The Business Value of Threat Intelligence with DomainTools
The proper function of the security operations center (SOC) is not to gather and investigate threats but instead to mitigate risk and get to the root-cause of an incident. Qualified alerts are hard to come by and the reasons are myriad.
- An anomaly could be benign, the result of a networking bottleneck, or a genuine security concern. Chasing down anomalies is literally like playing whack-a-mole without a cheat-code.
- Security point products often overlap. An anomaly could be seen as a rule violation in the SIEM, an IDS/IPS intrusion or a detection from an endpoint.
- False positives are too common. An enterprise network is always changing and connections to sub-nets change, IP addresses change, and software, OS upgrades, and patches are not always completed to endpoints.
Robust Threat Identification and Response
The biggest problem in any investigation is triage. Triage is a bit like the five “Ws” in journalism. When a journalist is assigned a story, they start by establishing who/what/where/when/why. The same parallel is applicable in cybersecurity. However, the problem for SOC analysts is complex, and too often, too manual. An analyst might try to first figure out if a threat is targeted at specific user groups or server groups. This established, the SOC tries to determine if malware is designed as ransomware, spyware, destroyware or otherwise. This process might also include trying to figure if certain ingress/egress points are exhibiting beaconing activity. All of these activities attempt to hold and harden one or two variables while trying to find a single-of-version truth.
It is no exaggeration to say that SOC analysts are always pressed for time. Excellence in the SOC is as much the sum of small things done well as much as it is the ‘ah-ha’ moment. To help the SOC analyst, tools should be able to combine a few of the Ws; there should be comprehensive visibility of both inside the firewall, and threat factors on the Internet, a tool should be preventative as well as providing detection, and the analyst should be able to initiate investigations based upon multiple factors beginning with the probability of risk.
For all of the things that can happen in PowerShell, or executables, or finding stolen identities, an effective cyber defense might include understanding domains. The Domain Name Systems is the set of protocols that associates computers, mobile devices, and infrastructure to the Internet. DNS servers are the go-between for devices and subnets and the various domain name registrar services run by Internet Corporation for Assigned Names and Numbers (ICANN-websites). Related DNS functions include the assignment of IP addresses to subnets and the internal DNS cache that allows a series of lookups permitting end-users to get onto the Internet.
Reduce Risk Exposure by Mapping Potential Threats
Both the DomainTools platform and domains offer visibility, historical context, and correlation of domains. The Iris Investigate platform domain intelligence and predictive Risk Scoring with passive DNS data to guide threat investigations and uncover connected infrastructure. PhishEye is used to disrupt phishing campaigns such as business email compromise attacks and can block lookalike domains before the adversary operationalizes them.
The most interesting platform though is the Domain Risk Score. Drawing upon data points from over 330 million current Internet domains, DomainTools Risk Score predicts how likely a domain is to be malicious, often before it is weaponized. The score comes from two distinct algorithms: Proximity and Threat Profile. Proximity evaluates the likelihood a domain may be part of an attack campaign by analyzing how closely connected it is to other known-bad domains. Threat Profile leverages machine learning to model how closely the domain’s intrinsic properties resemble those of others used for spam, phishing, or malware. The strongest signal from either of those algorithms becomes the overall Domain Risk Score.
For instance, a subnet server may not show characteristics of maliciousness, but if an adjacent server shows a probability of nefarious domains, that server would have an elevated risk associated. Newly observed domains are riskier than old domains. Visualization tools help with IP country codes.
Quantifying the Business Value of DomainTools
DomainTools commissioned IDC to quantify the value its platforms provided to its customers. In the companies that IDC surveyed, the average number of endpoints within the network was 440,000. There were several positive results that IDC could confirm:
- $830,100 worth of value on average
- Three-year ROI of 313%
- 42% fewer impactful security events
- In total, organizations lowered the risk of experiencing a major security breach on average by 19%.
The essence of what DomainTools does is reverse several key steps in the triage process. Instead of finding and correlating anomalies within the network and building out case details by comparing domains to external threat feeds or trying to predict servers that exhibit beaconing or spider routing behaviors, DomainTools cuts to the chase and determines the overall risk profile of each domain. The investigation then begins with the most exposed assets. The approach mitigates threats faster and saves SOC analysts time in their investigations.
If you would like to access more results from this report, download the Business Value White Paper.