How WHOIS History Helps Cybersecurity Professionals Contextualize Threats

All cybersecurity professionals primarily want to keep their organizations safe from cyber attacks. Such a task entails several processes, including detecting, preventing, and mitigating cyber threats. And when a cyber threat gets through and results in a cyber incident, an investigation spearheaded by cybersecurity professionals ensues.

In all these processes, these cybersecurity experts use a wide range of techniques, tools, and systems. One tool explored in this post is a WHOIS history database offered by companies like DomainNameStat.

What Is a WHOIS History Database?

A WHOIS history database is a repository of domain ownership history data. Every domain name in the Domain Name System (DNS) has a corresponding WHOIS ownership record that is updated with each change of ownership or contact details. A plain WHOIS lookup for a particular domain would, therefore, only reveal its most recent WHOIS record.

To see domain name history details, you would need access to a WHOIS history database that contains historical WHOIS information. The data points found in the database include the registrar, registrant name, email address, street address, phone number, WHOIS server, and nameservers.

Contextualizing Threat Data with WHOIS History

Organizations typically use several security tools, each of which generates its own alerts. Security teams need to contextualize these alerts, which can be challenging since most companies receive thousands of alerts per day. Part of this flood is the threat data that security professionals receive from various security systems. By integrating a historical WHOIS database into those systems, they can further contextualize security alerts in terms of past connections to other indicators of compromise (IoCs) and known threat actors.

Domain Ownership History in Action: An Illustration

Consider a scenario where security teams receive threat alerts citing these eight subdomains:

  • 5g[.]2x69i[.]cn
  • 4g[.]2x69i[.]cn
  • news[.]2x69i[.]cn
  • app[.]2x69i[.]cn
  • wap[.]2x69i[.]cn
  • 3g[.]2x69i[.]cn
  • index[.]2x69i[.]cn
  • xs[.]2x69i[.]cn

All of the subdomains and their root domain (2x69i[.]cn) have not been cited for malicious activity on blocklist sites, such as VirusTotal and PhishTank. Because of the sheer volume of security alerts, it could take a while for investigators to look into these subdomains. But what if we take a look into the root domain’s domain name history?

Our WHOIS history database revealed that on 14 March 2020, the domain’s registrant email address was *****85938@*q[.]com. The database further tied this email address to 357 other domain names, some of which have been reported for malicious activity. Below are some of the domains that have been tagged as spam sources, suspicious, or malicious:

  • 0jx9me[.]cn
  • 01jope[.]cn
  • ydequkqb[.]cn
  • 125fw[.]cn
  • 16rn00[.]cn
  • 17q51[.]cn
  • 1kjue9[.]cn

Given the subdomains’ association with multiple malicious domains, these potential threat sources should probably be blocked from networks. Without intelligence from a WHOIS history database, the alerts tied to those subdomains could be treated as low priority or even tagged as false positives.
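The pivot described above, as an added example that is not DomainNameStat's code: take each alert hostname, reduce it to its root domain, collect every registrant email its WHOIS history ever recorded (not only the current, possibly privacy-redacted one), find other domains registered with those emails, and raise the alert's priority when any of them is blocklisted. The WHOIS history, blocklist verdicts, domain names and emails are all constructed placeholders standing in for a real database and threat feed.

```python
"""Contextualize alerts by pivoting through historical WHOIS registrant emails."""

# Constructed WHOIS history: root domain -> list of (record date, registrant email).
# The alert root's current record is privacy-redacted; only history exposes the pivot key.
WHOIS_HISTORY = {
    "alert-root.test": [
        ("2020-03-14", "reg85938@mail.test"),
        ("2021-05-01", "privacy@redacted-proxy.test"),
    ],
    "0aa1.test": [("2020-01-09", "reg85938@mail.test")],
    "0bb2.test": [("2020-02-20", "reg85938@mail.test")],
    "0cc3.test": [("2020-02-21", "reg85938@mail.test")],
    "clean-root.test": [("2018-06-01", "owner@legit-corp.test")],
    "other.test": [("2018-06-01", "owner@legit-corp.test")],
}
# Constructed blocklist verdicts (what a VirusTotal/PhishTank-style feed would return).
BLOCKLIST = {"0aa1.test": "spam", "0bb2.test": "malicious"}

def root_domain(hostname: str) -> str:
    """Strip subdomain labels; accepts defanged input. Assumes a single-label suffix (.cn, .test)."""
    labels = hostname.lower().rstrip(".").replace("[.]", ".").split(".")
    return ".".join(labels[-2:])

def registrant_emails(root: str) -> set:
    """Every registrant email ever recorded for the root domain, not just the latest."""
    return {email for _, email in WHOIS_HISTORY.get(root, [])}

def co_registered(emails: set, exclude: str) -> set:
    """Other domains whose WHOIS history shares any of the given registrant emails."""
    return {d for d, hist in WHOIS_HISTORY.items()
            if d != exclude and any(e in emails for _, e in hist)}

def enrich_alert(hostname: str) -> dict:
    """Score one alert by how many co-registered domains carry a blocklist verdict."""
    root = root_domain(hostname)
    linked = co_registered(registrant_emails(root), root)
    flagged = {d: BLOCKLIST[d] for d in linked if d in BLOCKLIST}
    priority = "high" if flagged else ("medium" if linked else "low")
    return {"hostname": hostname, "root": root, "linked": len(linked),
            "flagged": flagged, "priority": priority}

def prioritize(hostnames) -> list:
    """Enrich a batch of alert hostnames and order them highest priority first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((enrich_alert(h) for h in hostnames), key=lambda r: rank[r["priority"]])

if __name__ == "__main__":
    for r in prioritize(["www.clean-root.test", "5g.alert-root.test", "x.unknown.test"]):
        print(r["priority"], r["hostname"], r["linked"], r["flagged"])
```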

As shown, domain name history helps provide context to threat data and security alerts. As a result, security teams can prioritize alerts more accurately and promptly with the help of historical WHOIS data. It also helps security experts avoid incorrectly tagging alerts as false positives.

Digging into domain ownership history record details, such as registrant names, organizations, and email addresses, could unveil connections to malicious entities. This discovery can help cybersecurity professionals detect more threats, thereby preventing threat actors from using the tagged domains and subdomains against their organizations.