Attacks don’t just suddenly happen
The development lifecycle to create new attacks is similar to that of new applications. An app developer builds something, tests it, and then launches it. Attackers do the same, which requires infrastructure, malware, and a web or email delivery scheme. While they modify and create new malware (e.g. ransomware variants) and draft new phishing emails, attackers often reuse the exact same infrastructure (e.g. web servers and IPs) for multiple attacks — leaving behind cyber fingerprints. We focus our cyber threat analysis on identifying those fingerprints, so we can pinpoint current attacks and even uncover emerging threats being staged.
Statistical models are our secret sauce
We statistically score the “guilt” of domains and IPs to determine if they’re part of an attacker’s infrastructure. More than a reputation score that looks at the past, we analyze both historic and live data. And we’ve built statistical models to automatically score and classify all of our data, so we can detect anomalies, and uncover known and emergent threats. We use three main approaches: guilt by inference, guilt by association, and patterns of guilt.
View examples of models that score guilt by:
Datasets must be diverse, global, and live
Leveraging threat intelligence from Cisco Talos, one of the largest commercial threat intelligence teams in the world, Umbrella uncovers and blocks a broad spectrum of malicious domains, IPs, URLs, and files that are being used in attacks.
Umbrella gathers 200 billion internet requests from over 100 million enterprise and consumer users across 190 countries every day at the moment a request is made. Our real-time DNS data is also enriched with diverse public and private data feeds. With such a massive and diverse data set, our threat analysis can uncover patterns that signal malicious behavior.
Making discoveries through DNS resolution
We analyze the request patterns to detect many types of threats and anomalies. For example, we can determine if a system is compromised based on the types of requests it’s making. If a device is making requests to a number of known-bad domains, it’s more likely to be compromised. The user requests patterns across our user base give us great insight into potential threats.
In the second part of the process, if our global cache doesn’t have a non-expired response to the request, then we recursively contact all of the nameservers that are authoritative for the domain requested. This process gathers authoritative logs for virtually every domain daily, which we use to find newly staged infrastructures and other types of anomalies.
A new approach to security research
There is no army of security researchers big enough to manually identify every threat. We look at things differently. The Cisco Umbrella security researchers take mathematical concepts and find new ways to apply them to security data — helping us uncover threats before attacks even launch. Our security researchers leverage advanced data mining techniques, 3D data visualization, and security domain expertise to develop the statistical models behind our intelligence and threat analysis.
Efficacy is king
Threat intelligence is one thing, but you also need to act on all of that data. Cisco Umbrella has the horsepower to actively process and enforce more than 7 million unique malicious domains and IPs concurrently at the DNS layer — appliances and hybrid-cloud solutions can’t come close to enforcing that many threats at once. And we’re constantly adding to our block list — 60,000+ new destinations are added every day. Plus, Umbrella can be deployed enterprise-wide in minutes — making it one of the easiest ways to start protecting users.
2019 Cybersecurity Trends
In this research readout, we explore the complex factors that make remote & roaming user …
3 Red Flags You’re Not Getting the Security You Were Promised
Some solutions promise to check all the boxes on network security. But it turns out, they’re checking …