Threat Trends: DNS Security, Part 1

Duty 1: Top threat categories

When it comes to security, deciding where to dedicate reserves is vital. To do so, it’s important to know what security issues are most likely to crop up within their own organizations, and their potential impact. The challenge is that the most active threats change over time, as the prevalence of different criticizes ebb and flows.

This is where it becomes helpful to know about the larger vogues on the threat landscape. Reading up on these trends can inform you as to what types of assaults are currently active. That behavior, you’ll be better positioned to determine where to dedicate resources.

Our Threat Trends blog streak takes a look at the activity that we are presented in the threat landscape and relevant information on those vogues. After examining topics such as the MITRE ATT& CK framework, LOLBins, and others, this release will look at DNS traffic to malevolent websites. This data comes from Cisco Umbrella, our cloud-native security service.

We’ll briefly look at parties as a whole, before drilling down into the number of endpoints connecting to malicious places. We’ll likewise look at malicious DNS activity–the number of inquiries malevolent locates receive.

Overall, this can provide insight into how many malicious email ties-in customers are clicking on, how much communication RATs are performing, or if cryptomining act is up or down. Such report can inform on where to dedicate reserves, such as topics requiring security training or areas to build threat chase playbooks.

Overview of analysis

We’ll look at DNS inquiries to provinces that fall into certain categories of malicious undertaking, and in some cases specific threats, between January and December of 2020. While performing this analysis we looked at a wide variety of threat vogues. We’ve chosen to highlight those that an organization is most likely to encounter, with particular attention paid to the categories that are most active.

It’s worth noting that we’re deliberately not inducing extensive likeness across lists based on DNS activity alone. The knowledge is that different threat types necessitate varying amounts of internet connectivity in order to carry out their malicious undertakings. Instead, we’ll look at individual lists, with an heart on how they rise and fall over period. Then we’ll drill further into the data, looking at vogues for specific threat that are known to work together.

For more information on our technique, construe the Methodology section at the end of this blog.

Administration and malicious DNS pleasure

To start off, let’s look at organizations and how frequently they discover traffic going to sites involved in different types of malicious DNS work. The following chart shows the percentage of Cisco Umbrella patrons that encountered each of these categories.

Type of DNS activity

To be clear, this does not necessarily mean that 86 percentage of organizations received phishing emails. Instead, 86 percentage of organizations had at least one user attempt to connect to a phishing website, likely by clicking on a tie-in in a phishing email.

Similar narrations present themselves in other lists 😛 TAGEND

70 percent of organizations had consumers “thats been” performed malevolent browser ads. 51 percent of organizations encountered ransomware-related work. 48 percent found information-stealing malware activity.

Let’s take a closer look at some of the most frequently asked categories in further detail, focusing on two metrics: the number of endpoints notifying to malicious activity( outlined by text graphs in the chart ), and the amount of DNS traffic seen for each type of threat( shown by bar graphs in the following chart ).


It’s not surprising that cryptomining generated “the worlds largest” DNS traffic out of any individual list. While cryptomining is often favored by bad actors for low-key revenue generation, it’s relatively loud on the DNS side, as it regularly pings mining servers for more work.

DNS activity surrounding cryptomining

Cryptomining was most active early in its first year, before slumping until time. This, and the gradual recuperation seen in the later part of the year, principally moves with the value of popular cryptocurrencies. As money prices increased, so too did the rate of activity. For lesson, investigates in Cisco Talos noticed an increase in activity from the Lemon Duck threat starting in late August.

It’s likewise worth noting that there’s little inconsistency there is between “legitimate” and illegitimate cryptomining traffic. Some of the activity in the chart could be blocks based on policy contraventions, where end users attempted to mine digital monies abusing company resources. In contingencies like this, heads would have good reason for blocking such DNS activity.


The amount of phishing-related DNS activity was fairly stable throughout the year, with certain exceptions of December, which appreciated a 52 percentage increase around the holidays. In periods of the number of endpoints visiting phishing places, there were significant increases during August and September.

DNS Activity surrounding Phishing

This is due to a very large phishing campaign, where we consider a 102 percentage-point transformation between July and September. More on this later, but for now, taken due note of the point that dramatically more endpoints began clicking on relations in phishing emails.


Similar to cryptomining, Trojans started its first year strong. The improbably high-pitched number of endpoints connecting to Trojan places was largely due to Ursnif/ Gozi and IcedID–two menaces known to work in tandem to deliver ransomware. These two threats alone comprised 82 percentage of Trojans considered on endpoints in January.

Endpoint Trojans during JanuaryHowever, the above-average figures from January were likely bind to a holiday-season campaign by attackers, and worsened and stabilized as its first year progressed.

DNS Activity surrounding Trojans

In late July, Emotet emerged from its nap once again, comprising a big quantity of congestion that produce through September. This menace alone is responsible for the large increase in DNS activity from August through September. In all, 45 percent of organizations encountered Emotet.


For most of the year, two key ransomware threats dominated–one in opennes, the other in depth.

