This article describes the details of the new Open NRD threat intelligence feeds provided by Stamus Networks. To request a no-cost access to these feeds, please visit this webpage and complete the form: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
Our team has created additional resources on this topic:
- BLOG: Threat Hunting for Unknown Actors & Threats using NRD and Sightings
- VIDEO: Webinar using the NRD threat intel - "Network Threat Hunting with Suricata and SELKS"
- Threat Hunting with Suricata and Newly-Registered Domain Threat Intel (Open NRD) Part 1
- Threat Hunting with Suricata and Newly-Registered Domain Threat Intel (Open NRD) Part 2
- Threat Hunting with Suricata and Newly-Registered Domain Threat Intel (Open NRD) Part 3
- Threat Hunting with Suricata and Newly-Registered Domain Threat Intel (Open NRD) Part 4
Background
Every day hundreds of thousands of domains are registered through one of the 2600+ ICANN accredited domain registrars.
Many of these domains are registered to launch a legitimate new website, product, or brand. But many others are registered by criminals or rogue nation-states to create the infrastructure for various attacks.
Typically, new products, websites and brands take time to set up and launch. So it is unlikely that legitimate business and legitimate communications will take place in the first few weeks of a domain’s registration.
Many of these domains are created in bulk by domain generation algorithms (DGA) as temporary ‘burner’ domains which are subsequently used to host malware and command and control access points. Still others are designed to mimic popular brands and are used in phishing attacks.
Security leaders understand this. And many of those at highly targeted organizations such as government institutions, financial services firms, military operations, critical infrastructure operators, universities, manufacturing firms, and high-profile SaaS companies monitor their network for communications with these newly registered domains. Domains that appear on their networks in the first 30 days after registration are generally considered suspect and worthy of investigation.
In early 2023, Stamus Networks introduced a new threat intelligence feed to customers of its commercial solution, Stamus Security Platform (SSP). Because our customers have found this to be extremely valuable in uncovering suspicious activity on their network, we decided to make it available to the open source community - specifically Suricata users - at no cost.
An Example
Often malware and APT groups use a newly registered domain simply because it will take time for threat researchers to discover, analyze, and process them for inclusion in their intel feeds.
In many cases, threat actors use these new domains to do server-side request forgery (SSRF) scanning and probing of organizational defenses to see if their potential victims will reply or resolve the NRD that was created with malicious intent. In this way the attacker is able to verify if the policies for outbound connections and proxy setups are correctly configured. For example, an attacker might perform a scan with a specifically crafted HTTP request that has http://ip.ip.ip.ip with host: malicious.domain[.]com
This tactic can be very successful, as it effectively bypasses most domain based IoC block lists.
What we are Introducing
Enterprise security teams need updated intelligence on these newly registered domains to promptly identify their usage within the organization and prevent potential threats from causing damage. However, security analysts currently lack an efficient method to collect and analyze this information promptly since it is dispersed across many domain registrars worldwide. That’s why we created a streamlined source of this threat intelligence.
Collectively known as the “Open NRD Feeds,” The Stamus Networks threat research team - Stamus Labs - has created 6 open threat intelligence feeds containing newly registered domains.
Stamus Labs runs hourly and daily routines with multiple providers to harvest newly-registered domains (NRD). Using multiple methods and checks, including machine learning, entropy analysis and other algorithms, Stamus Labs creates two major list batches: for domains that were registered within the past 14 days and those registered within the past 30 days.
These lists are updated daily.
Optimized for Suricata
The Open NRD Feeds can benefit any Suricata user, from hobbyists to advanced enterprise security analysts.
This intel feed is optimized for the most recent Suricata versions 6.0.12(+) and 7.0(+). This optimization is made possible by the dataset feature introduced in Suricata 6.0.12.
Any implementation based on these versions of Suricata – commercial, home grown, or packaged open source – can take advantage of the Open NRD intel feed.
Users of SELKS™ - the turnkey open source Suricata implementation developed and maintained by Stamus Networks now includes links to these public feed sources in it’s user interface, the Stamus Community Edition (formerly known as Scirius)
While optimized for use in Suricata-based network security tools, users of other systems may also find this feed useful.
Performance Implications
The Suricata matching feature is incredibly efficient. For example, in live installations, our commercial solution routinely performs real time matching of lists containing over 12 million entries on 40 Gbps+ sensors with negligible performance impact.
How Matching is Performed in Suricata
The matching on any of the NRDs is performed over 3 protocols - DNS/HTTP/TLS.
