Cisco cyber threat taxonomy classes
Cisco Umbrella’s security classifications give you more control over exactly what you’d like to enable and report. Our unique view of the internet provides unprecedented insight into malicious domains, IPs, and URLs. Users will find that use of this threat taxonomy delivers real-time context on malware, phishing, botnets, trojans and other threats, enabling faster, more confident incident investigation and response.
We use three levels of classification:
1. Category
Categories are the highest-level groups of threats that have methods and objectives in common
2. Threat Type
These are functional groups of specific threats that use similar techniques in the cyber attack chain
3. Individual Threat
Specific, named threats with a unique combination of tactics, techniques, and procedures (TTPs) at the most granular level
Malware: Websites and other servers that host malicious software, drive-by downloads/exploits, mobile threats, and more.
Command and Control (C2) Callbacks: Compromised devices get instructions and malware downloads by communicating with attackers’ infrastructure.
Newly Seen Domains: Domains that have become active very recently. These are often used in new attacks.
Phishing Attacks: Fraudulent websites that aim to trick users into handing over personal or financial information.
Cryptomining: Mining pools and web miners; this category lets organizations control whether cryptominers on their network can reach them.
Dynamic DNS: Sites that host dynamic DNS content.
Potentially Harmful Domains: Domains that exhibit suspicious behavior and may be part of an attack.
DNS Tunneling VPN: VPN services that allow users to disguise their traffic by tunneling it through the DNS protocol. These can be used to bypass corporate policies regarding access and data transfer.
Adware: Adware, or advertising-supported software, is any software package that automatically renders advertisements in order to generate revenue for the author. The advertisements may be in the user interface of the software or presented in the web browser. Adware may cause tabs to open automatically that display advertising, make changes to the home page settings in your web browser, offer ad-supported links from search engines, or initiate redirects to advertising websites.
APT: An APT (Advanced Persistent Threat) is a set of stealthy and continuous computer hacking processes, often orchestrated by cyber criminals targeting a specific entity. An APT usually targets organizations and/or nations for business or political motives.
Backdoor: A Backdoor is a type of Trojan that enables threat actors to gain remote access and control over a system. The Backdoor is often the final stage in gaining full control over a system.
Botnet: A botnet is a number of Internet-connected systems infected with malware that communicate and coordinate their actions received from command and control (C&C) servers. The infected systems are referred to as bots. The most typical uses of botnets are DDoS attacks on selected targets and the propagation of spam.
Browser Hijacker: A Browser Hijacker is any malicious code that modifies a web browser’s settings without a user’s permission, to inject unwanted advertising into the user’s browser or redirect to fraudulent or malicious sites. It may replace the existing home page, error page, or search page with its own. It can also redirect web requests to unwanted destinations.
Bulletproof Hosting: Bulletproof hosting is a service provided by some domain hosting or web hosting firms that allows their customer considerable leniency in the kinds of material they may upload and distribute. This type of hosting is often used for spamming, phishing, and other illegal cyber activities.
Cryptojacking: Cryptojacking is malicious cryptomining: the covert use of a system's computing resources to mine cryptocurrency. Cryptojacking is initiated by malware or through web cryptominers embedded in website code.
Drive-by Download: Any download that happens without a person’s consent or knowledge.
Dropper: A dropper is a program or malware component that has been designed to “install” some sort of malware (ransomware, backdoor, etc.) to a target system. The dropper may download the malware to the target machine once it is received from the command and control server or from other remote locations.
Exploit Kit: An exploit kit is a software kit designed to run on web servers with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client.
Fast Flux Botnet: Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.
Information Stealer: An information stealer is a trojan that can harvest keystrokes, screenshots, network activity, and other information from systems where it is installed. It may also covertly monitor user behavior and harvest personally identifiable information (PII) including names and passwords, chat programs, websites visited, and financial activity. It may also be capable of covertly recording video or activating any connected camera or microphone. Collected information may be stored locally and later retrieved, or may be transmitted to a command and control server.
Loader: A loader is a type of malware or malicious code used in the loading of a second-stage malware payload onto a victim’s system. The loader is able to hide a malware payload inside the actual loader code instead of contacting a remote location to download a second-stage payload.
Malvertising: Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Malvertising is often used in exploit kit redirection campaigns.
Mobile Trojan: A mobile trojan is a trojan designed to target and infect mobile phones running Android, iOS, Windows or other mobile operating systems.
Point-of-sale Malware: Point-of-sale malware (POS malware) is used by cybercriminals to target point of sale terminals with the intent to obtain credit card and debit card information by reading the device memory from the retail checkout point of sale system.
Ransomware: Ransomware is computer malware that installs covertly on a victim’s computer, encrypts files, and demands a ransom be paid to decrypt the files or to prevent the attacker from publishing the victim’s data publicly.
Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that allows covert surveillance or unauthorized access to a compromised system. RATs make use of specially configured communication protocols. The actions performed vary but follow typical trojan techniques of monitoring user behavior, exfiltrating data, lateral movement, and more.
Rootkit: A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
Scareware: Scareware is a form of malicious software or website that uses social engineering to give the perception of a threat in order to manipulate users into buying or installing unwanted software. Scareware misleads users by using fake alerts to trick them into believing there is malware on their computer, and manipulates them into paying money for a fake malware removal tool or allowing an entity remote access to their system to clean the malware. Instead of remediation, the software or remote entity delivers malware to the computer.
Sinkhole: A DNS sinkhole, also known as a sinkhole server, is a DNS server that gives out false information to prevent the use of the domain names it represents. Traffic is redirected away from its intended target. DNS sinkholes are often used to disrupt botnet command and control servers.
Spam: Spam is an unwanted, unsolicited message that can be received through email or SMS texts. Spam is sent to many users in bulk. It is often sent through the means of a botnet. Spam can contain advertising, scams, or soliciting. In the case of malspam or malicious spam, it contains malicious attachments or links that lead to malware.
Spyware: Spyware gathers information about a person or organization without their knowledge. It may assert control over a computer without the user’s knowledge.
Trojan: A Trojan is malware which is used to compromise a system by misleading users of its true intent. Trojans typically create a backdoor, exfiltrate personal information, and can deliver additional malicious payloads.
Worm: A computer worm is malware that replicates itself in order to spread to other computers. Worms typically spread through the computer network or removable storage devices that are shared between systems, relying on security failures on the target computer.
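The Fast Flux Botnet entry above describes the pattern that a defender can look for in resolver logs: short TTLs, a large and constantly changing set of A records, and hosts spread across unrelated networks. The following is an added example (not Cisco's or Umbrella's code) that computes those indicators over constructed passive-DNS style observations; the domain names, IPs and thresholds are all assumptions, and the CDN-like entry shows why a short TTL alone is not enough to flag a name.

```python
"""Fast-flux heuristic over passive-DNS style observations (added example)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed observations: (seconds since first lookup, query name, TTL, A records).
# The first name rotates through fresh, unrelated IPs on every answer; the second
# behaves like a CDN with a short TTL but a stable pool of addresses.
OBSERVATIONS = [
    (0,   "update.example-flux.test", 180, ["203.0.113.10", "198.51.100.4", "192.0.2.33"]),
    (200, "update.example-flux.test", 180, ["203.0.113.77", "198.51.100.120", "192.0.2.9"]),
    (400, "update.example-flux.test", 180, ["203.0.113.91", "198.51.100.66", "192.0.2.200"]),
    (600, "update.example-flux.test", 180, ["203.0.113.150", "198.51.100.201", "192.0.2.71"]),
    (0,   "cdn.example-static.test", 60, ["198.51.100.10", "198.51.100.11"]),
    (100, "cdn.example-static.test", 60, ["198.51.100.11", "198.51.100.10"]),
    (200, "cdn.example-static.test", 60, ["198.51.100.10", "198.51.100.11"]),
]


def summarise(observations):
    """Group answers per name and compute the fast-flux indicators for each."""
    per_name = defaultdict(list)
    for ts, name, ttl, ips in sorted(observations, key=lambda o: (o[1], o[0])):
        per_name[name].append((ttl, set(ips)))
    stats = {}
    for name, answers in per_name.items():
        all_ips = set().union(*(ips for _, ips in answers))
        nets = {str(ip_network(f"{ip}/24", strict=False)) for ip in all_ips}
        # Churn: share of IPs in each answer that did not appear in the previous answer.
        new_ratio = [len(cur - prev) / len(cur)
                     for (_, prev), (_, cur) in zip(answers, answers[1:])]
        churn = sum(new_ratio) / len(new_ratio) if new_ratio else 0.0
        stats[name] = {
            "max_ttl": max(ttl for ttl, _ in answers),
            "unique_ips": len(all_ips),
            "distinct_24s": len(nets),
            "churn": round(churn, 2),
        }
    return stats


def is_fast_flux(s, max_ttl=300, min_ips=8, min_nets=3, min_churn=0.5):
    """All four indicators must hold; a stable CDN pool fails on churn and spread."""
    return (s["max_ttl"] <= max_ttl and s["unique_ips"] >= min_ips
            and s["distinct_24s"] >= min_nets and s["churn"] >= min_churn)


def classify(observations):
    """Map each observed name to a fast-flux verdict."""
    return {name: is_fast_flux(s) for name, s in summarise(observations).items()}
```

Thresholds are assumptions to tune against your own resolver data; the point is that churn and network spread, not TTL alone, separate flux infrastructure from legitimate load balancing.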
This is a sample of the data stored in Umbrella. There are about 235 individual threats that have been categorized as of April 2021 – and growing.
SUNBURST: A sophisticated supply-chain attack backdoor first seen in the SolarWinds incident, where adversaries compromised updates to SolarWinds' Orion IT monitoring and management software. This backdoor can communicate with third-party servers using HTTP. The backdoor is loaded by the executable before the legitimate code, so as not to alert the victim that anything is amiss. After a period of dormancy, which can last up to two weeks, the backdoor is able to execute commands to transfer and execute files, profile the system, reboot the machine, and disable system services.
Target geolocations: Predominantly the U.S., but SUNBURST has been observed in Europe, Asia, and the Middle East as well.
Target geolocations: Any
Dridex: Dridex/Cridex is a trojan that was first observed in 2012. Dridex is widely spread and is responsible for stealing banking credentials of approximately 300 banks and other financial institutions in over 40 countries. It is primarily spread through malspam with malicious document attachments.
Target geolocations: US, Europe
Emotet: Emotet was a banking trojan that was first detected in 2014. The trojan's infrastructure was disrupted in January 2021 by authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. Emotet evolved into a massive botnet that delivered large amounts of malspam with malicious document attachments that led to the Emotet trojan. The trojan also functioned as a dropper for second-stage payloads including, but not limited to, TrickBot, Qakbot and Ryuk.
Target geolocations: USA, Mexico, South Africa, Chile, India, Canada, Colombia, Germany, UK, Argentina
Ursnif/Gozi: Ursnif is a banking trojan and a variant of the Gozi malware. It has been active for over a decade, continuously evolving over time. Ursnif is spread through malspam with malicious document attachments, malvertising and exploit kits.
Target geolocations: Japan, US, Asia, Italy