DomainTools Iris Investigation Platform combines enterprise-grade domain intelligence and risk scoring with passive DNS. DomainTools has longevity on its side, having been around for approximately 18 years and collecting data on all public domains on the Internet for that entire period. The depth and breadth of that data is the company's big differentiator and cannot easily be duplicated by competitors. The DomainTools database contains approximately 330 million domains, each composed of multiple data points. This is primarily a web product, although API support is offered.
An investigation platform sits on top of up-to-the-minute data in the company’s domain database. Because the database includes expired domain data over an 18-year time period the platform can cross-reference both historical and current data. Robust, enterprise-grade APIs power everything in the platform, allowing it to tag domains and generate data in a more investigative fashion.
A Domain Risk Score estimates the likelihood that a domain is malicious. The score is produced in more than one way. Three machine learning classifiers, trained against known blacklisted domains, try to predict whether a domain looks nefarious early in the lifecycle of a threat, before it has been listed anywhere. Proximity scoring ingests several blacklists daily and scores a domain by its closeness to domains already on those lists. In either case the score is accompanied by the supporting evidence behind it.
An Omni Box lets analysts search domains, IPs, physical addresses, mail servers and the like, and pivot easily from any result. A Search History bar records each search, so analysts can follow the breadcrumb trail and see how they pivoted from one query to the next. Guided pivots flag the attributes of a result that are most likely to lead somewhere noteworthy.
A "Missing" button shows analysts which criteria are already included in a search and which they might add. Other analysts logging in can see the investigation that was performed and step through the path the investigating analyst took. Since the platform is a collaborative tool, this functionality is extremely helpful; it allows analysts to share investigations with a team and save them for the next analyst.
Analysts can grant read-only access to investigations. They can create PDF reports that include the visualization along with all the notes pertaining to an investigation, and apply the desired level of access to each investigation as it is shared.
Instead of simply consulting certificate transparency logs, DomainTools combs all SSL certificates it observes and attempts to ascertain how they are used. This database allows analysts to explore potential relationships between datasets and events, including pivoting from one entry to every other domain presenting the same SSL certificate. Analysts can dig as deeply into the certificates as they wish.
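The two pivot ideas above (pivoting on a shared certificate, and guided pivots that prefer attributes shared by only a few domains) can be illustrated in a few dozen lines. The following is an added example written for this review; it is not DomainTools code and does not use the Iris API. The records are constructed sample data, the certificate fingerprints are placeholders rather than real hashes, and the rule that an attribute shared by at most three other domains is a "guided" pivot is an assumption made for the example, not the product's actual threshold.

```python
from collections import defaultdict

# Constructed sample records (not DomainTools data). Each row carries the
# attributes an analyst might pivot on. The three *-example.* domains are
# meant to look like one actor's infrastructure; the rest is shared hosting.
RECORDS = [
    {"domain": "login-secure-example.com", "ip": "203.0.113.10",
     "ns": "ns1.cheaphost.example", "cert_sha256": "sha256:a1a1a1",
     "registrant_email": "actor@example.net"},
    {"domain": "account-verify-example.net", "ip": "203.0.113.10",
     "ns": "ns1.cheaphost.example", "cert_sha256": "sha256:a1a1a1",
     "registrant_email": "other@example.org"},
    {"domain": "billing-update-example.org", "ip": "198.51.100.7",
     "ns": "ns1.cheaphost.example", "cert_sha256": "sha256:b2b2b2",
     "registrant_email": "actor@example.net"},
    {"domain": "unrelated-blog.example", "ip": "203.0.113.10",
     "ns": "ns1.bighost.example", "cert_sha256": "sha256:c3c3c3"},
    {"domain": "shop1.example", "ip": "203.0.113.10",
     "ns": "ns1.bighost.example", "cert_sha256": "sha256:d4d4d4"},
    {"domain": "shop2.example", "ip": "203.0.113.10",
     "ns": "ns1.bighost.example", "cert_sha256": "sha256:e5e5e5"},
    {"domain": "shop3.example", "ip": "203.0.113.10",
     "ns": "ns1.bighost.example", "cert_sha256": "sha256:f6f6f6"},
    {"domain": "shop4.example", "ip": "203.0.113.10",
     "ns": "ns1.bighost.example", "cert_sha256": "sha256:070707"},
]

PIVOT_FIELDS = ("ip", "ns", "cert_sha256", "registrant_email")
MAX_SHARED = 3  # assumption: a pivot is "guided" if <= 3 other domains share the value


def build_index(records):
    """Invert the records: field -> value -> set of domains carrying that value."""
    index = {f: defaultdict(set) for f in PIVOT_FIELDS}
    for r in records:
        for f in PIVOT_FIELDS:
            v = r.get(f)
            if v:
                index[f][v].add(r["domain"])
    return index


def pivot(index, field, value):
    """Plain pivot: every domain that shares this attribute value (e.g. one cert)."""
    return sorted(index[field].get(value, set()))


def guided_pivots(index, record, max_shared=MAX_SHARED):
    """Attributes of one record worth pivoting on: shared by a few domains, not by
    thousands (a hosting IP or a registrar's default NS would drown the analyst).
    Returned as (field, value, number_of_other_domains), rarest first."""
    out = []
    for f in PIVOT_FIELDS:
        v = record.get(f)
        if not v:
            continue
        others = index[f][v] - {record["domain"]}
        if 0 < len(others) <= max_shared:
            out.append((f, v, len(others)))
    out.sort(key=lambda t: t[2])
    return out


def expand(index, records, seed, max_shared=MAX_SHARED):
    """Breadth-first walk from a seed domain following only guided pivots.
    Returns the discovered cluster and a breadcrumb trail of (from, field, value, to)."""
    by_domain = {r["domain"]: r for r in records}
    seen, frontier, trail = {seed}, [seed], []
    while frontier:
        current = frontier.pop(0)
        for field, value, _count in guided_pivots(index, by_domain[current], max_shared):
            for other in pivot(index, field, value):
                if other not in seen:
                    seen.add(other)
                    frontier.append(other)
                    trail.append((current, field, value, other))
    return sorted(seen), trail


if __name__ == "__main__":
    idx = build_index(RECORDS)
    cluster, steps = expand(idx, RECORDS, "login-secure-example.com")
    for step in steps:
        print("%s --[%s=%s]--> %s" % step)
    print("cluster:", cluster)
```

Starting from login-secure-example.com, the walk follows the shared certificate and the shared registrant email, and stops there: the hosting IP 203.0.113.10 is shared by six other domains and ns1.bighost.example by four, so neither qualifies as a guided pivot and unrelated-blog.example never enters the cluster. Lowering `MAX_SHARED` tightens the cluster; raising it reproduces the classic mistake of pivoting on a shared-hosting IP.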
Starting price is $50,000. Basic, no-cost 8/5 support is included with all enterprise packages. Support is available by phone, email and website; the website includes FAQs and a knowledgebase. Also offered are free, monthly recorded webinars on improving investigations, and user guides for an in-depth review of features and functionality.
Tested by: Tom Weil