DomainTools Use Case Series
As threat actors attempt to exploit trusted relationships, such as customer relationships or business and supply-chain relationships, brands are vulnerable to impersonation. Iris Investigate enables users to identify and map threats to their brands, internal teams, and customers.
Some examples of ways threat actors attempt to exploit their target customer relationships include:
- Credential Harvesting
- Payment Skimming
- Spear phishing-driven tech support or bill payment scams
- Counterfeit products
Threat actors targeting business or supply-chain relationships often attempt the following attack objectives:
- Conduct financial theft, often through business email compromise (BEC) or wire fraud
- Establish initial access to an organization’s internal network through spear-phishing attacks
- Move laterally through corporate systems or partner systems after initial access has been established
Domains are often used to target internal corporate users, attempting to gain access to
- Identity and access management systems or single sign-on providers,
- Office suites,
- Cloud providers.
Once access beacheads are established, threat actors can convincingly impersonate corporate users, enabling business email compromise (BEC), harvesting of corporate data, or implantation of malware, such as ransomware.
The short video, Brand Protection in Iris Investigate, will walk you through the context around how organizations and their brands are often targeted by attackers via domains, give you an introduction to brand monitoring in Iris Investigate, and show an example of how Iris Investigate was used to identify and track a major, real-world example of a brand-targeted campaign.
The process that we used to identify and map the Sagawa attack is one that any user can replicate to monitor threats to their own brands in Iris Investigate. At a high level, the process is as follows.
- Set up searches in Iris Investigate to discover potential threats
- Investigate threats and their connected infrastructure
- Use wildcards to search Passive DNS (pDNS) to identify subdomains that may be leveraging your brand
- Export relevant information to support blocking and takedown
- Use the search that you created to monitor for new threats as part of your regular workflow
By following these steps, you can implement a straightforward workflow for protecting your brand.
Setting Up Advanced Searches
Advanced Search is a powerful tool to help you identify threats on the open web. To set up an Advanced Search to monitor domains associated with a brand or keyword, follow the steps below:
- Start by creating a new investigation.
- Instead of entering an IOC to begin your investigation, go to the Advanced Search pane and select custom parameters to return information about specific brand-related threats. Consider using the following search components to help craft your search:
- Key Terms
- Use <domain> Combined With <Contains>, <Begins With>, or <Ends With> to find domains that have components of your brand or key term included in their names.
- Search expansion
- Expand your search to add variants of your brand name. For example, if your brand is “domaintools,” consider using “OR” inclusions to also search for “domaintoois,” “domalntools,” “d0maint00ls” or other similar-looking terms.
- Consider expanding your search to look for other organization indicators that might be impersonated, as well
- Company Name
- <Registrant Organization> <Contains> or <Begins With>
- <SSL organization> <Contains> or <Begins With>
- <SSL subject> <Begins With> (be sure to use formatting cn=brandname as the search term format)
- <Email Domain> <Begins With>
- <MX record> <Begins With>
- Contact Information
- <Contact Street> <Contains>
- <Contact Phone> <Matches>
- Expand your search to capture <Google Analytics> codes <Matches> to those used on your actual websites. Sometimes, when threat actors scrape your login pages to recreate them, they may not scrub your tracking code from the HTML. This can be a good way to track those who may be mimicking your site. (If you don’t know what your Google Analytics code is, you can search for your domain in Iris Investigate and find your Google Analytics code listed in the Pivot Engine table.)
- Company Name
- Search narrowing
- Narrow your search with “AND” and parameters like <Create Dat> <Greater Than or Equal To> a given time to find all domains that have been registered after a certain date
- Narrow your search with “AND” and parameters with <Does Not Match> criteria to exclude known components of your infrastructure, such as your owned domains or IP addresses.
- Consider preemptively running a search to identify all of your legitimate, company-owned infrastructure and tagging all of those domains as ”Company Owned”. Then, narrow your search by creating an “AND” statement with <Tags> <Does Not Contain> Company Owned. Then, narrow your search by creating an “AND” statement with <Tags> <Does Not Contain> Company Owned. This will exclude your owned infrastructure from the results set.
- Add “OR” criteria nested within your “AND” criteria to further refine your results by clicking the expand your search button within an “AND” section.
- Once you have crafted your search components, view your results in the Pivot Engine tab. Note that you can continue to expand or refine your search with inclusions and exclusions until you are satisfied with the results in the Pivot Engine.
- Key Terms
Investigating Search Results
- Prioritize domains for investigation
- Pivot through associated data to identify new threats
- Bring newly identified threats into your investigation
Prioritize Domains for Investigation
- Consider sorting by Create Date to view the most recently registered domains first, or by Domain Risk Score to see the highest-risk domains first, enabling you to prioritize your investigation and triage those that pose the greatest risk first.
- To see more detail on a domain or Domain Risk Score, open the Inspect pane. The Inspect pane shows you additional information about the domain, including a more granular breakdown of the Domain Risk Score. An Overall Score of 100 indicates that a domain has appeared on a blocklist that DomainTools ingests. Scores under 100 serve as predictive indicators of how likely a domain is to be malicious. Scores come from two distinct algorithms: Threat Profile and Proximity. Threat Profile delivers scores by leveraging distinct machine learning algorithms that model how closely the domain resembles others used for phishing, malware, or spam. Proximity examines how closely connected a domain is to other known-bad domains. The strongest signal from either of those algorithms becomes the Overall Score.
