Knowledge Is (Fire)power!

January 16, 2014

Remember when there used to be a debate about whether or when full-on cyberwarfare would be upon us? It’s safe to say that the debate is over, or at the very least that it has morphed into a more nuanced debate about what to do about it. Traditional security measures (firewalls, anti-malware scanning and reputation, intrusion prevention, encryption) are all proving to be necessary, but not sufficient, to protect resources. Raising the stakes even further, “resources” now indisputably includes physical resources, from critical infrastructure to consumer goods: the “Internet of Things” has a big bullseye painted on it.

All is not doom and gloom, though. A recent article on showed how some of the most cutting-edge technologies on the “light” side of the cyberwars enable organizations to research—and often pinpoint—attackers as part of an incident response. Perhaps more intriguingly, though, the same techniques can also help anticipate potential attack sources in order to proactively defend against them. Part of the new cyberwar debate, illustrated in the article, centers on which of those techniques are most valuable; there are opinions on both sides. But the common thread is that in all cases, it’s critical to understand more about “who is” behind the activities in question.

Enter DomainTools.

For incident response, the wealth of data that DomainTools has amassed, and the research tools that power deep inquiries into that data, give security, law enforcement, and other professionals the means to track down the sources of suspicious or malicious activity. Armed with a single domain name, the investigator can drill into current and historical Whois and DNS data to discover connections that lead to two major categories of knowledge: identity of the persons or organizations behind an attack, and domains that are affiliated with the attacker(s). (Often, it is actually the web of affiliated domains that leads to the identification of the bad actors.)

Beyond—or, in a way, before—the incident response, an emerging, and compelling, security approach that DomainTools can enable is proactive blocking or scanning of potential attack sources before they strike. From the incident response model, it’s easy to see how this proactive defense can work:

Suppose an attack originated from a domain which we’ll call Domain A. Let’s assume for this example that Domain A is not a hijacked legitimate domain (though this model is still valid even if it is). If the owner of A also possesses Domains B, C, and D, then it’s reasonable to put those domains in a higher risk bucket, even if no malicious activity has (thus far) been traced back to them. This information can be used with other defense measures, such as firewalls, intrusion prevention (IPS) systems, anti-spam, etc., to subject those domains to a heightened security posture (which could include outright blocking, increased logging, increased malware scanning, and other measures).

DomainTools can play a key role in developing either, or both, of these security strategies:

  • Comprehensive Whois records help identify millions of domains.
  • Whois History can often surface important information about persons or organizations behind a domain, even in cases where many of the Whois records are privacy-protected.
  • “Connect the dots” with virtually any datapoint within the database of Whois records. Examples are email addresses, whole or partial physical addresses, phone numbers, person or organization names, and more.
  • IP address, name server, and other network data can help pinpoint the locations of known or suspected malicious activities, for investigation or proactive network defense, and are also key datapoints in connecting the dots.
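To make the Domain A/B/C/D model and the connect-the-dots datapoints above concrete, here is an added Python example (not DomainTools code; the Whois snapshots, registrant values, domain names and bucket names are all constructed placeholders). It pivots from a seed domain over shared registrant email, phone and name server across current and historical records, and deliberately refuses to pivot on privacy-proxy values, which would otherwise link thousands of unrelated domains into the risk bucket.

```python
"""Connect-the-dots pivot over constructed Whois history (illustrative only)."""
from collections import defaultdict, deque

# Constructed sample data: each domain maps to one or more Whois snapshots,
# newest first. None of these registrants, phones or name servers are real.
WHOIS_HISTORY = {
    "attack-a.example": [{"email": "ops@mailbox.example", "phone": "+1.5550100", "ns": "ns1.host.example"}],
    "site-b.example":   [{"email": "ops@mailbox.example", "phone": "+1.5550199", "ns": "ns9.other.example"}],
    "site-c.example":   [{"email": "privacy@proxy.example", "phone": "+1.5550199", "ns": "ns2.host.example"}],
    "site-d.example":   [{"email": "privacy@proxy.example", "phone": "+1.5559999", "ns": "ns2.host.example"},
                         {"email": "ops@mailbox.example", "phone": "+1.5550100", "ns": "ns1.host.example"}],
    "unrelated.example": [{"email": "privacy@proxy.example", "phone": "+1.5551234", "ns": "ns1.bigdns.example"}],
}

# Values shared by huge numbers of unrelated domains (privacy proxies, mass hosters)
# must never be pivot keys, or the "affiliated" set becomes meaningless.
NON_PIVOT_VALUES = {"privacy@proxy.example"}
PIVOT_FIELDS = ("email", "phone", "ns")
BUCKETS = {0: "confirmed", 1: "elevated"}  # deeper hops fall into "watch"


def build_index(history):
    """Map (field, value) -> domains whose current or past Whois carried that value."""
    index = defaultdict(set)
    for domain, snapshots in history.items():
        for snap in snapshots:
            for field in PIVOT_FIELDS:
                value = snap.get(field)
                if value and value not in NON_PIVOT_VALUES:
                    index[(field, value)].add(domain)
    return index


def connect_the_dots(seed, history, max_depth=2):
    """Breadth-first pivot from seed; returns domain -> depth, risk bucket and linking datapoints."""
    index = build_index(history)
    found = {seed: {"depth": 0, "bucket": BUCKETS[0], "links": []}}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        depth = found[current]["depth"]
        if depth >= max_depth:          # bound how far a single pivot chain may reach
            continue
        for snap in history.get(current, []):
            for field in PIVOT_FIELDS:
                value = snap.get(field)
                for other in sorted(index.get((field, value), ())):
                    if other == current:
                        continue
                    if other not in found:
                        found[other] = {"depth": depth + 1, "bucket": BUCKETS.get(depth + 1, "watch"), "links": []}
                        queue.append(other)
                    link = (field, value, current)      # which datapoint tied it to which domain
                    if link not in found[other]["links"]:
                        found[other]["links"].append(link)
    return found
```

The returned buckets are what you would hand to the firewall, IPS or logging tier mentioned above; note that site-d.example is only reachable through its older snapshot, which is the Whois History point in practice.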

Knowledge is (fire)power! If you haven’t used DomainTools to conduct a connect-the-dots investigation, don’t wait until an emergency to do so. Pick a domain—legitimate domains are just as useful for this as malicious ones—and explore. Give yourself a challenge to see how much information you can unearth—but beware: it can be engrossing!

If you’re not a DomainTools Enterprise or Professional member, contact us or set up a free trial so you can see how all of this works. You can strengthen your security posture, learn new techniques, and place yourself in the vanguard of cyberdefense strategy.



Category: cyber attack, cyberdefense, Incident Response, Internet of Things, security

About the Author

Tim Helming, Director of Product Management at DomainTools, has over a decade of technology product management experience. Areas of particular focus and interest are cybersecurity software and hardware, distributed storage and computing, and DNS/Whois. He has spoken at cybersecurity, technology channel, and media events worldwide.
