Iris Investigation Platform from DomainTools brings a special pedigree to the mission of gathering and correlating threat intelligence. Originally, the focus of the firm was buying and selling domain names, which meant creating a website to perform Whois lookups. Over 17 years of providing this research-intensive service across the internet, including IP profiles and screenshots of sites, DomainTools has amassed a world-class repository of generic and country code top-level domains.
A fundamental underpinning of the Iris Investigation Platform is its ability to gather and process vast amounts of internet data in a timely fashion. Consider that the DomainTools database includes around 330 million domains, each of which has multiple related data points, such as hosting IPs, name servers, registration/Whois data, tracking codes, screenshots, SSL certificates and many more. The firm continues to process some 250,000 records daily, an average 5,000 of which are newly registered domains.
DomainTools can be confident in the proprietary Domain Risk Score displayed in Iris because it is "seeded" by well-known domain blacklists. These lists are consumed and then augmented with closely connected domains and with other domains that resemble (according to machine learning classifiers developed by internal R&D) domains registered with malicious intent.
The blacklists contain approximately three million domains, with more than 40 million likely malicious domains added through link analysis and machine learning.
We began searching in Iris by looking up a domain, and soon found ourselves engaged in the platform's pivot engine interface. Pivots are what DomainTools refers to as "starting points" in an investigation. A lot of information about the domain is displayed in this interface, including name server, Whois, website response, expiration date, creation date, registrar status and contact information. Anything highlighted in blue indicated an interesting pivot, which is the system's signal to analysts that some unique attributes look abnormal. Investigators would, at this point, pivot deeper into the IP to view the risk scores of other IPs associated with the domain under review.
The risk scores for these domains are predicated on proximity and known threat profile. Proximity refers to how closely connected the domain under investigation is to others known to have a history of being blacklisted. The 0-100 scale is a prediction-based score, not an observation-based score. A key dataset Iris maintains, known as Passive DNS, is used to observe DNS traffic and record the subdomains tied to the parent domain.
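To make the proximity and pivot concepts above concrete, here is an added illustrative example (not DomainTools' proprietary scoring or Iris code): a seed blacklist, constructed domain records carrying a hosting IP, name server and registrant e-mail, a proximity score based on how many of a domain's attributes are shared with a blacklisted domain, and a pivot finder that surfaces attributes shared by only a handful of domains. The record fields, the fan-out limit and the 50-point augmentation threshold are assumptions chosen for the demonstration.

```python
"""Illustrative proximity scoring and pivot discovery over constructed domain records.

Added example; it models the ideas described in the text (seed blacklist,
risk inherited through shared infrastructure, low fan-out attributes as
pivots) and is not the vendor's actual algorithm.
"""
from collections import defaultdict

# Constructed sample records (documentation-range IPs, .example names).
RECORDS = {
    "bad-seed.example":       {"ip": "203.0.113.10", "ns": "ns1.cheap-host.example", "email": "a@mail.example"},
    "lookalike-bank.example": {"ip": "203.0.113.10", "ns": "ns1.cheap-host.example", "email": "b@mail.example"},
    "shop.example":           {"ip": "198.51.100.5", "ns": "ns1.bighost.example",    "email": "c@mail.example"},
    "blog.example":           {"ip": "198.51.100.6", "ns": "ns1.bighost.example",    "email": "d@mail.example"},
    "news.example":           {"ip": "198.51.100.7", "ns": "ns1.bighost.example",    "email": "e@mail.example"},
}
SEED_BLACKLIST = {"bad-seed.example"}
PIVOT_MAX_FANOUT = 2  # assumed: an attribute shared by 2..N domains is a usable pivot


def attribute_index(records):
    """Map each (attribute, value) pair to the set of domains carrying it."""
    index = defaultdict(set)
    for domain, attrs in records.items():
        for key, value in attrs.items():
            index[(key, value)].add(domain)
    return index


def interesting_pivots(domain, records, max_fanout=PIVOT_MAX_FANOUT):
    """Attributes of `domain` shared by at least one other domain but no more than `max_fanout` in total.
    A value seen on only one domain leads nowhere; one seen on thousands is too noisy to pivot on."""
    index = attribute_index(records)
    return sorted(key for key, val in records[domain].items()
                  if 2 <= len(index[(key, val)]) <= max_fanout)


def proximity_score(domain, records, blacklist):
    """0-100 prediction: share of `domain`'s attributes also seen on a blacklisted domain."""
    if domain in blacklist:
        return 100
    index = attribute_index(records)
    attrs = records[domain]
    hits = sum(1 for key, val in attrs.items() if index[(key, val)] & blacklist)
    return round(100 * hits / len(attrs))


def augmented_blacklist(records, seed, threshold=50):
    """One round of link analysis: seed list plus every domain scoring at or above `threshold`."""
    return seed | {d for d in records if proximity_score(d, records, seed) >= threshold}
```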
While Iris is the primary user interface (UI) for the platform, skilled analysts can build their own integrations against the API. In fact, some pre-built integrations are already included. The goal is to broaden all avenues of intelligence by enriching the DomainTools data through a process that often takes place in the customer's SIEM or another threat intelligence platform. To this end, Iris has specific integrations with Splunk, IBM QRadar, MISP, ThreatConnect, Recorded Future and Anomali.
For support, the company offers dedicated 16/5 (8 hours each for Americas and EMEA business hours) email and phone support, as well as free monthly recorded webinars and user guides to improve investigations and delve deeper into the features and functionality of the platform. The DomainTools Enterprise Membership license is based on query volume (not the number of users).