DNS Activity surrounding RansomwareBeginning in April, the number of computers compromised by Sodinokibi( a.k.a. REvil) increased significantly and continued to rise into autumn. The increase was significant fairly that 46 percentage of organizations encountered the threat. In September, overall inquiries from this particular ransomware family shot up to five times that of August, likely been reported that the ransomware warhead was being performed across many of the impacted systems.

DNS Activity surrounding Sodinobiki

However, this is a drop in the container compared to the DNS activity of Ryuk, which is largely responsible for the November-December spike in work.( It was so high-pitched that it skewed overall pleasure for the rest of the year, ensuing in below-average numerals when it wasn’t active .) Yet the number of members of endpoints connecting to Ryuk-associated subjects remained relatively small and consistent throughout the year, exclusively demo modest increases before inquiry work skyrocketed.

So, while one threat encloses more endpoints, the other is much busier. Interestingly, this oppose between the two ransomware threats correlates with the amount of money that each threat apparently attempts to extort from victims. Sodinokibi tends to affected a large number of endpoints, involving a smaller ransom. Ryuk accommodations far fewer organizations, asking a significantly larger payment.

Tying it all together

In today’s threat landscape, the idea that’ no one is an island’ holds true for threats. The most widespread criticizes these days leverage a variety of threats at different stages. For precedent, let’s look at how Emotet is often delivered by phishing in order to deploy Ryuk as a payload. While the data below window-dressings all phishing, Emotet, and Ryuk activity, as opposed to specific expeditions, a clearly defined pattern emerges.

DNS Activity surrounding phishing, Emotet, and Ryuk Remember the 102 percentage-point shifting in phishing between July and September? This strands up with a 216 percentage-point jump in Emotet DNS activity. Work ceases off in October, be accompanied by an eye-watering 480 percentage-point an increasing number of Ryuk activity.

Emotet’s activities were significantly disrupted in January 2021, which will likely lead to a drop-off in undertaking for this particular threat chain. Nevertheless, the relationship presented here is worth considering, as other menace performers follow same patterns.

If you find one threat within your structure, it’s wise to investigate what menaces have been observed working in tandem with it and make precautionary measures to prevent them from inducing further havoc.

For example, if you find evidence of Ryuk, but not Emotet, it might be worth looking for Trickbot as well. Both Emotet and Trickbot have been seen deploying Ryuk in criticizes, at times in coordination, and other ages separately.

Sure enough, Trickbot follows a same motif in terms of DNS activity–lower in the first half of the year, busy in August and September, then gentle in October. However, Trickbot was active between November and December, when Emotet was not, likely contributing to the exceptional increase in Ryuk activity during these two months.

DNS Activity surrounding TrickbotPreventing successful assaults

As mentioned earlier, the data used to show these trends comes from Cisco Umbrella, our gloom delivered security service that includes DNS security, fasten entanglement gateway, firewall, and massed access insurance intermediary( CASB) functionality, and threat intelligence. In each of these cases, the malevolent activity was stopped in its tracks by Umbrella. The consumer who clicked on a phishing email was unable to connect to the malevolent locate. The RAT attempting to talk to its C2 server was unable to phone home. The unauthorized cryptominer couldn’t get work to mine.

Umbrella combines multiple defence affairs into one mixture, so you are eligible to extend the protection provided by manoeuvres, remote useds, and disseminated locales anywhere. Umbrella is the easiest way to effectively protect your customers everywhere in minutes.

Also, if you’re looking to get more information on the malevolent arenas that their own organizations meetings, Umbrella Investigate makes the most complete view of the relationships and evolution of internet disciplines, IPs, and files — helping to pinpoint attackers’ infrastructures and predict future menaces. No other merchant volunteers the same level of interactive threat intelligence — uncovering current and developing menaces. Umbrella delivers the context you need for faster incident investigation and response.

Want to learn more? Check out https :// / for more details.

Up next

In this blog we looked at the most active threat lists seen in DNS traffic, as well as how evidence of one threat can lead to uncovering others. In part 2, we’ll break the data down further to examine which industries are targeted by these threats. Stay aria to learn more about the impact on your manufacture!


We’ve coordinated the data set to obtain overall percentages and month-on-month trends. We’ve aggregated the data by the number of endpoints that have attempted to visit specific websites that ought to have signalled as malevolent. We’ve likewise aggregated the number of members of ages websites signalled as malicious have been visited. These digits have been grouped into meaningful threat lists and, when possible, have been commemorated as being associated with a particular threat.

We’ve likewise addrest filtering to remove certain data anomalies that can appear when looking at malicious DNS traffic. For sample, when a C2 infrastructure is taken down, compromised endpoints attempting to call back to a sinkholed domain can engender large amounts of traffic as they unsuccessfully attempt to connect. In suits like these, we have filtered out such data from the data set.

The shows use a variation of the Z-score method of statistical assessment, which describes a value’s relationship to the mean. In such cases, instead of using the number of standard deviations for comparison, we’ve shown the percent increase or weaken from the planned. We feel this presents a more digestible similarity for the average reader.

A parole on privacy

Cisco makes client privacy very seriously. To further this end, we’ve gone to great lengths to ensure that the data used for this blog series is anonymized and aggregated before any analysis is play-act on it. While Cisco Secure makes can report telemetry back to us, this is an opt-in feature.

Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *