Iris Spring 2018 “Beyond Whois” Release: More Efficiency, More Pivots, More Answers
At DomainTools, we are always striving to help our customers carry out their important work faster, more efficiently, and more accurately. To that end, today we are pleased to announce a significant update to our Iris Investigate platform, with three new features to help you better profile adversaries, map their infrastructure, and characterize suspicious domains. In light of the upcoming GDPR-related changes to Whois, two of these new features help you go “beyond Whois,” while the third helps you mine previous Whois records even more effectively.
The three new features in this release are Guided Pivots, SSL Certificate Profiles, and historical reverse Whois support in Iris Investigate. Here is what you can expect from these features:
Guided Pivots get at the heart of what Iris Investigate is designed to do: help you find the most relevant infrastructure, with the most context around it, as quickly and accurately as possible. Guided Pivots highlight the pivots that have a relatively low number of domains associated with them—the threshold is 500, but you can customize it to a lower number if you wish. This helps you zero in on the pivots most likely to represent relevant connections to your starting point, while avoiding wasted clicks checking pivots that have either no other domains, or too many domains to infer any connection, behind them. Guided Pivots are turned on by default, but you can disable the guides or change their thresholds from the new Settings menu above Pivot Engine.
Along with the highlights to guide you, we have added a feature called “Pivot Preview.” This gives a summary of the domains behind a pivot, including their risk scores, and how much overlap there is between those pivots and what you’ve already got in your results set. Pivot Preview can help confirm whether or not you want to move forward with a given pivot.
SSL Certificate Profile: SSL certificates have proven to be one of the best “beyond Whois” datasets for characterizing domains and finding connections to related infrastructure. With this release, Iris Investigate has a new SSL Profile data panel that lets you examine certificates in detail, and in some cases, to find additional pivots that would not have been available elsewhere.
An SSL certificate (technically a TLS certificate in many cases—we collect ‘em all) contains a lot of information about its subject. Some of this information can help you determine whether you’re looking at a suspicious domain. Examples could be:
- Subject’s Common Name doesn’t match the domain name, or the domain name doesn’t match a domain name or IP address found in the Subject Alternative Name extension (if it’s present).
- The certificate is expired
- Domains in Subject Alternative Names section are suspicious or malicious (you can determine this by pivoting on them)
- Key size is small (1024 bit or smaller, to get extra nerdy about it!)
Regarding Subject Alternative Names—that field can be a gold mine for pivoting, as it may contain other domains closely related to the main one. With this release, you can pivot on those domains individually or create a query with all of them, much as you can in the pDNS data panel.
Historical Reverse Whois matches: with this release, you can now find historical matches on three query terms: email, registrant, or “Whois record contains.” Those who are familiar with the “add history and get…” link in our classic Reverse Whois will understand the significance of this capability in Iris Investigate. With this release, when you search or pivot on any of those fields, you will now see domains that historically matched (or currently match) the term. If a malicious actor registered domains under a specific email address in the past, and stopped using that address, you can use Iris Investigate to find those previous domains—even if they’ve been expired for years. Additionally, we now indicate whether a domain is active or inactive. The definition for that, incidentally, is quite specific.
- Active: the domain is currently registered (hasn’t expired), and/or is currently delegated in DNS. (Be aware that there are certain cases where a non-registered domain can resolve—such as when a domain is sinkholed, or when an ISP points non-resolving queries to a “helper” page)
- Inactive: the domain is not registered and is not delegated in DNS
When we have historical matches for the query term, the domain row will contain a prompt that takes you to Whois History, and specifically to the most recent record that matched the term.
This feature is also enabled by default, but remember, it only affects certain query types: email, registrant, and “Whois record contains.” If you’d prefer not to see the historical matches, you can disable the feature entirely, or on a per-query basis; see the Iris Investigate User Guide for more details.
Threat actors are evolving; so is the regulatory landscape. But your needs—to assess risk, profile threat actors, map their infrastructure—remain constant. We trust that these new Iris Investigate features will be helpful to your endeavors.