Iris Investigate Summer 2019 Features—Get ‘Em While It’s (Still) Hot!

Ever since we launched Iris Investigate in the fall of 2015, we’ve been hard at work on various enhancements to make it an ever-better tool for discovering, characterizing, and defending against nefarious Internet infrastructure. From various UI enhancements, to the addition to passive DNS data, each enhancement has been designed to help you find more answers, faster.

Today we launch another such enhancement. As many Iris Investigate users know, we actively scour the Internet for various datapoints about domains, IP addresses, and other infrastructure. With today’s enhancement, we are able to provide your Iris Investigate searches with more information in three key areas:

  • IP addresses for domains (actively resolved—more on this below)
  • SOA (start of authority) records for domains
  • SSL certificate hashes for domains

Let’s look at each of these in turn.

When DomainTools knows that a domain exists, we fetch various pieces of information about it in order to give you as complete a profile as possible. One of the things we do is perform a DNS lookup, and go grab the IP address for the domain. This is great for getting information about a lot of domains, but until now we’ve provided just a single IP for each domain, when in many cases the domain may have multiple IPs. With this enhancement, you’ll sometimes see multiple IP addresses for a domain in Iris. Note: this is still different from passive DNS—our active resolution doesn’t include hostname/subdomain data (since we can’t know or forecast all the possible subdomains), it doesn’t give first/last observed dates, doesn’t go back multiple years historically, and it has other limitations compared to pDNS. But the combination of active and passive DNS data for domains makes Iris very powerful for understanding online infrastructure.

Start of Authority (SOA) records are another type of registration record. While SOA entries can be fairly generic, there have been many cases where a domain had no identifying or linking information in its regular contact email fields, but did have a useful address in the SOA field. This sometimes leads to identification of an actor, and/or of additional infrastructure that they control. With this enhancement, our SOA record coverage expands and is refreshed more frequently.

SSL certificates are used by an increasing number of domains, as HTTPS supplants HTTP. These certificates can be a very useful linking datapoint, surfacing connections among domains where no other evidence of connection was available. Here again, this can be a difference-maker in characterizing or mapping adversary holdings. Today’s enhancement broadens our SSL certificate coverage and freshness.

These are just the latest in an ongoing succession of enhancements from DomainTools, all designed to help you find more answers, faster. We hope you find these helpful, and please feel free to drop us a line and let us know what you think!

Happy exploring!