Home ShopTalk Bad Will Hunting: DomainTools Scours for Cyber Security Threats

Bad Will Hunting: DomainTools Scours for Cyber Security Threats

For years, Seattle’s DomainTools was recognized as the go-to resource for domain profile information and Whois data.

Then, in 2014, the company made a decisive pivot into cyber security. Logic would dictate that every security investigation starts by pursuing who is behind the attack. Tracing IP routes and then understanding what other Internet resources are owned or controlled by the attackers are both central to the DomainTools repertoire.

We sat down with DomainTools executives, Tim Chen and Tim Helming, to see how the good willed hunts are going to ferret out the ill willed intentions of hackers.

Tim Chen was appointed as CEO during the May 2009 spin out of DomainTools from Thought Convergence, Inc. Before joining DomainTools, he spent a year as TCI’s Vice President of Corporate Development and 2.5 years leading the domain acquisition efforts for Internet REIT, one of the first venture funded domain investment companies.  A Phi Beta Kappa graduate of Haverford College, he has an MBA from Stanford University.

Tim Helming has over 13 years of experience in cybersecurity, from network to cloud to application attacks and defenses. Prior to joining DomainTools, he helped define and launch some of the best-selling SMB security appliances in history during his tenure at WatchGuard. Tim has spoken at security conferences, media events, and technology partner conferences worldwide.

Seattle24x7: What was the actual pivot point for DomainTool’s new direction and mission?

Tim Chen: This came from our customers. We had some large customers who let us know about these security use cases prior to 2014. That started to happen more often, and as we gathered data on how many of our customers used our data for security-related purposes, we realized there was a big opportunity there and there’s a lot more we can do for those customers.

Seattle24x7:  Your product Iris examines DNS Datasets to expose perpetrators. Is this type of information definitive? Are there ways that hackers can spoof their DNS identities? What other analyses does Iris perform?

Tim Helming: There are multiple data sets in Iris, some of which are DNS and some of which are other kinds of data such as screenshots, or web server information, and all of those can potentially play a role in any given investigation.

We collect many, many different data points because any one of them can be an important connector to build a map of an adversary’s holdings. As to whether the information is definitive, this information is empirical and exists in resources like registries and registrars, Whois records, that sort of thing. We aren’t presenting opinions or deriving interpretations.

This doesn’t mean it is necessarily accurate information about the hackers, who absolutely spoof their identities. Domain registrars do not force you to be truthful about who you are.

For example, Superman has tons of domains, Darth Vader has tons of domains. Now, although these are spoofed names, the people behind these spoofs often reuse the information they used to register domains, whether that’s a name or an address or an email address or phone number. (They reuse them because it’s fast and/or economical, etc.)

When they’ve done that, you can map all of those things to get an idea of how big they are or what their assets are like, but interestingly, sometimes they don’t repeat everything. There may be an element that’s exposed that reveals identity. They might have 10 domains, nine of which are anonymously registered and the tenth one might have an email address that’s exposed. You know they’re related because they share an IP address/screenshot/ or because the domain names are similar or registered on the same day. Therefore you may have very strong circumstantial evidence that the email you discovered is tied to those other domains.


Seattle24x7:  Are security companies the principal clients of DomainTools for your cyber threat intelligence software? What other types of companies are using, or would benefit, from the technology?

Tim Chen: To clarify, there is no installed software, it’s a browser-based delivery, or very often customers connect via our APIs.

While there are security companies that are using our intel and data, any company can benefit from this kind of intelligence. As we have seen so often this past year alone, hackers are not discriminating between consumers, small businesses, large enterprises, or governments. Anyone with a website is potentially at risk.

Seattle24x7:  Earlier this year, DomainTools sponsored a survey with an interesting title:  Threat Hunting: Open Season on the Adversary Survey.  The research revealed that 85 percent of enterprises have already some form of Threat Hunting to aggressively track and eliminate cyber adversaries as early as possible. Has Threat Hunting become the most effective cybersecurity countermeasure as a “best practice?”

Tim Chen:  It’s very important, there is no doubt about it, but it would be hard to say this is the absolute most effective security measure. Part of the reason it’s so important is the fundamental mindset shift that occurs within the organization. Instead of waiting for something bad to happen, I’m going to assume something bad is happening, or will, 24/7/365.

Now if I have that mindset, I’m prone to catch things and if I augment that with the skillset of experienced threat hunters, I am going to catch more. It’s not fool-proof or 100% effective, but you will catch more –  and earlier – than if you wait to find out the hard way. If you build the security mindset throughout your company, employees could be a great sensor point and think twice about clicking on an email. Instead of looking at your employees as a danger, look at them as a sensor network which can alert you to malicious activity before it causes harm.

Seattle24x7: Is it safe to say that the digital fingerprints left by hackers are not invisible? For example, the hacking of the Democratic National Committee emails that were exposed through WikiLeaks were traced back to a spoofing incident that was phished by a known entity. I believe that news reports revealed the phishing originated from outside of Russia, but the hackers were known to have worked with the Russian government in the past. Was the confidence level of the identification 100%?  Are you aware of how the determination made? 

Tim Helming: There are often quite strong circumstantial markers of where an activity came from. Sometimes some of the strongest ones are in the data we collect, like Whois records, that will show a domain was part of an attack was registered in a certain country, or by a person who seems to be in that country.

