I recently came across this white paper which focuses in the dynamic analysis of network indicators for threat detection.
The paper is very easy to read and I found very surprising some of the conclusions obtained from the research. The most revealing one is the fact that months before researchers have access or discovered a new malware, domains used by the malware to connect to their C2 are active. This implies a delay in the detection between the time the malware is available for dynamic analysis and the time that the malware has been successfully deployed in the wild.
As a result the paper proposes a close look to passive DNS to be able to improve detection and reduce the time between the communication to the C2 and the discovery of the malware.
In the past, I wrote some articles around threat dectection using passive dns if you want to understand this topic.
https://cyber-ir.com/2016/07/22/hunting-down-threat-infrastructure-with-precision1/
https://cyber-ir.com/2016/11/02/hunting-down-threat-infrastructure-2-with-passivetotal/
The white paper is the following,
One Comment Add yours