As the flood of malware and indicators of attack grows, security analysts need more automated systems or they risk drowning while looking into suspicious activity.
The latest comes from DomainTools, a popular service for domain name and DNS research, which last week launched its new Iris web site to help security teams quickly investigate indicators of attack.
The Seattle company has a huge repository of Whois data across all international top-level domains, as well as other information useful to analysts. Until now, customers used APIs to pull its datasets into their event management and analysis tools, or used separate Web-based lookup systems on DomainTools' web site to retrieve historical data. The problem was that those tools weren't integrated, so analysts had to search for each item individually.
With Iris “we’ve taken all our Whois data, fully parsed it, stored it in an extensible database, added all the DNS data stores … and then provisioned a tool that can look across all of this data,” CEO Tim Chen said in an interview.
In addition, Iris has a reputation engine that assigns risk scores to domains based on a check against known blacklists. Finally, it can display search results graphically so analysts can better visualize the relationships between them.
Infosec pros want tools that work at scale because their alerting systems are flagging 10,000 domain names a day, Chen said.
The origin of a suspicious email address or URL seen by those systems often needs to be investigated. Some security software and services do what he calls passive DNS scanning, but Chen said DomainTools offers what is in effect a map of the Internet. He estimates the company has data on 280 million of the roughly 300 million domains on the Web. And while a domain's registration may be private now, if it was public in the past DomainTools could have a record of it.
Information on who registered a domain, IP address or email address can help analysts decide whether something needs to be blocked, or whether malware has been on their systems for a while, by giving context to the code they are looking at.
Iris allows analysts to open what it calls an investigation, which keeps a record of all searches so the analyst can go back and confirm the steps taken. Search results can also be downloaded as a .csv file for use in the analysts' other tools.
The goal of Iris is in part to give medium-sized organizations better access to DomainTools services, and in part to expand the company's brand in threat intelligence.
Tim Helming, director of product management, said a company could use Iris to investigate a phishing attempt that included a spoofed link to a malicious document on a lookalike Google Docs domain. A search would show information on the domain, including the registrant. The analyst can then pivot to see what other domains that registrant holds, such as ones spoofing bank names, and look for other shared patterns.
“We can predict the badness of new domains as they come online and have been weaponized,” Helming said, “or existing domains that might be dormant that might be activated sooner or later.”
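The registrant pivot Helming describes, the blacklist-based risk score mentioned earlier, and the .csv export can be shown together in a small script. The code below is an added illustration, not DomainTools or Iris code: the Whois records, registrant emails, name servers, blacklist and brand list are all constructed and fictitious, the parsed field names and the pivot weights are assumptions, and the scoring is a simple heuristic rather than DomainTools' reputation engine. Note the caveat built into the weights: a shared registrant email is strong evidence of common ownership, while a shared name server is weak, because shared hosting puts many unrelated domains on the same name server.

```python
"""Registrant/name-server pivot over parsed Whois records, with a simple
blacklist- and lookalike-based risk score and CSV export.

Added example, not DomainTools/Iris code. Every domain, email, host and
list below is constructed and fictitious; field names are assumed."""
import csv
import io
from collections import defaultdict

# Constructed Whois records in a "fully parsed" shape (field names assumed).
WHOIS = [
    {"domain": "g00gle-docs-share.example", "registrant_email": "ops@drop.example",
     "name_server": "ns1.cheaphost.example", "created": "2015-05-02"},
    {"domain": "examplebank-secure-login.example", "registrant_email": "ops@drop.example",
     "name_server": "ns1.cheaphost.example", "created": "2015-04-28"},
    {"domain": "paypa1-verify.example", "registrant_email": "ops@drop.example",
     "name_server": "ns9.other.example", "created": "2015-05-03"},
    {"domain": "harmless-blog.example", "registrant_email": "jane@personal.example",
     "name_server": "ns1.cheaphost.example", "created": "2012-01-10"},
    {"domain": "unrelated-shop.example", "registrant_email": "shop@store.example",
     "name_server": "ns2.elsewhere.example", "created": "2010-06-15"},
]

# Constructed blacklist standing in for the feeds a reputation engine checks.
BLACKLIST = {"paypa1-verify.example"}

# Brands a phishing kit is likely to imitate (assumed list).
BRANDS = ["google", "examplebank", "paypal"]

# Pivot fields and the evidence weight of a shared value. Registrant email is
# strong; a shared name server is weak because shared hosting is noisy.
PIVOT_WEIGHTS = {"registrant_email": 3, "name_server": 1}

# Undo common digit-for-letter substitutions before matching brand names.
LEET = str.maketrans("01345", "oleas")


def looks_like_brand(domain):
    """Return the brand the first label imitates after undoing leet swaps, or None."""
    label = domain.split(".")[0].translate(LEET).replace("-", "")
    for brand in BRANDS:
        if brand in label:
            return brand
    return None


def pivot(records, seed):
    """Find domains sharing pivot fields with `seed`, scored and sorted high to low."""
    by_domain = {r["domain"]: r for r in records}
    seed_rec = by_domain[seed]
    hits = defaultdict(lambda: {"score": 0, "shared": []})
    for rec in records:
        if rec["domain"] == seed:
            continue
        for field, weight in PIVOT_WEIGHTS.items():
            if rec.get(field) and rec[field] == seed_rec.get(field):
                hits[rec["domain"]]["score"] += weight
                hits[rec["domain"]]["shared"].append(field)
    rows = []
    for domain, hit in hits.items():
        brand = looks_like_brand(domain)
        blacklisted = domain in BLACKLIST
        score = hit["score"] + (2 if brand else 0) + (2 if blacklisted else 0)
        rows.append({"domain": domain, "score": score,
                     "shared": ",".join(hit["shared"]),
                     "brand": brand or "", "blacklisted": blacklisted})
    rows.sort(key=lambda r: (-r["score"], r["domain"]))
    return rows


def to_csv(rows):
    """Serialize pivot results to CSV text for import into other analyst tools."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["domain", "score", "shared", "brand", "blacklisted"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(pivot(WHOIS, "g00gle-docs-share.example")))
```

Run against the constructed data, the seed's registrant email pulls in the fake bank and fake PayPal domains, the blacklisted one scoring highest, while the harmless blog that merely shares a name server lands at the bottom, which is the distinction an analyst has to make before turning a pivot into a block list.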
DomainTools sells its services directly.