Use multiple DNS infrastructures

A technique used by the adversary that is similar to Dynamic DNS, with the exception that standing up multiple DNS infrastructures will likely leave WHOIS registration records behind. [1]

ID: T1327

Tactic: Establish & Maintain Infrastructure

Version: 1.0

Detection

Detectable by Common Defenses (Yes/No/Partial): Partial

Explanation: Domain registration is by design captured in public registration records (WHOIS). Various tools and services exist to track, query and monitor domain name registration information. However, tracking multiple DNS infrastructures will likely require multiple tools/services, or more advanced analytics that correlate registration data across providers.
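The correlation the explanation alludes to can be illustrated with a small script. The following is an added example, not part of the original page or of any MITRE tooling: it takes parsed WHOIS-style records (the record layout and all sample domains, e-mail addresses and nameserver names are constructed for illustration, using reserved `.test`/`.invalid` names), pivots on the registrant e-mail, and flags registrants whose domains are served from two or more distinct nameserver providers. That is the shape of "multiple DNS infrastructures" a defender would want to surface; a single-provider registrant is not flagged, and privacy-redacted registrant fields are skipped so that every redacted domain does not collapse into one false cluster.

```python
"""Correlate WHOIS-style registration records across DNS providers.

Added example (not from the original page): given registration data
collected from one or more WHOIS sources, pivot on registrant fields to
find domain sets that share an owner but are spread across different
nameserver providers. The record format and the sample records below
are constructed for illustration; real WHOIS output varies by registrar.
"""
from collections import defaultdict

# Constructed sample records, shaped loosely like parsed WHOIS output.
SAMPLE_RECORDS = [
    {"domain": "example-update.com", "registrant_email": "ops@example.invalid",
     "nameservers": ["ns1.dnsprov-a.test", "ns2.dnsprov-a.test"], "created": "2015-05-01"},
    {"domain": "example-login.net", "registrant_email": "ops@example.invalid",
     "nameservers": ["ns1.dnsprov-b.test", "ns2.dnsprov-b.test"], "created": "2015-05-03"},
    {"domain": "example-portal.org", "registrant_email": "ops@example.invalid",
     "nameservers": ["a.dnsprov-c.test"], "created": "2015-05-04"},
    {"domain": "benign-shop.com", "registrant_email": "admin@shop.invalid",
     "nameservers": ["ns1.dnsprov-a.test", "ns2.dnsprov-a.test"], "created": "2014-01-10"},
    {"domain": "benign-blog.com", "registrant_email": "admin@shop.invalid",
     "nameservers": ["ns3.dnsprov-a.test"], "created": "2014-02-10"},
    {"domain": "redacted-one.com", "registrant_email": "",  # privacy-redacted
     "nameservers": ["ns1.dnsprov-b.test"], "created": "2015-06-01"},
]


def provider_of(nameserver):
    """Reduce a nameserver hostname to a provider label (its registrable domain).

    Heuristic: the last two DNS labels. Sufficient for the constructed data;
    production code should consult a public-suffix list instead.
    """
    labels = nameserver.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def pivot_on_registrant(records):
    """Group records by normalised registrant e-mail.

    Empty or redacted values are skipped so that privacy-protected domains
    do not all land in a single meaningless cluster.
    """
    groups = defaultdict(list)
    for rec in records:
        email = rec.get("registrant_email", "").strip().lower()
        if not email:
            continue
        groups[email].append(rec)
    return groups


def find_multi_infrastructure(records, min_providers=2):
    """Return {registrant: {"domains": [...], "providers": [...]}} for every
    registrant whose domains are served by at least `min_providers` distinct
    nameserver providers, i.e. who is running multiple DNS infrastructures.
    """
    findings = {}
    for email, recs in pivot_on_registrant(records).items():
        providers = {provider_of(ns) for r in recs for ns in r["nameservers"]}
        if len(providers) >= min_providers:
            findings[email] = {
                "domains": sorted(r["domain"] for r in recs),
                "providers": sorted(providers),
            }
    return findings


if __name__ == "__main__":
    for email, hit in find_multi_infrastructure(SAMPLE_RECORDS).items():
        print(f"{email}: {len(hit['providers'])} providers, domains={hit['domains']}")
```

On the constructed data only `ops@example.invalid` is reported, with three providers; the registrant who uses several domains on one provider is not, which is the distinction the detection explanation draws. In practice the same pivot can be run on other registrant fields (organisation, phone, registrar account) and on nameserver history, since redacted e-mail is the common case with modern WHOIS privacy.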

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Requires more planning than a single DNS infrastructure, but is feasible.

References

  1. Brian Krebs. (2015, May 18). St. Louis Federal Reserve Suffers DNS Breach. Retrieved March 6, 2017.