Whois Who? Mining Miscreant Registrant Records.

October 20, 2016


Kevin Bottomly

Threat actors, both individually and as groups, register thousands of domains per day. Often, whether to save money or out of plain laziness, they do not use any privacy guard service. Exposing the registrant email address to the public might seem like a minor issue, but one can start harvesting this information and storing it for later use.

In the beginning it can be a bit tedious and mundane, yet once enough sources and data points are gathered, it becomes relatively trivial to put the underlying pieces together and form a bigger picture, whether of a lone-wolf individual or an entire APT group. Starting with the underlying attributes of Whois data and why it exists, and moving on to advanced data mining schemas, this talk walks through building an effective system for creating, harvesting, storing, and tracking these data points, from simple text files up to scalable databases.

Kevin will talk about, and listeners will take away, how to get such a system up and running, including, but not limited to:

  • Designing a scalable architecture
  • What to do with the data once it starts to come in
  • How to use stemming and edit distance to find common patterns in domain naming conventions
  • Using IP addresses and ASNs to identify registrars that are more lax, as well as ones that are just in it for the profit
  • How to make the connections after your eyes come back into focus after looking at all the data
  • Takedown processes and working with registrars
  • What not to do in the beginning so you don't have to burn the entire thing down and start over again
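The two building blocks the abstract describes, harvesting registrant emails from raw Whois text and grouping a registrant's domains by edit distance and shared name tokens, look roughly like the following. This is an added illustration, not code from the talk or from the speaker; the Whois records are constructed (the field layout mimics common registrar output, but the domains, registrars and addresses are made up), the "last label is the TLD" shortcut stands in for a real public-suffix lookup, and token counting over hyphen-split labels is used here as a crude stand-in for proper stemming.

```python
"""Harvest registrant e-mails from WHOIS text, then cluster each
registrant's domains by Levenshtein distance and shared name tokens.
Constructed sample data; not real registrant records."""
import re
from collections import defaultdict

# Constructed WHOIS responses. Field names follow the usual
# "Domain Name:" / "Registrar:" / "Registrant Email:" layout; values are invented.
SAMPLE_WHOIS = [
    "Domain Name: secure-login-update.com\n"
    "Registrar: Example Registrar LLC\n"
    "Registrant Email: bad.actor@example.net",
    "Domain Name: secure-logln-update.com\n"
    "Registrar: Example Registrar LLC\n"
    "Registrant Email: bad.actor@example.net",
    "Domain Name: secure-login-updates.net\n"
    "Registrar: Other Registrar Inc\n"
    "Registrant Email: bad.actor@example.net",
    "Domain Name: kittens-photos.org\n"
    "Registrar: Other Registrar Inc\n"
    "Registrant Email: someone@example.org",
    "Domain Name: private-domain.com\n"
    "Registrar: Example Registrar LLC\n"
    "Registrant Email: REDACTED FOR PRIVACY",
]

FIELD_RE = re.compile(
    r"^\s*(Domain Name|Registrar|Registrant Email):\s*(.+?)\s*$", re.M | re.I
)


def parse_whois(text):
    """Return the tracked fields as a lower-cased dict keyed by field name."""
    return {key.lower(): val.lower() for key, val in FIELD_RE.findall(text)}


def harvest(records):
    """Index domains by registrant e-mail, skipping privacy-guarded records
    (anything that is not an address, e.g. 'REDACTED FOR PRIVACY')."""
    index = defaultdict(list)
    for text in records:
        rec = parse_whois(text)
        email = rec.get("registrant email", "")
        if "@" not in email:
            continue
        index[email].append(rec["domain name"])
    return dict(index)


def registrable_label(domain):
    """Drop the suffix so we compare the chosen name, not the TLD.
    Assumption: a single-label TLD; real code would use a public-suffix list."""
    return domain.rsplit(".", 1)[0]


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cluster_by_distance(domains, max_dist=2):
    """Single-linkage clustering: a domain joins (and merges) every cluster
    that has a member within max_dist edits of its label."""
    clusters = []
    for d in domains:
        label = registrable_label(d)
        near = [c for c in clusters
                if any(levenshtein(label, registrable_label(m)) <= max_dist for m in c)]
        merged = [d]
        for c in near:
            clusters.remove(c)
            merged.extend(c)
        clusters.append(merged)
    return clusters


def common_tokens(domains, min_count=2):
    """Count word-like tokens across a registrant's labels to surface naming
    themes. Hyphens and digits split tokens; this is a crude stand-in for stemming."""
    counts = defaultdict(int)
    for d in domains:
        for tok in set(re.split(r"[-\d]+", registrable_label(d))):
            if tok:
                counts[tok] += 1
    return {t: n for t, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for email, domains in harvest(SAMPLE_WHOIS).items():
        print(email, cluster_by_distance(domains), common_tokens(domains))
```

Run against the sample records, the privacy-guarded domain drops out, the three lookalike "secure-login-update" names land in one cluster under the same registrant address, and the token counts surface the "secure", "login", "update" theme that a human would otherwise have to spot by eye.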