Programmatically filter unusual DNS Requests with Cisco Umbrella APIs
We use the Internet in our everyday lives to get work done, manage our lives, and even socialize. We take this Internet usage for granted these days, but the reality is that we're communicating more than ever on a global scale, instantaneously, and often with people we've never met in person or with third-party services we don't fully understand.
From a cybersecurity perspective, this looks like a lot of DNS traffic to have to monitor, understand, and investigate. And there are increasing reasons to do just that. After the major Colonial Pipeline ransomware attack that resulted in a $4.4 million ransom payment in 2021, the TSA issued (and has since reissued) a security directive to pipeline utility companies that, in part, asked them to better understand their DNS traffic.
Of course, pipelines are not the only targets of such attacks, meaning we need reasonable methodologies for identifying and investigating potentially malicious domains. In this article, we walk you through how you might programmatically gain visibility into and investigate uncommon DNS requests using Cisco Umbrella APIs.
Initial developer setup
To create this automation, we assume you have an active Cisco Umbrella account with API access, Python3, and an integrated development environment (IDE) that supports Python.
If you're not yet an Umbrella customer, or you'd simply like to create a proof-of-concept (POC) around this, you can leverage the always-on Umbrella Secure Internet Gateway sandbox by Cisco DevNet.
Defining what traffic is "uncommon"
The day before writing this article, Cisco Umbrella processed over 800 billion DNS requests. As a result of this consistently huge volume of traffic processing and analysis, Umbrella maintains an up-to-date "Top 1-Million Domains" list as a CSV. This information establishes a baseline of what traffic is common.
We can determine what traffic coming from your Umbrella network is uncommon by comparing it to this Top 1-Million Domains list.
To do that, we make an API call using the Umbrella Reports API to retrieve the Top Destinations seen by your Umbrella network in the past week. The call returns a list of domains from most to least frequent, one per row, as a CSV, which we can clean to remove the rank order and non-domains. (For example, remove the 8 in this row: 8,www.google.com, and remove IP address destinations because they won't match an Umbrella Top 1-Million domain.)
We can then write logic that compares the domains seen by your network to Umbrella's Top 1-Million and adds any of your domains that aren't on that list to a new CSV.
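As an added example (not the article's sample script), here is the cleaning and comparison logic in Python, using constructed stand-ins for the two CSVs; the Reports API call itself is left out, and the optional parent-domain match is an assumption that goes beyond the article's exact comparison.

```python
import csv
import io
import ipaddress

# Constructed sample of the Umbrella Top 1-Million CSV (rank,domain); the real file is far longer.
TOP_1M_CSV = """1,google.com
2,microsoft.com
3,www.google.com
4,apple.com
"""

# Constructed sample of a Top Destinations report as CSV (rank,destination), like "8,www.google.com".
NETWORK_DESTINATIONS_CSV = """1,www.google.com
2,update.microsoft.com
3,10.0.0.5
4,examplemalwaredomain.com
5,2606:4700::1111
6,apple.com
"""

def is_ip_address(value):
    """IP literals are dropped: they can never match an entry in the domain list."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False

def clean_destinations(csv_text):
    """Strip the rank column and IP destinations; return normalized domains in rank order."""
    domains = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:
            continue
        dest = row[1].strip().lower().rstrip(".")
        if dest and not is_ip_address(dest):
            domains.append(dest)
    return domains

def parent_domains(domain):
    """Yield the domain and each parent below the TLD: a.b.example.com, b.example.com, example.com."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def uncommon_domains(network_csv, top_csv, match_parents=True):
    """Return network domains not on the Top 1-Million list, in rank order. match_parents=True
    (an assumption beyond the article's exact match) treats update.microsoft.com as common via microsoft.com."""
    top = set(clean_destinations(top_csv))
    candidates = lambda d: parent_domains(d) if match_parents else [d]
    return [d for d in clean_destinations(network_csv) if not any(c in top for c in candidates(d))]
```

The returned list is what the article writes out to a new CSV for further investigation.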
Sample Code
We've written a sample Python script to help you achieve this using your own DNS traffic! That script, along with instructions for running it, can be found here.
Investigating uncommon domains with Umbrella APIs
Once you've identified which domains seen by your network are considered less common, you may choose to further investigate some, or all, of them using Umbrella Investigate.
If you have an Umbrella DNS Security Advantage or Secure Internet Gateway (SIG) package, in the Umbrella dashboard you can navigate to Investigate > Smart Search and search for the domain you'd like to investigate. You'll see results that present information looking something like what you see below for examplemalwaredomain.com:
Figure 1: The beginning of Umbrella Investigate results for examplemalwaredomain.com
The results first show you both the content and security categories for the domain, provided by Cisco Talos. We can see that this domain is classified as malware and is already on a Malware Block List; though, if we wanted to, we could find additional information on this domain across Talos, Google, or VirusTotal (top right).
Figure 2: The risk score and security indicators for examplemalwaredomain.com
Scrolling down the results, we next see the risk score assigned to this domain and the security indicators that went into calculating that score. In this case, the domain is classified as High Risk, with additional information on the security indicators used here.
After viewing basic information on the domain, such as when it was created and from what country it originates, as well as associated observables like IP addresses, name servers, and files, you'll find WHOIS record information on the domain (see below). You'll notice that Umbrella Investigate allows you to further investigate the associated email address and nameservers.
Figure 3: WHOIS record data for examplemalwaredomain.com
Finally, we can view a world map showing where DNS requests to examplemalwaredomain.com originate. In the example map below, over 95% of DNS requests to this domain originate from the United States.
Figure 4: World requestor distribution map for examplemalwaredomain.com
These Umbrella Investigate results are also available through the Umbrella Investigate API, meaning that the investigation of these uncommon domains can also be done programmatically.
Additional opportunities for automation
What are the possibilities for building upon the automation we've provided in the sample code?
- Investigate – add logic so that, for each uncommon domain, an API call is made to the Umbrella Investigate endpoint to retrieve data and any threat intel
- Ticketing – you could integrate a ticketing system, like Jira, by leveraging its API to create and assign a ticket for each uncommon domain
- Policy Changes – use the Umbrella Destinations List API to allow or block one or more of the uncommon domains
- Reporting – export the uncommon domains, and perhaps data on them from Umbrella Investigate, into a more palatable format like PDF. Domain data could also be enriched with intel from other security products, by viewing associated devices and their relationships with the domain using JupiterOne, and/or used in a visualization.
- Orchestration – you can orchestrate an automation workflow with multiple steps (not all of those steps need be automated) using Cisco XDR. The workflow might include all steps your organization requires for investigation and incident response.
- Communication – rather than save the resulting CSV of domains locally, you may choose to automatically email the results to interested parties or post the results to a messaging platform like WebEx.