A Lustrum of Malware Network Communication: Evolution and Insights

I recently came across this white paper which focuses in the dynamic analysis of network indicators for threat detection.

The paper is very easy to read and I found very surprising some of the conclusions obtained from the research. The most revealing one is the fact that months before researchers have access or discovered a new malware, domains used by the malware to connect to their C2 are active. This implies a delay in the detection between the time the malware is available for dynamic analysis and the time that the malware has been successfully deployed in the wild.

As a result the paper proposes a close look to passive DNS to be able to improve detection and reduce the time between the communication to the C2 and the discovery of the malware.

In the past, I wrote some articles around threat dectection using passive dns if you want to understand this topic.

https://cyber-ir.com/2016/07/22/hunting-down-threat-infrastructure-with-precision1/

https://cyber-ir.com/2016/11/02/hunting-down-threat-infrastructure-2-with-passivetotal/

The white paper is the following,

https://www.ieee-security.org/TC/SP2017/papers/409.pdf

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

You are commenting using your Google+ account. ( Log Out / Change )

Cancel

Connecting to %s

Share this:

Like this:

Leave a Reply Cancel reply