Programmatically filter out unusual DNS Requests with Cisco Umbrella APIs

We use the Web in our on a regular basis lives to get paintings achieved, arrange our lives, or even socialize. We take this Web utilization without any consideration nowadays, however the truth is that we’re speaking greater than ever on an international scale, instantaneously, and continuously, with other people we’ve by no means met in-person or with third-party services and products we don’t totally perceive.

From a cybersecurity point of view, this looks as if a large number of DNS site visitors to have to watch, perceive, and examine. And, there are expanding causes to just do that. After the key Colonial Pipeline ransomware assault that ended in a $4.4 million ransom cost in 2021, the TSA issued (and has since, reissued) a safety directive to pipeline software corporations that, partially, requested them to higher perceive their DNS site visitors.

In fact, pipelines don’t seem to be the one goals of such assaults, which means we want cheap methodologies for figuring out and investigating probably malicious domain names. On this article, we stroll you via how you may programmatically achieve visibility into and examine unusual DNS requests the usage of Cisco Umbrella APIs.

Preliminary developer setup

To create this automation, we think you’ve gotten an energetic Cisco Umbrella account with API get admission to, Python3, and an built-in developer atmosphere (IDE) that helps Python.

In case you’re no longer but an Umbrella consumer, otherwise you’d merely love to create a proof-of-concept (POC) round this, you’ll be able to leverage the always-on Umbrella Protected Web Gateway sandbox via Cisco DevNet.

Defining what site visitors is “unusual”

The day ahead of writing this newsletter, Cisco Umbrella processed over 800 billion DNS requests. Because of this persistently large quantity of site visitors processing and research, Umbrella maintains an up to the moment “Most sensible 1-Million Domain names” record as a CSV. This knowledge establishes a baseline of what site visitors is commonplace.

We will be able to resolve what site visitors coming out of your Umbrella community is rare through evaluating it to this Most sensible 1-Million Domain names record.

To do that, we make an API name the usage of the Umbrella Experiences API to retrieve the Most sensible Locations noticed through your Umbrella community prior to now week. The decision returns an inventory of domain names from maximum to least commonplace, one in step with row, as a CSV, that we will be able to blank to take away the rank order and non-domains. (As an example, take away the 8 on this row: 8,www.google.com, and take away IP cope with locations as a result of they gained’t fit an Umbrella Most sensible 1-Million area)

We will be able to then write common sense that compares the domain names noticed through your community to Umbrella’s Most sensible 1-Million and provides any of your domain names that don’t seem to be on that record to a brand new CSV.

Pattern Code

We’ve written a pattern Python script that can assist you do so the usage of your personal DNS site visitors! That script, together with directions for operating it, can also be discovered right here.

Investigating unusual domain names with Umbrella APIs

When you’ve recognized which domain names noticed through your community are thought to be much less commonplace, chances are you’ll select to additional examine some—or all—of them the usage of Umbrella Examine.

If in case you have an Umbrella DNS Safety Merit or Protected Web Gateway (SIG) bundle, within the Umbrella dashboard, you’ll be able to navigate to Examine > Good Seek and seek for the area you’d like to analyze. You’ll see effects that supply data having a look one thing like what you spot underneath for examplemalwaredomain.com:

Determine 1: The start of Umbrella Examine effects for examplemalwaredomain.com

The effects first display you each the content material and safety classes for the area, equipped through Cisco Talos. We will be able to see that this area is classed as malware and is already on a Malware Block Checklist; regardless that, if we needed to, shall we in finding additional info in this area throughout Talos, Google, or VirusTotal (best proper).

Determine 2: The chance rating and safety signs for examplemalwaredomain.com

Scrolling down the consequences, we subsequent see the danger rating assigned to this area and the protection signs that went into calculating that rating. On this case, the area is classed as Top Chance, with additional info at the safety signs used right here.

After viewing elementary data at the area, akin to when it used to be created and from what nation it originates, in addition to related observables like IP addresses, identify servers, and information, you’ll in finding WHOIS file data at the area (see underneath). You’ll understand that Umbrella Examine lets you additional examine the related electronic mail cope with and nameservers.

Determine 3: WHOIS file information for examplemalwaredomain.com

In any case, we will be able to view an international map appearing the place DNS requests to examplemalwaredomain.com. Within the instance map underneath, over 95% of DNS requests to this area originate from america.

Determine 4: World requestor distribution map for examplemalwaredomain.com

Those Umbrella Examine effects also are to be had as a part of the Umbrella Examine API, which means that the investigation of those unusual domain names can be achieved programmatically.

Further alternatives for automation

What are the probabilities for development upon the automation we’ve equipped within the pattern code?

• Examine – including common sense that for each and every unusual area, an API name is made to the Umbrella Examine endpoint to retrieve data and any risk intel
• Ticketing – you want to combine a ticketing device, like Jira, through leveraging its API to create and assign a price ticket for each and every unusual area
• Coverage Adjustments – use the Umbrella Locations Checklist API to permit or block a number of of the unusual domain names
• Reporting – export the unusual domain names, and most likely data on them from Umbrella Examine, right into a extra palatable layout like PDF. Area data is also enhanced through intel from different safety merchandise, through viewing related gadgets and their relationships with the area the usage of JupiterOne, and/or utilized in a visualization.
• Orchestration – you’ll be able to orchestration an automation workflow with a couple of steps (no longer all of the ones steps want be automatic) the usage of Cisco XDR. The workflow would possibly come with all steps your company calls for for investigation and incident reaction.
• Communique – reasonably than save the ensuing CSV of domain names in the neighborhood, chances are you’ll select to robotically electronic mail the consequences to events or publish the consequences to a messaging platform like WebEx.

Percentage: