Cybercriminals often leave a lot of digital crumbs, and when organizations get attacked, finding those clues can help reveal who is attacking and why.
For 15 years, a small company called DomainTools, based in Seattle, has collected vast amounts of information about the Web: historical domain name registrations and network information, all of which are extremely valuable in investigating cyberattacks.
Using its tools makes it possible, for example, to see what other websites are using a particular IP address, what email address was used to register them, DNS servers and other information.
But DomainTools’ Web-based interface wasn’t designed in a way that reflected the workflows that investigators follow when probing cyberattacks and the speed at which they need to collate large amounts of information.
Even organizations that are quite advanced for cybersecurity investigations were cobbling together investigative methodologies “since they didn’t have the tools they needed in one place that embraced their workflows,” said Tim Helming, director of product management with DomainTools.
“These guys are pressured for time,” he said. “They need answers quickly.”
So the company built a new product, Iris, which is a Web-based platform that makes it easier for investigators to follow clues, keep track of how they found those clues and put together a clear dossier on a threat actor.
Domain Tools does offer APIs to its data sets, but many companies don’t have the resources to integrate them into their systems and still favor a Web-based interface, said CEO Tim Chen.
Iris keeps track of a user’s search history, which makes it easier to go back weeks after an investigation and figure out how a conclusion was made.
Anyone who has researched a dodgy domain name knows that it’s easy to go down a rabbit’s hole, starting with a single domain name and email address and hours later unfolding a mass of seemingly related data.
“We wanted to help people have a map back out of the rabbit’s hole,” Helming said.
Iris also has a visualization feature — similar to that in the popular open-source intelligence tool Maltego — which maps out whois data, IP addresses, domain names and other information.
Some improvements are smaller, such as the ability to input a long list of domains to investigate or export a .CSV file of parsed whois data, Helming said.
The improvements may help a company, for example, provide better documentary evidence for law enforcement or simply create new rules within network or host defense systems to block malicious behavior, Helming said.
Iris will be offered as part of DomainTools’ enterprise package. Typically, customers get customized pricing based on their needs and what other products they’re using, Chen said..
DomainTools has plans to expand. The company has more than 10 billion whois records, which holds a lot of potential for big-data style analysis that could be helpful to researchers.
The company’s goal is to eventually develop predictive intelligence capabilities that can be used to prevent attacks, Chen said.
“Once we do that, we will be able to surface interesting trends for our customers,” he said.