Data enrichment is a threat intelligence mechanism that allows security teams to pinpoint the origin, function and risk level of a domain or IP address, by applying multiple categories and sub-categories that provide up to 10x more context than standard DNS lookups and queries are able to provide.

Enrichment is less about volume, and more about creating meaningful relationships between billions of disparate data points. Each enrichment category is designed to help defenders and threat hunters track attacker infrastructure across the IPv4 and IPv6 space.

Stale, unenriched DNS data cannot be truly relied upon as an actionable intelligence source. Security teams who don’t perform data enrichment as part of their threat analysis procedures are working with incomplete datasets, which can lead to flawed decision making and a higher risk of intrusion.

Data enrichment using Silent Push

To map out attacker infrastructure, Silent Push collects information across 100+ domain and IP enrichment categories that contextualize an observable’s presence on the Internet, including risk level, web content (headers, hash values, on-page data), certificates, geographic location, passive DNS data, and the reputation of associated infrastructure.

Data enrichment outputs Indicators of Future Attack (IOFAs) – intelligence data that tells security teams where an attack is coming FROM, rather than where it’s BEEN.

Defenders and threat hunters are able to use enriched data to join the dots across the global IPv4 and IPv6 space, and track the underlying infrastructure behind an attack, rather than relying on publicly available post-breach IOCs that rely on a single point in time.

Summary

In this blog, we’ll show you how to enrich a domain or IP, what each enrichment category means, and how to use enriched data in a live environment.

Data independence

We’re often asked how we are able to provide so much categorization for each piece of observable data. We achieve this by collecting and owning our own first-party data, via a concept we call ‘data independence’.

Controlling our own data allows us to add a near-infinite amount of context, and produce operationalized intelligence that’s adaptable to a range of workflows.

Security teams typically have to use somewhere in the region of three to four vendor platforms to gather intelligence. Data enrichment outputs self-contained searchable spaces relating to specific attack vectors, that require zero third-party intervention to turn into useable intelligence.

How to perform data enrichment using Silent Push

Data enrichment can be done in two ways, and is available for both Community and Enterprise users:

1. From the search bar on the top right of the platform
2. Via the Enrichment menu

Here’s a short YouTube video that covers the basics of how to enrich an observable, and how to interpret the data.

Data enrichment categories

We spread out data enrichment across six bitesize categories, each with its own part to play in telling a story about a domain or IP:

1. ‘Enrichment Highlights’
2. ‘Basic Information’
3. ‘Enriched Attributes’
4. ‘Custom Attributes’
5. ‘Live Threat Feeds’
6. ‘Scan Data’

Each category contains both standardized data, and categorization that is unique to Silent Push. Most of our data enrichment categories aren’t available anywhere else, without performing a considerable amount of supplementary analysis

Let’s take a look at each Enrichment category in turn…

1. ‘Enrichment Highlights’

Enrichment Highlights appear at the very top of the Enrichment page. These are a family of scores and numerical values tailored to the enriched data type, that act as reliable indicators of an observable’s risk level.

Data enrichment highlights differ based on the type of observable you’re working with – i.e. a domain or an IPv4/v6 address.

Domain data enrichment highlights include:

• IP reputation
• ASN reputation
• ASN takedown reputation
• ASN Rank
• Subnet reputation
• Curated Feeds History Score
• IP density
• Open S3 buckets

IP data enrichment highlights include:

• NS Reputation
• NS Entropy
• Curated Feeds History Score
• ASN Diversity
• IP Diversity
• Age
• Registrar
• Open S3 buckets

2. ‘Basic Information’

The Domain/IP Information data enrichment sub-category does what it says on the tin – it tells you when a domain or IP was first seen, last seen, its age, and an infratag that summarizes key information.

For domains, WHOIS Information provides standard WHOIS data, related to age, ownership and geographic location.

For IP addresses, the Geo sub-category lists the continent, country, and country code.

The DNS Records category details displays a numerical count of visible DNS records per type, and allows you to perform additional passive DNS lookups with one click.

3. ‘Enriched Attributes’

Enriched Attributes outlines a domain or IP’s relationship with the rest of the Internet, including the hosting infrastructure its used over time, its appearance in threat feeds, and how often it’s jumped between nameservers:

IP Diversity lists the number of unique IP addresses associated with a domain, over a period of time.

Nameserver Information provides info specific to each nameserver used by a domain, including reputation and the number of domains it hosts.

The Nameserver Changes section contains data that shows how often a domain has hopped between nameservers.

Curated Feed History allows you to establish the frequency and recency of an observable’s presence within trusted threat feeds.

4. ‘Custom Attributes’

The Custom Attributes section allows you to specify custom scores that reflect an observable’s risk level, relative to your organization or supply chain’s operation and assets.

