Hello and welcome to the Monday, July 14th, 2025 edition of the Sands Inundit Storm Centers. Stormcast. My name is Johannes Orich, and today's episode is brought to you by the sands.edu credit certificate program in Industrial Control System Security, and it is recorded here at Sandspire in Washington, D.C.

Well, this weekend, I worked on a new data feed, suspicious domains.

This is something we used to have in the past.

Like years ago, we had a suspicious domain feed, and what we did in the past was that we

basically aggregated various other public domain

feats in order to then rank them and also look for domains that are sort of more significant

by showing up in multiple feats. The problem with this approach was that, well, these feats kind of

changed. Some of them got this continued.

Others changed their licensing, that we could no longer use them and redistribute them.

So we now take a little bit a different approach. We already had data of newly registered domains.

We offer that as part of our API data.

The recent domains feature in our API basically gives you

recently registered domains. So what we did now is took an approach that is not new, but

where we basically look for odd patterns in these domains. So things like, for example, well-known brand names are often impersonated.

We're looking for international characters that are a little bit odd,

in particular if multiple different scripts are being used in one domain name.

Also, things like lots of numbers, high entropy, like these random domain names.

What we have right now is probably a little bit more sensitive to fishing domains.

The malware domains are probably caught with a lot of these sort of high entropy,

these very random domain names.

But those are actually a little bit more difficult to find, actually

identify and prioritize, because it looks like there are also some legitimate, not really sure

...