Never Bring Newly Registered Domains to a PDNS Fight

December 22, 2016, Mike Wyatt


Tracking newly registered domains is rarely enough to keep your organization safe—but too much data without the right tools can leave you just as much in the dark.

Over the past few months, I’ve had my fair share of conversations about what it means to have comprehensive coverage outside an organization’s firewall—the threat landscape is changing, and there’s a lot of misinformation out there about what needs to be done from an infosec perspective to keep up. Although it’s widely known that data is the answer, what data you need and how to wield that data is what’s confounding security professionals.

Security outside the firewall is an important topic, especially with all of the chatter about Internet of Things (IoT) devices implicated in recent record-setting DDoS attacks. And speaking of distributed devices, workforces that are becoming less centralized and relying on personal devices to do their jobs effectively require a new approach by their employers when it comes to protecting the corporate network from external threats.

Because corporate attack surfaces are changing, threat actors are also changing their techniques. Defenses have evolved to neutralize entire classes of attacks, so attackers are going back to the basics by relying on simpler, less sophisticated attacks such as directly scamming end-users with high-volume phishing campaigns. These attacks are cheap to execute, and since they cast such a large net on a wide spectrum of potential victims, they are proving to be incredibly efficient in breaching sensitive data. Like their corporate counterparts, threat actors put a significant amount of focus on the cost-benefit analysis of their activities: simple is easy, easy is cheap, and cheap means a higher return on investment.

This new reality makes comprehensive coverage for network defenders hard. There are so many data points to consider that sometimes I wish we could just go back to the basics by simply tracking newly registered domains. Remember the days when an organization could easily block entire subnets or “bad neighborhoods,” on the Internet such as the Russian Business Network and EstDomains? But that’s no longer the case, and today, most of the assets within a threat actor’s inventory are short lived. Free domains, free email addresses, bulletproof hosters, and everything else “as-a-Service” make it easy for a threat actor to remain anonymous and move around in stealth mode, especially to those who are only tracking domain registrations.

It’s now accepted that fighting these new breeds of attacks requires lots of data. In a modern security program, an emphasis is placed on being able to pivot between data sets available to analysts. But with the massive amount of different data sources available, and no shortage of places to pivot between, making sense of things can be overwhelming. With data sets like WHOIS, Passive DNS, SSL certificates, raw port scans, mobile applications, file hashes, blacklists, and content collected from the web, etc. readily available, it’s no wonder that analysis paralysis is a significant issue for security practitioners. When you factor in the expensive support structure needed to process all this data, it becomes even more daunting. A sizable team of analysts, engineers, and data scientists are required to extract indicators, correlate events, and provide the context needed to make intelligent decisions at scale—and by the way, most of this information comes from assets that are not under their control.

Trust me; it’s quite an undertaking—and what inspired RiskIQ to acquire PassiveTotal. PassiveTotal provides a simple, intuitive interface with which analysts can pivot between the many different types of data required to defend an organization, allowing them to understand the linkages between the many moving parts of modern attack infrastructure. We’ve invested significant resources in creating systems to correlate and provide data to enable analysts throughout their investigations.

Compromised infrastructure is something that has been trending upwards for years, and the most recent report that we released on subdomain infringement highlights the fact that most phishing actors are moving away from dedicated infrastructure to subdomains or compromised websites. Hyper focusing on one data set tends to leave people blind to all the badness happening around them and can give analysts tunnel vision

As I stated before, it would be great if we could just track newly registered domains or block known bad IP addresses to protect our businesses, but those actions only help in a few cases. For example, RiskIQ previously covered subdomain infringement, which requires Passive DNS to determine when a new subdomain is first observed and analyze all newly observed hosts containing a brand-infringing subdomain. We’ve discovered additional infrastructure by pivoting off of SSL certificates used by the Turla group. We continuously correlate malicious payloads with Passive DNS and WHOIS information to discover domain shadowing victims. We use raw content from our crawler to detect compromised websites and abused e-commerce software. We even continuously interrogate mobile applications and employ machine learning to detect reused scam and phishing templates where threat actors have made minor adjustments to their code to evade traditional signatures. We’re also improving our Traffic Distribution System (TDS) detection with our Associated List, and finally, we’re exposing trackers to help discover additional infrastructure during routine investigations.

The list goes on, and when you combine all of this stuff together, you’re left with a good amount of context. As an example, the following screenshot illustrates what it looks like when a dedicated IP address is serving a well-known exploit kit and employing domain shadowing:

Tracking newly registered domains is rarely enough to keep your organization safe—but too much data can leave you just as much in the dark.

Fig-1 If you don’t already have a PassiveTotal account, it’s free to sign up.

Here’s an example project inside of PassiveTotal from the Magecart blog post I referenced in the previous paragraph:

Tracking newly registered domains is rarely enough to keep your organization safe—but too much data can leave you just as much in the dark.

Fig-2 Projects in PassiveTotal give unprecedented context to investigations

There are plenty of other examples of just how much better it is to have a more comprehensive view with all of this data in the blog posts mentioned, and I encourage everyone to log in and try it out. The data can be addicting.

Stay safe out there, and happy holidays.

Share This