When individuals, companies, organizations, and governments register a domain, they are required to provide information to a domain registration company, called a registrar. This information usually includes their name, address, email address, phone number, administrative contact details (who has legal power and usually also who pays the bills), and technical contact details (who runs the infrastructure).[1] Until very recently, all this information was publicly available through the online lookup service WHOIS.
In essence, WHOIS is both a protocol and a service that registrars are required to provide by the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is primarily responsible for coordinating the distribution of unique names and addresses on the internet. ICANN undersigns the registrars’ lists of unique domain names and gives them legitimacy as well as enforces general standards applicable to all domain name systems.
WHOIS & security research
WHOIS has long been a common tool for security professionals researching threat groups, cyberespionage and other criminal actors.[2] This is true for security experts at DCSO too. WHOIS data can be vital in determining whether there is a connection between older and newer attacker infrastructure. The registration details used, such as names, can reveal strategy, victims, and other connections that are hard to grasp without this information. WHOIS helps draw a picture of how the different networks used to stage, distribute, and launch attacks against a range of targets are interconnected.
However, it is important to note that the use of WHOIS data in security research and threat hunting has declined in recent years, mostly because of the rise of paid privacy protection in online tools, which takes private information out of the WHOIS query, and because data is not updated over time. As long as the bills are paid, registrars pay little attention to whether contact details are current or correct.[3]
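As an added example (not part of the original DCSO post), the kind of pivot described above, run over constructed WHOIS records: domains are grouped by shared registrant name, email or name server, and GDPR-redacted or privacy-proxy values are dropped because they link nothing. The field names and sample values are assumptions, not real registrations.

```python
import re
from collections import defaultdict

# Constructed sample records (not real registrations). The field names are
# an assumed simplification of the registrar data model described above.
SAMPLE_RECORDS = [
    {"domain": "example-one.test", "registrant_name": "J. Doe",
     "registrant_email": "ops@mailbox.test",
     "name_servers": ["ns1.hoster.test", "ns2.hoster.test"]},
    {"domain": "example-two.test", "registrant_name": "Jane Roe",
     "registrant_email": "ops@mailbox.test",
     "name_servers": ["ns1.other.test"]},
    {"domain": "example-three.test", "registrant_name": "REDACTED FOR PRIVACY",
     "registrant_email": "REDACTED FOR PRIVACY",
     "name_servers": ["ns1.hoster.test", "ns2.hoster.test"]},
    {"domain": "example-four.test", "registrant_name": "Domains By Proxy, LLC",
     "registrant_email": "abc123@domainsbyproxy.test",
     "name_servers": ["ns1.other.test"]},
]

# Values that carry no attribution signal: GDPR redactions and paid privacy
# proxies. Pivoting on them would falsely cluster every redacted domain.
UNINFORMATIVE = re.compile(r"redacted|privacy|proxy|not disclosed|withheld",
                           re.IGNORECASE)

def is_informative(value):
    return bool(value) and not UNINFORMATIVE.search(value)

def pivot_domains(records, min_size=2):
    """Group domains by shared registrant fields; keys are (field, value)."""
    groups = defaultdict(set)
    for rec in records:
        for field in ("registrant_name", "registrant_email"):
            value = rec.get(field, "")
            if is_informative(value):
                groups[(field, value.lower())].add(rec["domain"])
        # Name servers survive redaction but are a weaker pivot: shared
        # hosting puts unrelated domains on the same servers.
        for ns in rec.get("name_servers", []):
            groups[("name_server", ns.lower())].add(rec["domain"])
    # Only keep pivots that actually connect two or more domains.
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}

def redaction_rate(records):
    """Share of records whose registrant email is redacted or proxied."""
    hidden = sum(1 for r in records
                 if not is_informative(r.get("registrant_email", "")))
    return hidden / len(records)
```

The redaction rate is the quick check a team should run before relying on a WHOIS feed: as it climbs, only the weaker name-server pivots remain.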
With the advent of the General Data Protection Regulation (GDPR) the availability of WHOIS information is changing. The GDPR, which came into effect on May 25, 2018, aims to make it harder for organizations within the EU to collect data about an individual if they do not have a direct use for the data or if the individual in question did not consent to sharing the data. The fines for refusing to comply with the GDPR are hefty, with values going up to 20 million euros or 4% of a company’s annual turnover.
Domain registration companies, fearful of the large fines they can incur if they fail to comply with the GDPR, have had no choice but to update their services in order to comply with the new regulations.
Under pressure from member organizations, ICANN has contacted the EU to conduct a roundtable on giving security researchers access to the data. However, this might still be a long way off.
ICANN vs EPAG: First GDPR lawsuit
ICANN recently took EPAG, a German domain registrar and subsidiary of Tucows (the second largest registrar in the world after GoDaddy), to court after EPAG declared it would stop collecting technical and administrative data about its domain holders to comply with the GDPR.[5]
ICANN stated that EPAG was contractually obliged to collect that data. However, EPAG argued that the contract also states that EPAG must comply with all relevant laws and regulations. In the end, the German court ruled that, under the GDPR, EPAG is no longer obligated to collect the technical and administrative data. While this is a victory for EPAG and data privacy advocates around Europe, the verdict does not clarify whether collecting administrative and technical data is illegal. In fact, at the time of writing, the German court plans to revisit its ruling following an appeal by ICANN.[7]
We anticipate more court cases in the coming months as ICANN, EU courts and registrars continue to grapple with the GDPR.
What is the impact on security research?
There has already been a marked impact, as some registrars are no longer providing the full record, or are omitting precisely the fields that are useful when investigating large adversary infrastructure. However, our threat researchers are not overly concerned. Not every botnet command and control will move to Europe or fake a European address. In fact, as one of our security researchers pointed out, now that WHOIS data is in the spotlight, registrars and other companies in this ecosystem could be forced to take a closer look at which actors are attempting to register with them.
- Evaluate your security team’s dependence on WHOIS.
- Stay alert to any news regarding the ongoing court case between ICANN and EPAG. DCSO believes it to be a landmark court case that will define how organizations use and access WHOIS data in the future.
- Intensify your reliance on other sources of threat intelligence, since WHOIS might not be as rich as it used to be.
[1] “About WHOIS.” ICANN. https://whois.icann.org/en/about-whois
[2] Brian Krebs. “Who Is Afraid of More Spams and Scams?” KrebsOnSecurity. March 16, 2018. https://krebsonsecurity.com/tag/gdpr/
[3] Allan Liska. “WHOIS: The Potential Impact of GDPR Security Research.” Recorded Future. May 25, 2018. https://www.recordedfuture.com/whois-gdpr-icann/
[4] Steven Vaughan-Nichols. “ICANN makes last minute WHOIS changes to address GDPR requirements.” ZDNet. May 23, 2018. https://www.zdnet.com/article/icann-makes-last-minute-whois-changes-to-address-gdprrequirements/
[5] Ashley La Bolle. “Tucows Statement on ICANN Legal Action.” EPAG. May 29, 2018. https://www.epag.de/en/tucows-statement-on-icann-legal-action/
[6] Jason Smith. “Ruling by German court creates further WHOIS and GDPR complications for ICANN.” Indivigital. June 1, 2018. https://indivigital.com/news/ruling-by-german-court-creates-further-whois-and-gdprcomplications-for-icann/
[7] “German Regional Court to Revisit Ruling in Injunction Proceedings on Request to Preserve WHOIS data.” ICANN. June 21, 2018. https://www.icann.org/news/announcement-3-2018-06-21-en
Who we are
The DCSO Threat Intelligence team helps clients reduce the threat that adversaries pose to their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence on all levels – from atomic Indicators of Compromise (IoCs) to insights into the political, economic and cultural context of adversaries.