
Whois and Passive DNS Data: Together Again for the First Time

When DomainTools first launched Iris Investigate, it was an initial step in a worthy journey to deliver an increasingly powerful browser-based product for indicator enrichment, threat investigation, and actor profiling. Reception for Iris Investigate has been even stronger than forecast, with over 200 enterprise security teams using Iris Investigate in their workflows in the first year since launch. Today we take another significant step towards our goal by announcing the deep integration of multiple leading ‘passive’ DNS data sets including the highly regarded Farsight DNSDB. This new release also includes an API for the essential DomainTools data sets inside Iris Investigate.

Whois and passive DNS are the chocolate and peanut butter of forensic data sets for many security researchers. Most of our enterprise customers farther along the maturity curve are consuming both, and often doing so as separate feeds and separate contracts in order to have confidence they have their hands on the best quality data available for their important work. But many security teams lack either the budget, the backend datastores, or the patience to customize at this level. With today’s release, DomainTools brings the highest quality data sets together within the Iris Investigate platform, making threat intelligence workflows faster, more powerful and much more accessible.

Passive DNS data excels at giving our customers better answers when they are starting with IP addresses as the IOC (indicator of compromise), when they are investigating badness at the subdomain level, and when understanding the configuration of internet resources at a specific point in time is critical to their reporting and response. It is an ideal complement to the Whois and Active DNS data that for years has made DomainTools the go-to resource for domain and IP profile data.

The inverse is also true: Whois data coupled with passive DNS shifts an investigation from often inconclusive IP data to specific domains and threat actors. Iris Investigate was purpose-built to enable precisely those kinds of pivots, and that makes it ideally suited to extract deeper meaning from a passive DNS query. A truly comprehensive view of a threat can only be obtained by taking a holistic approach that combines infrastructure, actor information, and enriching profile data such as screenshots or web server data.
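The pivot described in the two paragraphs above (an IP address as the starting IOC, passive DNS to find what resolved there at a specific point in time, Whois to move from hostnames to registrant, then reverse Whois to find related domains) can be sketched in a few lines. The example below is added here and is not DomainTools or Farsight code; the record layout, field names, hostnames, IPs, and registrant emails are all constructed for illustration, and the registrable-domain helper uses a two-label rule that a real implementation would replace with the Public Suffix List.

```python
"""Point-in-time passive DNS -> Whois -> reverse Whois pivot over constructed data.

Added example. Nothing here is a vendor schema or real data: the field names
(rrname, rrtype, rdata, first, last, registrant_email) and every value are
assumptions made for this illustration.
"""
from datetime import datetime, timezone


def ts(day: str) -> datetime:
    """Parse YYYY-MM-DD into an aware UTC datetime."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


# Constructed passive DNS observations: which hostname resolved to which IP,
# with first-seen and last-seen timestamps. The same IP is reused by an
# unrelated domain years earlier, which is what makes bare IP data inconclusive.
PDNS = [
    {"rrname": "cdn.example-a.test", "rrtype": "A", "rdata": "203.0.113.10",
     "first": ts("2017-11-01"), "last": ts("2018-01-15")},
    {"rrname": "login.example-a.test", "rrtype": "A", "rdata": "203.0.113.10",
     "first": ts("2017-12-20"), "last": ts("2018-01-15")},
    {"rrname": "example-b.test", "rrtype": "A", "rdata": "203.0.113.10",
     "first": ts("2016-03-01"), "last": ts("2016-09-30")},
    {"rrname": "example-c.test", "rrtype": "A", "rdata": "198.51.100.7",
     "first": ts("2017-12-01"), "last": ts("2018-02-01")},
    # Non-A record: must be ignored when pivoting on an IPv4 address.
    {"rrname": "example-a.test", "rrtype": "MX", "rdata": "mail.example-a.test",
     "first": ts("2017-11-01"), "last": ts("2018-02-01")},
]

# Constructed Whois records keyed by registrable domain.
WHOIS = {
    "example-a.test": {"registrant_email": "ops@actor-mail.test", "registrar": "Registrar One"},
    "example-b.test": {"registrant_email": "someone@unrelated.test", "registrar": "Registrar Two"},
    "example-c.test": {"registrant_email": "ops@actor-mail.test", "registrar": "Registrar One"},
}


def registrable_domain(hostname: str) -> str:
    """Collapse a hostname to its registrable domain.

    Assumption for this example: the last two labels. Production code should
    consult the Public Suffix List so that names like host.co.uk work.
    """
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def hostnames_for_ip(ip: str, pdns: list, at: datetime) -> list:
    """Hostnames whose A record pointed at `ip` at instant `at` (first <= at <= last)."""
    return sorted({
        rec["rrname"] for rec in pdns
        if rec["rrtype"] == "A" and rec["rdata"] == ip and rec["first"] <= at <= rec["last"]
    })


def reverse_whois(email: str, whois: dict) -> list:
    """All domains whose Whois registrant email matches `email`."""
    return sorted(d for d, rec in whois.items() if rec["registrant_email"] == email)


def pivot(ip: str, at: datetime, pdns: list = PDNS, whois: dict = WHOIS) -> dict:
    """IP -> hostnames (at a point in time) -> registrable domains -> registrants -> related domains."""
    hostnames = hostnames_for_ip(ip, pdns, at)
    domains = sorted({registrable_domain(h) for h in hostnames})
    emails = sorted({whois[d]["registrant_email"] for d in domains if d in whois})
    related = sorted({d for e in emails for d in reverse_whois(e, whois)})
    return {
        "hostnames": hostnames,
        "domains": domains,
        "registrant_emails": emails,
        "related_domains": related,
    }


if __name__ == "__main__":
    # Same IP, two different moments: the time window decides which actor you land on.
    for when in ("2018-01-10", "2016-06-01"):
        print(when, pivot("203.0.113.10", ts(when)))
```

Run as a script, the first query (January 2018) walks from the IP to two `example-a.test` hostnames, to the registrant `ops@actor-mail.test`, and out to `example-c.test`, which never shared the IP at all; the second query (June 2016) against the same IP lands on the unrelated `example-b.test` only. Dropping the timestamp filter would merge both into one cluster, which is the inconclusive IP-only view the paragraph above warns about.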

At DomainTools we’ve earned a reputation for having the world’s best Whois data and tools, and for giving our customers answers that nobody else can deliver. We’ve honored that legacy by building the very best passive DNS data into Iris Investigate workflows. In doing so we’ve expanded the ability of Iris Investigate to give you more and better answers about domain names, IP addresses, hostnames, email addresses and more. If you are a current DomainTools customer, or are simply someone who has always wanted to see the best Whois in line with the best passive DNS data, I encourage you to connect with us or drop by our booth #N3123 at RSA Feb 13-16 in San Francisco.