Investigating a cybersecurity incident sometimes begins with a look at the WHOIS records of offending domains. A registrant name or organization, current or historical, could possibly point to who is connected to an attack. A public registrant email address, meanwhile, could let you expand the list of artifacts that your organization should block access to, possibly adding an extra layer of protection for your network.
You can get a lot more information from WHOIS records in some cases, specifically if you take the history of every domain of interest into consideration. A domain history checker can be of help there by easing the process of going as far back in time as possible into the activities a web property has been involved in.
Domain history checkers have various uses that include marketing and domaining but this post will focus on how they can help with cybersecurity.
Third-Party Risk Management
A study released in the first half of this year revealed that almost half (44%) of the organizations surveyed suffered from a data breach due to giving third parties unfettered and insufficiently secured access to their network.
Companies need to assess outsiders before allowing them to access their systems and data. They must ensure that third parties can only see and open files related to what the organizations hired them for. Prior to that, however, all external parties should have been vetted in terms of how secure their networks are. None of their domains should have been involved in malicious activities in the past, as that could translate to weak security, which could put their data and network at risk.
An example would be domains that share email registrants with age-old threats like Conficker, a worm that made waves as far back as 2008 but as a recent study revealed remains alive. A scrutiny of the known email addresses used to spread the malware over the years turned up more than 4,000 domains registered in 2019 and earlier. Without the help of a domain history checker, researchers may not have been able to determine that and steer clear of those dangerous web properties, which could possibly belong to a third party that you gave permission to access your network.
Threat IoC List Expansion
As has been mentioned earlier, using details found via a domain history checker, such as a registrant name, organization, or email address, can help companies avoid as many threat vectors as possible, thus improving their cyber resilience.
We have seen this approach applied to a disinformation campaign whose perpetrators’ domains were recently seized. Despite the authorities’ efforts, however, a few web properties that could prove harmful for visitors remain up and running.
In that particular case, a domain history checker proved very helpful, as it narrowed down the list of possible attackers to a single individual and email address. And armed with that information, additional domains and even nameserver addresses were also identified. All these could be added to blocklists.
Given the widespread practice of WHOIS record redaction for privacy protection, attacker identification has certainly become more difficult. Fortunately, it remains possible with a little more digging, specifically sifting through past records aided by a domain history checker.
Studies that expanded a list of publicized SolarWinds attack IoCs revealed that most of the domains used as entry points were not new. A sample domain whose most recent WHOIS record has been redacted is digitalcollege[.]org (even prior to repossession after takedown). But since it had historical records that could be accessed using a domain history checker, you could end up with a registrant name, organization, and email address that would be a starting point for an in-depth investigation.
Domain history checkers have other cybersecurity uses, of course, but the three featured here are probably the most useful given the current security landscape. Third parties can put your organization at great risk if not vetted as well as you could. Expanding IoC lists is a great way to beef up your network protection, as you cover as wide a base as possible. And given WHOIS record redaction, it has become way harder to get to the bottom of a cyber attack. Domain history checkers can help with all of those things.