
Compromised enterprise devices detection based on abnormal behavior patterns-- UEBA in action

Akamai·Hen Tzaban·about 1 month ago

Recently, many reports of incidents have been making headlines, proving that no business or industry is immune to advanced threat actors. Applying user and entity behavior analytics (UEBA) to the challenging task of detecting compromised devices over time can play a critical role in your defense mechanisms. In this blog, I'll showcase a newly developed algorithm called MORTON, which aims to detect devices that are engaging in malicious Domain Name System (DNS) behavior.

Until recently, our focus was on finding an indication of compromise via a domain or URL in order to expand our DNS/HTTP proxy blocklist, and from there inferring that a device was compromised. However, Akamai has added substantial improvements to our defense toolsets with indications of compromise based solely on the behavior of devices.

After malware, delivered mostly by spam and phishing emails, has been downloaded and executed on a device, the device effectively becomes part of a botnet (see Figure 1).…
