Stamus Networks has announced the availability of free threat intelligence feeds for newly-registered domains (NRD) that empower Suricata users with increased visibility into potential threats and enhanced data when investigating incidents. Announced at the Hack.Lu conference in Luxembourg – an annual event focused on computer security, cryptography, privacy and hacking – Suricata users can subscribe to the feeds for free. This is the latest example of Stamus Networks’ rich history of developing and supporting open source technologies including SELKS and the lateral movement ruleset for Suricata.
Every day, hundreds of thousands of new domains are registered. While many support legitimate new websites, brands or products, others are set up by criminals or rogue nation states working to create the infrastructure needed to host malware and command and control access points. Highly-targeted organizations, including government institutions, financial services firms, military operations, critical infrastructure operators and more, monitor their network for communications with these newly-registered domains as a key part of their cyber defenses.
However, security analysts currently lack an efficient method to collect and analyze this information since it is dispersed across more than 2,400 domain registrars worldwide. Stamus Labs, the company’s dedicated threat research team, has created six threat intelligence feeds optimized for Suricata that aggregate and consolidate newly-registered domains and are known as the “Open NRD Feeds.” Updated daily, this streamlined source of threat intelligence includes several lists:
- All newly registered domains: a complete list of all domains that have been registered during the previous 14 or 30 days along with the custom Suricata rule used to enable the list.
- Newly registered high-entropy domains: a list of domains that have been registered during the previous 14 or 30 days which exhibit high entropy or randomness along with the custom Suricata rule used to enable the list.
- Newly registered phishing domains: a list of domains that have been registered during the previous 14 or 30 days which are designed to mimic the most popular domains. This feed also includes the custom Suricata rule used to enable the list.
“Newly-registered domains are a key launching point for malware and other cyber attacks, but the sheer volume of new domains created each day, spread across thousands of domain registrars, make it overwhelming for security teams to properly track and analyze,” said Peter Manev, chief strategy officer of Stamus Networks. “Supporting defenders is one of our core principles, and by contributing to the open source community through these free tools, we believe we can help more defenders stop attacks in their tracks.”
