internet. Initially, this was all for domainers, people speculatively purchasing domains for resale, but in later years, it became apparent that having this historical view of the Internet was more useful for researchers and security experts discovering what the Internet looked like on a particular day or what malicious infrastructure looked like at a particular time. This led to the current iteration where the company has pivoted to be a threat intelligence firm providing researchers, journalists, and defenders with access to its 20+ year historical data set of Internet infrastructure data.
At DomainTools, threat intelligence is the main focus. Why is it so essential?
Anyone can collect data about objects on the Internet as it’s all open protocols. Taking that data and distilling it into intelligence, either through manual processes by knowledgeable researchers or through machine learning algorithms that do predictions based upon feature sets, creates something essential in a space flooded with maliciousness. Phishing, malware, ransomware, business email compromise (BEC), and other threats abound on today’s Internet, and it’s nearly impossible to catch them all. Threat intelligence allows you to make accurate predictions about a potential threat before it affects your clients. Combining our intelligence with their own data from firewall logs and user endpoints allows companies to generate their own, even more accurate intelligence product for defending their users. This practice is invaluable for defenders.
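The combination described above, an external feed joined against an organization’s own firewall logs to produce a local intelligence product, is illustrated here as an added example; it is not code from the interview or from DomainTools. The feed format (a dict keyed by registrable domain with a hypothetical 0–100 risk score and tags), the `key=value` log line layout, the domains, and the tiny stand-in for the public suffix list are all constructed assumptions.

```python
"""Correlate constructed firewall log lines with a constructed threat-intel feed.

Everything here is an assumption for illustration: the feed schema, the
hypothetical risk scores, the log format and the host names are made up.
"""
import re
from collections import defaultdict

# Constructed intel feed: hypothetical domains, risk scores (0-100) and tags.
INTEL = {
    "examp1ebank.net": {"risk": 94, "tags": ["phishing"]},
    "example-cdn.net": {"risk": 71, "tags": ["malware-c2"]},
}

# Constructed firewall log lines (RFC 1918 sources, invented destination hosts).
LOG_LINES = [
    "2022-01-10T09:12:03Z src=10.0.0.5 dst_host=login.examp1ebank.net action=allow",
    "2022-01-10T09:12:09Z src=10.0.0.5 dst_host=www.legit-example.org action=allow",
    "2022-01-10T09:14:41Z src=10.0.0.8 dst_host=login.examp1ebank.net action=allow",
    "2022-01-10T09:20:00Z src=10.0.0.9 dst_host=update.example-cdn.net. action=block",
    "malformed line without fields",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst_host=(?P<host>\S+) action=(?P<action>\S+)$"
)

# A real implementation would consult the public suffix list; this small set is
# a stand-in so that names under e.g. co.uk still collapse to the right domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Reduce a FQDN (optionally with trailing dot) to its registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate(lines, intel, min_risk=70):
    """Join log events against the feed.

    Returns (alerts, local_intel): one alert per event whose registrable
    domain is in the feed at or above min_risk, plus a local enrichment that
    records how many internal hosts touched each flagged domain. That internal
    prevalence is the organization's own intelligence product, something the
    external feed alone cannot know.
    """
    alerts = []
    prevalence = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:          # skip malformed lines instead of crashing
            continue
        domain = registrable_domain(ev["host"])
        hit = intel.get(domain)
        if hit and hit["risk"] >= min_risk:
            prevalence[domain].add(ev["src"])
            alerts.append({
                "ts": ev["ts"], "src": ev["src"], "host": ev["host"],
                "domain": domain, "risk": hit["risk"], "tags": hit["tags"],
                "action": ev["action"],
            })
    local_intel = {
        d: {"internal_hosts": len(srcs), "hosts": sorted(srcs)}
        for d, srcs in prevalence.items()
    }
    return alerts, local_intel


if __name__ == "__main__":
    found, local = correlate(LOG_LINES, INTEL)
    for a in found:
        print(f'{a["ts"]} {a["src"]} -> {a["host"]} ({a["domain"]}, risk {a["risk"]}, {a["action"]})')
    print(local)
```

The `action` field is kept on each alert deliberately: an allowed connection to a high-risk domain is a triage priority, while a blocked one is confirmation that an existing control worked, and the per-domain host count tells the responder how far a campaign has spread internally.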
What types of attacks do cybercriminals usually carry out using malicious domain names?
Rarely does an attack not involve a domain name. Even rarer is that an attack doesn’t involve some sort of interaction with a computer network at all. That said, I would say the most common use of a malicious domain is for credential harvesting by phishers. Phishing is so prevalent because attackers can now resell those credentials as initial access brokers (IABs) to ransomware affiliates or use the credentials themselves to profit off the user. As phishing domains get squashed rather quickly by defenders, new domains are constantly being registered, which allows the attackers to continue to have the upper hand.
Besides various solutions to enhance security, you also provide forensics and incident response. Can you tell us more about the recovery process after an incident?
Post-quarantine and other remediation steps, a large part of the forensics process may rely on historical data: logs collected by endpoints affected, data found on machine images, and a whole host of other possibilities. Often, attackers will have already burned their infrastructure, so these incident responders will rely on tooling like that provided by DomainTools to look at a historical view of the Internet and rebuild what happened with a hopeful goal of attribution to a specific threat actor.
What new challenges did the COVID-19 pandemic present in your field of work?
COVID-19 flooded the public mindshare and led to a vast registration of domain names like nothing we had ever seen before. Along with taxing our systems, it sent a lot of the predictive models that various companies used to determine the maliciousness of new domains into a state of disarray. This cascaded down to us, our own predictive models, and into the intelligence we could provide about these new swaths of domains. The challenge here became one of repairing those models, making them more robust, and still finding ways to hunt for maliciousness in those daily masses of registrations. We were able to accomplish all of that by applying heuristics informed by industry experience and refining them into new tooling to spot anomalies across domain registration patterns.
Threat hunting has gained popularity recently - how does it work, and what are the benefits?
Threat hunting is taking the process of defense in cybersecurity and flipping it into a proactive mode. A threat hunter tries to predict how their organization will be attacked and the modes that the attacker will employ, and then hunts for those out in the wild. Defenders basically got tired of being a purely reactive organization and have since found threat hunting very effective at finding potential malicious activity. For instance, taking the name of your organization, running through all of the potential permutations for a phishing domain that looks similar, then looking for registration of those domains enables defenders to be a step ahead of the attacker. No better intelligence exists than that level of predefined insight.
Brand protection is receiving more recognition nowadays. However, this term might still be a new concept to some. How can a brand be taken advantage of for malicious purposes?
Brand recognition is such a powerful thing and can be wielded to trick customers and employees and to ruin corporate reputations alike. More and more companies are finding it valuable to monitor the domain registration space for instances of their brand either being used for potential attacks against their own infrastructure or against that of their customers. In the world of supply chain attacks that leverage third-party vendors to then work into a final target, companies are even finding it important to monitor the brands of their own vendors in case that vendor doesn’t have the resources to do it themselves. Trusted, recognized names can be leveraged for just about every type of Internet scam out there, from nation-state espionage to run-of-the-mill cybercrime.
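The threat-hunting step described two answers above (enumerate lookalike permutations of your organization’s name, then watch for them being registered) and the brand monitoring described here are the same workflow, shown below as an added example. It is not code from the interview or from DomainTools; the permutation techniques, the homoglyph and keyword tables, and the list of “newly registered” domains are constructed assumptions standing in for a real registration feed such as a zone-file diff or a commercial new-domain feed.

```python
"""Enumerate lookalike permutations of a brand label and match them against a
constructed feed of newly registered domains (added example, not the page's code)."""

# Constructed sample: pretend these appeared in today's new-registration feed.
NEW_REGISTRATIONS = [
    "examplebank.com",        # the legitimate brand itself, must not be flagged
    "exarnplebank.com",       # 'rn' standing in for 'm'
    "examp1ebank.net",        # digit one standing in for 'l'
    "examplebank-login.com",  # brand plus a credential-themed keyword
    "exmaplebank.com",        # two adjacent letters swapped
    "unrelated-shop.org",
]

# Small, assumed substitution tables; a production hunter would use far larger ones.
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "m": ["rn"], "e": ["3"], "a": ["4"]}
KEYWORDS = ["login", "secure", "support", "verify"]


def permutations(label):
    """Return {candidate_label: technique} for a brand label (the label itself excluded)."""
    cands = {}

    def add(technique, cand):
        if cand and cand != label and cand not in cands:
            cands[cand] = technique   # first technique to produce a string wins

    n = len(label)
    for i in range(n):                                  # drop one character
        add("omission", label[:i] + label[i + 1:])
    for i in range(n - 1):                              # swap two neighbours
        if label[i] != label[i + 1]:
            add("transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                                  # double one character
        add("repetition", label[:i] + label[i] + label[i:])
    for i, ch in enumerate(label):                      # visually similar substitutes
        for glyph in HOMOGLYPHS.get(ch, []):
            add("homoglyph", label[:i] + glyph + label[i + 1:])
    for i in range(1, n):                               # hyphen inserted inside the label
        add("hyphenation", label[:i] + "-" + label[i:])
    for kw in KEYWORDS:                                 # brand combined with a lure word
        add("keyword", f"{label}-{kw}")
        add("keyword", f"{label}{kw}")
        add("keyword", f"{kw}-{label}")
    return cands


def hunt(brand_label, registrations):
    """Return [(fqdn, technique)] for registrations whose first label is a permutation."""
    cands = permutations(brand_label.lower())
    hits = []
    for fqdn in registrations:
        fqdn = fqdn.lower().rstrip(".")
        first_label, _, _tld = fqdn.partition(".")
        if first_label in cands:
            hits.append((fqdn, cands[first_label]))
    return hits


if __name__ == "__main__":
    for fqdn, technique in hunt("examplebank", NEW_REGISTRATIONS):
        print(f"{fqdn:28} {technique}")
```

Each hit carries the technique that produced it, which is useful for triage: a homoglyph or keyword registration that mimics a login page warrants a faster takedown request than a single-character omission that may be an unrelated word. Matching on the first label only is an assumption that keeps the example short; a fuller version would also inspect registrations where the brand appears as a subdomain or inside a longer label.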
What new threats do you think companies should be ready to tackle in 2022? What tools should they have in place?
We’re seeing an increase in the creativity of phishers and ransomware affiliates as users have become keen on the most basic of scams. Multi-stage opt-out scams which lure the user into trust by getting them to call a local phone number where the operator convinces them to open a malicious file, or long cons that slowly build trust with users through an email chain are all becoming common. These types of scams slip right by traditional methods since they contain only text and no sure-fire malicious content. Tooling like EDRs and XDRs oftentimes protect against the final stage payload these scams deliver, but attackers are even finding ways around those. The best defense you can have in place, after following general best practices, remains education for your people.
Share with us, what’s next for DomainTools?
Recently, DomainTools acquired Farsight, a company which specializes in passive DNS data, the anonymized collection of the first and last time a DNS question has been asked with a unique response. This is another valuable tool set for defenders reconstructing an attack. Combined with the active collection of records that DomainTools does, it creates a one-stop shop for defending networks with infrastructure intelligence. As we continue to grow, DomainTools looks toward other projects that can aid in our corporate mission to “Make the Internet a safer place for everyone” by providing high-quality data sets and tooling to defenders.
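The passive DNS model described here (first seen, last seen and a count for each unique question/answer pair, with no record of who asked), and the forensic use of such historical data described earlier in the interview (rebuilding what infrastructure looked like after the attacker has burned it), are illustrated below as an added example. It is not code from the interview, from DomainTools or from Farsight; the observation format, the RFC 5737 documentation addresses and the host names are constructed.

```python
"""Build a minimal passive DNS index from constructed resolver observations and
pivot through it the way an incident responder would (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class PdnsRecord:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: datetime
    last_seen: datetime
    count: int


# Constructed observations: (timestamp, rrname, rrtype, rdata).
# Deliberately no client address: passive DNS keeps the question/answer pair
# and its timing, not who asked, which is what makes the data set anonymized.
OBSERVATIONS = [
    ("2021-03-01T10:00:00Z", "update.example-cdn.net", "A", "203.0.113.7"),
    ("2021-03-01T10:05:00Z", "update.example-cdn.net", "A", "203.0.113.7"),
    ("2021-03-04T08:30:00Z", "update.example-cdn.net", "A", "203.0.113.7"),
    ("2021-03-05T09:00:00Z", "update.example-cdn.net", "A", "198.51.100.22"),
    ("2021-03-02T12:00:00Z", "login.examp1ebank.net", "A", "203.0.113.7"),
    ("2021-03-03T12:00:00Z", "login.examp1ebank.net", "A", "203.0.113.7"),
    ("2021-03-06T12:00:00Z", "cdn.legit-example.org", "A", "192.0.2.50"),
]


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_index(observations):
    """Collapse observations into one record per unique (name, type, answer)."""
    index = {}
    for ts, name, rrtype, rdata in observations:
        t = parse_ts(ts)
        key = (name.lower().rstrip("."), rrtype.upper(), rdata)
        rec = index.get(key)
        if rec is None:
            index[key] = PdnsRecord(*key, first_seen=t, last_seen=t, count=1)
        else:                       # only the time window and count grow
            rec.first_seen = min(rec.first_seen, t)
            rec.last_seen = max(rec.last_seen, t)
            rec.count += 1
    return index


def names_for_rdata(index, rdata, at=None):
    """Reverse pivot: which names resolved to this answer (optionally at a moment)?

    Passing `at` answers the forensic question "what did this IP host on the
    day of the incident", even if the attacker has since moved the name.
    """
    names = []
    for rec in index.values():
        if rec.rdata != rdata:
            continue
        if at is not None and not (rec.first_seen <= at <= rec.last_seen):
            continue
        names.append(rec.rrname)
    return sorted(names)


def history_for_name(index, name):
    """Forward pivot: every answer a name has had, oldest first."""
    name = name.lower().rstrip(".")
    return sorted((r for r in index.values() if r.rrname == name),
                  key=lambda r: r.first_seen)


if __name__ == "__main__":
    idx = build_index(OBSERVATIONS)
    print("names on 203.0.113.7:", names_for_rdata(idx, "203.0.113.7"))
    for rec in history_for_name(idx, "update.example-cdn.net"):
        print(rec.rdata, rec.first_seen.date(), rec.last_seen.date(), rec.count)
```

The two pivots are the core of the reconstruction workflow: starting from an address in a firewall log, `names_for_rdata` recovers the names that shared that infrastructure during the incident window, and `history_for_name` then shows where each of those names moved afterwards, which is how overlapping infrastructure gets grouped into a single actor’s campaign.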