Security Intelligence Services

WHOIS

Use registration-based correlation to expand your knowledge of the adversary


What is the WHOIS data set?

Thousands of times a day, domains are bought and transferred between individuals, and domain registrants must provide information about themselves when registering one. This information gets stored in a WHOIS record associated with the domain.

WHOIS is a protocol that lets anyone query for ownership information about a domain, IP address, or subnet. RiskIQ has a vast repository of WHOIS data, which is available to query for registrant information.

How Can it Help?

Attackers need to establish infrastructure to conduct their attack from and to communicate with their malware. Attackers often register multiple domains at the beginning of a campaign for use during all phases of their operations.

WHOIS data can provide an organization with insight into who is behind an attack campaign. Using domain registration information, an organization can unmask an attacker’s infrastructure by linking a suspicious domain to other domains registered using the same or similar information.

How to Use It:

  • Identify additional domains registered using similar information
  • Determine the maliciousness of a given domain or IP address based on ownership records
  • SIEM event enrichment
  • Domain enrichment to proactively hunt for threats

RiskIQ offers API access to its WHOIS repository so that analysts can correlate domains based on registration information.
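The registration-based pivot described above, as an added example that is not RiskIQ's code and does not use its API: a small set of constructed WHOIS records (hypothetical domains and registrant values) is indexed by registrant email and organisation, and a seed domain is expanded to every other domain sharing one of those values. Privacy-redacted fields and values shared by more than a threshold of domains are skipped so that a registrar's placeholder text cannot link unrelated domains.

```python
from collections import defaultdict

# Constructed sample WHOIS records (hypothetical values, not real registrations).
WHOIS_RECORDS = {
    "suspicious-login-portal.example": {"email": "ops@mailer.example", "org": "Blue Sky Ltd", "created": "2023-01-14"},
    "account-verify-update.example": {"email": "ops@mailer.example", "org": "Blue Sky Ltd", "created": "2023-01-14"},
    "secure-mail-check.example": {"email": "other@mailer.example", "org": "Blue Sky Ltd", "created": "2023-02-02"},
    "corp-site.example": {"email": "hostmaster@corp.example", "org": "Corp Inc", "created": "2015-06-30"},
    "redacted.example": {"email": "REDACTED FOR PRIVACY", "org": "", "created": "2022-11-01"},
}

# Registrar placeholders that appear on huge numbers of unrelated domains; never pivot on them.
NOISE_VALUES = {"", "redacted for privacy", "data protected"}


def pivot_keys(record):
    """Return the (field, normalised value) pairs of a record that are usable as pivots."""
    keys = set()
    for field in ("email", "org"):
        value = record.get(field, "").strip().lower()
        if value not in NOISE_VALUES:
            keys.add((field, value))
    return keys


def build_index(records):
    """Invert the record set: pivot key -> set of domains carrying that value."""
    index = defaultdict(set)
    for domain, rec in records.items():
        for key in pivot_keys(rec):
            index[key].add(domain)
    return index


def linked_domains(seed, records, max_shared=50):
    """Return {domain: {pivot keys shared with seed}} for every domain linked to seed.

    A key carried by more than max_shared domains is treated as noise (for example a
    large reseller's organisation name) and is not used to link domains.
    """
    index = build_index(records)
    links = defaultdict(set)
    for key in pivot_keys(records[seed]):
        matches = index[key]
        if len(matches) > max_shared:
            continue
        for domain in matches - {seed}:
            links[domain].add(key)
    return dict(links)


if __name__ == "__main__":
    for domain, shared in linked_domains("suspicious-login-portal.example", WHOIS_RECORDS).items():
        print(domain, "linked via", sorted(shared))
```

A domain linked only through the organisation field is a weaker lead than one sharing the registrant email; the returned key set lets the analyst weight each link before enriching a SIEM event with it.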

Additional Resources

Interested in enhancing and enriching your organization’s security operations and incident response activity even further? Then check out:

RiskIQ’s PassiveTotal API