The point of security is to keep the bad things from happening and support the occurrence of good things. When Bad things happen to an organization, they usually go to law enforcement and the legal system for compensations. To get the legal support - they must demonstrate that the crime was committed that the suspect committed the crime. It means that the organization must provide a trail of evidence to convince the legal system to support them. This is relatively challenging things to do, and an organization will need Digital Forensics and Incident response teams to run and develop evidence for them. Security teams must think in terms of Legally Defensible Security. 

Domain Name Server (DNS) is one of the most common protocol. We use it multiple times a day without realizing it. Popularly known for converting a do main name into an IP address. Think of it as a glue between human and the network. Newer Content Delivery Networks (CDN) use DNS to ensure a client is send to the server closest to it's geography.

In today's post we are going to talk about the common DNS attacks used by malwares called Fast Flux. This may fall under the "Command and Control" Category in MITRE ATT&CK Framework.

In order to avoid blocking a malware owner quickly changes the resolved IP Addresses. So, every-time you'll query a host-name it'll give you a different IP Address. Usually, time to live (TTL) for each IP address is around 300 Seconds.  This technique is most commonly used by Botnets. A key thing to remember is the DNS Servers participates in the Fast-Flux is usually for Malicious purpose.

Investigation Tips:
Look for TTL < 300
DNS Count > 12
Recently registered domain.
Learn more about Fast Flux: http://www.honeynet.org/node/136