
Collecting DNS Domains

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 3 min read

Summary:

The document outlines a method for collecting DNS permutations of domains from public WHOIS and DNS servers for use in other security management solutions (ESM). Specifically, it uses the open-source Python script dnstwist together with an ArcSight FlexConnector to give security analysts in the ArcSight ESM console information about domain name variations. This is crucial for defending organizations against phishing and related attacks, because potentially malicious domain names can be detected as permutations of the organization's own domains. The process involves running dnstwist as a scheduled job to generate domain name permutations, querying WHOIS servers for creation and modification dates, performing DNS lookups to confirm registration and retrieve NS and MX records, and parsing the CSV output into CEF (Common Event Format) for further processing by ArcSight ESM. This solution helps prevent data loss due to typos or phishing attempts by monitoring newly registered domains, or already-known ones, that could be used in phishing campaigns. The use case has been adapted from its original implementation at DHL and is now aimed at helping other organizations strengthen their cybersecurity measures against hostile actors attempting to exploit domain name permutations for malicious intent. The solution enhances visibility through data loss prevention (dlp), anti-replay botnet (arb), and phishing controls by identifying potential malicious domain names based on permutations of the targeted organization's name.

Details:

The document outlines a use case for collecting DNS permutations of domains from public WHOIS and DNS servers for use in other security management solutions (ESM). This is crucial for preventing potential data loss due to typos or phishing attempts. The solution uses the open-source Python script dnstwist together with an ArcSight FlexConnector, which provides security analysts in the ArcSight ESM console with information about domains that are permutations of the organization's owned domains. The use case is particularly aimed at defending organizations against phishing and related attacks by enumerating and monitoring domain name variations. It helps detect newly registered domains, or already-registered ones, that could be used in phishing campaigns, for example a phishing email in which a typo leads to "manager@hpF.com" instead of the correct "manager@hpe.com". Originally implemented for DHL, the solution has been adapted to assist other organizations in enhancing their cybersecurity measures against hostile actors attempting to exploit domain name permutations for malicious intent.

The text discusses DNS permutation algorithms, such as bitsquatting, homoglyph, repetition, transposition, replacement, omission, and insertion, applied to the targeted organization's domain. dnstwist generates these permutations from a configuration file containing domain names, including example.com. The purpose is to register the domains or to notify security teams when such domain names are registered, potentially indicating an impending attack. The process involves several stages:

1. A scheduled job runs dnstwist, which creates permutations of the domain names.
2. WHOIS queries provide the creation and modification dates of these domains.
3. DNS lookups confirm registration via IPv4 or IPv6 addresses and retrieve NS and MX records.
4. The FlexConnector parses the CSV output into CEF (Common Event Format) for further processing by ESM (Extended Security Manager).

The document is attached as "ArcSight DNS Permutation Use Case.zip" and was last modified on 3-Oct-2016, indicating its relevance at that time. The use case enhances visibility through dlp (data loss prevention), arb (anti-replay botnet), and phishing controls by identifying potential malicious domain names based on permutations of the targeted organization's name.

The original page is related to a case study on "Impact Metrics" and discusses the addition of categories. No comments are provided, but there seems to be an interest in sharing information about various assets including text, videos, presentations, and links. The page also mentions specific products such as iRock, SharePoint vs Jive, ArcSight demos, and SE/Partner demo licenses. The content is marked as final and shows no comments or interactions. It lists related articles titled "iRock is our best kept secret," "SharePoint likely will be substandard replacement to Jive," and a list of current ArcSight Demo Assets. There are also references to downloadable demo VMs, SE/Partner demo licenses, and other resources which could provide more detailed information or context on the mentioned topics. The page is part of a larger digital space managed by Jive Software, as indicated by the copyright notice at the bottom of the content block and their logo.
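As an added example (not the script or FlexConnector from the original use case), the following Python sketch shows stage 4: turning dnstwist-style CSV rows into CEF events that a connector could forward to ESM. The column names, the constructed sample rows, the CEF vendor/product fields and the severity rule (higher when the lookalike also has an MX record) are all assumptions made here, not taken from the post.

```python
import csv
import io

# Constructed sample in a dnstwist-like CSV layout. The column names are an
# assumption for this example; real dnstwist output may differ in columns.
SAMPLE_CSV = """fuzzer,domain,dns_a,dns_aaaa,dns_mx,dns_ns,whois_created
*original,example.com,93.184.216.34,,,a.iana-servers.net,1995-08-14
omission,exmple.com,,,,,
transposition,examlpe.com,203.0.113.10,,mail.examlpe.com,ns1.examlpe.com,2016-09-30
homoglyph,examp1e.com,198.51.100.7,,,ns1.examp1e.com,2016-10-01
"""


def cef_escape(value: str, header: bool = False) -> str:
    """CEF escaping: backslash and '|' in header fields, backslash and '=' in extensions."""
    value = value.replace("\\", "\\\\")
    if header:
        return value.replace("|", "\\|")
    return value.replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def parse_dnstwist_csv(text: str) -> list:
    """Keep only permutations that actually resolve (A or AAAA), skipping the original domain."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows
            if r["fuzzer"] != "*original" and (r["dns_a"] or r["dns_aaaa"])]


def to_cef(row: dict) -> str:
    """Render one registered permutation as a CEF:0 event line."""
    severity = 8 if row["dns_mx"] else 5  # mail-capable lookalikes rank higher
    header = "|".join(cef_escape(v, header=True) for v in (
        "CEF:0", "dnstwist", "DNS Permutation", "1.0",
        row["fuzzer"], "Registered domain permutation", str(severity)))
    ext = {"dhost": row["domain"],
           "cs1Label": "fuzzer", "cs1": row["fuzzer"],
           "cs2Label": "mx", "cs2": row["dns_mx"],
           "cs3Label": "ns", "cs3": row["dns_ns"],
           "cs4Label": "whoisCreated", "cs4": row["whois_created"]}
    if row["dns_a"]:
        ext["dst"] = row["dns_a"]  # dst is an IPv4 field in CEF
    return header + "|" + " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())


def convert(text: str = SAMPLE_CSV) -> list:
    """Full stage-4 pass: CSV text in, one CEF line per resolving permutation out."""
    return [to_cef(r) for r in parse_dnstwist_csv(text)]


if __name__ == "__main__":
    for line in convert():
        print(line)
```

The unregistered "omission" row is dropped, so only lookalikes that already resolve reach the analyst's console.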

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.

