Q: Why is DNS data important in threat investigation?
A: Government, law enforcement and enterprises use DNS data to investigate the organization behind a domain and map the online networks of criminal organizations in order to stop future attacks.
Actors borrow IP addresses but register domains, which means that domain names inherently reveal intent and are an important tool in cyber forensics. For instance, a maliciously registered domain dressed as a well-known brand can be used in phishing attacks to lure unsuspecting victims to websites that host malware.
Q: What data is utilized in DNS research?
A: When DomainTools first launched Iris, it had the world’s best Whois data and tools, and it has now integrated multiple leading ‘passive’ DNS data sets, including the highly regarded Farsight DNSDB. In doing so, we’ve expanded the ability of Iris to give more and better answers about domain names, IP addresses, hostnames, email addresses and more.
Q: What sparked the need for the integration of passive DNS data?
A: Whois and passive DNS are the bread and butter of forensic data sets for many security researchers. Most of our enterprise customers further along the maturity curve are consuming both, and often doing so as separate feeds and separate contracts in order to have confidence they have their hands on the best quality data available for their important work. But many security teams lack the budget, the backend data stores or the staff to customize at this level. With this partnership, DomainTools now brings the highest quality data sets together within the Iris platform, making threat intelligence workflows faster, more powerful and much more accessible.
Q: How does passive DNS data work for forensic data analysis?
A: It is an ideal complement to the Whois and Active DNS data. Passive DNS data excels at giving customers better answers when they are starting with IP addresses as the IOC (indicator of compromise). When they are investigating badness at the subdomain level, understanding the configuration of internet resources at a specific point in time is critical to their reporting and response.
Q: How does Whois data work with passive DNS data?
A: Whois data coupled with passive DNS shifts an investigation from often inconclusive IP data to specific domains and threat actors. Iris was purpose-built to enable precisely those kinds of pivots, and that makes it ideally suited to extract deeper meaning from a passive DNS query. A truly comprehensive view of a threat can only be obtained by taking a holistic approach that combines infrastructure, actor information, and enriching profile data such as screenshots or web server data.
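The IP-to-domain-to-actor pivot described above, as an added illustration that is not DomainTools' or Farsight's code: starting from an IP indicator, passive DNS observations (restricted to a time window, since old resolutions to a reused address are noise) yield the hostnames that resolved to it, and Whois registrant data on those domains reveals sibling domains sharing the same registrant. The records, domains, email addresses and helper names are constructed for the example.

```python
# Added example: pivot from an IP IOC through passive DNS to Whois registrant data.
# All records and helper names below are constructed; they are not real data.
from collections import defaultdict

# Constructed passive DNS observations: (rrname, rrtype, rdata, first_seen, last_seen)
PDNS = [
    ("login.example-bank.test", "A", "203.0.113.10", "2023-01-04", "2023-02-01"),
    ("cdn.example-bank.test",   "A", "203.0.113.10", "2023-01-10", "2023-01-30"),
    ("news.innocent.test",      "A", "203.0.113.10", "2019-05-01", "2019-06-01"),
    ("secure-updates.test",     "A", "198.51.100.7", "2023-01-12", "2023-02-03"),
]

# Constructed Whois records keyed by registered domain.
WHOIS = {
    "example-bank.test":   {"registrant_email": "ops@mailer.test", "created": "2023-01-02"},
    "innocent.test":       {"registrant_email": "admin@innocent.test", "created": "2012-03-09"},
    "secure-updates.test": {"registrant_email": "ops@mailer.test", "created": "2023-01-11"},
}

def registered_domain(hostname):
    # Simplified to the last two labels; real tooling uses the Public Suffix List.
    return ".".join(hostname.split(".")[-2:])

def domains_for_ip(ip, seen_after):
    """Hostnames observed resolving to ip whose last_seen falls on or after seen_after.
    The window matters: an address reused years apart links unrelated tenants."""
    return sorted({r[0] for r in PDNS if r[1] == "A" and r[2] == ip and r[4] >= seen_after})

def pivot_from_ip(ip, seen_after):
    """IP -> hostnames (passive DNS) -> registrant email (Whois) -> sibling domains."""
    hosts = domains_for_ip(ip, seen_after)
    emails = defaultdict(set)
    for h in hosts:
        d = registered_domain(h)
        if d in WHOIS:
            emails[WHOIS[d]["registrant_email"]].add(d)
    # For each registrant seen, list every known domain registered with that email,
    # which surfaces infrastructure not yet observed on the original IP.
    related = {e: sorted(d for d, w in WHOIS.items() if w["registrant_email"] == e)
               for e in emails}
    return {"hosts": hosts, "registrants": related}

if __name__ == "__main__":
    print(pivot_from_ip("203.0.113.10", "2023-01-01"))
```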