Is that definitive proof? Not really. You can go to the Whois record for microsoft.com and for reasons I just described, you can be pretty sure Microsoft registered it, but since the registrar doesn’t verify, you can’t be 100% certain unless you observe the person making the registration. I’m exaggerating a little to make the point—microsoft.com is absolutely legitimate—but it’s so easy to spoof domains.

I could go to GoDaddy to register a website and give an email address that uses a Russian TLD, such as ‘.ru’, and give an address in Moscow. But as an investigator you start to build the case when multiple clues are pointed in the same direction. Where is the domain registered, where are the name servers, what is the IP address, etc.? It is almost always a matter of circumstantial evidence, but the evidence can be strong. You can get to a high-enough confidence that enables decision making and reasonable inferences.

Seattle24x7: Has DomainTools investigated any of the other hacking incidents that have made headlines in recent years?

Tim Helming: While we do not provide investigative services, we do run our own investigations internally, out of curiosity or to exercise the product and data to make sure they’re as powerful as they can possibly be. Sometimes we will blog about investigations we’ve done (typically low-level phishing campaigns, not nation-state level hacks).

Seattle24x7: Is there a national clearinghouse for reporting phishing attempts that individuals can use? Like a “blacklist” against spammers?

Tim Helming: Yes, there are multiple places where you can report phishing. Google itself has a blacklist, the government has one, etc. For example, the concept of the RBL (Real-time blackhole list) has existed since before the Clinton administration. They store IP Addresses that are used to send unsolicited or undesired mailings, with the goal of stopping spam and junk email. It is free to use and open to the public.

Seattle24x7:  This month you announced the launch of another new product, PhishEye, which you describe as a simple yet effective new security solution that helps to prevent phishing attacks before they happen. What can you tell us about PhishEye? How can the mapping of domains in DNS expose phishing schemes?  Does the preventative measure against phishing need to occur ahead of a phishing attempt, in real time, or after someone has been phished?

Tim Helming: Phishing is the most often-used vector in successful data breaches; it targets an organization’s employees, its customers, or the world at large, with alarming effectiveness.

Domains are used in phishing attempts in interesting ways, such as spoofing a legitimate company or brand. As a simple example: spelling Microsoft with a 0 instead of o in the URL. Unassuming consumers could click on www.micr0s0ft.com and be shown a lookalike website, where they will proceed to try to buy a tablet or game console, enter private information, and then realize that they were duped when they do not receive the product.

PhishEye and Iris: a 1-2 Punch Against Phishers

Discovering suspicious or malicious domains is valuable, but it is often necessary to go deeper, to understand more about the threat actors who register these domains, and the infrastructure they control. DomainTools Iris provides unparalleled visibility into domains, registrants, IP addresses, and other profile information that helps complete the picture of an adversary. With a click, you can export the domains discovered in PhishEye into Iris. Then, by examining and pivoting on the multitudes of data points in Iris, you may discover much more about the adversary, in order to build more comprehensive defenses against them.

Not only does this hurt the consumer, it hurts the Microsoft brand name. PhishEye is designed to detect those patterns and flag them as soon as those domains are registered. It shows you existing and new domains that spoof legitimate brand, product, organization, or other names, so that security teams can carry out defensive or investigative actions against them.

PhishEye not only monitors for set domains that are flagged, but will help a team identify all of the spoofing possibilities. By the way—many of the spoofs are much more subtle and sophisticated than the simple swap of 0 for o. PhishEye catches many variants that are not at all obvious to the human eye.

Seattle24x7:   Does DomainTools have a security solution for threats against the Internet of Things (IoT)? Said differently, can IRIS be used to detect threats against IoT objects that are not in the human sphere?

Tim Helming: Yes and no. One of the big problems with IoT is a lot of devices are not treated like computing devices. They’re connected directly to the internet without any security. In these cases, not only are you not protecting them, but you also can’t even see what they are sending back and forth. If you are treating them like other computer devices, protecting them with firewall, IPS, etc., then you have similar options to what you have for investigating attacks on a laptop, server, etc.

For example, if you discover that an IoT device—say a webcam—is communicating randomly with the internet, and you discovered this because you saw in your firewall/DNS log, then you can use Iris to learn more about whatever it was trying to connect to. Perhaps it has become part of a botnet and is now sending spam across the internet.

One thing you can do is simply this: do not just plug your device into the router without knowing the level of protection installed on that device.

Solving this issue is complicated. One thing you can do is simply this: do not just plug your device into the router without knowing the level of protection installed on that device.

For consumers who want to protect their IoT devices, a lot of personal Wi-Fi routers do have some good firewall systems available, but those can be complicated to set up. Generally, the devices themselves can be configured to be more secure, but again, that is not easy for consumers in a lot of cases.

Yet another problem to watch out for is that some of these devices don’t let you change your password. By now, we know that having strong passwords is important, and knowing that anyone can look up the password of your baby monitor online doesn’t seem like the best idea. Hopefully soon there will be some improvements and IoT devices will be given the same amount of protection as other computing devices, either through the manufacturers or, if necessary, by regulation.

Seattle24x7: What future products and plans are on the roadmap for DomainTools going forward?

Tim Chen: Hackers are getting more sophisticated and we need to stay one step ahead of them. We are always looking for new data sources that we can select and cross-reference with existing data to provide more information and a better map to our customers. Beyond that, we are looking into other ways we can solve more specific problems, the way we did with PhishEye and phishing, because we know there’s a huge amount of power in this data that can be further realized. [24×7]


Previous articleBlocking the Ban: Amazon, Expedia and Microsoft Aid AG With Declarations of Support
Next articleWhat Would Tech Look Like Without Immigrants?