WHOIS Records

WHOIS data, an internet database of ownership information about a domain, IP address, or subnet, can give an organization insight into those behind an attack campaign. WHOIS data helps determine the maliciousness of a given domain or IP address based on ownership records. Using domain registration information, an organization can unmask an attacker’s infrastructure by linking a suspicious domain to other domains registered using the same or similar information.

What to Look For


  • Build an attack timeline from the domain’s registration, update, and expiration dates
  • Leverage history (hosting/record) to identify trends or specific patterns in data for a given owner or set of owners
  • Use the content of the various WHOIS fields to find other records that share similar patterns or exact values

Questions to Ask


  1. How long has the domain been registered or owned?
    New or recently created domains may help confirm suspicions about malicious activity, as many domains are registered shortly before staging an attack. This may indicate dedicated attacker domain ownership and can strengthen an observation’s value as an indicator of compromise. On the other hand, domains with older registration dates may indicate the use of compromised hosts, hijacked domains, or purchase of older domains from a reseller service.
  2. Is the WHOIS record privacy-protected, or does it use a 3rd-party provider’s information to obscure the real identity of the registrant?
  3. Does any data supplied by the user appear to be unique (e.g. spelling errors, strange names, conventions observed across multiple domains, etc.)?
    Even if a set of domains does not share obvious commonalities such as the domain registrant name or email address, relations may be possible to establish based on multiple matching attributes such as domain registrar, nameserver domains (and 2nd-order nameserver domain ownership), registration timeframe, and registrant contact email domains.
  4. Do the nameservers listed on the WHOIS record appear unique or reveal any additional infrastructure that may be related?
  5. Does the WHOIS record have any history associated with it? If so, for how long, and what information has changed?
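As an added example (not part of the original page), the pivoting described in questions 1 and 3 applied to a few constructed WHOIS-style records: a domain is linked to the seed only when several attributes match, a contact address belonging to a privacy/proxy provider is not counted as evidence of shared ownership, and registration age is measured against the time the activity was observed. All domains, registrars, dates and the proxy-provider list are assumed and constructed for illustration.

```python
from datetime import date
# Constructed WHOIS-style records for illustration (no real domains, registrars or people).
RECORDS = {
    "invoice-portal.test": dict(registrar="Registrar A", created=date(2024, 3, 2),
        nameservers=["ns1.cheaphost.test", "ns2.cheaphost.test"],
        registrant_email="contact@privacy-proxy.test"),
    "secure-invoice.test": dict(registrar="Registrar A", created=date(2024, 3, 5),
        nameservers=["ns1.cheaphost.test"], registrant_email="contact@privacy-proxy.test"),
    "update-service.test": dict(registrar="Registrar A", created=date(2024, 3, 10),
        nameservers=["ns1.otherhost.test"], registrant_email="contact@privacy-proxy.test"),
    "news-site.test": dict(registrar="Registrar B", created=date(2015, 6, 10),
        nameservers=["ns1.bighost.test"], registrant_email="admin@news-site.test"),
}
# Assumed privacy/proxy providers: a shared proxy address hides the real registrant, not links owners.
PRIVACY_PROXY_DOMAINS = {"privacy-proxy.test"}

def email_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def ns_domain(host):
    # Registered domain of a nameserver host: ns1.cheaphost.test -> cheaphost.test
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def shared_attributes(a, b, window_days=14):
    """Names of the WHOIS attributes that records a and b have in common."""
    shared = set()
    if a["registrar"] == b["registrar"]:
        shared.add("registrar")
    if {ns_domain(n) for n in a["nameservers"]} & {ns_domain(n) for n in b["nameservers"]}:
        shared.add("nameserver_domain")
    if abs((a["created"] - b["created"]).days) <= window_days:
        shared.add("registration_window")
    mail_a, mail_b = a["registrant_email"].lower(), b["registrant_email"].lower()
    # Contact e-mail only counts as a link when neither record is privacy protected
    if not {email_domain(mail_a), email_domain(mail_b)} & PRIVACY_PROXY_DOMAINS:
        if mail_a == mail_b:
            shared.add("registrant_email")
        elif email_domain(mail_a) == email_domain(mail_b):
            shared.add("registrant_email_domain")
    return shared

def pivot(seed, records=RECORDS, min_shared=3):
    """Domains linked to seed by at least min_shared matching attributes, with the reasons."""
    links = {d: shared_attributes(records[seed], r) for d, r in records.items() if d != seed}
    return {d: s for d, s in links.items() if len(s) >= min_shared}

def registration_age_days(domain, observed, records=RECORDS):
    """Days from WHOIS creation to the observed activity; a small value means a new domain."""
    return (observed - records[domain]["created"]).days
```

With these records, only secure-invoice.test is linked to the seed (same registrar, same nameserver domain, registered three days apart); update-service.test shares only the registrar and the registration window, and its identical proxy contact address is deliberately ignored.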