You and your security tools are constantly called upon to judge whether things like suspect outbound network connections and links in potential phishing emails are malicious, merely undesirable for the organization, or legitimate and safe.
Unless attackers want to stand out like a sore thumb or be tied to one IP address that can be quickly shut down, they have to use domain names like everyone else.
So most of the events you investigate involve a domain name, and that domain is extremely valuable in helping you recognize malicious intent. And I don’t just mean checking the domain against threat intel lists, although that of course is one step. There is so much more.
- When was the domain registered?
- Is the domain registrant anonymous?
- How many other domains share characteristics with this domain?
- What is the email infrastructure for the domain?
- What is the website infrastructure for the domain?
- What is the DNS and IP data for this domain?
- What is the history for this domain?
In this webinar, I will show you how to analyze each of these data points about the domain. I’ll show you why they are relevant and what characteristics are indicative of an attacker’s infrastructure.
Some of the techniques are candidates for automation, and we’ll explore ways to take advantage of that.
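As an added illustration of what the automation side of this looks like (example code written for this page, not part of the webinar material or any DomainTools product), the script below takes the questions in the list above and turns them into a single indicator record for one domain: registration date and age, whether the registrant is hidden behind a privacy or proxy service, the registrar, the name servers (as reported by WHOIS and by DNS, and whether the two agree), the mail hosts from MX records, the web IPs from A records, and the SPF policy. To run offline it parses a constructed WHOIS response and a constructed set of DNS answers for a domain under the reserved .example TLD; in practice you would feed it the output of a WHOIS/RDAP query and your resolver's answers. The 30-day "newly registered" threshold and the list of privacy-service marker words are assumptions chosen for the example, not figures from the page.

```python
"""Collect per-domain indicators (registration age, anonymous registrant,
email/web/DNS infrastructure) from WHOIS text and DNS answers.
Added example for this page; all data below is constructed."""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed WHOIS output for a fictional domain under the reserved
# .example TLD. Field names follow the common registrar key: value layout.
SAMPLE_WHOIS = """\
Domain Name: INVOICE-PORTAL.EXAMPLE
Registrar: Example Registrar, LLC
Creation Date: 2024-05-02T11:14:09Z
Updated Date: 2024-05-02T11:14:09Z
Registry Expiry Date: 2025-05-02T11:14:09Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Domain Privacy Service
Registrant Email: Please query the RDDS service of the Registrar
Name Server: NS1.DNS.EXAMPLE
Name Server: NS2.DNS.EXAMPLE
"""

# Constructed DNS answers for the same domain (no live lookups performed).
SAMPLE_DNS = {
    "A": ["203.0.113.45"],
    "MX": ["10 mail.invoice-portal.example."],
    "NS": ["ns1.dns.example.", "ns2.dns.example."],
    "TXT": ["v=spf1 ip4:203.0.113.45 -all"],
}

# Assumed marker words that commonly appear in privacy/proxy registrations.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "withheld")


def parse_whois(text: str) -> dict[str, list[str]]:
    """Parse key: value WHOIS lines; repeated keys (Name Server) become lists."""
    fields: dict[str, list[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def creation_date(fields: dict[str, list[str]]) -> datetime | None:
    """Return the first parseable 'Creation Date' as an aware UTC datetime."""
    for raw in fields.get("creation date", []):
        try:
            return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def domain_age_days(fields: dict[str, list[str]], now: datetime) -> int | None:
    created = creation_date(fields)
    return None if created is None else (now - created).days


def registrant_is_anonymous(fields: dict[str, list[str]]) -> bool:
    """True if any Registrant* field carries a privacy/proxy marker."""
    blob = " ".join(
        v for k, vs in fields.items() if k.startswith("registrant") for v in vs
    ).lower()
    return any(marker in blob for marker in PRIVACY_MARKERS)


def mail_hosts(dns: dict[str, list[str]]) -> list[str]:
    """Extract exchange hosts from 'pref host.' MX records, normalised."""
    return [rr.split()[-1].rstrip(".").lower() for rr in dns.get("MX", [])]


def profile_domain(whois_text: str, dns: dict[str, list[str]], now: datetime,
                   new_threshold_days: int = 30) -> dict:
    """Answer the checklist questions for one domain in a single record."""
    fields = parse_whois(whois_text)
    age = domain_age_days(fields, now)
    ns_whois = {h.rstrip(".").lower() for h in fields.get("name server", [])}
    ns_dns = {h.rstrip(".").lower() for h in dns.get("NS", [])}
    return {
        "domain": fields.get("domain name", ["?"])[0].lower(),
        "age_days": age,                                   # when was it registered?
        "newly_registered": age is not None and age < new_threshold_days,
        "anonymous_registrant": registrant_is_anonymous(fields),  # registrant anonymous?
        "registrar": fields.get("registrar", [None])[0],
        "nameservers": sorted(ns_whois | ns_dns),          # DNS infrastructure
        "nameserver_mismatch": bool(ns_whois and ns_dns and ns_whois != ns_dns),
        "mail_hosts": mail_hosts(dns),                     # email infrastructure
        "web_ips": list(dns.get("A", [])),                 # website infrastructure
        "spf": [t for t in dns.get("TXT", []) if t.lower().startswith("v=spf1")],
    }


if __name__ == "__main__":
    record = profile_domain(SAMPLE_WHOIS, SAMPLE_DNS, datetime.now(timezone.utc))
    for key, value in record.items():
        print(f"{key:>21}: {value}")
```

The record is deliberately flat so it can be attached to an alert or pivoted on later (for example, grouping alerts by registrar, name server or mail host to find other domains that share the same infrastructure); the "how many other domains share characteristics" and "history" questions need a data source with historical coverage rather than a single live lookup, so they are not answered here.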
DomainTools is my sponsor for this webinar, and Tim Helming is a real expert in domain and IP data and in how to mine current and historical Internet records to catch bad actors. Tim is helping me develop this real training for free event, and he will also briefly demonstrate DomainTools’ Iris Investigation Platform. It’s awesome – I use it in my own investigations.
Please join me for this real training for free session.