How a WHOIS History Database Can Help with Security

Domain name history is a type of data that allows businesses to see changes in the ownership of a given domain name. What that means in practice is that it lets you know who might be the current owner of a website or, at the very least, know who owned it in the past.

This information is important, especially in light of WHOIS record redaction, which was implemented to comply with data privacy regulations. In fact, when records are redacted, all relevant fields of information concerning ownership are masked.

The good news is that WHOIS history enables organizations to derive insights from WHOIS records created before the implementation of privacy redaction in 2018. Domain name history data points about owners include:

  • Registrant name
  • Organization
  • Street address
  • City/State/Country
  • Email address
  • Phone number
  • Other registrant, administrative, and technical contacts’ information

Other data points that can help contextualize ownership include:

  • Date of domain creation
  • Date of last domain update
  • Date when the domain expired or is due to expire
  • Nameservers (current or past)
  • Registrar name

Domain ownership history can be gleaned from Domain Name Stat’s WHOIS History Database. In this post, we discuss three of its use cases relevant to cybersecurity, namely third-party risk evaluation, support for managed security service providers (MSSPs), and data enrichment of cybersecurity products.

Enhance Third-Party Risk Assessment

Third-party risk assessment is a crucial business process, especially for organizations that outsource some business functions. Whether companies deal with vendors, contractors, or subcontractors, it’s vital to assess and monitor the risks these third parties pose. After all, a significant share of recent data breaches involved third parties one way or another.

Historical WHOIS data can help strengthen third-party risk assessment by identifying a domain name’s past associations. Is it or was it owned by someone you would rather not do business with? A domain that has been used in malicious activities in the past is most likely compromised, and dealing with it can be risky as it may tarnish your image.

Consider the domain name gospodar-group[.]com. Current WHOIS records indicate that it is owned by a privacy-protected person or organization in the U.K. A more in-depth investigation that involves checking the domain’s historical WHOIS would reveal that it was previously registered by a certain “I. Yermakov” with an address in Edinburg, Great Britain, from July 2013 to October 2016.

The registrant’s name is similar to one on the Federal Bureau of Investigation (FBI) wanted cybercriminals list. That individual was indicted for allegedly interfering with the 2016 U.S. elections. Associating with a third party connected, even unwillingly, to such a personality in any way could be detrimental to an organization’s brand reputation and security.

Domain history databases, available in a variety of formats, can also be integrated into third-party risk monitoring tools to make them more robust.

Help MSSPs Protect Client Networks

Aside from third-party risk monitoring systems, domain name history databases can also aid MSSPs in threat management. In particular, domain history data points can help improve network security by providing insights into the past nameservers connected to clients’ domains. What’s more, they can also draw associations with domain owners worth watching and find a list of all their connected properties.

The bottom line for MSSPs is to improve clients’ network uptime. And they can do that by looking at cyber events and correlating these with intelligence from various data sources. As such, MSSPs can also use domain ownership history records to make attack forecasts more comprehensive and data-driven using millions of unredacted WHOIS data points.

Enrich Cyber Threat Intelligence Platforms

Raw cyber threat data in itself is useless unless it is processed and turned into useful threat intelligence. One way to give context to threat information, especially on malicious domains, is by looking into historical WHOIS records.

The domain getfond[.]info, for instance, is tagged “malicious” by Trustwave and “suspicious” by Comodo Valkyrie Verdict. It has 18 WHOIS history records after more than 2,000 days of tracking. Current WHOIS records indicate that a privacy protection service provider protects its present owner.

However, the oldest domain history record can be traced back to 15 March 2015, when it was owned by a person named “J. Tom” with the email address ****0981@gmail[.]com. The same registrant can be seen in various domain name history records until 28 January 2018. The email address is also present in the historical WHOIS records of two other domains:

  • webbooting[.]com
  • weboot[.]info

One of these, webbooting[.]com, is also tagged “malicious” by Trustwave. Surfacing such shared-registrant links between a known-bad domain and its siblings is what makes threat intelligence platforms (TIPs) more comprehensive.
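Here is an added Python example, not code from the original post or from Domain Name Stat, of the two lookups described above: listing a domain’s past registrants (the third-party risk check) and pivoting on a shared registrant e-mail to other domains (the getfond[.]info enrichment case). The record layout and all sample records are constructed assumptions; privacy-redacted snapshots are skipped because they carry nothing to pivot on.

```python
"""Pivot on historical WHOIS registrant data to enrich a domain indicator.

Added example, not the post's or Domain Name Stat's code. The record format
(one dict per WHOIS snapshot: domain, registrant e-mail, snapshot date) is an
assumption, and every sample record below is a constructed placeholder.
"""
from collections import defaultdict
from datetime import date

# Constructed sample history (not real WHOIS data): a seed domain whose
# registrant is now privacy-protected, two siblings sharing its old e-mail,
# and one unrelated domain.
HISTORY = [
    {"domain": "seed-bad.example", "email": "reg0981@mail.example", "seen": date(2015, 3, 15)},
    {"domain": "seed-bad.example", "email": "reg0981@mail.example", "seen": date(2018, 1, 28)},
    {"domain": "seed-bad.example", "email": "REDACTED FOR PRIVACY", "seen": date(2019, 6, 1)},
    {"domain": "sibling-a.example", "email": "reg0981@mail.example", "seen": date(2016, 9, 2)},
    {"domain": "sibling-b.example", "email": "Reg0981@mail.example", "seen": date(2017, 4, 11)},
    {"domain": "unrelated.example", "email": "other@mail.example", "seen": date(2017, 4, 11)},
]

# Assumed markers of a privacy-protected contact; real redaction strings vary.
REDACTION_MARKERS = ("REDACTED", "PRIVACY", "PROXY")


def is_redacted(email):
    """A redacted contact carries no identity to pivot on."""
    return not email or any(m in email.upper() for m in REDACTION_MARKERS)


def registrant_timeline(history, domain):
    """Return (email, first_seen, last_seen) for each unredacted past registrant."""
    first, last = {}, {}
    for rec in history:
        if rec["domain"] != domain or is_redacted(rec["email"]):
            continue
        e = rec["email"].lower()  # normalise case before grouping
        first[e] = min(first.get(e, rec["seen"]), rec["seen"])
        last[e] = max(last.get(e, rec["seen"]), rec["seen"])
    return sorted((e, first[e], last[e]) for e in first)


def pivot_related_domains(history, seed):
    """Map each past registrant e-mail of `seed` to other domains it registered."""
    emails = {e for e, _, _ in registrant_timeline(history, seed)}
    related = defaultdict(set)
    for rec in history:
        e = rec["email"].lower()
        if e in emails and rec["domain"] != seed:
            related[e].add(rec["domain"])
    return {e: sorted(d) for e, d in related.items()}
```

Sibling domains returned this way are pivots to review, not verdicts: a shared historical registrant is a lead for an analyst, and each related domain still needs its own reputation check before it is blocked.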

Domain name history can enrich several cybersecurity practices and platforms, as illustrated above. It helps lessen third-party risks when integrated into monitoring systems. Historical WHOIS records can also help MSSPs enhance network security while providing more context to threat information, thus making TIPs more inclusive and reliable.