5. ‘Live Threat Feeds’

This category provides a list of feeds that feature a given domain or IP, including any associated TLP Amber reports. This helps security teams validate the risk level of an observable across the IPv4 and IPv6 space, particularly if it appears within multiple feeds.

6. ‘Scan Data’

Scan Data enrichment pulls intelligence from Silent Push’s passive web content database, including certificates, HTML body and title data, favicon hash values and header information.

You can use this data to perform additional pivots that instantly detect matching infrastructure, and hunt for domains that are attempting to circumvent global certificate standards.

Scan data is an integral part of not only the Enrichment feature, but our entire first-party dataset. The Silent Push Web Scanner uses scan data to return query results across 100+ field names, including header values, body data and favicon hash values, and SSL data.

Data enrichment as operationalized intelligence

While there’s no doubt that data enrichment provides a number of benefits in and of itself, it’s just as important to ensure the enrichment process fits into your existing workflows.

You can use our API and custom query language to integrate any of the above enriched data types with your existing security stack, providing a near-infinite level of context for billions of observable domains and IPs across the IPv4 and IPv6 range.

Similar to Silent Push passive DNS lookups, you can pivot across, share, save and monitor enriched data, all from a single screen.

Register for Silent Push Community Edition

Data enrichment is available as part of Silent Push Community Edition – a free threat hunting and cyber defense tool used by security teams, threat analysts, and researchers that features 100+ data enrichment categories that you can use to track and monitor attacker activity across the global IPv4 and IPv6 space.

Click the button below to sign-up for a free account.

Performing a passive DNS lookup (PADNS) allows security teams to collect, analyze and share historical DNS data. Unlike traditional DNS which actively queries servers to translate domain names into IP addresses, passive DNS stores this information over time, creating a searchable historical record of how domains and IP addresses are associated with each other across the global IP space.

A ‘forward’ passive DNS lookup uses a domain or server name as the input parameter and returns an IP address as the ‘answer’, whereas a ‘reverse’ lookup uses an IP address to return a domain or server address.

Passive DNS lookups are the bread and butter of most threat hunting and cyber defense activities. There are, however, several challenges that security teams need to overcome when dealing with DNS records as pieces of digital infrastructure. These range from an over-reliance on incomplete and outdated datasets, to sorting through mountains of DNS records – particularly within enterprise organizations – to produce actionable intelligence.

Silent Push’s passive DNS lookup functionality allows you to perform a deep dive into enriched intelligence datasets, bolstering your cyber defenses, and uncovering emerging threats before they become a problem using a first-party dataset that’s uniquely designed to create searchable spaces related to specific DNS attack vectors.

Summary

In this blog, we’ll delve into different DNS record types, the role they play in the world of cyber threat intelligence, and how to maximise the Silent Push ‘Explore DNS Data’ feature to generate proactive threat intelligence. We’ll then discuss the outcome-focused tools available to you that make the most out of your organization’s passive DNS lookups, including pivoting on datapoints, monitoring results and more advanced query sets.

Understanding DNS record types

Attackers target different DNS record types using a variety of techniques to silently slip past an organization’s security measures. This makes it all the more important for security teams to diversify their defence mechanisms across multiple record types, encompassing their entire attack surface.

Let’s take a look at a selection of common DNS record types, and how attackers seek to exploit them…

A records

A records map a domain name to an IPv4 address. Passive A record lookups help analysts detail any IP addresses associated with a given domain name, detect changes in DNS activity, and associate domains and IPs with a specific threat campaign.

A records play a central role in the cat and mouse game of cyber attack and defense. Adversaries view A records as low hanging fruit, using them to propagate all manner of assaults on a public DNS presence, from domain hijacking, to typosquatting and email spoofing.

CNAME record

A Canonical Name (CNAME) record acts as an alias for another domain name, in lieu of a subdomain. You can’t use a CNAME record to point directly to an IP address – they’re used to map subdomains (such as www.) to apex domains (silentpush.com).

Attackers often use CNAME records when attempting a subdomain takeover – a DNS hijacking technique that can end up with an adversary obtaining access to an organization’s entire public DNS presence.

MX records

Mail Exchanger (MX) records identify which server is responsible for handling emails for a particular domain. Threat actors exploit MX records when propagating DMARC and email spoofing attacks, which involve an attacker making it appear as though an email has originated from a trusted source, when it’s actually been sent by the threat actor themselves.

Nameserver records

Nameserver (NS) records identify the authoritative DNS servers for a domain. NS records are particularly useful when an analyst wants to identify and monitor changes to registrars, hosts, or organizations associated with a particular domain.

