I recently came across this white paper which focuses in the dynamic analysis of network indicators for threat detection.

The paper is very easy to read and I found very surprising some of the conclusions obtained from the research. The most revealing one is the fact that months before researchers have access or discovered a new malware, domains used by the malware to connect to their C2 are active. This implies a delay in the detection between the time the malware is available for dynamic analysis and the time that the malware has been successfully deployed in the wild.

As a result the paper proposes a close look to passive DNS to be able to improve detection and reduce the time between the communication to  the C2  and the discovery of the malware.

In the past, I wrote some articles around threat dectection using passive dns if you want to understand this topic.

https://cyber-ir.com/2016/07/22/hunting-down-threat-infrastructure-with-precision1/

https://cyber-ir.com/2016/11/02/hunting-down-threat-infrastructure-2-with-passivetotal/

The white paper is the following,

https://www.ieee-security.org/TC/SP2017/papers/409.pdf