What is Whois Database?
Each year, millions of individuals, businesses, organizations and governments register domain names in the publicly accessible, global domain name system (DNS).
ICANN, the organization responsible for the security and stability of the Internet, enforces a level of trust and transparency by requiring that these entities provide contact information in exchange for listing in the domain name system.
That data is then made publicly available through a network protocol known as Whois, which functions as a kind of White Pages for domain names that anyone on the Internet can consult when they have problems with a domain or the services it hosts.
At least, that was the expectation three decades ago when the Whois database and DNS protocols were conceived. Today, most Internet users are unaware that Whois data is available as a way to protect themselves from malware, fraud, ransomware and other types of nefarious online activities.
They are also unaware that security professionals and cybercrime investigators consider information on domain name registrants vital to their daily efforts to keep Internet users safe and their organizations secure.
Risk assessment and mitigation
This is the ongoing everyday duty of the systems and people tasked with network defense and consumer protection. Since domain names are so fundamental to the operation of the Internet, they factor in nearly every attack, and teams in security operation centers must closely analyze domain name registration data to know if an alert represents a credible threat.
Applied at scale, risk assessment of domain names using registrant data can separate signal from noise and surface otherwise unknown attacks early in their lifecycle.
Why does it matter?
Most Internet users expect their networks to permit uninhibited communication with every domain on the Internet, be it inbound email or outbound web traffic, and they tolerate blocking only reluctantly and in limited scenarios – on their work computer, for example.
Though consistent with the ideals of the Internet and the founding principles of the domain name system itself, this stands in stark contrast to most corporate firewall and physical security policies, which adopt a “default deny” stance where unknown traffic or persons are not permitted until proven trustworthy.
Uninhibited communication creates scenarios where network defenders can assess the risk of a domain name only after it has been active on a network, when emails from the domain have already appeared in inboxes, attachments opened, and links clicked.
This reactive approach, coupled with vast amounts of network traffic and limited security staff, makes it essential that teams deliver informed analytics on a potential threat as quickly and accurately as possible.
Understanding where a security team needs to focus resources, and knowing which alerts should be escalated, can make the difference between stopping an intrusion early and permitting a full-scale breach. The key factor in many cases can be found in Whois data.
How does Whois Database help?
Whois data provides information on the ownership of a domain name, including where it was registered, by whom, and for how long. These factors enable rapid risk assessment by human analysts and drive detection models in security alert systems.
For example, an analyst can quickly check the Whois database record on the source domain for a suspicious email that claims to be “from the CEO” to learn whether the registration patterns are consistent with corporate policies.
An assessment and alerting process that handles thousands of indicators per hour simply cannot be run manually, so the next step is to apply these proven principles at scale.
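The check described above, carried through in code as an added example that is not part of the original article: a sender domain's Whois record is parsed for its creation date, term length and registrant, and compared against the registration pattern the organization expects of itself. It goes a little beyond the single "from the CEO" case by also flagging lookalike labels of the corporate domain. The two Whois records, the corporate domain and registrant name, and the thresholds (30-day age, one-year term) are all constructed or assumed for illustration.

```python
"""Whois-based risk assessment for the sender domain of a suspicious email.

Added example, not code from the original article. The Whois records below
are constructed, and the corporate domain, expected registrant and thresholds
are assumptions chosen for illustration.
"""
import re
from datetime import datetime, timezone

# The organization's own domain and the registrant expected on its legitimate
# registrations (both hypothetical).
CORPORATE_DOMAIN = "example-corp.com"
EXPECTED_REGISTRANT = "Example Corp, Inc."

# Fixed "now" so the assessment is reproducible (assumed date).
ASSESSMENT_TIME = datetime(2024, 5, 20, tzinfo=timezone.utc)

# Constructed Whois records in the common "Key: Value" text layout.
WHOIS_LEGIT = """\
Domain Name: EXAMPLE-CORP.COM
Registrar: Hypothetical Registrar LLC
Creation Date: 2009-03-14T00:00:00Z
Registrar Registration Expiration Date: 2029-03-14T00:00:00Z
Registrant Organization: Example Corp, Inc.
"""

WHOIS_SUSPECT = """\
Domain Name: EXAMPLE-C0RP.COM
Registrar: Another Hypothetical Registrar
Creation Date: 2024-05-02T11:52:07Z
Registrar Registration Expiration Date: 2025-05-02T11:52:07Z
Registrant Organization: REDACTED FOR PRIVACY
"""

FIELDS = {
    "registrar": r"^Registrar:\s*(.+)$",
    "created": r"^Creation Date:\s*(.+)$",
    "expires": r"^Registrar Registration Expiration Date:\s*(.+)$",
    "registrant": r"^Registrant Organization:\s*(.+)$",
}


def parse_whois(text: str) -> dict:
    """Extract the fields the assessment needs from a Whois text record."""
    record = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
        record[key] = m.group(1).strip() if m else None
    for key in ("created", "expires"):
        if record[key]:
            # Whois timestamps are ISO 8601 with a trailing Z meaning UTC.
            record[key] = datetime.fromisoformat(record[key].replace("Z", "+00:00"))
    return record


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, whois_text: str, now: datetime) -> list:
    """Return the risk indicators the Whois record raises for `domain`."""
    rec = parse_whois(whois_text)
    findings = []
    # Legitimate corporate domains are rarely days old.
    if rec["created"] and (now - rec["created"]).days < 30:
        findings.append("newly-registered")
    # A one-year term is the cheapest registration an abuser can buy.
    if rec["created"] and rec["expires"] and (rec["expires"] - rec["created"]).days <= 366:
        findings.append("minimum-term")
    # The registrant should match the organization's own registration policy.
    if rec["registrant"] != EXPECTED_REGISTRANT:
        findings.append("registrant-mismatch")
    # A label within two edits of the corporate label is a likely lookalike.
    label = domain.lower().split(".")[0]
    corp_label = CORPORATE_DOMAIN.split(".")[0]
    if label != corp_label and edit_distance(label, corp_label) <= 2:
        findings.append("lookalike-domain")
    return findings


if __name__ == "__main__":
    for name, text in (("example-corp.com", WHOIS_LEGIT), ("example-c0rp.com", WHOIS_SUSPECT)):
        print(name, assess(name, text, ASSESSMENT_TIME))
```

Since many registrant fields are now redacted for privacy, the registrant check alone fires on a great many legitimate domains; in practice the age and term signals, and the lookalike comparison, carry most of the weight, and the registrant comparison is best treated as corroborating evidence rather than a verdict on its own.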
Top security operation centers in the US defense industrial base and financial sector were some of the first to enrich domain names on their network with Whois data, because it helped them detect new threats early and then efficiently hunt for previously unknown compromises.
Today, organizations around the world, including leading cybersecurity companies and global security operation centers, are building sophisticated technologies and effective machine-learning models that use Whois data to achieve similar outcomes.
“Like other companies, Facebook uses Whois data in conjunction with our security technology and systems to help protect people from a range of abuse, spam, and other risks. For example, we have used Whois data and related DNS infrastructure to identify and take down tech support scams operated by spammers who make fraudulent use of domain names, phone numbers, and websites.” — Facebook