Detecting Malicious Domains
Internet domain records can represent one of the most overlooked sources of data for security analysis. As a threat hunter or security analyst, you’re likely swamped with indicators of malicious activity, such as network traffic patterns, issues reported by endpoints, and more logs from systems and applications than you know what to do with. However, in the course of your investigations you will frequently come across a domain name, or a series of domain names. This one source of information can unlock further conclusions, such as “Oh my, that host is infected with malware!”
Join Keith Hoodlet and Paul Asadoorian on our next Security Weekly webcast as they cover some basic tools and techniques to prime your organization for detecting malicious domains and the larger campaigns and actor groups behind them. Tim Helming of DomainTools joins them to show you how to interpret each of the many data points related to a domain. He will show you why they are relevant and what characteristics are indicative of an attacker’s infrastructure.
Questions to consider when evaluating domains:
- When was the domain registered?
- Is the domain registrant anonymous, and if so, who provided the privacy?
- How many other domains share characteristics with this domain?
- What is the email infrastructure for the domain?
- What is the website infrastructure for the domain?
- What is the DNS and IP data for this domain?
- What is the history for this domain?
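As an added illustration (not code from the webcast, Security Weekly or DomainTools), the questions above can be turned into a small triage routine that scores a domain record one point per question with a suspicious answer. The record fields, the reserved `.test` names and documentation IP ranges, and the thresholds (a domain younger than 30 days, three or more historical changes) are all constructed assumptions for this example.

```python
from collections import Counter
from datetime import date

# Constructed WHOIS/DNS-style records for reserved documentation names; each
# field answers one question above: creation date, privacy provider, registrant
# e-mail, mail infrastructure (MX), hosting IP and count of historical changes.
SAMPLE_RECORDS = {
    "secure-login-upd4te.test": dict(created=date(2024, 5, 20), privacy="Proxy Privacy Ltd (constructed)",
                                    email="reg1@mail.test", mx=[], ip="203.0.113.10", history_changes=4),
    "acc0unt-verify.test": dict(created=date(2024, 5, 22), privacy="Proxy Privacy Ltd (constructed)",
                                email="reg1@mail.test", mx=[], ip="203.0.113.10", history_changes=1),
    "longstanding-shop.test": dict(created=date(2009, 7, 14), privacy=None, email="admin@longstanding-shop.test",
                                   mx=["mx.longstanding-shop.test"], ip="198.51.100.7", history_changes=0),
}
ANALYSIS_DATE = date(2024, 6, 1)  # fixed "today" so the results are reproducible


def shared_counts(records):
    """Count how many records share each registrant e-mail and each hosting IP."""
    counts = Counter()
    for r in records.values():
        counts[("email", r["email"])] += 1
        counts[("ip", r["ip"])] += 1
    return counts


def score_domain(name, records, today=ANALYSIS_DATE, young_days=30, churn=3):
    """Return (score, findings): one point per question with a suspicious answer.
    The thresholds are illustrative assumptions, not a vendor's scoring model."""
    r = records[name]
    shared = shared_counts(records)
    findings = []
    age = (today - r["created"]).days
    if age < young_days:
        findings.append(f"registered only {age} days ago")
    if r["privacy"]:
        findings.append(f"registrant hidden behind {r['privacy']}")
    email_siblings = shared[("email", r["email"])] - 1  # minus the domain itself
    if email_siblings:
        findings.append(f"{email_siblings} other domain(s) registered with the same e-mail")
    if not r["mx"]:
        findings.append("no MX records: the domain cannot receive mail")
    ip_siblings = shared[("ip", r["ip"])] - 1
    if ip_siblings:
        findings.append(f"{ip_siblings} other domain(s) hosted on {r['ip']}")
    if r["history_changes"] >= churn:
        findings.append(f"{r['history_changes']} registration/hosting changes on record")
    return len(findings), findings
```

Run against the constructed set, the two freshly registered, privacy-protected, mail-less domains sharing a registrant and an IP score 6 and 5, while the long-established domain scores 0; in practice the same fields would be filled from WHOIS, passive DNS and domain-history lookups.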