The Internet can be a great place to hide. There are over 300 million domain names, over 4 billion IP addresses and many more nameservers, hostnames and email addresses within the infrastructure of DNS. Criminals make use of all of these resources to attack their targets, moving often and hiding in plain sight behind Whois privacy and shared hosting environments.
Within this context, threat intelligence analysts and incident response professionals must make critical decisions about proper defenses or countermoves. They need reliable information quickly, and must arm themselves with the best tools and data in order to expose threat infrastructure and defeat criminal networks. As of September 15, they have a potent new tool in the fight—DomainTools Iris.
Iris is a proprietary threat intelligence and investigation platform that combines enterprise-grade domain and DNS-based intelligence with an intuitive web interface designed to help security teams quickly and efficiently investigate potential cybercrime and cyberespionage.
DomainTools emphasizes several specifics on how Iris delivers on its customer promise:
- Better Data Yields Better Answers—Over the course of 15+ years, DomainTools has amassed the world’s largest database of domain profile information, which helps teams avoid the blind spots that often stymie investigations relying on inferior data sources.
- Designed By Investigators, For Investigators—DomainTools’ development team, many of them seasoned investigators in their own right, worked with some of the best security teams in the world to build a tool that reflects their best practices and methodologies.
- Changes the Economics of Attribution—The expense of hiring external expertise or assigning internal resources to adversary analysis has always been prohibitive. DomainTools Iris seeks to change the equation, enabling high-confidence profiling and attribution at costs far below traditional means.
- Provides Visibility Beyond the Firewall—Simply identifying malicious domains and IP addresses doesn’t protect organizations against the extended networks operated by threat actors. Iris gives organizations the ability to create forensic maps of criminal activity to triage threat indicators, assess risk, and prevent future attacks.
Inside the SOC:
There are specific ways in which security teams use DNS profile data in their moment-to-moment operations. Fundamentally, they continually seek the answers to two key questions: Who is attacking me? And what is the extent of their infrastructure? The answers to those questions help teams align their defenses with the threats they face.
The starting point is often a single IOC (indicator of compromise). Using Iris, the investigator then surfaces a larger network of connected infrastructure.
In the context of a “continuous security” model, they can use the intel data across tenses of time:
- Present: with a map of infrastructure connected to the original IOC, teams can immediately lock down against the extended list of assets, e.g. in firewall/IPS/UTM rules
- Past: analysts can query archived logs and alerts for the now-expanded list of infrastructure, to see if threat actors were previously operating on their network
- Future: DomainTools offers monitoring tools (separate from Iris) that allow the tracking of new registrations, hosting changes, and more, which can help defenders stay ahead of attackers’ moves
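The workflow sketched above, as an added illustration that is not DomainTools' or Iris's code: a seed IOC is pivoted through shared domain-profile attributes (hosting IP, nameserver, registrant email) to surface connected domains, the expanded set is turned into a block list for the "present" tense, and archived log lines are searched for the "past" tense. All domain names, IPs, email addresses and log lines are constructed (documentation address ranges and the `.example` TLD); the fan-out threshold that keeps a shared-hosting IP from dragging unrelated domains into the cluster is a check added here, not something the article describes.

```python
from collections import deque

# Constructed domain-profile records (hypothetical Whois/DNS fields).
# In a real investigation these come from a domain-profile data source.
PROFILES = {
    "login-secure-update.example": {"ip": "203.0.113.10", "ns": "ns1.bad-ns.example",  "email": "reg@mail.example"},
    "account-verify.example":      {"ip": "203.0.113.10", "ns": "ns1.bad-ns.example",  "email": "other@mail.example"},
    "docs-portal.example":         {"ip": "198.51.100.7", "ns": "ns1.bad-ns.example",  "email": "reg@mail.example"},
    "unrelated-shop.example":      {"ip": "198.51.100.7", "ns": "ns1.good-ns.example", "email": "shop@mail.example"},
    "blog-a.example":              {"ip": "198.51.100.7", "ns": "ns1.good-ns.example", "email": "a@mail.example"},
    "blog-b.example":              {"ip": "198.51.100.7", "ns": "ns1.good-ns.example", "email": "b@mail.example"},
}
PIVOT_FIELDS = ("ip", "ns", "email")


def _fanout(profiles, fields):
    """Count how many domains share each (field, value). A large fan-out
    marks a weak pivot, e.g. a shared-hosting IP or a registrar default NS."""
    counts = {}
    for prof in profiles.values():
        for f in fields:
            counts[(f, prof[f])] = counts.get((f, prof[f]), 0) + 1
    return counts


def expand_ioc(seed, profiles=PROFILES, fields=PIVOT_FIELDS, max_hops=2, max_fanout=3):
    """Breadth-first pivot from a seed domain to connected infrastructure.

    Returns (domains, edges, weak): the linked domains, an edge list that
    records why each domain was linked, and the (field, value) pivots that
    were skipped because more than max_fanout domains share them.
    """
    if seed not in profiles:
        return {seed}, [], set()
    counts = _fanout(profiles, fields)
    seen, edges, weak = {seed}, [], set()
    queue = deque([(seed, 0)])
    while queue:
        dom, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for other, prof in profiles.items():
            if other in seen:
                continue
            for f in fields:
                value = profiles[dom][f]
                if counts[(f, value)] > max_fanout:
                    weak.add((f, value))      # shared infrastructure: not evidence of a link
                    continue
                if prof[f] == value:
                    seen.add(other)
                    edges.append((dom, other, f, value))
                    queue.append((other, depth + 1))
                    break
    return seen, edges, weak


def block_indicators(domains, weak, profiles=PROFILES):
    """Present tense: indicators to push into firewall/IPS/UTM rules.
    IPs flagged as weak pivots are left out, since blocking a shared-hosting
    address would also cut off every unrelated tenant on it."""
    ips = {profiles[d]["ip"] for d in domains
           if d in profiles and ("ip", profiles[d]["ip"]) not in weak}
    return sorted(domains), sorted(ips)


# Constructed archived proxy log lines (past tense).
LOG_LINES = [
    "2024-01-03T10:11:02Z src=10.0.0.5 dst=203.0.113.10 host=login-secure-update.example action=allow",
    "2024-01-03T10:15:40Z src=10.0.0.9 dst=198.51.100.7 host=unrelated-shop.example action=allow",
    "2024-01-04T08:02:13Z src=10.0.0.12 dst=198.51.100.7 host=docs-portal.example action=allow",
]


def search_logs(lines, domains, ips):
    """Past tense: return archived log lines that touch any expanded indicator."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("host") in domains or fields.get("dst") in ips:
            hits.append(line)
    return hits


if __name__ == "__main__":
    doms, edges, weak = expand_ioc("login-secure-update.example")
    for src, dst, field, value in edges:
        print(f"{src} -> {dst} via {field}={value}")
    block_doms, block_ips = block_indicators(doms, weak)
    print("block:", block_doms, block_ips)
    for hit in search_logs(LOG_LINES, doms, set(block_ips)):
        print("past hit:", hit)
```

With the constructed data the seed links to `account-verify.example` through the shared IP and to `docs-portal.example` through the shared registrant email and nameserver, while the four tenants of `198.51.100.7` stay out of the cluster and that IP is kept off the block list; the log search then surfaces the two earlier connections to the cluster's domains that an analyst would want to triage.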
Who Uses Domain Profile Threat Intelligence Data?
Many of the largest organizations in the world, across all major verticals, are already power-users of DomainTools. Not surprisingly, these tend to be sophisticated shops that often consume threat intelligence data at large scale via APIs. With Iris, DomainTools intends to democratize threat intelligence by bringing this power to a much broader spectrum of organizations.