Through our ongoing “Inside Out” project at Cisco, our threat researchers have the opportunity to closely examine select networks—with our customers’ permission—to identify evidence of malicious traffic. We use Domain Name System (DNS) lookups emanating from enterprise networks to create a snapshot of possible data compromises and vulnerabilities. This research yielded a significant finding that we presented in the Cisco 2014 Annual Security Report—malicious traffic was visible on 100 percent of the corporate networks we sampled, based on analysis of DNS lookups originating from inside those networks.

For the just-released Cisco 2014 Midyear Security Report, our researchers focused on the networks of 16 Cisco customers that are large multinational organizations. Their observations during the first half of 2014 yielded three compelling security insights tying these enterprises to malicious traffic:

  • Botnet “hide and seek”: Dynamic DNS (DDNS) is a system normally used for legitimate purposes, but has become popular with adversaries because it allows botnets to evade detection—and thus, avoid destruction. The majority of customer network sample queries observed in 2014 as part of our Inside Out project have been identified as issuing DNS queries for DDNS. While this doesn’t mean each of these organizations has been compromised by malware using DDNS providers, we have advised these customers to review these DDNS requests closely and verify that they are being performed for legitimate business reasons.
  • Man-in-the-browser malware: Palevo, SpyEye, and Zeus are malware families that incorporate man-in-the-browser (MiTB) functionality. The botnets they help to spawn are spread through instant messaging, peer-to-peer (P2P) networks, and removable drives. They are then used to perform distributed denial of service (DDoS) attacks and steal information entered into online forms in browsers using the Windows operating system. DNS lookups for hosts compromised by these malware types are considered a very high threat, and most—more than 90 percent—of the customer networks we observed in the first half of 2014 as part of our Inside Out project were identified as having traffic going to websites that host Palevo, SpyEye, and Zeus malware.
  • Encrypting of stolen data: When stealing information, some malicious entities will use secure, encrypted communication channels or data transfer protocols to cover their tracks. IP Security (IPsec) VPN, Secure Sockets Layer (SSL) VPN, and Secure File Transfer Protocol (SFTP) are some examples. Our researchers found that well over one-third of networks observed in the first half of 2014 were issuing DNS requests for sites and domains associated with devices that provide services such as IPsec VPN, SSL VPN, and SFTP. These types of sites can be used to exfiltrate data using encrypted channels to avoid detection, which is why organizations should regularly monitor and validate these communications.

See the Cisco 2014 Midyear Security Report to learn more about research. If you are a Cisco customer and would like your organization to take part in our Inside Out research project as part of the Custom Threat Intelligence (CTI) service, please contact your account team. Cisco customers that participate in the Inside Out project receive an “External Cyber Threat Report” that is prepared and delivered by Cisco.


Jason Brvenik

Principal Engineer

CIsco Security Business Group