Visualizing Domain Registration Relationships by WHOIS Information

Anthony Kasza
Updated — August 3, 2020 • 2 minute read

In the course of investigating suspect domains, a few sources of data are typically considered. The first source that most would think of is VirusTotal, and for good reason. A less commonly used source is WHOIS. We have used WHOIS information previously to observe exploit kit domain life cycles, comparing query volumes to registration dates.
By sampling our domain intelligence, we created a list of malicious domains. Querying a proprietary WHOIS database for those domains produced a list of email addresses, each of which has been used to register at least one malicious domain. Applying a technique often referred to as reverse WHOIS, we then used that list of email addresses to expand the original domain list to every domain registered with one of them. Feeding the labeled domains and email addresses to a semantic network library and then to OpenGraphiti, our soon-to-be open-sourced 3D visualization engine, revealed some interesting relationships.
Groupings of domains that share a registrant contact email address are explored below.
In the graphs, red nodes are known malicious domains (blocklisted by OpenDNS), green nodes are known benign domains (allowlisted by OpenDNS), and white nodes are domains that are on neither list or whose WHOIS record carries no email address.
Some email addresses from our research are associated with a mix of malicious and benign domains:
[image]
Some email addresses were seen to have registered only a few malicious domains. Possible explanations include misclassification of the malicious domain; the domain having been compromised and repurposed maliciously; or the domain having been malicious, then sinkholed, with its registrant contact email updated in the process. It is also possible that the email address used to register the domains was at some point compromised and used to register a domain for malicious purposes:
[image]
Some email addresses registered a balanced mix of allowlisted (green), blocklisted (red), and unclassified (white) domains:
[image]
Some email addresses were observed to have registered one allowlisted domain, a few blocklisted domains, and a large set of unclassified domains:
[image]
Many groups had a majority of domains in our blocklist with a small minority of sibling domains that are unclassified. These groups are interesting because the unclassified domains (white) are highly suspect: they share a registrant contact with domains already known to be malicious:
[image]
The large majority of the groups formed looked like the image below. Notice that some domains are blocklisted and most are unknown. Such a large number of domains, with a mix of alignments, sharing a single registrant contact email address is indicative of a proxy registration service. In these cases the sibling domains are likely unrelated to each other, so the shared contact is not evidence of shared ownership:
[image]
Similar to proxy registration email address groupings, abuse desks are another type of large group, usually composed of roughly half unknown and half blocklisted domains. The lower right point in the graphic below is an abuse desk email address, while the rest of the nodes are domains registered with that WHOIS registrant contact email address. Red nodes are known malicious domains, while white nodes are domains with unknown or benign intent. If a domain's WHOIS contact email address has recently been changed to a registrar's abuse desk, chances are the domain has an outstanding abuse complaint and is under investigation:
[image]
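As an added illustration of the pivot described in this post (not code from the original post or from OpenDNS), the following Python performs the reverse-WHOIS expansion from a seed list of malicious domains and then sorts the resulting registrant groups into the shapes the graphs show: majority-malicious groups whose unlisted siblings become suspects, mixed groups that call for a closer look, and very large groups that point to a proxy registration service or abuse desk and whose siblings should not be treated as related. The WHOIS records, block/allow lists, domain names and the group-size threshold of 20 are constructed assumptions for the example.

```python
"""Reverse-WHOIS pivot and registrant-group triage.

Added example, not OpenDNS/Cisco Umbrella code. The WHOIS records, the
block/allow lists and the size threshold are constructed for illustration;
the post used a proprietary WHOIS database and OpenDNS's own lists.
"""
from collections import defaultdict

# Constructed sample of OpenDNS-style lists.
BLOCKLIST = {
    "kit-one.example", "kit-two.example", "kit-three.example",
    "hacked-shop.example",
    "drop-a.example", "drop-b.example", "drop-c.example",
}
ALLOWLIST = {"shop.example", "blog.example"}

# Constructed stand-in for a WHOIS database: domain -> registrant contact email.
WHOIS = {
    # A registrant whose domains are mostly blocklisted, plus one unlisted sibling.
    "kit-one.example": "kitowner@mail.example",
    "kit-two.example": "kitowner@mail.example",
    "kit-three.example": "kitowner@mail.example",
    "kit-four.example": "kitowner@mail.example",
    # A legitimate registrant with one compromised (blocklisted) domain.
    "shop.example": "owner@biz.example",
    "blog.example": "owner@biz.example",
    "hacked-shop.example": "owner@biz.example",
    # A registrant unrelated to any seed; must not appear after the pivot.
    "unrelated.example": "someone@else.example",
}
# A proxy registration service: many unrelated domains, a few of them malicious.
for i in range(40):
    WHOIS[f"site{i:02d}.example"] = "privacy@proxy-registrar.example"
for d in ("drop-a.example", "drop-b.example", "drop-c.example"):
    WHOIS[d] = "privacy@proxy-registrar.example"


def color(domain, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Node color as in the post: red = blocklisted, green = allowlisted,
    white = on neither list."""
    if domain in blocklist:
        return "red"
    if domain in allowlist:
        return "green"
    return "white"


def reverse_whois(seed_domains, whois):
    """Pivot from seed domains to their registrant emails, then back out to
    every domain registered with one of those emails. Returns {email: set}."""
    emails = {whois[d] for d in seed_domains if d in whois}
    groups = defaultdict(set)
    for domain, email in whois.items():
        if email in emails:
            groups[email].add(domain)
    return dict(groups)


def classify_group(domains, large=20, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Label one registrant's domains with the group shapes described in the post.
    `large` is an assumed threshold; tune it on your own data."""
    n = len(domains)
    red = sum(color(d, blocklist, allowlist) == "red" for d in domains)
    green = sum(color(d, blocklist, allowlist) == "green" for d in domains)
    if n >= large:
        # Many domains of mixed alignment under one contact: a proxy registration
        # service or a registrar abuse desk. The siblings are probably unrelated.
        return "proxy_or_abuse_desk"
    if red > n / 2:
        # Majority blocklisted: the unlisted siblings deserve a close look.
        return "mostly_malicious"
    if red and green:
        # Misclassification, compromise, sinkholing or a stolen registrant email.
        return "mixed"
    return "mostly_unknown"


def suspect_siblings(groups, large=20, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Unclassified (white) domains that share a registrant email with a
    mostly-malicious group. Proxy/abuse-desk groups are skipped on purpose:
    a shared proxy contact says nothing about shared ownership."""
    suspects = set()
    for domains in groups.values():
        if classify_group(domains, large, blocklist, allowlist) == "mostly_malicious":
            suspects.update(d for d in domains
                            if color(d, blocklist, allowlist) == "white")
    return suspects


def edge_list(groups, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """(email, domain, color) triples: the bipartite graph a visualizer would draw."""
    return sorted((email, d, color(d, blocklist, allowlist))
                  for email, domains in groups.items() for d in domains)


if __name__ == "__main__":
    groups = reverse_whois(BLOCKLIST, WHOIS)
    for email, domains in sorted(groups.items()):
        print(f"{email}: {len(domains)} domains -> {classify_group(domains)}")
    print("suspect siblings:", sorted(suspect_siblings(groups)))
```

Run against the constructed data, the pivot pulls in three registrants and leaves the unrelated one out; the kit registrant is labeled mostly malicious and its single unlisted sibling is flagged, the business owner's group is labeled mixed, and the 43-domain proxy group is labeled as a proxy or abuse desk and contributes no suspects. The `edge_list` output is the email-to-domain bipartite graph that a tool such as OpenGraphiti would render, with the post's red/green/white coloring attached to each domain node.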
Though our research into registrant-to-maliciousness relationships has just begun, the initial results look promising enough to keep gathering data and investigating.