Threat actors create searchable patterns by using the same set of nameservers to carry out attacks. By querying NS records via a passive DNS lookup, security teams are able to ascertain the risk level of a domain name, evaluate the reputation score of the NS associated with it, and view how many times a domain has jumped between different NS.

TXT records

TXT records contain any textual information that the domain owner wants to include, such as email addresses, contact information, or security-related information. By manipulating TXT records associated with specific email authentication protocols such as SPF, DKIM, and DMARC, attackers can make fraudulent emails appear legitimate.

SOA records

Start of Authority (SOA) records provide information about the DNS zone in which a particular domain is located, and hold administrative information about the domain. When a change is made to a DNS zone, the SOA serial number is incremented, indicating that an amendment has occurred.

This allows other DNS servers to detect and propagate the change, ensuring that all DNS information is consistent and up-to-date. Subsequently, security teams are able to detect changes to DNS information that may indicate malicious activity, such as the creation of new subdomains or changes to the IP addresses associated with a domain.

Executing a passive DNS lookup

Silent Push allows you to perform powerful passive DNS lookups across a range of record types. Security teams are able to use the console to establish links between disparate records, uncover attacker infrastructure, and obtain granular information on a given domain or IP.

Passive DNS lookup interface

The ‘Explore Indicator DNS Data’ page allows you to perform forward and reverse PADNS lookups, and execute advanced queries, all within a single screen. 

Forward and reverse lookups are performed on the ‘Explore Indicator DNS Data’ page, available to both Community and Enterprise users, for the following record types:

• A/AAAA
• CNAME
• MX
• NS
• PTR4/6
• SOA

‘Explore’ table

Once you’ve executed a lookup, the Explore table populates results drawn from our first-party database that’s collected, clustered, scored and delivered without third-party intervention.

From here you can monitor and save observables to a feed, perform additional lookups on individual pieces of data, export raw data, obtain risk scores and enrich observables to gather further intelligence across 90+ categories, most of which are unique to Silent Push:

A secondary tab on the Explore screen allows you to view and copy the raw data, either for offline analysis or to facilitate integration with your security stack:

Utilizing results from a passive DNS lookup

Unlike other passive DNS lookup platforms that provide queries in isolation, Silent Push features outcome-focused screens that enable security teams to gather intelligence that can be accessed, saved, and shared in just a few clicks. 

Filtering and searching through results

Filters help you sort data using a range of parameters, including:

• Domain
• IPv4 address
• First seen date (When an observable was first seen in the dataset).
• Last seen date (when an observable was last seen in the dataset).
• DNS record type 

Filters can be accessed at the top of the Explore screen. You can also search through individual columns for specific pieces of data:

Pivoting on passive DNS data

‘Pivoting’ involves performing additional queries on a single piece of data, including forward and reverse lookups, and domain or IP Enrichment queries.

Pivoting allows you to unearth intelligence that reveals the origin, function and risk level of a piece of data across a range of categories and sub-categories.

Clicking on an observable opens a pop-up window, featuring a bank of lookups relevant to the data type:

Monitoring a passive DNS lookup

Once you’ve used a lookup to generate a set of results, you can enable ongoing monitoring that alerts you to changes in the dataset every 24 hours. By automating key queries across a range of internal workflows, security teams can save valuable time and resources, and eliminate repetitive tasks to focus on more pressing matters.

Clicking the ‘Monitor’ button on the top right of the Explore screen lets you assign a monitor to a set of results:

Saving and exporting passive DNS data

Critical to any security operation is the ability to share information amongst team members. You can save any piece of data – or even entire datasets – obtained from a passive DNS lookup either to an existing feed, or to a new feed, using a simple drop-down menu.

Feeds can be shared globally throughout your organization:

Passive DNS data can also be exported in raw format, as a JSON, or as a CSV:

Advanced queries

The ’Explore Queries’ menu features a range of advanced DNS queries that allow you to analyze the historical characteristics of a piece of data, including the relationship it has with other data types, and build a behavioural fingerprint of attacker TTPS, including:

• All domains hosted on specific server.
• All domains hosted on an IP address.
• IPs hosting a domain.
• The IP ‘diversity’ of domain (the number of unique IP addresses associated with a particular domain).
• Any nameserver changes.
• All TXT records associated with a domain.

Register for Silent Push Community Edition

Silent Push passive DNS lookups allow you to explore your organization’s and supply chain’s DNS presence in a more timely, accurate and detailed way, and hunt for malicious infrastructure before it’s weaponized.

Silent Push Community Edition is a free threat hunting and cyber defense tool used by security teams, threat analysts, and researchers that features a range of basic and advanced DNS queries which interrogate the Silent Push database, built from our daily scans of the Internet’s global IP range.

Click the button below to sign-up for a free account.