Cisco Umbrella Investigate: Threat Intelligence about Domains, IPs, and Malware across the Internet
Far too often, the job of securing a network is reactionary. New threats are developed and often do their damage before the security community figures out ways to stop them. Organizations need to understand the risks they face against attackers who might be targeting them and what type of information they may be after (for example, intellectual property, customer/patient data, credit card data). Organizations must also have systems in place to prevent, detect, and respond to attacks quickly.
There is a shortage of qualified security analysts who know how to investigate and respond to advanced attacks. This means that organizations need to automate and provide as much context as possible. This helps less-experienced analysts prioritize and conduct incident investigations and frees up senior analysts to handle the most difficult problems.
Threat intelligence is often static information that is outdated, incomplete, or unreliable. Organizations struggle to manage threat information and use it effectively—either to proactively uncover threats or to aid incident investigators.
Cloud Network Solutions offers Cisco Umbrella Investigate, providing threat intelligence about domains, IPs, file hashes, and networks across the Internet. Using a live graphical database of DNS requests and other contextual data, the Investigate solution gives a complete view of the relationships and evolution of Internet domains, IP addresses, autonomous system numbers (ASNs), and malware. This view helps security teams pinpoint attackers' infrastructure and even predict future threats.
The proposed solution uses a massive, diverse dataset of Internet activity. This data is pulled from 100+ billion daily DNS requests from the Cisco Umbrella global network. Statistical and machine learning models are applied to the data to uncover current and future malicious places on the Internet.
Cloud Network Solutions offers Cisco Umbrella, Cisco’s enforcement product which blocks users from connecting to malicious domains and IPs, anywhere they access the Internet. Umbrella Investigate gives security and incident response teams access to the intelligence that powers Umbrella.
Cisco Umbrella Investigate Benefits
The following table describes how the Umbrella Investigate solution can help you achieve your business objectives.

| Desired Business Outcome | How We Can Make It Happen |
|---|---|
| Internet-wide visibility | The Umbrella Investigate solution provides a view into global Internet requests and gives insight into where attackers are staging infrastructure for future threats. It shows how malicious domains, IPs, ASNs, and malware are connected. |
| Speed up incident response | Our solution provides a single, correlated source of information for security analysts to use. By speeding up incident investigations, you can respond faster and reduce attacker dwell time in your environment. |
| Use threat intelligence more effectively | Bolster your outdated, commodity threat feeds with up-to-the-minute, Internet-scale intelligence. |
| Better prioritize investigations | The Cisco Umbrella solution provides the relevant content and accurate information to help properly triage incidents. Its unique view of the Internet can enrich your security event data and threat intelligence with global context to help better prioritize investigations. |
Cisco Umbrella Investigate Advantage
In 2006, Cisco, the developer of the proposed solution, started building the world's largest Internet security network to acquire global intelligence. Today, over 85 million daily active enterprise and consumer users across 160+ countries point their DNS traffic to Cisco Umbrella. That provides visibility into more than 100 billion DNS requests every day. In addition, more than 500 peering partners exchange BGP route information with Cisco, which shows the connections between different networks on the Internet. Cisco uses this unique view of the Internet to uncover current attacks and predict where attackers are staging infrastructure for future campaigns.
To discover patterns and detect anomalies across the data, Cisco designs statistical and machine learning models to categorize and score it automatically. Umbrella security researchers continuously come up with new ways of analyzing the data to find new connections and patterns. By using these models, the detection of malicious domains, IPs, networks, and file hashes can be automated.
Cisco Umbrella Investigate provides a complete source of real-time, correlated intelligence about domains and IPs. Without this solution, security teams need to go to several different places to get this information during incident investigations, which is time-consuming. It provides a single source that shows correlations between key data points to help security teams speed up incident response and even stay ahead of attacks.
Cisco Umbrella Investigate Details
Here are just a few examples of the types of information provided with the Umbrella Investigate offering from Cloud Network Solutions:
- WHOIS record data: Provides information about who registered a domain, when, and where it was registered—including contact information and any changes over time. This system automatically correlates any domains registered using the same email address, which can be used to link attacks together.
- Co-occurrences: The proposed solution identifies other domains frequently looked up right before or after a given domain that are likely affiliated with the same attack. For example, you might visit one domain but be automatically redirected to another site that hosts malware; Investigate can show you those associations. This is unique to this solution because of Cisco's global view of DNS requests.
- Malware file analysis: Umbrella Investigate pulls in malware analysis details from Cisco AMP Threat Grid, also available through Cloud Network Solutions, which shows connections between malware file hashes, domains, and IPs. This gives you insight into malware that is calling out to a particular domain and provides details about the threat score, behavioral indicators, and more.
- Passive DNS database: The proposed solution shows the historical mapping of domains and IP addresses. For example, it could show you that an IP address that historically hosted only 3 domains started hosting 10 new domains in the past week, 5 of which are associated with malware.
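The co-occurrence and passive DNS ideas above are easy to reason about with data in hand. The following Python is an added example, not code from Cisco or from the Investigate product: it computes co-occurring domains from a constructed client DNS log (counting each domain once per client so one noisy client cannot dominate) and flags the passive DNS pattern described in the last bullet, an IP that jumps from a few long-standing domains to many new ones with a high share already flagged as malicious. All domains, IPs, timestamps and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of client DNS queries: (client_id, ISO timestamp, domain).
# "drop-zone.example" stands in for a domain under investigation.
DNS_LOG = [
    ("c1", "2024-05-01T10:00:00", "news-site.example"),
    ("c1", "2024-05-01T10:00:02", "ads.example"),
    ("c1", "2024-05-01T10:00:03", "drop-zone.example"),
    ("c2", "2024-05-01T11:30:00", "news-site.example"),
    ("c2", "2024-05-01T11:30:01", "drop-zone.example"),
    ("c2", "2024-05-01T11:45:00", "mail.example"),
    ("c3", "2024-05-01T12:00:00", "drop-zone.example"),
    ("c3", "2024-05-01T12:00:01", "news-site.example"),
    ("c3", "2024-05-01T12:00:02", "cdn.example"),
    ("c4", "2024-05-01T13:00:00", "ads.example"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def cooccurring_domains(log, target, window_seconds=5, min_clients=2):
    """Return {domain: number_of_clients} for domains that the same client
    queried within window_seconds before or after `target`."""
    by_client = defaultdict(list)
    for client, ts, domain in log:
        by_client[client].append((_ts(ts), domain))
    window = timedelta(seconds=window_seconds)
    counts = Counter()
    for entries in by_client.values():
        target_times = [t for t, d in entries if d == target]
        if not target_times:
            continue
        # Each domain counted once per client, however often it was queried.
        near = {d for t, d in entries
                if d != target and any(abs(t - tt) <= window for tt in target_times)}
        counts.update(near)
    return {d: n for d, n in counts.items() if n >= min_clients}


NOW = _ts("2024-05-08T00:00:00")

# Constructed passive DNS records: (ip, domain, first_seen, flagged_malicious).
# 203.0.113.10 mirrors the scenario in the text: 3 long-standing domains, then
# 10 new ones in the past week, 5 of them flagged.  198.51.100.5 is a busy but
# stable host that should not be flagged.
PDNS = (
    [("203.0.113.10", f"old{i}.example", "2023-01-01T00:00:00", False) for i in range(3)]
    + [("203.0.113.10", f"new{i}.example", "2024-05-05T00:00:00", i < 5) for i in range(10)]
    + [("198.51.100.5", f"stable{i}.example", "2023-06-01T00:00:00", False) for i in range(20)]
    + [("198.51.100.5", "stable-new.example", "2024-05-06T00:00:00", False)]
)


def ip_hosting_anomalies(records, now, lookback_days=7, growth_factor=3, malware_share=0.3):
    """Flag IPs whose newly hosted domains in the lookback window number at
    least growth_factor times their historical count and where at least
    malware_share of those new domains are already flagged."""
    cutoff = now - timedelta(days=lookback_days)
    by_ip = defaultdict(list)
    for ip, domain, first_seen, bad in records:
        by_ip[ip].append((domain, _ts(first_seen), bad))
    findings = {}
    for ip, entries in by_ip.items():
        historical = [e for e in entries if e[1] < cutoff]
        recent = [e for e in entries if e[1] >= cutoff]
        if not recent:
            continue
        bad_recent = sum(1 for e in recent if e[2])
        grew = len(recent) >= growth_factor * max(len(historical), 1)
        if grew and bad_recent / len(recent) >= malware_share:
            findings[ip] = {"historical": len(historical), "new": len(recent),
                            "new_malicious": bad_recent}
    return findings


if __name__ == "__main__":
    print(cooccurring_domains(DNS_LOG, "drop-zone.example"))
    print(ip_hosting_anomalies(PDNS, NOW))
```

With the constructed log, only news-site.example is queried near drop-zone.example by at least two clients; ads.example and cdn.example each appear for a single client and fall below the threshold, which is the kind of filtering that keeps co-occurrence output from being dominated by unrelated background traffic.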
There are two main ways that security teams can access the intelligence in Cloud Network Solutions Cisco Umbrella Investigate:
- Dynamic search engine: Real-time access to domains, IP addresses, autonomous systems, and file hashes across the Internet.
- RESTful API: Use this API to automatically enrich data in your security information and event management (SIEM) system, threat intelligence platform, or incident workflow.
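The API is the route most teams take for SIEM enrichment. Below is an added Python example, not Cisco's client library or sample code, of an enrichment step that looks up the domain in each event, caches verdicts, paces requests, and degrades gracefully when a lookup fails. The base URL, the `/domains/categorization/{domain}` path with its `showLabels` parameter, the bearer-token header, and the `status` values (-1 malicious, 0 unknown, 1 benign) are assumptions drawn from the public Investigate API documentation as recalled here and should be checked against the current docs before use; `fake_fetch`, the sample events and the API token are constructed so the example runs offline.

```python
import json
import time
from urllib.request import Request, urlopen

# Assumed base URL of the Umbrella Investigate REST API (verify against current docs).
INVESTIGATE_BASE = "https://investigate.api.umbrella.com"

# Assumed meaning of the categorization "status" field.
STATUS_LABEL = {-1: "malicious", 0: "unknown", 1: "benign"}


def http_get_json(url, token):
    """Real transport: bearer-token GET that returns the parsed JSON body."""
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


class DomainEnricher:
    def __init__(self, token, fetch=http_get_json, min_interval=0.05):
        self.token = token
        self.fetch = fetch          # injectable so tests and dry runs need no network
        self.cache = {}             # normalised domain -> verdict dict
        self.min_interval = min_interval
        self._last = 0.0

    def categorize(self, domain):
        domain = domain.lower().rstrip(".")
        if domain in self.cache:
            return self.cache[domain]
        # Simple client-side pacing so a burst of events does not hammer the API.
        wait = self.min_interval - (time.monotonic() - self._last)
        if wait > 0:
            time.sleep(wait)
        url = f"{INVESTIGATE_BASE}/domains/categorization/{domain}?showLabels"
        try:
            entry = self.fetch(url, self.token).get(domain, {})
            result = {"verdict": STATUS_LABEL.get(entry.get("status", 0), "unknown"),
                      "security_categories": entry.get("security_categories", [])}
        except Exception as exc:
            # Never let an enrichment failure drop the event from the pipeline.
            result = {"verdict": "error", "security_categories": [], "error": str(exc)}
        self._last = time.monotonic()
        self.cache[domain] = result
        return result

    def enrich_events(self, events, field="query"):
        enriched = []
        for event in events:
            copy = dict(event)
            copy["investigate"] = self.categorize(event[field])
            enriched.append(copy)
        return enriched


def triage(events, enricher):
    """Return only the events whose queried domain Investigate calls malicious."""
    return [e for e in enricher.enrich_events(events)
            if e["investigate"]["verdict"] == "malicious"]


# Constructed stand-in responses in the assumed API shape, keyed by domain.
FAKE_RESPONSES = {
    "drop-zone.example": {"drop-zone.example": {"status": -1, "security_categories": ["Malware"],
                                                "content_categories": []}},
    "news-site.example": {"news-site.example": {"status": 1, "security_categories": [],
                                                "content_categories": ["News/Media"]}},
}


def fake_fetch(url, token):
    domain = url.rsplit("/", 1)[1].split("?")[0]
    if domain not in FAKE_RESPONSES:
        raise RuntimeError("simulated HTTP 404")
    return FAKE_RESPONSES[domain]


# Constructed SIEM-style DNS events; the third repeats a domain with different casing.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:03Z", "src": "10.0.0.5", "query": "drop-zone.example"},
    {"ts": "2024-05-01T10:00:04Z", "src": "10.0.0.6", "query": "news-site.example"},
    {"ts": "2024-05-01T10:00:09Z", "src": "10.0.0.7", "query": "DROP-ZONE.EXAMPLE."},
    {"ts": "2024-05-01T10:00:12Z", "src": "10.0.0.8", "query": "nowhere.example"},
]

if __name__ == "__main__":
    enricher = DomainEnricher("PLACEHOLDER_TOKEN", fetch=fake_fetch)
    for hit in triage(SAMPLE_EVENTS, enricher):
        print(hit["src"], hit["query"], hit["investigate"])
```

Normalising the domain before the cache lookup matters in practice: DNS logs mix case and trailing dots freely, and without it the same domain is looked up repeatedly, which costs API quota and hides the fact that two events concern the same indicator.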
Below are some examples of the key functionality of the proposed solution and how it can be used by security teams:
- Associate attacks with specific domains, IPs, ASNs, and malware in order to map out attacker infrastructure.
- See suspicious spikes in global DNS requests to a specific domain.
- Predict where future attacks might be staged by identifying related domains and IPs that are associated with malware.
- Research the behavioral indicators and network connections of malware samples with data from the offered Cisco AMP Threat Grid.
- Use WHOIS data to see domain ownership and uncover malicious domains registered with the same contact information.
- Use Cisco’s risk scoring across a number of domain attributes to assess suspicious domains.
- Detect fast flux domains and domains created by domain generation algorithms.
- Access the largest passive DNS and WHOIS database to see historical data about domains.
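Two of the capabilities listed above, spotting domain generation algorithm (DGA) output and fast flux hosting, rest on patterns an analyst can check by hand. The Python below is an added illustration of those patterns and is not Cisco's scoring model or code: a heuristic DGA score built from label length, character entropy, vowel scarcity and digit density, and a fast flux check that requires many IPs across several ASNs with short TTLs, so that a CDN rotating addresses inside its own ranges is not flagged. Weights, thresholds, domains, IPs and ASNs are all constructed for the example.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")


def shannon_entropy(text):
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(domain):
    """Heuristic 0..1 score on the leftmost label.  Long, high-entropy,
    vowel-poor, digit-heavy labels are typical of generated names.  The
    weights and cut-offs are constructed for this example."""
    label = domain.lower().strip(".").split(".")[0]
    if len(label) < 6:
        return 0.0
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    entropy_term = min(shannon_entropy(label) / 4.0, 1.0)
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    vowel_term = 1.0 - min(vowel_ratio / 0.35, 1.0)      # English words are ~35-40% vowels
    digit_term = digits / len(label)
    length_term = min(len(label) / 20.0, 1.0)
    return round(0.4 * entropy_term + 0.3 * vowel_term
                 + 0.15 * digit_term + 0.15 * length_term, 3)


# Constructed resolution observations over one day: (domain, ip, ttl_seconds, asn).
# flux.example spreads over four ASNs; cdn.example rotates inside one ASN.
RESOLUTIONS = (
    [("flux.example", f"203.0.113.{i}", 60, 64500 + i % 4) for i in range(8)]
    + [("cdn.example", f"198.51.100.{i}", 60, 64600) for i in range(6)]
    + [("static.example", "192.0.2.7", 3600, 64700)]
)


def fast_flux_candidates(resolutions, min_ips=5, max_ttl=300, min_asns=3):
    """Flag domains that resolve to many IPs spread across several ASNs with
    short TTLs.  The ASN spread is what separates a flux network of hosts in
    unrelated networks from a CDN that legitimately rotates its own addresses."""
    by_domain = defaultdict(list)
    for domain, ip, ttl, asn in resolutions:
        by_domain[domain].append((ip, ttl, asn))
    flagged = {}
    for domain, rows in by_domain.items():
        ips = {r[0] for r in rows}
        asns = {r[2] for r in rows}
        longest_ttl = max(r[1] for r in rows)
        if len(ips) >= min_ips and len(asns) >= min_asns and longest_ttl <= max_ttl:
            flagged[domain] = {"ips": len(ips), "asns": len(asns), "max_ttl": longest_ttl}
    return flagged


if __name__ == "__main__":
    for name in ("google.example", "xkq7z9vhbwd2lpq.example"):
        print(name, dga_score(name))
    print(fast_flux_candidates(RESOLUTIONS))
```

A character-level heuristic like this is only a first filter: pronounceable DGAs and legitimate short-code hostnames both defeat it, which is why a production scorer combines it with the passive DNS and co-occurrence context the rest of this page describes rather than acting on the string alone.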
There are many ways to use the information available in Umbrella Investigate. The table below highlights four major use case categories.