Programmatically filter unusual DNS Requests with Cisco Umbrella APIs
We use the Web in our on a regular basis lives to get work accomplished, handle our lives, and even socialize. We take this Web utilization as a right today, however the actuality is that we’re speaking greater than ever on a world scale, instantaneously, and infrequently, with of us we’ve by no means met in-person or with third-party providers we don’t absolutely perceive.
From a cybersecurity perspective, this seems like lots of DNS site visitors to have to observe, perceive, and examine. And, there are growing causes to just do that. After the foremost Colonial Pipeline ransomware assault that resulted in a $4.4 million ransom cost in 2021, the TSA issued (and has since, reissued) a safety directive to pipeline utility firms that, partially, requested them to higher perceive their DNS site visitors.
In fact, pipelines are usually not the one targets of such assaults, which means we want affordable methodologies for figuring out and investigating probably malicious domains. On this article, we stroll you thru the way you may programmatically acquire visibility into and examine unusual DNS requests utilizing Cisco Umbrella APIs.
Preliminary developer setup
To create this automation, we assume you’ve an energetic Cisco Umbrella account with API entry, Python3, and an built-in developer surroundings (IDE) that helps Python.
If you happen to’re not but an Umbrella person, otherwise you’d merely prefer to create a proof-of-concept (POC) round this, you’ll be able to leverage the always-on Umbrella Safe Web Gateway sandbox by way of Cisco DevNet.
Defining what site visitors is “unusual”
The day earlier than writing this text, Cisco Umbrella processed over 800 billion DNS requests. On account of this constantly huge quantity of site visitors processing and evaluation, Umbrella maintains an updated “High 1-Million Domains” checklist as a CSV. This data establishes a baseline of what site visitors is frequent.
We will decide what site visitors coming out of your Umbrella community is rare by evaluating it to this High 1-Million Domains checklist.
To do that, we make an API name utilizing the Umbrella Experiences API to retrieve the High Locations seen by your Umbrella community prior to now week. The decision returns a listing of domains from most to least frequent, one per row, as a CSV, that we will clear to take away the rank order and non-domains. (For instance, take away the 8 on this row: 8,www.google.com, and take away IP deal with locations as a result of they gained’t match an Umbrella High 1-Million area)
We will then write logic that compares the domains seen by your community to Umbrella’s High 1-Million and provides any of your domains that aren’t on that checklist to a brand new CSV.
Pattern Code
We’ve written a pattern Python script that can assist you obtain this utilizing your individual DNS site visitors! That script, together with directions for operating it, will be discovered right here.
Investigating unusual domains with Umbrella APIs
When you’ve recognized which domains seen by your community are thought-about much less frequent, you might select to additional examine some—or all—of them utilizing Umbrella Examine.
In case you have an Umbrella DNS Safety Benefit or Safe Web Gateway (SIG) bundle, within the Umbrella dashboard, you’ll be able to navigate to Examine > Good Search and seek for the area you’d like to research. You’ll see outcomes that present data trying one thing like what you see beneath for examplemalwaredomain.com:
Determine 1: The start of Umbrella Examine outcomes for examplemalwaredomain.com
The outcomes first present you each the content material and safety classes for the area, supplied by Cisco Talos. We will see that this area is assessed as malware and is already on a Malware Block Listing; although, if we wished to, we might discover further data on this area throughout Talos, Google, or VirusTotal (prime proper).
Determine 2: The chance rating and safety indicators for examplemalwaredomain.com
Scrolling down the outcomes, we subsequent see the chance rating assigned to this area and the safety indicators that went into calculating that rating. On this case, the area is assessed as Excessive Threat, with further data on the safety indicators used right here.
After viewing primary data on the area, reminiscent of when it was created and from what nation it originates, in addition to related observables like IP addresses, title servers, and information, you’ll discover WHOIS file data on the area (see beneath). You’ll discover that Umbrella Examine permits you to additional examine the related e-mail deal with and nameservers.
Determine 3: WHOIS file knowledge for examplemalwaredomain.com
Lastly, we will view a world map displaying the place DNS requests to examplemalwaredomain.com. Within the instance map beneath, over 95% of DNS requests to this area originate from the USA.
Determine 4: World requestor distribution map for examplemalwaredomain.com
These Umbrella Examine outcomes are additionally obtainable as a part of the Umbrella Examine API, which means that the investigation of those unusual domains can be accomplished programmatically.
Extra alternatives for automation
What are the chances for constructing upon the automation we’ve supplied within the pattern code?
- Examine – including logic that for every unusual area, an API name is made to the Umbrella Examine endpoint to retrieve data and any risk intel
- Ticketing – you may combine a ticketing system, like Jira, by leveraging its API to create and assign a ticket for every unusual area
- Coverage Adjustments – use the Umbrella Locations Listing API to permit or block a number of of the unusual domains
- Reporting – export the unusual domains, and maybe data on them from Umbrella Examine, right into a extra palatable format like PDF. Area data is also enhanced by intel from different safety merchandise, by viewing related units and their relationships with the area utilizing JupiterOne, and/or utilized in a visualization.
- Orchestration – you’ll be able to orchestration an automation workflow with a number of steps (not all of these steps want be automated) utilizing Cisco XDR. The workflow may embrace all steps your group requires for investigation and incident response.
- Communication – relatively than save the ensuing CSV of domains regionally, you might select to robotically e-mail the outcomes to events or publish the outcomes to a messaging platform like WebEx.
Share: