Everything You Wanted to Know About DomainTools Threat Intelligence

DomainTools Webinar hero image

With the recent launch of our Cyber Intelligence Marketplace, we’re excited to continue our blog series highlighting each of our partners. In this blog, we would like to highlight DomainTools. DomainTools is one of our long-standing partners. The Threater Intelligence Marketplace has two cyber intelligence feeds from DomainTools including a Domain Hotlist and it’s new IP Hotlist offering.

Who is DomainTools? Tell Us About Yourself?

DomainTools is a cyber threat intel company that focuses on capturing data about online infrastructure. Long-timers in the industry will recall that we used to be popularly known as “the Whois company,” because so many individuals and organizations relied on DomainTools for that information. However, from the start, we collected much more than Whois data, but maybe even more importantly, we a) saved everything, and b) cross-indexed much of it, allowing for various unique ways to query the data to find out more about digital infrastructure and the entities who control it.

How Does DomainTools Collect Intelligence?

There’s no single answer to this question, because there are so many different types of data we collect! But it is a combination of technologies, relationships, and know-how. A lot of folks don’t realize that there is no official centralized repository of information about all of the nearly 400 million domains in existence today (to say nothing of the many millions more that have come and gone over the years)–even ICANN itself doesn’t have something like that. We spent many years developing a variety of collection methods, scaling them, and processing the data to make it consumable by the various tools and functions that use it.

What makes DomainTools’ Threat Intelligence Unique?

In some ways, our ultimate vision is to provide continual snapshots of the entire Internet, so that we have the picture of the whole thing at any point in time. There are almost uncountable interconnections between domains, subdomains, IP addresses, SSL certificates, web server content, and many other data points, that help build the picture of what any given piece of infrastructure is “about.” Illuminating these data points and their connections is at the heart of what we do, because it is that context that helps an analyst – or our own machine learning risk scoring tools – evaluate the risk level of a given domain, or an IP address in terms of the domains it hosts. If the data is incomplete, or stale, the picture for the analyst is less reliable. Thus, it is our bread and butter to be the best in the world at collecting, processing, and provisioning infrastructure data.

What Types of Threats will DomainTools Protect Customers From?

One important clarification: DomainTools itself provides data, and tools for understanding the data, to help people or technologies do the protecting. That’s where partners such as Threater are so important: it is your technologies that put our data to work, protecting networks and the people who use them! But the threats we can help uncover range from phishing, to malware, to spam, to fraud, and just about any other kind of malfeasance you can think of. From the standpoint of our machine learning classifiers, they do focus on phishing, malware, and spam. But from those categories, many other kinds of threats are built. Take ransomware, for example – phishing is still one of the main incursion vectors for ransomware attacks, and C2 domains are one of the main ways that tooling is installed, data exfiltrated, etc. So having good characterization of malware and phishing domains is bigger than just those specific types of activity.

Talk to us about the exciting new IP Hotlist intelligence?

In the old days of network security, there was a lot of focus on inbound threats – “what evil packets are being sent toward my network?” But now (and this has been true for many years), the majority of incursions are made possible by traffic that goes out from sources inside the protected environment, to IP addresses on the Internet that have domains controlled by malicious actors. So in a sense, the domain is the key to characterizing the threat, but from an alerting or blocking point of view the IP address is where the action happens. IP hotlist looks at IP addresses specifically through the lens of what domains are hosted on them, and how malicious and active those domains are. If an IP address has a preponderance of malicious domains on it, and if we have observed recent (24 hours) traffic to hostile domains, that IP lands on the Hotlist. Out of all the billions of routable IP addresses out there, this is our distillation of what the network defender really needs to care about, and act upon, right now.

What’s One Interesting Attack/Threat Trend You Are Seeing?

With apologies for not being especially original in this answer, it’s hard not to call out the latest ransomware developments here. While there actually isn’t a whole lot that is particularly new or innovative in the malware itself, the methodologies of the ransomware groups, from RaaS (ransomware as a service) to affiliate programs, and the proliferation of ransomware capabilities is concerning. If there’s a silver lining, though, it is that preventing ransomware is not magic. An incursion (almost) always relies on actor-controlled Internet infrastructure for various stages, and if you have good intel on that infrastructure, it is very realistic and achievable to thwart ransomware. We expect that one of the successes of the DomainTools – Threater partnership is going to be that our data helps Threater customers stop this harmful species of attack.

Hope you enjoyed learning more about DomainTools threat intell feeds! In case you didn’t get to see it live, you can watch a recording of our joint webinar to hear Threater CRO Todd Weller and DomainTools Security Evangelist Tim Helming walk through our partnership.

Want to learn more about Threater’s Cyber Intelligence Marketplace? You can read our blog, watch our webinar, or read our FAQ to get all the details. Or better yet, schedule a demo or sign-up for a free trial and see Threater in action!

See Threater in Action