A Template to Document Your DNS Abuse Investigations
Dave Piscitello
Some time ago, Anuj Soni published a post on the SANS blog entitled How to Track Your Malware Analysis Findings. In the post, Anuj asserted that a truly successful malware analysis requires “both a well-crafted process and detailed documentation of the journey through that process”.
This strategy still applies, not only to malware analysis but also to investigations that involve documenting Internet identifier systems: domain names, Internet addresses, and autonomous system numbers (ASNs).
Anuj explained that “meticulous documentation allows you to easily retrace your analysis flow (particularly important if the work supports any litigation), and it facilitates information sharing so others can benefit from your analysis approach and results.”
I prescribed a similar approach in a Thought Paper on Domain Seizures and Takedowns during my time at ICANN.
Anuj created a template to record the details when performing malware analysis of Windows executables. I created a similar template some time ago (linked here for posterity).
I’ve uploaded a new template. The Identifier Systems Investigations Template (ISIT) has sections for:
DNS and domain intel, including domain names of interest, class of abuse, name servers, and zone data of interest;
Domain name registration information (Whois/RDAP registration data);
IP and ASN whois information; and
Reputation data and analysis services for domains, addresses, emails, and hosted or attached malware.
I’ve updated the domain intel and class of abuse sections to more closely align with the data schema that we use at our Cybercrime Information Center. I’ve also updated the list of reputation data and analysis services to reflect what I rely on for our research.
Experienced first responders or investigators may find something in the template that they haven’t already included in their toolkit. This template may be especially helpful if you’re new to investigations involving domain names and addresses.
Like the Pirate Code from Pirates of the Caribbean, my template is more of a guideline than a set of rules. If you are going to use this routinely, I recommend that you consider creating a web form from the PDF, especially if you’re investigating lists of domains and have Whois/RDAP records, DNS records, raw email messages, web page screenshots, and lots of reputation or analysis data. I’ve identified places where you might want to link or upload files of supporting data should you choose to make web forms, but tailor it to your own methodology.
Happy hunting!
Original version posted 12/05/2014 at securityskeptic.com
