Having looked at evaluating domain risks, in the first part of this series, DomainTools now explores how predictive risk scoring can empower users to detect malicious intent on a large scale.

To address the risk window between when a domain is created and when it is being used maliciously in the wild, it’s possible to apply automated predictive risk scoring. This enables the user to effortlessly scale domain evaluation. The key objective here is to effectively mimic the actions that human practitioners go through when assessing the risk associated with domains.

Scoring criteria

Scores are attributed to domains using several algorithms. This provides a confidence statement as to whether the domain was created with malicious intent. At DomainTools we take the following factors into account:

  • Domain age: newly created domains are automatically scored as higher-risk. This contribution toward the score shifts more neutral as the domain ages.
  • Domain name: various attributes of the domain’s name itself contribute to the risk score, with factors such as spoofing of terms, entropy and length of the name, use of hyphens, etc.
  • Related infrastructure: the nature of the infrastructure such as hosting IP addresses and authoritative DNS name servers also factor into the scoring. If the domain shares its IP or name server with other domains that are already known to be malicious, then the score for the domain under evaluation is higher.
  • Common registration: similar to infrastructure, registration details in Whois records can often link to other domains, and if those other domains include a high population of items already flagged by well-regarded blocklists, then the domain under evaluation receives a higher risk score.

Likewise, Spamhaus uses similar factors to ascertain a domain’s reputation.

Detecting malicious domains at the source

One of the most important things about this scoring is that many of the attributes that contribute to the score are present as soon as the domain comes into existence. This has important implications for helping organizations get out ahead of emerging campaigns being set up by malicious actors. It provides the earliest warning possible about high-risk domains.

Under the hood of the algorithms

Using algorithms, DomainTools data scientists create profiles of potential threats, based on classifiers that identify domains closely resembling domains previously known to be malicious. Additionally, algorithms can be employed to assess the connections in infrastructure and Whois data between the domain in question and other domains already known to be malicious:

Algorithm 1 – Threat Profile Phishing

This is a classifier trained on corpuses of previously-confirmed phishing domains. A high score from this classifier means that the domain in question shares many characteristics with domains known to have been used for phishing.

Algorithm 2 – Threat Profile Malware

This is a classifier trained on corpuses of previously-confirmed malware domains, such as those tied to command and control servers, exfiltration, etc. Domain generation algorithm (DGA) domains often have high malware scores.

Algorithm 3 – Threat Profile Spam

This is a classifier trained on corpuses of previously-confirmed spam domains. A high score from this classifier means that the domain in question has attributes in common with known spam domains; such a score may be beneficial in configuring rules for spam filtering and email quarantine systems.

Algorithm 4 – Proximity

This provides a score based on the makeup of the population of domains that share datapoints such as infrastructure or Whois details with the domain in question. When a domain has a high Proximity score, this often indicates that the domain is part of a larger, coordinated campaign or that the domain is hosted on infrastructure that is highly populated with known-malicious domains.
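As an added illustration (not DomainTools' or Spamhaus' code), the toy scorer below combines the scoring criteria listed earlier (domain age, name attributes, shared infrastructure) with a Proximity-style measure computed over a constructed population of already-evaluated domains; the weights, the 90-day half-life, the keyword list and the sample data are all assumptions.

```python
import math
from collections import Counter

# Constructed population of already-evaluated domains: name -> (hosting IP, name server, known bad?)
KNOWN = {
    "shop-login-verify.example": ("203.0.113.10", "ns1.badhost.example", True),
    "secure-update-account.example": ("203.0.113.10", "ns1.badhost.example", True),
    "xk3q9zt1pd.example": ("203.0.113.11", "ns1.badhost.example", True),
    "bakery.example": ("198.51.100.5", "ns1.goodhost.example", False),
    "library.example": ("198.51.100.6", "ns1.goodhost.example", False),
}
SPOOFED_TERMS = ("login", "verify", "secure", "account", "update")  # assumed lookalike keywords

def entropy(s):
    """Shannon entropy in bits per character; random-looking (DGA-style) labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def age_factor(age_days):
    """1.0 for a brand-new domain, decaying toward neutral (0.0) with age; 90-day half-life assumed."""
    return 0.5 ** (age_days / 90)

def name_factor(label):
    """Blend spoofed terms, entropy, length and hyphen use into a 0..1 contribution (equal weights assumed)."""
    spoof = sum(t in label for t in SPOOFED_TERMS) / len(SPOOFED_TERMS)
    ent = min(entropy(label) / 4.0, 1.0)       # ~4 bits/char is about the ceiling for short labels
    long_name = min(len(label) / 30, 1.0)
    hyphens = min(label.count("-") / 3, 1.0)
    return (spoof + ent + long_name + hyphens) / 4

def proximity(domain, ip, ns, known=KNOWN):
    """Share of *other* known domains on the same IP or name server that are already flagged."""
    neighbours = [bad for d, (kip, kns, bad) in known.items()
                  if d != domain and (kip == ip or kns == ns)]
    return sum(neighbours) / len(neighbours) if neighbours else 0.0

def risk_score(domain, age_days, ip, ns):
    """Weighted blend (weights assumed) scaled to 0..100, mirroring the factors described above."""
    label = domain.split(".")[0]
    parts = (0.3 * age_factor(age_days), 0.3 * name_factor(label), 0.4 * proximity(domain, ip, ns))
    return round(100 * sum(parts))

if __name__ == "__main__":
    for dom, age, ip, ns in [("shop-login-verify.example", 1, "203.0.113.10", "ns1.badhost.example"),
                             ("bakery.example", 2000, "198.51.100.5", "ns1.goodhost.example")]:
        print(f"{dom:32} risk={risk_score(dom, age, ip, ns)}")
```

A day-old, hyphenated name carrying spoofed terms on a name server shared with flagged domains lands near the top of the scale, while an old, plain name on clean infrastructure stays near the bottom, which is the "earliest warning" behaviour the text describes.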

What about compromised domains?

Even where a domain doesn’t appear to have a score that indicates it’s malicious, it is worth acknowledging that such domains are not always risk-free; if compromised by malicious actors, legitimate domains can certainly pose risk.

Read part three to see how organizations can leverage predictive risk scoring in practice to empower Security Operations Center (SOC) teams.
