By mapping the current and historical activity of domains and IPs, Core’s Passive DNS (PDNS) provides Incident Response, Fraud, and Security Operation Center teams the richest source of contextual, factual DNS activity data to investigate, mitigate, and protect against cyber threats. Core’s PDNS database is the industry’s largest, mapping 93 billion domains to IPs with trillions of DNS queries observed monthly from millions of devices. Armed with facts on the activity of the Internet, security professionals can:
- Identify when a domain or IP has become malicious
- Correlate with threat intelligence to provide context to a security event
- Enumerate fast flux C&C infrastructure
- Classify entire IP blocks to be treated as malicious
- Track threat actors as they change their infrastructure
- Spot patterns in operators / actors using shared infrastructure and hosting
- Estimate volumes of victims, rate of growth, and if a domain is still active C&C
- Discover specific malicious activity, especially for malicious use of dynamic DNS providers’ infrastructure
- Investigate fraudulent use of corporate branding
PDNS Empowers Your Team By:
Making Threat Intelligence Actionable
You’ve just learned PIGLYEUTQQ.COM is a TeslaCrypt domain. Core’s PDNS reveals all the IPs the domain has ever resided on:
- 37.123.101.74
- 46.246.126.108
- ....
- 91.196.50.241
Core’s PDNS then shows you the related domains that have pointed to those IPs. You immediately identify more domains to block along with context on the actor’s network infrastructure.
- HELLOMENQQ.SU
- HELLOWOMENQQ.SU
- ITSYOURTIMEQQ.SU
- ....
- HELLOWORLDQQQ.COM
Enhancing Forensic Discovery
You are investigating an incident where a device is potentially compromised. The device’s communications are reaching out to the domain amouc.com. Core’s PDNS shows:
- amouc.com has only had activity on it for two days
- global query volumes are close to the amount of your local activity
You immediately know this is a new domain, potentially targeted specifically at you. Further investigation reveals that customer data is being exfiltrated using a form of DNS exfiltration. Core’s PDNS provides you the context needed to respond quickly.
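The two investigations above, pivoting a known-bad domain through its historical IPs to co-hosted domains and triaging a domain on its age and on global versus local query volume, as an added Python example; this is not Core's code and does not use its API, and the observations, the "now" date and the thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed passive DNS observations (sample data, not Core's database or API).
# One observation window per (domain, ip) pair is assumed.
@dataclass(frozen=True)
class Obs:
    domain: str
    ip: str
    first_seen: date
    last_seen: date
    queries: int  # global query count observed for this pair

SAMPLE = [
    Obs("piglyeutqq.com", "37.123.101.74", date(2016, 2, 1), date(2016, 2, 20), 12000),
    Obs("piglyeutqq.com", "46.246.126.108", date(2016, 2, 21), date(2016, 3, 2), 8000),
    Obs("hellomenqq.su", "37.123.101.74", date(2016, 2, 3), date(2016, 2, 19), 5000),
    Obs("helloworldqqq.com", "46.246.126.108", date(2016, 2, 22), date(2016, 3, 1), 3000),
    Obs("oldshop.example", "37.123.101.74", date(2014, 1, 1), date(2015, 6, 30), 700000),
    Obs("amouc.com", "203.0.113.9", date(2016, 3, 1), date(2016, 3, 2), 41),
]
TODAY = date(2016, 3, 2)  # constructed "now" for the age calculation

def pivot(domain, records):
    """Domain -> IPs it has resolved to -> other domains seen on those IPs.
    A related domain counts only if its window on the IP overlaps the target's
    window there, so a previous tenant of a reassigned IP is not swept in."""
    target = {r.ip: (r.first_seen, r.last_seen) for r in records if r.domain == domain}
    related = {}
    for r in records:
        if r.domain == domain or r.ip not in target:
            continue
        t_first, t_last = target[r.ip]
        if r.first_seen <= t_last and r.last_seen >= t_first:
            related.setdefault(r.domain, set()).add(r.ip)
    return set(target), related

def triage(domain, records, local_queries, today=TODAY, max_age_days=7, min_share=0.5):
    """Flag a domain as likely targeted when it is new and most of the global query
    volume is your own (the amouc.com pattern). Thresholds are illustrative."""
    recs = [r for r in records if r.domain == domain]
    if not recs:
        return {"known": False}
    age = (today - min(r.first_seen for r in recs)).days
    global_q = sum(r.queries for r in recs)
    share = local_queries / global_q if global_q else 1.0
    return {"known": True, "age_days": age, "global_queries": global_q,
            "local_share": round(share, 2),
            "likely_targeted": age <= max_age_days and share >= min_share}
```

Against the sample, `pivot("piglyeutqq.com", SAMPLE)` returns both IPs and only the two domains that were co-hosted while the target was live, and `triage("amouc.com", SAMPLE, 30)` flags the one-day-old domain whose global volume is mostly your own.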
Providing Visibility Into Fraudulent Use of Brand
Your company is ACME Inc. You already receive reports from brand protection firms for anyone creating 2LD domain names like MYACME.COM, but you have limited visibility into other abuse. Core’s PDNS allows you to uncover abuse in subdomain activity such as:
- acme.myweb.com
- acme.email.com
Armed with knowledge of the abuse, activity metrics for the fraudulent site, and the duration of the activity, you can promptly take action to have the domain taken down.
How Core PDNS is Delivered
Core’s PDNS System is a dynamically available hosted service with no deployment costs. Core’s PDNS can be accessed via:
- RESTful API: A RESTful API license key provides an automated query interface. The RESTful API is fully documented and constructed for simple interaction.
- Web Console: A web console interface is provided as a seat-licensed query interface. The web console provides analysts with straightforward answers to their investigative questions.
- Admin Console: Both the RESTful API and Web Console are administered through a hosted Admin Console to assign and manage your license keys and account usage.
Core’s Passive DNS system is sold as an annual subscription with pricing of the API License based on query volume and the Web Console Seat License based on number of seats. Contact us to learn more.