Domains are used in nearly all communication transactions. Most of us understand that domains appear in DNS queries when a client needs to map a hostname to an IP address. But domains are also used extensively in HTTP and TLS transactions where they appear, for example, in TLS Server Name Indication (SNI) or in HTTP hostnames, or the HTTP referrer, among other things. As you can see, domains can be observed on the network in many transactions.
We use one signature for each protocol transaction type and each list we want Suricata to perform the match on. Suricata performs the matching during DNS, HTTP, or TLS transaction processing using the following Suricata buffers, respectively: DNS query, HTTP hostname, and/or TLS SNI entry.
Below are examples of the detection signatures for the NRD with Entropy list
Signature for DNS Queries:
alert dns $HOME_NET any -> any any (msg:"SN NRD Entropy 30 day range domain"; flow:established,to_server; dns.query; dataset:isset,nrd-entropy-30day,type string,load nrd-entropy-30day,memcap 800mb,hashsize 3000000; classtype:unknown; flowbits:set, stamus.nrd.entropy; sid:3115010; rev:2; metadata:nrd_period 30_days, nrd_key dns.query.rrname, nrd_asset src_ip, stamus_classification nrd_entropy, provider Stamus, created_at 2022_04_29, updated_at 2023_08_16;)
Signature for HTTP Transactions:
alert http $HOME_NET any -> any any (msg:"SN NRD Entropy 30 day range HTTP server hosts"; flow:established,to_server; http.host; dataset:isset,nrd-entropy-30day,type string,load nrd-entropy-30day,memcap 800mb,hashsize 3000000; classtype:unknown; flowbits:set, stamus.nrd.entropy; sid:3115011; rev:2; metadata:nrd_period 30_days, nrd_key http.hostname, nrd_asset src_ip, stamus_classification nrd_entropy, provider Stamus, created_at 2022_04_29, updated_at 2023_08_16;)
Signature for TLS SNI Transactions:
alert tls $HOME_NET any -> any any (msg:"SN NRD Entropy 30 day range TLS SNI servers"; flow:established,to_server; tls.sni; dataset:isset,nrd-entropy-30day,type string,load nrd-entropy-30day,memcap 800mb,hashsize 3000000; classtype:unknown; flowbits:set, stamus.nrd.entropy; sid:3115012; rev:2; metadata:nrd_period 30_days, nrd_key tls.sni, nrd_asset src_ip, stamus_classification nrd_entropy, provider Stamus, created_at 2022_04_29, updated_at 2023_08_16;)
A Powerful Source of Threat Hunting Data
These feeds are not meant to be used as an IoC to trigger an incident response. Instead, they are intended to produce additional pieces of data that can be used as a risk indicator in a threat hunting process or incorporated into an automation to uncover malware and APT groups tools and tactics.
One of the many powerful features of Suricata is that it can create protocol and transaction logs even in the absence of alerts. These logs include flow, anomaly, alert, protocol, and file transaction logs, plus file extraction and packet capture (PCAP).
Here is a full list and details of what those logs and transactions look like.
Keeping in mind the above data produced by Suricata, let’s look at a few simple examples of communications – that, if seen on the network – might raise suspicion or even trigger an incident response (depending on organizational policies or deployment types):
- Production servers doing TLS/HTTP beacoining to a newly registered domain
- Large transfers to and from NRD
- Clear text executable downloaded / transferred from NRD
- SSH/FTP/SMTP communication to and from NRD
- New ssh hash with large flow to or form NRD with Entropy
- Any TLS/DNS/HTTP connections to Entropy or Phishing NRD
- Clear text password exchange to a Phishing NRD
Here are several examples of phishing domains from the Open NRD Phishing list:
login-office365[.] biz
login-office365[.] cloud
login-office365[.] info
microsoftoffice-office365[.] com
Here are several examples of domain names with high entropy from the Open NRD Entropy list:
c0rpr0jectsbusiness274eu[.] blog
zzbqweqwecb-qaswbq-3qg[.] buzz
zzdn09ivrvgmjm[.] top
zxcvbnmnbvcdsrtyjiuytrd8585858585[.] com
zzheeenxuan1007[.] com
zxdjicdc48cc5s56[.] vip
zxcv245qwrt1613[.] monster
zzz45fh9-d5s2v4w98sa[.] xyz
Open and Free
At Stamus Networks we believe in the good that can be achieved by helping the community and others through sharing knowledge and expertise. As such, we are making this threat intelligence feed available to all defenders at no cost.
To request a no-cost access to these feeds, please visit this webpage and complete the form: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
While optimized for use in Suricata-based network security tools, users of other systems may also find this feed useful. The feeds are described below
Stamus Labs runs hourly and daily routines with multiple providers to harvest newly-registered domains (NRD). Using multiple methods and checks, including machine learning, entropy analysis and other algorithms, Stamus Labs creates two major list batches: for domains that were registered within the past 14 days and those registered within the past 30 days.
