Domain Discovery Feed, IP Hotlist, and Hosting IP Risk Feed provides security teams with visibility into risk levels of domain and IP traffic through multiple inputs to strengthen network defense
SEATTLE – DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today announced Domain Discovery Feed, a real-time daily list of all newly-registered and newly observed domains identified by DomainTools’ globe-spanning detection network, the industry’s most complete feed for new domain information.
In addition, the company announced a new line of IP Risk products to identify potentially dangerous infrastructure based on hosted domains. The IP Hotlist is a highly curated daily list that contains the riskiest IP addresses on the Internet that have had traffic to malicious domains while the Hosting IP Risk Feed contains all IPv4 addresses hosting at least one domain, regardless of traffic or risk. Both IP Risk products leverage DomainTools predictive DomainTools Risk Score technologies.
DomainTools introduces Domain Discovery and IP Risk Feeds to predict new and existing dangerous Internet infrastructure.
Security teams need reliable inputs on the risk level of the domains and IP addresses seen in their traffic flows in order to improve situational awareness and to ward off incursions that may be underway. With an increasing amount of DNS traffic being encrypted, IP-based indicators are critical. And as more network defenders are looking to the identification of new domains as a signal of risk一thousands of newly registered domains are used every day for phishing, ransomware, credential harvesting, fraud, and more一they need to be able to cross-check brand-new domains against domains seen in web proxy or DNS resolver to reveal traffic to potentially harmful infrastructure.
DomainTools now offers three new feeds, each with a specific area of focus, to help with these needs:
IP Hotlist: Designed to identify the riskiest population of hosting IP addresses. Two main criteria define this list: the ratio of high-risk to legitimate domains hosted in the IP, and the level of traffic in the last 24 hours that has known or predicted malicious domains, as measured in Internet-wide passive DNS collection. The Hotlist is an ideal database for high-confidence block list and detection rule creation. The typical Hotlist size ranges daily and fluctuates between but can exceed 40,000 and 50,000 IP addresses.
Hosting IP Risk Feed: A daily feed of all IP addresses found to be hosting at least one domain. As with the Hotlist, a risk indicator is given to the IP address based on the population of domains it hosts. Unlike the Hotlist, however, this feed includes any actively-hosting IP, regardless of its risk level, and the IP Risk Feed also contains detailed data fields enriching the IP. This makes it ideal for users who wish to apply their own criteria to evaluate IP addresses for risk or characterize them for other purposes. Typical Risk Feed size ranges daily and fluctuates between but can exceed 15 and 20 million IP addresses.
Domain Discovery Feed: A simple text file of newly-registered and newly observed domain names. This gives users maximum flexibility for using the new domain information to create alert or block rules for network or host defenses. Security Information Event Management (SIEM) platforms, Threat Intelligence Platforms (TIP), and a variety of other log and event aggregation sources can capture domains accessed from the protected environment; scripts that check these domains against the Domain Discovery Feed can then raise alerts when traffic to matching domains is observed. In some environments, a zero-trust policy toward new domains is employed; in such cases, the Domain Discovery Feed can enable the creation of automatic blocking rules for most traffic, or quarantine/inspection rules for SMTP and other protocols that can accommodate various dispositions.
“With nearly 20 years of experience gathering, processing, and provisioning domain-related data, DomainTools has built unmatched capabilities for detecting the presence of new domains, as well as changes to existing ones, making Domain Discovery Feed the most accurate and complete industry feed for harnessing new domain intelligence,” said Dan Fernandez, Senior Product Manager at DomainTools. “The new IP Risk products, IP Hotlist and Hosting IP Risk Feed, are unique because unlike traditional IP reputation lists, they use predictive assessments based on DomainTools Domain Risk Score to reliably predict how likely a given domain is to be malicious, even before the domain has been weaponized, to pinpoint and characterize the most dangerous infrastructure on the Internet.”
DomainTools empowers security professionals to get ahead of attacks by identifying attacker infrastructure, getting immediate context and visibility on threats,and making faster risk assessments, thereby dramatically improving the security posture of their organization. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at https://www.domaintools.com or follow us on Twitter: @domaintools.