With the EU General Data Protection Regulation (GDPR) being implemented next week, on 25 May 2018, businesses are scrambling to ensure compliance. Since GDPR will force companies to take a hard look at how they handle data, many security analysts are questioning what will happen to WHOIS. Celebrated for its ability to form connections and break open cyber threat investigations, it is not completely clear whether WHOIS will go away entirely when GDPR is enforced. However, one thing is for sure: it will not remain what it is today.
What is changing?
The concept of losing WHOIS is nothing new. Indeed, ICANN news and registrar changes have recently detailed issues surrounding WHOIS compliance ahead of GDPR. The reason regulators have their sights on WHOIS centres on the changes to what GDPR considers personal or private information. WHOIS, commonly thought of as the phone book of the internet, serves as a registry of personal information for those who have registered domains on the internet – it is available to anyone to query and is widely regarded as a significant privacy leak.
To the many people casually observing WHOIS, it would make sense to remove it from the public, or, at the very least, hide data deemed personal. However, in doing so, these changes make it difficult for cyber threat analysts to differentiate between legitimate, compromised and malicious domains. In addition, without point-of-contact information for a domain owner, it is even more difficult to communicate when a website may be compromised or infringing on a company’s trademarks or brand. This could not only have a potentially detrimental impact on the protection against cybercrime, but companies could also risk a fine for failing to comply with GDPR.
The value of WHOIS
Even assuming WHOIS goes away completely unless – and until – an accredited access model is implemented, not all hope is lost. Fortunately, many security analysts recognise the value in having multiple data sets to aid in threat investigations. In fact, companies should be collecting as much internet data as possible, including data sets beyond WHOIS, such as passive DNS (domain name system), SSL (secure sockets layer) certificates, subdomains, OSINT (open-source intelligence), host pairs, trackers, and more. While these data sets are not a complete substitute for WHOIS, they will often surface more information or connections that would otherwise have gone unnoticed.
Many companies may think that their domain is privacy protected and that their contact details are already hidden – and they would be right. Over the past couple of years, security analysts have seen a rise in the use of privacy protection services which, ultimately, render the analytical content of the WHOIS record less useful, but this is not the norm for all of the tens of thousands of domains being registered every day.
Minimising WHOIS disruption
For companies to minimise WHOIS disruption while still respecting privacy concerns, individual email addresses would need to be hashed using the same cryptographic hash algorithm across databases. The idea is that the registrant email would be hashed uniformly, allowing analysts to pivot off it while still obscuring the personal email address itself.
By hashing all emails, connections can still be made, but a lot of contextual data is often lost. Furthermore, there is no consensus that providing this pivoting mechanism in a public WHOIS directory would be GDPR-compliant, as it may allow connections to be drawn that would identify a person not otherwise identifiable.
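The following is an added illustration, not code from the article or from RiskIQ, of what "the same hash algorithm across databases" has to mean in practice. It assumes two registrars publish records in a constructed format, both normalise the address the same way and both use unkeyed SHA-256; the records and domains are made up for the example.

```python
import hashlib

# Constructed sample records from two registrars (assumed format). The raw
# registrant_email would never be published; it is shown here only so the
# example can compute the digests that the registrars would publish.
REGISTRAR_A = [
    {"domain": "example-shop.test", "registrant_email": "Alice@Example.test"},
    {"domain": "update-portal.test", "registrant_email": "alice@example.test "},
]
REGISTRAR_B = [
    {"domain": "secure-login.test", "registrant_email": "ALICE@example.test"},
    {"domain": "unrelated.test", "registrant_email": "bob@example.test"},
]


def normalise_email(email: str) -> str:
    """Canonicalise before hashing: strip whitespace, lower-case the address.
    Without an agreed normalisation, 'the same hash algorithm' still yields
    different digests for the same person across databases, and the pivot
    silently fails."""
    return email.strip().lower()


def hash_email(email: str) -> str:
    """Uniform, unkeyed SHA-256 of the normalised address (assumed scheme)."""
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()


def publish(records):
    """Replace the personal email with its digest, as a registrar might publish it.
    Note how much context is gone: only the domain and an opaque digest remain."""
    return [
        {"domain": r["domain"], "registrant_hash": hash_email(r["registrant_email"])}
        for r in records
    ]


def build_index(*published_sets):
    """Merge published records from several registrars, keyed by registrant hash."""
    index = {}
    for records in published_sets:
        for r in records:
            index.setdefault(r["registrant_hash"], set()).add(r["domain"])
    return index


def pivot_on_email(index, email):
    """Analyst pivot: hash an email found in an indicator and list sibling domains."""
    return sorted(index.get(hash_email(email), set()))


if __name__ == "__main__":
    idx = build_index(publish(REGISTRAR_A), publish(REGISTRAR_B))
    print(pivot_on_email(idx, "alice@example.test"))
```

The pivot works across both registrars only because normalisation and algorithm agree; the three differently cased and padded spellings collapse to one digest. The same property is the compliance concern the article raises: anyone holding a candidate address can compute the digest and draw the same connections from a public directory, so the hash obscures the address only from those who do not already hold it.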
Doing any work – good or bad – on the internet will result in “signals”, pieces of information generated from performing any action, that can then be used to form analyst connections. Using a process called ‘infrastructure analysis,’ it is possible for anyone to use a starting indicator – such as an IP address – and easily pivot around to discover related entities.
For example, the starting point may be a piece of malware. Within that malware, a security analyst might identify an IP address and an SSL certificate used to encrypt command and control traffic. That SSL certificate might include a domain, for which it was issued, and an IP address, where it was hosted. And finally, maybe that IP address has a different domain connected to it through passive DNS, or the domain has a unique tracking script within the web page it is hosting.
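The chain just described, as an added worked example that is not part of the article and uses none of RiskIQ's data or APIs: constructed passive DNS, SSL certificate and tracker observations are loaded into one graph, and a breadth-first pivot from the certificate found in the malware walks outward, recording which data set produced each link so the analyst can see why two entities are connected. All indicators, fingerprints and tracker identifiers below are placeholders.

```python
from collections import deque

# Constructed observations standing in for three data sets (assumed formats).
PASSIVE_DNS = [  # (domain, IP it resolved to)
    ("c2-beacon.test", "198.51.100.7"),
    ("second-stage.test", "198.51.100.7"),
    ("benign-cdn.test", "203.0.113.9"),
]
SSL_CERTS = [  # (certificate fingerprint placeholder, subject domain, IP serving it)
    ("CERT-FP-0001", "c2-beacon.test", "198.51.100.7"),
]
TRACKERS = [  # (domain, tracking/analytics identifier seen in its pages)
    ("second-stage.test", "TRACKER-ID-4242"),
    ("staging-kit.test", "TRACKER-ID-4242"),
]


def build_graph():
    """Undirected graph. Nodes are (kind, value) pairs; each edge is labelled with
    the data set that justifies it, which is the evidence an analyst reports."""
    g = {}

    def link(a, b, via):
        g.setdefault(a, []).append((b, via))
        g.setdefault(b, []).append((a, via))

    for domain, ip in PASSIVE_DNS:
        link(("domain", domain), ("ip", ip), "passive_dns")
    for fp, domain, ip in SSL_CERTS:
        link(("cert", fp), ("domain", domain), "ssl_subject")
        link(("cert", fp), ("ip", ip), "ssl_host")
    for domain, tracker in TRACKERS:
        link(("domain", domain), ("tracker", tracker), "tracker")
    return g


def pivot(graph, start, max_hops=4):
    """Breadth-first pivot from a starting indicator.
    Returns {node: [(node, via), ...]} giving the shortest evidence path to each
    reachable entity. max_hops bounds the walk: shared infrastructure such as a
    CDN IP or a common analytics ID can otherwise drag in unrelated domains."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) >= max_hops:
            continue
        for neighbour, via in graph.get(node, []):
            if neighbour not in paths:
                paths[neighbour] = paths[node] + [(neighbour, via)]
                queue.append(neighbour)
    return paths


def related_domains(graph, start, max_hops=4):
    """Convenience view: just the domain names reached from the start indicator."""
    return sorted(value for (kind, value) in pivot(graph, start, max_hops) if kind == "domain")


if __name__ == "__main__":
    g = build_graph()
    for node, path in pivot(g, ("cert", "CERT-FP-0001")).items():
        print(node, " <- ".join(f"{n[1]} ({via})" for n, via in reversed(path)) or "(start)")
```

Starting from the certificate, the walk reaches the C2 domain named in the certificate, the hosting IP, a second domain that resolved to the same IP, and a third domain that shares the second one's tracking identifier; the domain on the unrelated IP is never touched. Tightening max_hops to 3 drops the tracker-linked domain, which is the kind of judgement call an analyst makes when deciding how far a shared indicator should carry an investigation.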
Security teams who use more data sets in their investigations know the value of forming chains such as the above, not least because more data ultimately results in more connections, or more supporting evidence for an analyst's hypothesis. If WHOIS continues to go ‘dark’ temporarily – and security analysts agree that it should not go dark completely – security teams would still be in a good position to protect their organisation and accelerate their investigations.
Sourced by Fabian Libeau, EMEA VP at RiskIQ