Each batch is further organized into:
- All NRDs: A complete list of newly-registered domains
- High Entropy NRDs: Newly-registered domains exhibiting high entropy, including those created by domain generation algorithms (DGAs).
- Phishing NRDs: Newly-registered domains that mimic popular domains, highly likely to be used in phishing campaigns
So, this creates a total of 6 suspicious domain sources/lists. Allow me to further explain how we got to six:
The All NRDs list provides hunting information that could be interesting due to the novelty of the domain - if, for example, we have a download from a NRD.
Those 3 main sources each have 2 time range variations - 14 and 30 days. For example, domains with high entropy are organized into 2 lists : a list that contains domains registered in the past 14 days and a list that contains domains registered in the last 30 days.
These are each run through a rigorous QA process and global live traffic sensor testing before we release them.
By subscribing to these threat intelligence feeds, Suricata users will increase their visibility into potential threats and increase the body of evidence available when performing an incident investigation.
Knowing if and when these suspicious domains are being used in your organization’s network communications could indicate a threat actor has infiltrated your network or is actively attempting to do so.
With these feeds installed, Security teams can use Suricata to identify when these domains are being accessed by their organization and quickly determine if they pose a threat.
How to Subscribe to the Open NRD Feed?
Those who wish to access the Open NRD feed must complete a form on the Stamus Networks website which will grant you access to a 1 year unrestricted license. The license key will be delivered to you via email. The license can be renewed at the end of the year - again for no charge. Please visit this webpage and complete the form: https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed
After submitting the form, you will then receive an email from Stamus Labs which will include the license key (secret code).
How to Install the Open NDR Feeds
The following sections explain how to install the Open NRD threat intelligence feeds on a generic Suricata deployment and with SELKS™.
For General Suricata Users:
The instructions below assume you have Suricata installed on the system.
After registering and obtaining the free license, you will receive a “Secret Code” which will be required to access the feeds. You plug in the secret code into the URL to access the Open NRD feeds as follows:
Using the default command line suricata-update tool available with any Suricata installation, the addition and enabling of OpenNRD is very easy and straightforward with the three commands below:
suricata-update add-source StamusOpenNRD-Entropy-30Day https://ti.stamus-networks.io/SECRETCODEHERE/sti-domains-entropy-30.tar.gz
suricata-update update-sources
suricata-update
The example above uses a 30 day Entropy NRD URL.
The full possibilities are as follows.
For the 30 day lists:
https://ti.stamus-networks.io/SECRETCODEHERE/sti-domains-nrd-30.tar.gz
https://ti.stamus-networks.io/SECRETCODEHERE/sti-domains-entropy-30.tar.gz
https://ti.stamus-networks.io/SECRETCODEHERE/sti-domains-phishing-30.tar.gz
For the 14 day lists:
https://ti.stamus-networks.io/SECRETCODEHERE/sti-domains-nrd-14.tar.gz
https://ti.stamus-networks.io/SECRETCODEHERE/sti-domains-entropy-14.tar.gz
https://ti.stamus-networks.io/SECRETCODEHERE/sti-domains-phishing-14.tar.gz
For SELKS™ Users:
For users of SELKS
- Log in to the SELKS management interface
- In the Administration menu click on the “Sources” tab.
- Click on the “Add public sources” link on the left hand side panel
- Select the desired Open feed and click enable
- Enter your license code in the “Secret code” field
- Click the “Submit” button.
To update the ruleset:
- Click on the “Suricata” tab
- Click on “Ruleset actions” on the left hand side panel
- Select all “Actions”
- Click Apply
NOTE: we recommend that you use only one of the time ranges for a given NRD category. That is, if you are running the 30-day range list, there is no need to include the 14-day ones as they are already included in the bigger list.
Where to Get Support
Support for this solution will be provided by the SELKS and Suricata community on the Stamus Networks Discord server: https://discord.gg/e6GQKGS5HN
Additional Information
The following resources can provide additional information
- Blog about the commercial version of this threat intelligence feed, optimized for Stamus Security Platform: https://www.stamus-networks.com/blog/incorporating-newly-registered-domains-into-stamus-security-platform-workflow
- SELKS - the turnkey open-source Suricata implementation developed and maintained by Stamus Networks.https://www.stamus-networks.com/selks
- Stamus Labs webpage, containing links to numerous open source tools and projects maintained by Stamus Networks: https://www.stamus-networks.com/stamus-labs