Open DNS - Investigate Use Case


INVESTIGATE USE CASE:

SPEED UP INCIDENT RESPONSE

INCIDENT RESPONSE TIMES LAG WHEN SECURITY TEAMS DO NOT HAVE THE RIGHT CONTEXT
OR ACCESS TO PERTINENT INFORMATION EARLY ON IN THE INVESTIGATION.

OpenDNS Investigate provides the most complete view of the relationships and evolution of Internet domain names,
IP addresses, and autonomous systems, helping to pinpoint attackers' infrastructures and uncover future threats.

Internet-wide visibility
Investigate connects the dots between attackers' infrastructure, which helps attribute domains
to specific attacks and malicious activity.

Predictive intelligence
Our statistical models accurately identify malicious domains, IPs, and ASNs across the Internet,
and even predict where future attacks may be staged.

All of the information you need, correlated in a single source
including real-time and historical information about domain ownership, relationships with
IPs and autonomous systems, co-occurrences, reputation, global request and route analysis, and
much more.

1992-2015 Cisco Systems, Inc. All Rights Reserved.


OpenDNS Investigate provides the global context needed to quickly assess the maliciousness of a
domain or IP during incident investigations.

Starting with just one piece of information (suspiciousdomain.ru), Investigate shows the following:

Alerts and risk scores
summarize the suspicious activity identified for the domain.

Domain tagging
shows history of when the domain was associated with malware or botnet activity.

Global request patterns
shows an abnormal spike in traffic, which highlights when the attack launched.

IP geography analysis
reveals the domain is hosted by IP addresses on different networks in more than 20 countries,
which is unusual for legitimate country code top-level domains (.ru in this case).

Analysis of IP requester location
shows the vast majority of requests for this domain are coming from people located in the
United States, which could signify a more targeted attack.

WHOIS record data
shows the domain was recently created and registered by someone who used the same email
address to register other malicious domains.
6 CONFIDENTIAL

Mappings of IP prefixes and ASNs
highlight where the domain is hosted and confirm it is hosted in a bad neighborhood with many
other malicious domains. You can pivot on the IP or ASN for more details.
Passive DNS data
provides insight into the history of the mapping between domains and IPs. For example, this
domain was associated with many different IPs in the past week, and previously was only
associated with one.

Anomaly detection
including identifying that it is a fast flux domain, which is a technique used to hide malware
sites behind IP addresses that are constantly changing.
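The passive DNS and anomaly detection slides above describe the same signal from two angles: a domain that resolved to one IP for months and then to many short-lived IPs across several networks in a single week. The script below is an added example (not OpenDNS code and not the statistical model Investigate uses) showing how an analyst can compute that IP-churn indicator from passive DNS records. The records, the reference date and the thresholds in is_fast_flux_like are constructed for illustration; the IPs come from documentation ranges and the ASNs from the private range.

```python
"""IP-churn and hosting-dispersion indicators from passive DNS records (added example)."""
from datetime import date, timedelta
from statistics import median

TODAY = date(2015, 3, 10)  # constructed reference date for the analysis

# Constructed passive DNS history for a hypothetical domain: one long-lived
# hosting IP, then six IPs in six countries that each lived about one day.
FLUX_RECORDS = [
    {"ip": "198.51.100.7",  "country": "RU", "asn": 64500, "first_seen": date(2015, 1, 1), "last_seen": date(2015, 3, 10)},
    {"ip": "203.0.113.15",  "country": "US", "asn": 64501, "first_seen": date(2015, 3, 4), "last_seen": date(2015, 3, 5)},
    {"ip": "203.0.113.88",  "country": "US", "asn": 64501, "first_seen": date(2015, 3, 5), "last_seen": date(2015, 3, 6)},
    {"ip": "192.0.2.33",    "country": "DE", "asn": 64502, "first_seen": date(2015, 3, 6), "last_seen": date(2015, 3, 7)},
    {"ip": "192.0.2.201",   "country": "BR", "asn": 64503, "first_seen": date(2015, 3, 7), "last_seen": date(2015, 3, 8)},
    {"ip": "198.51.100.99", "country": "IN", "asn": 64504, "first_seen": date(2015, 3, 8), "last_seen": date(2015, 3, 9)},
    {"ip": "203.0.113.240", "country": "NL", "asn": 64505, "first_seen": date(2015, 3, 9), "last_seen": date(2015, 3, 10)},
]

# Constructed history for a stable domain, for comparison: one IP the whole time.
STABLE_RECORDS = [
    {"ip": "192.0.2.10", "country": "US", "asn": 64510, "first_seen": date(2015, 1, 1), "last_seen": date(2015, 3, 10)},
]


def active_in(records, start, end):
    """Records whose observed [first_seen, last_seen] interval overlaps [start, end]."""
    return [r for r in records if r["first_seen"] <= end and r["last_seen"] >= start]


def churn_report(records, today=TODAY, window_days=7):
    """Compare the IPs seen in the last window against everything seen before it."""
    week_start = today - timedelta(days=window_days)
    recent = active_in(records, week_start, today)
    prior = active_in(records, date.min, week_start - timedelta(days=1))
    # Lifetime of each IP that first appeared inside the window: fast flux
    # rotates IPs quickly, so these lifetimes are short.
    new_this_week = [r for r in recent if r["first_seen"] >= week_start]
    lifetimes = [(r["last_seen"] - r["first_seen"]).days for r in new_this_week]
    return {
        "recent_ips": len({r["ip"] for r in recent}),
        "prior_ips": len({r["ip"] for r in prior}),
        "countries": sorted({r["country"] for r in recent}),
        "asns": sorted({r["asn"] for r in recent}),
        "median_new_ip_lifetime_days": median(lifetimes) if lifetimes else None,
    }


def is_fast_flux_like(report, min_ips=5, min_growth=3, max_lifetime_days=2, min_countries=3):
    """Heuristic verdict; thresholds are illustrative assumptions, not a vendor model."""
    lifetime = report["median_new_ip_lifetime_days"]
    return (
        report["recent_ips"] >= min_ips
        and report["recent_ips"] >= min_growth * max(report["prior_ips"], 1)
        and lifetime is not None and lifetime <= max_lifetime_days
        and len(report["countries"]) >= min_countries
    )


if __name__ == "__main__":
    for name, recs in (("flux", FLUX_RECORDS), ("stable", STABLE_RECORDS)):
        rep = churn_report(recs)
        print(name, rep, "fast-flux-like:", is_fast_flux_like(rep))
```

The report separates the raw facts (distinct IPs this week versus before, countries, ASNs, how long the new IPs lived) from the verdict, so the same numbers can feed a ticket or a SIEM rule without the heuristic thresholds being baked into the data.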

Named threat attribution
confirms that the domain was associated with a particular malware family or botnet C&C.

Related domains and co-occurrences
identify other domains that were queried with a high statistical frequency right before or
after this one and could be related to the same attack.

Starting from a single piece of data, you're able to quickly investigate the domain leveraging
a single, correlated source and speed up incident response.

For a free trial or more sales information, contact our team:
1-877-811-2367 | sales@opendns.com | www.opendns.com
