Videos Archives - DomainTools | Start Here. Know Now.
https://www.domaintools.com/resources/videos/
Last updated: Thu, 20 Jun 2024 16:24:00 +0000

DomainTools Iris Detect
https://www.domaintools.com/resources/videos/domaintools-iris-detect-video/
Thu, 03 Feb 2022 00:00:00 +0000
DomainTools Iris Detect uncovers newly associated variations of domain names within minutes of their existence, and enables ongoing monitoring and alerts.

The post DomainTools Iris Detect appeared first on DomainTools | Start Here. Know Now..

Discover and Monitor Lookalike Domains with Unmatched Speed and Coverage

Powered by the fastest domain discovery and risk assessment in the industry based on more than 20 years of domain and DNS history, DomainTools Iris Detect uncovers newly associated variations of domain names within minutes of their existence, enables ongoing monitoring and alerts, and provides an easy way to report risky domains.

The fast and global discovery of new domains allows you to stay ahead of bad actors, gain valuable insights into key data (like Whois, screenshots, associated risk scoring, and more) to quickly assess risk, watch domain activity, and take action on identified threats.

Iris Detect not only discovers newly registered domains for the terms you’re monitoring, it also watches those domains over time and notifies you of changes.

Iris Detect: Identify risk and take action

DomainTools Iris Enrich
https://www.domaintools.com/resources/videos/domaintools-iris-enrich/
Wed, 02 Feb 2022 00:00:00 +0000
DomainTools Iris Enrich enables workflows with rich context for quick triaging, automated investigations with domain and DNS data, and threat data enrichment to establish


Enable Intelligent Security Solutions

Powered by nearly two decades of industry research and the largest, most comprehensive domain and DNS repository, DomainTools Iris Enrich enables workflows with the rich context needed for quick triaging, empowers automated investigations with leading domain and DNS data, and enriches threat data to establish rule-driven actions.

The interoperability of our data allows you to enrich valuable threat telemetry and insights from past investigations, gain new context to empower your security ecosystem, enable intelligent security workflows, and automate investigation workloads.

Iris Enrich provides access to an extensive threat intelligence dataset and makes it easy to connect security solutions, share rich context, and improve threat protection and response actions across solutions and teams.

DomainTools Iris App for CrowdStrike Demo
https://www.domaintools.com/resources/videos/domaintools-iris-app-for-crowdstrike-demo/
Thu, 26 Aug 2021 00:00:00 +0000
Learn more about the DomainTools Iris Threat Intelligence App for CrowdStrike in this 3 minute overview video, including a short demo of the features and functionality.


For your convenience, we’ve included the video transcription below

Profile Adversaries and Their Infrastructure

Current detection technologies such as CrowdStrike Falcon can provide a wealth of information on malicious activities within an organization and can identify the domains or IP addresses associated with attacks or data exfiltration. But, because threat actors rapidly “burn” infrastructure, a reactive approach to IoCs can leave you exposed to new attacks.

Fortunately, it’s possible to take a more proactive stance by profiling adversaries and their infrastructure. This allows you to prioritize blocking and detections around domains and IP addresses that may be in the process of being weaponized.

DomainTools Iris provides predictive risk assessments and DNS infrastructure intelligence within the CrowdStrike Falcon platform, to enable rapid, in-context profiling of domain observables.

This risk assessment, which comes from the proprietary DomainTools Risk Score and the DomainTools Threat Profile dataset, allows you to make informed decisions about defensive or forensic actions. When a deeper investigation is warranted, you can launch DomainTools Iris directly from the Falcon card, without disrupting your current investigation within Falcon.

The DomainTools Risk Score predicts how likely a domain is to be malicious, often before it is operationalized. This can reduce the window of vulnerability between the time a malicious domain is registered and when it is observed and reported publicly as a component of an attack.

DomainTools Threat Profile provides further predictive analytics by giving security practitioners insight into which domains possess characteristics indicative of “malicious intent.” These algorithms analyze the intrinsic properties of the domain and provide phishing, malware, and spam scores for the investigated domains.

DomainTools Iris App

The DomainTools Iris Threat Intelligence App fits easily and naturally into your Falcon workflows. The app’s page in the CrowdStrike Store describes what the app does, but also serves as a jumping-off point for investigations into adversary infrastructure. You can enter a domain name in Global Search, here. In this example, Falcon itself did not see this domain in the environment, but the DomainTools tab will tell us more about it.

Another common way to begin your investigations is triaging alerts. Here, a critical incident has occurred. In Falcon, you can learn more about the incident through a rich variety of drill-down capabilities. In this case, drilling all the way down to DNS activity provides details on a specific domain that received ping traffic from the protected environment. Once again, from the DomainTools tab, proceed directly to Iris for a closer look.

Once in the Iris interface, you can see additional enrichment data about the domain, including registration, hosting, screenshots, and more. You can pivot off of any of the datapoints to find linked infrastructure that may be part of a larger attack campaign. This is one of the ways to shift from reactive to proactive: Iris often lets you see infrastructure that may be dormant now, but will be activated later as part of an ongoing campaign. The infrastructure you illuminate here can be exported for later use in detection engineering or blocking rules.

DomainTools App for Splunk and Splunk Enterprise Security
https://www.domaintools.com/resources/videos/domaintools-app-for-splunk-and-splunk-enterprise-security/
Wed, 17 Jun 2020 00:00:00 +0000
Learn how the Iris dataset can help you alert and hunt for young and newly observed domains, high risk domains, adversary infrastructure details, domains tagged via the I


For your convenience, we’ve included the video transcription below

Confidence In The Data

Welcome. In this video we’re going to be taking a look at the DomainTools App for Splunk and Splunk Enterprise Security. The DomainTools App for Splunk leverages our Iris dataset which is Comprehensive, Accurate and Timely. We’re tracking over 330 million active domains and we’re picking up hundreds of thousands of newly registered or discovered domains every day. Our rich historical repository of DNS and registration data allows us to connect the dots on malicious registration activity and powers our Domain Risk Score methods.

For example, when we look at a domain like owa-office3365[.]com, you’ll observe that we really have four risk scores for this domain. The first we’ll look at is our Proximity score. Proximity lets us know how close a domain is to existing known bad domains within our dataset. So we can explore things like the hosting infrastructure behind the domain or registration details around the domain. Both of these let us know this domain is in close proximity to existing bad domains within Iris.

Our machine learning classifiers are more predictive in nature. They’re looking at the features like the domain name string, the age, the infrastructure and the registration details behind the domain. For example, today we have a high level of confidence this domain was registered for the purposes of phishing as noted by the 98.

Enrich And Hunt With The Iris Dataset

The Iris Enrich API was purpose built for large scale event decoration, meaning we can enrich proxy logs, DNS query logs, or email domain logs within your SIEM. What are we hunting for? Things like young/newly registered domains or newly observed domains, domains with high Risk Scores, specific adversary infrastructure details, things like hosting providers or registrars, name servers, mail servers, SSL certificates and more. Domains that have been tagged via our Iris investigation UI, or targeted phishing domains that are attacking a keyword or brand that you’re keeping an eye on.

Where To Find The DomainTools App For Splunk And Splunk ES

We can get started in Splunkbase where you can find the DomainTools App for Splunk and Splunk Enterprise Security. Once it is installed on your search head or your search head cluster, you can drop your API key in, configure your base search, and we’re off and running with enrichment. We’ll start by looking at our DomainTools threat hunting dashboard. This dashboard is meant to give us a quick look at the details of the domains that we’ve spotted in your logs over the last 24 hours. We can help flag out things like those young domains, so if a domain was registered 5 days ago and is emailing your finance department we’re going to find that here. Newly observed domains, so domains we haven’t spotted before in your logs. Domains that score highly for a machine learning score for either malware, phishing or spam.

How DomainTools Defines Dangerous Domains

When it comes to looking at the risky domains, we can look for specific registrar activity, specific SSL certificate details. We can also flag out dangerous domains. Dangerous domains are a blended score for us here at DomainTools. What we’re looking at when it comes to dangerous domains are both the Risk Score threshold for our machine learning classifiers for malware or for phishing, and our Proximity threshold. So we’re looking at both of those together, so you have to be close to known badness and look like a phishing or a malware domain here. So our starting point domain, that owa-office3365[.]com, would certainly qualify here.

Capabilities Within the DomainTools App for Splunk and Splunk ES

Live Lookups And Hunting For Correlated Domains

We can perform live lookups inside of our app, meaning we can go perform a live lookup against the API and pull that data directly into Splunk without having to leave. So we can pull this data in and look at the most recent registration details, hosting infrastructure details, any registrant details we might have gotten, and also the most updated Risk Scores as well. We can quickly craft a query here that allows us to look at the rest of the KV store that we’re populating with data to hunt for correlated domains. So we can look for things like the hosting ISP providers, so maybe, hey, there’s a couple of specific hosting providers we want to keep an eye on. Or we can look at things like name servers, registrars, TLD spaces, certs, anything really that can potentially be useful when it comes to an investigation. We populate this data for 30 days by default in the KV store.

Automate Phishing Detection With PhishEye For Splunk

We can automate our phishing detection so if we’re tracking specific keywords or brands with our PhishEye tool and hunting for lookalike domains on a daily basis, we can pull those directly into Splunk. So we can identify these spoofed domains as they are registered or discovered, we can generate this list and ingest it automatically daily into Splunk and then we can monitor logs for specific phishing domain activity.

Bring Actionable Threat Intelligence Into Splunk

We can bring actionable threat intel into Splunk using the Iris Investigate UI. In that UI, we can highlight and then tag domains. These tags are local to our account but they will flow out on API calls. So if we tag a domain in the Iris UI and then we catch that domain in a log 6 months, 8 months, 10 months later, that tag is going to flow through, so we can either trigger notable events with our tags or suppress them. Speaking of, our Enterprise Security tab allows us to manage and customize any of the “out-of-the-box” correlation searches that DomainTools provides. And our integration within the notable event framework allows us to pop directly out to our Iris investigation platform or go directly to that live lookup page if we want to stay inside of Splunk, but either way we can get a deeper dive on a specific domain.

The DomainTools App for Splunk allows us to convert our enrichment into threat intelligence, allows us to understand the risk factors of domain names that we’re finding in our logs, allows us to precisely target our threat hunting on domain ownership and hosting providers within our logs, and allows us to surface meaningful alerts and filter out noise. And it allows us to classify domain names based on their likely malicious use.
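The hunting criteria described in this transcript (young domains, newly observed domains, high classifier scores, the blended “dangerous” condition of Proximity plus a malware or phishing score, and locally applied tags that either raise or suppress notables) reduce to plain triage logic over enriched log records. The following is an added example written for this page, not the DomainTools app’s own code: the proxy log lines, the enrichment records standing in for the app’s KV store, the `internal-owned` suppression tag, and every threshold value are constructed assumptions, because the page states no default values.

```python
"""Triage domains from proxy/DNS logs against Iris-style enrichment data.

Added example, not DomainTools' own code. Log lines, enrichment records,
tag names and thresholds are constructed to mirror the hunting criteria in
the video (young, newly observed, high classifier score, the "dangerous"
blend of Proximity plus a malware/phishing score, and local tags).
"""
from collections import Counter
from datetime import date

YOUNG_DAYS = 7             # assumed: registered within the last week
HIGH_SCORE = 90            # assumed: classifier score treated as high
PROXIMITY_THRESHOLD = 70   # assumed: "close to known badness"
SUPPRESS_TAGS = {"internal-owned"}  # assumed local tag that suppresses alerts

# Constructed enrichment cache standing in for the app's KV store.
ENRICHMENT = {
    "owa-office3365.com": {"create_date": "2020-06-12", "proximity": 88,
                           "malware": 40, "phishing": 98, "spam": 20, "tags": []},
    "bigbank-secure-login.net": {"create_date": "2018-03-01", "proximity": 20,
                                 "malware": 95, "phishing": 55, "spam": 10, "tags": []},
    "invoice-portal.co": {"create_date": "2019-11-02", "proximity": 75,
                          "malware": 92, "phishing": 60, "spam": 30,
                          "tags": ["known-phish-campaign"]},
    "corp-partner.net": {"create_date": "2015-04-20", "proximity": 5,
                         "malware": 3, "phishing": 2, "spam": 1,
                         "tags": ["internal-owned"]},
}
# Constructed: registered domains already seen in the last 30 days of logs.
SEEN_BEFORE = {"corp-partner.net", "invoice-portal.co"}
# Constructed proxy log lines in key=value form.
SAMPLE_LOGS = [
    "2020-06-17T10:02:11Z src=10.1.4.22 dest=mail.owa-office3365.com action=allowed",
    "2020-06-17T10:02:15Z src=10.1.4.22 dest=owa-office3365.com action=allowed",
    "2020-06-17T10:05:40Z src=10.1.7.9 dest=login.bigbank-secure-login.net action=allowed",
    "2020-06-17T10:07:02Z src=10.1.2.3 dest=invoice-portal.co action=blocked",
    "2020-06-17T10:09:55Z src=10.1.4.22 dest=sso.corp-partner.net action=allowed",
    "2020-06-17T10:11:13Z src=10.1.9.1 dest=cdn.static-assets.io action=allowed",
]


def parse_log_line(line):
    """Split a key=value log line into a dict; the first token is the timestamp."""
    timestamp, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["timestamp"] = timestamp
    return record


def registered_domain(fqdn):
    """Reduce a hostname to its registered domain.

    Assumption: the last two labels are the registered domain. Use a public
    suffix list in production; this shortcut is wrong for co.uk-style TLDs.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess(domain, record, today, seen_before):
    """Apply the hunting criteria to one domain's enrichment record."""
    age_days = (today - date.fromisoformat(record["create_date"])).days
    high_risk = [k for k in ("malware", "phishing", "spam") if record[k] >= HIGH_SCORE]
    dangerous = (record["proximity"] >= PROXIMITY_THRESHOLD
                 and max(record["malware"], record["phishing"]) >= HIGH_SCORE)
    finding = {
        "domain": domain,
        "age_days": age_days,
        "young": age_days <= YOUNG_DAYS,
        "newly_observed": domain not in seen_before,
        "high_risk": high_risk,
        "dangerous": dangerous,
        "tags": list(record["tags"]),
    }
    if SUPPRESS_TAGS.intersection(record["tags"]):
        finding["verdict"] = "suppressed"
    elif dangerous or high_risk or finding["young"] or finding["newly_observed"]:
        finding["verdict"] = "notable"
    else:
        finding["verdict"] = "clear"
    return finding


def triage(log_lines, enrichment, seen_before, today):
    """Enrich every registered domain in the logs; one finding per domain."""
    hits = Counter(registered_domain(parse_log_line(line)["dest"]) for line in log_lines)
    findings = []
    for domain, count in hits.items():
        record = enrichment.get(domain)
        if record is None:  # nothing cached: a candidate for a live lookup
            finding = {"domain": domain, "verdict": "unenriched"}
        else:
            finding = assess(domain, record, today, seen_before)
        finding["hits"] = count
        findings.append(finding)
    order = {"notable": 0, "unenriched": 1, "suppressed": 2, "clear": 3}
    return sorted(findings, key=lambda f: (order[f["verdict"]], -f["hits"]))


def run_sample():
    """Triage the constructed logs as of the day they were captured."""
    return triage(SAMPLE_LOGS, ENRICHMENT, SEEN_BEFORE, date(2020, 6, 17))


if __name__ == "__main__":
    for f in run_sample():
        print(f["verdict"].upper(), f["domain"], f["hits"], f.get("high_risk", ""))
```

Run as a script it prints one finding per registered domain, notable hits first. The point of the blended condition shows in the sample: bigbank-secure-login.net scores 95 for malware but sits far from known-bad infrastructure, so it is surfaced only as high-risk and newly observed, while owa-office3365.com is both young and “dangerous”. In a real deployment the enrichment dict would be filled from the app’s lookups, and registered_domain would use a public suffix list.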

DomainTools Iris Investigate
https://www.domaintools.com/resources/videos/domaintools-iris-investigate/
Wed, 03 Jun 2020 00:00:00 +0000
Enter DomainTools Iris Investigate, a robust data set to power your investigations. Rich context complemented by an infrastructure to map threats and threat actor activity.


DomainTools Iris Investigate

The rich context you need for an indicator is available at your fingertips… Enter DomainTools Iris Investigate.

Through the most comprehensive data set with nearly two decades of industry research and the largest domain and DNS repository, Iris Investigate identifies threats, maps threat-associated infrastructure, enables specific advanced search combinations, and supports deep-dive investigations.

See Threats in Context

With our flexible interface, you can customize your searches and investigation pathways to suit your work processes. Predict the risk of indicators, clearly identify infrastructure connections, guide investigations, uncover threats, and track threat actors.

DomainTools’ robust data powers your investigations by highlighting broad-ranging connections between registration and infrastructure data, mapping threats and threat actor activity.

Iris Investigate Brand Protection
https://www.domaintools.com/resources/videos/iris-investigate-brand-protection/
Wed, 27 May 2020 00:00:00 +0000
Welcome to the use case overview for Brand Protection with DomainTools Iris. When it comes to leveraging domain registration data for brand protection, our tools can help


For your convenience, we’ve included the video transcription below

Leveraging Domain Data for Brand Protection

Greetings and welcome to the use case overview for Brand Protection with DomainTools Iris. When it comes to leveraging domain registration data for brand protection, we can sort the malicious domains that we come across into two broad buckets. One is domains that are targeting external users. These may be domains that are looking to capitalize on our brand to target our customer relationships, so they could be used for credential harvesting.

So think of the endless number of fake Netflix login pages or Comcast login pages targeting users right now. They may be looking to use these domains for payment skimming; the Magecart group in particular has look-alike domains when they are breaking into your e-commerce pages. They are going to use them to sell counterfeit goods, or they may be used to drop ransomware onto a system. These domains are targeting external users and could also be targeting our business relationships, so you may be a part of the long tail vendor chain for someone, and they are utilizing your brand for business email compromise phishing, wire fraud, or to gain initial access, or to gain lateral movement once they have that initial access, through lateral spearphishing.

We also have domains that are targeting our internal users. These are also going to be used for credential phishing; they could be targeting your vendor relationships, so they could use, say, your identity access management or single sign-on providers in conjunction with your brand to target your internal end users, your office suites, your cloud providers. Those different vendor relationships you have are ripe for abuse. Same for business email compromise phishing: they could be utilizing your brand just to get wire fraud directly from you, or to gain initial access ahead of a data breach or planting ransomware across your network.

Domains Targeting External & Internal Users

Now when it comes to the remediation cycle for these, for domains that are targeting external users we want to discover those, investigate, monitor, and then initiate a takedown. Sometimes this process will happen very quickly, or sometimes you may do the model and have to keep an eye on them for a longer period of time. For domains that are targeting your internal users, that cycle is very similar but you do have an option to block. So when you discover, you can block, and you can also block after you have investigated; if you find additional domains that could be used to target you across malicious actor infrastructure, you can block those as well.

Brand Protection with Iris: Discovery Options

Now that discovery phase is really important, and Iris can help in a lot of different ways; here, knowing is half the battle. The easiest ones are going to be things like, hey, domains that begin with our brand, or contain our brand, or end with our brand, just in the domain name string itself. You are going to find a lot there if you have got a popular brand.

Passive DNS

Looking in Passive DNS and utilizing your brand in wildcard searching to see if you are being utilized in any subdomain activity. In this case we are hunting for bank login, but we picked up Chase, a domain that is spoofing Chase as well here, so that long URL there could be used to trick a user; they might not see that it’s out of a dot cf, so if they’re on a mobile device it can be tricky to see the full URL. But hunting in Passive DNS here you can find all of the different registered domains that are utilizing your brand as a subdomain and then export them into the Iris Pivot Engine.

Google Analytics

We can also do discovery via Google Analytics codes. These trackers are used on your site to take a look at the traffic that you’re getting, but they’re often picked up when bad guys are looking to scrape your login page; they’ll pull those in almost by accident. If they are very lazy they will just leave those up, and when we go hunting for those in the wild we will just pick those up.

So here we can see we have 170 domains or so that are utilizing the JP Morgan analytics tracker code. If we get a better look at those, we can see clearly that a lot of these have nothing to do with JP Morgan, the one on top there we’re observing on a blocklist today, that’s why we see that Risk Score of 100. The other ones below there that have a little broken paper clip next to them, tell us that these are inactive domains, so they are either older domains that were owned by JP at some point in the past or they’ve infringed them and taken them down.

Whois

Within the Iris data set, we have got a lot of other discovery options that are available. The Whois data that we pull we’re getting less frequently, but certainly some registrars are still passing us that data, so looking for maybe your street address or your phone number within those registrations can be very helpful.

SSL

Looking in the SSL certs that we are pulling in to find the subjects that might contain either your full brand name or a partial match can be helpful. Same for hunting in SOA records, looking where folks might be spoofing your domain name there as well, looking at mail servers that might contain your domain name, or your brand name rather, or the SSL org, also another way to go hunting for your particular brand within our data set.

You know when we are doing these types of broader hunts, it can be helpful up front to tag our own infrastructure, so run an investigation across all of your own infrastructure and then give that a tag, we can then take that tag and filter that out when we are doing our searching for potential infringing domains out in the wild. So, we are always filtering out the noise that might be our own registered domains.

Iris Investigation Walkthrough

Now we’ll run through a sample investigation targeting brand protection here inside of Iris. This particular investigation starts with a Japanese shipping and logistics company, Sagawa. We picked up hundreds of spoofing registrations occurring starting in late 2018 and going on through 2019. They were leveraging this brand, sending out SMS messages to end users saying, hey, your package was unable to be delivered, you can go here and download an application to track the package in real time. So, this is the landing page of one of those sites that are part of an effort to get someone to grab that APK onto their device. Once that APK is on their device it starts to hunt for their banking login information and it starts redirecting users who are trying to go to their bank login page to the spoofed sites here. So, here’s a quick collection of the screenshots that we pulled from some of the spoofing sites of the banking providers used there. Very convincing. Now this is at scale: we picked up thousands of registrations if we combine this with the Sagawa domains between 2018-2019, again targeting Rakuten, Softbank, DoCoMo, KDDI and Yahoo. The Yahoo ones in particular are also very convincing, trying to pull those credentials.

Iris Pivots

Now when we explore these domains within the Iris data set, we have a lot of options at our disposal for pivoting, right, so right away for yahoo-accounts[.]com. The 100 lets us know that it’s on a blocklist; that IP address there is highlighted, letting us know that that’s going to be helpful for us. But we’re pulling in name server data, registrar data, contact data, the SOA records or Whois if we can get those, SSL certificates, analytics codes, redirects, mail server, SPF info; all that data can be useful in an investigation, in particular in this investigation here. If we were to look for an IPv4 and take a look at the other domains that are hosted there by expanding here, we’ll see that, hey, it’s not just yahoo-accounts but it’s a large collection of Yahoo, Softbank, Rakuten, Docomo all kind of cohabiting that same IPv4 address. Over the course of this particular investigation we were able to expand and pivot to bring these things in, but we’re also looking at things like registrant orgs. So here we see ones that are tied to a couple hundred registrations within our data set. Getting a better look at those tells us, hey, those are also connected to our starting point. Not only do we see Yahoo, Rakuten, Apple but also the more generic support-039.info. Those are probably targeting other brands at the subdomain level; we can go hunting for that back in our Passive DNS data pane.

Contact street addresses can also allow us to pivot across the data that are connected to those; same for email addresses. We run historical matches against our entire 20 year database, so we can find any older activity that might be tied to these registration details as well. Things like phone numbers, IPv4s, SSL certificates all came in handy in this particular investigation, and we ended up with, like I said, nearly 2,000 total domains that might be connected to various bits of infrastructure, registration details and web content that we pull into Iris. Once we have these larger lists it’s time to start thinking about blocking and tackling, right. So when we have found a bunch of adversary infrastructure in the wild, there are lots of different ways to get that out of Iris; primarily we can very quickly highlight all those domains and then copy them to our pasteboard so we can get them where we need to go. We also have the option to download the entire Pivot Engine via CSV or STIX 1.2, 2.0, and XML or JSON for the end users who need that out there.

Monitoring

And when it comes to monitoring them, the Iris Pivot Engine is getting updated daily, so we are, you know, pulling in frequent pulls for Whois, hosting infrastructure, mail server records as well as SSL certificates. Changes across all of that could be clearly instrumental in saying, hey, this was parked, now it’s become active. Now you can pull screenshots and use that in our evidence as well. When it comes to remediation that kind of thing can be really helpful.

Takeaways about Takedowns

So some quick takeaways about takedowns. Your resolution time frames are going to vary wildly and the options at your disposal vary wildly based on the TLD space domain, based on the registrar, or the hosting provider, but regardless the one thing that you are going to need is data. That data can be found inside of our Iris platform. Maybe it’s the Whois abuse contact data, maybe it’s the infrastructure abuse contact data. But it can also take the form of historical screenshots, historical Whois data, or infrastructure observation details we’ve made either in the Pivot Engine or with the Passive DNS data. MX records also very helpful here. This is all going to help you when it comes to that takedown process when you are working with brand protection inside the Iris data set.
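The string-based discovery options the transcript walks through (domain names that begin with, contain, or end with the brand; the brand used as a subdomain label in passive DNS; tagging your own infrastructure so it can be filtered out of the results) can be run against any feed of new registrations before anything is brought into the Pivot Engine. The block below is an added example written for this page, not DomainTools code: it takes the Sagawa brand from the walkthrough, but the registration list, the passive DNS hostnames, the set of owned domains standing in for the “own infrastructure” tag, and the homoglyph table are all constructed. It goes one step beyond the transcript by also catching single-character typos and look-alike substitutions such as “vv” for “w”.

```python
"""Screen new registrations and passive DNS hostnames for brand abuse.

Added example, not DomainTools' own code. Brand taken from the walkthrough;
the domain lists, the owned-domain set (standing in for the "own
infrastructure" tag) and the homoglyph table are constructed.
"""

BRAND = "sagawa"
# Constructed: stands in for the tag applied to our own infrastructure in Iris.
OWN_DOMAINS = {"sagawa-exp.co.jp", "sagawa.example"}
# Constructed feed of newly registered domains.
NEW_REGISTRATIONS = [
    "sagawa-app.com", "app-sagawa.net", "mysagawatracking.info",
    "sagavva-delivery.com", "saga-wa.top", "sagwa-tracking.net",
    "unrelated-shop.jp", "sagawa.example", "sagawa-exp.co.jp",
]
# Constructed passive DNS hostnames from a wildcard search on the brand.
PASSIVE_DNS_HOSTNAMES = [
    "sagawa.login-verify.cf", "track.sagawa-app.com",
    "cdn.unrelated-shop.jp", "sagawa.sagawa.example",
]
# Partial, constructed table of look-alike substitutions (multi-char first).
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Fold hyphens and common look-alike characters so variants compare equal."""
    label = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typo_match(label, brand):
    """True if some window of the label is within one edit of the brand."""
    n = len(brand)
    for size in (n - 1, n, n + 1):
        for start in range(max(1, len(label) - size + 1)):
            if edit_distance(label[start:start + size], brand) <= 1:
                return True
    return False


def brand_match(domain, brand=BRAND):
    """Classify the registrable label of a domain against the brand, or None."""
    label = normalize(domain.split(".")[0])
    if label == brand:
        return "exact"
    if label.startswith(brand):
        return "begins"
    if label.endswith(brand):
        return "ends"
    if brand in label:
        return "contains"
    if typo_match(label, brand):
        return "typo"
    return None


def screen_registrations(domains, brand=BRAND, own=OWN_DOMAINS):
    """(domain, match kind) for every brand-related domain that is not ours."""
    hits = []
    for domain in domains:
        if domain.lower() in own:
            continue  # our own registrations are noise in this hunt
        kind = brand_match(domain, brand)
        if kind:
            hits.append((domain, kind))
    return hits


def screen_passive_dns(hostnames, brand=BRAND, own=OWN_DOMAINS):
    """Hostnames carrying the brand in a subdomain label under a domain we do not own.

    Assumption: the registered domain is the last two labels (use a public suffix list in production).
    """
    flagged = []
    for host in hostnames:
        labels = host.lower().split(".")
        if ".".join(labels[-2:]) in own:
            continue
        if any(brand in normalize(label) for label in labels[:-2]):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for domain, kind in screen_registrations(NEW_REGISTRATIONS):
        print(f"{kind:8} {domain}")
    print("passive DNS:", screen_passive_dns(PASSIVE_DNS_HOSTNAMES))
```

The normalization step is what makes saga-wa.top and sagavva-delivery.com fall into the same buckets as the plain spellings; the typo window catches sagwa-tracking.net, which none of the begins/contains/ends checks would. Keep the owned-domain set current, otherwise your own hostnames on a new TLD will show up as hits.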

About DomainTools Iris Investigate
https://www.domaintools.com/resources/videos/about-domaintools-iris-investigate/
Wed, 27 May 2020 00:00:00 +0000
In this video, we demonstrate how our data sets are presented in the Iris platform and some ideas on making domain and DNS investigations more intuitive & comprehensive


For your convenience, we’ve included the video transcription below

Hello and thank you for joining. Welcome to our DomainTools Iris platform overview. Here at DomainTools, we have been powering investigations with our domain ownership, DNS observation and web crawl data for nearly two decades. In this video we are going to be taking a quick look at our Iris investigative platform. Iris brings together a lot of the data sets that we have gathered and allows us to easily uncover additional correlated malicious infrastructure and domain activity. With the Iris omnibox here, we can start an investigation with an IP address, an email address, an SSL certificate, a Google Analytics code and more.

Look-alike Domains

In this case, we are going to start with a domain, sagawa-app[.]com. This is a look-alike domain, targeting customers of a large Japanese shipping and logistics company, Sagawa. In the Pivot Engine we get a tabular view of the most recent data pulled for any data set that we are looking to gather: ownership information, registrar and create date data, hosting infrastructure data, our web crawl data including Google Analytics code and Adsense trackers, mail server information, redirects, and SSL certs where available. The current contact info we have for this domain is redacted. But we can use our historical Whois tab to go back in time and take a look at what this data looked like when this domain was initially registered.

Here we can see the name, address and phone number of our registrant and we parsed out a yahoo.co[.]jp email address that we can right click to pivot on, to find any other domain in our data set that has been associated with it. This magnifying glass allows us to take a look at these domains before bringing it into the Pivot Engine, we can then determine whether they are relevant to our investigation. What we see here are 65 malicious domains targeting not only Sagawa but also Yahoo Japan, Softbank and Digi-Docomo, Rakuten, Apple, and more. A simple expand selection here will bring the rest of these domains into our Pivot Engine here so we can get a better look at what our threat actors are up to.

Historical Screenshots

Another useful feature inside of Iris is the ability to look at our historical screenshots of domains. In this case, the Sagawa app domain shows itself to be a well-crafted look-alike, stealing the logo and layout of the real deal. However, we can see that our adversaries have left a step by step guide for any unlucky visitor to follow that directs them to overwrite the security settings on their Android device and then grab a malicious application from a dropper domain, Sagawa.oicp[.]io. Using our Advanced Search interface, I am going to manually add oicp[.]io to the Pivot Engine. In this interface, you can drop up to a thousand domains at the same time or craft a more sophisticated query based off of the Pivot Engine data set. Create dates, Risk Scores, SSL certs, etc. are all in play and can greatly assist in threat hunting.

Guided Pivots

Now we can get a look at oicp[.]io. Here we can see the hosting IP is highlighted, a feature we call Guided Pivots. This feature allows us to highlight potential pivot points that are likely to be useful to an investigator. In this case, it is directing us to an IP address hosting only 26 domains. We can use the Preview Pivot Pane to get a look at these, and see that our actors are hosting not only oicp[.]io here but also several other variants on that name. Note that 4 of these are scoring a 100 according to our Risk Score. This means we have observed these on third-party lists of known-malicious domains. But these 99s just below here haven’t quite made it to any traditional intel feeds just yet. Our predictive machine learning classifiers peg these as malware domains, so you will want to expand and bring these into the Pivot Engine and export the whole thing for blocking and hunting.

Iris also includes a data Visualization tool. Here we can view the domains from our Pivot Engine and layer on any data points that we collect. In this case, we are looking at the hosting IP addresses and SSL certificates that are associated with our malicious domains. We can easily home in on the dedicated infrastructure used by our adversaries and expand our hunting and pivoting from there. Our Passive DNS partner data gives us a better look at the activity timeline for our dropper domain Sagawa.oicp[.]io. These in-the-wild lookups and resolutions show us its current activity. We can use this data to hunt for additional malicious IPs, subdomains, SOA records, TXT records, and more.

I hope this demonstration has given you a better understanding of how our data sets are presented in the Iris platform and some ideas on making domain and DNS investigations more intuitive and comprehensive. Thank you for your time.

The post About DomainTools Iris Investigate appeared first on DomainTools | Start Here. Know Now.
Empower Your Team With The World's Largest DNS Dataset https://www.domaintools.com/resources/videos/empower-your-team-with-the-worlds-largest-dns-dataset/ Mon, 24 Feb 2020 00:00:00 +0000 https://domaintools.wpengine.com/resources/uncategorized/empower-your-team-with-the-worlds-largest-dns-dataset/ Gain insight that is necessary to make the right decision about the risk level of threats to your organization.

Gain Insight to Assess The Risk Level of Threats to Your Organization

Every day, your security teams are doing their best to make the right decisions about the risk level of threats to your organization. But as the amount of network traffic and alerts grows exponentially, this decision-making process becomes labor intensive and requires supporting cyber threat intelligence.

You've already got talented staff and workflows to understand your network, but you need the insights to determine where to start and which action to take.

DomainTools Cyber Threat Intelligence

Empower your team with the immediate ability to detect, investigate, triage, remediate, and prevent threats with decades of industry research and the largest DNS data set.

And it’s flexible. Whether you leverage our UI or integrate our data into the solutions you’re already using, you’ll be able to discern which alerts you can ignore, and which need immediate action. Classify threats with predictive risk scoring and discover how widespread a campaign may be by mapping connected infrastructure.

DomainTools helps your team turn threat data into threat intelligence.

Domain Risk Score Overview https://www.domaintools.com/resources/videos/domain-risk-score-overview/ Tue, 22 May 2018 00:00:00 +0000 https://domaintools.wpengine.com/resources/uncategorized/domain-risk-score-overview/ Domain Risk Score uses predictive algorithms to flag dangerous domains soon after they are registered, helping security teams block dangerous domains before they are weaponized.

Predict How Likely a Domain is to be Malicious

The Internet teems with malicious infrastructure, operated by threat actors who use domains to spread malware, lure victims to phishing sites, and flood inboxes with spam. Meanwhile, security teams face a barrage of alerts and events, often without the context to tell them which of these represent serious threats. Security analysts and threat hunters need a fast, reliable way to know which domains observed in their environment present the greatest threat. Compounding the challenge, threat actors often register and use new domains to inflict damage before the industry lists of known-malicious domains catch up and “convict” the domains.

Domain Risk Score from DomainTools uses predictive algorithms to flag dangerous domains soon after they are registered, helping security teams to block dangerous domains before they are weaponized, or to effectively and efficiently triage domain-based alerts from their security systems.

Machine Learning and Predictive Insights

Two distinct and complementary algorithms power Domain Risk Score. Proximity to Known Maliciousness evaluates how closely connected a domain is to other domains that have been identified as malicious. Threat Profile uses machine learning classifiers to analyze intrinsic properties of a domain, identifying patterns consistent with malware, phishing, spam, or neutral domains. The result is a reliable prediction of whether a domain is likely to be malicious, and if so, what kind of risk it represents.

Use Risk Score in DomainTools Iris to evaluate domains surfaced as part of an investigation. Or use the Risk Score API for automated alerting or blocking on suspicious domains in your environment. As part of an integration with a SIEM, threat intelligence platform, or orchestration tool, Domain Risk Score helps analysts prioritize alerts, focusing on the threats most likely to harm the organization.
