Using RDAP for Cyberattack Investigations
Cyberattacks are increasingly sophisticated, and one of the critical steps in responding to them is identifying the domains involved in malicious activities. The Registration Data Access Protocol (RDAP) is a powerful tool for investigating suspicious domains and tracking down information related to phishing websites, malware distribution, or other cybercrime activities. RDAP allows security teams to retrieve detailed registration data, which can help identify the source and history of a domain, assisting in investigation and response efforts. This article will explore how to use RDAP to investigate suspicious domains and provide examples of analyzing phishing sites.
How to Find Information About a Suspicious Domain Using RDAP
RDAP provides essential details about domain registration that can be invaluable when investigating cyberattacks. By querying RDAP for information on a suspicious domain, investigators can obtain key data such as the domain's creation date, its registrar, contact information, and its status. This information can be used to track down the parties behind malicious activities, identify patterns, or confirm whether the domain has been involved in previous attacks.
Key Data Points in an RDAP Response
When you perform an RDAP query, the response will include a wealth of information about the domain in question. Key data points to look for when investigating a suspicious domain include:
- Creation Date: The date the domain was registered can provide insights into how long the domain has been active. New domains may indicate recent cyberattack activity, while older domains might be linked to long-running schemes.
- Status: The status field reveals whether the domain is active, expired, or has been locked. If a domain has a "pendingDelete" or "expired" status, it may indicate an attempt to abandon a malicious domain after its purpose is fulfilled.
- Registrar Information: The registrar associated with the domain can offer clues as to who controls the domain. Some registrars may be more commonly associated with malicious domains, and identifying the registrar could help uncover more details about the domain's owner.
- Registrar Abuse Contact: Many registrars have abuse contact details, which can be useful for reporting the domain if it is involved in illegal activities. You can contact the registrar to take down the domain or investigate further.
- Registrant Information: If the domain owner’s details are not hidden by privacy protection, RDAP will provide contact information. This can be helpful in identifying the person or organization behind a suspicious domain.
To begin an investigation, you would query the RDAP server using the domain name. For example, querying rdap.verisign.com for a .com domain might look like:
GET https://rdap.verisign.com/com/v1/domain/suspiciousdomain.com
The response will contain a JSON object with details about the domain. Here is an example of a typical RDAP response:
{
  "objectClassName": "domain",
  "handle": "SUSPICIOUS-DOMAIN",
  "ldhName": "suspiciousdomain.com",
  "status": ["inactive"],
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "2022-05-10T00:00:00Z"
    }
  ],
  "entities": [
    {
      "objectClassName": "entity",
      "handle": "REGISTRAR-XYZ",
      "roles": ["registrar"],
      "vcardArray": [
        "vcard",
        [
          ["fn", "Registrar XYZ"],
          ["email", "[email protected]"]
        ]
      ]
    }
  ]
}
In this example, the domain suspiciousdomain.com was registered on May 10, 2022, and it is currently inactive. The registrar is Registrar XYZ, and they have an abuse contact email, [email protected], which can be used to report any illegal activity associated with this domain.
Example of Analyzing Phishing Sites Using RDAP
Phishing websites are designed to steal sensitive information by impersonating legitimate sites. RDAP can be used to gather information about domains suspected of being used for phishing. By analyzing the registration data of a suspected phishing domain, investigators can uncover details about its creation, status, and ownership, which may help identify the perpetrators behind the attack.
Steps to Analyze a Phishing Domain
To analyze a phishing site using RDAP, follow these steps:
- Step 1: Query the RDAP server for the domain involved in the phishing attack.
- Step 2: Look at the domain's creation date to see if it was recently registered, which could indicate it was set up for a specific phishing campaign.
- Step 3: Check the domain's status. A "pendingDelete" or "expired" status could suggest that the attackers are attempting to abandon the domain after the phishing attempt.
- Step 4: Review the registrar information. Some registrars are more commonly associated with malicious activity, so this could help identify patterns or further investigate the domain's registration.
- Step 5: If available, check the registrant’s contact information. If the details are not hidden, reaching out to the owner or registrar may help in removing the site or identifying the attacker.
Here's an example of an RDAP query for a suspected phishing domain:
GET https://rdap.arin.net/registry/domain/phishingsite.com
The RDAP response might include the following key details:
{
  "objectClassName": "domain",
  "handle": "PHISHING-DOMAIN",
  "ldhName": "phishingsite.com",
  "status": ["active", "locked"],
  "events": [
    {
      "eventAction": "registration",
      "eventDate": "2022-06-15T00:00:00Z"
    }
  ],
  "entities": [
    {
      "objectClassName": "entity",
      "handle": "REGISTRAR-ABC",
      "roles": ["registrar"],
      "vcardArray": [
        "vcard",
        [
          ["fn", "Registrar ABC"],
          ["email", "[email protected]"]
        ]
      ]
    }
  ]
}
In this case, the domain phishingsite.com was registered on June 15, 2022, and is currently active but locked. The registrar is Registrar ABC, and their support contact is [email protected]. If you identify this site as part of a phishing campaign, you can report it to the registrar or take other action to block the site.
Identifying Indicators of Malicious Domains
There are several indicators to look for when investigating suspicious domains that may be involved in phishing or other cyberattacks. Some common red flags include:
- Newly Registered Domains: Phishing domains are often created recently, and investigating the creation date can help you identify such sites quickly.
- Suspicious Registrars: Some registrars may have a history of registering domains used for phishing or malicious activities. If the registrar is unknown or has been flagged for similar activities, it may be worth further investigation.
- Unusual Domain Names: Phishing sites often use domain names that closely resemble legitimate sites but with slight variations (e.g., replacing "o" with "0").
- Locked or Expired Domains: A domain that is locked or has expired may be a sign that the attackers are attempting to abandon the site or prevent it from being taken down.
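As an added example (not part of the article), the following Python carries out the analysis steps above and checks the red-flag indicators over a constructed RDAP response in the shape of the article's examples: it pulls the registration date, status, registrar and abuse contact, and flags new registrations and abandonment or hold statuses. It also includes a TLD-to-server lookup in the layout of IANA's RDAP bootstrap file (RFC 7484), because rdap.arin.net, used in the second query, serves IP address and ASN data rather than .com domain registrations; the 30-day threshold, the sample response and the bootstrap excerpt are assumptions.

```python
from datetime import datetime
# Constructed RDAP domain response in the shape the article shows; not real registry data.
SAMPLE_RDAP = {
    "objectClassName": "domain", "ldhName": "phishingsite.com", "status": ["active", "locked"],
    "events": [{"eventAction": "registration", "eventDate": "2022-06-15T00:00:00Z"}],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["fn", {}, "text", "Registrar ABC"]]],
                  "entities": [{"roles": ["abuse"], "vcardArray": ["vcard", [
                      ["email", {}, "text", "abuse@registrar-abc.example"]]]}]}]}
# Constructed excerpt in the layout of IANA's RDAP bootstrap file (data.iana.org/rdap/dns.json).
SAMPLE_BOOTSTRAP = {"services": [[["com", "net"], ["https://rdap.verisign.com/com/v1/"]]]}
NEW_DOMAIN_DAYS = 30  # assumption: registrations younger than this count as "newly registered"
# Article's abandonment signals plus hold states; spaces dropped so "pending delete" == "pendingDelete"
RISKY_STATUS = {"pendingdelete", "expired", "inactive", "clienthold", "serverhold"}

def rdap_time(value):
    """Parse an RDAP eventDate (RFC 3339, usually with a trailing Z) to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def vcard_field(entity, name):
    """First jCard value for a property; the value is the last element in 2- and 4-element entries."""
    return next((e[-1] for e in entity.get("vcardArray", ["vcard", []])[1] if e[0] == name), None)

def entities_with_role(obj, role):
    """Walk nested RDAP entities (abuse contacts usually sit inside the registrar entity)."""
    for ent in obj.get("entities", []):
        if role in ent.get("roles", []):
            yield ent
        yield from entities_with_role(ent, role)

def bootstrap_url(bootstrap, domain):
    """Authoritative RDAP base URL for the domain's TLD from the RFC 7484 services list."""
    tld = domain.rsplit(".", 1)[-1].lower()
    return next((urls[0] for tlds, urls in bootstrap["services"]
                 if tld in (t.lower() for t in tlds)), None)

def summarize(rdap, now_iso):
    """Extract the article's key data points and flag its red-flag indicators as of now_iso."""
    now = rdap_time(now_iso)
    created = next((rdap_time(e["eventDate"]) for e in rdap.get("events", [])
                    if e.get("eventAction") == "registration"), None)
    registrar = next(entities_with_role(rdap, "registrar"), {})
    abuse = next(entities_with_role(registrar, "abuse"), registrar)  # fall back to registrar's own email
    risky = {s.replace(" ", "").lower() for s in rdap.get("status", [])} & RISKY_STATUS
    flags = ["newly registered"] if created and (now - created).days < NEW_DOMAIN_DAYS else []
    if risky:
        flags.append("abandonment/hold status: " + ", ".join(sorted(risky)))
    return {"domain": rdap["ldhName"], "age_days": (now - created).days if created else None,
            "status": rdap.get("status", []), "registrar": vcard_field(registrar, "fn"),
            "abuse_email": vcard_field(abuse, "email"), "flags": flags}
```

The same functions parse the article's own two-element vCard entries, so either response shown above can be fed to summarize unchanged.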
Using RDAP for Cyberattack Response
RDAP is a valuable tool for investigators and security teams when responding to cyberattacks, particularly those involving phishing, malware distribution, and other online scams. By querying RDAP for suspicious domains, security teams can gather critical information about domain registration, registrar details, and owner contact information (if available). With this information, they can take appropriate action to mitigate the impact of the attack, report malicious domains to the appropriate authorities, and block further access to the harmful sites.