- Follow the investigative pathway, identifying domains with connected infrastructure by looking for Guided Pivots. Guided Pivots highlight attributes connected to other infrastructure that is likely relevant to the investigation. For example, if an IP address is associated with thousands of domains, it’s likely public infrastructure, so other domains that share that IP are unlikely to be related or of significant investigative value. However, if a domain is on an IP with only a few other domains, those domains are more likely to be related. Guided Pivots highlight those scenarios where connections are not only present, but also of an appropriate scale where they are likely to be relevant.
Pivot Through Associated Data
- Pivot with Guided Pivots from the Pivot Engine by using the Guided Pivot indicator to see which attributes are likely connected to other relevant infrastructure. Attributes associated with Guided Pivots will be highlighted in blue.
- Right click on the highlighted attribute to see a summary of the connected information. This summary shows you how many domains share the Guided Pivot value and the average Risk Score for all of those domains. It also presents you with options for further investigation.
- Click the magnifying glass to open the Pivot Preview Pane. The Pivot Preview Pane shows you associated domains, each domain’s Risk Score, and its activity status. (Note that you will see a broken link icon next to inactive domains. Domains without this indicator should be considered active.)
- Review the list in the Pivot Preview Pane for other domains that may be relevant to your investigation.
- Open the Stats Pane to better see patterns in the data and to identify useful Guided Pivots across all search results.
- Identify those domains that you would like to action in relation to your investigation, as displayed in your Pivot Preview Pane. Click the Expand button at the bottom of the Pane to bring these domains into your investigation.
Using Wildcards in pDNS
While searching for domains and connected infrastructure can be incredibly effective ways to identify and track threats, threats are often hiding in subdomains of otherwise benign-looking domains. In these instances, you can leverage passive DNS (pDNS) to identify domain-to-IP mappings observed “in the wild” across the globe, as captured by the industry’s leading pDNS providers. This data gives you insight into
- All domains observed on a given IP address,
- IP addresses that a given domain uses, or has used,
- When DNS requests for a given domain first appeared, and
- Subdomains tied to a given domain, or observed on a given IP address.
Leveraging pDNS can be a great way to identify subdomains that may be relevant to your brand protection efforts.
- Identify new subdomains that may be impersonating your brand by using the pDNS view to conduct wildcard searches or to investigate traffic associated with specific domains.
- When you identify a subdomain that impersonates your brand, expand your search to bring the domain into your Iris search.
- If you believe all results to be relevant, you can use the Send Domain Results to Pivot Engine feature to automatically bring all of the domains from your pDNS search into your Pivot Engine results set and add each domain to your Advanced Search inclusions.
Exporting and Sharing Your Investigation Results
Once you’ve brought relevant threats into your investigation and explored the rabbit holes, you will likely want to share this information with your teammates or export your results so that you can action them in other systems. With Iris Investigate, you can:
- Tag domains as threats to support other investigative work
- Save and share your search hash so team members can follow up on your investigation or leverage components in new research
- Copy domains to your clipboard
- Export Pivot Engine data to CSV, STIX XML, or STIX JSON to ingest into other systems, use in reporting, or trigger takedowns
- Export details on a single domain to a PDF
- Export your investigation results to a PDF
- Export your investigation results or relevant domains into one of DomainTools’ many owned or certified integrations
Using Your Search for Daily Monitoring
You can use the skills you already have learned to set up a process for monitoring new domains that meet your search criteria.
- Once you believe you have a solid search to monitor a given set of criteria, select and tag all search results for your investigation with a new tag related to your search.
- Add an exclusion criteria to your Advanced Search for <Tag> <Does Not Match> the tag name that you created for your search.
- Save your search hash.
- The next day (or after some other designated period), either
- Open your investigation from your Investigations list and rerun your search, or
- Paste your saved search hash into either the search bar or into the Import a New Search box to re-perform the search sequences from your previous investigation.
- Because all of the results from your original search should be tagged and excluded, only domain results that are new since your last search should return, because they will not yet be tagged.
- Export those new domains to feed into other platforms or to report for takedown.
- Tag your the domain results with the tag created to track domains for this investigation, so that they will be excluded from the results set next time you run the search.
- Continue to rerun this search to monitor for new domains that meet your criteria, as indicated above.
Iris Investigate is a powerful analysis tool, with a strong brand monitoring capability. By following the steps outlined above, you can:
- Set up an Advanced Search to track potential threats to your customers or brand,
- Prioritize domains for investigation,
- Pivot through search results and linked infrastructure,
- Perform and refine pDNS searches to identify malicious subdomains,
- Bring new domain threats and domains tied to identified high-risk infrastructure into your investigation to expand your search results,
- Export and share the results of your investigation, and
- Monitor daily for new threats related to your refined search.
We at DomainTools hope to help empower you and your teams to more proactively identify, investigate, and action threats in the wild. Please contact us or reach out to your account manager with any questions you may have. Happy hunting!
If you’re already an Iris Investigate user, log into your account to see the step-by-step version of this blog post, guiding you through the entire process with directed screenshots. Or, visit the Iris Investigate User Guide for more information on how to get the most out of Iris Investigate.