We see the relationships between malware, domains, IPs, and networks across the internet. Similar to how Amazon learns from shopping patterns to suggest the next purchase, we learn from internet activity patterns to automatically identify attacker infrastructure being staged for the next threat.
The development lifecycle to create new attacks is similar to that of new applications. An app developer builds something, tests it, and then launches it. Attackers do the same, which requires infrastructure, malware, and a web or email delivery scheme. While they modify and create new malware (e.g. ransomware variants) and draft new phishing emails, attackers often reuse the exact same infrastructure (e.g. web servers and IPs) for multiple attacks — leaving behind cyber fingerprints. We focus on identifying those fingerprints, so we can pinpoint current attacks and even uncover emerging threats being staged.
We statistically score the “guilt” of domains and IPs to determine if they’re part of an attacker’s infrastructure. More than a reputation score that looks at the past, we analyze both historic and live data. And we’ve built statistical models to automatically score and classify all of our data, so we can detect anomalies, and uncover known and emergent threats. We use three main approaches: guilt by inference, guilt by association, and patterns of guilt.
Not only do we analyze a massive amount of data, but perhaps more important is the diversity of our data. Umbrella gathers 80 billion internet requests from over 65 million enterprise and consumer users across 160 countries every day at the moment a request is made — which gives us a statistically significant data set. Our real-time DNS data is also enriched with diverse public and private data feeds.
We analyze the request patterns to detect many types of threats and anomalies. For example, we can determine if a system is compromised based on the types of requests it’s making. If a device is making requests to a number of known-bad domains, it’s more likely to be compromised. The user requests patterns across our user base give us great insight into potential threats.
In the second part of the process, if our global cache doesn’t have a non-expired response to the request, then we recursively contact all of the nameservers that are authoritative for the domain requested. This process gathers authoritative logs for virtually every domain daily, which we use to find newly staged infrastructures and other types of anomalies.
There is no army of security researchers big enough to manually identify every threat. We look at things differently. The Cisco Umbrella security researchers take mathematical concepts and find new ways to apply them to security data — helping us uncover threats before attacks even launch. Our security researchers leverage advanced data mining techniques, 3D data visualization, and security domain expertise to develop the statistical models behind our intelligence.
Threat intelligence is one thing, but you also need to act on all of that data. Cisco Umbrella has the horsepower to actively process and enforce more than 7 million unique malicious domains and IPs concurrently at the DNS layer — appliances and hybrid-cloud solutions can’t come close to enforcing that many threats at once. And we’re constantly adding to our block list — 60,000+ new destinations are added every day. Plus, Umbrella can be deployed enterprise-wide in minutes — making it one of the easiest ways to start protecting users.
Take a few minutes to experience our 14-day trial of Umbrella