Indicators of Exfiltration
Here are a few signs of malware as seen through DNS traffic.
1. Young domains
When employees’ systems look up domains that are less than a week — or a day — old, companies should start investigating. Young domains are a solid sign that a machine has been infected with malware. Companies can either monitor and investigate the traffic or just block the requests. Maybe the solution is that you do not want to allow traffic to go to a site that is less than 24 hours old. There are a lot of domain names that are new, and they are hosting malicious content.
2. Esoteric domains
Not just age, but the uniqueness of a domain can be a tip that some unsavory activity is going on. If only a handful of employees appear to be going to a relatively unknown site, that could indicate that their machines have been compromised. If you just have one or two domains that only a few devices are querying, that is a good thing to start looking at. As with young domains, esoteric domains can escape IP blacklists that might otherwise signal the company that the domain is hosting a malicious Web site.
3. Lookup failures
Finally, if a computer has a large number of failed domain lookups, that could also be a sign that something is wrong. Domain-generation algorithms, which attempt to foil defenders by generating thousands of possible domain names every day in a digital shell game, have a recognizable traffic pattern. If a device tries 1,000 different domains and only one or two are valid, then focus on that device.
https://bigsnarf.wordpress.com/2012/12/15/assessing-outbound-dns-traffic-to-uncover-apt-advanced-persistent-threat/ – Using Splunk to monitor DNS