• Dynamic DNS & Data Exfiltration


One of the most common goals of malicious actors is to steal data. Data exfiltration refers to the successful sending of information out of an environment to an environment controlled by an attacker. For malicious purposes, dynamic DNS allows an attacker to change the actual host and IP address used as a drop zone, for “malvertizing”, or as a command and control point without having to modify the behavior of the malware used on the victim’s endpoint. This provides a quick and convenient mechanism for attackers to evade detection using traditional IP/domain reputation services. While dynamic DNS can be used for many stages of an attack, this scenario focuses on its use as a drop zone for data exfiltration, uncovered by noticing an anomaly in a daily report.

Customer values/problems solved

  • RSA Security Analytics allows for the reporting of all network, log, and net flow and endpoint data from a single interface. By leveraging a feed of known dynamic DNS top level domains, Security Analytics can produce a rich report summarizing all activity that has been seen both on the wire (packets) or from various devices in the network such as proxies and firewalls (logs).
  • In addition to just tagging traffic to and from dynamic DNS domains, Security Analytics can add valuable business and asset context to help an analyst sift through the noise.
  • By further investigating Use Case Reports within RSA, an analyst can reconstruct the exfiltrated data. This helps to evaluate the business impact of the attack as well as provides information for suitable containment measures.


  • RSA NetWitness Suite