In Chapter 3, Computer Forensics and Evidence Handling, we looked at the idea of threat actor attribution. In this section, we look more specifically at how we can utilize network (DNS and HTTP logs) and threat intelligence data to find a threat actor. This is specifically referenced in topics 4.7 and 4.8 in the 210-255 specification:

DNS and HTTP services are fundamental to many network applications, particularly those that operate over the internet. This means that they are services that very close to 100% of organizations will have permitted on their networks. For an attacker, this means that the likelihood of data successfully traversing the trusted/untrusted boundary is higher when using DNS and HTTP than for rarer protocols (for example, FTP or Telnet). DNS and HTTP are therefore common protocols leveraged by attackers for both data upload/download, and command and control messages.

In the previous chapter, we looked at pinpointing threats and identifying malicious files. Malicious files can mutate very quickly, in some instances changing with every iteration. URL (in HTTP traffic), DNS, and IP information changes much more slowly.

Routable (public) IP addresses must be bought or assigned from the available pools; it is often difficult to obtain an address outside the geographic area. Even using the Tor network or a virtual private network (VPN), exit points are often still known or registered. While the actor's own address may be obfuscated to the casual user, the use of a VPN or Tor exit point can even be a greater indicator of a threat.

To help obscure the end location, multiple domain names could be used to point to the same ultimate IP address. Again, domain names must be registered. Domain name servers must know the addresses associated with each name; if they did not, the URL would not point to the correct location anyway.