Partner Spotlight: Gain a Complete View of Threats With Cisco Umbrella Investigate
This is part of a series of blog posts on useful “all-source analysis” research and collaborative approaches using Recorded Future and our OMNI Intelligence Partners.
Cisco Umbrella Investigate’s threat intelligence on domains, IPs, networks, and malware can be accessed via an extension built into Recorded Future Intelligence Cards™. Starting from a single piece of data, incident responders can query and find associated domains, IPs, ASNs, and file hashes, drill down on specific behavior indicators, and pivot directly into the Investigate console for additional research. In a single correlated source, Investigate’s threat intelligence enables security teams to uncover threats and tighten the gap between threat detection and remediation.
Many security products provide visibility into what’s happening on your own network. But what about the rest of the internet? What about everything going on beyond your perimeter?
News flash — that’s where attackers are staging infrastructure in preparation for launching attacks.
Many organizations have little or no visibility into global internet and attacker trends, including what infrastructure attackers are staging or leveraging on the internet to launch attacks. Additionally, they find it difficult to prioritize incident investigations because they’re overloaded with alerts and lack the context to determine which security incidents would have the biggest impact on the business.
Prior to launching a campaign, attackers need to pay for, build, or borrow the infrastructure needed. For example, they set up servers, obtain or reuse IP addresses, and register domains to use. This often happens before they even perform reconnaissance on their targets or create the malicious payload. In most cases, attackers are pretty sloppy criminals, leaving behind fingerprints and breadcrumbs.
That’s where Cisco Umbrella Investigate can help — it tracks down attackers and provides the most complete view of an attacker’s internet infrastructure, enabling security teams to discover malicious domains, IPs, and file hashes, and even predict emergent threats.
As analysts use Recorded Future’s Intelligence Cards™ to research emerging threats or review new alerts, they can quickly tap into Investigate’s wealth of infrastructure information with a single click.
An analyst receives a SIEM alert for suspicious activity linked with the IP address 126.96.36.199. Before deciding on a course of action, the analyst has to research this indicator, and with a single click, is able to pull up the following Recorded Future Intelligence Card™:
Recorded Future Intelligence Card™ for IP address 188.8.131.52. According to Recorded Future, this is a “malicious” IP, with plenty of evidence across a variety of sources to support this assessment. One easy route to gain more insight is to use the Cisco Umbrella Investigate extension. For this particular IP address, Investigate provides the following:
A partial response returned by the Cisco Umbrella Investigate extension in Recorded Future’s IP Intelligence Card™.
In addition to showing all of the malicious domains linked to this IP address, there are several malware samples that Investigate associates with it; as shown above, these samples are all from the “Ramnit” malware family. A quick look at the Ramnit Malware Intelligence Card™ gives the analyst a better idea of what this malware is about, as well as a sense of recent chatter volume related to it:
Recorded Future Malware Intelligence Card™ for Ramnit. Note that this screenshot is taken on April 5, and there was a spike in references about two weeks prior.
Looking at some of the recent spike of references about Ramnit, the analyst would have found the following article very helpful:
March 29, 2017 blog post about a recent campaign delivering the Ramnit malware via the Rig Exploit Kit.
Based on this quick investigation, the analyst can block further activity from the suspect IP address with confidence.
Diving Deep Into Cisco Umbrella Investigate
How does Investigate provide predictive threat intelligence?
Start with a massive, diverse dataset
In 2006, Cisco Umbrella (formally OpenDNS) started building the world’s largest internet security network. Today, over 85 million daily active users across 160+ countries point their DNS traffic to our global network — providing visibility into more than 100 billion internet requests every day. Plus, more than 500 peering partners exchange BGP route information with us, which allows Cisco to see the connections and relationships between different networks on the internet. This massive and diverse set of data gives us a view of the internet like no other security company.
Apply statistical and machine-learning models
To discover patterns and detect anomalies across our data, we design statistical and machine-learning models to categorize and score it automatically. For example, many models analyze spatial relationships, such as graphing the relationships between networks across the internet, or time-based relationships, such as discovering domain co-occurrences as a result of consecutive DNS requests over very short timeframes. Other models analyze statistical deviations from normal activity, such as measuring the geographic distribution of IP networks requesting a domain name.
These models are built and tuned by the Cisco Umbrella security researchers — our team of data scientists, engineers, mathematicians, and security researchers. The researchers leverage 3D visualization, numerous data mining techniques, and security expertise to develop the models and continuously come up with new ways of analyzing the data to find new connections and patterns.
Voilà: predictive intelligence
As a result of this analysis, we can accurately identify malicious domains, IPs, networks, and file hashes across the internet, and even automatically predict where future attacks may be staged. With this combination of internet-wide visibility and predictive intelligence within Cisco Umbrella Investigate, incident responders can stay ahead of attacks and make better decisions, faster.
Now let’s pick back up in our earlier investigation and take a deeper dive into google-verify.com — one of the domains calling out to our starting IP address (184.108.40.206).
Cisco Umbrella Investigate and Recorded Future give your security teams the real-time threat intelligence they need to fully understand the malicious nature of an attack and malware sample, so you can investigate and respond to incidents much faster, and defend your enterprise against the most advanced cyber attacks.
At the same time, it draws on behavioral analysis from billions of global threat incidents to give you the customized, context-driven threat intelligence you need to proactively protect your business.
To see this use case in action, register for our webinar on Wednesday, April 26 at 11:00 AM ET titled, “How Threat Intelligence Is Streamlining Security Operations.”
Cisco Umbrella is a cloud security platform that provides the first line of defense against threats on the internet wherever users go. Umbrella learns from internet activity to automatically identify attacker infrastructure staged for current and emergent threats. We capture and understand relationships between malware, domains, IPs, and networks across the internet. Get access to this unparalleled threat intelligence with Cisco Umbrella Investigate and speed up incident response. To learn more about our enforcement product, Umbrella, or our threat intelligence product, Investigate, please visit umbrella.cisco.com/products/features.