Domain

Overview

The analysis of domain indicators in the CoreTIS platform is split into two main tabs: “Detection” and “Details”. Each tab provides a unique set of data modules that give insights into the security posture of a domain.

Detection Tab for Domain Indicators

1. Antivirus Engine Analysis

Analyzes the domain against various antivirus engines to assess the threat level.

• Data Provided:
  • Number of engines that flagged the domain as malicious, suspicious, harmless, or undetected.
• Utility:
  • Provides a comprehensive view of how trusted antivirus sources rate the domain.
  • Assists in determining whether the domain is recognized as a threat across multiple security platforms.

2. User Abuse Report Analysis

Shows reports from users who have interacted with the domain and flagged it for abusive behavior.

• Data Provided:
  • The number of times reported and the confidence level of the reports.
• Utility:
  • Crowdsourced insights into the domain’s behavior and reputation.
  • Useful for understanding the types of threats the domain may be associated with.

3. Open Threat Exchange Analysis

Gathers threat intelligence from community-shared resources regarding the domain.

• Data Provided:
  • Counts of malware, DNS queries, URLs, and pulses associated with the domain.
• Utility:
  • Indicates the domain’s presence in threat intelligence feeds.
  • Helps identify associations with known malware and campaigns.

4. IP Blocklist Analysis

Indicates if the domain is listed in any IP-based blocklists.

• Data Provided:
  • The number of blocklists including the domain and threat status.
• Utility:
  • Useful for preemptively blocking potentially dangerous traffic.
  • Enhances domain reputation assessment.

Details Tab for Domain Indicators

1. Whois Information

Provides registration details for the domain.

• Data Provided:
  • Registration dates, contact information, and administrative details.
• Utility:
  • Essential for incident response and investigative actions.
  • Assists in ownership verification and historical tracking.

2. Communicating Files

Lists files that have been observed communicating with the domain.

• Data Provided:
  • File names and their respective threat analysis results.
• Utility:
  • Helps identify malicious payloads distributed by the domain.
  • Assists in understanding the domain’s role in an attack infrastructure.

3. Referring Files

Identifies files that refer to the domain within their content.

• Data Provided:
  • File details and the threat level assigned by antivirus scans.
• Utility:
  • Reveals potential sources of domain distribution or malicious campaigns.
  • Assists in the broader analysis of the attack vectors.

4. Siblings

Lists other domains that are within the same DNS hierarchy level.

• Data Provided:
  • Domain names that are considered siblings to the analyzed domain.
• Utility:
  • Unveils related domains that may be part of a connected network or fraud scheme.
  • Useful for expanding the scope of a security investigation.

5. Passive DNS

Collects historical DNS resolution data for the domain.

• Data Provided:
  • Historical DNS records and their resolution dates.
• Utility:
  • Offers a timeline of the domain’s resolution path.
  • Can uncover previously malicious associations.

6. SSL Certificate

Details about the SSL certificates used by the domain.

• Data Provided:
  • Certificate issue and expiration dates, issuer information, and encryption details.
• Utility:
  • Validates the security of the domain’s encrypted channels.
  • Detects anomalies or misconfigurations in SSL certificates that could indicate compromise.

Best Practices for Analysts

• Utilize the “Detection” tab to get an immediate sense of the domain’s threat level from various perspectives.
• Delve into the “Details” tab to gather in-depth technical and historical context.
• Continuously monitor changes in the data provided by these modules to track the domain’s threat evolution.