THE TIBERIUM BLOG - recent events, threats, and all things cyber

Chapter 1: Classifying domains using RDAP

Using TTP-based intel to classify malicious domains 

Introduction 

This blog series will show how Tiberium harnesses intel around attackers’ tactics, techniques, and procedures to classify malicious domains as part of our FROST and MYTHIC 24/7 MSSP services. 

Preventative security is cool. Having the ability to think several moves ahead of an attacker, identifying their presence while they still think they are invisible, and manning the barricades long before an attack has been issued – it’s the ultimate blue teamer’s dream. 

However, getting to this point can often be challenging in a world filled with IOC-based threat intel. Therefore, this blog series will talk a little about how Tiberium makes use of threat intel beyond the expected to proactively detect maliciousness, tapping into intel around attacker tactics, techniques, and procedures (TTPs). For clarity, we’ll keep it focused on just identifying malicious domains in this first blog series – but there will be plenty more where that came from.  

The domain flow 

To set the scene, we are using Azure Sentinel as our SIEM, and within Azure Sentinel, we can identify domains to investigate through either: 

  1. Entities within incidents (reactive) 
  2. Domain/URL fields in the DeviceNetworkEvents table (reactive) 

Once we have a domain we want to investigate, we send it to the Tiberium EntityEnricher service, which calls all the relevant microservices we’ve built to enrich our understanding of the entity using TTP and IOC based intel.  

For this blog we will walk through the RDAP microservice, one of the simplest yet most effective TTP-based intelligence sources we have for finding malicious domains.  

A brief history of WHOIS 

To talk about RDAP, we first need to quickly dip our toes into the aged water of WHOIS.  

WHOIS (RFC 3912) is a protocol for looking up who registered a domain and how to contact them. You query a domain against the registry's or registrar's WHOIS server and it returns a free-text record: the names and contact details of the registrant and associated contacts, the registration and expiration dates, and the name servers.  

There are quite a few drawbacks with the WHOIS protocol, however: 

  • Non-standard output: every registry formats its records differently, so automated parsing is fragile  
  • Insecure transport: plain TCP on port 43 with no encryption or authentication between client and server 
  • No internationalisation support: the protocol defines no character encoding, so non-ASCII registration data is unreliable 

RDAP > WHOIS 

Now that we’ve addressed WHOIS we can talk openly and candidly about the new kid on the block – RDAP.  

RDAP (the Registration Data Access Protocol, RFCs 7480 to 7484) addresses most of those deficiencies: queries go over HTTPS, results come back as JSON with a defined schema, and the IANA bootstrap registry tells you which server is authoritative for a given TLD, so the whole lookup is a plain REST call rather than a bespoke parser per registry. 

With these extra capabilities, we’re now able to automate domain lookups to the nth degree – but what is it exactly we’re doing this for? 

The registration date tell 

In a 2019 study by Palo Alto Networks' Unit 42, more than 70% of newly registered domains (NRDs, defined as domains registered or re-registered within the last 32 days) were found to be malicious, suspicious, or not safe for work.  

This maps neatly onto the MITRE ATT&CK framework (Acquire Infrastructure: Domains, https://attack.mitre.org/techniques/T1583/001/): domains are often registered and then quickly used for phishing, drive-by compromises, or as command and control (C2) servers. This makes sense. An attacker who needs to feed instructions to a compromised endpoint from a C2 server must control a domain to send those instructions from. That is especially true of Cobalt Strike DNS beacons, a favourite of ransomware groups, where the attacker has to register a domain and delegate its name servers to the team server so the beacon's DNS queries reach it. 

It’s clear that the domain registration date is a seriously useful piece of intel that we can use when classifying a domain as malicious. Our usage of it goes far beyond just seeing if it’s newly registered. All we’ve got to do now is pull these pieces together… 

How we use RDAP to enrich domains found in Azure Sentinel 

This RDAP lookup flow fits neatly into our entity enrichment microservice architecture, and as such, we can demonstrate this flow from a high level. 
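As an added example (not Tiberium's EntityEnricher or RDAP microservice code), the following Python sketch shows the pieces described in the RDAP and registration-date sections above in one offline run: picking the authoritative RDAP server from the IANA bootstrap data, reading the registration events out of the RDAP JSON, and applying the 32-day newly-registered-domain check. The bootstrap excerpt, the RDAP response for the fictitious login-example.com, the timestamps, and the shape of the enrichment record are all constructed for illustration; the live fetch_rdap helper is included for completeness but is not called.

```python
# Added example (not Tiberium's code): offline sketch of the RDAP enrichment step.
# The bootstrap excerpt, RDAP response and timestamps below are constructed sample data.
import json
from datetime import datetime, timezone
from typing import Optional
from urllib.request import Request, urlopen

NRD_WINDOW_DAYS = 32  # "newly registered" window used by the Unit 42 study

# Constructed excerpt of IANA's RDAP bootstrap registry (https://data.iana.org/rdap/dns.json),
# which maps TLDs to the authoritative RDAP base URLs. Load the real file for production use.
BOOTSTRAP_DNS = {
    "services": [
        [["com", "net"], ["https://rdap.verisign.com/com/v1/"]],
        [["uk"], ["https://rdap.nominet.uk/uk/"]],
    ]
}

# Constructed RDAP domain object for a fictitious domain: originally registered in 2015,
# dropped, then picked up again (a "reregistration" event) in September 2021.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "LOGIN-EXAMPLE.COM",
    "events": [
        {"eventAction": "registration", "eventDate": "2015-06-01T00:00:00Z"},
        {"eventAction": "reregistration", "eventDate": "2021-09-20T14:32:11Z"},
        {"eventAction": "last changed", "eventDate": "2021-09-21T08:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2022-09-20T14:32:11Z"},
    ],
}


def rdap_base_url(domain: str, bootstrap: dict = BOOTSTRAP_DNS) -> Optional[str]:
    """Return the RDAP base URL for the domain's registry, matching the longest suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        for tlds, urls in bootstrap["services"]:
            if suffix in tlds:
                return urls[0]
    return None


def fetch_rdap(domain: str, timeout: float = 10) -> dict:
    """Live lookup over HTTPS (GET <base>/domain/<name>); not called by the offline demo."""
    base = rdap_base_url(domain)
    if base is None:
        raise LookupError(f"no RDAP server known for {domain}")
    req = Request(base + "domain/" + domain, headers={"Accept": "application/rdap+json"})
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def parse_rdap_time(value: str) -> datetime:
    """RDAP event dates are RFC 3339; fromisoformat() wants '+00:00' rather than 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def registration_date(rdap: dict) -> Optional[datetime]:
    """Most recent registration OR reregistration event: a drop-caught domain is 'new' again."""
    dates = [
        parse_rdap_time(e["eventDate"])
        for e in rdap.get("events", [])
        if e.get("eventAction") in ("registration", "reregistration")
    ]
    return max(dates) if dates else None


def domain_age_days(rdap: dict, now: datetime) -> Optional[int]:
    """Whole days between the (re)registration event and the time the domain was seen."""
    reg = registration_date(rdap)
    return None if reg is None else (now - reg).days


def classify(rdap: dict, now: datetime) -> str:
    """'newly_registered' inside the 32-day window, 'established' outside it, and
    'unknown' when the registry returned no registration event (do not treat as clean)."""
    age = domain_age_days(rdap, now)
    if age is None:
        return "unknown"
    return "newly_registered" if age <= NRD_WINDOW_DAYS else "established"


def enrich(domain: str, rdap: dict, now: datetime) -> dict:
    """Enrichment record handed back to the caller (assumed layout, not Tiberium's schema)."""
    reg = registration_date(rdap)
    return {
        "domain": domain,
        "rdap_server": rdap_base_url(domain),
        "registration_date": reg.isoformat() if reg else None,
        "age_days": domain_age_days(rdap, now),
        "verdict": classify(rdap, now),
    }


if __name__ == "__main__":
    seen = datetime(2021, 10, 5, tzinfo=timezone.utc)  # when the SIEM saw the domain
    print(json.dumps(enrich("login-example.com", SAMPLE_RDAP, seen), indent=2))
```

Two design choices matter here. The age is measured against the time the SIEM observed the domain, not against "now", so a replayed or delayed event is scored the way it would have been at the time. And a registry that returns no registration event at all yields "unknown" rather than "established": several registries redact or omit events, and silently scoring those domains as clean would hand attackers an easy bypass.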

And voila, we now have a genuinely useful piece of intelligence that we can use to classify malicious domains, obtained not from IOCs but from understanding attackers' TTPs and working backwards. But, alas, this is only one of the veritable smorgasbord of domain enrichment microservices we have built at Tiberium, and we haven't even spoken about how we use these microservices to quantitatively classify a domain as malicious or not!  

Interested in finding out more? Follow us on LinkedIn and Twitter to see the next blog on classifying malicious domains
