Imagine you’re a cyberthreat investigator tasked with protecting the sensitive information of your customers. It’s a typical weekday afternoon when you notice suspicious network activity involving an unfamiliar domain. Something just doesn’t seem right about it, so you want to learn more about the domain before you decide if it is malicious. You want to know who registered the domain, where it was registered and when.
These are all key questions a seasoned cyberthreat investigator would likely ask, and WHOIS is a tool many cybersecurity investigators use, since it provides answers to basic questions about domains. But there could come a day when you submit your request to WHOIS and the answers it responds with are redacted, meaning you get less than a clear picture of the details of the suspicious domain, less information about a potential cybercriminal — and, ultimately, less information to help you do your investigation.
WHOIS data isn’t going away — don’t panic — but there are uncertainties about its future and how it will be impacted by privacy laws, such as the European Union’s General Data Protection Regulation (GDPR).
What Is WHOIS?
WHOIS was created in the early days of the internet to serve as a database of domain owner contact information. The contact information was collected by the domain registrar and made freely available through the WHOIS protocol. The primary reason owner data was collected was for troubleshooting purposes. For example, if you were troubleshooting a connectivity issue with a domain (i.e., a website), you would submit a WHOIS query to look up the contact information for the owner of the domain, then reach out directly to the owner to alert him or her of the issue.
As the internet matured and cybercriminal activity increased, WHOIS quickly became a vital investigative tool for security professionals. The reason for this is simple: As described in the opening paragraph, cyberthreat investigators must quickly triage suspicious domain activity. The triage process involves uncovering details on the domain through WHOIS. Submitting a WHOIS query on a given domain tells the investigator several things to help him or her determine the nature of a given domain.
To help illustrate the value of WHOIS, let’s look at a few key fields returned by a WHOIS query:
- Registrant email
- Registrar name
- Business address
- Phone number
- Name server(s)
- Date created
Each of the WHOIS fields listed above may be protected by existing or forthcoming privacy laws. The data fields listed are also key data points when investigating suspicious domain activity. Through research, an investigator may connect a given field to prior malicious activity.
Let’s take the WHOIS field “registrant email,” for example. While investigating a suspicious domain, an investigator submits a WHOIS query on the domain and identifies the registrant email address. The investigator then pivots off the registrant email address and searches for other domains registered with that email address. If the suspect domain proves to be malicious, it is then reasonable to assume that other domains registered under that email address are also malicious.
This is a powerful capability and is further amplified when you consider bulk access to WHOIS data. Large organizations may obtain bulk access to WHOIS data from various sources. Bulk WHOIS data may be coupled with existing tools and data to automate research and correlation of malicious domains. This expedites detection of new malicious domains and facilitates threat mitigation. This quick example illustrates the power of WHOIS.
The Potential Impact of Privacy Laws
In the case of WHOIS, regional or national data privacy and protection laws have a global impact. Take for example GDPR. At a high level, GDPR was created to better protect the privacy of EU data subjects by tightening controls on the organizations that collect, process or otherwise store personal information of EU data subjects. However, it is important to note that GDPR extends to non-EU organizations if they collect, process or otherwise store the personal data of EU data subjects:
“The GDPR not only applies to organizations located within the EU, but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” — Frequently Asked Questions About the Incoming GDPR
With this example, it’s easy to see how privacy laws in one region or country may collide with efforts to protect the same data for other purposes.
Privacy is important to everyone, and we all understand and appreciate efforts such as GDPR to protect the privacy of individuals. However, as the Internet Corporation for Assigned Names and Numbers (ICANN), registrars and governments debate the future of WHOIS, all should keep in mind the vital role ICANN plays in protecting organizations from cyberthreats and, ultimately, the online privacy of individuals. WHOIS is arguably one of the first tools information security professionals use to triage suspicious domain activity, and any delay in researching suspicious domains provides threat actors additional precious time to carry out attacks.
Members of the information security community are encouraged to keep a close eye on regulations such as GDPR and other efforts to restrict access to WHOIS data. Where possible, voice concerns on this issue and work to establish a dialogue with organizations that influence access to WHOIS data, such as ICANN, local governments and domain registrars. Hopefully, ICANN, governments, domain registrars and the information security community can work together to find a mutually agreeable solution to the issue of WHOIS access and privacy.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
Threat Intelligence Liaison