Cisco Umbrella Tech Update


Cisco Umbrella Tech Update Mikael Grotrian Consulting Systems Engineer

Cisco Umbrella: cloud security platform

• Built into the foundation of the internet
• Intelligence to see attacks before they are launched
• Visibility and protection everywhere
• Enterprise-wide deployment in minutes
• Integrations to amplify existing investments

[Diagram: internet traffic from any device (roaming or on-network laptops) and from branch offices, on and off-network, passes through Umbrella enforcement; a safe request reaches its original destination, a blocked request is sent to a block page.]

ENFORCEMENT: built into the foundation of the internet

Security controls
• DNS and IP enforcement
• Risky URL inspection through proxy
• SSL decryption available

Destinations: safe requests go to the original destination; blocked requests go to a modified destination (the block page). Risky traffic is routed through the intelligent proxy for deeper inspection.

ENFORCEMENT: breadth to cover all ports and depth to inspect risky domains

DNS and IP layer
• Domain request
• IP response (DNS-layer) or connection (IP-layer)
• Intelligence: Umbrella / Talos and partner feeds; Umbrella statistical and machine learning models (predictive updates)
• Policy: custom domain lists; custom IP lists (future)
• Verdict: allow, block, or proxy

HTTP/S layer
• URL request
• File hash
• Intelligence: WBRS / Talos + partner feeds; AV; AMP (retrospective updates)
• Policy: custom URL lists
• Verdict: allow or block

Both layers are fed by internet-wide telemetry.

INTELLIGENCE: intelligence to see attacks before they are launched

Data
• Cisco Talos feed of malicious domains, IPs, and URLs
• Umbrella DNS data: 100B requests per day

Security researchers
• Industry-renowned researchers
• Build models that can automatically classify and score domains and IPs

Models
• Dozens of models continuously analyze millions of live events per second
• Automatically uncover malware, ransomware, and other threats

INTELLIGENCE

Statistical models: 2M+ live events per second, 11B+ historical events

Guilt by inference
• Co-occurrence model
• Geo-location model
• Secure rank model

Guilt by association
• Predictive IP space modeling
• Passive DNS and WHOIS correlation

Patterns of guilt
• Spike rank model
• Natural language processing rank model
• Live DGA detection

INTELLIGENCE

Co-occurrence model: domains guilty by inference

[Diagram: a timeline (time -, time +) with x.com at the centre; a.com, b.com and c.com are requested before it and d.com, e.com and f.com after it. One domain is the known malicious domain; domains on either side of it are marked "Possible malicious domain".]

Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
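The co-occurrence idea above, as an added example that is not code from the deck or from Cisco: a Python sketch that scans a constructed DNS log for domains that identities requested within a few seconds before or after a known malicious domain, and reports how many identities did so and what share of each domain's requesters that represents. The deck's "statistically significant number of identities" is replaced by a plain identity-count threshold, which is an assumption.

```python
from collections import defaultdict

# Constructed sample DNS log: "timestamp identity domain" per line (not data from the deck).
SAMPLE_LOG = """\
100 id1 known-bad.example
101 id1 stage2.example
105 id2 known-bad.example
106 id2 stage2.example
130 id2 weather.example
200 id3 known-bad.example
201 id3 stage2.example
202 id3 news.example
300 id4 news.example
301 id4 weather.example
"""

# Seed domains already classified as malicious (constructed for the example).
KNOWN_MALICIOUS = {"known-bad.example"}


def cooccurring_domains(log_text, window=5, min_identities=2):
    """Return {domain: (identities it co-occurred for, share of that domain's requesters)}.

    A domain co-occurs for an identity when that identity requested it within
    `window` seconds before or after a known malicious domain. `min_identities`
    stands in for the deck's "statistically significant number of identities".
    """
    by_identity = defaultdict(list)       # identity -> [(ts, domain), ...]
    requesters = defaultdict(set)         # domain -> identities that ever requested it
    for line in log_text.strip().splitlines():
        ts, ident, domain = line.split()
        by_identity[ident].append((int(ts), domain))
        requesters[domain].add(ident)

    cooccur = defaultdict(set)            # domain -> identities where it co-occurred
    for ident, reqs in by_identity.items():
        bad_times = [ts for ts, d in reqs if d in KNOWN_MALICIOUS]
        for ts, d in reqs:
            if d in KNOWN_MALICIOUS:
                continue
            if any(abs(ts - t) <= window for t in bad_times):
                cooccur[d].add(ident)

    return {
        d: (len(ids), len(ids) / len(requesters[d]))
        for d, ids in cooccur.items()
        if len(ids) >= min_identities
    }


if __name__ == "__main__":
    for domain, (count, share) in cooccurring_domains(SAMPLE_LOG).items():
        print(f"{domain}: co-occurred for {count} identities ({share:.0%} of its requesters)")
```

On the sample log only stage2.example clears the threshold; news.example co-occurs for one identity out of its two requesters, which is the kind of popular, widely requested domain the share figure helps keep off the suspect list.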

INTELLIGENCE

Spike rank model: patterns of guilt

A massive amount of DNS request volume data is gathered and analyzed.

[Diagram: DNS request volume for y.com over a period of days, compared against the known volume patterns of DGA malware, exploit kits and phishing.]

The DNS request volume for y.com matches a known exploit kit pattern and predicts a future attack; y.com is blocked before it can launch the full attack.

Predictive IP space monitoring: guilt by association

Pinpoint suspicious domains and observe their IP's fingerprint.

[Diagram: a domain resolving to 209.67.132.476, with the neighbouring addresses 209.67.132.477, 209.67.132.478 and 209.67.132.479 on the same server.]

Identify other IPs, hosted on the same server, that share the same fingerprint. Block those suspicious IPs and any related domains.

IP geo-location analysis

Host infrastructure: the location of the server IP addresses mapped to the domain (e.g. hosted across 28+ countries).

DNS requesters: the location of the on-network and off-network device IP addresses requesting the domain (e.g. only US-based customers requesting a .RU TLD).

INTELLIGENCE

'Live DGA Prediction' automated at an unparalleled scale

[Diagram: a known C2 domain pair (a.com + b.com) and generated variants (a1.com, a2.com, b1.com, c2.com) are combined with DGA configs to yield further domains (c.com, d.com, ...); the generated domains shown are random-looking twelve-letter labels under .com, .net, .info, .me, .it and .me.uk.]

• Live DNS log stream: identify millions of domains, many used by DGAs and unregistered.
• Automate reverse engineering: combine C2 domain pairs and known DGAs to identify unknown configs.
• Predict 100,000s of future domains: combine newly identified configs with the DGA to identify C2 domains continuously.
• Automate blocking of the pool of C2 domains used by thousands of malicious samples now and in the future.

INTELLIGENCE

'Sender Rank' model: predict domains related to spammers

[Diagram: mail servers at a.spam.ru, b.spam.ru, ... query reputation services such as checkspam.com. The model checks behavior patterns of the sender domain (type of domain, domain popularity, historical activity), identifies the suspect domain, confirms it as a "Hailstorm" domain and places its registrant ("badguy") on a watch list. Domains such as z.spam.ru registered at a future time are automatically verified and the new malicious domain is blocked by Umbrella.]

• 85M+ DNS users are attacked by various spam campaigns and use reputation services; the model identifies queries to spam reputation services.
• Short bursts of 1000s of "Hailstorm" spam use many FQDNs, e.g. subdomains, to hide from reputation services; the model aggregates hourly graphs per domain and checks behavior patterns.
• After confirmation, WHOIS records are queried to get the registrant of the sender domain; the model identifies owners of "Hailstorm" domains and automatically places registrants on a watch list.
• Attackers often register more domains to embed links in phishing or C2 callbacks in malware; the model automatically verifies new domains and blocks 10,000s of domains before new attacks happen.

INTELLIGENCE

'Newly Seen Domains' category reduces the risk of the unknown

1. Any user (free or paid) requests the domain [1].
2. Every minute, we sample from our streaming DNS logs.
3. Check if the domain was seen before and if it is whitelisted [2].
4. If not, add it to the category; within minutes, DNS resolvers are updated globally.

Before expiration [3], if any user requests this domain, it is logged or blocked as newly seen.

[1] May have been predictively blocked already, and likely the first requestor was a free user.
[2] E.g. a domain generated for a CDN service.
[3] Usually 24 hours, but modified for best results, as needed.

[Diagram: timeline of events. Days to weeks before use, attackers register domains, which Umbrella's AutoWHOIS model may predict as malicious. When the domains are used in an attack, neither Umbrella nor reputation systems yet treat them as a threat (potentially unprotected). Within minutes, Umbrella adds them to Newly Seen Domains (protected) while reputation systems still do not (unprotected). Later, Umbrella statistical models or reputation systems identify them as malicious (24 hours: protected).]

INTELLIGENCE

New analysis and categories to combat DNS tunneling

100B+ DNS requests daily are processed by two kinds of jobs:

Streaming signature-based jobs
• Automatically identify malware (e.g. PisLoader) or potential data exfiltration, including open-source tools (e.g. DNS2TCP).

Batch behavior-based jobs plus researcher inspection
• Every hour, machine learning detects domains with an excessive number of subdomains or characters, invalid characters, or encoded data. It also detects clients requesting an excessive number of subdomains over a time period.
• Researchers manually identify commercial services (e.g. YourFreedom) or benign uses; what remains is left as undetermined.

Resulting categories: Potentially Harmful Domains*, DNS Tunneling VPN*, and a hidden whitelist (e.g. AV updates).

*NEW CATEGORIES: These are allowed by default, but can be blocked. Domains in these categories may already have been categorized as Malware or Botnet (a.k.a. C2 callbacks) by many other Umbrella statistical models.
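The behavioral checks named for the batch jobs, as an added example that is not Umbrella's code: a Python scorer that applies the per-domain signals (label count, subdomain length, invalid characters, encoded-looking high-entropy labels) and the per-client signal (many distinct names under one registered domain within a time window) to a constructed DNS log. All thresholds and the two-label registered-domain shortcut are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS log: "timestamp client qname" per line (not data from the deck).
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com
1001 10.0.0.5 mail.example.com
1002 10.0.0.9 aGVsbG8gd29ybGQ.dGhpcyBpcyBhIHRlc3Q.c2VjcmV0.tunnel.example.net
1003 10.0.0.9 Zm9vYmFyYmF6.cXV4cXV1eA.c2VjcmV0.tunnel.example.net
1004 10.0.0.9 YW5vdGhlcmNodW5r.b2ZkYXRh.c2VjcmV0.tunnel.example.net
1005 10.0.0.9 bGFzdGNodW5rMTIz.ZW5kb2ZmaWxl.c2VjcmV0.tunnel.example.net
1006 10.0.0.5 cdn.example.org
"""

HOSTNAME_LABEL = re.compile(r"^[a-z0-9-]+$")   # RFC 1123 label; anything else counts as invalid

def registered_domain(qname):
    """Crude eTLD+1 (last two labels); production code would use the Public Suffix List."""
    return ".".join(qname.lower().split(".")[-2:])

def shannon_entropy(text):
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text)) if n else 0.0

def domain_signals(qname, max_labels=5, max_subdomain_len=60, min_entropy=3.5):
    """Per-domain signals from the slide: excessive subdomains or characters, invalid
    characters, and encoded-looking (high-entropy) data. Thresholds are assumptions."""
    labels = qname.lower().split(".")
    subdomain = ".".join(labels[:-2])
    signals = []
    if len(labels) > max_labels:
        signals.append("too_many_labels")
    if len(subdomain) > max_subdomain_len:
        signals.append("long_subdomain")
    if any(not HOSTNAME_LABEL.match(label) for label in labels):
        signals.append("invalid_chars")
    if shannon_entropy(subdomain.replace(".", "")) >= min_entropy:
        signals.append("high_entropy")
    return signals

def noisy_clients(log_text, window=60, max_unique=3):
    """Per-client signal: more than `max_unique` distinct names under one registered
    domain inside a `window`-second bucket. Returns a set of (client, registered_domain)."""
    unique = defaultdict(set)
    for line in log_text.strip().splitlines():
        ts, client, qname = line.split()
        unique[(client, registered_domain(qname), int(ts) // window)].add(qname.lower())
    return {key[:2] for key, names in unique.items() if len(names) > max_unique}
```

Underscore-prefixed service labels (e.g. _dmarc) and CDN or AV-update hostnames will trip these checks, which is why the slide pairs the model with researcher inspection and a hidden whitelist before anything is blocked.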

DEPLOYMENT

Enforcement and visibility per Umbrella identity

Identities are securely embedded within the query (domain request, IP response) using an RFC-compliant mechanism, with differing granularity based on the deployment. Web-based redirects transparent to the user enable the same identity for the proxy (HTTP/S connection).

Umbrella deployments and the identities they provide:
• Network via egress IP: available for all deployments
• Your DNS or DHCP server: N/A (network identity only)
• Umbrella roaming client (RC), on and off the corporate network: hostname (GA), internal IPs (LA), usernames* (LA)
• Umbrella virtual appliance (VA): internal IPs, subnets, usernames*
• Umbrella API for network devices: network device names or VLAN IDs

*Indicates an identity available with the Umbrella AD Connector (usernames with groups for RC and VA).

Secure Internet Gateway: your secure onramp to the internet, anywhere users go
• All ports and protocols
• Open platform
• Live threat intelligence
• Proxy and file inspection
• Discovery and control of SaaS

Follow-up
• Sign up for Virtual Updates + TechUpdates
• Sign up for Cisco Live (Vegas + Barcelona)
• Talos

Join Cisco Security on YouTube
• Cisco Security
• Umbrella
• Talos
• Chalk Talks
• Demo Fridays