March 27, 2020
Roberto Sanchez

Leverage ThreatStream and DomainTools COVID-19 Threat List

<h2>Deliver COVID-19 Intelligence to Your Security Controls</h2><p>Malicious actors continue to leverage the global Coronavirus (COVID-19) pandemic to register phishing and malware domains to lure unsuspecting users into disclosing their credentials or downloading and executing malware onto their systems. Anomali and <a href="" target="_blank">our partner ecosystem</a> have publicly released data and information to identify, monitor, and respond to the latest threats to thwart malicious Coronavirus (COVID-19) themed activity from impacting customer’s information systems and networks. In this latest blog, we detail how to collect the new and rich data source offered by Anomali partner <a href="" target="_blank">DomainTools</a> and how to operationalize this data within <a href="" target="_blank">ThreatStream</a>, the industry-leading Threat Intelligence Platform (TIP).</p><p><strong>Details</strong></p><p>On March 23, 2020, Anomali partner DomainTools released a free <a href="" target="_blank">COVID-19 Threat List</a>.  In the list, users can find Coronavirus (COVID-19) malicious domain name permutations covering more than 60 relevant keywords such as Covid, c0vid, c0v1d, Corona, carona, and corrona. Moreover, the threat list filters out any domains below a <a href="" target="_blank">Domain Risk Score</a> of 70. According to DomainTools, the Domain Risk Score is a proprietary machine-learning classifier to analyze the intrinsic properties of a domain, identifying patterns consistent with malware, phishing, spam, or neutral domains.<br/> MITRE Pre-ATT&amp;CK Techniques: <a href="" target="_blank">Buy domain name (T1328)</a> | <a href="" target="_blank">Spearphishing for Information (T1397)</a><br/> MITRE Enterprise ATT&amp;CK Techniques: <a href="" target="_blank">Spearphishing Attachment (T1193)</a> | <a href="" target="_blank">Spearphishing Link (T1192)</a></p><p><img alt="" src=""/></p><p style="text-align: center;"><strong>Figure 1. Free COVID-19 Threat List - Domain Risk Assessments for Coronavirus Threats (Source: <a href="" target="_blank">DomainTools</a>)</strong></p><p><br/> <strong>How Anomali Customers Leverage the COVID-19 Threat List</strong></p><p>The Anomali Threat Research team has curated the COVID-19 Threat List and imported the close to 65,000 suspicious and malicious domains into <a href="" target="_blank">ThreatStream</a> to help customers protect and defend their organizations. Anomali empowers our customers to operationalize and take action on this data in multiple ways such as:</p><ul><li>Identify attack trends, map out the adversary’s infrastructure, and discover tactics, techniques, and procedures employed by adversaries using the <a href="" target="_blank">Investigations Workbench</a> and <a href="" target="_blank">Enrichments</a> within <a href="" target="_blank">ThreatStream</a></li><li>Automate threat intelligence ingestion and deployment to downstream security systems via <a href="" target="_blank">Integrator</a> to proactively block access to high-risk COVID-19 themed domains at their organization’s defensive technologies</li><li>Correlate high-risk COVID-19 themed domains against internal event logs using <a href="" target="_blank">Anomali Match</a> to identify current and historical sightings indicative of a compromised host or network</li><li>Ingest the domains into their Security Information and Event Management (SIEM) instances such as <a href="" target="_blank">Splunk</a> to automatically scan events against the observables associated to the Coronavirus (COVID-19) Cyber Threats Threat Bulletin</li><li>Use <a href="" target="_blank">Trusted Circles</a> as a mechanism for real-time threat intelligence sharing and collaboration with industry peers and sharing groups to maintain situational awareness and establish community-based protections on a specific Campaign, adversary, or Incident  </li><li>Use <a href="" target="_blank">Anomali Lens</a> to determine if there are any observables in the aforementioned article (and others during their research) that are relevant to their environment by scanning the page and seeing if there are any Matches</li></ul><p>Of note, this Threat Bulletin was announced on <a href="" target="_blank">March 24, 2020</a> and provides our customers with a steady stream of new, actionable intelligence.</p><p><img alt="" src=""/></p><p style="text-align: center;"><strong>Figure 2. ThreatStream Observables Search page filtered on DomainTools - COVID-19 Threat List</strong></p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.