The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.
In this Security Spotlight, we’ll be talking about a cool open-source integration that helps organizations monitor for domain name abuse.
Why You Need To Detect Domain Name Abuse
In today’s interconnected landscape, most organizations find that the image they project often carries as much importance as the tangible value they provide. When your brand and name are integral to your business, monitoring for their misuse, which could potentially harm your profile, becomes crucial.
Although the motives behind domain name abuse vary widely, and may not all be illegal, it is certainly a method employed by malicious actors seeking to compromise victims. A classic application of this tactic involves creating a deceptive login page that spoofs your own external-facing websites, with the aim of deceiving people into divulging their credentials.
Unfortunately, domain name abuse has been around for as long as domain names have been in existence. In fact, attackers have been growing smarter with their methods for spoofing or modifying domain names.
Hence, the DNSTwist tool is truly an excellent example of great security intelligence open-source content that’s available to all. By consuming this into LogRhythm, you can harness DNSTwist intelligence in a myriad of ways, including the detection of potentially suspicious domains.
How to Monitor Domain Name Abuse
The tool DNSTwist, developed by Marcin Ulikowski, operates by taking your domain name as a seed, generating a list of potential phishing domains, and subsequently checking to see if they are registered. In addition, it can test if the mail server from MX record can be used to intercept misdirected corporate emails and if it can generate fuzzy hashes of web pages to determine if they are live phishing sites.
DNSTwist is a Python-based script that generates a list of phishing domains in CSV format using a diverse range of techniques, including homoglyphs, where a single letter in the domain name is substituted with a similar looking one, and bitsquatting, which leverages a small portion of systems facing hardware errors that results in the mutation of an otherwise correctly resolved domain name.
How Can LogRhythm Help You?
To utilize DNSTwist, we first need to run the script on a schedule via Cron in order to pull the latest data into a CSV file which can then be ingested using flat file ingestion. After ingestion, the LogRhythm team has developed a MPE rule that will normalize the data into a standard format, readying it for presentation into dashboards or usage in correlation rules.
The dashboard provided as part of this use case demonstrates that by parsing the data into suitable metadata fields, we can highlight potentially bad permutations of the LogRhythm.com URL. These can then be manually or, through SmartResponse, added to a list for further use in AI Engine rules or Saved Searches.
For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.
For other Security Spotlight episodes, you can access the full playlist here.