
In the modern security operations center (SOC), the biggest challenge isn’t always a lack of data — it’s the lack of meaning. Analysts are often drowning in telemetry, trying to distinguish the calculated movements of a threat actor trying to blend in with normal traffic from the noise of a global network.

Compounding this challenge is that many traditional security tools attempt to prevent threats based on what they have already seen, not on what could potentially happen.

The complexity of a ransomware attack, unfolding through multiple stages, highlights many of the challenges SOC teams face every day. For an analyst, these events are often fragmented. If the SOC isn’t configured to understand threat patterns, they appear as separate alerts in separate dashboards, forcing the human to manually stitch together the “who,” “what,” and “where.”

At Cisco, we believe that security should go beyond enforcement; it must understand intent. Today we’re releasing our new AI-powered DNS defense platform, available within Cisco Secure Access and powered by Cisco Talos intelligence. With AI-assisted algorithms, it brings a new predictive layer of defense to DNS.

These new capabilities bridge the gap between how users connect to the network and how the network is protected, enabling proactive, intelligent defense.

Let’s walk through how that looks during a ransomware attack, with a focus on how DNS-based threats play a role in malware delivery, data exfiltration, DNS tunneling, command-and-control (C2) communications, and access to phishing domains.

Cisco Talos DNS Security (fully integrated into Cisco Secure Access) detects obfuscated data hidden in DNS packets, the core of internet communication. Advanced AI-driven detection, including domain generation algorithm (DGA) analysis, proactively identifies and predicts malicious domains, stopping threats before they impact your organization.

By embedding predictive intelligence from Cisco Talos directly into Secure Access, we are able to disrupt the attacker’s workflow at multiple critical stages of a ransomware attack:

  • Initial Access: Ransomware can enter through a few doors—from malicious links (phishing is still the most common entry point, appearing in 40% of Cisco Talos Incident Response cases in 2025) and drive-by downloads to exploited vulnerabilities. Cisco Secure Access uses Talos DNS Security intelligence to analyze the intent of every destination, and proactively blocks connections to malicious sites, malware delivery servers, and suspect infrastructure.
  • Blocking C2 connections: Once malware is on a device, it must establish a command-and-control (C2) channel to receive its encryption keys. Through Talos DNS Security, Talos’ custom-built machine learning models detect the unique “lexical texture” of algorithmically generated domains (DGA) used by attackers. By identifying these machine-made patterns, we block the communication channel at the onset, leaving the ransomware actor unable to execute its attack.
  • Preventing lateral movement: Cisco Hybrid Mesh Firewall benefits from real-time intelligence from Talos, which means it can also recognize the “fingerprint” of an active breach. If a compromised device attempts to scan the network or move laterally to sensitive servers, the firewall leverages Talos-authored SNORT® rules to identify exploit attempts and the Encrypted Visibility Engine (EVE) to detect malicious activity — even within encrypted traffic. By combining these granular detection capabilities with strict segmentation policies, the firewall traps the threat in a “virtual cage” and ensures organizations have layers of defense across their environment.
  • Identifying and preventing data exfiltration: Before encryption begins, threat actors may attempt to smuggle data out using covert DNS tunneling. Convolutional neural network models built within Talos DNS Security are able to detect and prevent such threats by analyzing the structure of domain names and behavioral patterns in DNS requests. Through Cisco Secure Access, we block suspicious requests at the DNS resolver, stopping the data from leaving the network and ensuring sensitive information stays protected.
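To make the “lexical texture” and DNS-tunneling ideas above concrete, here is an added illustration (not Cisco’s or Talos’ code, and not their model) that scores constructed DNS query records with simple lexical features and aggregates verdicts per client; the thresholds and sample names are assumptions chosen for the demonstration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query records (client IP, queried name); not real telemetry.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "xk3q9zv1tlpq8wdf.net"),
    ("10.0.0.7", "q7rj2kxn0vb4hslm.com"),
    ("10.0.0.9", "4d6f6e65792073656e74.3c2b1a.tunnel-example.net"),
]

def shannon_entropy(s):
    """Bits of entropy per character; high values suggest machine-generated text."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def lexical_features(fqdn):
    """Split a name into labels and compute simple 'lexical texture' features."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Naive registered-label pick (real resolvers use the public suffix list).
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    alpha = [c for c in sld if c.isalpha()]
    return {
        "entropy": shannon_entropy(sld),
        "vowel_ratio": sum(c in "aeiou" for c in alpha) / len(alpha) if alpha else 0.0,
        "sld_len": len(sld),
        # Bytes carried in labels left of the registered domain: tunnels pack data here.
        "subdomain_len": sum(len(l) for l in labels[:-2]),
    }

def classify(fqdn):
    """Return 'tunnel', 'dga' or 'benign'. Thresholds are illustrative assumptions."""
    f = lexical_features(fqdn)
    if f["subdomain_len"] >= 20:
        return "tunnel"
    if f["sld_len"] >= 12 and f["entropy"] >= 3.5 and f["vowel_ratio"] < 0.25:
        return "dga"
    return "benign"

def summarize(queries):
    """Per-client verdict counts, so coordinated client activity stands out."""
    per_client = defaultdict(Counter)
    for client, name in queries:
        per_client[client][classify(name)] += 1
    return per_client

if __name__ == "__main__":
    for client, verdicts in summarize(SAMPLE_QUERIES).items():
        print(client, dict(verdicts))
```

A production detector would replace these hand-picked thresholds with a trained model and add behavioral signals (query rate, NXDOMAIN ratio, record types), which is what the text attributes to the Talos models.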

As a result, instead of chasing fragmented alerts that may not indicate that an attack is imminent, your security team benefits from a unified, predictive defense. We reduce the noise for your analysts, and help to stop ransomware before it can escalate into an organization-disrupting breach.

An analyst’s dashboard suddenly signals an early alert: a sharp increase in DNS queries to suspicious domains. Talos DNS Security’s predictive blocking within Cisco Secure Access stops these domains before the activity spreads, allowing the analyst to focus on real threats instead of noise.

As the analyst investigates, Secure Access provides detailed charts with embedded “slice profiles” that provide a contextual snapshot of which clients, subdomains, and protocols caused each spike. Unlike with traditional security systems that only show activity volume, the analyst doesn’t need to dig through raw logs. They can quickly see a trend, understand the exact sources and behaviors behind it, and map out the potential ransomware attack.

Soon after, the analyst notices that Secure Access is flagging domains with high lexical risk scores and coordinated client activity — classic signs of a DGA-based C2 attempt. Secure Access blocks these domains immediately, cutting off the ransomware actor’s communication channels before they can take hold.

When your security tools enable you to shift from manual log-stitching to automated threat disruption, the SOC dynamic changes:

  • From alert triage to contextual investigation: Instead of manually correlating a DNS request with a firewall log, the shared intelligence provides a complete, pre-correlated narrative. When an alert triggers, your analysts now have the “who,” “what,” and “where” already attached to the event.
  • From “Whack-a-Mole” to campaign blocking: Because Cisco Security products have integrated Talos intelligence, you stop blocking individual IPs and start blocking entire campaign infrastructures. When a phishing lure or a DGA-based C2 channel is identified, the enforcement is applied across the entire mesh, preventing the attacker from simply pivoting to a different part of your network.

In an era where ransomware actors heavily employ stealth and defense impairment tactics, this integration ensures that your security stack acts as a single, cohesive system; a unified defense that shares context across every layer — cloud, branch, and data center — to stop threats at speed and scale.

Learn more about how Talos powers the Cisco Security platform here.

Learn more about how Cisco is extending DNS-layer protection in the Cisco Secure Access community with AI-driven DGA detection and Secure Access DNS Defense.



Authors

Bill Spry

Technical Leader

Cisco Cloud and Networking Security