Security information and event management (SIEM) and other cybersecurity technologies notify security teams about suspicious activities in their networks. Each week, organizations receive thousands of SIEM security alerts, resulting in alert fatigue for security professionals. The key could be to give context to these alerts so that the majority that gets through is valid and reliable. Integrating WHOIS history databases such as domainnamestat.com/whois-history into security platforms could aid in contextualizing security alerts.
In this post, we illustrated how domain ownership history could give context to security alerts. And by doing so, it allows for a more efficient prioritization.
Contextualizing a Cerber Ransomware IoC with WHOIS History
Cerber is a ransomware-as-a-service (RaaS) technology, which means that attackers don’t have to develop their own versions of the ransomware to launch an attack. Instead, they can use Cerber for a fee, in this case, as much as 40% of the ransom paid by the victim to the ransomware’s developer.
In 2017, the domain hjaoopoa[.]top was tagged as a Cerber indicator of compromise (IoC). Historical WHOIS records indicate that the domain’s registrant at that time was someone named “R. Lecomte” with an address in Massachusetts, U.S. The email address ******bobl@rothtec[.]com and a phone number ending in “622” were also indicated in the domain history record.
Security teams can use domain history data to give context to security alerts that contain the registrant name or email address in their historical WHOIS records. That way, security alerts involving domains whose domain ownership history indicates that they were owned or once owned by a suspected threat actor are given priority.
A search on the WHOIS history database using the email address ******bobl@rothtec[.]com yielded 1,052 domain names. The email address appeared in their domain name history. Such connection means that these domains are also possibly involved in malicious activities. In fact, dozens of these domains have been tagged “malicious” or “suspicious” by various blacklisting engines.
These specific domains, among others, were either reported for phishing, spamming, or malware activities:
- btcmarkets[.]top
- bulkcrypt[.]top
- cryptoboom[.]top
- cryptosinvestment[.]top
- cyberbestcrypt[.]top
- desksinvestment[.]top
- hometowergop[.]top
- sonyponytopc[.]top
- guidemoney[.]top
- libercrypt[.]top
- libertcrypt[.]top
Addressing Cyber Alert Fatigue with Domain History
Alert fatigue among cybersecurity professionals occurs mostly due to the sheer number of alerts generated by security systems such as SIEM and threat intelligence platforms. And because of the significant number of false positives, cyber professionals may sometimes have to ignore alerts and that can be a huge problem. What if a severe threat gets through because of alert fatigue?
An effective way to fight off alert fatigue is to contextualize alerts and allow the context gained to determine their importance. SIEM systems, threat intelligence platforms, and other security solutions can be set to check the WHOIS history database for a domain’s connection with known threat actors or IoCs. If a connection is established, then priority is given to the particular alert. Security professionals can then deal with alerts according to the importance determined by the security platform.
In our Cerber example above, a high-priority rating can be given to security alerts involving domains connected to the IoC. To recall, a connection was established through the registrant’s email address indicated in historical WHOIS records.
Note that any cybersecurity alert associated with ransomware IoCs should be dealt with immediately, as such a cybercrime can cost organizations a lot of money. On the other hand, their reputation is also at risk since data breach could be involved.
A WHOIS history database can enrich security platforms and give context to the security alerts they generate. Providing contextual information to alerts can help determine their importance so cyber professionals would know what to address first. With this strategy, false positives are lessened, and ultimately, alert fatigue can be reduced.