Trick or Threat: The Monsters Lurking Behind Domains

Learn how to leverage domain names to reveal malicious campaigns.

Last Updated: October 31, 2022

Threat hunters are the ghostbusters of the cybercriminal underworld, working proactively to detect and banish the monsters lurking in our midst. When people picture the threat-hunting process, however, most skip straight to the part where the hunters dive headfirst into reverse-engineering attacks and looking for evidence of compromised systems in the protected environment. That is certainly an important element of any operation, but the value of investigating network-based indicators of compromise should not be neglected. More specifically, logs of the domain names touching the protected environment, and analysis of the records behind those domains, are frequently overlooked as a source of threat-hunting data. Yet it is by investigating this one data source that security teams can uncover the intelligence needed to curb an attack sooner rather than later.

So, how can domain names be leveraged to reveal malicious campaigns wreaking havoc on one’s organization?

Domain Name System (DNS) and domain datasets offer a wealth of data that can be classified into two main categories: characterizers and connectors. Characterizers are data points that tell you something about the domain or the actor behind it, such as their objectives or modus operandi. Connectors are data points that link the domain or IP address in question to other infrastructure. Such connections let you pivot from one lead to the next, potentially exposing a wider campaign.

These leads come in many forms, each of varying value. Below, we explore five key areas hunters can dig into to profile adversaries and judge what kind of risk their infrastructure represents.


Monstrous Monikers

Often, threats hide in plain sight, ‘characterized’ by their domain name. A well-known brand with a typo in the domain name is a big red flag that many users and analysts will notice. Cybercriminals are skilled at deception, though, and often disguise malevolent domains with homoglyphs: characters from other scripts (Cyrillic or Greek, for instance) or other Latin characters and digits that look similar or identical to the expected ones. Such names reach the DNS as ASCII punycode (labels beginning with xn--), so the form a user sees rendered and the form that lands in your logs can differ.

As a consumer, one way to quickly expose such attempts is simply to hover over the link. Most desktop browsers then display the full URL in the lower corner of the window, where you can inspect it before deciding whether to proceed. (On mobile browsers, a tap-and-hold usually offers to copy the URL, which you can paste into a text field to examine, admittedly a cumbersome step.) On the hunter side, a lookalike is a reason to dig deeper.
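The lookalike checks described above, as an added Python example that is not code from the original article or from DomainTools. It reduces a label to the ASCII "skeleton" it is designed to resemble, flags mixed scripts, shows the punycode form that would appear in DNS logs, and compares the skeleton against a brand list. The confusables table, the brand list and the sample domains are constructed for illustration; the real Unicode confusables list is far larger, and a production tool would use the Public Suffix List rather than assuming the registrable label is the second-to-last one.

```python
import unicodedata

# Constructed subset of look-alike characters: key is the character an attacker
# substitutes, value is the Latin letter it imitates. Unicode TR39 confusables.txt
# is the full reference; this is an illustrative assumption, not that list.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s",                       # Cyrillic
    "α": "a", "ο": "o", "ν": "v", "ρ": "p", "ι": "i",   # Greek
    "ł": "l", "ı": "i", "0": "o", "1": "l",             # Latin / digit look-alikes
}
# Two-character sequences that read as one letter at small font sizes.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}

# Constructed brand list the hunter is protecting (assumption for the example).
BRANDS = ["apple", "paypal", "microsoft", "github"]


def script_of(ch):
    """Coarse script name taken from the character's Unicode name, e.g. 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label):
    """Reduce a label to the ASCII string it was designed to look like."""
    label = unicodedata.normalize("NFKC", label).lower()
    out = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for pair, single in PAIR_CONFUSABLES.items():
        out = out.replace(pair, single)
    return out


def levenshtein(a, b):
    """Edit distance by the usual dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_brand(skel, brands):
    """Compare the whole skeleton and each hyphen-separated token against every brand."""
    tokens = [skel] + [t for t in skel.split("-") if t]
    best = (None, float("inf"))
    for brand in brands:
        d = min(levenshtein(t, brand) for t in tokens)
        if d < best[1]:
            best = (brand, d)
    return best


def analyze_domain(domain, brands=BRANDS):
    # Assumption: the registrable label is the second-to-last label. A real tool
    # would consult the Public Suffix List to handle suffixes such as co.uk.
    parts = domain.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    try:
        punycode = label.encode("idna").decode("ascii")  # the form seen in DNS logs
    except UnicodeError:
        punycode = None
    scripts = sorted({script_of(ch) for ch in label if ch.isalpha()})
    skel = skeleton(label)
    brand, distance = closest_brand(skel, brands)
    if label.lower() == brand:
        verdict = "brand"          # the genuine label itself
    elif distance <= 1:
        verdict = "lookalike"      # imitates a brand once de-confused
    else:
        verdict = "unrelated"
    return {
        "domain": domain, "punycode": punycode, "scripts": scripts,
        "mixed_script": len(scripts) > 1, "skeleton": skel,
        "brand": brand, "distance": distance, "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample domains; the first uses a Cyrillic 'а' in place of Latin 'a'.
    for d in ["аpple.com", "paypa1-secure.com", "rnicrosoft-login.net",
              "microsoft.com", "example.org"]:
        r = analyze_domain(d)
        print(f'{str(r["punycode"]):<24} scripts={r["scripts"]} skeleton={r["skeleton"]} '
              f'-> {r["verdict"]} ({r["brand"]}, d={r["distance"]})')
```

Running the script over a day's worth of newly observed domains from your resolver logs, with your own brands in BRANDS, turns the "hover over the link" check into something a hunter can do in bulk; the mixed_script flag alone is worth alerting on for any label that resembles a protected brand.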

Nightmare on IP Street

Any domain name that resolves has at least one IP address; that is how the host behind it is reached by other devices on the internet. A lot can be deciphered by analyzing the IP addresses in your logs once you can pinpoint the outliers. For instance, it would be unusual for a device to talk to only one IP address for a full day; that can be a sign of malware beaconing to its controller. Large amounts of data moving between a device and a single IP address should also raise suspicion. Moreover, with the right kind of analysis, that IP address can serve as an excellent connector that propels an investigation forward in important ways.

Hunters should explore what other domains point to the same IP address and follow the cybercriminal’s breadcrumb trail from there. As noted earlier, though, the value of these data points varies. An IP address with thousands or millions of associated domains (a large shared host or CDN edge, say) is next to impossible to analyze for patterns. Conversely, if it hosts just a few dozen domains, an analyst can quite easily make sense of how they might be related to one another.

This can also help get around the limitations of domain blocklists. Blocklists are useful for eliminating established malicious domains, but because new infrastructure is cheap and easy for adversaries to set up, there will always be more popping up. Blocking at the IP level, conversely, can lead to false positives (and help desk calls) if the IP also hosts legitimate domains. “Reverse IP” analysis helps in both cases: by looking at the population of domains on an IP, the analyst gets a good feel for the nature of that IP, and by watching the IP for new domains pointing to it, the analyst can get ahead of emerging campaigns.
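The reverse IP pivot and the "watch the IP" idea, as an added Python example that is not code from the original article or from DomainTools. It builds a reverse index over passive DNS style observations, pivots from a seed domain to its siblings only where the IP population is small enough to analyze by hand, and lists domains newly pointed at a watched IP. The records are constructed: addresses come from the RFC 5737 documentation ranges and names use the reserved .test TLD, so none of it is real infrastructure. The population threshold of 100 is an assumption; a real passive DNS source would supply the observations.

```python
from collections import defaultdict
from datetime import date

# Constructed passive DNS style observations: (domain, ip, first_seen).
PDNS = [
    ("secure-login-verify.test", "203.0.113.10", date(2022, 10, 1)),
    ("account-update-alert.test", "203.0.113.10", date(2022, 10, 3)),
    ("invoice-portal-check.test", "203.0.113.10", date(2022, 10, 20)),
    ("bakery-downtown.test", "203.0.113.10", date(2019, 5, 2)),
    ("secure-login-verify.test", "198.51.100.5", date(2022, 9, 28)),
]
# A crowded shared-hosting address with thousands of unrelated tenants (constructed).
PDNS += [(f"site{i}.test", "198.51.100.5", date(2021, 1, 1)) for i in range(3000)]


def reverse_index(records):
    """Reverse IP table: ip -> {domain: earliest first_seen}."""
    idx = defaultdict(dict)
    for domain, ip, first_seen in records:
        if domain not in idx[ip] or first_seen < idx[ip][domain]:
            idx[ip][domain] = first_seen
    return idx


def pivot_from_domain(seed, records, max_population=100):
    """For every IP the seed resolved to, return the sibling domains when the
    population is small enough to reason about, otherwise flag the IP as crowded."""
    idx = reverse_index(records)
    result = {}
    for ip, domains in idx.items():
        if seed not in domains:
            continue
        population = len(domains)
        if population > max_population:
            # Thousands of tenants: a shared host, not a usable connector.
            result[ip] = {"status": "crowded", "population": population, "siblings": []}
        else:
            siblings = sorted(d for d in domains if d != seed)
            result[ip] = {"status": "pivot", "population": population, "siblings": siblings}
    return result


def new_domains_on_ip(ip, records, since):
    """Watch an IP: domains first seen pointing to it on or after `since`."""
    idx = reverse_index(records)
    return sorted(d for d, seen in idx.get(ip, {}).items() if seen >= since)


if __name__ == "__main__":
    for ip, info in pivot_from_domain("secure-login-verify.test", PDNS).items():
        print(ip, info["status"], info["population"], info["siblings"][:5])
    # Emergent campaign check: what appeared on the small IP in the last two weeks?
    print(new_domains_on_ip("203.0.113.10", PDNS, date(2022, 10, 15)))
```

The seed resolves to two addresses: one holds four domains, so the three siblings are handed back for review, while the other holds thousands and is reported as crowded rather than dumped on the analyst. The same index answers the blocklist question from the text: a mostly legitimate population argues against an IP-level block, and new names appearing on a small, suspicious IP are candidates to block before they are used.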

Spook-tacularly Young

Next is domain age. While not all young domains are bad, more often than not, bad domains are young, so be wary of any that were registered within the last 30 days. Of course, cybercriminals have caught on to this and, in some cases, hold their domains for months before weaponizing them, so domain “youth” is not a clear-cut sign of bad activity. One might say this is more of a trick than a threat: it can indicate virulent intent, but not necessarily. A useful complement to the registration date is when the domain first appeared in passive DNS; a domain registered long ago that only started resolving last week deserves the same scrutiny as a brand-new one.

Under the Invisible Cloak

When cybercriminals register a domain, they can do so under an alias, since registrars do not verify that you are truthful about your identity. Alternatively, they can pay a small sum for a privacy proxy or use a registrar or registry that redacts registrant data by default. Once again, private registration does not in itself affirm wrongdoing, but it can be worth investigating. Consider the location of the privacy proxy and whether it accepts payment in bitcoin to decide whether there is more than meets the eye. Some providers have historically been more willing to supply privacy services to criminals, so keep a watchful eye on those. In the case of domains spoofing well-known organizations, private registration is a stronger signal of malicious intent, because well-known organizations rarely privacy-shield the registrations for their best-known properties.

History of Horror

This leads us nicely on to a domain’s Whois history. Although it can be tricky to view registration details if a privacy proxy is in use, you may sometimes luck out and find clues. A common saying in cybersecurity holds that the defender must get it right 100% of the time while the adversary only has to be right once. Interestingly, the tables are turned here: it takes only one mistake by the cybercriminal, such as registering a domain before the privacy proxy was switched on, to expose them.

One way to find such mistakes is a reliable source of Whois history data. A defender can effectively go back in time and find other characterizers and connectors (a unique registrant email, physical address, organization or person name) in earlier Whois records for further inspection. Current or historical Start of Authority (SOA) DNS records can also be useful for domains whose Whois data is privacy-cloaked: the SOA RNAME field names the mailbox responsible for the zone, and when an operator has set it to something other than the registrar’s default, it can link otherwise unrelated domains.
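The Whois-history and SOA pivots described above, as an added Python example that is not code from the original article or from DomainTools. Starting from a seed domain whose current Whois is redacted, it walks back through historical snapshots for an exposed registrant email, pivots on that email to other domains, and separately decodes each domain's SOA RNAME into a mailbox (RFC 1035: the first unescaped dot becomes @) to link domains that share a custom contact. The Whois snapshots, SOA values and redaction patterns are all constructed for illustration; treating any hostmaster@ contact as a registrar default is a heuristic assumption.

```python
import re

# Constructed Whois history snapshots (not real registrations), newest first.
WHOIS_HISTORY = [
    {"domain": "secure-login-verify.test", "observed": "2022-10-05",
     "email": "REDACTED FOR PRIVACY", "org": "Privacy Proxy LLC"},
    {"domain": "secure-login-verify.test", "observed": "2022-09-30",
     "email": "nightcrawler@mail.test", "org": ""},   # registered before the proxy was enabled
    {"domain": "account-update-alert.test", "observed": "2022-10-03",
     "email": "REDACTED FOR PRIVACY", "org": "Privacy Proxy LLC"},
    {"domain": "invoice-portal-check.test", "observed": "2022-10-20",
     "email": "nightcrawler@mail.test", "org": ""},
    {"domain": "bakery-downtown.test", "observed": "2019-05-02",
     "email": "owner@bakery-downtown.test", "org": "Downtown Bakery"},
]

# Constructed SOA RNAME values (the zone's responsible mailbox, RFC 1035 section 3.3.13).
SOA_RNAME = {
    "secure-login-verify.test": "nightcrawler.mail.test.",
    "account-update-alert.test": "nightcrawler.mail.test.",
    "invoice-portal-check.test": "hostmaster.registrar-dns.test.",  # registrar default
    "bakery-downtown.test": "hostmaster.bakery-downtown.test.",
}

# Strings that privacy proxies and GDPR-style redaction commonly put in place of data.
REDACTION = re.compile(r"redacted|privacy|proxy|withheld|not disclosed", re.I)


def is_redacted(value):
    return not value or bool(REDACTION.search(value))


def exposed_emails(domain, history):
    """Registrant emails visible in any historical snapshot of the domain."""
    return sorted({r["email"].lower() for r in history
                   if r["domain"] == domain and not is_redacted(r["email"])})


def domains_for_email(email, history):
    """Connector: every domain whose Whois, current or historical, used this email."""
    return sorted({r["domain"] for r in history if r["email"].lower() == email.lower()})


def soa_rname_to_email(rname):
    """First unescaped dot becomes '@'; a backslash-escaped dot is a literal dot
    in the local part (e.g. john\\.doe.mail.test. -> john.doe@mail.test)."""
    m = re.match(r"^((?:\\.|[^.\\])*)\.(.+?)\.?$", rname)
    if not m:
        return None
    local = m.group(1).replace("\\.", ".")
    return f"{local}@{m.group(2)}"


def investigate(seed, history=WHOIS_HISTORY, soa=SOA_RNAME):
    """Pivot from a privacy-cloaked seed to related domains via historical Whois
    and shared SOA contacts. Returns {domain: [evidence, ...]}."""
    related = {}
    for email in exposed_emails(seed, history):
        for d in domains_for_email(email, history):
            if d != seed:
                related.setdefault(d, set()).add(f"whois:{email}")
    contact = soa_rname_to_email(soa.get(seed, ""))
    # Assumption: hostmaster@... is a registrar default and links nothing useful.
    if contact and not contact.startswith("hostmaster@"):
        for d, rname in soa.items():
            if d != seed and soa_rname_to_email(rname) == contact:
                related.setdefault(d, set()).add(f"soa:{contact}")
    return {d: sorted(v) for d, v in sorted(related.items())}


if __name__ == "__main__":
    for domain, evidence in investigate("secure-login-verify.test").items():
        print(domain, evidence)
```

In the constructed data the seed's one slip, a snapshot taken before privacy was turned on, connects it to invoice-portal-check.test through Whois, while account-update-alert.test, which has been redacted from the start, is still linked because both zones name the same custom SOA contact.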

Chilling Context

In addition to the above, context should always be taken into account. For example, does it make sense for the domain to have Mail Exchanger (MX) records, and does it publish a Sender Policy Framework (SPF) record that restricts which hosts may send its mail, or a permissive one that lets anyone send? Could the domain be sending out mass phishing campaigns? Does its public-facing web page look sketchy? Do the organization and location in the domain’s TLS certificate correspond with what you know about the domain, or is it a bare domain-validated certificate with no organization to compare at all?

Investigating the connections among the DNS records behind domain names is akin to an insurance actuarial analysis. Rarely does one thing prove high risk, but a set of corroborating data points often paints a useful picture, and by asking the right questions of the data we build a more complete understanding of the threat. Begin with one scary indicator, use other data to provide context for analysis, then use ‘connector’ data to pivot to the next lead. The more you know about the adversary, the better prepared you will be to implement the necessary defenses.
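The corroborating-signals approach above, together with the domain-age and privacy-registration signals from the earlier sections, as an added Python example that is not code from the original article or from DomainTools. Each domain profile carries the fields a hunter would pull from Whois, passive DNS, DNS TXT records and the TLS certificate; the scorer fires individual signals, including the held-then-activated pattern (old registration, recent first resolution) that plain domain age misses, and weights them so that no single signal reaches the top verdict alone. The profiles, weights and thresholds are constructed assumptions, and the reference date is the article's own.

```python
from datetime import date

# Reference date for age calculations (the article's date; assumption for reproducibility).
TODAY = date(2022, 10, 31)

# Constructed domain profiles; every value is made up for illustration.
PROFILES = {
    "invoice-portal-check.test": {
        "created": "2022-10-18", "dns_first_seen": "2022-10-20",
        "whois_privacy": True, "mx": True, "txt": [],
        "cert_org": None, "expected_org": "Example Bank",
    },
    "aged-holder.test": {                       # held for years, resolving for days
        "created": "2020-03-01", "dns_first_seen": "2022-10-25",
        "whois_privacy": True, "mx": False, "txt": [],
        "cert_org": None, "expected_org": None,
    },
    "newsletter-blast.test": {
        "created": "2022-09-01", "dns_first_seen": "2022-09-02",
        "whois_privacy": True, "mx": True, "txt": ["v=spf1 +all"],
        "cert_org": None, "expected_org": None,
    },
    "bakery-downtown.test": {
        "created": "2019-05-02", "dns_first_seen": "2019-05-03",
        "whois_privacy": False, "mx": True,
        "txt": ["v=spf1 include:_spf.mail.test -all"],
        "cert_org": "Downtown Bakery", "expected_org": "Downtown Bakery",
    },
}

# Signal weights (assumption): two strong signals or one strong plus two weak reach "high".
WEIGHTS = {
    "young_domain": 2, "aged_then_activated": 2, "privacy_proxy": 1,
    "mx_without_spf": 1, "spf_permissive": 1, "cert_org_mismatch": 1,
}


def spf_record(txt_records):
    """The SPF TXT record, if the domain publishes one."""
    return next((t for t in txt_records if t.lower().startswith("v=spf1")), None)


def signals(profile, today=TODAY):
    """Names of the signals that fire for one domain profile."""
    found = []
    age_days = (today - date.fromisoformat(profile["created"])).days
    if age_days <= 30:
        found.append("young_domain")
    if profile.get("dns_first_seen"):
        seen_days = (today - date.fromisoformat(profile["dns_first_seen"])).days
        if age_days > 180 and seen_days <= 30:
            found.append("aged_then_activated")   # registered long ago, weaponized now
    if profile["whois_privacy"]:
        found.append("privacy_proxy")
    spf = spf_record(profile["txt"])
    if profile["mx"] and spf is None:
        found.append("mx_without_spf")
    elif spf is not None and spf.split()[-1] in ("+all", "all"):
        found.append("spf_permissive")            # "all" defaults to "+all": anyone may send
    cert_org, expected = profile.get("cert_org"), profile.get("expected_org")
    if cert_org and expected and cert_org.lower() != expected.lower():
        found.append("cert_org_mismatch")
    return found


def assess(profile, today=TODAY):
    """Corroborate: sum the weights and map the total to a verdict."""
    found = signals(profile, today)
    score = sum(WEIGHTS[s] for s in found)
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"signals": found, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for domain, profile in PROFILES.items():
        r = assess(profile)
        print(f'{domain:<28} {r["verdict"]:<6} {r["score"]}  {", ".join(r["signals"]) or "-"}')
```

Note that the aged domain is not young by registration date, yet its recent first resolution plus private registration still earns a medium verdict, which is the point of corroboration: none of the weak signals proves anything alone, and the verdict is a prompt to pivot on connectors, not a conviction.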




Tim Helming

Cybersecurity Evangelist, DomainTools

Tim Helming, DomainTools Security Evangelist, has over 20 years of experience in information security, from DNS and network to cloud to application and ICS attacks and defenses. At DomainTools, he applies this background to helping organizations understand the threat landscape, especially in the area of malicious online infrastructure. He also helps evangelize the company's growing portfolio of investigative and proactive cyber defense offerings. Prior to DomainTools, he led product teams at WatchGuard Technologies and Dragos. Tim has spoken at security conferences such as FIRST, InfoSec World, BSides Las Vegas, FireEye/MIRcon, and AusCERT, as well as media events and technology partner conferences worldwide.