It’s no longer enough to focus on keeping threat actors out of an organization’s network. Multiple cybersecurity incidents have repetitively proven that intruders could sit inside networks undetected for weeks or months.
Threat intelligence feeds can help detect suspicious activity, map out Internet footprints, and conduct cybersecurity investigations, among other purposes. Such feeds could include multiple data sources, ranging from malware databases, WHOIS domain records, IP intelligence, Domain Name System (DNS) databases, and more.
But why should you be interested in using all that data? This post looks at a few use cases.
Detect Possible Phishing Domains and Subdomains
Combined Data Sources: Typosquatting Data Feed, Newly Registered & Just Expired Domains Database, and Subdomains Database
According to Verizon’s (News - Alert) 2020 Data Breach Investigations Report (DBIR), 22% of breaches involved phishing. The malicious emails may contain malware or impersonate suppliers, CEOs, other entities, and sometimes ride on current events. To execute attacks smoothly, threat actors mostly use look-alike or typosquatting domains and subdomains.
Including cyber threat intelligence feeds that return typosquatting domains could help protect an organization’s workforce from phishing attacks. A peek into a typosquatting database and a newly registered domain (NRD) data feed, for instance, revealed that 72 new domains containing the string “indiancreek” appeared on the DNS on 11 March 2021.
A total of 337 subdomains with the string “indiancreek” were also found in a subdomain database.
Indian Creek Island is an exclusive island that’s home to high-profile personalities, including Ivanka Trump and Tom Brady. Its official domain is indiancreekvillage[.]org. The look-alike domains and subdomains could be used to imitate the village administration and even residents in phishing emails.
Check Domain Reputation
Combined Data Sources: DNS Database, Passive DNS Database, Blocklist Engines, SSL Certificate Chain Intelligence
Part of a good cybersecurity strategy is detecting intruders in a network. Domains that appear in network logs can be run against different cyber threat intelligence feeds to check for inconsistencies and problematic configurations.
Reputation scoring can be implemented where domains with the most number of misconfigurations get the least score and should thus be flagged. The URL billing[.]netflix[.]user[.]solution[.]id2[.]client-redirection[.]com, for example, has the following configuration:
- A record: 204[.]11[.]56[.]48
- No mail server found
- Nameserver: ns1626[.]ztomy[.]com
- No Secure Sockets Layer (SSL) certificates
Having no mail server could mean that the domain owner does not want to receive emails. The absence of SSL certificates, on the other hand, doesn’t add up since a company like Netflix would certainly always configure one for its websites. Additionally, what do malware databases and blocklist sites say about the URL?
Various engines, including ESET (News - Alert), Kaspersky, and Sophos, in fact, reported the domain malicious. Furthermore, a passive DNS database associates the IP address and nameserver to hundreds of other domains, some of which are also tagged malicious.
Expand Indicator of Compromise Lists
Combined Data Sources: IoC Lists, Historical WHOIS Database, IP Netblocks Database, Passive DNS Database
In addition to blocking indicators of compromise (IoCs) of known threats, organizations can also stay better protected when exploring domains and IP addresses connected to them. A recent investigation into Ramnit IoCs, for instance, was able to expand the IoC list.
The expansion was done by looking into the IoCs’ historical WHOIS records and looking for domains and IP addresses that share the domain’s WHOIS information. An IP netblocks database was also one of the threat intelligence feeds used to determine the range of the IP addresses.
---
A cybersecurity system is often only as good as its data sources. Weak or incomplete data could result in weak defense. Gleaning intelligence from various and combined threat intelligence feeds can help organizations protect their networks and, at the same time, detect intruders that could have made their way in already.
