In the digital world, domains are autonomous regions. They are the bodies that people, organizations, or nations use to maneuver, communicate, transact, or even cause harm on the Internet. Point of Interest investigations into domains are where cybersecurity and open-source intelligence converge.
OSINT is used to obtain information about domains to help recommend cybersecurity and information security strategies, understand incidents, and even determine the source of a threat. It is also used to determine whether or not it makes sense to partner or integrate with a third-party organization – not to mention an analysis as part of Know Your Customer (KYC) activities by financial institutions.
In the first two posts of this series, we explored OSINT techniques for investigating People and Organizations. You can also get access to our free report “How to Use OSINT for Security POI Investigations” where we take a deeper dive into automated threat detection and tools that will help to scale your POI investigations.
Our focus today: Domains. Some of what we will discuss is listed in the OSINT Framework, a prominent resource for OSINT investigators to learn the tools and concepts of their trade. It was created by Justin Nordine to help anybody get started and has become a mainstay and launching point for a lot of individuals and organizations. It provides a great bird’s eye view of a domain investigation, and we will cover several of the same tools and concepts. We will also dive a little more deeply into some of the challenges organizations will face as they look to make use of these techniques in their own security operations.
For most larger organizations, even tackling just these steps can be daunting, and that is where open security intelligence platforms come in.
Media Sonar focuses on open intelligence in capturing the profile of a domain along similar lines. To do this, Media Sonar consolidates countless different sources with a robust workflow and case management system to make it easy to find the information you need and then easily save it.
It reduces a lot of the hassle and makes it easier for companies to implement process, structure, and accountability around their investigations. But before we get into that, we will cover some basics of POI investigations for domains.
Source: OSINT Framework
OSINT Domain Investigations
There are a number of different reasons organizations will need to use open intelligence to investigate a domain. It might be necessary to look closely at a third-party organization in order to partner with them, establish an integration, or where financial organizations are concerned, this might be needed as part of KYC. At the other end of the spectrum, you can’t always tell who or what is controlling a domain, or the intent of its administrators. If for whatever reason a specific domain or IP address pops up on your security radar, you might need to find out more. The goal and purpose of your POI investigation will always determine what type of information you need to acquire, but OSINT can help and we will walk through some of the basic concepts.
Open-source intelligence is easy to obtain, and while some of the best sources are more difficult to access or use, there are some everyday online tools that everybody makes use of that help with OSINT as well. Let’s run through a few things that organizations can do.
Step 1: Domain Footprint
The People: Owners, Administrators, Actors
The first step you should take is to try to establish who registered the domain. Keep in mind that the information might be hidden, or registrants might have provided false information; either way, this data can point to whether or not a domain is tied to a specific third party. You can use services such as Who.is or ICANN Lookup to find basic domain registration information. If not all data is available, this means either that the information is hidden entirely or that it is not visible to you. To learn more about the organization itself, you will need to broaden your search to look for Organization open-source intelligence.
You also want to validate people that are connected to the domain, as these might provide new avenues of investigation. Search tools like Hunter.io let you perform domain searches to find associated emails and help you gather a comprehensive picture of who is associated with a domain or website. Doing this can provide new avenues of inquiry for your investigation, and you may want to collect their profile as part of your domain investigation. A number of data sources are available for POI OSINT investigations on people if you need to look deeper.
If a domain is trying to portray itself as being related to an organization or person but is in fact not related at all, that might be an indicator that something fishy is going on. On the surface, it may even appear very above board, as bad actors have gotten increasingly sophisticated. Capturing any organization and people information associated with a domain is a good first step. That being said, if a bad actor really wants to remain anonymous, this step might prove fruitless, but concealment itself could be a reason to be suspicious. For investigations of third-party vendors, partners, or customers from a domain perspective, you will be looking to validate the information you already have, or to ensure that nothing is being concealed.
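The registration checks above (who registered the domain, how old it is, and whether the registrant fields are hidden) are easy to script once you have the raw WHOIS text. The following is an added example, not code from the post or from Media Sonar: it parses a constructed WHOIS record into a dictionary, flags registrant fields that carry a privacy placeholder instead of data, and computes the domain's age. The record text, the redaction markers and the `.test` domain are all made up for the example.

```python
from datetime import datetime, timezone

# Constructed WHOIS output, modelled on the "Key: Value" text that registrars
# return. Field names vary per registrar, so the parser is deliberately lenient.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-VENDOR.TEST
Registrar: Example Registrar, LLC
Creation Date: 2023-11-02T14:05:00Z
Registry Expiry Date: 2024-11-02T14:05:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
DNSSEC: unsigned
"""

# Substrings that mark a field as hidden rather than populated (assumed list).
REDACTION_MARKERS = ("REDACTED", "PRIVACY", "WITHHELD", "RDDS", "PROXY")


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; keys seen more than once become lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key in record:
            existing = record[key]
            record[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            record[key] = value
    return record


def redacted_fields(record):
    """Registrant fields whose value is a privacy placeholder rather than real data."""
    return sorted(
        k for k, v in record.items()
        if k.startswith("registrant") and isinstance(v, str)
        and any(marker in v.upper() for marker in REDACTION_MARKERS)
    )


def domain_age_days(record, now=None):
    """Days since the creation date, or None if the date is missing or unparseable."""
    raw = record.get("creation date")
    if not raw:
        return None
    try:
        created = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - created).days


def summarize(text, now=None):
    """The handful of registration facts an analyst records for a domain."""
    rec = parse_whois(text)
    return {
        "domain": rec.get("domain name", "").lower(),
        "registrar": rec.get("registrar"),
        "age_days": domain_age_days(rec, now),
        "redacted": redacted_fields(rec),
        "name_servers": rec.get("name server", []),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_WHOIS))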
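```

A very young domain with every registrant field redacted is not proof of anything, but it is exactly the combination the text warns about, and recording it alongside the name servers gives you something concrete to compare against the vendor's own statements.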
Next in your POI investigation, you are going to want to know more about what types of technologies are supporting the domain. BuiltWith is probably the most popular and easiest to access tool for finding out about technology providers, and even just accessing the free search functions can provide a number of clues about a domain. For most domains, you will see a slew of usual suspects: Google Analytics, a marketing automation platform, a content management system, and a long list of other marketing, tracking and reporting tools. But among all those services, this could include things that would make an organization vulnerable, or worse yet, reveal that the domain is surreptitiously acting with malicious intent. When looking at a potential partner or vendor, particularly if the domain is related to online services and platforms, this could be a key step and provide some insights.
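BuiltWith does its technology detection against a large signature database; the same idea can be shown in miniature. The block below is an added example and not BuiltWith's or Media Sonar's code: it inspects a constructed set of response headers and a constructed HTML page for the kinds of clues such a tool relies on (the `Server` and `X-Powered-By` headers, session cookie names, the `generator` meta tag, and script or stylesheet URLs) and returns the technologies it recognizes with a version where one is exposed. The signature table is tiny and assumed; a real tool carries thousands of entries.

```python
import re
from html.parser import HTMLParser

# Constructed HTTP response (headers + body) standing in for a fetch of the
# domain's landing page; nothing here touches the network.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": "PHPSESSID=abc123; path=/; HttpOnly",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.8.1">
<script src="https://www.googletagmanager.com/gtag/js?id=UA-XXXXXX-1"></script>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
</head><body><script src="/static/js/jquery-3.5.1.min.js"></script></body></html>"""

# (technology, evidence source, regex). A named group "v" captures a version.
# This table is an assumption made for the example, not a real signature set.
SIGNATURES = [
    ("nginx",              "header:server",       r"nginx(?:/(?P<v>[\d.]+))?"),
    ("PHP",                "header:x-powered-by", r"PHP(?:/(?P<v>[\d.]+))?"),
    ("PHP",                "header:set-cookie",   r"PHPSESSID"),
    ("ASP.NET",            "header:set-cookie",   r"ASP\.NET_SessionId"),
    ("WordPress",          "meta:generator",      r"WordPress(?: (?P<v>[\d.]+))?"),
    ("WordPress",          "html:url",            r"/wp-content/"),
    ("Google Tag Manager", "html:url",            r"googletagmanager\.com"),
    ("jQuery",             "html:url",            r"jquery-(?P<v>[\d.]+)\.min\.js"),
]


class _Collector(HTMLParser):
    """Pull the generator meta tag and every script/link URL out of the page."""

    def __init__(self):
        super().__init__()
        self.generator = ""
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        if tag in ("script", "link") and (a.get("src") or a.get("href")):
            self.urls.append(a.get("src") or a.get("href"))


def fingerprint(headers, html):
    """Return {technology: version_or_None} detected from headers and HTML."""
    collector = _Collector()
    collector.feed(html)
    evidence = {"meta:generator": [collector.generator], "html:url": collector.urls}
    for name, value in headers.items():
        evidence["header:" + name.lower()] = [value]

    found = {}
    for tech, source, pattern in SIGNATURES:
        for text in evidence.get(source, []):
            match = re.search(pattern, text)
            if match:
                version = match.groupdict().get("v")
                # Keep the first version any signature exposed for this technology.
                found[tech] = found.get(tech) or version
    return found


if __name__ == "__main__":
    for tech, version in fingerprint(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{tech}: {version or 'version not exposed'}")
```

The useful output for a vendor review is the version column: a component whose version is visible in a header or file name can be checked against the vendor's patch cadence, and a stack that advertises old versions is the kind of finding the text describes as a potential vulnerability.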
To capture the digital footprint of a domain, you will need to know more than just the root domain. Capturing and mapping the full breadth of the domain can be achieved in a few different ways.
Arguably the best way to do this is brute force discovery, but there are subdomain scanners and tools that can help speed up the job.
Here are a few of the many options available for subdomain discovery:
- Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It uses information from popular search engines and from services like ThreatCrowd and DNSdumpster.
- DNSTwist takes a unique approach and is a bit more goal-oriented. It takes in a target domain name as a seed, generates a list of potential phishing domains, and then checks to see if they are registered.
Companies often have things like employee portals, internal subdomains, or testing servers they do not want everyone accessing. Sometimes the services on these subdomains are vulnerable, and this could signal a problem from a vendor. Where a domain is possibly suspicious, subdomains can help validate some of those suspicions or lead to an understanding of the extent of a problem.
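Both discovery approaches named above can be expressed in a few dozen lines. The following added example (not Sublist3r, DNSTwist or Media Sonar code) does two things: it generates lookalike candidates for a domain the way DNSTwist does (character omission, transposition, adjacent-key and homoglyph substitution, hyphen removal) and reports which ones are registered, and it runs a wordlist against the domain for the brute-force subdomain discovery the text mentions. So that it runs offline, name resolution is a stand-in function backed by a constructed set of "registered" names; swapping in a real resolver is the only change needed for live use. The keyboard-adjacency and homoglyph tables are intentionally short and assumed.

```python
# Constructed stand-in for DNS: the names that "resolve". For a live run,
# replace `resolves` with a resolver call such as socket.gethostbyname().
REGISTERED = {
    "example-bank.test", "exampe-bank.test", "examplebank.test",
    "vpn.example-bank.test", "staging.example-bank.test", "dev.example-bank.test",
}


def resolves(name):
    return name in REGISTERED


# Partial QWERTY neighbours and homoglyphs: enough to show the technique,
# far from the tables a real tool ships (both are assumptions for the example).
ADJACENT = {"a": "qwsz", "e": "wrsd", "l": "kop", "m": "njk", "n": "bhjm", "p": "ol"}
HOMOGLYPHS = {"l": "1", "o": "0", "e": "3"}


def permutations(domain):
    """Generate lookalike candidates for `name.tld` in the DNSTwist spirit."""
    name, tld = domain.rsplit(".", 1)
    out = set()
    for i in range(len(name)):                      # omission
        out.add(name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                  # transposition
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i, ch in enumerate(name):                   # adjacent key / homoglyph
        for sub in ADJACENT.get(ch, "") + HOMOGLYPHS.get(ch, ""):
            out.add(name[:i] + sub + name[i + 1:])
    out.add(name.replace("-", ""))                  # hyphen removal
    out.discard(name)                               # never report the seed itself
    return sorted(f"{c}.{tld}" for c in out if c and c[0] != "-" and c[-1] != "-")


def registered_lookalikes(domain, lookup=resolves):
    """Candidates that actually resolve: the ones worth a reputation check."""
    return [c for c in permutations(domain) if lookup(c)]


def brute_force_subdomains(domain, wordlist, lookup=resolves):
    """Wordlist-driven subdomain discovery; order follows the wordlist."""
    return [f"{w}.{domain}" for w in wordlist if lookup(f"{w}.{domain}")]


if __name__ == "__main__":
    seed = "example-bank.test"
    print("registered lookalikes:", registered_lookalikes(seed))
    print("subdomains:", brute_force_subdomains(seed, ["www", "vpn", "dev", "staging", "mail"]))
```

For a brand-protection or vendor-review workflow, the registered lookalikes are the list to monitor; for a footprint exercise, the discovered subdomains (staging, dev, vpn and the like) are exactly the hosts the paragraph above says companies would rather not have widely known.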
If domains are the bodies of the Internet, then DNS servers are the heart. They do the important job of resolving hostnames and domain names into IP addresses. When building a profile of a domain, DNS enumeration refers to the act of detecting and enumerating all possible DNS records for a domain name. This would include hostnames, DNS records, IP addresses, and more depending on what you need. These techniques are used by security professionals and by bad actors, so keep that in mind. Passive DNS data provides a wealth of information. Analysts gain insight as to how a particular domain name changes over time and how it is related to other domains and IP addresses.
Capturing open intelligence is a laborious process, but with Media Sonar’s ability to let analysts narrow down their search from billions of data points across the Surface, Deep, and Dark Web, investigations can be conducted up to 30x faster than traditional methods. That is why most enterprises will need to opt for a technology-enhanced approach to OSINT – it just is not possible any other way and the time savings are substantial.
Media Sonar allows you to go deeper and further with these types of POI investigations. You can quickly act on the information you have to locate intelligence about People, Organizations, Domains. It is your gateway to a broad range of data sources and tools that answer the specific questions your organization regularly has about Points of Interest.
Step 2: Mapping Your Domain Data So Far
Consider mapping the breadth and depth of your POI, including the domain, IP addresses, subdomains, DNS records, registration details, and all the information you have not even found yet.
At this point in an OSINT investigation, there is already a considerable amount of data. It needs to be captured and consolidated in a way that can be analyzed and you need to be able to retrace your steps for validation and transparency.
Analysts in the security space will typically use visual analysis to map the structure and connections within their data points. The visualization technique has been used for a long time, long before computers were invented, and is used in a lot of different scenarios.
Above is a visual representation of a root domain, and it allows you to see how all the pages are connected. It is far more useful than a sitemap, or list of pages when trying to understand the architecture of a website.
With Media Sonar, investigations are conducted from Pathfinder which allows analysts to save and map each point of data to show the connections between the data, and between domain POI, among other things.
For example, you might notice two different domains sharing the same IP, which could raise suspicions as to their relationship if it is contended that there is none. This can have a drastic impact on the ability of an investigator to come up with results.
While data might seem unconnected when presented separately, once it is consolidated and mapped with Pathfinder, security practitioners are given new avenues in their investigations.
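The DNS enumeration and passive DNS material in Step 1 and the shared-IP pivot described just above come together once the records are in one place. The block below is an added example, not Media Sonar or Pathfinder code, working over a small constructed passive DNS dataset (documentation IP ranges, `.test` names, made-up dates): it collects the records for a domain and its subdomains, lists the domain's IP history over time, finds other domains that sat on the same IP during an overlapping window, and emits the name-to-record edges a link-analysis tool would draw. The record shape (name, type, data, first seen, last seen) is assumed; real passive DNS feeds carry more fields but the same idea.

```python
from collections import defaultdict
from datetime import date

# Constructed passive DNS observations: (rrname, rrtype, rdata, first_seen, last_seen).
PDNS = [
    ("example-vendor.test",        "A",  "203.0.113.10",         "2023-11-03", "2024-02-01"),
    ("example-vendor.test",        "NS", "ns1.example-dns.test", "2023-11-02", "2024-02-01"),
    ("portal.example-vendor.test", "A",  "203.0.113.10",         "2023-12-01", "2024-02-01"),
    ("shady-login.test",           "A",  "203.0.113.10",         "2024-01-15", "2024-02-01"),
    ("shady-login.test",           "A",  "198.51.100.7",         "2023-06-01", "2024-01-14"),
    ("unrelated.test",             "A",  "198.51.100.7",         "2022-01-01", "2024-02-01"),
]


def _overlap(a, b):
    """True when two observation windows share at least one day."""
    return date.fromisoformat(a[3]) <= date.fromisoformat(b[4]) and \
           date.fromisoformat(b[3]) <= date.fromisoformat(a[4])


def _within(name, domain):
    return name == domain or name.endswith("." + domain)


def footprint(domain, records=PDNS):
    """Every record for the domain and its subdomains, grouped by name (the enumeration view)."""
    out = defaultdict(list)
    for r in records:
        if _within(r[0], domain):
            out[r[0]].append((r[1], r[2], r[3], r[4]))
    return dict(out)


def ip_history(domain, records=PDNS):
    """Chronological (first_seen, last_seen, ip) showing how the domain's hosting moved."""
    return sorted((r[3], r[4], r[2]) for r in records if r[0] == domain and r[1] == "A")


def co_hosted(domain, records=PDNS):
    """Names outside `domain` that shared one of its A-record IPs at the same time.

    This is the shared-IP pivot: a hit is a relationship to explain, not a verdict.
    """
    mine = [r for r in records if r[0] == domain and r[1] == "A"]
    hits = defaultdict(set)
    for m in mine:
        for r in records:
            if r[1] == "A" and r[2] == m[2] and not _within(r[0], domain) and _overlap(m, r):
                hits[m[2]].add(r[0])
    return {ip: sorted(names) for ip, names in hits.items()}


def edges(records=PDNS):
    """(name, rdata) pairs, ready for a graph / link-analysis view of the data."""
    return sorted({(r[0], r[2]) for r in records})


if __name__ == "__main__":
    target = "example-vendor.test"
    print("footprint:", footprint(target))
    print("ip history:", ip_history("shady-login.test"))
    print("co-hosted with", target, ":", co_hosted(target))
    print("edges:", edges())
```

In the constructed data, the vendor domain shares its IP with a domain that only moved onto that address recently; that is the kind of connection the text says is invisible when each record is viewed on its own and obvious once mapped. Shared hosting is common, so the co-hosting result is a lead to investigate, and the time windows are what keep it from being a false pivot across unrelated tenants that used the same IP years apart.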
Step 3: Reputation Analysis
Reputation is an intangible property: it cannot be bought, and for all intents and purposes it is based on actions and cannot be rolled back easily. For an organization, a good reputation means you are reliable or likely to generate returns, essentially projecting a positive image to customers and partners. A bad reputation means the opposite of all that. For a “bad actor” domain, a bad reputation can mean a whole lot of other things. At this point, it is fairly unlikely that a potential partner, vendor, or customer is engaged in malware distribution or hacking, so while spot checks are required, any deep dive into security reputation analysis will primarily be to look at potentially suspicious domains and websites.
Automating POI Investigations
Capturing the profile of a domain manually is time-consuming and not always effective. Automated tools can help make connections between the data that might be missed otherwise. Plus, there is a steep learning curve when it comes to open-source intelligence.
The Media Sonar platform bundles together the tools and access to datasets in one place to help automate POI workflows. With best-in-class digital footprint features and advanced search functions, queries and filters, access to data sources across social, Deep and Dark Web, and specialized OSINT checks, the Media Sonar platform is developed to help you investigate domains, and all POI, in corporate and information security environments.