If it seems like DomainTools is all about the feeds recently, you’re not imagining things. Coming hot on the heels of our IP Hotlist and Hosting IP Risk Feed release, we are excited to debut our Domain Discovery Feed. Our customers have told us that this kind of information has been in considerable demand, and we’re here to help!
Any reader of this blog probably already knows that thousands of malicious domains are registered and used every day for phishing, ransomware, credential harvesting, fraud, and more. As a result, many security teams now use a domain’s age as a signal of risk, with brand-new domains standing out for extra scrutiny. Just like the name suggests, the new Domain Discovery Feed is a daily list of all newly-registered or newly observed domains identified by our best-in-class suite of infrastructure discovery technologies. You can cross-check the Domain Discovery Feed against domains seen in web proxy or DNS resolver logs to reveal traffic to new, and thus potentially harmful, infrastructure.
For Domains, Youth ≠ Beauty
Hundreds of thousands of new domains are registered every day (a typical count for this feed is around 350,000). Surprisingly to some, many, even most, of these domains are neutral. However, this still leaves thousands of malicious domains coming online each day. While it may not be true that most young domains are malicious, most malicious domains are indeed young. Since malicious infrastructure is regularly added to blocklists, and therefore “burned” from the malicious actor’s point of view, a constant stream of new domains must be created in order to continue nefarious operations. This is why more and more network defenders are looking to identify new domains as a signal of risk.
World’s Most Comprehensive New Domain Detection Technologies
Another surprise to some folks is that there is no officially-published list of new domains, not even from ICANN; beyond that, many top-level domains (TLDs) do not publish zone files. These factors can make the detection of new domains tricky. But with nearly 20 years of experience gathering, processing, and provisioning domain-related data, DomainTools has built unique capabilities for detecting the presence of new domains, as well as changes to existing ones. The result of this globe-spanning detection network is the industry’s most complete feed for new domain information.
Alerting, Blocking, Automating
The Domain Discovery Feed is a simple text file of domain names. This gives you maximum flexibility for using the new domain information to create alert or block rules for network or host defenses. Security Information and Event Management (SIEM) platforms, Threat Intelligence Platforms (TIP), and a variety of other log and event aggregation sources can capture domains accessed from the protected environment; scripts which check these domains against the Domain Discovery Feed can then raise alerts when traffic to matching domains is observed. In some environments, a zero-trust policy toward new domains is employed; in such cases, the Domain Discovery Feed can enable the creation of automatic blocking rules for most traffic, or quarantine/inspection rules for SMTP and other protocols that can accommodate various dispositions.
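As an added illustration of the cross-check workflow described above (this is example code written for this post, not a DomainTools tool or the feed's own tooling), the script below loads a one-domain-per-line feed, walks each queried name in a DNS resolver log up through its parent domains so that subdomains of a newly observed domain also match, emits alerts, rolls them up per client, and can turn the feed into BIND-style response policy zone (RPZ) records for the blocking use case. The feed contents, the log line layout (`timestamp client query qtype`), the `.example`/`.test` domain names and the client IPs are all constructed for the example; your feed delivery format, log schema and resolver's policy mechanism are assumptions to adjust.

```python
"""Cross-check DNS resolver log queries against a newly-observed-domain feed.

Assumptions (example code, not DomainTools'): the feed is plain text with one
domain per line ('#' comments and blank lines ignored); log lines look like
"<timestamp> <client_ip> <query_name> <qtype>", a constructed format.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed sample feed (reserved TLDs; not real feed data).
SAMPLE_FEED = """\
# constructed sample: domains first observed today
brandname-login-verify.example
invoice-portal-secure.test
cdn-assets-update.example
"""

# Constructed resolver log lines: "<timestamp> <client_ip> <query_name> <qtype>".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.12 www.example.com A
2024-05-01T09:00:02Z 10.0.0.12 login.brandname-login-verify.example. A
2024-05-01T09:00:05Z 10.0.0.40 INVOICE-PORTAL-SECURE.TEST A
2024-05-01T09:00:07Z 10.0.0.41 mail.corp.internal A
2024-05-01T09:00:09Z 10.0.0.12 brandname-login-verify.example TXT
"""


def normalize(name: str) -> str:
    """Lowercase, strip whitespace and the trailing root dot ('a.b.' -> 'a.b')."""
    return name.strip().lower().rstrip(".")


def load_feed(text: str) -> set[str]:
    """Parse the feed text into a set of normalized domain names."""
    feed: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        feed.add(normalize(line))
    return feed


def feed_match(fqdn: str, feed: set[str]) -> str | None:
    """Return the feed entry covering fqdn, or None.

    Walks parent domains so 'login.new.example' matches a feed entry
    'new.example'. The bare TLD is never tested as a candidate.
    """
    labels = normalize(fqdn).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


@dataclass(frozen=True)
class Alert:
    timestamp: str
    client: str
    query: str
    feed_domain: str


def parse_log_line(line: str) -> tuple[str, str, str] | None:
    """Extract (timestamp, client, query) from a constructed-format log line."""
    parts = line.split()
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def scan_log(lines: Iterable[str], feed: set[str]) -> list[Alert]:
    """Raise one Alert per log line whose query falls under a feed domain."""
    alerts: list[Alert] = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, client, query = parsed
        hit = feed_match(query, feed)
        if hit is not None:
            alerts.append(Alert(ts, client, normalize(query), hit))
    return alerts


def aggregate(alerts: list[Alert]) -> dict[tuple[str, str], tuple[str, int]]:
    """Roll alerts up to (client, feed_domain) -> (first_seen, count) for triage."""
    summary: dict[tuple[str, str], tuple[str, int]] = {}
    for a in sorted(alerts, key=lambda x: x.timestamp):
        key = (a.client, a.feed_domain)
        first, count = summary.get(key, (a.timestamp, 0))
        summary[key] = (first, count + 1)
    return summary


def rpz_records(feed: set[str]) -> list[str]:
    """Render feed domains as BIND RPZ NXDOMAIN records (domain and wildcard)."""
    records = []
    for d in sorted(feed):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for alert in scan_log(SAMPLE_LOG.splitlines(), feed):
        print(f"ALERT {alert.timestamp} {alert.client} -> {alert.query} "
              f"(new domain: {alert.feed_domain})")
    for key, (first, count) in aggregate(scan_log(SAMPLE_LOG.splitlines(), feed)).items():
        print(f"SUMMARY client={key[0]} domain={key[1]} first_seen={first} hits={count}")
```

Matching on parent domains is the important design choice: phishing and C2 hostnames are usually subdomains of the newly registered name, so an exact-string comparison against the feed would miss most of the traffic the feed is meant to expose. The `aggregate` roll-up keeps a busy client from generating one ticket per query, and the wildcard line in each RPZ pair covers those same subdomains when the feed is used for blocking rather than alerting.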
If this sounds interesting to you, please get in touch and we’ll be happy to answer any questions!