Many modern enterprises today have found Security Information and Event Management (SIEM) tools to be invaluable. The reason for this is that these tools have become the eyes and ears of cybersecurity teams, providing them with the ability to identify network concerns and monitor threats.
Yet even the most popular SIEM tool lacks the capability to understand key aspects of a cyber attack, which is crucial for overall situational awareness. This kind of awareness is primarily concerned with reinforcing defenses at all stages of a security cycle — starting from prevention to detection all the way up to mitigation — that ultimately contribute to predicting and preventing future attacks.
Since most network threats today involve abusing domains, SIEM tools can only provide part of the details required. They can tell you the “what” but not always the “who” in an incident, which is essential for assessing risks and improving an organization's defenses.
Additionally, a flagged malicious or suspicious domain is usually just part of a bigger picture. There may be other connected domains, especially if the attack is carried out by a cybercriminal ring. After all, many cybersecurity practitioners have come to learn that knowing the source of an attack can point to ways of preventing the next one. But this requires identifying all the parts of a complex network.
What Most SIEM Tools Do Not Cover
SIEM has become an indispensable component of compliance and threat analysis procedures. But despite being able to provide relevant details on what’s happening within a company’s network, many SIEM tools lack the capability to connect the information gathered on various domains. This is especially true when dealing with more than one attacker.
When talking about cybercrime such as phishing, malware attacks, spamming, botnet-instigated attacks, brand abuse and the like, threat actors use at least one domain or IP address for their vile deeds. As a result, cyber threat investigators need to follow several leads so that specialists can identify the connections between domains, nameservers, and other data points. This allows them to paint the bigger picture and identify all the components of an attack. The process is called forensic domain mapping.
What Is Forensic Domain Mapping?
In essence, forensic domain mapping is finding out the relationship between domains based on several data points. It aims to gather as many concrete pieces of information as possible connected to an offending domain. These validated fragments of data are then used to establish links between the original malicious domain and the entire web of other online holdings related to an attack.
But building a forensic domain map is more challenging now than it used to be, especially since domain privacy was introduced back in 2003. However, there are still ways for a company to determine links between a domain owner and a network of IP addresses. One way of doing so is by looking at registration records from a WHOIS database download.
What Can a WHOIS Database Download Contribute to an Ongoing Forensic Investigation?
A WHOIS database download provides users with information on active domains that span both the gTLD and ccTLD spaces. This means you can access details on domains that have extensions such as .com, .net, .uk, .ru, and many more.
Many data points from such a service can be used to streamline the forensic domain mapping process, including:
- Registrant’s contact information: In some cases, this can help users identify the actual domain registrant. This can serve as a starting point for creating a web of connections by identifying all domains that the same registrant owns. It tells you what organization the owner is affiliated with, along with where to find and how to contact them. Inconsistent details (a mismatch between company name and address, perhaps) can be an indicator of malicious intent.
- Registrar: If a domain’s WHOIS information has been kept private, you can still see details about the registrar. In such cases, specialists can contact the registrar to find out more about the domain’s owner. This will, of course, require subpoenas and other similar documents.
- Domain registration and expiration dates: Cybercriminals often register multiple domains to evade detection and blocking. Thus, domains that do not seem to be related but share the same registration date could be considered suspicious and worth examining together.
All of these details can provide additional insights on malicious entities during cyber investigations. This knowledge is especially valuable during a security event, when the extent of a network attack must be identified quickly before things get worse.
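As an added illustration of the pivots just listed (this is example code, not part of the original article or any WHOIS product), the following Python clusters constructed WHOIS records by shared registrant e-mail, nameserver and creation date. It skips privacy-proxy contacts, which would otherwise join unrelated domains, and never links two domains on a shared creation date alone; all domains, e-mail addresses and nameservers are placeholders.

```python
from collections import defaultdict
from itertools import combinations

# Pivot weights: a shared registrant e-mail links on its own, a shared
# nameserver plus the same creation date links, a shared date alone never does.
WEIGHTS = {"email": 3, "nameserver": 2, "created": 1}
LINK_THRESHOLD = 3
PRIVACY_MARKERS = ("redacted", "privacy", "proxy")

# Constructed sample WHOIS records (domain, registrant e-mail, nameservers, creation date).
RECORDS = [dict(zip(("domain", "email", "nameservers", "created"), r)) for r in [
    ("secure-login-update.example", "ops@badmail.example", ["ns1.host-a.example"], "2023-05-14"),
    ("account-verify-now.example", "REDACTED FOR PRIVACY", ["ns1.host-a.example"], "2023-05-14"),
    ("invoice-portal-x.example", "ops@badmail.example", ["ns9.other.example"], "2022-01-02"),
    ("unrelated-shop.example", "REDACTED FOR PRIVACY", ["ns2.bulkdns.example"], "2023-05-14"),
    ("family-blog.example", "me@personal.example", ["ns2.bulkdns.example"], "2019-08-30"),
]]

def is_privacy_contact(email):
    """Privacy-proxy contacts are shared by thousands of registrants, so never pivot on them."""
    return any(m in email.lower() for m in PRIVACY_MARKERS)

def shared_evidence(a, b):
    """Return the (pivot, value) pairs two WHOIS records have in common."""
    ev = []
    if a["email"] == b["email"] and not is_privacy_contact(a["email"]):
        ev.append(("email", a["email"]))
    for ns in sorted(set(a["nameservers"]) & set(b["nameservers"])):
        ev.append(("nameserver", ns))
    if a["created"] == b["created"]:
        ev.append(("created", a["created"]))
    return ev

def map_domains(records, threshold=LINK_THRESHOLD):
    """Cluster domains whose combined shared evidence reaches the threshold (union-find)."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    links = {}  # (domain_a, domain_b) -> evidence that linked them
    for a, b in combinations(records, 2):
        ev = shared_evidence(a, b)
        if sum(WEIGHTS[k] for k, _ in ev) >= threshold:
            links[(a["domain"], b["domain"])] = ev
            parent[find(a["domain"])] = find(b["domain"])
    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return sorted(clusters.values(), key=lambda s: (-len(s), min(s))), links
```

With these records the three phishing-style domains end up in one cluster through the shared e-mail and the nameserver-plus-date pivot, while the two domains that merely share a registration date or a bulk DNS provider stay separate.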
It is no secret that companies, particularly large enterprises, depend on SIEM tools to reinforce their cybersecurity defenses. Yet not all of these solutions cover everything, especially with regard to external domains. For this, WHOIS Database Download can be employed to gain valuable insights that can assist in completing forensic investigations.