
Threat Hunting for Domains as an IOC

Introduction

When a compromise is detected on a network, the domains the attacker used are often good evidence of it, and in many cases those domains were visible in logs or mail well before detection: had they been examined thoroughly at the time, the compromise could have been caught early enough for an effective response. This article describes threat hunting with domains as an indicator of compromise (IoC), focusing on the different ways domains can support a successful threat investigation.

Indicators of Compromise

IoCs are pieces of forensic data that information security professionals use to track down threats on their systems and networks. Think of IoCs as the proverbial breadcrumb trail that leads threat hunters to where the mouse is. IoCs are static, go-to data about currently known threats, and they work best when they are freely shared across the wider information security community.

Domain as an IoC

Domains, along with identifiers such as IP addresses and file hashes, have traditionally been treated as IoCs, since each is a concrete, observable artifact that ties network activity to a specific actor, campaign or piece of malware.

Domains therefore deserve to be considered IoCs. They turn up in places such as email headers and message bodies, and in DNS logs that record the traffic accessing, or attempting to access, your network and its resources.

Domains and Emails

Phishing and social-engineering emails often show their cards, so to speak, in the domains they use.

For instance, suppose your organization frequently deals with Google in its regular course of business. A coworker approaches you and tells you they have received an email from Google asking for personal information such as their bank account number, and that it even had a strange-looking file attached. You look
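The following is an added example, not code from the original article, that puts the two sources above (DNS logs and email sender addresses) to work. It hunts a small set of constructed BIND-style query-log lines and constructed From: headers for two things: domains on a hypothetical IoC list, and lookalikes of a domain the organization trusts (here google.com), such as g00gle.com in the phishing scenario just described. The log format, the indicator list and every domain shown are constructed for illustration, and the lookalike check uses a simple string-similarity ratio rather than a full homoglyph or public-suffix-aware comparison.

```python
"""Hunt DNS query logs and e-mail senders for indicator and lookalike domains.

Added example, not part of the original article. The IoC list, the trusted
domain, the log lines and the sender addresses are all constructed here.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed IoC feed (hypothetical domains, not real threat data).
IOC_DOMAINS = {"update-checker.example", "cdn-assets.example"}

# Domains the organisation legitimately does business with.
TRUSTED_DOMAINS = {"google.com"}

# Constructed BIND-style query log lines (hypothetical resolver at 10.0.0.2).
DNS_LOG = """\
10-Mar-2021 09:12:01.120 client 10.0.0.14#53211: query: www.google.com IN A + (10.0.0.2)
10-Mar-2021 09:12:05.331 client 10.0.0.14#53212: query: update-checker.example IN A + (10.0.0.2)
10-Mar-2021 09:13:44.002 client 10.0.0.27#40110: query: mail.g00gle.com IN A + (10.0.0.2)
10-Mar-2021 09:15:10.777 client 10.0.0.27#40111: query: accounts.google.com IN A + (10.0.0.2)
"""

QUERY_RE = re.compile(r"client ([^#\s]+)#\d+: query: (\S+) IN ")


def registrable(domain: str) -> str:
    """Crude registrable-domain reduction: keep the last two labels.

    Adequate for .com/.example; a real hunt should use the public suffix list
    so that names like example.co.uk are handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, threshold=0.75):
    """Return the trusted domain this one resembles, or None.

    An exact match to a trusted domain is not a lookalike. Typosquats such as
    g00gle.com score close to 1.0 against google.com; unrelated names do not.
    """
    base = registrable(domain)
    for t in trusted:
        if base == t:
            return None
        if SequenceMatcher(None, base, t).ratio() >= threshold:
            return t
    return None


def hunt_dns_log(log_text: str):
    """Return (client, queried name, reason) for every query worth a look."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip silently
        client, domain = m.group(1), m.group(2)
        if registrable(domain) in IOC_DOMAINS:
            hits.append((client, domain, "known IoC domain"))
        else:
            t = lookalike_of(domain)
            if t:
                hits.append((client, domain, f"lookalike of {t}"))
    return hits


def hunt_sender(from_header: str) -> str:
    """Classify the domain in an e-mail From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "no address"
    domain = addr.rsplit("@", 1)[1]
    if registrable(domain) in IOC_DOMAINS:
        return "known IoC domain"
    t = lookalike_of(domain)
    if t:
        return f"lookalike of {t}"
    if registrable(domain) in TRUSTED_DOMAINS:
        return "trusted"
    return "unknown"


if __name__ == "__main__":
    for client, name, reason in hunt_dns_log(DNS_LOG):
        print(f"{client} queried {name}: {reason}")
    # Constructed From: header from the phishing scenario in the text.
    print(hunt_sender('"Google Accounts" <security@accounts.g00gle.com>'))
```

Two things a practitioner would tune before running this against real data: replace the last-two-labels reduction with a public-suffix-aware one, and treat the similarity threshold as a starting point to be checked against your own false-positive rate, since short or generic trusted names will collide with unrelated domains at 0.75.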

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/r8ZQlM038bY/