Zero-Trust Implementation Using WHOIS, IP, and DNS Data

Retrieved from here.

The U.S. government released the Executive Order on Improving the Nation’s Cybersecurity in May 2021, highlighting the rationale of a zero-trust security approach. While the order only covers the government’s digital infrastructure, this initiative could also serve as a catalyst for more robust global cybersecurity.

Cybersecurity professionals already know what zero-trust security means — trusting no one without proper verification, regardless of their origin. As such, everyone and everything has to be verified.

While the zero-trust security model is not new, its implementation requires both the public and private sectors to review their current security practices.

Reteaching Domain Assessment of Security Tools

When it comes to detecting suspicious or malicious domains, companies often teach their machine learning (ML)-powered systems to flag newly registered domains (NRDs) and domain generation algorithm (DGA)-generated domains.

However, several high-profile cyber attacks hint that this approach could be outdated or simply not enough. A look into the indicators of compromise (IoCs) related to the SolarWinds data breach is one glaring example. None of the IoCs appeared to be DGA-generated, and only three were NRDs.

The same somewhat held when we investigated the DarkSide IoCs and uncovered more artifacts. The first two domains below are part of the original IoC list while the rest are artifacts connected to the ransomware hashes. Based on WHOIS History data, most of them are more than a year old during the estimated time of the Colonial Pipeline attack.

  • securebestapp20[.]com – 238 days
  • baroquetees[.]com – 335 days
  • catsdegree[.]com – 462 days
  • rumahsia[.]com – 380 days
  • temisleyes[.]com – 455 days
  • isrg[.]trustid[.]ocsp[.]identrust.com – 3,681 days

But NRDs still pose significant risks, as established in the 2020 Cyber Threat Intelligence Recap for COVID-19. As much as threat actors use old domains to evade detection, they also weaponize NRDs to take advantage of people’s interest in current events.

What do these findings teach us? They lead us back to the zero-trust approach — do not trust any domain.

Reinforcing Verification Methods with WHOIS, IP, and DNS Data

Central to the zero-trust security approach is regular verification of users and traffic as they move laterally throughout your network. Security systems can be taught to look beyond the age of domains and include current and historical WHOIS data and Domain Name System (DNS) intelligence to verify their security and integrity.

To illustrate, consider the domains tagged as IoCs in a recent Nobelium attack against several government agencies. The group is believed to be the same actors behind the SolarWinds campaign (the technical details are published here).

Using WHOIS SearchWHOIS History Search, and DNS Lookup, the domains’ age, registrant information, and IP resolutions were retrieved. These are shown in the table below.

 

IoCs Domain Age Registrant Details Connected IPs
worldhomeoutlet[.]com 476 days From WHOISGuard Protected to Withheld for Privacy 5[.]79[.]71[.]205
5[.]79[.]71[.]225
85[.]17[.]31[.]82
85[.]17[.]31[.]122
178[.]162[.]203[.]202
178[.]162[.]203[.]211
178[.]162[.]203[.]226
178[.]162[.]217[.]107
theyardservice[.]com 3,736 days From WHOISGuard Protected to Withheld for Privacy 5[.]79[.]71[.]225
85[.]17[.]31[.]82
85[.]17[.]31[.]122
178[.]162[.]203[.]202
178[.]162[.]203[.]211
178[.]162[.]203[.]226
178[.]162[.]217[.]107
5[.]79[.]71[.]205

 

When the data is fed into and analyzed by security systems, the zero-trust approach would immediately deny access to these domains and IP addresses. Here are some key insights from the WHOIS, IP, and DNS data:

  • Multiple A records: Both domains resolved to the same eight IP addresses. They are tagged “malicious” on VirusTotal (some were already reported even before the attack).
  • A records have a very short time to live (TTL): All the DNS A records have a short TTL of less than a minute. Such DNS settings, along with multiple IP address resolutions, may hint at DNS fast fluxing, a common method threat actors use to obfuscate malicious activities.
  • Change of WHOIS records: While theyardservice[.]com is older by about nine years than worldhomeoutlet[.]com, it was reregistered in January 2020. Both of their WHOIS records were changed a few weeks before the attacks. From WHOISGuard Protected, they changed their privacy protection provider to Withheld for Privacy. Provided that the domains have been trusted by a network before, should the same trust be extended when their WHOIS records show a possible change of hands? Organizations implementing the zero-trust approach would say no.

 


 

The zero-trust security model has other components not discussed in this post. However, the core idea is that this initiative requires scrutinizing all data related to a user, domain, or IP address requesting access to specific information.

Are you interested in the domain footprint of the DarkSide, SolarWinds, and Nobelium attacks? Contact us to get access to our cyber threat intelligence.

Leave a Reply

Your email address will not be published. Required fields are marked *