Hyas Blog | How Do You Know When a Domain Is a Threat?

HYAS Protect uses advanced threat assessment to flag suspicious domains before they can strike.

Have you ever wondered how a vendor scores domains? I mean, what happens on the back end? Is it just using a static or dynamic list of bad domains, sourced from various intelligence feeds that researchers build, or does it use a form of artificial intelligence to determine whether a domain is malicious based on a set of data sources compiled together?

The complexities of the contemporary threat landscape make scoring domains especially challenging. However, if we understand the basic techniques that bad actors employ when using domains in their attacks, we can reliably predict whether a given domain is likely to be used maliciously or not. As a matter of fact, the process is fairly straightforward.

Once deployed within the infrastructure, malware will typically send out a request to its associated command and control (C2) server to let the threat actor know it has been deployed, is running correctly, and is beaconing appropriately. This request commonly goes outbound to a domain that the threat actor has registered, and by analyzing some of the steps required to obtain and use a domain, we can detect malicious activity.

HYAS has pioneered the creation of this process, which we call the Watch Engine. The Watch Engine works in an intelligent manner by analyzing domains that HYAS Protect detects on a global scale across all of our clients. HYAS Protect leverages both machine learning and a large number of intricate logic gates to identify suspicious DNS queries. When a domain has been flagged as suspicious by the system, it is then moved into our active Watch Engine. This engine takes in hundreds of thousands of domain-relevant active and historic intelligence inputs and combines them with query patterns, query deltas, and other behavior across all HYAS Protect customers. Ultimately, the Watch Engine decides whether a suspicious domain should be blocked, should generate an alert, or, if it proves to be benign, should have its threat level reduced.

For example, if HYAS Protect knows that a particular domain was purchased from an Indian domain registrar via cryptocurrency by a buyer originating from a Russian IP address, there are enough odd indicators to raise suspicion. Even if that particular domain has not yet been used for anything malicious, the breadcrumbs indicate a likelihood that it will, allowing HYAS users to cut it off months before it shows up on any industry block list. 

Another example of the Watch Engine in action involves taking an adversary's common TTPs and encoding them as patterns and types, such as the nameservers that adversary uses frequently. Below is an example of how we can take advantage of this use case and block domains associated with TA551.

{
  "name": "Block TA551 domains",
  "condition": {
    "@type": "and",
    "conditions": [
      {
        "@type": "registrar_name",
        "pattern": "key-systems"
      },
      {
        "@type": "or",
        "conditions": [
          {
            "@type": "nameserver_name",
            "pattern": "dnspod.com"
          },
          {
            "@type": "nameserver_name",
            "pattern": "cloudflare.com"
          },
          {
            "@type": "nameserver_name",
            "pattern": "geoscaling.com"
          },
          {
            "@type": "nameserver_name",
            "pattern": "emailverification.info"
          }
        ]
      },
      {
        "@type": "or",
        "conditions": [
          {
            "@type": "domain_name",
            "pattern": "\\d{4}"
          },
          {
            "@type": "domain_name",
            "pattern": "\\d{3}"
          },
          {
            "@type": "domain_name",
            "pattern": "\\d{1}."
          }
        ]
      }
    ]
  },
  "action": "block"
}
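To make the logic gates in the rule above concrete, here is an added Python example (not HYAS code, and not the Watch Engine's actual evaluator) that walks the same and/or condition tree over constructed domain registration records and returns the rule's action. The record field names (domain, registrar, nameservers), the case-insensitive substring matching, and the "any nameserver matches" semantics for list fields are assumptions made for the example; the sample records are constructed and do not describe real TA551 infrastructure.

```python
import re

# The rule from the post, copied into a Python dict (constructed copy for the example;
# the JSON shape is the page's, the evaluator below is not HYAS code).
TA551_RULE = {
    "name": "Block TA551 domains",
    "condition": {
        "@type": "and",
        "conditions": [
            {"@type": "registrar_name", "pattern": "key-systems"},
            {"@type": "or", "conditions": [
                {"@type": "nameserver_name", "pattern": "dnspod.com"},
                {"@type": "nameserver_name", "pattern": "cloudflare.com"},
                {"@type": "nameserver_name", "pattern": "geoscaling.com"},
                {"@type": "nameserver_name", "pattern": "emailverification.info"},
            ]},
            {"@type": "or", "conditions": [
                {"@type": "domain_name", "pattern": "\\d{4}"},
                {"@type": "domain_name", "pattern": "\\d{3}"},
                {"@type": "domain_name", "pattern": "\\d{1}."},
            ]},
        ],
    },
    "action": "block",
}

# Which record field each leaf condition type inspects (assumed field names).
# A field may hold one string (registrar, domain) or a list (nameservers); a list
# field matches when any element matches.
FIELD_FOR_TYPE = {
    "registrar_name": "registrar",
    "nameserver_name": "nameservers",
    "domain_name": "domain",
}


def _leaf_matches(cond, record):
    """Evaluate a single registrar/nameserver/domain pattern against one record."""
    values = record.get(FIELD_FOR_TYPE[cond["@type"]], [])
    if isinstance(values, str):
        values = [values]
    # re.search rather than re.match: the post's "\d{3}" is clearly a substring test.
    # IGNORECASE is an assumption so that "Key-Systems GmbH" matches "key-systems".
    regex = re.compile(cond["pattern"], re.IGNORECASE)
    return any(regex.search(v) for v in values)


def evaluate(cond, record):
    """Recursively evaluate an and/or condition tree; unknown types are an error."""
    ctype = cond["@type"]
    if ctype == "and":
        return all(evaluate(c, record) for c in cond["conditions"])
    if ctype == "or":
        return any(evaluate(c, record) for c in cond["conditions"])
    if ctype in FIELD_FOR_TYPE:
        return _leaf_matches(cond, record)
    raise ValueError(f"unknown condition type: {ctype!r}")


def apply_rule(rule, record):
    """Return the rule's action ("block") when the record matches, else "allow"."""
    return rule["action"] if evaluate(rule["condition"], record) else "allow"


def triage(rule, records):
    """Map each record's domain to the action the rule would take."""
    return {r["domain"]: apply_rule(rule, r) for r in records}


# Constructed sample records: one that trips all three gates and three that each
# fail exactly one gate, so the and/or structure is visible in the output.
SAMPLE_RECORDS = [
    {"domain": "example1234.invalid", "registrar": "Key-Systems GmbH",
     "nameservers": ["ns1.dnspod.com", "ns2.dnspod.com"]},
    {"domain": "example.invalid", "registrar": "Key-Systems GmbH",       # no digits
     "nameservers": ["ns1.dnspod.com"]},
    {"domain": "example567.invalid", "registrar": "Some Other Registrar",  # wrong registrar
     "nameservers": ["ns1.dnspod.com"]},
    {"domain": "example89.invalid", "registrar": "Key-Systems GmbH",      # unlisted nameserver
     "nameservers": ["ns1.example-dns.invalid"]},
]

if __name__ == "__main__":
    for domain, action in triage(TA551_RULE, SAMPLE_RECORDS).items():
        print(f"{domain:24s} -> {action}")
```

Only the first record is blocked; the other three each satisfy two of the three top-level and gates and so fall through to allow. One caveat worth checking when writing rules in this style: in the page's rule the third domain_name pattern, \d{1}., uses an unescaped dot, which in a regex matches any character, so it already covers everything the \d{4} and \d{3} alternatives match except a digit at the very end of the name. If a literal dot was intended (a digit immediately before the TLD separator), the JSON form would need the dot escaped.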

Learn more about HYAS Protect and our proprietary Watch Engine technology by requesting a demo today!