A New Way to Pinpoint Dangerous Infrastructure
The new “Hotness” at DomainTools, Introducing Domain Hotlist

In 2018, we announced our Domain Risk Score, powered by machine learning classifiers, to predict and identify domains our data indicates were likely registered with malicious intent. One of the critical challenges in effectively leveraging Domain Risk Score is identifying those domains most likely to pose a threat at any given time, so that organizations can focus their blocking and detection efforts. To support this use case, we are proud to announce Domain Hotlist, a predictive, prioritized, and easily consumable block list that identifies active, high-risk domains—empowering organizations to proactively guard against relevant, emerging threats.

All domains included in the Domain Hotlist are both highly risky and currently active; in other words, operational. This list gives customers a relatively small, easy-to-manage, focused set of domains that they can use to track, monitor, and alert on active malicious domains on their network.

What is Domain Hotlist?

Domain Hotlist includes only domains meeting two basic criteria:

  1. The domain has received a high Domain Risk Score: specifically, a score of 90+ on one of our Phishing, Malware, or Spam classifiers, or a Proximity score of 70+.
  2. The domain has exhibited activity online recently. For example, passive DNS (pDNS) activity has been observed for the domain during the last day.

Domain Hotlist itself contains both domain names and DomainTools’ Risk Score component scores (Phishing, Malware, Spam, and Proximity). The list is generated daily, providing the most current scores for active domains each day. In addition, domains appear on the list in a ranked order, with the most concerning domains at the top.

Because the list is made from active telemetry, such as pDNS, the makeup and number of domains on the Hotlist may vary day-to-day. Given that, it’s our initial expectation that the list will contain approximately 1 million domains each time it is generated.

Domain Hotlist Components: pDNS Traffic, Historical Data, Predictive Analytics, Proximity.


Using Domain Hotlist

Because Domain Hotlist is a relatively small list focused on domains with recently observed activity, it opens up new possibilities for use in an organization.

Active Blocking and Rule-Driven Actions

Institute preemptive blocking and establish rule-driven actions based on identification of operationalized domains

Domain Hotlist gives organizations an easy-to-ingest block list based on pDNS activity and predictive risk scoring built on nearly two decades of domain and DNS expertise, so organizations can inform firewall or DNS block rules for active blocking. Existing systems or tools can take actions on domains appearing in the list according to pre-established rules based on specific Risk Score value thresholds.

Log File Enrichment

Automate enrichment to inform your workflows

Leverage Domain Hotlist as a prioritized list of potentially malicious domains to enrich your log files. Proactively identify Indicators of Compromise (IOCs) and create actions to complete remediation workflows.
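One way to combine the rule-driven actions and log enrichment described above, as an added example that is not DomainTools code: it matches DNS query names, including subdomains, against a copy of the list and derives an action from the score thresholds stated earlier. The CSV column layout, the log line format, the function names, and the block/alert policy are assumptions made for illustration.

```python
import csv
import io

# Constructed sample. The column layout is an assumption: the page gives no file format.
HOTLIST_CSV = """domain,phishing,malware,spam,proximity
login-portal.example,97,12,40,55
cdn-update.example,20,93,15,88
neighbor-host.example,35,40,22,74
"""

# Constructed DNS query log lines: timestamp, client IP, queried name.
DNS_LOG = """2024-05-01T10:00:00Z 10.0.0.5 www.login-portal.example.
2024-05-01T10:00:02Z 10.0.0.9 intranet.corp.example.
2024-05-01T10:00:07Z 10.0.0.5 NEIGHBOR-HOST.example
2024-05-01T10:00:09Z 10.0.0.7 a.b.cdn-update.example.
"""

CLASSIFIERS = ("phishing", "malware", "spam")
def load_hotlist(text):
    """Map domain -> scores, keeping list position as rank (1 = most concerning)."""
    hotlist = {}
    for rank, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        scores = {k: int(row[k]) for k in CLASSIFIERS + ("proximity",)}
        hotlist[row["domain"].lower()] = {"rank": rank, **scores}
    return hotlist

def lookup(qname, hotlist):
    """Match the queried name or any parent domain, so subdomains of a listed domain hit."""
    labels = qname.lower().rstrip(".").split(".")
    parents = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return next((d for d in parents if d in hotlist), None)

def action_for(entry):
    """Assumed local policy: a classifier score of 90+ blocks, Proximity-only (70+) alerts."""
    top = max(CLASSIFIERS, key=lambda k: entry[k])
    if entry[top] >= 90:
        return "block", top
    return ("alert", "proximity") if entry["proximity"] >= 70 else ("none", "")

def enrich(log_text, hotlist):
    """Return (ts, client, domain, rank, action, reason) for each log line that hits the list."""
    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        domain = lookup(qname, hotlist)
        if domain:
            action, reason = action_for(hotlist[domain])
            hits.append((ts, client, domain, hotlist[domain]["rank"], action, reason))
    return hits
```

Keeping the rank in each enriched record lets downstream triage sort hits by the list's own ordering instead of by log time.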

Data Augmentation

Leverage operationalized data to deliver insights

Augment your existing data set with the Domain Hotlist to support prioritized investigations and incident response processes that leverage the breadth and quality of DomainTools’ data, nuanced cybersecurity understanding, and machine learning expertise.

Activity Tracking

Monitor attack progression

Presence on the list is a leading indicator of malicious intent: when a domain on the list is detected, actively track activity associated with that domain to observe behavior and determine objectives.

Abuse Detection

Identify domains registered with malicious intent

Service providers can use the Hotlist to provide an early, independent indicator of fraudulent activities on owned infrastructure to more rapidly identify abuse.