ThreatConnect Domain Thrasher
  • 01 Jul 2025

Overview

Domain squatting, or cybersquatting, is a sneaky tactic in which bad actors register misspelled or otherwise altered versions of popular domain names to hijack traffic, mislead users, or even steal personal information. Using techniques such as typosquatting, bitsquatting, and combosquatting, cybercriminals register domains that mimic real sites, providing them with a façade they can use to harvest user data, spread malware, and phish for login credentials. Every mistyped domain or accidental click that lands on a fake site instead of yours is a potential risk. In today’s threat landscape, protecting your brand means guarding not just your main domain, but also every letter around it.

ThreatConnect® Domain Thrasher is a purpose-built capability that helps you investigate and detect spoofed domains before they become a problem for your organization. You can use it to automate and track proactive investigations into registered domain variants for your organization’s online assets and the IP addresses to which they resolve, equipping you with the information you need to take action against the squatted domains.

ThreatConnect Domain Thrasher is powered by two Playbooks that identify, import, and enrich registered squatting variants for given domains and a dashboard that you can use to track registered domain squats and related information. Registered squatting variants and related DNS and other records (e.g., CNAME, MX, and NS) are imported into ThreatConnect as Host Indicators, and resolved IP addresses are imported as Address Indicators, with custom Attributes and Tags that provide identification and enrichment data.

Before You Start

User Roles

  • To install the ThreatConnect Domain Thrasher Attribute Types file on the System level on your ThreatConnect instance and to configure the Attribute Types, you must have a System role of Administrator.
  • To import the ThreatConnect Domain Thrasher dashboard and to share the dashboard to your Organization, your user account can have any Organization role.
  • To import the ThreatConnect Domain Thrasher Playbooks into your Organization and to configure the Playbooks, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.

Prerequisites

  • DNSTwist Playbook App version 2.0.x installed on your ThreatConnect instance.
    Note
    To verify that version 2.0.x of the DNSTwist Playbook App is installed on your ThreatConnect instance, search for “dnstwist” (without the quotation marks) on the Installed tab of the TC Exchange™ Settings screen with Apps selected from the dropdown at the upper left. If you do not see version 2.0.x of the DNSTwist Playbook App, please contact your Customer Success Manager for further assistance.
  • ThreatConnect Domain Thrasher.zip file downloaded to your local drive. Please contact your Customer Success Manager to request this file.
  • To have access to Playbooks on your ThreatConnect instance, turn on the playbooksEnabled system setting (must be a System Administrator to perform this action).
  • To have access to Playbooks in your Organization, turn on the Enable Playbooks permission on the Permissions tab of the Organization Information window when editing your Organization on the Organizations tab of the Account Settings screen (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).
  • To import and share dashboards, turn on the Enable Custom Dashboards permission on the Permissions tab of the Organization Information window when editing your Organization on the Organizations tab of the Account Settings screen (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).

ThreatConnect Domain Thrasher Contents

ThreatConnect Domain Thrasher is provided as a ThreatConnect Domain Thrasher.zip file that includes the following components:

  • Attribute Types package: domainthrasher-attributes.json
  • Playbooks:
    • Domain Thrasher - Domain Search.pbxz
    • Domain Thrasher - Create Associations.pbxz
  • Dashboard: Domain_Thrasher.tdb

Install and Configure ThreatConnect Domain Thrasher

Unzip the ThreatConnect Domain Thrasher.zip file. Then follow these steps to install and configure each component of ThreatConnect Domain Thrasher:

  1. Upload and configure the Attribute Types.
  2. Install and configure the Domain Thrasher dashboard.
  3. Install and configure the Domain Thrasher - Domain Search Playbook.
  4. Install and configure the Domain Thrasher - Create Associations Playbook.

Upload and Configure Attribute Types

The domainthrasher-attributes.json file contains a set of Attribute Types that the Playbooks in ThreatConnect Domain Thrasher leverage to process and enrich domain data stored as Attributes for imported Indicators:

  • Fuzzer
  • Registrar
  • Address Record (IPv4)
  • Address Record (IPv6)
  • Canonical Name Record (CNAME)
  • Mail Exchanger record (MX)
  • Nameserver record (NS)
  • Pointer record (PTR)
  • Start of Authority record (SOA)
  • Service Location record (SRV)
  • Text record (TXT)
  • Monitored Domain

Upload Attribute Types

Follow these steps to upload the domainthrasher-attributes.json Attribute Types at the System level on your ThreatConnect instance and create all required Attribute Types for ThreatConnect Domain Thrasher:

Important
It is recommended that you create the Attribute Types on the System level so that all owners on your ThreatConnect instance can leverage them.
  1. Hover over Settings on the top navigation bar and select System Settings.
  2. Select the Attribute Types tab.
  3. Click UPLOAD at the upper left.
  4. Click + SELECT FILE in the Upload Attributes window.
  5. Select the domainthrasher-attributes.json file.
  6. Click SAVE to create all the displayed Attribute Types at the System level.

Configure Attribute Types

The ThreatConnect Domain Thrasher dashboard requires three of the Attribute Types to be made available for grouping on dashboard cards.

Follow these steps to configure each of the Fuzzer, Registrar, and Monitored Domain Attribute Types:

Important
You will be following these steps three times, once for each of the three Attribute Types (Fuzzer, Registrar, and Monitored Domain).
  1. Hover over Settings on the top navigation bar and select System Settings.
  2. Select the Attribute Types tab.
  3. Click Edit in the Options column for the Attribute Type.
  4. Select the Enable in GroupBy checkbox at the lower left of the Configure Attribute Type window.
  5. Click SAVE to save the updated configuration for the Attribute Type.

Install and Configure Domain Thrasher Dashboard

The Domain Thrasher dashboard enables you to track registered domain squats and related information.

Install Domain Thrasher Dashboard

Follow these steps to install the Domain Thrasher dashboard:

  1. Select Import Dashboard from the Dashboard option on the top navigation bar.
  2. Select the Domain Thrasher - Dashboard.tdb file.

Configure Domain Thrasher Dashboard

Follow these steps to configure the Domain Thrasher Dashboard:

  1. Select Domain Thrasher from the My Dashboards section under the Dashboard option on the top navigation bar to view the Domain Thrasher dashboard.
    Note
    The Domain Thrasher dashboard cards will all display No Results at this time. The cards will populate with data after the Playbooks are installed, configured, and executed.
  2. Select Share Dashboard from the menu at the upper right of the Domain Thrasher dashboard screen and click SAVE to share the dashboard to your Organization with the name Domain Thrasher - Shared.
    Note
    To avoid confusion between dashboards with similar names, you can delete the original Domain Thrasher from My Dashboards if desired. Do not delete the Domain Thrasher - Shared dashboard.
  3. After it is fully installed and configured and has executed, ThreatConnect Domain Thrasher will populate domain variants into one of your ThreatConnect owners. Make sure that the owner you plan to select (most likely your Organization) is selected in My Intel Sources for the Domain Thrasher - Shared dashboard.
  4. Copy or otherwise note the URL for the Domain Thrasher - Shared dashboard. You will be pasting it when you configure the Settings App in the Domain Thrasher - Domain Search Playbook.

Install and Configure Domain Thrasher - Domain Search Playbook

The Domain Thrasher - Domain Search Playbook uses the DNSTwist Playbook App to generate, import, and enrich domain variants.

Install Domain Thrasher - Domain Search Playbook

Follow these steps to install the Domain Thrasher - Domain Search Playbook in your Organization:

  1. Click Playbooks on the top navigation bar.
  2. Hover over the NEW dropdown at the upper left of the Playbooks screen and select Import Playbook from the dropdown.
  3. Select the Domain Thrasher - Domain Search.pbxz file.
  4. Click NEXT on Step 2 (Playbook Preview) of the Import Playbook drawer.
  5. Click IMPORT on Step 3 (Components to Install) of the Import Playbook drawer.
    Note
    This step will install the Domain Thrasher - Processing Data Component Playbook Component in your Organization.
  6. Click IMPORT to import the Domain Thrasher - Domain Search Playbook into your Organization.

Configure Domain Thrasher - Domain Search Playbook

Follow these steps to configure the Domain Thrasher - Domain Search Playbook (Figure 1):

  1. Configure the Domain Thrasher - Domain Search Playbook’s Trigger.
  2. Configure the Settings App.
  3. Configure the DNSTwist App.
  4. Activate the Domain Thrasher - Processing Data Component Playbook Component.
  5. Activate the Domain Thrasher - Domain Search Playbook.

Figure 1_ThreatConnect Domain Thrasher_7.9.2

 

Configure Domain Thrasher - Domain Search Playbook Trigger

The Domain Thrasher - Domain Search Playbook is executed with a Timer Trigger, which runs the Playbook on a set schedule, allowing you to search for domain squats regularly and as often as you need.

Follow these steps to configure the Domain Thrasher - Domain Search Playbook’s Timer Trigger:

  1. Double-click the Timer Trigger (Figure 1) to edit it.
  2. Fill out the fields in the Edit Trigger drawer (Figure 2) as follows:

     

    • Timer Name: Retain Timer Trigger as the Trigger's name.
    • Schedule: Select the frequency at which you want the Playbook to execute. Your selection will determine the available configuration options under the Schedule dropdown:
      • Daily: Select this option to run the Playbook at least one time per day.
        • Job Repeating: (Optional) Select this checkbox to run the Playbook more than one time per day. After you select this checkbox, configure the following options to define when and how often the Playbook will run each day:
          • Job Repeating Starting Hour: (Required) Enter the time at which the Playbook should start to run each day.
          • Job Repeating Ending Hour: (Required) Enter the time at which the Playbook should finish running each day.
          • Repeating Interval Time (Minutes): (Required) Enter the interval, in minutes, at which the Playbook will run. For example, if you enter 5, the Trigger will run every 5 minutes between the Job Repeating Starting Hour and the Job Repeating Ending Hour.
        • Daily Time (UTC): If you did not select the Job Repeating checkbox, then the Playbook will run one time per day. Enter the time of day at which the Playbook should run.
          Important
          Make sure to adjust the time you enter to the UTC time zone.
      • Weekly: Select this option to run the Playbook at least one time per week.
        • Weekly Time (UTC): Enter the time of day at which the Playbook should run.
          Important
          Make sure to adjust the time you enter to the UTC time zone.
        • Weekly Day(s): Select one or more days of the week on which the Playbook should run.
      • Monthly: Select this option to run the Playbook at least one time per month.
        • Monthly Time (UTC): Enter the time of day at which the Playbook should run.
          Important
          Make sure to adjust the time you enter to the UTC time zone.
        • Monthly Day(s): Select one or more days of the month on which the Playbook should run.
          Important
          Make sure to adjust the time you enter to the UTC time zone.
      • Advanced: Select this option to enter a standard Quartz Cron expression to set a granular schedule for the Playbook’s execution.
        • Cron Expression: Enter a standard Quartz Cron expression that determines the Playbook’s execution schedule. To view examples, click Display Documentation at the upper right of the Edit Trigger drawer (Figure 2) and scroll to the “Advanced Expressions” section of the Documentation drawer.
  3. Click SAVE to save the Trigger’s configuration.

Configure Settings App

The Settings App determines the ThreatConnect owner into which domain variants are imported, the email addresses to which notifications about newly identified domain variants are sent, and the dashboard that receives the data processed by ThreatConnect Domain Thrasher.

Follow these steps to configure the Settings App in the Domain Thrasher - Domain Search Playbook:

  1. Double-click the ⚙️ SETTINGS - CHANGE ME App (Figure 1) to edit it.
  2. Make the following changes in the Edit App drawer (Figure 3):

     

    • Job Name: Retain ⚙️ SETTINGS - CHANGE ME as the Job's name.
    • source_name: The source_name variable represents the owner into which ThreatConnect Domain Thrasher will import enriched domains and DNS and related records (as Host Indicators) and resolved IP addresses (as Address Indicators). The default owner is your Organization, represented by #gbl.org.name. If you want to select a different owner, click Edit in the source_name row of the table. The Value field under Variables will display the current value for the source_name key. Replace the current value with the name of the owner you want to receive data imported from ThreatConnect Domain Thrasher, and then click Save.
      Important
      If you change the value for the source_name variable, the new value must be an exact match to the name of one of your ThreatConnect owners.
    • emails_comma_separated: The emails_comma_separated variable represents a list of one or more email addresses to which you want ThreatConnect Domain Thrasher to send notifications about newly imported domain variants. Click Edit in the emails_comma_separated row of the table. The Value field under Variables will display the current value for the emails_comma_separated key. Replace the default value with one or more email addresses you want to receive notifications from ThreatConnect Domain Thrasher, separating each email address with a comma, and then click Save. If you do not want ThreatConnect Domain Thrasher to send email notifications, delete the default value, and then click Save.
    • dashboard_url: The dashboard_url variable represents the URL of the dashboard that will track data from ThreatConnect Domain Thrasher. Click Edit in the dashboard_url row of the table. The Value field under Variables will display the default value for the dashboard_url key. Replace the default value with the URL you copied in Step 4 when configuring the Domain Thrasher dashboard, and then click Save.
  3. Click SAVE to save the App’s configuration.

Configure DNSTwist App

The DNSTwist App applies the DNSTwist algorithm to one or more given domains to identify variants that can be used for forms of cybersquatting such as typosquatting and combosquatting.

Follow these steps to configure the DNSTwist App in the Domain Thrasher - Domain Search Playbook:

  1. Double-click the DNSTwist App (Figure 1) to edit it.
  2. Fill out the fields in the Edit App drawer (Figure 4) as follows:

     

    • Job Name: Retain DNSTwist as the App’s name.
    • Action: Select one of the following options from the dropdown:
      • Multiple Domains: Select this option, which is the default, if you want the App to identify domain variants for more than one domain.
      • Single Domain: Select this option if you want the App to identify domain variants for only one domain.
    • Domains Map: Replace the default value with one or more domains for which you want to identify variants, separating each domain with a comma.
      Note
      This option will be available only if you select Multiple Domains from the Actions menu.
    • Domain Name: Enter a single domain for which you want to identify variants.
      Note
      This option will be available only if you select Single Domain from the Actions dropdown.
    • Return Only Registered Domains: Select this checkbox to have the DNSTwist App return only variants that are registered domains.
      Important
      It is recommended that you keep the Return Only Registered Domains checkbox selected, as ThreatConnect Domain Thrasher’s intended use case is to track only registered domain variants.
    • Nameservers: (Optional) Enter one or more custom nameservers to use for performing DNS requests, separating each nameserver with a comma.
  3. Click SAVE to save the App’s configuration.

Activate Domain Thrasher - Processing Data Component Playbook Component

The Domain Thrasher - Processing Data Component Playbook Component processes the domain variants identified by the DNSTwist App in the Domain Thrasher - Domain Search Playbook. It imports and enriches the domain variants and their DNS and other related records and resolved IP addresses. The orange Process Data box in the Domain Thrasher - Domain Search Playbook is the Component’s Trigger—that is, it calls the Component to execute after the DNSTwist App has executed.

Follow these steps to activate the Domain Thrasher - Processing Data Component Playbook Component:

  1. Select View from the Process Data Component Trigger’s menu in the Domain Thrasher - Domain Search Playbook (Figure 1) to open a tab for the Component in the Playbook Designer (Figure 5).

     

  2. Select Active from the Mode dropdown at the upper right of the Domain Thrasher - Processing Data Component tab in the Playbook Designer to activate the Domain Thrasher - Processing Data Component Playbook Component.

Activate Domain Thrasher - Domain Search Playbook

Select Active from the Mode dropdown at the upper right of the Domain Thrasher - Domain Search tab in the Playbook Designer (Figure 1) to activate the Domain Thrasher - Domain Search Playbook.

Install and Configure Domain Thrasher - Create Associations Playbook

The Domain Thrasher - Create Associations Playbook creates associations between the domains, DNS and related records, and resolved IP addresses provided and imported in the Domain Thrasher - Domain Search Playbook.

Install Domain Thrasher - Create Associations Playbook

Follow these steps to install the Domain Thrasher - Create Associations Playbook in your Organization:

  1. Click Playbooks on the top navigation bar.
  2. Hover over the NEW dropdown at the upper left of the Playbooks screen and select Import Playbook from the dropdown.
  3. Select the Domain Thrasher - Create Associations.pbxz file.
  4. Click IMPORT to import the Domain Thrasher - Create Associations Playbook into your Organization.

Configure Domain Thrasher - Create Associations Playbook

Follow these steps to configure the Domain Thrasher - Create Associations Playbook (Figure 6):

Figure 6_ThreatConnect Domain Thrasher_7.9.2

 

  1. Double-click the Host Trigger (Figure 6) to edit it.
  2. Fill out the fields on Step 1 (Configure) of the Edit Trigger drawer (Figure 7) as follows:

     

    • Trigger Name: Retain Host Trigger - CHANGE ME as the Trigger's name.
    • Click NEXT.
  3. Fill out the fields on Step 2 (Action) of the Edit Trigger drawer (Figure 8) as follows:

     

    • Owners: Select the owner you chose for the source_name variable when configuring the Settings App (Figure 8) from the Owners dropdown.
    • Click NEXT.
      Hint
      If you retained the default owner (#gbl.org.name) as the source_name variable in the Settings App, select your Organization from the Owners dropdown.
  4. Click SAVE on Step 3 (Filters) of the Edit Trigger drawer.
  5. Select Active from the Mode dropdown at the upper right of the Domain Thrasher - Create Associations tab in the Playbook Designer (Figure 6) to activate the Domain Thrasher - Create Associations Playbook.

Using ThreatConnect Domain Thrasher

After the Playbooks in ThreatConnect Domain Thrasher execute for the first time, the following events will occur:

Domain Thrasher Dashboard

The Domain Thrasher dashboard (Figure 9) displays cards with information related to registered domain squats identified by ThreatConnect Domain Thrasher, including the following:

  • Recently registered squat domains and the geographic location of their associated DNS records
  • Prevalence of squatting strategy for recently registered squat domains
  • DNS records of various types for your domains and the squat domains identified for them
  • Breakdowns of squat domains, resolved IP addresses, and DNS records of various types by monitored domain

Figure 9_ThreatConnect Domain Thrasher_7.9.2

 

Imported Indicators

ThreatConnect Domain Thrasher imports the following data as Host Indicators in the ThreatConnect owner selected in ThreatConnect Domain Thrasher’s configuration:

  • Registered domains identified as squatting variants of the domains provided to ThreatConnect Domain Thrasher.
  • Canonical name records for registered domains identified as squatting variants of the domains provided to ThreatConnect Domain Thrasher.
  • Mail Exchanger records for registered domains identified as squatting variants of the domains provided to ThreatConnect Domain Thrasher.
  • Nameserver records for registered domains identified as squatting variants of the domains provided to ThreatConnect Domain Thrasher.

ThreatConnect Domain Thrasher imports the following data as Address Indicators in the ThreatConnect owner selected in ThreatConnect Domain Thrasher’s configuration:

  • IPv4 and IPv6 address (DNS) records for IP addresses resolving to the domains provided to ThreatConnect Domain Thrasher.
  • IPv4 and IPv6 address (DNS) records for IP addresses resolving to registered domains identified as squatting variants of the domains provided to ThreatConnect Domain Thrasher.

ThreatConnect Domain Thrasher automatically creates associations between domains or registration records imported as Host Indicators and their resolved IP addresses imported as Address Indicators. When investigating Indicators imported by ThreatConnect Domain Thrasher, you can refer to their Attributes for details on squatting technique, registration information, and related nameserver records.

Domain Thrasher Tags

The Tags listed in Table 1 are added to Indicators that ThreatConnect Domain Thrasher imports into the ThreatConnect owner selected in the Playbooks’ configuration. You can search and pivot on these Tags, as well as explore their associations in Threat Graph.

 

Table 1

| Tag | Indicator Type | Description |
|---|---|---|
| Address record (IPv4) | Address | Added to resolved IPv4 address (DNS) records for domains provided to ThreatConnect Domain Thrasher and for registered domain variants identified by ThreatConnect Domain Thrasher. |
| Address record (IPv6) | Address | Added to resolved IPv6 address (DNS) records for domains provided to ThreatConnect Domain Thrasher and for registered domain variants identified by ThreatConnect Domain Thrasher. |
| Canonical Name (CNAME) | Host | Added to CNAME records identified for domains provided to ThreatConnect Domain Thrasher and for registered domain variants identified by ThreatConnect Domain Thrasher. |
| DNStwist | Address, Host | Added to all Indicators imported from ThreatConnect Domain Thrasher. |
| Domain: Registered | Host | Added to registered domain variants identified by ThreatConnect Domain Thrasher. |
| Fuzzer: <type> | Host | Added to registered domain variants identified by ThreatConnect Domain Thrasher to indicate the squatting technique. Possible types include the following: addition, bitsquatting, insertion, replacement, homoglyph, omission, subdomain, transposition, vowel-swap, repetition, hyphenation, various, dictionary, plural, and *original. |
| Mail Exchanger record (MX) | Host | Added to Mail Exchanger records identified for domains provided to ThreatConnect Domain Thrasher and for registered domain variants identified by ThreatConnect Domain Thrasher. |
| Nameserver record (NS) | Host | Added to nameserver records identified for domains provided to ThreatConnect Domain Thrasher and for registered domain variants identified by ThreatConnect Domain Thrasher. |

Note
*original indicates that the domain is an original domain entered into the ThreatConnect Domain Thrasher configuration, that is, a domain for which you are investigating squatting variants.
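
To make the Fuzzer: <type> values in Table 1 concrete, the following added example (not code from ThreatConnect or from the DNSTwist App) implements simplified generators for six of the listed types and labels an observed domain with every type that would produce it from a monitored domain. All function names are hypothetical, the observed names are constructed, and the sketch assumes the first label of the domain is the registrable name.

```python
# Added example: simplified variant generators for six of the fuzzer types
# named in Table 1. Not the DNSTwist App's code; all names are illustrative.
LDH = set("abcdefghijklmnopqrstuvwxyz0123456789-")
VOWELS = "aeiou"


def _valid(label):
    """DNS label rules: 1-63 LDH characters, no leading or trailing hyphen."""
    return (0 < len(label) <= 63 and set(label) <= LDH
            and label[0] != "-" and label[-1] != "-")


def omission(s):        # drop one character
    return {s[:i] + s[i + 1:] for i in range(len(s))}


def repetition(s):      # double one character
    return {s[:i] + s[i] + s[i:] for i in range(len(s))}


def transposition(s):   # swap two adjacent characters
    return {s[:i] + s[i + 1] + s[i] + s[i + 2:] for i in range(len(s) - 1)}


def hyphenation(s):     # insert a hyphen between two characters
    return {s[:i] + "-" + s[i:] for i in range(1, len(s))}


def vowel_swap(s):      # replace one vowel with a different vowel
    return {s[:i] + v + s[i + 1:]
            for i, c in enumerate(s) if c in VOWELS
            for v in VOWELS if v != c}


def bitsquatting(s):    # flip one bit of one character's ASCII code
    out = set()
    for i, c in enumerate(s):
        for bit in range(8):
            flipped = chr(ord(c) ^ (1 << bit))
            # Keep only hostname characters; an uppercase flip is the
            # same name in DNS, so it is not a distinct variant.
            if flipped in LDH:
                out.add(s[:i] + flipped + s[i + 1:])
    return out


FUZZERS = {
    "bitsquatting": bitsquatting, "hyphenation": hyphenation,
    "omission": omission, "repetition": repetition,
    "transposition": transposition, "vowel-swap": vowel_swap,
}


def variants(domain):
    """Map each fuzzer name to the sorted variants of `domain` it yields."""
    label, _, suffix = domain.lower().partition(".")  # assumption: first label
    result = {}
    for name, fuzz in FUZZERS.items():
        labels = {v for v in fuzz(label) if v != label and _valid(v)}
        result[name] = sorted(f"{v}.{suffix}" for v in labels)
    return result


def classify(observed, monitored):
    """Return every fuzzer name that turns `monitored` into `observed`."""
    observed = observed.lower().rstrip(".")
    return sorted(n for n, doms in variants(monitored).items()
                  if observed in doms)


if __name__ == "__main__":
    # Constructed sample of observed domain names, not real feed data.
    for name in ["exemple.com", "examlpe.com", "ex-ample.com", "example.org"]:
        print(name, classify(name, "example.com"))
```

A name can match more than one type: exemple.com is both a vowel-swap and a single-bit flip of example.com, so a single Fuzzer label does not always describe a variant uniquely.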

Email Notifications

When ThreatConnect Domain Thrasher identifies registered domain variants, it will send notifications providing the number of newly registered domains and a link to the Domain Thrasher - Shared dashboard to the email addresses provided in its configuration, ensuring that stakeholders are informed about potentially threatening domains as soon as they are discovered.

Note
To customize the email notification template, edit the Send Email App in the Domain Thrasher - Domain Search Playbook (Figure 1) when the Playbook is in Design Mode, change the contents of the Subject and Body parameters in Step 2 (Configure), and save the changes. Please reach out to your Customer Success Engineer with any questions about how to customize the email notification template for ThreatConnect Domain Thrasher.

ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.

20172-01 v.01.A