The ability to quickly gather actionable threat intelligence gives an organization the vital information needed to make informed decisions early on in the incident response process. With human error still being one of the top intrusion tactics, the odds of an organization experiencing a breach is no longer a matter of if, but a matter of when.

DFLabs’ integration with DomainTools is focused on empowering network defenders by automatically gathering actionable threat intelligence from one of the industry’s leading platforms to quickly prioritize and contain would-be attackers. DFLabs and DomainTools together arm security analysts with real-time intelligence and automated containment capabilities to lessen the chance of an intruder accomplishing their goals and causing irreparable damage to an organization’s operations and reputation.

The Problem

Phishing attacks are one of the most successful means of an initial intrusion into a networked environment. Even with tireless user training, somehow these adversaries still find a way to deceive users into falling for their tactics.

Since human error is hard to predict and defend against, security professionals need to be able to detect and remediate a user’s lapse in judgement. Without the ability to detect and quickly respond to phishing-based attacks, organizations run the risk of having intruders lying in wait until their goals have been achieved and the damage has been done.

Security Operation Center (SOC) managers are typically faced with these daily challenges and need a solution for their organization to be able to overcome them:

How can incident responders protect their assets against phishing attacks?

How can organizations quickly respond to attacks involving human error?

How can organizations prevent attackers from lying dormant within their networks for long periods of time?

DFLabs and Domain Tools Solution

DFLabs’ integration with DomainTools provides organizations with the tools necessary for security professionals to quickly identify, prioritize and remediate potential incidents through the use of real-time threat intelligence combined with automation power to orchestrate immediate action across an organization’s environment. Security operations teams can combat conditions created by social engineering attempts and immediately contain suspicious user activity before damage can be done to the organization.

About Domain Tools

DomainTools helps security analysts turn threat data into threat intelligence. They process indicators from an organization’s network, including domains and IPs, and connect them with nearly every active domain on the internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

The goal of DomainTools is to stop security threats to an organization before they happen, using domain/DNS data, predictive analysis, and monitoring of trends on the Internet. By collecting Open Source Intelligence (OSINT) data from many sources, along with historical records, in a central database, DomainTools indexes and analyzes the data based on various connection algorithms to deliver actionable intelligence, including domain scoring and forensic mapping.

DomainTools has over 10 billion related DNS data points to build a map of ‘who’s doing what’ on the Internet. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work.

Use Case

Now let’s look at a simple use case in action.

An alert is received from an organization’s security information and event management (SIEM) tool for abnormal activity from a user’s email account. A large number of emails were sent from the user’s account to multiple recipients in the organization. Upon the receipt of the alert, IncMan SOAR, DFLabs’ SOAR platform, automatically begins to gather incident evidence.

The email’s domain, IP, and email reputation are checked through DomainTools’ extensive reputation service. Once these scores have been evaluated, IncMan issues a conditional statement. If either the domain, IP, or email scores a risk reputation of more than 50, IncMan will then query the organization’s email service to gather all additional recipients who had received the suspicious email.

Based off the results of the query if any additional users received the email, IncMan issues a request to block the sender and gather the associated attachment from the email. After the sender is blocked and the attachments are gathered, IncMan updates the current incident with the additional victim users and creates an incident ticket within the organization’s ticketing system.

While the email is being evaluated, IncMan simultaneously begins to gather information regarding the initial affected user. The organization’s directory service is queried to collect the user information and the endpoint detection and response (EDR) solution is queried for running processes on the user’s system.

The system’s attributes are gathered and IncMan begins to issue a search for additional events the affected user may have generated. Once this information is gathered, IncMan comes to its second conditional statement. If the SIEM query returns additional events for the affected user, the user’s account is automatically disabled, and their password is reset. An email is then sent to both the affected user and the security team alerting them to the password update and the new incident. Once the troubleshooting ticket is opened and the email notification is sent, the security team can begin to investigate the incident.

Summary

With phishing attacks and other intrusion techniques still plaguing organizations on a daily basis, speed is of the essence. Phishing continues to be a very successful intrusion tactics and human error is extremely hard to predict and defend against. If a phishing intrusion is not quickly identified and remediated, attackers will linger within a network undetected until the maximum damage is done.

Together DomainTools and DFLabs can automatically add contextualized threat intelligence to a security incident and orchestrate the response actions needed in an automated manner, before a human analyst has even been notified of the incident, saving valuable time. Incident data can be quickly and efficiently gathered allowing rapid incident prioritization and automatic response to an incident in a matter of seconds from receiving the initial alert, while the orchestration of an organization’s network and security products enables containment of an incident before damage can be carried out environment-wide.

Please enable JavaScript to view the comments powered by Disqus.