Cisco Umbrella Malware and Content Filtering through DNS

John Van · Published in Think|Stack · 4 min read · Apr 1, 2018

If you have been around the internet long enough, you will have seen that it is full of both users with their content and attackers who want access to that content. They want what you have, and they will use any tool available to get into your systems and steal your data.

Domain Name System (DNS) filtering as a service is relatively new and is becoming a widespread tool for keeping attackers out of your network.

According to Cisco’s research, over 90% of attacks are done over DNS, and only two-thirds of organizations monitor their DNS records. Fortunately, Cisco Umbrella has a feature that prevents a user from reaching a site known to be malicious even when they go directly to its IP address.

Cisco Umbrella offers security protection for both home and enterprise users by filtering DNS requests. The job of a DNS server is to translate a website’s hostname to its IP address, which makes accessing websites much more user friendly: nobody has to remember long IP addresses.

If you are using the default DNS service from your internet service provider, you are allowing your desktops and servers to connect to any website without a security filter. Since DNS is the foundation of the internet, it should be very high on your security to-do list.

Umbrella keeps a record of all websites known to be malicious and prevents users from reaching them. Many sites that were once safe may have been hijacked recently and can host viruses and trojans that are then pushed down to unsuspecting users.

One of the most popular ways for attackers to get into a network is a phishing email.

We’ve all seen them. They used to arrive in our Yahoo, MSN, Google and AOL mail frequently, before spam and phishing detection really took off. The email above is not from PayPal but from an attacker who wants you to click on the link. The link redirects you to a URL that is not paypal.com but something very similar. Cisco Umbrella would prevent you from reaching that site if it has been around long enough for Cisco to detect it.

Ransomware relies heavily on connecting back to its command and control server to receive the encryption key it uses to encrypt your files.

Umbrella detects these DNS queries in real time using anomaly detection algorithms, new-domain clustering, and a domain reputation system. Even if the malware is installed, Cisco Umbrella prevents your system from talking back to the command and control server, and so prevents the encryption.
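To make the three ideas in the paragraph above concrete (a reputation list, a baseline of domains the network has already resolved, and an anomaly heuristic for machine-generated names), here is an added toy triage over DNS query logs. It is example code written for this article, not Umbrella's algorithm or any Cisco code; the blocklist, baseline, log format and thresholds are all constructed, and `.example` domains are used so nothing here points at a real host.

```python
"""Toy DNS-query triage: blocklist (reputation), newly-observed domains
(baseline), and a label-entropy heuristic for machine-generated names.
All data below is constructed for illustration; not Umbrella's method."""
import math
import re
from collections import Counter

# Constructed reputation data: these domains and any subdomain are blocked.
BLOCKLIST = {"evil-updates.example", "paypa1-secure.example"}

# Constructed baseline of registered domains this network has resolved before.
BASELINE = {"example.com", "paypal.com", "windowsupdate.com"}

ENTROPY_THRESHOLD = 3.5  # bits per character; tuned for this toy only

# Constructed log format: "<timestamp> <client-ip> <queried-name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+)$")


def registered_domain(qname):
    """Last two labels of a name (a crude stand-in for eTLD+1)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def on_blocklist(qname):
    """True if qname or any of its parent domains is on the blocklist."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def triage(qname, baseline=BASELINE):
    """Return the reasons a query would be flagged; an empty list means allow."""
    reasons = []
    if on_blocklist(qname):
        reasons.append("blocklist")
    if registered_domain(qname) not in baseline:
        reasons.append("newly-observed")
    leftmost = qname.rstrip(".").lower().split(".")[0]
    # Long, high-entropy leftmost labels are typical of generated names.
    if len(leftmost) >= 12 and shannon_entropy(leftmost) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy-label")
    return reasons


def scan_log(lines):
    """Yield (client, qname, reasons) for each log line that is flagged."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        reasons = triage(m["qname"])
        if reasons:
            yield m["client"], m["qname"], reasons


# Constructed sample log lines.
SAMPLE_LOG = [
    "2018-04-01T09:12:03Z 10.0.0.12 login.paypa1-secure.example",
    "2018-04-01T09:12:05Z 10.0.0.7 www.example.com",
    "2018-04-01T09:12:09Z 10.0.0.12 xk3q9zlt0wpv7hj2.net",
    "2018-04-01T09:12:11Z 10.0.0.7 download.windowsupdate.com",
    "2018-04-01T09:12:14Z 10.0.0.19 cdn.evil-updates.example",
]

if __name__ == "__main__":
    for client, qname, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {qname}: {', '.join(reasons)}")
```

The point of running all three checks together is the ransomware case in the text: a fresh command and control domain is not on any blocklist yet, but it is newly observed and often machine-generated, so the other two signals still catch it. In a real deployment the baseline would be built from weeks of resolver logs rather than a hard-coded set.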

DNS resolution and malicious website detection are only one part of the Cisco Umbrella services. An extremely popular use of Umbrella is its content filtering, which prevents users from accessing sites that are not allowed by policy.

Reports can be generated to see which users have accessed which categories, both blocked and allowed.

Cisco lists all of its categories here and changes them periodically as it learns of new categories users would appreciate.

Now that I’ve hopefully convinced you of the importance of DNS protection, how can we get ourselves protected?

Home users can protect themselves for free by simply setting 208.67.222.222 and 208.67.220.220 as their DNS servers.

Once you have done that, go to https://welcome.opendns.com/ and you should see the following.

For enterprise environments, there are several options for implementing Umbrella services across the network. At a minimum, you could set the DNS on workstations and servers manually to Umbrella’s DNS IPs. However, if you add Umbrella’s Virtual Appliances and use their AD connector to integrate with your internal DNS server, you will gain further insight into the network.
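Both the home setup above and the minimal enterprise option (pointing machines directly at the Umbrella resolvers) share one failure mode: a leftover resolver entry, such as the ISP's or the home router's address, lets the operating system fall back to an unfiltered path. The following added example, written for this article and not part of Cisco's tooling, audits a list of configured resolvers against the two addresses given in the text. The resolv.conf snippets are constructed; on other platforms the same list can be fed in from `ipconfig /all` (Windows) or `scutil --dns` (macOS) output.

```python
"""Audit configured DNS resolvers against the Umbrella/OpenDNS addresses
from the article. Sample resolv.conf text is constructed; the audit
function itself works on any list of nameserver strings."""
import ipaddress

# The two anycast resolver addresses given in the article.
UMBRELLA_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


def parse_resolv_conf(text):
    """Extract nameserver entries from resolv.conf-style text.
    Comments (after '#') and unrelated directives such as 'search' are ignored."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def audit_resolvers(nameservers):
    """Classify each configured resolver as umbrella / other / invalid.
    'compliant' is True only if at least one Umbrella resolver is present
    and nothing else is: a single non-Umbrella entry is an unfiltered fallback."""
    result = {"umbrella": [], "other": [], "invalid": []}
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            result["invalid"].append(ns)
            continue
        if str(addr) in UMBRELLA_RESOLVERS:
            result["umbrella"].append(ns)
        else:
            result["other"].append(ns)
    result["compliant"] = (
        bool(result["umbrella"]) and not result["other"] and not result["invalid"]
    )
    return result


# Constructed: a host configured exactly as the article recommends.
SAMPLE_GOOD = """\
# Generated by hand (constructed sample)
search home.lan
nameserver 208.67.222.222
nameserver 208.67.220.220
"""

# Constructed: the common mistake of leaving the router as a fallback resolver.
SAMPLE_MIXED = """\
nameserver 208.67.222.222
nameserver 192.168.1.1  # home router, unfiltered
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("mixed", SAMPLE_MIXED)):
        report = audit_resolvers(parse_resolv_conf(text))
        print(name, "compliant" if report["compliant"] else "NOT compliant", report)
```

Run it across a fleet (or against the DHCP scope a router hands out) and anything reported under `other` is a path around the filter, which is exactly what the Virtual Appliance and Roaming Client deployments described in the text are meant to close.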

What about users who take their laptops home and use VPN to connect to their workplace? Windows and Mac laptop users can also be protected if the Roaming Client agent is installed. When the laptop is on the corporate network, the agent disables itself because it recognizes the DNS of the Virtual Appliances. When the user is at home and off the network, it re-enables itself and the user is protected by Umbrella.

As attacks develop and evolve, we can rely on DNS protection as a necessary layer in the security stack. Together with education, email security, firewall protection, and advanced antivirus, we can finally prevent attackers from impacting our lives.
