Data exfiltration takes many forms and is the objective of many different attacks. Dynamic DNS is a method of automatically updating name servers in the public DNS (Domain Name System) in near real time, and it is used to keep a specific domain name linked to a changing IP address. When used for nefarious purposes, Dynamic DNS lets an attacker change the actual host and IP address used as a command and control point without having to modify the behavior of the malware on the victim’s endpoint.
By leveraging a feed of known dynamic DNS top-level domains, RSA Security Analytics can produce a rich report summarizing all related activity that has been seen, both on the wire (packets) and in logs from devices in the network such as proxies and firewalls. You can see all the details in this solution overview.
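As an added example (not code from RSA or from the solution overview), the matching logic such a report relies on: queried hostnames from a DNS-query log are checked against a feed of dynamic DNS domains on label boundaries and summarized per source host. The feed entries, the key=value log format and the log lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed stand-in for a feed of dynamic DNS domains (not a real feed).
DDNS_FEED = {"ddns-provider.example", "dynhost.example"}

# Constructed log lines in a hypothetical key=value DNS-query log format.
SAMPLE_LOGS = """\
2024-01-01T10:00:01Z src=10.0.0.5 query=update.vendor-cdn.example type=A
2024-01-01T10:00:07Z src=10.0.0.5 query=beacon42.ddns-provider.example type=A
2024-01-01T10:02:13Z src=10.0.0.5 query=BEACON42.ddns-provider.example. type=A
2024-01-01T10:03:44Z src=10.0.0.9 query=notddns-provider.example type=A
2024-01-01T10:05:02Z src=10.0.0.9 query=files.dynhost.example type=TXT
"""

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+query=(?P<query>\S+)")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are canonical."""
    return name.lower().rstrip(".")


def ddns_parent(name: str, feed=DDNS_FEED):
    """Return the feed entry that `name` falls under, or None.
    Matching happens on label boundaries only, so 'notddns-provider.example'
    does not match the feed entry 'ddns-provider.example'."""
    name = normalize(name)
    for parent in feed:
        if name == parent or name.endswith("." + parent):
            return parent
    return None


def summarize(log_text: str, feed=DDNS_FEED):
    """Map each source host to {feed domain: {queried hostnames}}; return it with a hit count."""
    report = defaultdict(lambda: defaultdict(set))
    hits = 0
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; skip it
        parent = ddns_parent(m["query"], feed)
        if parent:
            report[m["src"]][parent].add(normalize(m["query"]))
            hits += 1
    return {src: dict(v) for src, v in report.items()}, hits


if __name__ == "__main__":
    report, hits = summarize(SAMPLE_LOGS)
    for src, parents in report.items():
        for parent, hosts in parents.items():
            print(f"{src} -> {parent}: {sorted(hosts)}")
    print("dynamic DNS queries seen:", hits)
```

Repeated queries for the same hostname collapse into one entry per source, so the report shows which hosts are resolving which dynamic DNS names rather than a raw line count.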