
Cisco recently announced a new AI-driven Domain Generation Algorithm (DGA) detection capability integrated into Secure Access and Umbrella. DGAs are used by malware to generate numerous domains for command and control (C2) communications, making them a critical threat vector via DNS. Traditional reputation-based systems struggle with the high volume of new domains and the evolving nature of DGAs. This new solution leverages insights from AI-driven DNS tunneling detection and the Talos threat research team to identify unique lexical characteristics of DGAs. The result is a 30% increase in real detections and a 50% improvement in accuracy, reducing both false positives and negatives. Enhanced detection is automatically enabled for Secure Access and Umbrella users with the Malware Threat category active.
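As an added illustration of the "lexical characteristics" idea (this is not Cisco's model, Talos's classifier, or any code from the post), the Python below scores domains with a few hand-built features a DGA detector looks at: label length, character entropy, vowel ratio, digit ratio and consonant runs. The thresholds and sample domains are constructed assumptions for the example.

```python
import math
from collections import Counter

# Constructed sample domains for illustration (not observed at Black Hat):
# three ordinary names and three random-looking labels of the kind DGAs emit.
SAMPLE_DOMAINS = [
    "slack.com", "aws.amazon.com", "cisco.com",
    "xq7vkz9lwm2tpb.net", "hfk3y8zqd1vbw0rn.org", "plvmcxzdqrtk.info",
]
VOWELS = set("aeiou")

def second_level_label(domain: str) -> str:
    """Label left of the TLD. Assumes a single-label TLD; a real
    detector would consult the Public Suffix List (e.g. for .co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def lexical_features(domain: str) -> dict:
    label = second_level_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    # Longest run of consecutive consonants: pronounceable names rarely exceed 4.
    longest = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {"length": len(label), "entropy": shannon_entropy(label),
            "vowel_ratio": vowel_ratio,
            "digit_ratio": sum(ch.isdigit() for ch in label) / max(len(label), 1),
            "longest_consonants": longest}

def dga_score(domain: str) -> int:
    """Number of heuristics (0-4) that fire. Thresholds are illustrative
    assumptions, not tuned values; production systems use a trained model."""
    f = lexical_features(domain)
    return sum([f["length"] >= 12,
                f["entropy"] >= 3.3,
                f["vowel_ratio"] < 0.25,
                f["digit_ratio"] > 0.15 or f["longest_consonants"] >= 5])

def flag_suspicious(domains, threshold: int = 3) -> list:
    """Domains whose score reaches the threshold; candidates for analyst review."""
    return [d for d in domains if dga_score(d) >= threshold]
```

Note that a single heuristic firing (for example, the low vowel ratio of "slack") is not enough on its own; requiring several to agree is what keeps false positives down, which is the accuracy trade-off the post describes.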

Engineers from Cisco presented the technical details of this novel approach at the recent DNS OARC conference. The presentation discusses a method for detecting and classifying Domain Generation Algorithm (DGA) domains in real-world network traffic using Passive DNS and Deep Learning. DGAs and botnets are introduced, along with the fundamentals of Passive DNS and the tools employed. The core of the presentation highlights a monitoring panel that integrates Deep Learning models with Passive DNS data to identify and classify malicious domains within the São Paulo State University network traffic. The detector and classifier models, detailed in recently published scientific articles by the authors, are a key component of this system.

This is a key capability in environments like the Black Hat conference network where we need to be creative when interrogating network traffic. Below is an example of the detection we observed at Black Hat Asia.

Display showing the risk analysis of a specific domain

Domain Name Service Statistics

Authored by: Christian Clasen and Justin Murphy

We install virtual appliances as critical infrastructure of the Black Hat network, with cloud redundancy.

The team setting up the NOC before Black Hat Asia

Since 2018, we have been tracking DNS stats at the Black Hat Asia conferences. The historical DNS requests are in the chart below.

Graph showing DNS queries at Black Hat Asia
DNS requests, aggregated and displayed

The Activity volume view from Umbrella gives a top-level glance of activities by category, which we can drill into for deeper threat hunting. On trend with the previous Black Hat Asia events, the top Security categories were Malware and Newly Seen Domains.

In a real-world environment, of the 15M requests that Umbrella saw, over 200 of them would have been blocked by our default security policies. However, since this is a place for learning, we typically let everything fly. We did block the category of Encrypted DNS Query, as discussed in the Black Hat Europe 2024 blog.

We also track the Apps using DNS, using App Discovery.

  • 2025: 4,625 apps
  • 2024: 4,327 apps
  • 2023: 1,162 apps
  • 2022: 2,286 apps

DNS app discovery screen, showing the number of apps reviewed and approved as well as flagged categories

App Discovery in Umbrella gives us a quick snapshot of the cloud apps in use at the show. Not surprisingly, Generative AI (Artificial Intelligence) use has continued to grow, up 100% year-over-year.

DNS report showing the number of generative ai apps on the networks and the number of DNS requests going to said apps

Umbrella also identifies risky cloud applications. Should the need arise, we can block any application via DNS, such as Generative AI apps, Wi-Fi Analyzers, or anything else that has suspicious undertones.

Graph showing DNS requests by app risk
DNS-based display of apps on the network by category and risk

Again, this is not something we would normally do on our General Wi-Fi network, but there are exceptions. For example, every so often, an attendee will learn a cool hack in one of the Black Hat courses or in the Arsenal lounge AND try to use said hack at the conference itself. That is obviously a ‘no-no’ and, in many cases, very illegal. If things go too far, we will take the appropriate action.

During the conference NOC Report, the NOC leaders also report on the Top Categories seen at Black Hat.

Graph showing the top DNS categories for Black Hat Asia 2025, which are AWS, Slack, aurorapush, hinge, onclckip

Want to learn more about what we saw at Black Hat Asia 2025? Check out our main blog post — Black Hat Asia 2025: Innovation in the SOC — and our other Black Hat 2025 content.

Acknowledgements

Thank you to the Cisco NOC team:

  • Cisco Security: Christian Clasen, Shaun Coulter, Aditya Raghavan, Justin Murphy, Ivan Berlinson, and Ryan Maclennan
  • Meraki Systems Manager: Paul Fidler, with Connor Loughlin supporting
  • ThousandEyes: Shimei Cridlig and Patrick Yong
  • Additional Support and Expertise: Tony Iaconbelli and Adi Sankar

Also, to our NOC partners Palo Alto Networks (especially James Holland and Jason Reverri), Corelight (especially Mark Overholser and Eldon Koyle), Arista Networks (especially Jonathan Smith), MyRepublic and the entire Black Hat / Informa Tech staff (especially Grifter ‘Neil Wyler’, Bart Stump, Steve Fink, James Pope, Michael Spicer, Jess Jung and Steve Oldenbourg).

Black Hat 2025 NOC team

About Black Hat

Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia.

For more information, please visit the Black Hat website.


We’d love to hear what you think. Ask a question, comment below, and stay connected with Cisco Security on social media!

Authors

Christian Clasen

Technical Marketing Engineer

Content Security