Archive by category: DomainTools 101

Hunting Grizzlies with DomainTools Iris

When we hunt, we’re usually starting with some kind of indicator that something bad has happened. These are often referred to as IOCs, or Indicators of Compromise. When we get a good report like this one from Homeland Security, we can use it to help us find out more about a threat actor and their […]

DomainTools 101: Risky Business

I want to start the New Year by making a couple of predictions for how things will go in 2017. I’m going to predict that The Atlanta Falcons will beat the Green Bay Packers, that the Pittsburgh Steelers will lose to the New England Patriots and that the Falcons and Patriots will end up in […]

Rent an IP, Own a Domain

The other day I was on a mission to locate a contact of mine who lived nearby. I had an address, but no phone number or email address. So I got the GPS out, programmed in the address, and away I went. Arriving at the location, I turned into the driveway, and it was an apartment […]

DomainTools 101: Threat Hunting with a Machete, and a Scalpel

I’ve been fascinated by the attacks on the US political campaigns, their sites, and by the report from Threat Geek about the spoofed Democratic Campaign Committee donation page. It really got me thinking about how careful we need to be as consumers/donors with where we are spending or donating our hard earned cash. One of […]

Go Phish: How the English Language Helps Threat Actors

There is no getting around it. Even though English is a language built on rigid rules, there are so many exceptions, and so many words that are close in meaning, sound and usage, that it is common to make grammatical errors. Not so surprisingly, threat actors deploying phishing campaigns often use these grammatical imperfections to their advantage. A typical […]

DomainTools 101: Don’t Discount Subdomain Signals

“If it looks too good to be true, it most likely is.” This is a mantra I live by when sifting through email, social media, or surfing websites. In my experience, if the text is odd, or poorly structured, that is a clue; and most importantly, if there’s a suspicious structure to the domain, specifically […]
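The subdomain signal the post alludes to is the structure of the hostname itself: on a phishing site the brand the victim expects usually sits in the subdomain labels, while the registered domain (the part the attacker actually controls) is something unrelated. The following is an added example, not code from the DomainTools post; it splits a hostname into subdomain, registered domain and public suffix using a constructed, minimal suffix table (a real deployment would load the full Public Suffix List) and an assumed brand list, and returns the signals a triage script might act on.

```python
"""Flag hostnames whose subdomain labels impersonate a brand.

Added example, not code from the DomainTools post. The suffix table and
brand list below are constructed assumptions for the demonstration.
"""
from dataclasses import dataclass

# Constructed, minimal public-suffix table (assumption). Real code should load
# the full Public Suffix List from https://publicsuffix.org/ so that
# "co.uk"-style suffixes are handled for every TLD.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.br"}

# Brands we never expect to see inside the subdomain part of a hostname
# (assumption; a curated list for the organisation being protected).
PROTECTED_BRANDS = {"paypal", "microsoft", "apple", "dcc"}

# More than this many subdomain labels is itself a signal: phishing kits
# stack labels to push the real registered domain out of the visible URL bar.
MAX_SUBDOMAIN_DEPTH = 3


@dataclass(frozen=True)
class HostParts:
    subdomain: str    # everything left of the registered domain, "" if none
    registered: str   # the domain the operator actually controls, e.g. "example.com"
    suffix: str       # the public suffix, e.g. "com" or "co.uk"


def split_host(host: str) -> HostParts:
    """Split a hostname on its public suffix, longest suffix match first."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                       # try "co.uk" before "uk"
        if len(labels) > n:
            cand = ".".join(labels[-n:])
            if cand in PUBLIC_SUFFIXES:
                registered = ".".join(labels[-n - 1:])
                return HostParts(".".join(labels[:-n - 1]), registered, cand)
    raise ValueError(f"no known public suffix in {host!r}")


def subdomain_signals(host: str) -> list[str]:
    """Return human-readable reasons this hostname's subdomain looks suspicious."""
    parts = split_host(host)
    sub_labels = parts.subdomain.split(".") if parts.subdomain else []
    signals: list[str] = []

    for label in sub_labels:
        # A protected brand in a subdomain label: paypal.com.secure-login.net
        for brand in sorted(PROTECTED_BRANDS):
            if brand in label:
                signals.append(f"brand '{brand}' appears in subdomain label '{label}'")
        # A public suffix used as a subdomain label: the "com" in paypal.com.evil.net,
        # put there so the hostname reads like the brand's real domain.
        if label in PUBLIC_SUFFIXES:
            signals.append(f"public suffix '{label}' used as a subdomain label")

    if len(sub_labels) > MAX_SUBDOMAIN_DEPTH:
        signals.append(f"{len(sub_labels)} subdomain labels (depth > {MAX_SUBDOMAIN_DEPTH})")

    return signals


if __name__ == "__main__":
    for h in ("www.example.com", "paypal.com.secure-login.net", "mail.bbc.co.uk"):
        print(h, "->", split_host(h).registered, subdomain_signals(h))
```

The registered-domain field is the one to pivot on (Whois, reverse IP, name servers); the subdomain labels are only a signal, which is why the function reports them rather than deciding on its own.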

DomainTools 101: Blocking and Tackling Bad Domains

In my last post we covered some ways to look deeper into a report and find other connected domains that are part of the actor’s infrastructure. Let’s continue to dive deeper and learn more. Reverse IP pivot: in our last post we uncovered an IP address that was being used to host the domain […]
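A reverse IP pivot is the step the excerpt names: take the IP an actor's domain resolves to, list every other domain seen on that IP, and repeat. The trap a practitioner hits immediately is shared hosting, where one IP serves hundreds of unrelated tenants and the pivot turns into noise. The following is an added example, not the DomainTools post's own code or an Iris API call; the A records are constructed inline (reserved `.example` names and TEST-NET addresses) to stand in for what passive DNS or Iris would return, and the tenant cap and hop limit are assumed tuning values.

```python
"""Reverse IP pivot over A-record data, with a shared-hosting cap and hop limit.

Added example, not code from the DomainTools post. RECORDS is constructed
sample data; the tenant cap and hop limit are assumptions to be tuned.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed (hostname, ip) A records as a passive DNS source would return them.
RECORDS = [
    ("creepy-donate.example", "203.0.113.10"),
    ("secure-dcc-gift.example", "203.0.113.10"),
    ("secure-dcc-gift.example", "203.0.113.11"),
    ("campaign-verify.example", "203.0.113.11"),
    ("campaign-verify.example", "203.0.113.12"),
    ("phase-two.example", "203.0.113.12"),       # only reachable at hop 3
    ("creepy-donate.example", "198.51.100.5"),   # a shared-hosting IP ...
    ("legit-shop.example", "198.51.100.5"),      # ... with unrelated tenants
] + [(f"tenant{i}.example", "198.51.100.5") for i in range(25)]


@dataclass
class PivotResult:
    domains: dict[str, int] = field(default_factory=dict)  # domain -> hops from seed
    pivot_ips: set[str] = field(default_factory=set)       # IPs that were expanded
    skipped_shared: set[str] = field(default_factory=set)  # IPs skipped as shared hosting


def build_indexes(records):
    """Forward (domain -> IPs) and reverse (IP -> domains) indexes over the records."""
    domain_to_ips: dict[str, set[str]] = defaultdict(set)
    ip_to_domains: dict[str, set[str]] = defaultdict(set)
    for host, ip in records:
        domain_to_ips[host].add(ip)
        ip_to_domains[ip].add(host)
    return domain_to_ips, ip_to_domains


def reverse_ip_pivot(seed: str, records, max_hops: int = 2, max_tenants: int = 20) -> PivotResult:
    """Breadth-first domain -> IP -> domain pivot starting from `seed`.

    An IP hosting more than `max_tenants` domains is treated as shared
    hosting and not expanded, since its co-tenants are not evidence of a
    link to the actor. `max_hops` bounds how far a chain of pivots is trusted.
    """
    domain_to_ips, ip_to_domains = build_indexes(records)
    result = PivotResult(domains={seed: 0})
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        hops = result.domains[domain]
        if hops >= max_hops:
            continue
        for ip in sorted(domain_to_ips.get(domain, ())):
            tenants = ip_to_domains[ip]
            if len(tenants) > max_tenants:
                result.skipped_shared.add(ip)
                continue
            result.pivot_ips.add(ip)
            for other in sorted(tenants):
                if other not in result.domains:
                    result.domains[other] = hops + 1
                    queue.append(other)
    return result


def blocklist(result: PivotResult) -> list[str]:
    """Domains found by the pivot, excluding the seed, ready for a blocklist."""
    return sorted(d for d, hops in result.domains.items() if hops > 0)


if __name__ == "__main__":
    r = reverse_ip_pivot("creepy-donate.example", RECORDS)
    print("block:", blocklist(r))
    print("pivot IPs:", sorted(r.pivot_ips), "skipped shared:", sorted(r.skipped_shared))
```

The `skipped_shared` set is worth reviewing by hand rather than discarding: a shared IP is a dead end for an automatic pivot, but the actor's specific tenant on it may still be worth a name-server or Whois pivot.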

DomainTools 101: I found this creepy domain, now what?

By Steve Butt, Sales Engineer. Part 1 of a series of blog posts to help you be more effective in your investigations. One of the many things criminals will do is buy up or register domains that have been allowed to expire. Many times companies will close shop and allow the domains they owned to […]