UltraThreat Feeds Data Now Available via API
A year ago, Neustar introduced UltraThreat Feeds – an important new source of unique, near real-time threat data. With these DNS-derived insights, IT security teams can now uncover and counter emerging cyberthreats in their earliest stages – and even before they hit. It’s proven so valuable that it was named the Network Security Solution of the Year by Computing Security magazine.
Today, Neustar introduces UltraThreat Feeds API, an important new resource for IT security teams that provides direct, query-based access to the data that underlies these feeds. UltraThreat Feeds API lets you quickly access nearly two years of global DNS traffic data to discover, investigate and counter threats – and even prevent them from compromising your network in the first place.
The data and what it can do for you.
The DNS-derived data accessible through UltraThreat Feeds API comes from Neustar’s global network of DNS service sites, representing billions of daily queries and responses from around the world.
This data captures a significant percentage of Internet traffic – including malicious traffic. And since virtually every action on the Internet leaves ‘tracks’ in this DNS data, it’s an important potential source of actionable information about threats. The challenge is finding the relevant ‘needle’ in an unimaginably enormous haystack.
With UltraThreat Feeds API, the “haystack” is truly vast: a rolling history of global DNS data dating back nearly two years, permitting investigation of threats that have been inactive for long periods. Security professionals can search this data, using an IP address or domain name along with a date range, to zero in on the critical insights they need to investigate possible or actual threats and protect their network assets.
My colleague Arsh Arora recently wrote about investigating TrickBot malware using UltraThreat Feeds API. His account of the actionable insights he uncovered in a very short time is a great example of the value this security resource offers for investigating important security questions and threats, such as:
- Incident response investigations, when it can help you learn more about the activities and status of a domain or IP you’ve linked to the incident, such as when the domain was first and last seen and the number of users that queried it
- Fraud prevention, allowing you to gain insights into the online activities – or lack of activity – of a business or consumer applying for a loan or credit line, or seeking to become a business partner
- Brand protection, ensuring that no malicious domains with a name similar to yours, but with a slight twist in the spelling, have become active – and if so enabling you to capture additional insights such as their hosting IPs and whether they have subdomains
- Threat hunting, allowing you to investigate any domain or IP that you’ve identified as a potential threat, and gain critical insights into its hosting infrastructure, the scope and timing of queries, and the geographic source of queries
- Presumptive domain or IP watch, enabling you to easily keep tabs on activities and status changes involving a domain or IP that you suspect is or could become a source of malicious activity
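To make the incident-response and brand-protection questions above concrete, here is an added example (not the UltraThreat Feeds API itself, whose request format and schema are not described on this page) that runs the same kinds of lookups over a handful of constructed passive-DNS style records: first and last seen, number of querying users and hosting IPs for a domain or IP within a date range, plus an edit-distance check for spelling twists on a brand name. The record shape and all domains, IPs and counts are assumptions chosen for illustration.

```python
from datetime import date

# Constructed passive-DNS style records used only for this illustration; the record shape
# (query_date, queried_name, resolved_ip, querying_users) is an assumption, not the vendor's schema.
RECORDS = [
    (date(2019, 3, 2), "examp1e.com", "203.0.113.7", 12),
    (date(2019, 3, 9), "examp1e.com", "203.0.113.7", 40),
    (date(2019, 6, 1), "mail.examp1e.com", "203.0.113.9", 3),
    (date(2019, 1, 15), "example.com", "198.51.100.5", 900),
    (date(2020, 2, 20), "unrelated.org", "203.0.113.7", 5),
]


def matches(record, indicator):
    """A record matches a domain indicator (apex or any subdomain) or an IP indicator."""
    name, ip = record[1], record[2]
    return name == indicator or name.endswith("." + indicator) or ip == indicator


def lookup(indicator, start, end, records=RECORDS):
    """Summarise activity for a domain or IP within [start, end]: first/last seen,
    total querying users, hosting IPs, and the names observed (subdomains included).
    Returns None when the indicator was not seen in that window."""
    hits = [r for r in records if start <= r[0] <= end and matches(r, indicator)]
    if not hits:
        return None
    return {
        "first_seen": min(r[0] for r in hits),
        "last_seen": max(r[0] for r in hits),
        "users": sum(r[3] for r in hits),
        "hosting_ips": sorted({r[2] for r in hits}),
        "names": sorted({r[1] for r in hits}),
    }


def edit_distance(a, b):
    """Levenshtein distance, used to spot small spelling 'twists' on a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(brand, records=RECORDS, max_dist=1):
    """Brand protection: registrable domains seen in the data that differ from the brand
    by at most max_dist edits (the brand itself is excluded). The apex is taken as the
    last two labels, a simplification that ignores multi-label public suffixes."""
    apexes = {".".join(r[1].split(".")[-2:]) for r in records}
    return sorted(d for d in apexes if 0 < edit_distance(d, brand) <= max_dist)
```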
Two outstanding sources of security insights.
UltraThreat Feeds API doesn’t replace UltraThreat Feeds. They are complementary services. Both utilize the vast Data Lake of Neustar’s global DNS-based data, but they tap this resource to offer different capabilities for security professionals.
UltraThreat Feeds API provides query-based access to the data, allowing security teams to research domains and IPs based on their own threat investigation needs, and according to their own schedule.
UltraThreat Feeds comprise a range of carefully focused data feeds that use AI-driven machine learning to isolate and present relevant data elements from DNS exhaust as well as other proprietary data sources. They provide information that allows security teams to address specific security concerns in near real time, including:
- Possible DNS Tunneling attempts, based on suspicious query and response patterns in DNS traffic
- Malicious domains created by Domain Generation Algorithms (DGAs), including both known and newly created DGAs
- Anonymizing proxies, allowing organizations to identify users who are connecting to their website anonymously (sourced from UltraGeoPoint geolocation data)
- Possible domain hijacks, identified by changes in nameservers or infrastructures for domains worldwide
- Even data that allows you to protect your assets and users during the vulnerable “golden hours” of a phishing or spear-phishing attack
Together, these powerful sources of threat insights give security teams important new tools to secure and protect their digital domain in the never-ending battle against bad actors.
To learn more about how you can incorporate the timely, DNS-derived insights of UltraThreat Feeds API or UltraThreat Feeds into your security framework, contact us or give us a call at 1-855-898-0036 in the US or +44 1784 448444 in the UK.