Using TTP-based intel to classify malicious domains
Preventative security is cool. Having the ability to think several moves ahead of an attacker, identifying their presence while they still think they are invisible, and manning the barricades long before an attack has been issued – it’s the ultimate blue teamer’s dream.
However, getting to this point can often be challenging in a world filled with IOC-based threat intel. Therefore, this blog series will talk a little about how Tiberium makes use of threat intel beyond the expected to proactively detect maliciousness, tapping into intel around attacker tactics, techniques, and procedures (TTPs). For clarity, we’ll keep it focused on just identifying malicious domains in this first blog series – but there will be plenty more where that came from.
The domain flow
To set the scene, we are using Azure Sentinel as our SIEM, and within Azure Sentinel, we can identify domains to investigate through either:
- Entities within incidents (reactive)
- Domain/URL fields in the DeviceNetworkEvents table (reactive)
Once we have a domain we want to investigate, we send it to the Tiberium EntityEnricher service, which calls all the relevant microservices we’ve built to enrich our understanding of the entity using TTP and IOC based intel.
We will talk through the RDAP microservice for this blog, one of the simplest yet most effective TTP-based intelligence sources for finding malicious domains.
A brief history of WHOIS
To talk about RDAP, we first need to quickly dip our toes into the aged water of WHOIS.
WHOIS is a protocol used for identifying domain owners and their contact information. You can query a domain over WHOIS and the database returns a record of the names and contact information of the individuals or companies that registered the domain, along with the registration and expiration dates and the name servers.
There are quite a few drawbacks with the WHOIS protocol, however:
- Non-standard format for output
- Insecure connections (using port 43 with no encryption of data between server and client)
- No international support
RDAP > WHOIS
Now that we’ve addressed WHOIS we can talk openly and candidly about the new kid on the block – RDAP.
RDAP addresses a lot of WHOIS’s deficiencies, giving us the ability to securely (over HTTPS) query domains and receive results in a standard JSON format, all through a simple-to-use API.
With these extra capabilities, we’re now able to automate domain lookups to the nth degree – but what is it exactly we’re doing this for?
The registration date tell
In a study conducted by Palo Alto in 2019, it was discovered that 70% of newly registered domains (that is, domains registered or re-registered in the last 32 days) were found to be malicious.
This maps nicely to the MITRE ATT&CK framework (T1583.001, https://attack.mitre.org/techniques/T1583/001/): domains are often registered and then quickly used for phishing attacks, drive-by compromises, or as command and control (C2) servers. This makes sense: an attacker may need to feed a PWND endpoint instructions from a C2 server, but to do this they are going to need to own a domain to send those instructions from, especially if they use Cobalt Strike DNS beacons, a favourite technique of ransomware groups.
It’s clear that the domain registration date is a seriously useful piece of intel that we can use when classifying a domain as malicious. Our usage of it goes far beyond just seeing if it’s newly registered. All we’ve got to do now is pull these pieces together…
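To make the registration-date tell concrete, here is an added example (not Tiberium’s EntityEnricher or RDAP microservice code) that parses an RDAP domain response, pulls the `registration` event out of the standard `events` array, computes the domain’s age, and flags it as newly registered using the 32-day window quoted above. The RDAP responses are constructed sample data; the `fetch_rdap` helper assumes the public rdap.org redirector is reachable and is the only part that touches the network.

```python
"""Added example: apply the RDAP registration-date tell to a domain record.

The sample responses below are constructed for the example; real RDAP answers
follow the same shape (objectClassName, ldhName, events[]), per RFC 9083.
"""
import json
from datetime import datetime, timezone
from typing import Optional
from urllib.request import urlopen

# Window from the Palo Alto study cited above: registered in the last 32 days.
NEWLY_REGISTERED_DAYS = 32


def fetch_rdap(domain: str) -> dict:
    """Query the public rdap.org redirector (assumed reachable) over HTTPS.

    Not called by the offline samples below; shown for the live lookup path.
    """
    with urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return json.load(resp)


def registration_date(rdap: dict) -> Optional[datetime]:
    """Return the UTC 'registration' event date, or None if the response has none."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            # RDAP dates are RFC 3339; fromisoformat() wants "+00:00" rather than "Z".
            raw = event["eventDate"].replace("Z", "+00:00")
            when = datetime.fromisoformat(raw)
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            return when.astimezone(timezone.utc)
    return None


def domain_age_days(rdap: dict, now: Optional[datetime] = None) -> Optional[int]:
    """Whole days since registration, or None when no registration event exists."""
    registered = registration_date(rdap)
    if registered is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - registered).days


def classify(rdap: dict, now: Optional[datetime] = None) -> dict:
    """Enrichment verdict for the registration-date tell.

    newly_registered is None (not False) when the record carries no registration
    event, so a missing field is never silently treated as 'old and benign'.
    """
    age = domain_age_days(rdap, now)
    verdict = {"domain": rdap.get("ldhName"), "age_days": age}
    if age is None:
        verdict["newly_registered"] = None
        verdict["note"] = "no registration event in RDAP response"
    else:
        verdict["newly_registered"] = age <= NEWLY_REGISTERED_DAYS
    return verdict


# --- constructed sample RDAP responses (not real registrations) -------------
SAMPLE_NEW = {
    "objectClassName": "domain",
    "ldhName": "fresh-lure.example",
    "events": [
        {"eventAction": "registration", "eventDate": "2021-03-01T09:15:00Z"},
        {"eventAction": "expiration", "eventDate": "2022-03-01T09:15:00Z"},
    ],
}
SAMPLE_OLD = {
    "objectClassName": "domain",
    "ldhName": "long-standing.example",
    "events": [
        {"eventAction": "registration", "eventDate": "2005-06-14T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2020-11-02T18:30:00Z"},
    ],
}
SAMPLE_NO_EVENTS = {"objectClassName": "domain", "ldhName": "redacted.example"}

# Fixed "now" so the sample verdicts are reproducible.
SAMPLE_NOW = datetime(2021, 3, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for record in (SAMPLE_NEW, SAMPLE_OLD, SAMPLE_NO_EVENTS):
        print(json.dumps(classify(record, SAMPLE_NOW)))
```

In the enrichment flow the verdict dict is what would be handed back alongside the other microservice results; keeping the `newly_registered` field tri-state (True/False/None) matters because some registries redact or omit events, and a lookup that returns no date should be scored as "unknown" rather than quietly passing as aged.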
How we use RDAP to enrich domains found in Azure Sentinel
This RDAP lookup flow fits neatly into our entity enrichment microservice architecture, and as such, we can demonstrate this flow at a high level.
And voila, we now have a genuinely useful piece of intelligence that we can use to classify malicious domains – and we obtained it not from IOCs but from understanding attackers’ TTPs and working backwards. But, alas, this is only one of the veritable smorgasbord of domain enrichment microservices we have built at Tiberium – and we haven’t even spoken about how we use these microservices to quantifiably classify a domain as malicious or not!