Domain Intelligence for Proactive Threat Defense by Jonathan Zhang


According to the World Intellectual Property Organization (WIPO), the volume of cybersquatting cases grew by as much as 12% in 2018, the highest in years. The introduction of more than 1,200 new gTLDs was believed to have widened cybersquatters’ playing field. The implementation of stricter data privacy regulations was also said to have a role in the rise in the number of anonymously registered domain names that potentially allowed cybersquatters to evade trademark owners’ prying eyes.

Meanwhile, the number of phishing attacks seen in the second quarter of 2019 eclipsed the volumes seen in the past three quarters. The total number of phishing sites detected by the Anti-Phishing Working Group (APWG) from April to June 2019 reached 182,465. Things take a turn for the worse when phishing attacks lead to a massive data breach, as we’ve seen happen several times. To date, each data breach incident can cost a company an average of US$3.92 million.

Organizations also faced 34% more DNS attacks compared to 2018, which could cost them an average of US$1.07 million in remediation on top of business downtime.

All that said, companies cannot rely on merely reacting to attacks; they need to ensure proactive protection by ensuring the security of their entire domain infrastructure. Whether they rely on an in-house or a third-party security provider, they can benefit from domain intelligence.

Improving Cybersecurity Posture with Data Enrichment

Organizations that have an in-house IT security team can safeguard their domains by:

  • Empowering security operations center (SOC) staff: Domain intelligence can provide SOCs with context and possibly attribution for the threat data they analyze. Using a reverse WHOIS API, for instance, allows them to conduct in-depth investigations into who owns a domain listed as an indicator of compromise (IoC) for an attack. That knowledge may point to a specific adversary they need to monitor for future attempts, helping them avoid compromise.
  • Enriching security information and event management (SIEM) solutions: Organizations can integrate domain intelligence into their SIEM solutions for faster threat identification. In short, security teams can feed IP, URL, and other domain data into their solutions so these can easily compare IoCs with log information to pinpoint and block all potential threat sources before these can do harm. This approach improves alert triage, but only if the domain intelligence source is accurate and regularly updated.
  • Enabling penetration testing with a security orchestration, automation, and response (SOAR) platform: Not all organizations have the resources to conduct penetration testing, and that gap is a leading cause of cyber-attack unpreparedness. Most do not have the experts to perform such tests given the current IT talent shortage. That should be less of an issue these days, however, with the introduction of SOAR platforms that can automate activities such as asset discovery scans, classification activities, and target prioritization, making it possible for security teams to operationalize their penetration testing efforts.
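The SIEM enrichment described above, as an added example that is not code from the original article or from Threat Intelligence Platform: a small matcher that pulls domains and IPs out of key=value style log lines, checks them (including subdomains of listed domains) against a domain-intelligence feed, and attaches the WHOIS-style context a SOC wants at triage time. The feed, the log lines and every domain and address in them are constructed for the example; it also implements the caveat in the text by flagging alerts produced from a feed that has not been refreshed recently.

```python
import ipaddress
import re
from datetime import date
from urllib.parse import urlparse

# Constructed domain-intelligence feed (not real indicators). Each entry carries
# the context a SOC wants when an alert fires: tag, registrar, registration date.
FEED_DATE = date(2019, 11, 21)
IOC_FEED = {
    "last_updated": "2019-11-20",
    "domains": {
        "login-secure-example.com": {"tag": "phishing", "registrar": "Example Registrar",
                                     "registered": "2019-11-02", "registrant_email": "redacted@privacy.example"},
        "cdn-updates.example.net": {"tag": "malware-c2", "registrar": "Example Registrar",
                                    "registered": "2019-10-15", "registrant_email": "redacted@privacy.example"},
    },
    "ips": {
        "198.51.100.23": {"tag": "scanner", "asn": "AS64496 (constructed)"},
    },
}

# Constructed proxy, DNS and firewall log lines in a generic key=value format.
SAMPLE_LOGS = [
    "2019-11-21T08:12:03Z proxy src=10.0.0.5 url=https://login-secure-example.com/auth/index.php status=200",
    "2019-11-21T08:13:44Z dns src=10.0.0.9 query=api.cdn-updates.example.net type=A",
    "2019-11-21T08:15:10Z fw src=10.0.0.12 dst=198.51.100.23 dport=443 action=allow",
    "2019-11-21T08:16:00Z proxy src=10.0.0.7 url=https://www.example.org/ status=200",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def extract_indicators(line):
    """Pull candidate (kind, value) pairs out of one log line: hostnames from
    url= fields, and names or addresses from query=/dst=/host= fields."""
    found = set()
    for key, value in KV_RE.findall(line):
        if key == "url":
            host = urlparse(value).hostname
            if host:
                found.add(("ip" if _is_ip(host) else "domain", host.lower()))
        elif key in ("query", "dst", "dest", "host"):
            value = value.lower().rstrip(".")
            found.add(("ip" if _is_ip(value) else "domain", value))
    return found


def match_domain(domain, feed_domains):
    """Return the listed domain that matches, walking up through parents so that
    api.cdn-updates.example.net hits an entry for cdn-updates.example.net.
    Stops before the bare TLD so 'net' alone can never match."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed_domains:
            return candidate
    return None


def feed_is_stale(feed, today, max_age_days=7):
    """The text's caveat: enrichment is only as good as a current feed."""
    return (today - date.fromisoformat(feed["last_updated"])).days > max_age_days


def enrich(log_lines, feed, today):
    """Compare every indicator in the logs with the feed and emit enriched alerts."""
    alerts = []
    for line in log_lines:
        for kind, value in extract_indicators(line):
            if kind == "domain":
                hit = match_domain(value, feed["domains"])
                info = feed["domains"].get(hit) if hit else None
            else:
                hit = value if value in feed["ips"] else None
                info = feed["ips"].get(hit) if hit else None
            if info is None:
                continue
            age = None
            if "registered" in info:
                age = (today - date.fromisoformat(info["registered"])).days
            alerts.append({
                "log": line,
                "indicator": value,
                "matched": hit,
                "tag": info["tag"],
                "context": info,
                "domain_age_days": age,   # young domains deserve a higher triage priority
                "feed_stale": feed_is_stale(feed, today),
            })
    return alerts


if __name__ == "__main__":
    for alert in enrich(SAMPLE_LOGS, IOC_FEED, FEED_DATE):
        print(alert["tag"], alert["indicator"], "->", alert["matched"], "age:", alert["domain_age_days"])
```

In a real deployment the feed dictionary would be replaced by the SIEM's lookup table or a scheduled pull from the intelligence provider, and `feed_is_stale` would gate whether matches are trusted for automatic blocking or only for analyst review.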

Those that rely on third-party service providers to beef up their cyber defense can also benefit from domain intelligence.

  • Managed security service providers (MSSPs): An efficient MSSP should be able to detect and prevent an attack before it can do damage, as well as identify the actors behind an intrusion attempt through their email addresses, domains, and other information from WHOIS records. Learning about a domain’s reputation, for instance, can lead to blocking access from a disreputable domain that may have ties to an ongoing attack, stopping it in its tracks.
  • Managed detection and response (MDR) service providers: MDR teams can rely on WHOIS and DNS databases to answer questions relevant to their role, such as:

- Are the communications that reach client networks coming from potentially spoofed email addresses?

- Are specific categories of top-level domain (TLD) names often misused for fraud?

- Are there patterns among domain records that may help uncover large-scale criminal networks?
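The three MDR questions above, worked as an added example that is not code from the original article or from any vendor mentioned in it. It runs over a constructed set of WHOIS-style records (every domain, email address and name server is made up for the example, and the registrable-label split is deliberately crude; production code would use the Public Suffix List): `lookalike_of` flags sender domains that imitate a protected domain, `tld_misuse_rates` shows which TLDs in the record set are most often tied to fraud, and `registrant_clusters` surfaces groups of domains sharing a registrant email or name server.

```python
from collections import defaultdict
from datetime import date

# Constructed WHOIS-style records (not real data). 'flagged' marks domains the
# MDR team already tied to fraud during earlier casework.
RECORDS = [
    {"domain": "examplebank.com", "registrant_email": "legal@examplebank.com",
     "ns": ["ns1.examplebank.com"], "created": "2005-03-14", "flagged": False},
    {"domain": "examp1ebank.com", "registrant_email": "bulk-reg-77@mail.example",
     "ns": ["ns1.cheaphost.example"], "created": "2019-11-10", "flagged": True},
    {"domain": "examplebank-login.top", "registrant_email": "bulk-reg-77@mail.example",
     "ns": ["ns1.cheaphost.example"], "created": "2019-11-12", "flagged": True},
    {"domain": "secure-payments.top", "registrant_email": "bulk-reg-77@mail.example",
     "ns": ["ns2.cheaphost.example"], "created": "2019-11-15", "flagged": True},
    {"domain": "florist-shop.top", "registrant_email": "owner@florist.example",
     "ns": ["ns1.florist.example"], "created": "2018-06-01", "flagged": False},
    {"domain": "accounting-firm.com", "registrant_email": "it@accounting.example",
     "ns": ["ns1.accounting.example"], "created": "2012-01-20", "flagged": False},
]

# Digit-for-letter substitutions commonly seen in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(domain):
    """Crude split into (label, tld): 'examplebank.com' -> ('examplebank', 'com').
    Assumes a single-label TLD; use the Public Suffix List for real data."""
    label, _, tld = domain.lower().rpartition(".")
    return label.split(".")[-1], tld


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, protected):
    """Return the protected domain a sender imitates, or None. Catches digit swaps
    (examp1ebank), one-character typos, a different TLD, and the protected name
    embedded with extra words (examplebank-login). An exact match is not a
    lookalike: whether its headers are forged is for SPF/DMARC to decide."""
    label, tld = registrable(sender_domain)
    norm = label.translate(HOMOGLYPHS).replace("rn", "m")
    for p in protected:
        plabel, ptld = registrable(p)
        if (label, tld) == (plabel, ptld):
            return None
        if levenshtein(norm, plabel) <= 1 or plabel in norm.split("-"):
            return p
    return None


def tld_misuse_rates(records):
    """Share of flagged domains per TLD: are some TLDs misused more often?"""
    totals, flagged = defaultdict(int), defaultdict(int)
    for r in records:
        tld = registrable(r["domain"])[1]
        totals[tld] += 1
        flagged[tld] += int(r["flagged"])
    return {tld: flagged[tld] / totals[tld] for tld in totals}


def registrant_clusters(records, min_size=2):
    """Group domains sharing a registrant email or a name server: the record
    patterns that suggest one operator behind many domains."""
    groups = defaultdict(set)
    for r in records:
        groups[("email", r["registrant_email"])].add(r["domain"])
        for ns in r["ns"]:
            groups[("ns", ns)].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def triage_sender(sender_domain, protected, records, today, young_days=30):
    """Combine the signals for one inbound sender domain into a triage record."""
    rec = next((r for r in records if r["domain"] == sender_domain.lower()), None)
    age = (today - date.fromisoformat(rec["created"])).days if rec else None
    return {
        "sender": sender_domain,
        "lookalike_of": lookalike_of(sender_domain, protected),
        "domain_age_days": age,
        "newly_registered": age is not None and age < young_days,
        "tld_misuse_rate": tld_misuse_rates(records).get(registrable(sender_domain)[1], 0.0),
    }


if __name__ == "__main__":
    print(triage_sender("examplebank-login.top", ["examplebank.com"], RECORDS, date(2019, 11, 21)))
    for key, domains in registrant_clusters(RECORDS).items():
        print(key, domains)
```

The cluster view is the piece that scales: once one domain in a registrant or name-server cluster is confirmed malicious, the rest of the cluster becomes a watchlist before any of them appears in an alert.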

Cybercriminals are continuously enhancing tried-and-tested tools and tactics to inflict damage, and organizations with weak or inadequate defenses often end up as their victims. Companies need to enrich their threat intelligence to block threats at the source and make sure their domains are not being used for malicious activities.

About the Author

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the Whois XML API family, a trusted intelligence vendor by over 50,000 clients.

November 21, 2019


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.