Home Cloud Computing Establish and Examine Unusual DNS Visitors

Establish and Examine Unusual DNS Visitors

0
Establish and Examine Unusual DNS Visitors

[ad_1]

Programmatically filter unusual DNS Requests with Cisco Umbrella APIs

We use the Web in our on a regular basis lives to get work carried out, handle our lives, and even socialize. We take this Web utilization with no consideration as of late, however the actuality is that we’re speaking greater than ever on a world scale, instantaneously, and infrequently, with of us we’ve by no means met in-person or with third-party providers we don’t absolutely perceive.

From a cybersecurity perspective, this seems like a number of DNS visitors to have to observe, perceive, and examine. And, there are rising causes to do exactly that. After the foremost Colonial Pipeline ransomware assault that resulted in a $4.4 million ransom cost in 2021, the TSA issued (and has since, reissued) a safety directive to pipeline utility corporations that, partially, requested them to raised perceive their DNS visitors.

In fact, pipelines should not the one targets of such assaults, that means we want cheap methodologies for figuring out and investigating doubtlessly malicious domains. On this article, we stroll you thru the way you would possibly programmatically achieve visibility into and examine unusual DNS requests utilizing Cisco Umbrella APIs.

Preliminary developer setup

To create this automation, we assume you have got an energetic Cisco Umbrella account with API entry, Python3, and an built-in developer atmosphere (IDE) that helps Python.

If you happen to’re not but an Umbrella consumer, otherwise you’d merely wish to create a proof-of-concept (POC) round this, you’ll be able to leverage the always-on Umbrella Safe Web Gateway sandbox by way of Cisco DevNet.

Defining what visitors is “unusual”

The day earlier than writing this text, Cisco Umbrella processed over 800 billion DNS requests. On account of this constantly huge quantity of visitors processing and evaluation, Umbrella maintains an updated “Prime 1-Million Domains” listing as a CSV. This data establishes a baseline of what visitors is frequent.

We are able to decide what visitors coming out of your Umbrella community is rare by evaluating it to this Prime 1-Million Domains listing.

To do that, we make an API name utilizing the Umbrella Studies API to retrieve the Prime Locations seen by your Umbrella community previously week. The decision returns an inventory of domains from most to least frequent, one per row, as a CSV, that we will clear to take away the rank order and non-domains. (For instance, take away the 8 on this row: 8,www.google.com, and take away IP deal with locations as a result of they received’t match an Umbrella Prime 1-Million area)

We are able to then write logic that compares the domains seen by your community to Umbrella’s Prime 1-Million and provides any of your domains that aren’t on that listing to a brand new CSV.

Pattern Code

We’ve written a pattern Python script that will help you obtain this utilizing your individual DNS visitors! That script, together with directions for operating it, might be discovered right here.

Investigating unusual domains with Umbrella APIs

When you’ve recognized which domains seen by your community are thought of much less frequent, it’s possible you’ll select to additional examine some—or all—of them utilizing Umbrella Examine.

When you’ve got an Umbrella DNS Safety Benefit or Safe Web Gateway (SIG) package deal, within the Umbrella dashboard, you’ll be able to navigate to Examine > Good Search and seek for the area you’d like to analyze. You’ll see outcomes that present data wanting one thing like what you see beneath for examplemalwaredomain.com:

Umbrella APIDetermine 1: The start of Umbrella Examine outcomes for examplemalwaredomain.com

The outcomes first present you each the content material and safety classes for the area, offered by Cisco Talos. We are able to see that this area is classed as malware and is already on a Malware Block Record; although, if we wished to, we might discover further data on this area throughout Talos, Google, or VirusTotal (prime proper).

Umbrella APIDetermine 2: The danger rating and safety indicators for examplemalwaredomain.com

Scrolling down the outcomes, we subsequent see the chance rating assigned to this area and the safety indicators that went into calculating that rating. On this case, the area is classed as Excessive Danger, with further data on the safety indicators used right here.

After viewing primary data on the area, comparable to when it was created and from what nation it originates, in addition to related observables like IP addresses, identify servers, and recordsdata, you’ll discover WHOIS report data on the area (see beneath). You’ll discover that Umbrella Examine lets you additional examine the related electronic mail deal with and nameservers.

Umbrella APIDetermine 3: WHOIS report knowledge for examplemalwaredomain.com

Lastly, we will view a world map displaying the place DNS requests to examplemalwaredomain.com. Within the instance map beneath, over 95% of DNS requests to this area originate from the USA.

Umbrella APIDetermine 4: International requestor distribution map for examplemalwaredomain.com

These Umbrella Examine outcomes are additionally accessible as a part of the Umbrella Examine API, that means that the investigation of those unusual domains will also be carried out programmatically.

Extra alternatives for automation

What are the probabilities for constructing upon the automation we’ve offered within the pattern code?

  • Examine – including logic that for every unusual area, an API name is made to the Umbrella Examine endpoint to retrieve data and any risk intel
  • Ticketing – you could possibly combine a ticketing system, like Jira, by leveraging its API to create and assign a ticket for every unusual area
  • Coverage Adjustments – use the Umbrella Locations Record API to permit or block a number of of the unusual domains
  • Reporting – export the unusual domains, and maybe data on them from Umbrella Examine, right into a extra palatable format like PDF. Area data may be enhanced by intel from different safety merchandise, by viewing related gadgets and their relationships with the area utilizing JupiterOne, and/or utilized in a visualization.
  • Orchestration – you’ll be able to orchestration an automation workflow with a number of steps (not all of these steps want be automated) utilizing Cisco XDR. The workflow would possibly embody all steps your group requires for investigation and incident response.
  • Communication – fairly than save the ensuing CSV of domains domestically, it’s possible you’ll select to routinely electronic mail the outcomes to events or submit the outcomes to a messaging platform like WebEx.

 

Share:

[ad_2]