We began developing a proof of concept in September 2019 with a single domain block list, the Spamhaus Domain Blocklist, DBL.

We chose a subset of twenty-three Top-level Domains and began collecting Spamhaus DBL data daily for these. We complemented the metadata that the DBL provides by adding DNS zone data, domain name and IP Whois (or RDAP), and ICANN registry statistics. From this data set, we produced our the report, Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access.

Learning from our experience with this proof of concept, we modified our methodology, developed a schema for composite records, and adopted a framework that would accommodate collection of threat intelligence information for multiple threats, from multiple threat intelligence data sources. The report, Phishing Landscape 2020: A study of the Scope and Distribution of Phishing, proved the viability of this experimental platform.

Having demonstrated that the framework can expand to collect and warehouse threat intelligence data from multiple sources for a single cybercrime (phishing), we expanded began to collect threat data for other malware and spam. We met our benchmark dates for 2021 and 2022. We transitioned most of our system to a production environment, acquired partners who contributed threat intelligence feeds and passive DNS data, and developed new methodologies for phishing and malware.

We have published phishing landscape studies in 2021 and 2022 and malware landscape studies in 2021, 2022 and 2023.

Project Evolution and Timeline