Outsourcing may not always have had the best connotation. In the context of cybersecurity, however, the activity is a vital one and often even the only real alternative for many small- and medium-sized organizations.

MDR service providers aim to address that demand by offering a team of security analysts and researchers readily available to take care of a variety of outsourced security processes. These involve analyzing client networks, anticipating cyber threats, dealing with them proactively when they occur, and else. This supplier also gives access to advanced technologies that can be customized to fit company requirements.

All in all, MDR services enable SMEs to operate without having to worry too much about the constantly-evolving cybersecurity environment. What many clients do not know about, however, are the sources of intelligence that are necessary for MDR teams to keep them cyber secure. This post intends to cast light on the subject, focusing on two categories of intelligence—domain names & IP addresses.

1. Domain Data Feeds

Domain data can take the form of both WHOIS and DNS databases. These databases, each composed of millions or more records, can be integrated into an MDR provider’s systems. Doing so allows studying domain registrations, transfers, and expirations, as well as the registrants behind.

This information is highly relevant since there is a domain name involved in most cybercriminal undertakings—including business email compromise (BEC) or other malware-instigated attacks.

More specifically, MDR teams can find answers to the following questions when using domain data intelligence:

• Are communications reaching client’s networks coming from potentially spoofed email addresses?
• Are certain categories of top-level domain names often being misused for conducting fraud?
• Are there patterns among domain records that may help uncover large-scale criminal networks?
• If any of these events are true, what should be the next steps? E.g., blocking known-malicious or suspicious senders, possibly contacting law enforcement agencies, etc.

2. Geolocation and Netblocks Feed

Another way MDR teams can protect their clients is by monitoring traffic according to its location, and this is where IP geolocation and IP netblocks databases become highly relevant.

The former, IP geolocation, is a means to learn more about visitors based on where they come from and find inconsistencies. For example, online fraud might be at play when there’s a lot of traffic from places where a client has no business activity. Another instance is users who chose to hide their locations while aiming to complete an online transaction.

IP netblocks, on the other hand, give information about a group of IPs and study external networks rather than a specific individual and its device. This data is relevant for MDR teams because it allows making sense of bulk traffic coming to a client’s sites and servers.

That traffic may come from regular commercial transactions between the client’s organization and the employees of a large supplier. If so, IP addresses are likely to belong to the same block, and there is no need to worry.

However, the traffic may also come massively from an unknown source and start slowing down IT infrastructure. Such an event is also known as a DOS attack. In this context, rather than spending time on securing clients from individual IPs, MDR specialists can decide to block entire IP blocks for efficiency.

* * *

Small and medium businesses rely on MDR teams to safeguard their online assets. In turn, MDR providers must gain access to comprehensive data feeds to fuel their tools and processes for the detection and response of security events and incidents. Domain and IP data are two examples of these feeds that can be used on their own or in combination for deeper protection.