Probably one of the hardest things to do in the cybersecurity research process is knowing how or where to start looking for clues. A WHOIS database is usually a good starting point for pivoting, as it can provide clues as to who owns a particular domain. From it, you can get data points such as when a domain was created, to determine whether it is newly registered or not; who its registrar is, in case you need help taking it down; who its registrant is, so you know whom to contact in case it has been compromised; and more.
To know exactly how a WHOIS database can help you jumpstart your investigations, take a look at the following sections.
Determine the Suspicious Domains’ Ages
Let us say that you are conducting research on how many of the suspicious domains in your data set are newly created. We will use a list of confirmed malicious Federal Bureau of Investigation (FBI)-related domains connected to a public announcement the agency made at the beginning of the year. The list contains 66 domains classified as “malicious” on VirusTotal on 2 January 2021.
Using a WHOIS database, we discovered that only eight of the 66 domains (12%) were newly created. These are authefbi[.]ga, fbibau[.]de, fbi-bau[.]de, fbi-c[.]com[.]co, fbinews[.]ga, fbinigeria[.]org, fbiofficial[.]online, and fbi-c-d[.]com[.]co. This finding could support research meant to update the latest data on newly registered domains (NRDs). Instead of warning the public about the dangers that NRDs pose, investigators could theorize a change in cybercriminal tactics. Security experts could say that since threat actors are aware that companies have tightened their network security against NRDs, the bad guys are avoiding the use of such domains, although that does not mean organizations should let their guard down. Organizations would then be forewarned not to focus on NRDs only but to include all kinds of suspicious domains, regardless of age, in their deep dives.
Find Out Who the Registrars of the Malicious Domains Are
Registrars are often called on to help with malicious domain takedowns supervised by law enforcement agencies worldwide. But investigators would not automatically know which registrar to contact without consulting a WHOIS database first.
Using the same sample, we discovered that 11 of the malicious domains were registered under GoDaddy.com, LLC. The number of domains under the management of the top 3 registrars is shown in the table below.
| Registrar | Number of Domains | Domains |
|---|---|---|
| PDR Ltd. d/b/a PublicDomainRegistry.com | 6 | fbi-unit[.]net |
These registrars can be contacted regarding the respective domains in the rightmost column. While they may not be aware of the nature of the domains under their management, they would know whom to contact in case these are categorized as harmful to Internet users. They could, should the law enforcement agents have the necessary legal documents, also pinpoint who the domains’ owners are.
Pinpoint Who May Be Behind a Malicious Campaign
Most importantly, though, you can use a WHOIS database to know who is likely behind an ongoing attack or a malicious campaign by looking at a domain’s registrant or registrant organization name.
For illustration purposes, let us say that fbinews[.]online was used to spread fake news. A WHOIS database can tell you that it is owned by an individual. Law enforcement agents with the proper documentation could then approach the individual for questioning, thus furthering the investigation.
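The three pivots described above (domain age, registrar, registrant) can be scripted over a batch of WHOIS records. The following is an added example, not code from the original post or from any WHOIS provider. Every WHOIS response in it is constructed: the domains, dates, registrars and registrant names are placeholders and are not the records of the domains discussed in the post. The 30-day window used to flag a domain as newly registered is an assumption, since the post does not state its threshold; the observation date of 2 January 2021 is the one the post uses.

```python
"""Triage suspicious domains from WHOIS records: age, registrar, registrant type.

Added example; not code from the original post. All WHOIS text here is
constructed placeholder data. The 30-day NRD window is an assumption.
"""
from collections import defaultdict
from datetime import date, datetime

# Observation date used in the post (2 January 2021); ages are computed against it.
AS_OF = date(2021, 1, 2)

# Constructed WHOIS responses in the common "Key: Value" text layout.
SAMPLE_WHOIS = {
    "placeholder-one[.]test": (
        "Domain Name: PLACEHOLDER-ONE.TEST\n"
        "Registrar: Placeholder Registrar A, Inc.\n"
        "Creation Date: 2020-12-28T10:15:00Z\n"
        "Registrant Organization: \n"
    ),
    "placeholder-two[.]test": (
        "Domain Name: PLACEHOLDER-TWO.TEST\n"
        "Registrar: Placeholder Registrar B, LLC\n"
        "Creation Date: 2019-06-15T00:00:00Z\n"
        "Registrant Organization: Placeholder Org LLC\n"
    ),
    "placeholder-three[.]test": (
        "Domain Name: PLACEHOLDER-THREE.TEST\n"
        "Registrar: Placeholder Registrar A, Inc.\n"
        "Creation Date: 2020-12-05\n"
        "Registrant Organization: \n"
    ),
    "placeholder-four[.]test": (
        "Domain Name: PLACEHOLDER-FOUR.TEST\n"
        "Registrar: Placeholder Registrar B, LLC\n"
        "Creation Date: 2020-11-20T08:00:00Z\n"
        "Registrant Organization: Another Placeholder Ltd.\n"
    ),
}


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; the first occurrence of a key wins."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or comment line
        key, value = key.strip(), value.strip()
        if key and key not in record:
            record[key] = value
    return record


def creation_date(record):
    """Creation date as a date, or None when the registry withholds it."""
    raw = record.get("Creation Date", "")
    if len(raw) < 10:
        return None
    # Accept '2020-12-28' and '2020-12-28T10:15:00Z'; only the date part matters.
    return datetime.strptime(raw[:10], "%Y-%m-%d").date()


def domain_age_days(record, as_of=AS_OF):
    """Days between creation and the observation date; None if creation is unknown."""
    created = creation_date(record)
    return None if created is None else (as_of - created).days


def is_newly_registered(record, as_of=AS_OF, threshold_days=30):
    """NRD flag: created within threshold_days of as_of (assumed 30-day window)."""
    age = domain_age_days(record, as_of)
    return age is not None and 0 <= age <= threshold_days


def registrant_type(record):
    """'organization' when a registrant organization is listed, else 'individual'."""
    return "organization" if record.get("Registrant Organization") else "individual"


def triage(whois_by_domain, as_of=AS_OF, threshold_days=30):
    """Per-domain summary of the three pivots: age, registrar, registrant type."""
    summary = {}
    for domain, text in whois_by_domain.items():
        rec = parse_whois(text)
        summary[domain] = {
            "registrar": rec.get("Registrar", "unknown"),
            "age_days": domain_age_days(rec, as_of),
            "nrd": is_newly_registered(rec, as_of, threshold_days),
            "registrant_type": registrant_type(rec),
        }
    return summary


def group_by_registrar(summary):
    """Registrar -> sorted domains: the view needed to request a takedown."""
    groups = defaultdict(list)
    for domain, info in summary.items():
        groups[info["registrar"]].append(domain)
    return {registrar: sorted(domains) for registrar, domains in groups.items()}


def nrd_share(summary):
    """Fraction of the sample flagged as newly registered."""
    if not summary:
        return 0.0
    return sum(1 for info in summary.values() if info["nrd"]) / len(summary)


if __name__ == "__main__":
    result = triage(SAMPLE_WHOIS)
    for domain, info in result.items():
        print(domain, info)
    print("NRD share:", nrd_share(result))
    for registrar, domains in group_by_registrar(result).items():
        print(f"{registrar}: {len(domains)} domain(s): {', '.join(domains)}")
```

Records whose creation date is withheld get an age of `None` and are never counted as newly registered, which matters for the point made earlier: a domain that fails the NRD check still belongs in the deep dive, so the age filter should narrow attention, not drop records.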
This post featured just three of the many ways to pivot cybersecurity research off a WHOIS database. There are many more using the various data points (e.g., contact email address, registrant street address, registrant phone number, etc.) available on WHOIS records.