Imagine you’re a cyberthreat investigator tasked with protecting the sensitive information of your customers. It’s a typical weekday afternoon when you notice suspicious network activity involving an unfamiliar domain. Something just doesn’t seem right about it, so you want to learn more about the domain before you decide if it is malicious. You want to know who registered the domain, where it was registered and when.

These are all key questions a seasoned cyberthreat investigator would likely ask, and WHOIS is a tool many cybersecurity investigators use, since it provides answers to basic questions about domains. But there could come a day when you submit your request to WHOIS and the answers it returns are redacted, meaning you get less than a clear picture of the details of the suspicious domain, less information about a potential cybercriminal — and, ultimately, less information to help you do your investigation.

WHOIS data isn’t going away — don’t panic — but there are uncertainties about its future and how it will be impacted by privacy laws, such as the European Union’s General Data Protection Regulation (GDPR).

What Is WHOIS?

WHOIS was created in the early days of the internet to serve as a database of domain owner contact information. The contact information was collected by the domain registrar and made freely available through the WHOIS protocol. The primary reason owner data was collected was for troubleshooting purposes. For example, if you were troubleshooting a connectivity issue with a domain (i.e., a website), you would submit a WHOIS query to look up the contact information for the owner of the domain, then reach out directly to the owner to alert him or her of the issue.

As the internet matured and cybercriminal activity increased, WHOIS quickly became a vital investigative tool for security professionals. The reason for this is simple: As described in the opening paragraph, cyberthreat investigators must quickly triage suspicious domain activity. The triage process involves uncovering details on the domain through WHOIS. Submitting a WHOIS query on a given domain tells the investigator several things to help him or her determine the nature of a given domain.

To help illustrate the value of WHOIS, let’s look at a few key fields returned by a WHOIS query:

  • Registrant email
  • Registrar name
  • Business address
  • Phone number
  • Name server(s)
  • Date created

Each of the WHOIS fields listed above may be protected by existing or forthcoming privacy laws. The data fields listed are also key data points when investigating suspicious domain activity. Through research, an investigator may connect a given field to prior malicious activity.

Let’s take the WHOIS field “registrant email,” for example. While investigating a suspicious domain, an investigator submits a WHOIS query on the domain and identifies the registrant email address. The investigator then pivots off the registrant email address and searches for other domains registered with that email address. If the suspect domain proves to be malicious, it is then reasonable to assume that other domains registered under that email address are also malicious.

This is a powerful capability and is further amplified when you consider bulk access to WHOIS data. Large organizations may obtain bulk access to WHOIS data from various sources. Bulk WHOIS data may be coupled with existing tools and data to automate research and correlation of malicious domains. This expedites detection of new malicious domains and facilitates threat mitigation. This quick example illustrates the power of WHOIS.
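The registrant-email pivot and its bulk-data automation described above, as an added Python example (not code from the original post): it parses constructed WHOIS records, inverts them by a chosen field, and returns the other domains sharing the suspect domain's value, returning nothing to pivot on when the field has been redacted. The domains, e-mail addresses, dates and redaction phrases are constructed for illustration.

```python
from collections import defaultdict

# Constructed raw WHOIS responses keyed by domain (made-up domains, e-mail
# addresses and dates; the .test TLD is reserved and never resolves).
RAW_WHOIS = {
    "suspect-example.test": "Domain Name: suspect-example.test\nCreation Date: 2017-11-02\n"
        "Registrant Email: Owner123@example.test\nName Server: ns1.example-dns.test",
    "second-example.test": "Domain Name: second-example.test\nCreation Date: 2017-11-03\n"
        "Registrant Email: owner123@example.test\nName Server: ns9.other-dns.test",
    "unrelated-example.test": "Domain Name: unrelated-example.test\nCreation Date: 2012-05-20\n"
        "Registrant Email: admin@unrelated.test\nName Server: ns1.example-dns.test",
    "redacted-example.test": "Domain Name: redacted-example.test\nCreation Date: 2018-06-01\n"
        "Registrant Email: REDACTED FOR PRIVACY\nName Server: ns9.other-dns.test",
}

# Phrases registrars commonly substitute for withheld personal data (assumed list).
REDACTED_MARKERS = ("redacted for privacy", "data protected", "not disclosed")


def parse_whois(raw):
    """Parse 'Key: value' lines into {lowercased key: [values]}; repeated keys
    (for example several Name Server lines) accumulate in the list."""
    record = defaultdict(list)
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip().lower()].append(value.strip())
    return dict(record)


def is_redacted(value):
    return any(marker in value.lower() for marker in REDACTED_MARKERS)


def build_index(raw_records, field):
    """Invert the bulk record set: field value -> set of domains carrying it."""
    index = defaultdict(set)
    for domain, raw in raw_records.items():
        for value in parse_whois(raw).get(field, []):
            if not is_redacted(value):
                index[value.lower()].add(domain)
    return index


def pivot(domain, raw_records, field="registrant email"):
    """Return (pivot value, other domains sharing it). A redacted or missing
    field yields (None, set()): the investigator has nothing to pivot on."""
    usable = [v for v in parse_whois(raw_records[domain]).get(field, [])
              if not is_redacted(v)]
    if not usable:
        return None, set()
    related = build_index(raw_records, field)[usable[0].lower()] - {domain}
    return usable[0].lower(), related
```

The same `pivot` call works for any indexed field, so passing `field="name server"` correlates on shared infrastructure when the registrant fields are withheld.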

The Potential Impact of Privacy Laws

In the case of WHOIS, regional or national data privacy and protection laws have a global impact. Take GDPR, for example. At a high level, GDPR was created to better protect the privacy of EU data subjects by tightening controls on the organizations that collect, process or otherwise store personal information of EU data subjects. However, it is important to note that GDPR extends to non-EU organizations if they collect, process or otherwise store the personal data of EU data subjects:

“The GDPR not only applies to organizations located within the EU, but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” — Frequently Asked Questions About the Incoming GDPR

With this example, it’s easy to see how privacy laws in one region or country may collide with efforts to protect the same data for other purposes.

Privacy is important to everyone, and we all understand and appreciate efforts such as GDPR to protect the privacy of individuals. However, as the Internet Corporation for Assigned Names and Numbers (ICANN), registrars and governments debate the future of WHOIS, all should keep in mind the vital role ICANN plays in protecting organizations from cyberthreats and, ultimately, the online privacy of individuals. WHOIS is arguably one of the first tools information security professionals use to triage suspicious domain activity, and any delay in researching suspicious domains provides threat actors additional precious time to carry out attacks.

Members of the information security community are encouraged to keep a close eye on regulations such as GDPR and other efforts to restrict access to WHOIS data. Where possible, voice concerns on this issue and work to establish a dialogue with organizations that influence access to WHOIS data, such as ICANN, local governments and domain registrars. Hopefully, ICANN, governments, domain registrars and the information security community can work together to find a mutually agreeable solution to the issue of WHOIS access and privacy.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
