Tracking Seized Domains: Checking Your Environment for Harmful Domain IOCs
Background: It’s no secret that international law enforcement agencies periodically seize domains linked to cyber threats, criminal activities, and other harmful purposes. Every cybersecurity specialist, in addition to implementing defense-in-depth mechanisms, should stay updated with recommendations and notifications issued by law enforcement agencies. However, given the vast volume of information available today, it’s possible to overlook critical updates. To stay aligned with law enforcement notifications, we need to adopt more proactive and creative approaches.
Mechanisms at work in the seizure process: As expected, when law enforcement agencies seize a domain, they typically change its nameserver records. Knowing this, monitoring such changes with a threat intelligence platform becomes a relatively straightforward task. However, to track these changes effectively, you also need to know the specific nameserver addresses commonly used by law enforcement agencies.

Method to track and not miss any official statement: Of course, you can subscribe to updates from organizations like CISA, the FBI's IC3, the Dutch Police, and other international bodies actively combating organized cybercrime in the digital environment. However, as mentioned, it's equally important to implement your own solution, leveraging metrics and records available on the internet.
To resolve this challenge I will use:
- A threat intelligence platform to retrieve the domains associated with a nameserver
- Python
- Publicly known law enforcement nameserver addresses
In this example, I am utilizing the OTX (Open Threat Exchange) platform API from AlienVault for threat intelligence capabilities. The nameserver being used is ns.lawenfoircementbodyname.seized.gov, which belongs to a law enforcement authority.

In the core of the request, I specify the law enforcement nameserver address and make a call to retrieve all the domains previously assigned to that nameserver. Right after that, I filter the results down to those whose first-seen timestamp falls within roughly the last 20 days.
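The lookup and the 20-day filter described above, as an added example rather than the author's script: the OTX passive DNS endpoint path and the `X-OTX-API-KEY` header are assumed from the OTX v1 API, the nameserver is the article's placeholder, and the sample records are constructed to mirror the shape of an OTX `passive_dns` response.

```python
import json
import urllib.request
from datetime import datetime, timedelta

# Endpoint path and header name assumed from the OTX v1 API (not taken from the article).
OTX_PASSIVE_DNS = "https://otx.alienvault.com/api/v1/indicators/hostname/{}/passive_dns"
# Placeholder nameserver from the article; replace with a real law enforcement NS.
LE_NAMESERVER = "ns.lawenfoircementbodyname.seized.gov"

def fetch_passive_dns(nameserver, api_key):
    """Live lookup: return the OTX passive_dns records that point at the nameserver."""
    req = urllib.request.Request(OTX_PASSIVE_DNS.format(nameserver),
                                 headers={"X-OTX-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("passive_dns", [])

def parse_first_seen(value):
    """OTX 'first' values look like 2024-05-01T10:15:00; tolerate a trailing 'Z' or junk."""
    try:
        return datetime.fromisoformat(str(value).rstrip("Z"))
    except ValueError:
        return None

def recently_seized(records, now, max_age_days=20):
    """Hostnames first observed on the seizure NS within the window, newest first."""
    cutoff = now - timedelta(days=max_age_days)
    hits = {}
    for rec in records:
        first = parse_first_seen(rec.get("first"))
        if first is None or first < cutoff:
            continue  # too old, or unparsable: not a fresh seizure signal
        name = rec.get("hostname", "").lower().rstrip(".")
        if name and (name not in hits or first > hits[name]):
            hits[name] = first  # keep the latest first-seen per domain
    return sorted(hits, key=lambda h: hits[h], reverse=True)

# Constructed sample records shaped like OTX passive_dns output (not real data).
SAMPLE_RECORDS = [
    {"hostname": "fresh-shop.example", "first": "2024-06-10T08:00:00", "record_type": "NS"},
    {"hostname": "old-market.example", "first": "2024-01-02T00:00:00", "record_type": "NS"},
    {"hostname": "Fresh-Shop.example.", "first": "2024-06-12T09:30:00", "record_type": "NS"},
    {"hostname": "other-forum.example", "first": "2024-05-28T12:00:00Z", "record_type": "NS"},
    {"hostname": "broken.example", "first": None, "record_type": "NS"},
]

if __name__ == "__main__":
    for host in recently_seized(SAMPLE_RECORDS, datetime(2024, 6, 15)):
        print(host)
```

To run it against live data, replace `SAMPLE_RECORDS` with `fetch_passive_dns(LE_NAMESERVER, api_key)` and pass `datetime.utcnow()` as `now`.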

Conclusion: Using this method, the chances are higher that you will receive notifications earlier and won't miss any important updates. Based on these notifications, you can perform all the necessary validations using the official IOCs, which will be provided once the official statement is available. For your convenience, I have shared the script example described in this article.
Stay Saf3 ! Jok3R !
