As the world is struggling to respond to the global COVID-19 pandemic, we want to make sure we’re doing our part. There are a number of ne’er-do-wells that are trying to take advantage of the situation by exploiting people in their time of need, and we applaud the industry for coming together to find ways to thwart their efforts. In addition to collaborating with the COVID-19 Cyber Threat Coalition, we’re proud to announce that we’ve released a new COVID-19 themed CAL Feed to identify newly registered domains (NRDs) that we think are worth looking at.
What’s in the New Feed?
There are a lot of efforts across the community right now to shine a spotlight on this kind of activity. We didn’t want to act as an echo chamber to the valid efforts that are already underway. Worse, we didn’t want to dilute them by adding a lot of noise to the conversation. As with most NRD efforts, there’s a lot of coal to pull out of them hills!
There’s value in handing you a truckload of coal and working together to refine it to find the diamonds. To complement existing efforts we’re taking a stab at giving you a fistful of diamonds, or at least the rocks we consider most likely to yield something of value.
To this end, we’re looking for NRDs that contain COVID-19 themed keywords and variants thereof that have a particular footprint in terms of DNS resolutions. It’s important to remember that there are a lot of legitimate efforts among these NRDs: there is an information need out there and many governments and organizations are mobilizing to get information out there. To find the signal in the noise, we’re using CAL’s analytics to identify resolution patterns that we think make something look interesting.
These analytics are crucial in helping us focus our efforts as a community. We’ve identified nearly 50,000 NRDs from the last 30 days related to COVID-19 or some of its similar topics, such as medications or preventative measures. That’s far too many for analysts to comb through to figure out which ones could have an impact on your organization’s security posture. We’ve pruned the list from thousands a day to about 50 a day to help you focus your efforts.
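To make the two-stage filter described above concrete, here is an added illustration (not CAL’s code or its analytics): candidate NRDs are first matched against COVID-19 themed keywords after normalizing common lookalike variants (hyphens, leet-style digit substitutions), and then reduced to those with a DNS resolution footprint. The keyword list, the sample domains, the resolution data and the footprint rule (“must resolve to at least one A record”) are all constructed assumptions standing in for the unspecified criteria CAL uses.

```python
import re
from typing import Dict, List

# Constructed seed list of COVID-19 themed keywords; CAL's actual list is not public.
KEYWORDS = ["covid", "corona", "pandemic", "quarantine", "vaccine", "sanitizer"]

# Leet-style substitutions commonly used to build lookalike labels (0->o, 1->i, ...).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize_label(domain: str) -> str:
    """Lowercase, drop the TLD, undo leet substitutions and strip separators.

    'C0vid-19-Relief.com' -> 'covidi9relief'
    """
    parts = domain.lower().rstrip(".").split(".")
    label = "".join(parts[:-1]) if len(parts) > 1 else parts[0]
    return re.sub(r"[^a-z0-9]", "", label.translate(LEET))


def matched_keywords(domain: str) -> List[str]:
    """Return the themed keywords found in the normalized label, in KEYWORDS order."""
    label = normalize_label(domain)
    return [k for k in KEYWORDS if k in label]


def triage(nrds: List[str], resolutions: Dict[str, List[str]]) -> List[dict]:
    """Keep NRDs that carry a themed keyword AND have a resolution footprint.

    The footprint rule here (at least one A record) is an assumed stand-in for
    the resolution patterns the CAL analytics look for.
    """
    hits = []
    for domain in nrds:
        keywords = matched_keywords(domain)
        if not keywords:
            continue  # no COVID-19 theme in the label
        a_records = resolutions.get(domain, [])
        if not a_records:
            continue  # registered but not resolving: deprioritized, not dropped
        hits.append({"domain": domain, "keywords": keywords, "a_records": a_records})
    return hits


if __name__ == "__main__":
    # Constructed sample NRD batch and resolution data (documentation-range IPs).
    sample_nrds = ["c0vid-19-relief.com", "quarantine-news.org", "vaccine4all.net", "shop.example.com"]
    sample_resolutions = {"c0vid-19-relief.com": ["198.51.100.7"], "vaccine4all.net": []}
    for hit in triage(sample_nrds, sample_resolutions):
        print(hit)
```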
How do I use it?
If you have a ThreatConnect Dedicated Cloud, or have installed On Premise on your own hardware, you will be able to pull in the CAL COVID19-themed Newly Registered Domains feed from the TC Exchange panel, as seen below. Note that you will need adequate permissions to change these settings:
We’ve already taken care of this within our Public Cloud environment, and made the feed available to all ThreatConnect Public Cloud users, free and paying alike. If you’d like to start using ThreatConnect, you can make a free account to access the data. (We’ve also enabled this feed, along with other CAL Feeds, on a dedicated ThreatConnect instance provided to the COVID-19 Cyber Threat Coalition.)
Once enabled, the data from the feed can be leveraged in a number of ways in ThreatConnect. The most direct way to interact with the indicators in this feed is to use the Browse screen (see Figure 1 above). To see the indicators from this feed in your Browse results, make sure that CAL COVID19-themed Newly Registered Domains is selected under Intelligence Sources in the My Intel Sources selector at the top left of the screen.
You can further refine these results using the available filters at the top of the screen or by constructing ThreatConnect Query Language (TQL) queries in the Advanced Browse screen. To learn more about these features, see our Knowledge Base article on Browse and TQL.
The data from the CAL COVID19-themed Newly Registered Domains feed can also be viewed in ThreatConnect Dashboards by including the Source in the My Intel Sources selector for an entire dashboard or for a specific Dashboard card. Public Cloud users can refer to the existing COVID-19-Related Activity Dashboard, which will include data from this CAL feed.
Finally, our users with orchestration capabilities like Playbooks can operationalize this feed through one of our many integrations.
What if I don’t have time to use it?
As mentioned above, this feed is an effort to provide a set of COVID-19-related infrastructure that is more likely to be actionable. However, if you don’t have the resources or bandwidth to further vet these indicators, rest assured that our Research Team is scrutinizing them to identify and report malicious activity. As always, their findings will be shared with our users, and in the case of any COVID-19 related attacks, these will be made available to all ThreatConnect users in our Common Community, and in the ThreatConnect Intelligence Source for those that subscribe.