Challenge

Building Extensive Domain Threat Profiles

Threat hunting does not stop at getting a list of potentially harmful domains. Each domain name has to be enriched with relevant intelligence to give security teams deeper context about the threat, and this enrichment is where DomainHunter adds value.

However, to give security teams relevant information, such as domain age, name servers, and registrant information, DomainHunter needed access to deep WHOIS intelligence. Without these critical registration data points, security professionals may find it difficult to accurately assess the legitimacy of domains.

Solution

Easy Integration and WHOIS Data Extraction

The developer created a Cloudflare Worker wrapper around WHOIS API to allow DomainHunter to query the tool and extract the necessary data points, namely:

  • Registrar details

  • Registration and expiration dates

  • Name servers

  • IP addresses the domain resolves to

  • Registrant information

  • Historical registration data

The IP address obtained from the WHOIS information is then used to further enrich the domain’s threat profile, specifically by analyzing the IP address’s hosting infrastructure using another intelligence API.
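The following is an added example, not DomainHunter's or WHOIS API's own code, of how such a Cloudflare Worker wrapper can be structured: it validates the domain handed to it, forwards the lookup to an upstream WHOIS JSON endpoint with the API key kept in a Worker environment binding, and reduces the raw record to the data points listed above plus a derived domain age. The upstream URL, the response field names (a `WhoisRecord` object with `registrarName`, `createdDate`, `expiresDate`, `nameServers.hostNames` and `registrant`), and the `WHOIS_API_KEY` binding are assumptions; the sample record is constructed.

```javascript
// Added example (assumed upstream schema and placeholder URL; not the vendor's code).
const UPSTREAM_URL = "https://whois-api.example/lookup"; // placeholder, not a real endpoint

// Hostname syntax check so a caller cannot smuggle query parameters or other
// junk into the upstream request (labels of 1-63 chars, total <= 253, alpha TLD).
const DOMAIN_RE = /^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$/i;

function validateDomain(input) {
  const d = String(input || "").trim().toLowerCase().replace(/\.$/, "");
  return DOMAIN_RE.test(d) ? d : null;
}

// Whole days since the WHOIS creation date; null when the date is missing or unparsable.
function domainAgeDays(createdDate, now = new Date()) {
  const created = new Date(createdDate);
  if (Number.isNaN(created.getTime())) return null;
  return Math.floor((now - created) / 86400000);
}

// Reduce an assumed-shape WHOIS JSON record to the fields DomainHunter reports on.
function extractThreatProfile(domain, whoisJson, now = new Date()) {
  const rec = (whoisJson && whoisJson.WhoisRecord) || {};
  const hostNames = (rec.nameServers && rec.nameServers.hostNames) || [];
  const reg = rec.registrant || {};
  const age = domainAgeDays(rec.createdDate, now);
  return {
    domain,
    registrar: rec.registrarName || null,
    created: rec.createdDate || null,
    expires: rec.expiresDate || null,
    ageDays: age,
    nameServers: hostNames.map((h) => String(h).toLowerCase()),
    registrant: {
      name: reg.name || null,
      organization: reg.organization || null,
      country: reg.country || null,
    },
    // Analyst hints: very young domains and privacy-masked registrants deserve a closer look.
    flags: {
      newlyRegistered: age !== null && age < 30,
      privacyProtected: /privacy|redacted|proxy/i.test(`${reg.name || ""} ${reg.organization || ""}`),
    },
  };
}

function jsonResponse(body, status = 200) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// Worker-style handler: DomainHunter calls GET /?domain=<name>. The API key is read
// from the Worker environment binding (assumed name WHOIS_API_KEY), so it is never
// exposed to the client that calls the wrapper.
const worker = {
  async fetch(request, env) {
    const domain = validateDomain(new URL(request.url).searchParams.get("domain"));
    if (!domain) return jsonResponse({ error: "invalid domain" }, 400);

    const upstream = new URL(UPSTREAM_URL);
    upstream.searchParams.set("domainName", domain);
    upstream.searchParams.set("outputFormat", "JSON");
    const resp = await fetch(upstream, {
      headers: { Authorization: `Bearer ${env.WHOIS_API_KEY}` },
    });
    if (!resp.ok) return jsonResponse({ error: "upstream lookup failed" }, 502);

    return jsonResponse(extractThreatProfile(domain, await resp.json()));
  },
};
// In a deployed Worker this object is exported: export default worker;

// Constructed sample record in the assumed upstream shape, for offline demonstration.
const SAMPLE_WHOIS = {
  WhoisRecord: {
    domainName: "login-secure-update.example",
    registrarName: "Example Registrar LLC",
    createdDate: "2024-05-01T10:00:00Z",
    expiresDate: "2025-05-01T10:00:00Z",
    nameServers: { hostNames: ["NS1.EXAMPLE-DNS.NET", "ns2.example-dns.net"] },
    registrant: { name: "REDACTED FOR PRIVACY", organization: "Privacy Proxy Inc", country: "PA" },
  },
};

// Profile of the constructed record as seen on 2024-05-15 (fixed clock for reproducibility).
function exampleProfile() {
  return extractThreatProfile("login-secure-update.example", SAMPLE_WHOIS, new Date("2024-05-15T00:00:00Z"));
}
```

Keeping the field reduction in `extractThreatProfile` separate from the network handler means the same function can also be run over historical WHOIS records pulled from a different endpoint, and it is the part worth unit-testing when the upstream schema changes.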

Results

Actionable Threat Intelligence

Comprehensive Threat Profiles

With the help of WHOIS API and other intelligence APIs, DomainHunter can create in-depth threat profiles of suspicious domains that encompass several factors, such as domain age, ownership legitimacy, hosting infrastructure, and website content.

Enriched Real-Time Threat Alerts

DomainHunter has the capability to send real-time notifications that contain a summary of the suspicious domain’s critical information, including its IP address, host, name servers, and registrar name. This quick summary allows security teams to assess specific threats at a glance, without needing to constantly check dashboards.