In 2018, we announced our Domain Risk Score, powered by machine learning classifiers, to predict and identify domains our data indicates were likely registered with malicious intent. One of the critical challenges in effectively leveraging Domain Risk Score is identifying those domains most likely to pose a threat at any given time, so that organizations can focus their blocking and detection efforts. To support this use case, we are proud to announce Domain Hotlist, a predictive, prioritized, and easily consumable block list that identifies active, high-risk domains—empowering organizations to proactively guard against relevant, emerging threats.
All domains included in the Domain Hotlist are both highly risky and currently active; in other words, operational. This list gives customers a relatively small, easy-to-manage, focused set of domains that they can use to track, monitor, and alert on active malicious domains on their network.
What is Domain Hotlist?
Domain Hotlist includes only domains meeting two basic criteria:
- The domain has received a high score from our Domain Risk Score. Specifically, a score of 90+ on one of our Phishing, Malware, or Spam classifiers, or a Proximity score of 70+.
- The domain has exhibited activity online recently. For example, passive DNS (pDNS) activity for the domain has been observed during the last day.
Domain Hotlist itself contains both domain names and DomainTools’ Risk Score component scores (Phishing, Malware, Spam, and Proximity). The list is generated daily, providing the most current scores for active domains each day. In addition, domains appear on the list in a ranked order, with the most concerning domains at the top.
Because the list is built from active telemetry, such as pDNS, the makeup and number of domains on the Hotlist may vary from day to day. With that caveat, our initial expectation is that the list will contain approximately 1 million domains each time it is generated.
Using Domain Hotlist
Because Domain Hotlist is a relatively small list focused on domains with recently observed activity, it opens up new possibilities for use in an organization.
Active Blocking and Rule-Driven Actions
Institute preemptive blocking and establish rule-driven actions based on identification of operationalized domains
Domain Hotlist gives organizations an easy-to-ingest block list based on pDNS activity and predictive risk scoring built on nearly two decades of domain and DNS expertise, so organizations can use it to inform firewall or DNS block rules for active blocking. Existing systems or tools can take action on domains appearing in the list according to pre-established rules keyed to specific Risk Score value thresholds.
Log File Enrichment
Automate enrichment to inform your workflows
Leverage Domain Hotlist as a prioritized list of potentially malicious domains to enrich your log files. Proactively identify Indicators of Compromise (IOCs) and create actions to complete remediation workflows.
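As an added example that is not DomainTools' code and does not reflect the Hotlist's actual file format, the following Python applies the two inclusion criteria stated above (90+ on Phishing, Malware, or Spam, or 70+ Proximity, plus pDNS activity in the last day) to constructed score records, ranks the result, and then enriches constructed DNS query log lines against it, covering both the threshold-driven rule use and the log enrichment use. The record layout, the log line format, and ranking by highest component score are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
def ago(**kw): return NOW - timedelta(**kw)
@dataclass(frozen=True)
class ScoredDomain:
    domain: str
    phishing: int; malware: int; spam: int; proximity: int  # Risk Score component scores
    last_pdns_seen: datetime  # assumed field: most recent passive DNS observation
# Constructed sample scores, not DomainTools data.
SCORED_DOMAINS = [
    ScoredDomain("login-secure-bank.example", 96, 40, 20, 55, ago(hours=3)),
    ScoredDomain("cdn-update.example", 30, 88, 10, 72, ago(hours=6)),
    ScoredDomain("old-bad.example", 99, 95, 90, 80, ago(days=5)),  # risky but inactive
    ScoredDomain("benign.example", 5, 5, 5, 10, ago(hours=1)),     # active but low risk
]

def meets_hotlist_criteria(r, now=NOW, window=timedelta(days=1)):
    """Inclusion rule from the post: 90+ Phishing/Malware/Spam or 70+ Proximity, and pDNS in the last day."""
    high_risk = max(r.phishing, r.malware, r.spam) >= 90 or r.proximity >= 70
    return high_risk and (now - r.last_pdns_seen) <= window
def build_hotlist(records, now=NOW):
    """Qualifying domains keyed by name; ordering by top component score is an assumption."""
    hot = sorted((r for r in records if meets_hotlist_criteria(r, now)),
                 key=lambda r: (-max(r.phishing, r.malware, r.spam, r.proximity), r.domain))
    return {r.domain: r for r in hot}

# Constructed DNS log lines in an assumed "<timestamp> client=<ip> query=<name>" format.
SAMPLE_LOG = [
    "2024-01-15T11:00:00Z client=10.0.0.5 query=www.login-secure-bank.example.",
    "2024-01-15T11:01:00Z client=10.0.0.7 query=benign.example",
    "2024-01-15T11:02:00Z client=10.0.0.9 query=old-bad.example",
    "2024-01-15T11:03:00Z client=10.0.0.5 query=cdn-update.example",
]
def enrich_dns_log(lines, hotlist):
    """Attach component scores to each query whose name or a parent domain is on the Hotlist."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        labels = fields["query"].rstrip(".").lower().split(".")
        for i in range(len(labels) - 1):  # walk up toward the registrable domain, never a bare TLD
            listed = ".".join(labels[i:])
            if listed in hotlist:
                r = hotlist[listed]
                hits.append({"client": fields["client"], "query": ".".join(labels), "listed": listed,
                             "phishing": r.phishing, "malware": r.malware, "spam": r.spam, "proximity": r.proximity})
                break
    return hits
```

The parent-domain walk means a query for a host under a listed domain is enriched with that domain's scores, which is usually what an analyst wants when triaging DNS logs.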
Leverage operationalized data to deliver insights
Augment your existing data set with the Domain Hotlist to support prioritized investigations and incident response processes that leverage the breadth and quality of DomainTools’ data, nuanced cybersecurity understanding, and machine learning expertise.
Monitor attack progression
Because a domain's presence on the list is a leading indicator of malicious intent, when a listed domain is detected on your network, actively track the activity associated with it to observe behavior and determine the attacker's objectives.
Identify domains registered with malicious intent
Service providers can use the Hotlist to provide an early, independent indicator of fraudulent activities on owned infrastructure to more rapidly identify abuse.