DomainTools Iris App for CrowdStrike Demo
For your convenience, we’ve included the video transcription below
Profile Adversaries and Their Infrastructure
Current detection technologies such as CrowdStrike Falcon can provide a wealth of information on malicious activities within an organization and can identify the domains or IP addresses associated with attacks or data exfiltration. But, because threat actors rapidly “burn” infrastructure, a reactive approach to IoCs can leave you exposed to new attacks.
Fortunately, it’s possible to take a more proactive stance by profiling adversaries and their infrastructure. This allows you to prioritize blocking and detections around domains and IP addresses that may be in the process of being weaponized.
DomainTools Iris provides predictive risk assessments and DNS infrastructure intelligence within the CrowdStrike Falcon platform, to enable rapid, in-context profiling of domain observables.
This risk assessment, which comes from the proprietary DomainTools Risk Score and the DomainTools Threat Profile dataset, allows you to make informed decisions about defensive or forensic actions. When a deeper investigation is warranted, you can launch DomainTools Iris directly from the Falcon card, without disrupting your current investigation within Falcon.
The DomainTools Risk Score predicts how likely a domain is to be malicious, often before it is operationalized. This can reduce the window of vulnerability between the time a malicious domain is registered and when it is observed and reported publicly as a component of an attack.
DomainTools Threat Profile provides further predictive analytics by giving security practitioners insight into which domains possess characteristics indicative of “malicious intent.” These algorithms analyze the intrinsic properties of the domain and provide phishing, malware, and spam scores for the investigated domains.
DomainTools Iris App
The DomainTools Iris Threat Intelligence App fits easily and naturally into your Falcon workflows. The app’s page in the CrowdStrike Store describes what the app does, but also serves as a jumping-off point for investigations into adversary infrastructure. You can enter a domain name in Global Search, here. In this example, Falcon itself did not see this domain in the environment, but the DomainTools tab will tell us more about it.
Another common way to begin your investigations is triaging alerts. Here, a critical incident has occurred. In Falcon, you can learn more about the incident through a rich variety of drill-down capabilities. In this case, drilling all the way down to DNS activity provides details on a specific domain that received ping traffic from the protected environment. Once again, from the DomainTools tab, proceed directly to Iris for a closer look.
Once in the Iris interface, you can see additional enrichment data about the domain, including registration, hosting, screenshots, and more. You can pivot off any of the datapoints to find linked infrastructure that may be part of a larger attack campaign. This is one of the ways to shift from reactive to proactive: Iris often lets you see infrastructure that may be dormant now, but will be activated later as part of an ongoing campaign. The infrastructure you illuminate here can be exported for later use in detection engineering or blocking rules.
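The pivot-and-prioritize workflow described above (shared hosting IP, name server or registrant linking a seed domain to dormant infrastructure, then a risk score and the phishing/malware/spam scores deciding what goes into a blocking rule) can be illustrated with a small script. This is an added example, not DomainTools or CrowdStrike code: the record shape, field names, scores and domains below are all constructed for the illustration and are not the Iris export format or API, and the `max_shared` cut-off is an assumption of the example, not a product feature.

```python
"""Pivot from a seed domain to linked infrastructure and rank it by risk.

Constructed example: the record layout and every value here are invented for
this illustration; they are not DomainTools' export format or API.
"""
from collections import defaultdict

# Constructed enrichment records (assumed shape). Reserved example names and
# documentation IP ranges are used so nothing here points at real infrastructure.
RECORDS = [
    {"domain": "seed.example", "ip": "192.0.2.10", "name_server": "ns1.example.net",
     "registrant_email": "reg1@example.org", "risk": 88,
     "phishing": 91, "malware": 40, "spam": 12},
    {"domain": "linked-a.example", "ip": "192.0.2.10", "name_server": "ns9.example.net",
     "registrant_email": "other@example.org", "risk": 76,
     "phishing": 70, "malware": 55, "spam": 5},
    {"domain": "linked-b.example", "ip": "198.51.100.7", "name_server": "ns1.example.net",
     "registrant_email": "reg1@example.org", "risk": 35,
     "phishing": 20, "malware": 10, "spam": 30},
    {"domain": "benign.example", "ip": "203.0.113.5", "name_server": "ns.benign.example",
     "registrant_email": "admin@benign.example", "risk": 4,
     "phishing": 1, "malware": 2, "spam": 1},
    {"domain": "shared-ns.example", "ip": "203.0.113.9", "name_server": "ns1.example.net",
     "registrant_email": "x@example.org", "risk": 72,
     "phishing": 10, "malware": 80, "spam": 3},
]

# Attributes worth pivoting on (assumed subset of what an enrichment record carries).
PIVOT_KEYS = ("ip", "name_server", "registrant_email")
THREAT_TYPES = ("phishing", "malware", "spam")


def build_index(records):
    """Map (attribute, value) -> set of domains that share that value."""
    index = defaultdict(set)
    for rec in records:
        for key in PIVOT_KEYS:
            index[(key, rec[key])].add(rec["domain"])
    return index


def pivot(seed, records, max_shared=50):
    """Return {linked_domain: [(attribute, value), ...]} for every domain sharing
    at least one pivot attribute with the seed (a single hop).

    Values shared by more than max_shared domains are skipped: a large shared
    hosting IP or a public name server links everything and is weak evidence of
    a common campaign, so it should not drive a blocking decision on its own."""
    index = build_index(records)
    seed_rec = next(r for r in records if r["domain"] == seed)
    linked = defaultdict(list)
    for key in PIVOT_KEYS:
        value = seed_rec[key]
        members = index[(key, value)]
        if len(members) > max_shared:
            continue
        for domain in members:
            if domain != seed:
                linked[domain].append((key, value))
    return dict(linked)


def prioritize(linked, records, risk_threshold=70):
    """Keep linked domains at or above the risk threshold, ordered by risk, and
    note which threat score (phishing/malware/spam) dominates for each."""
    by_domain = {r["domain"]: r for r in records}
    rows = []
    for domain, why in linked.items():
        rec = by_domain[domain]
        if rec["risk"] < risk_threshold:
            continue  # low risk: watch, but do not block yet
        rows.append({
            "domain": domain,
            "risk": rec["risk"],
            "pivots": why,
            "top_threat": max(THREAT_TYPES, key=lambda t: rec[t]),
        })
    return sorted(rows, key=lambda r: (-r["risk"], r["domain"]))


def blocklist(seed, records, risk_threshold=70):
    """Seed plus every linked domain that clears the risk threshold, ready to be
    exported into a blocking rule or a detection list."""
    ranked = prioritize(pivot(seed, records), records, risk_threshold)
    return [seed] + [row["domain"] for row in ranked]


if __name__ == "__main__":
    for row in prioritize(pivot("seed.example", RECORDS), RECORDS):
        print(f'{row["domain"]:20} risk={row["risk"]:3} '
              f'top={row["top_threat"]:8} via={row["pivots"]}')
    print("blocklist:", blocklist("seed.example", RECORDS))
```

Two design points matter in practice. The `max_shared` guard keeps a pivot on a widely shared attribute from sweeping unrelated tenants into a block rule, and the risk threshold separates "linked, so watch it" from "linked and scored high, so block it": `linked-b.example` shares two attributes with the seed but stays off the blocklist because its risk score is low.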