Why DomainTools swapped selling '.coms' for hunting criminals

DomainTools’ Tim Helming talks about how the company pivoted to focus on security.

Since its inception, the Domain Name System (DNS) was designed to bring some order to the chaos of the web and turn IP addresses into human-friendly URLs. 

But as well as making finding websites easier, it’s extremely useful for helping tell the story of how individual websites came to be. Every site has to be registered, and is always the case with customer data, those databases of names are searchable.

Did you know, for example, Donald Trump has registered over 3,000 websites to do with his name? Or that Taylor Swift routinely buys domains that involve her name and porn? Or that one Pro-Trump fact-checking site was actually registered to a researcher at the Moscow State Institute of International Relations? Just this week Tesla CEO Elson Musk hit the headlines for buying back the X.com domain he once owned before it was bought by PayPal.

All of these were stories discovered thanks to analysing domain registration data, which from domain registry websites such as DomainTools.


Realizing there’s more to your data than ‘WhoIs?’

Today the Seattle, Washington-based company is using its data trove for security purposes. But it didn’t start life that way. Instead, DomainTools was founded back in 2002 as simply a service for buying and selling domain names, and looking up who owned those domains. Little did the company realise, however, that such data can also be used to hunt for, and shut down, cyber criminals.

“Believe it or not there is no central directory of WhoIs records from all the different zones, it doesn't exist,” says Tim Helming, VP/Director of Product Management. “Not even ICANN, amazingly enough. We're the closest thing to it.”

As one of the earlier WhoIs-type services, by 2014 the company had built a substantial horde of data, which as most IT types these days will attest, is the 21st century’s equivalent to oil.

“They kept everything, they never threw any records away, so they started building a historical record of domain ownership. And they started laying the foundations for this security company and products without realising they were doing. “

The company continued happily pursuing this domain buying and selling until it started getting more and more organisations coming to them about security-centric use cases. 

“They were large private sector companies or government organisations, and they were using that WhoIs data and other data that we've been gathering to profile adversaries to understand the infrastructure that was controlled by bad guys,” says Helming.

“If they were private sector they were more interested in defending themselves against the full complement of infrastructure that an adversary might be controlling. If they were government they might be interested in trying to take out those adversaries.”

“But in either case, the data that we've amassing all this time was key to being able to piece together this picture of everything controlled by a given actor/group etc.”


From the world of Top Level Domains to the security domain

As a result of these revelations, in 2014 the company decided to change the entire focus of the company. Instead of simply buying and selling domains and having a domain lookup service which some companies used for security purposes, DomainTools became a security intelligence company based around identifying bad domains, infrastructure, and the actors behind them.

“The company started looking for folks that had backgrounds in security to look at what the possibilities were in the data, and start to apply that and reinvent the company. We had to make that case to the investors, because this was not part of their comfort zone, or anything like that.”

From start to finish, the transformation took about a year. The company’s first security product, Iris, was launched in 2015.

“Iris; from concept to release was probably 18 months, and we had built a lot of the underpinnings for it ahead of time. The fundamentals of how the process works - whether you are looking for a domain owner for above board purposes or you're looking for a bad guy - are quite similar. But the UX, we had to build entirely from scratch.”

“There was already some in-house expertise: I had a security background, and our VP of R&D had done some of the early work on Spam Blacklists. I spent a ton of time interviewing folks that were security people to understand their workflows, use cases, and whatnot, so that we could build something that worked well.”

“The great thing about being a relatively small company is we were able to quite nimble, quite agile, and do that.”

Isis essentially mines the domain registration information and maps it so you can see how interconnected domains actually are. For example, if you discover a breach and see that data is leaking to a certain domain, once that’s blocked, you can use the tool to see if there are other domains closely associated with that domain, its registrar, IP address etc., enabling you to go back through your history and see if those domains have any fingerprints within your systems.

“It follows that if you have domains that have been blacklisted then there are going to be other ones that are closely associated to that but may not yet have been blacklisted but that are in fact in the hands of bad guys.”

“A lot of companies, especially larger organisations, get targeted attention from attackers who spin up new infrastructure just for that company, which means that it never makes it onto a blacklist, because it's not been reported by anybody else. We are able to apply scores to every domain as soon as it comes into existence, before its fired a shot.”


The art of the pivot

When the company started recognising the value of the security use case, DomainTools was only around 20 people. The company has since tripled its workforce to 60 people. But unlike most company going through growth and change, DomainTool’s eschewed the traditional “move fast and break things” startup mindset.

“One of the strengths of our CEO [Timothy Chen] is he's very thoughtful and deliberate about how we take on the changes that we've gone through. It's not just hell for leather, let's grow as fast as we conceivably can. It's let's grow as smart as we can. He wants to move fast but not too fast.”

“It was like a cross-fade on an audio board; we were fading up the enterprise business, fading down the retail business, so we did that in a very deliberate way.”

Helming says that the fact the company was both profitable and had no VC funding was a boon for the company’s transformation.

“A lot of the move “fast and break stuff” pressure is because the runway is going to run out for your funding - you're burning cash. I've been there where it's like 'Ok, this is our burn down rate and we've got to make the streams cross in such and such time' and the last company I was at before DomainTools didn't get there, like most startups.”

“It's been huge not to have to see that cliff coming at us. That reduced a lot of the pressure.”


Phishy business

The company’s most recent product, PhishEye, was launched at the end of last year to combat the growing number of fake websites being used to scam users and harvest data in phishing campaigns.

“What FishEye does is take a term - which pretty typically is a product or company name - and generate a bunch of variants of it in terms of typos as well as appended words like 'login-' and then go out and find all the domains that match those, and tell you about that, but more importantly, let you monitor it going forward.”

It’s possible to create thousands of variants of any given company’s site, whether changing from .com to a more local variant, adding a related word such as “software”, “services”, or “login”, or even substituting letters for similar looking ones ( a ‘п’ in place of ‘n’ for example). Once you’ve got the domain, it’s usually fairly easy to create a similar-looking site to the company you’re targeting.

The use of fake websites is growing. The Anti-Phishing Working Group (APWG) identified just under 200,000 domain names used for phishing in 2016, higher than the previous four years. Over 300 fake domains were found to be spoofing just five UK banks in a four-day period earlier this year.

“If somebody registers a domain that's variant or typo of your company or somebody that's in your close ecosystem that matters to you, we flag it and tell you about it, so you can take action.”

Also read:
Savvius goes from Packet Capture to Cyber Forensics in one move
Lookout keeps eye on B2C after pivot to enterprise infosec
Phishing attacks using internationalized domains are hard to block