A New Way to Pinpoint Dangerous Infrastructure
At DomainTools, we’re all about helping defenders, responders, and other infosec practitioners identify and characterize malicious online infrastructure. Today I’m pleased to share some details about two new offerings that will help with exactly that: IP Hotlist and Hosting IP Risk Feed.
This isn’t our first foray into risk scoring, of course; our Domain Risk Score has been in production for several years and is being used by teams around the world for everything from alert triage to network security block-lists to investigation guidance. Almost as soon as we released the Domain Risk Score (well, technically, even before we released it!), we received a very logical question: Can you do the same thing for IP addresses?
So now, our answer is “yes,” with the important proviso that the lens through which we evaluate the IP addresses is the domains hosted on them. (So, for example, these products aren’t designed to catch residential IP addresses that are recruited into botnets.) Let’s take a look at what these two related but different IP risk products are.
IP Hotlist
From prevention through detection and mitigation, many security technologies across the spectrum center on the IP address as the object for rule creation. If you’re running that sort of gear—and if you’re an infosec pro, you definitely are—you need reliable data on which to build blocking or detection rules for IP addresses. The IP Hotlist is designed to identify the very riskiest population of hosting IP addresses. Two main criteria define this list: the percentage of known malicious and predicted malicious hosted domains and the level of traffic the address is receiving (specifically to high-risk domains), as measured in Internet-wide passive DNS collection. The Hotlist is an ideal database for high-confidence block list and detection rules. Typical Hotlist size is between 40,000 and 60,000 IP addresses.
What determines how an IP address lands on the Hotlist? What we want to get to are those domains that are both hostile and active. There’s a lot of hostile-but-dormant infrastructure out there. While that’s still important to know about from an investigative point of view, the most critical “do-I-need-to-worry-about-this” IPs are the ones that are controlled by malicious actors and are getting traffic, presumably from victim environments. We are especially proud of the chocolate-and-peanut-butter combo of our risk scoring and the outstanding passive DNS data we get from Farsight Security and our other passive DNS providers.
Hosting IP Risk Feed
Here’s a little peek behind the curtain at DomainTools: we debated whether it made sense to call this product “Risk Feed” and not something else, because, unlike the Hotlist, the IP addresses in this feed are not necessarily risky. The Hosting IP Risk Feed is a daily feed of all IP addresses found to be hosting at least one domain. So, unlike the IP Hotlist, this feed includes any actively-hosting IP, regardless of its risk level. But because we still include the percentage of known malicious and predicted malicious domains for each IP in the feed, we consider its orientation to be based on the question of risk, hence the name. But there’s a lot more than just addresses and risk scores: the Hosting IP Risk Feed also contains detailed data fields enriching the IP. Ultimately, no one is in a better position than you to decide what constitutes high risk in your particular environment, so the Hosting IP Risk Feed gives you the building blocks to create a highly-customized IP list based on your own criteria. For example, you might have a significant interest in IP geolocation. Perhaps for your organization, traffic to IPs in certain regions will always be considered high risk, regardless of other criteria. The Hosting IP Risk Feed will let you create detections or blocks based on that. Or, perhaps you want to combine various fields, such as country, ASN, Domain Risk Score, etc, for your rules. The breadth of data in the feed makes this a simple matter of some scripting against the feed (which is a simple flat file).
We are delighted to debut these important tools in the fight against hostile online infrastructure. If you’d like to find out more about IP Hotlist or the Hosting IP Risk Feed, please contact us.