The context for why Whois data is extremely relevant for cybersecurity is not obvious to most people. Unless one has a background in DNS, threat analysis or attack attribution, or has had a chance to work with Whois data sets as an investigative journalist, security researcher or consumer/brand protection professional, it may take some help to connect the dots on this topic. To that end, this week DomainTools has published a new white paper that briefly summarizes the most common security-focused use cases for Whois data.
When asked for the summary statement on ‘why Whois data’ or ‘why DomainTools’, I’ve often said “If you want to figure out who is behind a cyberattack, or want to map all the infrastructure owned or controlled by the attacker, Whois data is an irreplaceable tool”. This paper takes that answer and expands on it through three critical efforts: risk assessment and mitigation, enumeration and correlation, and attribution and remediation. The paper also includes a handful of specific examples and context from some large organizations that use Whois data every day to improve their security posture and investigate threats.
We have a few purposes in writing the white paper. The first is to provide this context to organizations that are investing in their security postures and moving past basic endpoint or network security solutions to pursue threat intelligence or active threat hunting on their networks. As Boards and Executive Teams appropriately increase their investments in cybersecurity in 2018 and beyond, we’re seeing smaller or less security-mature organizations develop an interest in better understanding the context around attacks on their corporate networks.
A second purpose is to help inform the ongoing discussions around the future of Whois data, at ICANN, in the offices of European DPAs and beyond. It is imperative that the broad applications of Whois data to the security and stability of our global internet be taken at full measure as debates around the future of the public internet domain registry move forward.
I hope you find the paper informative.