Dalelorenzo's GDI Blog

Threat Trends: DNS Security, Part 1

Part 1: Top threat categories

When it comes to security, deciding where to dedicate resources is vital. To do so, it's important to know what security issues are most likely to crop up within your organization, and their potential impact. The challenge is that the most active threats change over time, as the prevalence of different attacks ebbs and flows.

This is where it becomes helpful to know about the larger trends in the threat landscape. Reading up on these trends can inform you as to what types of attacks are currently active. That way, you'll be better positioned to determine where to dedicate resources.

Our Threat Trends blog series takes a look at the activity that we are seeing in the threat landscape and relevant information on those trends. After examining topics such as the MITRE ATT&CK framework, LOLBins, and others, this release will look at DNS traffic to malicious sites. This data comes from Cisco Umbrella, our cloud-native security service.

We'll briefly look at organizations as a whole, before drilling down into the number of endpoints connecting to malicious sites. We'll also look at malicious DNS activity: the number of queries that malicious sites receive.

Overall, this can provide insight into how many malicious email links users are clicking on, how much communication RATs are performing, or whether cryptomining activity is up or down. Such information can inform where to dedicate resources, such as topics requiring security training or areas in which to build threat hunting playbooks.

Overview of analysis

We'll look at DNS queries to domains that fall into certain categories of malicious activity, and in some cases specific threats, between January and December of 2020. While performing this analysis we looked at a wide variety of threat trends. We've chosen to highlight those that an organization is most likely to encounter, with particular attention paid to the categories that are most active.

It's worth noting that we're deliberately not making extensive comparisons across categories based on DNS activity alone. The reason is that different threat types require varying amounts of internet connectivity in order to carry out their malicious activities. Instead, we'll look at individual categories, with an eye on how they rise and fall over time. Then we'll drill further into the data, looking at trends for specific threats that are known to work together.

For more information on our technique, see the Methodology section at the end of this blog.

Organizations and malicious DNS activity

To start off, let's look at organizations and how frequently they discover traffic going to sites involved in different types of malicious DNS activity. The following chart shows the percentage of Cisco Umbrella customers that encountered each of these categories.

Type of DNS activity

To be clear, this does not necessarily mean that 86 percent of organizations received phishing emails. Instead, 86 percent of organizations had at least one user attempt to connect to a phishing website, likely by clicking on a link in a phishing email.

Similar stories present themselves in other categories:

70 percent of organizations had users that were served malicious browser ads. 51 percent of organizations encountered ransomware-related activity. 48 percent found information-stealing malware activity.

Let's take a closer look at some of the most frequently encountered categories in further detail, focusing on two metrics: the number of endpoints connecting to malicious activity (shown by line graphs in the chart), and the amount of DNS traffic seen for each type of threat (shown by bar graphs in the following chart).


It's not surprising that cryptomining generated the most DNS traffic out of any individual category. While cryptomining is often favored by bad actors for low-key revenue generation, it's relatively noisy on the DNS side, as it regularly pings mining servers for more work.

DNS activity surrounding cryptomining

Cryptomining was most active early in the year, before slumping in the middle of the year. This, and the gradual recovery seen in the later part of the year, largely tracks with the value of popular cryptocurrencies. As coin prices increased, so too did the rate of activity. For example, researchers in Cisco Talos noticed an increase in activity from the Lemon Duck threat starting in late August.

It's also worth noting that there's little difference between "legitimate" and illegitimate cryptomining traffic. Some of the activity in the chart could be blocks based on policy violations, where end users attempted to mine digital currencies using company resources. In cases like this, administrators would have good reason for blocking such DNS activity.


The amount of phishing-related DNS activity was fairly stable throughout the year, with the exception of December, which saw a 52 percent increase around the holidays. In terms of the number of endpoints visiting phishing sites, there were significant increases during August and September.

DNS Activity surrounding Phishing

This is due to a very large phishing campaign, where we saw a 102 percentage-point shift between July and September. More on this later, but for now, take note of the fact that dramatically more endpoints began clicking on links in phishing emails.


Similar to cryptomining, Trojans started the year strong. The incredibly high number of endpoints connecting to Trojan sites was largely due to Ursnif/Gozi and IcedID, two threats known to work in tandem to deliver ransomware. These two threats alone comprised 82 percent of Trojans seen on endpoints in January.

Endpoint Trojans during January

However, the above-average figures from January were likely tied to a holiday-season campaign by attackers, and declined and stabilized as the year progressed.

DNS Activity surrounding Trojans

In late July, Emotet emerged from its slumber once again, generating a large amount of traffic that continued through September. This threat alone is responsible for the large increase in DNS activity from August through September. In all, 45 percent of organizations encountered Emotet.


For most of the year, two key ransomware threats dominated: one in breadth, the other in depth.

DNS Activity surrounding Ransomware

Beginning in April, the number of computers compromised by Sodinokibi (a.k.a. REvil) increased significantly and continued to rise into autumn. The increase was significant enough that 46 percent of organizations encountered the threat. In September, overall queries from this particular ransomware family shot up to five times that of August, likely indicating that the ransomware payload was being executed across many of the impacted systems.

DNS Activity surrounding Sodinokibi

However, this is a drop in the bucket compared to the DNS activity of Ryuk, which is largely responsible for the November-December spike in activity. (It was so high that it skewed overall activity for the rest of the year, resulting in below-average numbers when it wasn't active.) Yet the number of endpoints connecting to Ryuk-associated domains remained relatively small and consistent throughout the year, showing only modest increases before query activity skyrocketed.

So, while one threat reaches more endpoints, the other is much busier. Interestingly, this contrast between the two ransomware threats correlates with the amount of money that each threat apparently attempts to extort from victims. Sodinokibi tends to hit a large number of endpoints, demanding a smaller ransom. Ryuk compromises far fewer organizations, asking a significantly larger payment.

Tying it all together

In today's threat landscape, the idea that "no one is an island" holds true for threats. The most widespread attacks these days leverage a variety of threats at different stages. For example, let's look at how Emotet is often delivered by phishing in order to deploy Ryuk as a payload. While the data below covers all phishing, Emotet, and Ryuk activity, as opposed to specific campaigns, a clearly defined pattern emerges.

DNS Activity surrounding phishing, Emotet, and Ryuk

Remember the 102 percentage-point shift in phishing between July and September? This lines up with a 216 percentage-point jump in Emotet DNS activity. Activity drops off in October, followed by an eye-watering 480 percentage-point increase in Ryuk activity.

Emotet's activities were significantly disrupted in January 2021, which will likely lead to a drop-off in activity for this particular threat chain. Nevertheless, the relationship presented here is worth considering, as other threat actors follow similar patterns.

If you find one threat within your network, it's wise to investigate what threats have been observed working in tandem with it and take precautionary measures to prevent them from causing further havoc.

For example, if you find evidence of Ryuk, but not Emotet, it might be worth looking for Trickbot as well. Both Emotet and Trickbot have been seen deploying Ryuk in attacks, at times in coordination, and at other times separately.
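The pivot described above, turned into a hunting check, as an added example that is not Cisco's code: it maps each endpoint to the threat families it resolved and, for any Ryuk sighting, lists which of its known loaders (Emotet, Trickbot) have not yet been seen on that host. The log format, the domain labels and the domains themselves are constructed placeholders, not real indicators.

```python
"""Threat-chain pivot over resolver logs (added example, not Cisco's code).

Assumptions (constructed for the example): a DNS resolver log in the form
"<ISO timestamp> <endpoint> <queried domain>" and a threat-intel mapping
from domain to threat family. Domains are placeholders, not real IoCs.
"""
from collections import defaultdict

# Relationship stated in the post: Emotet and Trickbot both deliver Ryuk,
# sometimes together and sometimes separately.
KNOWN_LOADERS = {"Ryuk": {"Emotet", "Trickbot"}}

# Constructed threat-intel labels (placeholder domains).
DOMAIN_LABELS = {
    "ryuk-placeholder.example": "Ryuk",
    "emotet-placeholder.example": "Emotet",
    "trickbot-placeholder.example": "Trickbot",
    "phish-placeholder.example": "Phishing",
}

# Constructed resolver log lines.
SAMPLE_LOG = """\
2020-11-03T08:12:01Z host-a phish-placeholder.example
2020-11-03T08:12:07Z host-a emotet-placeholder.example
2020-11-05T21:40:13Z host-a ryuk-placeholder.example
2020-11-04T10:02:55Z host-b ryuk-placeholder.example
2020-11-04T10:03:01Z host-b updates.example
2020-11-06T11:15:44Z host-c phish-placeholder.example
"""


def families_per_endpoint(log_text, labels=DOMAIN_LABELS):
    """Map each endpoint to the set of threat families it resolved."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash
        _ts, endpoint, domain = parts
        family = labels.get(domain.lower())
        if family:
            seen[endpoint].add(family)
    return dict(seen)


def missing_chain_partners(families, chains=KNOWN_LOADERS):
    """For each payload seen, return the known loaders that were NOT seen.

    The post's case: Ryuk observed without Emotet means Trickbot (and any
    other known loader) is still worth hunting for on that endpoint.
    """
    gaps = {}
    for payload, loaders in chains.items():
        if payload in families:
            unseen = loaders - families
            if unseen:
                gaps[payload] = sorted(unseen)
    return gaps


def hunt_list(log_text):
    """Endpoints whose observed threats imply further hunting, with the gaps."""
    result = {}
    for endpoint, families in families_per_endpoint(log_text).items():
        gaps = missing_chain_partners(families)
        if gaps:
            result[endpoint] = gaps
    return result
```

Unlabelled domains (such as the constructed updates.example line) are ignored, so a host with only benign lookups never appears in the hunt list.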

Sure enough, Trickbot follows a similar pattern in terms of DNS activity: lower in the first half of the year, busy in August and September, then quiet in October. However, Trickbot was active between November and December, when Emotet was not, likely contributing to the exceptional increase in Ryuk activity during these two months.

DNS Activity surrounding Trickbot

Preventing successful attacks

As mentioned earlier, the data used to show these trends comes from Cisco Umbrella, our cloud-delivered security service that includes DNS security, secure web gateway, firewall, cloud access security broker (CASB) functionality, and threat intelligence. In each of these cases, the malicious activity was stopped in its tracks by Umbrella. The user who clicked on a phishing email was unable to connect to the malicious site. The RAT attempting to talk to its C2 server was unable to phone home. The unauthorized cryptominer couldn't get work to mine.

Umbrella combines multiple security functions into one solution, so you can extend protection to devices, remote users, and distributed locations anywhere. Umbrella is the easiest way to effectively protect your users everywhere in minutes.

Also, if you're looking to get more information on the malicious domains that your organization encounters, Umbrella Investigate provides the most complete view of the relationships and evolution of internet domains, IPs, and files, helping to pinpoint attackers' infrastructure and predict future threats. No other vendor offers the same level of interactive threat intelligence, uncovering current and emerging threats. Umbrella delivers the context you need for faster incident investigation and response.

Want to learn more? Check out https://umbrella.cisco.com/ for more details.

Up next

In this blog we looked at the most active threat categories seen in DNS traffic, as well as how evidence of one threat can lead to uncovering others. In part 2, we'll break the data down further to examine which industries are targeted by these threats. Stay tuned to learn more about the impact on your industry!


Methodology

We've organized the data set to obtain overall percentages and month-on-month trends. We've aggregated the data by the number of endpoints that have attempted to visit specific websites that have been flagged as malicious. We've also aggregated the number of times websites flagged as malicious have been visited. These figures have been grouped into meaningful threat categories and, when possible, have been marked as being associated with a particular threat.

We've also applied filtering to remove certain data anomalies that can appear when looking at malicious DNS traffic. For example, when a C2 infrastructure is taken down, compromised endpoints attempting to call back to a sinkholed domain can generate large amounts of traffic as they unsuccessfully attempt to connect. In cases like these, we have filtered out such data from the data set.

The charts use a variation of the Z-score method of statistical assessment, which describes a value's relationship to the mean. In this case, instead of using the number of standard deviations for comparison, we've shown the percent increase or decrease from the mean. We feel this presents a more digestible comparison for the average reader.
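The sinkhole filtering and the percent-from-mean metric described in this section, carried through on a constructed data set as an added example (not Cisco's own pipeline): monthly query counts per category are summed with sinkholed domains dropped, each month is expressed as the percent above or below the period mean in place of a standard-deviation Z-score, and the percentage-point shift between two months (the figure the post quotes for phishing, Emotet and Ryuk) is read off from that metric. All counts, domains and the sinkhole list are constructed placeholders.

```python
"""Monthly trend metric from the Methodology section (added example,
not Cisco's code). All counts and domains are constructed, not Umbrella data.

The metric mirrors the post's Z-score variant: a month's activity is shown
as percent above (+) or below (-) the period mean instead of in standard
deviations. Queries to sinkholed domains are filtered out beforehand.
"""
from collections import defaultdict
from statistics import mean

# Constructed: a domain that was sinkholed after a takedown. Failed
# callbacks to it would inflate the count without any new compromise.
SINKHOLED = {"sinkholed-c2.example"}

# Constructed query records: (month, category, domain, query_count).
QUERIES = [
    ("2020-07", "Emotet", "emotet-placeholder.example", 100),
    ("2020-08", "Emotet", "emotet-placeholder.example", 250),
    ("2020-09", "Emotet", "emotet-placeholder.example", 400),
    ("2020-10", "Emotet", "emotet-placeholder.example", 50),
    ("2020-10", "Emotet", "sinkholed-c2.example", 5000),  # must be dropped
    ("2020-09", "Phishing", "phish-placeholder.example", 300),
    ("2020-10", "Phishing", "phish-placeholder.example", 100),
]


def monthly_totals(records, sinkholed=SINKHOLED):
    """Sum query counts per category and month, skipping sinkholed domains."""
    totals = defaultdict(lambda: defaultdict(int))
    for month, category, domain, count in records:
        if domain in sinkholed:
            continue
        totals[category][month] += count
    return {cat: dict(months) for cat, months in totals.items()}


def pct_from_mean(month_counts):
    """Percent each month sits above (+) or below (-) the period mean."""
    avg = mean(month_counts.values())
    return {m: round((v - avg) / avg * 100, 1)
            for m, v in sorted(month_counts.items())}


def pp_shift(deviations, start, end):
    """Percentage-point change in the metric between two months."""
    return round(deviations[end] - deviations[start], 1)


def category_trend(records, category):
    """Full pipeline for one category: filter, aggregate, normalize."""
    return pct_from_mean(monthly_totals(records)[category])
```

With the constructed Emotet counts the period mean is 200, so July reads -50.0 and September +100.0, a 150-point shift in the same sense as the post's 216-point July-to-September jump.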

A word on privacy

Cisco takes customer privacy very seriously. To further this end, we've gone to great lengths to ensure that the data used for this blog series is anonymized and aggregated before any analysis is performed on it. While Cisco Secure products can report telemetry back to us, this is an opt-in feature.

Read more: blogs.cisco.com


Don’t Want a VPN? 4 Alternatives to Consider for Your Business

In today's highly remote business world, online privacy and security have become more important than ever. Since private browsing history is often open to third parties, users can lose their online privacy by simply logging onto the internet. Virtual private networks (VPNs) are a go-to solution for many businesses whose employees access company files away from company servers, especially now that the coronavirus pandemic has forced numerous businesses to go fully remote.

Using a VPN is intended to keep your browsing secure from hackers or cyberattacks. However, VPNs aren't perfect, and it's important to consider whether an alternative solution might be better for your business.

What is a VPN?

A VPN provides a private network connection by creating an encrypted tunnel between your network and a remote server, masking your identity and location while browsing the internet.

If you are connected to Wi-Fi in a public spot like a coffee shop, third parties might gain access to your passwords, banking information, credit card numbers, work files and more. Even on a private, secured network (such as your home internet), it's still possible for advertisers, internet service providers, and intruders to see and track your browsing activity. By encrypting your web traffic, a VPN, in theory, ensures that no one else on that network can access your private browsing information. [Read related article: VPN and Online Privacy]

Drawbacks of VPNs

Businesses use VPNs to protect their private data, as they often have employees accessing files while connected to an unsecured network. It's impossible to monitor your employees' every move to ensure they're only using secure connections. However, one wrong move can gravely cost your business.

While VPNs can help protect your business's private data, they aren't perfect. Here are some drawbacks to VPNs you'll want to consider.

Data caps

Depending on the amount of data your business uses daily, a standard VPN service might not meet your needs. Some providers put a limit on data used during VPN browsing. With insufficient data allowances, you'll risk a slower connection and potential vulnerability to attacks while using a VPN.

Slower internet connection

Because of its encryption, a VPN might slow your internet connection, making it difficult to get work done or attend virtual meetings. If you're located far away from your VPN provider's servers, it can impact your browsing speed. Additionally, a VPN service provider with a very limited number of servers may throttle browsing speeds if too many users are logged on simultaneously.

Security risks

The more people who have access to your VPN, the more security risks your company faces, especially if those workers are remote or are connecting to public Wi-Fi. It's important to choose a service that protects your data.

Consumer-focused VPN services generally prioritize getting around location restrictions on certain web content, rather than secure browsing, so you may not get the level of secure access you need as a business with some VPNs. Additionally, some VPNs are not verified and are run by governments or scammers. Do your due diligence to ensure the VPN you are using is trusted and verified by other users.


Inflexibility

A common complaint with VPNs is their inflexibility. Once your VPN network is established (which takes time), it's difficult to change it, especially if you have workers who travel or new employees. Additionally, some services discourage the use of VPNs, blocking users from accessing their site or platform.


Cost

Effective VPNs can cost a lot of money. Depending on your data volume, some VPNs might be too expensive for your budget. While there are some free options, professionals do not recommend them for security purposes.

"Although there are many free VPNs available, few of them provide the security and speed of paid VPN software," said Kristen Bolig, founder of SecurityNerd. "Many VPNs put their customers at risk. It's crucial that you look for reliable software that ensures you have a safe and anonymous connection."

Sluggish technology development

VPNs have not evolved in recent years, even during the pandemic. With remote work becoming the new normal, it's important to consider more progressive alternatives that don't have the limited capabilities of VPNs.

Because of the limitations of VPNs, countless organizations use different security solutions. With more companies going remote due to the COVID-19 pandemic, business owners are recognizing the need to look into VPN alternatives to keep their data safe.

VPN alternatives

To ensure the best protection, especially throughout the pandemic and amid the work-from-home culture, consider switching from a VPN to an alternative security solution. Here are some VPN alternatives for your business:

Remote desktop connections. There are many remote PC access software programs available that allow businesses to provide secure off-site device access to their employees. Additional benefits include remote technical support, online training and collaboration.

Identity and access management (IAM). An IAM platform verifies and authorizes the identity of individual users. IAM implements a thorough verification process through multifactor authentication. You can use this as a VPN alternative or as a solution to pair with your VPN.

Privileged access management (PAM). While IAM allows for individual access, PAM focuses on privileged credentials, or those who access critical systems and applications. Because of the security risks involved, high-level accounts require improved protection and close monitoring.

Software-defined perimeter (SDP). Also called the "black cloud," this VPN alternative is based on the "need-to-know access" model. Any critical files are stored in the black cloud and are inaccessible to regular users, while other aspects of the network are only accessed on a permission basis.

I still need a VPN. What do I look for?

Patrick Ward, founder of NanoGlobals, said that speed and security are the most important, differing attributes VPNs advertise.

"For a business owner, security is paramount considering the fact that your VPN will be used to protect you while potentially handling confidential company data," Ward said. "Security protocols, a 'kill switch' and DNS leak protection are the three most important security aspects to evaluate in your desired VPN."

In addition to these factors, Candace Helton, operations director at Ringspo, advised considering the following components when choosing a VPN for business:

Logging policies. Helton noted that some governments require access to a VPN company's logs, so you may wish to choose a VPN provider that's not legally bound to make this data accessible to the government. On the other hand, if you want to use your data to examine employee activity, Helton recommended choosing a VPN provider that comes with an optional data logging feature.

Encryption. Because security is the main priority of VPN services, encryption protocols must be strong to prevent hackers and outsiders from getting at your info, said Helton. She recommended choosing VPN providers that offer at least 256-bit AES encryption and ensuring IPSec protocols are not outdated.

Versatility. When you're using a VPN for business purposes, you want something that can adapt to your needs, said Helton. "You might want to make certain adjustments to the service in the future, so the VPN provider you choose should be capable of that," she noted. "Before making the final buying decision, make sure to ask expansion-related questions to see if the service can adapt."

Read more: business.com
