A part of the industry for around twenty years, DomainTools uses active and passive DNS (Domain Name System) data to create cybersecurity intelligence for its customers. Tim Durant, Vice President of Channels and Alliances, explained:
“DNS is like the fingerprints or the activity on the internet. So we’re mapping all those fingerprints.”
Its data sets are unique, giving a different picture of cyber threat infrastructure from the one typically available, and governments, enterprises, and other cybersecurity companies all use DomainTools’s data.
Senior Cybersecurity Consultant Oliver Tonge added:
“One of the things we’ve done in the past is set up an account. Maybe there’s an incident around a particular brand; with access to such an account, [a customer] is able to get the most of our intelligence on that to build a story around it… It’s almost guaranteed that there’s something in our data to shine a brighter light on the activity of the threat actors.”
Having recently announced a new DomainTools product, Iris Detect, Durant was excited about the simplicity of the interface. Even for a person who lacks cybersecurity knowledge, it is intuitive and easy to use. Someone could enter their company’s domain name and very soon after see a risk score reported for it, along with the number of spoofs using that name and the number of phishing threats. And it all happens close to real time.
“50 of the top global 100 companies use us already,” Durant noted.
How do DomainTools’ customers use this data?
According to Tonge, it depends on which industry the customer comes from. Whether banking, law enforcement, or government, each of these has its own use cases. Law enforcement, for one, is less interested in spam and phishing and more interested in malware. Pre-emptively, DomainTools is able to provide intelligence on the threat actor infrastructure relevant to the industry in question.
This data is also used in post-incident scenarios. Say all the credentials from a domain were leaked; DomainTools’s data and machine learning tools then help answer questions such as who was behind the attack, where it came from, what infrastructure was deployed, and who else might be affected by the same, or a similar, threat.
“It’s not just historical data, it’s also predictive data,” Tonge said.
And DomainTools doesn’t just provide data to paying customers either.
“Before the pandemic struck, there were about 6 domains globally with the term Covid in it or related to Covid. Not long after, that number went up to 64,000 domains. Some of them were legitimate, like government organisations providing Covid health infrastructure and community support. But you can guess the vast majority was illegitimate, capitalising on people’s fears,” Tonge said.
With spoof sites looking to rake in money and information from a worried public, DomainTools stepped in to provide some guidance. Free of charge, it made a site with Covid block lists available to anyone on the internet as a continuously updated service. It offered the same at the start of the Russia-Ukraine war.
“One of the things that really drives everyone at DomainTools is the mission to make a secure and safer internet for everyone. And that’s a reward in itself.”
It’s a rewarding job, but it’s also a big one. As the industry moves forward, the data never stops coming in and neither do the threats. Capturing 5-6 million new and updated domains per day keeps DomainTools busy. Presenting that data to customers in a digestible, meaningful format means sifting through billions of feeds of data at machine scale. Durant said that even some of the largest technology companies have tried to do it themselves, only to return to DomainTools’s services.
“There’s always more than enough work for us to do,” he added. “We need to continue to find ways as we capture this data to make it useful and helpful to make the internet a safer place.”
Is it feasible that one day there will be a safe internet?
“I don’t believe there’s ever a 100% safe [internet]. There’s always that cat and mouse game. Someone who’s just ahead. It’s just the nature of bad players. We’re in the cyber world, what we’re talking about here, but it’s true in the real world. No bank is 100% safe from being robbed,” Durant said.
Slowly but surely, law enforcement is catching up to the bad guys, Tonge added. While the EU’s GDPR (General Data Protection Regulation) didn’t quite have the result that everyone was hoping for, the intent was good. Will we ever get there? Potentially not, but cybersecurity and law enforcement are not as far behind as they were just ten years ago. To make a safer internet, however, international cyber police cooperation is integral. Historically, investigators have been limited in policing cyber-crime that crosses national borders.
Yet overall, DomainTools is optimistic about the future of the internet, and about its role in making it safer.
“Look at how many technology companies are in this space,” Durant said, gesturing around to the other attendees of Infosecurity Europe. “There’s a lot of smart people that are trying to solve a lot of hard problems.”