Domain threat intelligence

Domain threat intelligence is the collection and analysis of signals from domain registrations, DNS, certificates, and hosting to detect abuse. This guide covers core data sources, enrichment workflows, and how domain threat intelligence supports incident response.


What it is

Domain threat intelligence is intelligence derived from the infrastructure layer of the internet (domain names, DNS records, TLS certificates, web content, and hosting metadata). While broader threat intelligence spans endpoints, malware, and network traffic, domain threat intelligence focuses specifically on how attackers register, configure, and weaponize domains, particularly lookalike domains designed to impersonate legitimate brands.

Core data sources

Several data sources feed into a domain threat intelligence program, each revealing different aspects of attacker behavior.

WHOIS and RDAP records expose registration details, registrant organization, registrar, creation and expiration dates, and name servers. Patterns like bulk registrations through a single registrar or privacy-protected records on newly created domains can indicate coordinated abuse.

Passive DNS provides historical resolution data, including which IPs a domain pointed to over time and which domains shared an IP. This enables infrastructure pivoting, starting from one suspicious domain and discovering related ones.

Certificate Transparency logs record every publicly trusted TLS certificate at issuance. Monitoring CT logs for a protected brand name or common misspellings surfaces lookalike domains within hours of certificate creation.

Web crawling captures the actual content served on a domain: login pages, brand logos, and page structure. Comparing crawled content against legitimate brand properties helps distinguish active phishing from parked or unrelated domains.

Enrichment workflow

Raw domain lists are not intelligence. An effective workflow starts with discovery (permutation generation, CT monitoring, newly registered domain feeds), then enrichment (resolving DNS, pulling WHOIS/RDAP, checking reputation feeds, crawling content), and finally analysis (scoring risk, identifying patterns, attributing to known actors or campaigns).

For example, a newly registered domain like examp1e-login.com might score low on name similarity alone. But enrichment reveals it was registered through a registrar associated with phishing campaigns, resolves to an IP hosting other confirmed phishing sites, and serves a login page visually identical to the legitimate production site. That combination transforms a weak signal into actionable intelligence.
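The scoring step of that workflow, as an added example that is not part of the original guide: name similarity is computed from edit distance, then combined with enrichment signals into one risk score, with non-resolving domains deprioritized. The `Enrichment` fields, weights and sample values are constructed assumptions; a real pipeline would populate them from WHOIS/RDAP, passive DNS and a crawler.

```python
"""Constructed example: combine a weak name-similarity signal with enrichment
signals (registrar, shared hosting, crawled content) into a single risk score.
Weights and all enrichment values below are assumptions, not a real feed."""
from dataclasses import dataclass

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def name_similarity(domain: str, brand: str) -> float:
    """0..1 score: 1.0 if the label contains the brand, else edit-distance based.
    Assumes the first label is the registrable name (e.g. 'examp1e-login.com')."""
    label = domain.lower().split(".")[0]
    if brand in label:
        return 1.0
    return max(0.0, 1 - levenshtein(label, brand) / max(len(label), len(brand)))

@dataclass
class Enrichment:
    """Signals gathered in the enrichment stage (constructed values in this example)."""
    registrar_flagged: bool = False      # registrar seen in prior phishing campaigns (WHOIS/RDAP)
    shared_ip_phishing: int = 0          # confirmed phishing sites on the same IP (passive DNS)
    content_matches_brand: bool = False  # crawled page mimics the brand's login page
    resolves: bool = True                # actively resolving; non-resolving domains rank lower

def risk_score(domain: str, brand: str, e: Enrichment) -> float:
    """Weighted 0..100 score: name similarity alone caps at 40, enrichment adds the rest."""
    score = 40 * name_similarity(domain, brand)
    score += 15 if e.registrar_flagged else 0
    score += min(25, 10 + 5 * e.shared_ip_phishing) if e.shared_ip_phishing else 0
    score += 30 if e.content_matches_brand else 0
    if not e.resolves:
        score *= 0.5  # parked or dead: keep for tracking, but review resolving domains first
    return round(min(score, 100.0), 1)

def triage(candidates: dict, brand: str) -> list:
    """Rank {domain: Enrichment} by risk, highest first, for analyst review."""
    ranked = [(risk_score(d, brand, e), d) for d, e in candidates.items()]
    return [d for _, d in sorted(ranked, reverse=True)]
```

For examp1e-login.com against the brand "example", the name signal alone yields about 18.5, while the enrichment described above (flagged registrar, three confirmed phishing neighbours on the same IP, a cloned login page) lifts it to about 88.5.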

How domain threat intelligence supports incident response

During an active incident, domain threat intelligence provides critical context. Analysts can pivot from a reported phishing URL to related infrastructure: other domains on the same IP, certificates issued to the same entity, or registration patterns suggesting a broader campaign. This accelerates containment by revealing the full scope of the campaign rather than treating each domain in isolation.

For brand protection teams, domain threat intelligence enables proactive domain monitoring, detecting impersonation before customer reports arrive, supporting takedown requests with evidence, and tracking whether a taken-down actor re-emerges on new infrastructure. Tools like Have I Been Squatted automate the discovery and enrichment stages, surfacing high-risk lookalike domains with the context needed to act.

Limitations

Domain threat intelligence depends on the freshness of its data sources. WHOIS rate limits, GDPR-redacted records, and passive DNS coverage gaps all introduce blind spots. Enrichment takes time and resources, so prioritization (focusing on registered and actively resolving domains first) is essential.
