Cisco and Pxosys teamed up for this webinar. We will walk you through the threat landscape and recent DNS-related ransomware cases, and explain why DNS security is important in your organization's security stack. We will look at a Cisco Umbrella live demo and see the potential of the platform, from easy deployment and reporting to blocking and mitigating threats from day zero. A Q&A will end the event to clarify any questions that arise during the demo. Attendees will receive a Cisco Umbrella free trial (30 days) at the end of the event.
Visit www.pxosys.com to learn more about us.
7. Where does Umbrella fit?
[Slide diagram: the threats shown are malware, C2 callbacks and phishing. HQ: sandbox, NGFW, proxy, NetFlow, AV (network and endpoint). Branch: router/UTM, AV (network and endpoint). Roaming: AV (endpoint). Umbrella sits as the first line in front of all three.]
It all starts with DNS
– Port agnostic and used by all devices
– Precedes file execution and IP connection
– Malicious traffic and payloads never reach target
– Reduces alerts by 2-10X and improves SIEM
– Provision globally in under 30 minutes
8. Prevents connections before and during the attack
ENFORCEMENT
Web- and email-based infection: malvertising / exploit kit, phishing / web link, watering hole compromise
Command and control callback: malicious payload drop, encryption keys, updated instructions
Stop data exfiltration and ransomware encryption
9. How Cisco Umbrella Works
[Slide diagram: a browsing session sends its DNS requests to Umbrella; requests for badguys.com are answered with the blocking landing page, requests for goodguys.com resolve normally.]
10. Ease data sovereignty concerns
Store data used for Umbrella reports in an EU facility
Use the multi-org console for different storage settings for different locations
EU data warehouse facility available
CLOUD PLATFORM
11. Global Network Built into the Fabric of the Internet
ZERO added latency: peer w/ top 500 ISPs & CDNs
2.5% of worldwide activity: globally-shared DNS cache
100% uptime since 2006
400+ Gbps capacity, protection & global fail-over
12. Our view of the internet
125B requests per day
15K enterprise customers
90M daily active users
160+ countries worldwide
13. Cisco's Secure Internet Gateway Vision
[Slide diagram. Top layer: threat intelligence, cross-product analytics, APIs, and integrations. Capabilities: DNS-layer, proxy, app visibility and control*, sandbox, 3rd-party, new product*, CASB controls, file inspection, inbound inspection*. Bottom layer: leveraging Cisco's global footprint. *Future]
15. Ransomware: mapping attacker infrastructure
Associations used: domain to IP, IP to sample, IP to network, IP to domain, WHOIS, network to IP
Timeline for *.7asel7[.]top (Locky): blocked by Umbrella on AUG 17, 26 days before SEP 12
20. Enterprise-wide deployment in minutes
ANY DEVICE: on network, roaming laptop, branch offices
On-network coverage: with one setting change; integrated with Cisco ISR 4K series and Cisco WLAN controllers
Off-network coverage: with AnyConnect VPN client integration, or with any VPN using the lightweight Umbrella client
Hello and good morning, everyone. My name is Ruben Cocheno and I'm the founder of PXOSYS, a digital solutions provider. I also have with me Andy Hook from Cisco to answer any of your questions during this online session.
For the next 40 minutes, I will help you discover how Cisco Umbrella can amplify your security across your enterprise network, from any device and from anywhere, and keep it safe.
When it comes to the threat landscape, it’s important to take a look in the rearview mirror once in a while.
As with driving, not only do you get a good look at what’s behind you, but you can often spot what’s coming up quick, set to overtake you.
We've picked out key stories from the last year or so, not just because they were big events, but because we think these threats, or similar ones, could very well appear again in the near future.
Take modular threats like Emotet and VPNFilter, for example. These are threats that can deliver an on-demand menu of attacks and payloads, depending on which device is infected or the intended goal of the attacker. We saw plenty of such modular threats in recent history, and wouldn't be surprised to see more in the future.
Email remains the darling delivery method of attackers, with threats from cryptomining to Emotet using it to spread. It's also highly likely that other threats, such as unauthorized MDM profiles, used it too. This highlights how critical it is to keep a close eye on what is coming in through your mailbox.
What is the modus operandi?
Revenue generation continues to be a primary motivation for attackers: malware follows the money. Cryptomining threats, for instance, are laser-focused on this goal. Meanwhile, Emotet has pivoted to being a threat distribution network, capitalizing on a variety of options to make money.
The worst nightmare of every customer is showing up in the news for the wrong reasons. There are multiple cases every single day; the press is full of recent breaches due to ransomware and other variants. This causes chaos and stops an organization for a few hours or even days while it calculates the full damage, not only to the business but also to a brand that took years to build and maintain.
When you think about why this is useful from a security perspective: DNS is fundamental to how the internet works, and it's used by every device on your network in order to connect to the internet. We're tying into something organizations are already doing. They're already relying on something to handle their recursive DNS traffic, and it's most likely their ISP. So with Umbrella, we do that, plus add security. It turns out that this same mechanism used in all these internet connections is really useful for uncovering where malicious activity is on the Internet, and then blocking devices from going there.
This data can be analyzed and turned into threat intelligence and more importantly, enforced.
Think about where you enforce security today. You probably have a range of products in your security stack to protect your network and endpoints, whether at your corporate headquarters, branch offices, or on roaming endpoints: firewalls, IDS, IPS, maybe proxies or sandboxing, AV on endpoints, email security, and the list goes on. When you deploy these solutions they can take time to implement.
What we hear from customers is that despite the existing security products deployed, they are still dealing with too many malware infections and phishing attacks.
There are many ways that malware can get in, which is why it's important to have multiple layers of security. Umbrella is 100% cloud-delivered security, hosted on the Internet. Security should start at the DNS layer. We're not a replacement for other solutions but an additional layer that complements what you already have. And of course, you can block malware on your network and endpoints, but why wait until malware reaches the endpoint when you can block threats out on the Internet? If you consider how malware is often downloaded, how phishing attacks work and how malware exfiltrates data, it often happens on the Internet.
Umbrella not only protects against initial infection. It also prevents command and control callbacks (aka C2 callbacks), so even if devices become infected in other ways, Umbrella blocks the communication to an attacker's server, stopping data exfiltration or the download of ransomware encryption keys.
C2 callbacks are blocked using the same DNS enforcement process described a moment ago.
And in the event that the malicious payload is designed to bypass DNS and use a direct-to-IP connection, Umbrella goes beyond DNS to provide malicious IP blocking and enforcement.
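As an added illustration of the two enforcement points just described (a blocked name is answered with the block landing page at the DNS layer, and a payload that skips DNS is caught at the IP layer), here is a small Python model. It is not Umbrella code: the block-page address, the event format and the sample events are constructed for this example; the wildcard domain and the two IP addresses are the indicators discussed later in the deck.

```python
"""Toy DNS-layer and IP-layer enforcement, modelled on the deck's description.

Added example, not Cisco Umbrella code. The block-page address, the event
tuple format and SAMPLE_EVENTS are constructed for illustration; the wildcard
domain and the two IP addresses are the indicators quoted later in this deck.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy. Indicators are written defanged ([.]) as in the slides.
BLOCKED_DOMAINS = {"*.7asel7[.]top", "badguys[.]com"}
BLOCKED_IPS = {"185.101.218.206", "91.223.89.201"}
BLOCK_PAGE_IP = "203.0.113.10"  # assumption: RFC 5737 test address standing in for the block landing page


def refang(indicator: str) -> str:
    """Turn defanged notation back into a real, lower-cased name."""
    return indicator.replace("[.]", ".").lower()


def domain_blocked(qname: str) -> bool:
    """Exact match, or suffix match for '*.' wildcard entries.

    The wildcard also covers the apex itself, so *.7asel7.top blocks
    7asel7.top and update.7asel7.top, but not not7asel7.top.
    """
    name = qname.rstrip(".").lower()
    for entry in map(refang, BLOCKED_DOMAINS):
        if entry.startswith("*."):
            apex = entry[2:]
            if name == apex or name.endswith("." + apex):
                return True
        elif name == entry:
            return True
    return False


@dataclass
class Verdict:
    action: str            # "allow" or "block"
    layer: str             # "dns", "ip", or "none"
    answer: Optional[str]  # address handed to the client; None if the connection is dropped


def enforce_dns(qname: str, real_answer: str) -> Verdict:
    """DNS layer: a blocked name resolves to the block page instead of the real address."""
    if domain_blocked(qname):
        return Verdict("block", "dns", BLOCK_PAGE_IP)
    return Verdict("allow", "none", real_answer)


def enforce_ip(dst_ip: str) -> Verdict:
    """IP layer: catches payloads that skip DNS and connect straight to an address."""
    addr = ipaddress.ip_address(dst_ip)  # raises ValueError on garbage, which is what we want
    if str(addr) in BLOCKED_IPS:
        return Verdict("block", "ip", None)
    return Verdict("allow", "none", str(addr))


# Constructed events: (kind, client, target, real_answer). "dns" events carry the
# answer the upstream resolver would have returned; "ip" events are direct connections.
Event = Tuple[str, str, str, Optional[str]]
SAMPLE_EVENTS: List[Event] = [
    ("dns", "10.0.0.5", "goodguys.com", "198.51.100.7"),
    ("dns", "10.0.0.5", "update.7asel7.top", "185.101.218.206"),  # payload / C2 domain
    ("dns", "10.0.0.9", "7asel7.top", "185.101.218.206"),         # apex of the wildcard
    ("dns", "10.0.0.9", "not7asel7.top", "198.51.100.8"),         # must not match the wildcard
    ("ip", "10.0.0.9", "91.223.89.201", None),                    # direct-to-IP callback
    ("ip", "10.0.0.9", "198.51.100.7", None),
]


def evaluate(event: Event) -> Verdict:
    kind, _client, target, real_answer = event
    if kind == "dns":
        return enforce_dns(target, real_answer or "")
    return enforce_ip(target)


def run(events: List[Event]) -> List[Verdict]:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{event[0]:3} {event[2]:20} -> {verdict.action:5} ({verdict.layer}) answer={verdict.answer}")
```

The suffix check is the detail worth copying: a naive `endswith("7asel7.top")` would also block `not7asel7.top`, which is exactly the kind of collateral block that generates the alerts the slide says DNS enforcement is supposed to reduce.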
Do you have concerns about where your Cisco Umbrella logs are stored?
With EU data sovereignty laws, storing EU-citizen data in a US-based data center can complicate things for EU companies.
Cisco Umbrella now makes it easy for EU companies to store their log data in the EU.
You now have the option to select an EU-based data center in Frankfurt, Germany for your Umbrella log data storage.
With our multi-org console, you can also support both EU and US log storage: you can configure Umbrella to have child orgs point to either storage location.
Now let’s talk a bit about the secret sauce that’s working behind the scenes for Umbrella. First is the Umbrella Global Network, which is truly built into the fabric of the Internet.
Cisco peers with over 600 of the top ISPs and content delivery networks to exchange BGP routes and ensure we're routing requests efficiently and not adding any latency over regional DNS providers. We run over 30 datacenters around the world, advertised through Anycast: we always publish the same IP addresses, which makes the service extremely robust in terms of performance. Cisco Umbrella has had 100% uptime of its network since it was first established in 2006, and we publish our system status on our website.
And even as the Internet population grows, Umbrella has been handling roughly 2% of the world's activity for the past 5 years, which is actually a huge percentage for a single provider. It gives Umbrella visibility into where attacks are being staged on the Internet.
We handle DNS requests from about 85 million users every day.
This shows Cisco’s vision and plan for building a secure internet gateway.
Bottom: connecting to the cloud. When you think about cloud solutions, the major challenge is how you get traffic and identity data to the cloud. We do a few things differently from competitors. First, we use DNS, which makes it super simple to connect to the cloud. DNS is the first connection point to the cloud.
Then on the top part, that's our vision for cloud security. Now that security is moving to the cloud, we need to reimagine how the network security stack looks in the cloud. Cisco is building a security platform in the cloud that will allow customers to add even more security capabilities in the future. The dark blue circles are all things that are in play today:
enforce security at the DNS-layer to prevent connections to malicious domains and IP at the earliest point
have a proxy that can do deeper inspection of risky traffic
inspect files from risky domains with file inspection and in the near future, sandboxing for unknown files
have a bi-directional API that enables integrations with third parties
and most recently, Cisco has been working on an integration with CloudLock
Today we’re looking at internet destinations and where employees are going. This could also be done for servers and IoT…the cloud is where we can apply the same technology for those types of use cases. Also today we’re looking at outbound traffic to these destinations, but what if we could look at inbound traffic too? The service will continue to become richer, while at the same time remaining the easiest security product to deploy and manage.
Let's look now at a real-world example of a ransomware attack, and how Umbrella works to block the threat before it is launched.
Leveraging our in-depth understanding of Internet infrastructure and statistical models, we are able to map and block attackers' infrastructure before attackers use it to launch the attack.
Details:
We start the process with a domain already blocked by Umbrella based on our statistical models and linked with Locky ransomware.
Umbrella predictive intelligence blocked this domain 26 days earlier than the first community submission appeared on VirusTotal.
As we have a very broad view of the Internet infrastructure, we can leverage it to find more IPs, domains and so on that relate to Locky or other ransomware, using the various relationships that naturally exist on the Internet.
The internet itself has many built-in relationships that we can leverage to quickly map attackers' infrastructure. We start with one domain and very quickly get to 1000.
Details:
Domain to IP association: based on DNS information we learn that the domain resolves to two IP addresses. Both IPs are blocked.
Let's now see what domains are hosted on 185.101.218.206 via the IP to domain association: more than 1000 DGA-like domains linked with Cerber.
It looks like Locky and Cerber share infrastructure.
The Umbrella and AMP Threat Grid integration gives us the IP to sample mapping: more than 600 samples clearly marked as Cerber ransomware.
Focus on the 2nd IP, 91.223.89.201, and explore a new association, IP to autonomous system (for simplicity we refer to an AS as a network). Every public IP belongs to a network, typically owned by an ISP or a large enterprise like Facebook or Google.
The IP 91.223.89.201 belongs to AS 197569, which is owned by the Russian service provider ENERGOMONTAZH ltd.
Let's see what other domains within AS 197569 have recently been spotted by our algorithm.
Our statistical models were able to identify and block 2 domains generated by a DGA algorithm several days before the domains had even been registered, thus eliminating the damage that could be done. This is especially critical for ransomware.
Details:
What we are doing now is looking at what other malicious domains have recently been spotted within this network range.
Not very surprisingly, two additional domains clearly look like they were generated with a DGA algorithm.
Compare when Umbrella marked the domains as malicious vs. the first evidence available on VirusTotal.
Both domains are related to Locky ransomware.
The first domain was registered in July and immediately blocked based on our DGA detection algorithm. The first evidence on VT was 7 days later.
The 2nd domain highlights our predictive capabilities even more: 26 days earlier.
Notice this domain was blocked 4 days before it was registered by the attacker.
With predictive intelligence, malicious infrastructure can be blocked in advance to significantly cripple malware operations.
The infrastructure and related findings can be visualized by OpenGraphiti, our 3D visualization tool.
The cluster on the right-hand side is linked with IP 185.101.218.206, to which more than 600 samples classified as Cerber ransomware by AMP Threat Grid connected during sandboxing.
The cluster on the left shows hundreds of DGA based domains related to Cerber ransomware
Domain generation algorithms (DGA) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers.
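The pivots walked through above (domain to IP, IP to domain, IP to AS, AS to IP) and the DGA naming pattern this paragraph describes can be reproduced on a small constructed dataset. The Python below is an added example, not Cisco's Investigate or OpenGraphiti tooling: the passive-DNS table, the AS lookup table, the placeholder AS numbers 64500/64501 and the made-up DGA-style names are assumptions; 7asel7.top, the two IP addresses and AS 197569 are the indicators quoted in the deck. The lexical DGA score is a toy heuristic, not Umbrella's statistical model.

```python
"""Pivot from one seed domain across domain->IP, IP->domain, IP->AS and AS->IP
relationships, then flag DGA-looking names among what turns up.

Added example, not Cisco Investigate/OpenGraphiti code. PDNS and IP_TO_AS are
constructed; only 7asel7.top, 185.101.218.206, 91.223.89.201 and AS197569 come
from the deck. The DGA score is a crude lexical heuristic for illustration.
"""
import math
from collections import Counter, deque
from typing import Dict, List, Set, Tuple

# Constructed passive-DNS table: domain -> addresses it has resolved to.
PDNS: Dict[str, Set[str]] = {
    "7asel7.top": {"185.101.218.206", "91.223.89.201"},   # seed, from the deck
    "xkq9vz3lmp.top": {"185.101.218.206"},                # made-up DGA-style name
    "w7ht2qzd.xyz": {"185.101.218.206"},                  # made-up DGA-style name
    "qp8z4vxr.top": {"91.223.89.250"},                    # made-up, shares only the AS
    "cdn.example.net": {"198.51.100.20"},                 # unrelated, must stay out
}
# Constructed IP -> AS number table. 64500/64501 are documentation ASNs (assumption).
IP_TO_AS: Dict[str, int] = {
    "185.101.218.206": 64500,
    "91.223.89.201": 197569,   # from the deck
    "91.223.89.250": 197569,
    "198.51.100.20": 64501,
}

Node = Tuple[str, str]  # ("domain" | "ip" | "as", value)


def pivot(seed_domain: str, max_hops: int = 4) -> Dict[Node, int]:
    """Breadth-first walk over the relationship graph; returns node -> hop count."""
    ip_to_domains: Dict[str, Set[str]] = {}
    for d, ips in PDNS.items():
        for ip in ips:
            ip_to_domains.setdefault(ip, set()).add(d)
    as_to_ips: Dict[int, Set[str]] = {}
    for ip, asn in IP_TO_AS.items():
        as_to_ips.setdefault(asn, set()).add(ip)

    def neighbours(node: Node) -> Set[Node]:
        kind, value = node
        if kind == "domain":                                  # domain -> IP
            return {("ip", ip) for ip in PDNS.get(value, ())}
        if kind == "ip":                                      # IP -> domain, IP -> AS
            out: Set[Node] = {("domain", d) for d in ip_to_domains.get(value, ())}
            if value in IP_TO_AS:
                out.add(("as", str(IP_TO_AS[value])))
            return out
        return {("ip", ip) for ip in as_to_ips.get(int(value), ())}  # AS -> IP

    start: Node = ("domain", seed_domain)
    hops: Dict[Node, int] = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:   # bound the walk; AS pivots fan out fast
            continue
        for nxt in neighbours(node):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def related_domains(seed_domain: str, max_hops: int = 4) -> Dict[str, int]:
    return {v: h for (k, v), h in pivot(seed_domain, max_hops).items() if k == "domain"}


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_score(domain: str) -> float:
    """Crude lexical score on the registrable label: high entropy, few vowels and
    digit mixing all push it up. Real detectors use n-gram models per family."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    return shannon_entropy(label) / 4.0 + (0.5 if vowel_ratio < 0.2 else 0.0) + (0.3 if has_digit else 0.0)


def suspected_dga(seed_domain: str, threshold: float = 1.0) -> List[str]:
    """Domains reachable from the seed whose name looks algorithmically generated."""
    return sorted(d for d in related_domains(seed_domain) if dga_score(d) >= threshold)


if __name__ == "__main__":
    for node, h in sorted(pivot("7asel7.top").items(), key=lambda kv: kv[1]):
        print(f"hop {h}: {node[0]:6} {node[1]}")
    print("DGA-looking:", suspected_dga("7asel7.top"))
```

Two things the walk makes visible that the prose only states: the AS pivot is what pulls in `qp8z4vxr.top`, which shares no IP with the seed, and the hop bound is what keeps a large AS from dragging in every unrelated domain it hosts, so in practice the AS hop is the one to treat as a lead to confirm rather than a reason to block.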
Umbrella is one of the simplest solutions to deploy and manage.
Because Umbrella is delivered from the cloud, there is no hardware to install or software to manually update, and the browser-based interface provides quick setup and ongoing management.
Many customers deploy enterprise wide in less than 30 minutes.
On-network coverage:
You can protect all devices on your network, even those you don't own, by changing one setting on your network server, access point or router. All you have to do is point your DNS requests to the IP addresses of the Umbrella global network.
Umbrella has pre-built integrations with many network devices, including the Cisco ISR 4K series and Cisco Wireless LAN controllers.
Umbrella is integrated with the Cisco ISR 4K series to provide protection to branch office users, and with Cisco Wireless LAN controllers to provide guest Wi-Fi and employee protection. Customers simply upgrade to the latest network device software and configure the connection via an Umbrella API.
Off-network coverage:
What about laptops connecting off network? If you use Cisco AnyConnect, simply enable the Umbrella roaming security module for protection anywhere — even when the VPN is off.
Not a Cisco AnyConnect user? Our lightweight, standalone agent works with any VPN and has been proven in over a million deployments. Our roaming client is a virtual "bump-in-the-wire" for every internet connection. It is transparent to users and does not cause any latency or performance issues because the footprint is very small.