Cisco Umbrella’s domain reputation intelligence integrated into Cisco Threat Grid
Black Hat’s 2018 world conference tour kicked off in Singapore with Black Hat Asia: two days of Trainings, followed by two days of Briefings and the Business Hall. Cisco Security is now a full Technology Partner of Black Hat, with Cisco Threat Grid for malware analysis, Cisco Umbrella for DNS and Cisco Visibility for threat intelligence, supporting the Network Operations Center’s (NOC) Security Operations.
The focus of the NOC is to provide secure and open Internet access to the conference presenters, attendees and sponsors. Many of the Trainings, Briefings and demonstrations require access to malicious files and domains, so the NOC does not block such traffic. Rather, we focus on the security of the conference assets and ensuring there are no internal or external attacks that would disrupt the educational and collaborative conference.
Cisco Threat Grid is integrated with RSA NetWitness Packets, for network forensics and investigation. The RSA team does full packet capture and its Malware Analysis component sends potentially malicious .exe, .dll, .pdf and .rtf files to Threat Grid for dynamic malware analysis. An important new integration, right before the conference, was Cisco Umbrella’s domain reputation intelligence piped directly into Threat Grid. Now, if a sample contacts a domain that is known to belong to a malicious or potentially harmful Cisco Umbrella category, this triggers a Behavioral Indicator in Threat Grid, which in turn contributes to that sample’s Threat Score and appears in the analysis report.
This is another way that you can effectively utilize broader Cisco threat intelligence to help identify malicious behaviors and to improve overall threat detection. Here is the list of the Network DNS Category indicators and their detections:
- network-dns-category-adware – Cisco Umbrella Categorized Domain As Adware
- network-dns-category-cnc – Cisco Umbrella Flagged Domain As A Command & Control Server
- network-dns-category-driveby-exploit – Cisco Umbrella Flagged Domain As Hosting An Exploit
- network-dns-category-dynamic – Cisco Umbrella Categorized Domain As A Dynamic DNS
- network-dns-category-harmful – Cisco Umbrella Categorized Domain As Potentially Harmful
- network-dns-category-new – Cisco Umbrella Categorized Domain As A Newly Seen Domain
- network-dns-category-p2psharing – Cisco Umbrella Categorized Domain As P2P/File Sharing
- network-dns-category-phishing – Cisco Umbrella Flagged Domain As Phishing
- network-dns-category-proxy – Cisco Umbrella Flagged Domain As A Proxy Or Anonymizer
- network-dns-category-urlshortener – Cisco Umbrella Categorized Domain As A URL Shortener
- network-dns-category-webspam – Cisco Umbrella Categorized Domain As Web Spam
- network-dns-cnc-category – Cisco Umbrella Flagged Domain As A Command & Control Server
We were also able to take advantage of the new Playbooks for automated interaction and the Network Exit Localization to the region.
Expanding the Behavioral Indicator, you can see the domains and Umbrella Security designation. Clicking on the link next to the domain name will provide additional intelligence.
The WHOIS detail is also from the Umbrella integration, with the Related IPs and Hosted URLs from the threat intelligence observed during dynamic analysis by Threat Grid, and correlated with the global dataset.
In the Black Hat Asia NOC, we used the Threat Grid Glovebox to investigate suspicious domains identified by Umbrella, including domains related to potential malicious activity and cryptomining.
From the first day of the conference, we noted hourly DNS traffic to www.blekeyrfid.com with over 1,000 requests. The intelligence was shared with the RSA NetWitness team, and they determined the traffic was all from a single machine.
We pivoted into Umbrella Investigate to understand more about the domain and where it was hosted. The IP address to which it resolved is on the Umbrella block list. Per Black Hat policy, we allowed it for attendees, but would have blocked it on conference assets. We could see there was a spike in activity at the Black Hat Asia conference, and only during conference hours, not at night.
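The review that surfaced this domain (hourly request volume, whether the traffic comes from a single client, and whether it follows conference hours) can be reproduced over raw DNS logs. The following is an added example, not Cisco, RSA or NOC code; the log format (timestamp, client IP, query name per line), the conference-hours window and the sample log, which is generated in the block to mimic one client making over 1,000 queries per hour to a placeholder domain, are all constructed assumptions.

```python
"""Hourly DNS volume review over conference DNS logs.

Added example, not Cisco/Black Hat NOC tooling. Assumed (constructed) log line
format: "<ISO timestamp> <client_ip> <query_name>".
"""
from collections import Counter, defaultdict
from datetime import datetime

# Assumption: conference hours are 09:00-17:59 local time.
CONFERENCE_HOURS = range(9, 18)


def make_sample_log():
    """Constructed log: one client hammering one placeholder domain during
    conference hours, plus low background traffic round the clock."""
    lines = []
    day = "2018-03-22"
    # 1,200 queries per conference hour, all from a single client.
    for hour in CONFERENCE_HOURS:
        for i in range(1200):
            lines.append(f"{day}T{hour:02d}:{i // 20:02d}:{i % 20:02d} "
                         f"10.10.4.21 suspicious-tool.example")
    # Background: three clients, 50 queries each per hour, 24 hours a day.
    for hour in range(24):
        for n, client in enumerate(("10.10.4.30", "10.10.4.31", "10.10.4.32")):
            for i in range(50):
                lines.append(f"{day}T{hour:02d}:{i:02d}:{n:02d} "
                             f"{client} updates.vendor.example")
    return lines


def parse_line(line):
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def hourly_counts(lines):
    """Bucket queries per domain per hour, and per domain per client."""
    per_hour = defaultdict(Counter)    # qname -> hour bucket -> count
    per_client = defaultdict(Counter)  # qname -> client ip -> count
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        per_hour[qname][bucket] += 1
        per_client[qname][client] += 1
    return per_hour, per_client


def flag_domains(lines, threshold=1000):
    """Report domains that exceed `threshold` requests in any single hour,
    with the facts an analyst wants before pivoting: peak hour, how much of
    the traffic falls inside conference hours, and whether one client is
    responsible for all of it."""
    per_hour, per_client = hourly_counts(lines)
    reports = []
    for qname, buckets in per_hour.items():
        peak_hour, peak = buckets.most_common(1)[0]
        if peak < threshold:
            continue
        total = sum(buckets.values())
        in_hours = sum(n for h, n in buckets.items() if h.hour in CONFERENCE_HOURS)
        top_client, top_n = per_client[qname].most_common(1)[0]
        reports.append({
            "domain": qname,
            "peak_hour": peak_hour.isoformat(),
            "peak_requests": peak,
            "hours_over_threshold": sum(1 for n in buckets.values() if n >= threshold),
            "conference_hours_share": round(in_hours / total, 2),
            "single_source": top_n == total,
            "top_client": top_client,
        })
    return sorted(reports, key=lambda r: -r["peak_requests"])


if __name__ == "__main__":
    for report in flag_domains(make_sample_log()):
        print(report)
```

Against the constructed log the background domain never crosses the threshold, while the placeholder domain is reported with nine hours over 1,000 requests, all of it inside conference hours and all from one client, which is the picture that justified handing the domain to the packet-capture team.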
Investigation in the Threat Grid glovebox determined it is an access control spoofing application. I happened to be meeting with representatives from Interpol and shared the information.
The Rise of Cryptomining
We have seen many cyber criminals move away from ransomware to cryptomining, where they can make money by stealing the processing power of unsuspecting users who visit infected websites. Often the mining software will run as JavaScript while the browser is open. With the fluctuation of cryptocurrency making hosted farms less profitable, using the electricity and resources of others is a way to continue to make illicit profits, without the scrutiny of ransomware attacks. The victims rarely know they have been a victim, and can be exploited over and over.
At Black Hat Europe 2017, for the first time we saw an incident of cryptomining on a conference network. At Black Hat Asia, cryptomining became a major security event, and our task was to ensure it was consensual and not running on conference assets.
authedmine.com (link goes to Umbrella report on the domain) was of particular interest, as most mining traffic was going to that domain the first two days of the conference; and then the miners did not attend the last day. The website is associated with coinhive.com.
Taking a look at the domain in Umbrella Investigate, we could see DNS queries to the domain from many convicted samples in Threat Grid, and it was classified under Cryptomining this month.
With new Cisco Visibility, we were able to get a better visual of the architecture and relationships with IP addresses, samples, artifacts and URLs.
Cryptomining comes in two variations:
- Opt-in: the user specifically consents and takes action to allow their resources to be used for mining
- Non-consensual: the user is not aware that an open browser session is utilizing their resources for mining
AuthedMine.com purports to be explicitly opt-in, when reviewed in the Threat Grid Glovebox.
The website uses a .js for the mining, the same method as non-consensual attacks. The script was downloaded into the Temporary Internet Files, without an opt-in.
Using the integrated threat intelligence, the same .js was seen as an artifact in other samples within Threat Grid, which were definitely non-consensual.
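The two pivots described above (DNS-category intelligence raising a Behavioral Indicator on a sample, and an artifact such as the mining script being matched across other, convicted samples) can be shown on a small in-memory model. This is an added example, not Threat Grid, Umbrella or Cisco Visibility code: the domain-category lookup, the sample records, the artifact hashes, the severity values and the `network-dns-category-cryptomining` indicator name are all constructed assumptions (only the other indicator names come from the list above), and the Threat Score itself is approximated here as the highest indicator severity.

```python
"""Enrich sandbox network observations with DNS-category intelligence and
pivot across samples by domain and by shared artifact.

Added example; data, lookup tables and scoring are constructed assumptions,
not Threat Grid or Umbrella behaviour.
"""
from collections import defaultdict

# Constructed stand-in for a domain reputation lookup (None = no security category).
DOMAIN_CATEGORY = {
    "cnc-beacon.example": "cnc",
    "miner-pool.example": "cryptomining",
    "authed-miner.example": "cryptomining",
    "short.example": "urlshortener",
    "cdn.vendor.example": None,
}

# Category -> (indicator id, severity). Severities are assumptions;
# the cryptomining indicator id is hypothetical, the others follow the page's list.
CATEGORY_INDICATOR = {
    "cnc": ("network-dns-category-cnc", 100),
    "driveby-exploit": ("network-dns-category-driveby-exploit", 100),
    "phishing": ("network-dns-category-phishing", 90),
    "cryptomining": ("network-dns-category-cryptomining", 70),
    "new": ("network-dns-category-new", 30),
    "urlshortener": ("network-dns-category-urlshortener", 20),
}

# Constructed sandbox results: verdict, domains contacted, artifact hashes dropped.
SAMPLES = {
    "s1": {"verdict": "convicted",
           "domains": ["cnc-beacon.example", "miner-pool.example"],
           "artifacts": ["sha256:miner-js-0001", "sha256:dropper-0001"]},
    "s2": {"verdict": "convicted",
           "domains": ["miner-pool.example"],
           "artifacts": ["sha256:miner-js-0001"]},
    "s3": {"verdict": "suspicious",
           "domains": ["authed-miner.example", "cdn.vendor.example"],
           "artifacts": ["sha256:miner-js-0001"]},
    "s4": {"verdict": "clean",
           "domains": ["cdn.vendor.example"],
           "artifacts": ["sha256:installer-0002"]},
}


def indicators_for(sample_id):
    """Behavioral indicators raised by the DNS categories of contacted domains,
    highest severity first."""
    hits = []
    for domain in SAMPLES[sample_id]["domains"]:
        category = DOMAIN_CATEGORY.get(domain)
        if category in CATEGORY_INDICATOR:
            indicator, severity = CATEGORY_INDICATOR[category]
            hits.append({"indicator": indicator, "domain": domain, "severity": severity})
    return sorted(hits, key=lambda h: (-h["severity"], h["domain"]))


def max_severity(sample_id):
    """Assumed score contribution: the strongest indicator wins (0 if none)."""
    return max((h["severity"] for h in indicators_for(sample_id)), default=0)


def domain_pivot(domain):
    """All samples that contacted a domain, and how many were convicted."""
    ids = sorted(s for s, rec in SAMPLES.items() if domain in rec["domains"])
    convicted = sum(1 for s in ids if SAMPLES[s]["verdict"] == "convicted")
    return {"samples": ids, "convicted": convicted}


def shared_artifacts(sample_id):
    """Artifacts of one sample that also appear in other samples, with the
    other samples' verdicts; an 'opt-in' miner script matching convicted
    samples is exactly the signal the text describes."""
    index = defaultdict(set)
    for sid, rec in SAMPLES.items():
        for artifact in rec["artifacts"]:
            index[artifact].add(sid)
    shared = {}
    for artifact in SAMPLES[sample_id]["artifacts"]:
        others = sorted(index[artifact] - {sample_id})
        if others:
            shared[artifact] = [(o, SAMPLES[o]["verdict"]) for o in others]
    return shared


if __name__ == "__main__":
    print(indicators_for("s1"), max_severity("s1"))
    print(domain_pivot("miner-pool.example"))
    print(shared_artifacts("s3"))
```

Sample `s3` stands in for the "opt-in" case: its own DNS category only raises the cryptomining indicator, but `shared_artifacts` ties its mining script to two convicted samples, which is the correlation that made the page's .js worth a second look.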
Other cryptomining and cryptocurrency domain activity included (links go to the Umbrella reports on the domains):
During the conference, Cisco Umbrella updated its Security – Prevent reporting in the Activity Volume, and now includes Cryptomining. Like many training events, we also saw a lot of Newly Seen Domains, created just for the excellent training. Total DNS requests for the conference were over 5.1 million.
As in other conferences, the volume decreased during the Briefings and Business Hall vs. the Training days. Below is the distribution of the requests over the week.
Top Domains for the week:
Top Categories for the week:
Black Hat USA 2018 will be 4-9 August 2018. See you in Vegas!
And, if you are attending RSA Conference in San Francisco, 16-20 April 2018; the RSA and Cisco team who works in the Black Hat NOC will be in the RSAC Security Operations Center (SOC).
At the SOC, you will receive a security briefing and have time for Q&A with RSA and Cisco engineers. Advanced registration is highly recommended. Please fill out the RSA SOC Tour Request Form to request your spot.