The cost of ransomware attacks: Why and how you should protect your data

As the COVID-19 pandemic ravaged the world in 2020, ransomware attacks grew to epidemic proportions of their own. Almost every day, companies large and small across every industry, many of them without adequate ransomware protection, were attacked. With incidents on the rise, organizations are rushing to implement data protection strategies to reduce their exposure.

By 2031, ransomware is likely to cost victims more than $250 billion annually, with a new attack occurring every 2 seconds.1

But, while everyone can agree that ransomware is a major threat, what are the actual costs that come with a ransomware attack? And, more importantly, what can you do to defend yourself from them?

What is ransomware?

Ransomware is malicious software (malware) used in a cyberattack to encrypt a victim’s data with a key known only to the attacker, rendering the data unusable until a ransom payment (usually cryptocurrency like Bitcoin) is paid by the victim. Ransomware activity has become pervasive, impacting 50% of organizations in 2020.2

Recently, however, ransomware incidents have become even more insidious. In the past, attackers simply forced companies to pay a ransom to unlock data. Today, 70% of incidents employ double extortion tactics: attackers also exfiltrate sensitive company information and threaten to publish it, to coerce the victim into paying even more.3 If payment isn’t made, the attackers leak the data on the dark web.

The real costs of ransomware attacks

Ransomware has many costs, from the ransom itself to the cost of recovering from the incident to the damage to your organization’s brand. Together they add up to significant amounts and can take a major toll on your business.

Ransom costs

2020 was a very good year for ransomware attackers. The number of companies willing to pay increased, as did the size of the payouts.

Remediation costs

Beyond the ransom itself, there are the costs of recovering from an attack, including the IT resources needed to rebuild servers and restore data. There are also the costs of disruption to the business, such as revenue lost during downtime.

Intangible costs: more than money

Beyond the direct costs of ransom and remediation, there are the soft costs of PR fiascos, brand erosion, and the reduced confidence of customers and partners. In addition, boards of directors and governments are starting to require immediate reporting of cybersecurity incidents, which consumes resources and incurs further costs. For example, the U.S. Transportation Security Administration (TSA) will require pipeline companies to report incidents within 12 hours.

Using a modern cloud-native security solution for ransomware protection

While ransomware attacks are on the rise — and more costly than ever — there are risk mitigation strategies that you can take to defend against attacks and other cybersecurity threats. Cisco Umbrella, the cloud-native, multi-function security service, unifies firewall, secure web gateway (SWG), DNS-layer security, cloud access security broker (CASB), and threat intelligence into a single cloud service to help businesses of all sizes secure their network against ransomware and cybersecurity threats.

So, how exactly does Cisco Umbrella provide ransomware protection?

Blocks the first phase of attack — malicious internet requests at the DNS layer

Ransomware attackers need to stage internet infrastructure before they can launch an attack. Cisco Umbrella stops ransomware attacks early by blocking internet connections to the malicious sites that serve up ransomware. Cisco Umbrella enforces security at the DNS and IP layers, processing 220 billion internet requests for more than 20,000 businesses every day, preventing users from ever accessing most malicious content sites.

Unifies other security services for robust protection — anywhere and everywhere

With users accessing data and apps both on and off network and on many types of devices, ransomware security needs to be everywhere. Instead of a variety of individual standalone security solutions, Cisco Umbrella combines DNS-layer, firewall, SWG, CASB, and threat intelligence functions into a single cloud service to help businesses of all sizes secure their users, applications, and data, wherever they are.

Leverages unmatched threat intelligence

The best defense is a good offense. Cisco Umbrella uses intelligence from Cisco Talos, one of the largest commercial threat intelligence teams in the world, to proactively discover and block new threats before they turn into attacks. Backed by more than 300 researchers, Cisco Umbrella uncovers and blocks a broad spectrum of malicious domains, IPs, URLs, and files used in attacks.

Delivers proven performance against threats

Cisco Umbrella has a track record of tried-and-tested threat detection and security efficacy, backed by third-party validation. AV-TEST, an independent security organization, conducted a study of threat efficacy among leading cloud security vendors. Cisco Umbrella received top marks across the board, with a 96.39% threat detection rate — the highest in the industry.10

Take preventative action to defend your data

Ransomware attacks and their associated costs pose a serious threat to your business. But there are ways to defend against ransomware and mitigate the risks. Cisco Umbrella uses multiple, advanced security functions to provide protection from ransomware and other security threats. Want to learn even more about how to defend your data? Download the Ransomware Defense for Dummies ebook.

1 Brave, David, Global Ransomware Damage Costs Predicted to Reach $250 Billion (USD) by 2031, Cyber Security Ventures, June 1, 2021.
2 2021 Cyber security threat trends – phishing, crypto top the list, Cisco, June 1, 2021.
3 Brave, David, Global Ransomware Damage Costs Predicted to Reach $250 Billion (USD) by 2031, Cyber Security Ventures, June 1, 2021.
4 Highlights from the 2021 Unit 42 Ransomware Threat Report, Palo Alto Networks, March 17, 2021.
5 Highlights from the 2021 Unit 42 Ransomware Threat Report, Palo Alto Networks, March 17, 2021.
6 Yeap, Yuen Pin, Why Ransomware Costs Businesses Much More Than Money, Forbes, April 30, 2021.
7 Scroxton, Alex, Average Ransomware Cost Triples, Says Report, Computer Weekly, March 17, 2021.
8 Yeap, Yuen Pin, Why Ransomware Costs Businesses Much More Than Money, Forbes, April 30, 2021.
9 Andrus, Danielle, Ransomware Incidents, Costs On the Rise, and No Target Is Too Small, Benefits Pro, May 5, 2021.
10 DNS-Layer Protection & Secure Web Gateway Security Efficacy Test, AV-TEST, February 2021.


Cloud security for manufacturing – gaining control and visibility

I recently had the pleasure of sitting down for ‘coffee’ with Claudio Bolla, Global Information Security Director at INEOS to learn how he’s managing cloud manufacturing security during the pandemic. As a large chemicals company with 26,000 employees, INEOS operates 36 different business units with 196 locations around the world. Their businesses span oil and gas, energy, and chemical production. INEOS manufactures chemicals that have been used to develop the vaccine, hand sanitizer, face masks, the plastic used in aeroplane parts, just to name a few things!

I knew that INEOS did quite a bit of M&A and because of this, finds itself with many disparate businesses, such as INEOS Automotive which is building a 4×4 vehicle (inspired by the Land Rover Defender). But what I didn’t know was that INEOS has made a foray into the beautiful game of football! Turns out sports is one of INEOS’ key pillars. This started with the acquisition of Lausanne Football Club in Switzerland, followed by the Nice Football Club in France. On the philanthropic side, they’ve even developed their own football clubs in underdeveloped countries to improve the social well-being of youth.

When the pandemic hit, many companies sent all or the majority of their employees home to work remotely. However, because INEOS had physical assets with production sites, it wasn’t just a matter of telling everyone to work from home. They had to keep their manufacturing plants running! And it was critical to do so because they were making products that are used to fight the pandemic. They moved from a primarily office-based, production-site approach to a hybrid situation. This transition introduced much complexity, especially given the number of business units, differing types of products, and challenges related to maintaining a secure manufacturing environment in the cloud.

Prior to the pandemic, INEOS turned to Cisco Umbrella to migrate all of their divisions to a single provider for DNS coverage. Umbrella also gives them the ability to let each business unit decide if they want different types of policies for different types of users. With so many contrasting businesses, the security controls for each BU can vary quite a bit. Since they had already deployed Umbrella successfully, when the pandemic hit, INEOS was able to quickly secure remote manufacturing workers using the roaming client: they went from 500 users connecting per day to over 7,000 users in one weekend!

In the talk, Claudio reveals how “an unexpected benefit of Umbrella was App Discovery,” which allows them to uncover cloud storage and reduce risk. Umbrella’s CASB functionality allows customers to gain control and visibility of cloud application and service usage across their entire network, and block risky apps to improve security.

Claudio shared many, many intriguing insights on how to give employees the right level of security at the right time (yes, there is such a thing as too many security controls!).



What is the difference between authoritative and recursive DNS nameservers?

In today’s blog post, we’ll talk about the difference between authoritative and recursive domain name system (DNS) servers. We’ll explain how these two types of DNS servers form the foundation of the internet and help the world stay connected.

What is the domain name system?

Every computer on the Internet identifies itself with an “Internet Protocol” or “IP” address, a series of numbers much like a phone number. You can reach a website either by typing its name or by typing its IP address into your browser’s address bar; both get you to the same destination. All servers that host websites and apps on the internet have IP addresses, too.

Give it a try: the IP address of the Cisco Umbrella website is

The domain name system (DNS) is sometimes referred to as the “phone book” of the Internet. You can connect to our website by typing the IP address into your browser’s address bar, but it’s much easier to type the domain name. DNS was invented so that people didn’t need to remember long strings of numbers (like phone numbers) and could look up websites by human-friendly names instead.

There are too many sites on the Internet for your personal computer to keep a complete list. DNS servers power a website directory service to make things easier for humans. Like phone books, you won’t find one big book that contains every listing for everyone in the world (how many pages would that require? That’s a question for a different blog post.)

There are two types of DNS servers: authoritative and recursive. Authoritative nameservers are like the phone book company that publishes multiple phone books, one per region. Recursive DNS servers are like someone who uses a phone book to look up a number to contact a person or company. Keep in mind that neither of them decides which number belongs to whom: the owner of a domain sets its records (for example, which IP address www points to) and publishes them through its authoritative nameservers, while the domain name registrar records who owns the name and which nameservers are authoritative for it.

Let’s talk about the two different types in more detail.

What is a recursive DNS server?

When you type a website address into your browser address bar, it might seem like magic happens. In reality, the DNS system makes effortless internet browsing possible. First, your browser connects to a recursive DNS server. There are many thousands of recursive DNS servers in the world.  Many people use the recursive DNS servers managed by their Internet Service Provider (ISP) and never change them. If you’re a Cisco Umbrella customer, you’re using our recursive DNS servers instead.

Once your computer connects to its assigned recursive DNS server, it asks the question “what’s the IP address assigned to that website name?” The recursive DNS server doesn’t have a copy of the phone book, but it does know where to find one. So it connects to another type of DNS server to continue the search.

What is an authoritative DNS nameserver?

The second type of DNS server holds a copy of the regional phone book that matches IP addresses with domain names. These are called authoritative DNS servers. Authoritative DNS nameservers are responsible for providing answers to recursive DNS nameservers about where specific websites can be found. These answers contain important information for each domain, like IP addresses.

Like phone books, different authoritative DNS servers cover different portions of the namespace, called zones (a company’s domain, a top-level domain such as your country’s, the root). Whatever zone it covers, an authoritative DNS server performs two important tasks. First, it stores the domain names in its zone and their associated records, such as IP addresses. Second, it responds to requests from a recursive DNS server (the person who needs to look up a number) with the IP address assigned to a domain name, or with a referral to the nameservers one level down when the name lies in a zone it has delegated. After getting the answer, the recursive DNS server sends that information back to the computer (and browser) that requested it. The computer connects to the IP address, the website loads, and the user gets on with their day.

Putting it all together

This process happens so quickly that you don’t even notice it happening — unless, of course, something is broken.

Let’s use a real world example. Imagine that you are sitting at your computer and you want to search for pictures of cats wearing bow ties (hey, we don’t judge). So you decide to visit Google to do a web search.

First, you type Google’s address into your web browser. However, your computer doesn’t know the IP address of Google’s web server, so it starts by sending a query to its assigned recursive DNS nameserver. For this example, we’ll assume you’re one of our customers, so it’s a Cisco Umbrella server. Your computer asks the recursive DNS server to find the IP address of the website. The Cisco Umbrella recursive nameserver is now tasked with finding that IP address. Google is a popular website, so the result will probably be cached. But if the recursive DNS nameserver did not already have a DNS record for the name cached, it needs to ask the authoritative DNS hierarchy for the answer. This is more likely if you are going to a website that is newer or less popular.

Each part of a domain name has a specific authoritative DNS nameserver (or group of redundant authoritative nameservers).

At the top of the server tree are the root nameservers. Every domain name has an implied “.” at the end, even if we don’t type it. This “.” designates the DNS root zone at the top of the hierarchy. The root nameservers know the addresses of the authoritative nameservers that handle the top-level domains (TLDs) like “.com”, “.edu”, or “.gov”. The Umbrella recursive DNS server first asks a root nameserver for the address of the .com TLD servers, since Google’s domain is within the .com TLD.

The root nameserver responds with a referral to the .com TLD servers. Next, the Umbrella recursive DNS server asks the TLD authoritative server where to find the authoritative nameservers for Google’s domain. The TLD server responds with that referral, and the process continues: the authoritative server for Google’s domain is asked for the IP address of the website’s hostname and responds with the answer. Once the Cisco Umbrella recursive DNS server knows the IP address for the website, it responds to your computer with it. Your browser loads Google, and you can get on with more important business: finding pictures of cats in bow ties.
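The walk from root to TLD to the domain’s own nameservers, followed by caching, is easy to miss in prose. Here it is as an added example (not code from the original post): a small recursive resolver run against a simulated hierarchy. The zone data is constructed; the server names and the 203.0.113.x address are documentation placeholders, not real infrastructure, and glue records are abstracted away (the resolver looks each referred-to server up by name).

```python
"""Iterative DNS resolution, walked through against a simulated hierarchy.

Added example, not code from the original post. The zone data is constructed:
server names and the 203.0.113.x address are documentation placeholders, not
real infrastructure. Each simulated authoritative server knows only its own
zone, so the recursive resolver has to follow referrals: root -> .com TLD
servers -> the domain's own nameservers -> answer, then cache the result so
the next client asking for the same name gets it without the round trips.
"""
from dataclasses import dataclass, field

ROOT_SERVER = "root-server.example"

# Constructed zone data. Value is ("A", ip) for a final answer or
# ("NS", server) for a referral to the server authoritative one level down.
# Glue records (the IP of the referred-to server) are abstracted away: the
# resolver just looks the server up by name in ZONES.
ZONES = {
    ROOT_SERVER:        {"com.":             ("NS", "tld-com.example")},
    "tld-com.example":  {"example.com.":     ("NS", "ns1.example.com.")},
    "ns1.example.com.": {"www.example.com.": ("A",  "203.0.113.10")},
}


def authoritative_query(server, name):
    """One question to one authoritative server. It answers only from its own
    zone: the exact name if it has it, else a referral for the longest parent
    it delegates, else NXDOMAIN."""
    zone = ZONES[server]
    labels = name.split(".")
    for i in range(len(labels) - 1):        # try "www.example.com.", "example.com.", "com."
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return ("NXDOMAIN", None)


@dataclass
class RecursiveResolver:
    cache: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)    # every step taken, for the walkthrough

    def resolve(self, name, max_referrals=8):
        """Return the IPv4 address for `name`, or None if no server is authoritative for it."""
        name = name if name.endswith(".") else name + "."   # the implied trailing dot
        if name in self.cache:
            self.trace.append(f"cache hit: {name} -> {self.cache[name]}")
            return self.cache[name]
        server = ROOT_SERVER
        for _ in range(max_referrals):          # bounded so a referral loop can't spin forever
            rtype, data = authoritative_query(server, name)
            self.trace.append(f"asked {server} about {name}: {rtype} {data}")
            if rtype == "A":
                self.cache[name] = data
                return data
            if rtype == "NS":
                server = data                   # follow the referral one level down
                continue
            return None                         # NXDOMAIN: the authoritative server has no such name
        raise RuntimeError("referral chain too long")


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.example.com"))
    print(r.resolve("www.example.com"))         # second lookup is served from cache
    print("\n".join(r.trace))
```

Running it prints the three-step referral chain once, then a single cache hit for the repeat lookup; a name nobody is authoritative for walks the chain and comes back as None, which is the NXDOMAIN case a real resolver turns into an error for the browser.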

Without DNS, the internet stops working

The DNS system is so important to the modern world that we often refer to it as the foundation of the internet. If your recursive DNS service breaks for some reason, you won’t be able to connect to websites unless you type in the IP addresses directly — and who keeps an emergency list of IP addresses in their desk? If the recursive DNS service you use is working, but has been slowed down for some reason (like a cyberattack), then your connection to websites will be slowed down, too.

Cisco Umbrella launched its recursive DNS service in 2006 (as OpenDNS) to provide everyone with reliable, safe, smart, and fast Internet connectivity. Umbrella has a highly resilient recursive DNS network. We’ve had 100% uptime with no DNS outages in our history. Our 30-plus worldwide data centers use anycast routing to send requests transparently to the fastest available data center with automatic failover.

By configuring your network to use Umbrella’s recursive DNS service, you’ll get the fastest and most reliable connectivity you can imagine. But Umbrella provides much more than just plain old internet browsing. Learn more about how we make the internet a safer place for cats in bow ties in our post about DNS-layer security.


Inadequate security makes WordPress sites a land of opportunity for hackers

The famous American robber Willie Sutton was asked once why he robbed banks. His answer was humorous, direct, and revealing: “Because that’s where the money is.”

For hackers, WordPress sites represent a similar rich vein of opportunity. WordPress is one of the world’s most popular web publishing platforms. Its ease of publishing is popular with smaller businesses and organizations looking to establish a quick and easy presence on the internet.

Unfortunately, that same ease lends itself to insecure practices: web platforms that aren’t properly protected, weak passwords, and a lack of administrative controls. The last of these also makes lateral movement easy once an initial web server is compromised, which can greatly increase the scale of the damage and makes WordPress infrastructure very lucrative for hackers.

Cisco Umbrella threat researchers have been analyzing attacks on various WordPress sites recently. We found some interesting examples of how attackers are compromising WordPress sites. Let’s look into it.

How do attackers compromise a WordPress site?

Generally, what we’ve seen are variations of land-and-expand techniques. Hackers seek opportunities to infiltrate weakly protected WordPress sites, identify associated assets through phishing and other subterfuge, and expand their network of compromised assets for further expansion of opportunities to monetize their activities.

There are several ways to infiltrate WordPress infrastructure. But, generally, we’ve seen attackers progress by these sorts of actions:

  1. Take control of the WordPress site through brute force attacks, trojans inside themes and plug-ins, and exploitation of poorly protected admin controls
  2. Host malware
  3. Host phishing pages that mimic popular brands to collect more information
  4. Host spam pages to create more intelligence-gathering opportunities
  5. Most importantly, use the compromised site to attack other WordPress sites

How does an attacker find and select a site to attack?

An attacker can use systems that are designed to scan the internet for vulnerable WordPress sites and then notify the attacker’s command-and-control server.

Another method to discover vulnerable sites for attack is open source domain intelligence. For example, an attacker could find a domain by using Google Dorks.

When our researchers examined the compromised machines, they found a lot of malicious PHP scripts and malware.

First, an attacker appends malicious code to the site’s index page. When a visitor loads the WordPress site, it redirects them to spam pages, or the injected code may make the server do something else entirely.


This attack type is not new — we have been seeing attacks like this for a while.

We also observed cases where malware was hosted on the website. In one case, we found a trojan that made contact with the domain detroidcliper[.]at.

This particular domain is a command-and-control server. It receives a lot of queries, with volumes peaking at about 94,000. We also observed a login panel hosted at this domain that matches the login panel of Sarwent.

Let’s take a closer look at the malicious scripts hosted on a compromised WordPress site. Most are PHP scripts that are heavily obfuscated. The most common obfuscation wraps the payload in nested calls of the form eval(gzuncompress(base64_decode(encoded_content)));, so the real code only exists in memory once the decoding has run.

After decoding the layers, we found a script that contains an executable file delivered as a Base64 string. When the PHP code runs, the executable is executed directly in memory.
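The safe way to see what such a script really does is to peel the eval(gzuncompress(base64_decode(...))) layers off without ever running the PHP. The following is an added example, not code from the Cisco Umbrella research: the “infected” index.php is constructed by wrapping a benign spam redirect in two layers of that pattern using zlib (PHP’s gzcompress emits the same zlib stream), and the scanner decodes each layer in Python and reports what it found. The file contents, the spam.example host and the red-flag keyword list are all assumptions for the demo.

```python
"""Find and unwrap eval(gzuncompress(base64_decode(...))) layers in PHP.

Added example, not from the Cisco Umbrella research. The "infected" file
below is constructed: a benign PHP snippet wrapped in two layers of the
obfuscation pattern described above using zlib (PHP's gzcompress produces
the same zlib stream). The scanner decodes each layer in Python without
ever executing the PHP, which is how an analyst can inspect a suspicious
index.php safely.
"""
import base64
import re
import zlib

# Tolerates the whitespace variations attackers sprinkle in; captures the blob.
PATTERN = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)\s*;"
)

# Strings whose presence in the final payload deserves a second look (assumed list).
RED_FLAGS = ("base64_decode", "system(", "shell_exec", "header('Location", "wp-login.php")


def wrap(php_source):
    """Apply one layer of the obfuscation. Used only to build the constructed sample."""
    blob = base64.b64encode(zlib.compress(php_source.encode())).decode()
    return f"eval(gzuncompress(base64_decode('{blob}')));"


def unwrap_layers(php_source, max_layers=10):
    """Decode nested layers, outermost first. Stops when no pattern is left,
    when a blob fails to decode, or after max_layers (a hostile file could
    nest thousands of times)."""
    layers = []
    current = php_source
    for _ in range(max_layers):
        m = PATTERN.search(current)
        if not m:
            break
        try:
            decoded = zlib.decompress(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        except (zlib.error, ValueError):
            break
        layers.append(decoded)
        current = decoded
    return layers


def scan_file_text(text):
    """Triage one PHP file: was the pattern present, how deep, what's in the
    final payload, and which red-flag strings appear in it."""
    layers = unwrap_layers(text)
    payload = layers[-1] if layers else text
    return {
        "obfuscated": bool(layers),
        "depth": len(layers),
        "payload": payload,
        "red_flags": [kw for kw in RED_FLAGS if kw in payload],
    }


# Constructed sample: a spam redirect, wrapped twice, appended to a legitimate-looking loader.
INNER = "<?php header('Location: http://spam.example/'); exit; ?>"
SAMPLE_INDEX_PHP = (
    "<?php\n/* legitimate WordPress loader */\nrequire __DIR__ . '/wp-blog-header.php';\n"
    + wrap(wrap(INNER))
)

if __name__ == "__main__":
    result = scan_file_text(SAMPLE_INDEX_PHP)
    print(f"obfuscated={result['obfuscated']} depth={result['depth']} flags={result['red_flags']}")
    print(result["payload"])
```

On the sample it reports two layers and surfaces the header('Location redirect; point scan_file_text at the contents of every .php file under a site’s web root to find the injected ones, and treat any file where the pattern appears as compromised regardless of what the payload turns out to be.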

Another function in the PHP code also searches for an exploit in order to perform privilege escalation.

The remainder of the malicious scripts perform various tasks. Some of these redirect to spam sites, give shell access to attackers, and others are used to attempt to compromise other WordPress sites. Generally, the objectives are to collect more intelligence in search of further opportunities to exploit, and compromise more sites to continue the cycle.

A brute force WordPress attack is an ongoing process. On average, a single compromised WordPress site tries to brute force about 2,000 other domains per day. Not every WordPress site will be compromised, but enough WordPress sites have easy-to-guess common passwords to make this type of attack worthwhile. Usually, attackers keep a list of simple passwords and use them to launch a brute force attack on a site.
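Brute forcing at that rate leaves an obvious footprint in the target’s access log: one client posting to the login endpoint over and over. As an added example (not part of the original article), here is a detector that counts POSTs to wp-login.php and xmlrpc.php per client inside a sliding window and flags clients that cross a threshold. The log lines are constructed in the Apache/nginx “combined” format with RFC 5737 documentation addresses; the threshold and window are assumptions to tune for your site.

```python
"""Spotting WordPress login brute forcing in web server access logs.

Added example, not part of the original article. The log lines are constructed
in the Apache/nginx "combined" format and use RFC 5737 documentation addresses.
The detector counts POST requests to wp-login.php and xmlrpc.php (the latter
is also abused for password guessing, since one XML-RPC call can carry many
credential attempts) per client inside a sliding window and flags clients that
cross a threshold. An administrator mistyping a password a few times stays well
below it; a site being hammered does not.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """One combined-format line -> dict, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore query strings like ?action=lostpassword
        "status": int(m["status"]),
    }


def find_brute_forcers(lines, threshold=10, window_seconds=300):
    """Return {ip: peak number of login POSTs seen inside one window} for clients
    that reached `threshold` POSTs to a login endpoint within `window_seconds`."""
    recent = defaultdict(deque)                # per-IP timestamps still inside the window
    flagged = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _line(ip, ts, method, path, status):
    """Constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


def make_sample_log():
    """Constructed traffic: one attacker guessing passwords against wp-login.php,
    another via xmlrpc.php, an admin with three typos, and ordinary page views."""
    base = datetime(2021, 5, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):                                   # 25 guesses in about two minutes
        lines.append(_line("198.51.100.7", base + timedelta(seconds=5 * i), "POST", "/wp-login.php", 200))
    for i in range(12):                                   # 12 XML-RPC calls, 10 s apart
        lines.append(_line("198.51.100.8", base + timedelta(seconds=10 * i), "POST", "/xmlrpc.php", 200))
    for i in range(3):                                    # legitimate admin, a few failed tries
        lines.append(_line("203.0.113.5", base + timedelta(seconds=30 * i), "POST", "/wp-login.php", 200))
    for i in range(40):                                   # ordinary readers: GETs never count
        lines.append(_line("203.0.113.20", base + timedelta(seconds=3 * i), "GET", "/?p=42", 200))
    return lines


if __name__ == "__main__":
    for ip, peak in find_brute_forcers(make_sample_log()).items():
        print(f"{ip}: {peak} login POSTs within 5 minutes")
```

Feed it real lines with something like find_brute_forcers(open("access.log")) and the flagged addresses are candidates for a firewall or rate-limit rule; the status code is parsed but deliberately not used for the decision, because WordPress returns 200 for both failed and successful logins.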

During an analysis of network traffic, we noticed that one of the compromised sites was contacting another domain continuously.

The domain was styleofphucet[.]at. Surprisingly, this one also has high query volume.

This domain was repeatedly contacted during the same compromise that included network callouts to detroidcliper[.]at.

While we were researching more about this attack, we found a domain that was embedded in pages of many compromised domains. We found that it hosted an open directory that was very revealing. Inside the directory, we found almost all of the WordPress domains related to the attacks.

We observed that a massive amount of random text was collected and stored by the attacker. After closer analysis, we realized that it may be browser history of victims.

Why would an attacker store a random massive list of browser history? Isn’t this strange?

We believe that attackers use this browser history to search in various search engines for vulnerable domains using a bot. Any of those domains may become the target.

The attackers also publish sitemaps for the pages they have planted and let search engine bots crawl them. That way, when a user searches for a website, the results point to pages the attackers host instead of the site the user intended to visit.

How can WordPress administrators protect themselves from these kinds of exploits? Whenever a WordPress site is being hosted, the administrator has to make sure that all security requirements are met. So many attacks that are happening today are because of a lack of security controls, use of weak passwords, and because of vulnerable themes and plugins.

Here are some best practices to protect WordPress sites:

  1. Use a strong password and change it regularly
  2. Use adequate access controls
  3. Update plugins and themes

By taking these types of measures, you can reduce the attack surface so that your site is less likely to be compromised.

With Cisco Umbrella, you get instant access to interactive threat intelligence that lets you conduct investigations and uncover attacks before they start. Our recursive DNS servers resolve more than 200 billion requests per day, so we can see the relationships between malware, domains, IPs, and networks across the internet. Our threat analysis learns from internet activity patterns to automatically identify attacker infrastructure being staged for the next threat.

Learn more about how predictive intelligence can make a difference in your ability to stop threats by reading our technical paper, The Role of Predictive Intelligence in the Fight Against Cyber Attacks.

Check out our recent article on threat intelligence to dive into pandemic-themed phishing attacks and uncover how attackers orchestrate sophisticated campaigns to take advantage of the current pandemic.


Possible Compromised sites:




DoH! What’s all the fuss about DNS over HTTPS?

Cisco Umbrella now supports DoH

Not all DNS services are created equal. Some break. Some fail to connect to domain servers. Speeds can vary, and if not kept up to date, some DNS services can affect the ability to work efficiently. But with more than a decade of leadership in recursive DNS services (13+ years and counting!) Cisco Umbrella boasts significant advantages when it comes to understanding how both legitimate and non-legitimate parties register domains, provision infrastructure, and route internet traffic.

Back in the old days when we were known as OpenDNS, we started with the mission to deliver the most reliable, safest, smartest, and fastest DNS resolution in the world. It was a pretty tall order, but we did it — and we’re still doing it today under our new name, Cisco Umbrella. (Here’s one for the trivia champions: OpenDNS was acquired by Cisco on August 27, 2015.)

In fact, TechRadar Pro recognized us as having the best free and public DNS server for 2020. You don’t have to take our word for it — check it out here. But just because we’re the best doesn’t mean we’ll stop innovating.

We recently announced support for DNS over HTTPS, commonly referred to as DoH, a standard published by the Internet Engineering Task Force (IETF) as RFC 8484. Cisco Umbrella offers DNS resolution over an HTTPS endpoint as part of our home and enterprise DNS services. Users may now choose the DoH endpoint instead of sending DNS queries in plaintext, for increased security and privacy. DoH prevents eavesdropping on, and man-in-the-middle manipulation of, DNS data on the path between the client and the resolver. It also stops your ISP from reading your DNS queries, although the ISP can still see the IP addresses you connect to. It can often improve performance, too.

How does it work?

DoH works just like a normal DNS request, except in how the query travels. Both take the domain name a user types into their browser and send a query to a DNS server (resolver) to learn the numerical IP address of the web server hosting that site; the DNS message itself is the same. The difference is that DoH sends that message inside an encrypted HTTPS connection to a DoH-capable resolver on port 443 (as a GET with the message base64url-encoded in the URL, or as a POST body), rather than in plaintext over UDP or TCP on port 53. That stops third-party observers from sniffing the traffic to learn which DNS queries users have run or which websites they intend to access. Because the DoH request is encrypted, it is also invisible to security tooling that relies on passive DNS monitoring to block requests to known malicious domains.
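To make the “same message, different transport” point concrete, here is an added example (not code from the original post) that builds a wire-format DNS query exactly as a port-53 client would, shows the RFC 8484 GET form (base64url, padding stripped, in the dns= parameter) and the POST content type, and parses a resolver’s answer. Nothing touches the network: the endpoint hostname is a placeholder and the response bytes are constructed to look like what a resolver returns.

```python
"""DNS over HTTPS (RFC 8484) on the wire: building the request, reading the reply.

Added example, not code from the original post. It builds the same wire-format
DNS message a port-53 client sends, then wraps it the way DoH does: base64url
(no padding) in the `dns` parameter of an HTTPS GET to the resolver's
/dns-query path, or raw in a POST body with Content-Type application/dns-message.
Nothing touches the network: the endpoint below is a placeholder and the
response bytes are constructed to look like a resolver's answer.
"""
import base64
import struct

DOH_ENDPOINT = "https://doh.resolver.example/dns-query"   # placeholder, not a real resolver
DOH_CONTENT_TYPE = "application/dns-message"              # for POST bodies and the Accept header


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (label-length encoding)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """12-byte header + question section; qtype 1 = A record, class 1 = IN.
    RFC 8484 recommends transaction ID 0 so identical queries yield identical
    URLs that HTTP caches can reuse."""
    flags = 0x0100                                   # QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(wire_query, endpoint=DOH_ENDPOINT):
    """GET form: the whole DNS message, base64url-encoded with '=' padding removed."""
    b64 = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def decode_doh_get(url):
    """Resolver side of the GET form: recover the wire-format query from `dns=`."""
    b64 = url.split("dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)                     # restore the padding the client stripped
    return base64.urlsafe_b64decode(b64)


def skip_name(msg, offset):
    """Advance past a name, whether spelled out or a 2-byte compression pointer."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_a_records(msg):
    """IPv4 addresses from the answer section; [] on a non-zero RCODE such as NXDOMAIN."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(msg, offset) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        offset = skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def constructed_response(query, addresses, rcode=0, ttl=300):
    """Constructed resolver reply: echo the question, then one A record per address
    using a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode                           # QR=1, RD=1, RA=1, plus the RCODE
    answers = addresses if rcode == 0 else []
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + query[12:]
    for addr in answers:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        msg += bytes(int(part) for part in addr.split("."))
    return msg


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(parse_a_records(constructed_response(q, ["203.0.113.10"])))
```

The bytes returned by build_query are what would be sent in a UDP datagram to port 53; the only DoH-specific work is the base64url wrapping and the HTTP headers, which is why a network sensor watching port 53 sees nothing once a browser switches to DoH.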

DoH is a choice, not a requirement

So what’s all the fuss about DoH? It comes down to user privacy, and since privacy is a hot topic, it will continue to be blogged and chatted about widely. Whether to block DoH is a choice each organization makes for itself. Mozilla blazed the trail with the Firefox browser, and other vendors like Microsoft and Google have announced plans to add DoH support in future releases of Windows and Chrome. Mozilla began enabling DoH by default in Firefox 69 and started rolling it out gradually in September 2019. Cisco Umbrella supports Mozilla’s canary domain, meaning that Firefox will disable its own DoH for users of Cisco Umbrella.

Because DoH is configured within the application, the DNS servers configured by the operating system are not used. This means that the protection provided by Cisco Umbrella may be bypassed by applications using DoH. But don’t worry… you can block this feature easily with Umbrella, too. Most of our enterprise customers choose not to utilize DoH. It isn’t right for everyone.

Protect your Umbrella settings

Our team at Cisco Umbrella recommends that companies use enterprise policies to manage DoH on endpoints they control. For detailed help on how to proceed, check out this helpful article, GPO and DoH.

To block DoH providers and keep your Umbrella deployment settings follow these simple steps:

1. Navigate to Policies > Content Categories

2. Select the category setting currently in use.

3. Ensure that “Proxy/Anonymizer” is selected

4. Save.

Your users will now remain covered by Umbrella as Firefox gradually rolls out this change to their users.

How to disable DoH in Firefox

Firefox allows users (via settings) and organizations (via enterprise policies and a canary domain lookup) to disable DoH when it interferes with a preferred policy. For existing Firefox users in the United States, a notification is displayed when DoH is first enabled, allowing the user to opt out and continue using the default OS DNS resolver.

Reliable, effective protection with Cisco Umbrella

Cisco Umbrella is the leading provider of network security and DNS services, enabling the world to connect to the internet with confidence on any device. When connecting directly to the internet, organizations need security that is incredibly reliable and eliminates performance problems for end users. Umbrella is built upon a global cloud infrastructure that has delivered 100% uptime since 2006 and we provide automated failover for simplified deployment and management. By leveraging our extensive peering relationships with the top internet service providers (ISPs), content delivery networks (CDNs), and SaaS platforms, such as O365, Umbrella optimizes the routes between core networks and our cloud hubs, providing superior performance and user satisfaction.

Umbrella’s support for DoH is just another demonstration of our commitment to delivering the best, most reliable, and fastest internet experience to more than 100 million enterprise and consumer users (and counting).

For more information on DoH, visit our knowledge base.


Working at Home? How to Protect Against Phishing During a Pandemic with Cisco Umbrella and OpenDNS

In the wake of this unprecedented global health crisis, cyber attackers have shown no mercy. Earlier this week it was reported that hospitals in the U.S. and Europe, which have been struggling for weeks with an influx of patients, are now dealing with yet another issue: a surge of phishing and ransomware attacks. Even amidst a pandemic, attackers are looking for ways to exploit our most critical institutions and take advantage of vulnerable people with malicious campaigns.

If we look back to the beginning of March, there were relatively few domains that even mentioned the words “COVID” or “Corona.” This is how quickly things have changed over the past month: on Friday April 3, 2020, there were more than 117,000 domains that included these keywords. Of those, more than 75,000 were phishing or otherwise malicious in nature. That means roughly two-thirds of all domains mentioning “COVID” or “Corona” were malicious!

Fortunately, the recent global events have demonstrated the resilience of the cybersecurity community to combat new threats. Security professionals have come together quickly to share knowledge and combat these bad actors. I’m proud to share that we have recently made a number of updates to the Cisco Umbrella and OpenDNS services to ensure that we are protecting our users against pandemic themed cyberattacks.

What are you doing to stay safe online at home?

As many of us are now working and spending a lot more time at home, it’s important to think about how you can stay safe online. The good news: Cisco can help.

To protect your family and home network, OpenDNS makes the web a safer place with customizable parental controls and basic security protection. And I should mention that it’s free and simple to get started with at home!

For enterprises, Cisco Umbrella delivers flexible, fast and effective cloud security so you can secure your remote workers, even in a matter of minutes. Cisco Umbrella combines multiple security functions into a single cloud-delivered service — helping you deliver the right level of security anywhere your users work.

How we protect against attacks

Our global cloud infrastructure resolves over 200 billion DNS requests daily, far more than any other security vendor, giving our researchers a unique view of the internet to better identify threats faster. We also have a team of industry-renowned researchers that are constantly finding new ways to uncover fingerprints that attackers leave behind, so that we have visibility into the bad neighborhoods on the internet. If a webpage you are trying to reach is malicious, we will stop the connection at the earliest possible point and give you a block page instead. Easy peasy!

How we block COVID-19 related phishing attacks

Our phishing category leverages indicators derived from multiple sources, including Cisco Talos intelligence, lexical clustering of domains, a natural language processing model, and a spike rank model, which detects sudden spikes of traffic to particular domains. Now, this phishing category also includes a blacklist of vetted COVID-19 URLs, domains, and IP addresses.

We update the phishing category continuously with the latest malicious indicators of compromise as provided via the COVID-19 Cyber Threat Coalition (CTC). This incredible organization is a global volunteer community of 2,500+ security professionals who are focused on stopping these bad actors, by carefully vetting IOCs for the security industry and sharing intelligence in this time of crisis.
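As an added illustration of two of the signals named above, the spike rank model (a sudden surge of queries to one domain) and a lexical check for pandemic themed keywords, here is a small scorer over DNS query logs. This is not Cisco Umbrella's code: the log format, domain names, thresholds and query counts are constructed for the example.

```python
import re
from collections import Counter, defaultdict

COVID_KEYWORDS = ("covid", "corona")


# Constructed sample DNS query log in a hypothetical "<hour> <client_ip> <qname>" format.
def _lines(hour, client, qname, n):
    return [f"{hour} {client} {qname}" for _ in range(n)]


SAMPLE_LOG = (
    # Steady, legitimate traffic: ten queries every hour for six hours.
    sum((_lines(h, "10.0.0.5", "mail.example.com", 10) for h in range(6)), [])
    # Pandemic-themed name with low, flat traffic: keyword hit only.
    + sum((_lines(h, "10.0.0.7", "corona-info.example", 3) for h in range(6)), [])
    # Lure-style name that barely resolved before, then surges in hour 5.
    + sum((_lines(h, "10.0.0.9", "covid19-relief-login.example", 1) for h in range(5)), [])
    + _lines(5, "10.0.0.9", "covid19-relief-login.example", 40)
    # Surge with no pandemic keyword: spike only.
    + sum((_lines(h, "10.0.0.3", "cdn-assets.example.net", 2) for h in range(5)), [])
    + _lines(5, "10.0.0.3", "cdn-assets.example.net", 30)
    + ["garbage line that does not parse"]
)

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(lines):
    """Return {qname: Counter(hour -> query count)}; malformed lines are skipped."""
    per_domain = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hour, _client, qname = m.groups()
        per_domain[qname.lower().rstrip(".")][int(hour)] += 1
    return per_domain


def spike_score(counts, current_hour, baseline_hours=5):
    """Ratio of the current hour's volume to the mean of the preceding window.

    The baseline is floored at one query per hour so that a domain nobody
    queried before still yields a finite, large ratio instead of dividing by zero.
    """
    window = [counts.get(h, 0) for h in range(current_hour - baseline_hours, current_hour)]
    baseline = max(sum(window) / len(window), 1.0)
    return counts.get(current_hour, 0) / baseline


def has_pandemic_keyword(qname):
    """Lexical check: any label of the name contains one of the keywords."""
    labels = qname.lower().split(".")
    return any(k in label for label in labels for k in COVID_KEYWORDS)


def classify(per_domain, current_hour, spike_threshold=5.0, min_queries=20):
    """Combine both signals into a per-domain verdict for the given hour."""
    verdicts = {}
    for qname, counts in per_domain.items():
        spiked = (spike_score(counts, current_hour) >= spike_threshold
                  and counts.get(current_hour, 0) >= min_queries)  # ignore tiny absolute volumes
        keyword = has_pandemic_keyword(qname)
        if spiked and keyword:
            verdicts[qname] = "review-phishing"   # both signals: strongest candidate
        elif spiked:
            verdicts[qname] = "spike"
        elif keyword:
            verdicts[qname] = "keyword-watch"
        else:
            verdicts[qname] = "normal"
    return verdicts


def analyze(lines, current_hour):
    return classify(parse_log(lines), current_hour)


if __name__ == "__main__":
    for name, verdict in sorted(analyze(SAMPLE_LOG, 5).items()):
        print(f"{verdict:16} {name}")
```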

All Cisco Umbrella enterprise users and OpenDNS consumer users are now protected against COVID-19 themed cyberattacks.

Click with caution: phishing tips to protect you

Now, more than ever, it is important to stay vigilant online. We see very sophisticated spam in these pandemic themed attacks. Generally speaking, the guidelines for identifying a phish have evolved. Think before you click, and keep in mind these helpful tips:

  • Don’t count on an obvious spelling mistake or grammatical error in order to identify that it’s a phishing email.
  • Avoid strangers by checking names and email addresses.
  • Keep in mind that the email could seemingly come from someone you know. Be wary of unusual requests, even from known senders.
  • Be extra cautious before you click! Hovering over a link will not always show you the final destination of a URL. The link could go through several redirects, which could land you on a different website.
  • Do not trust a website just because you see HTTPS. Threat actors can obtain certificates for creating HTTPS websites.
  • Never give out personal or financial information from an email request.

Get protection at home for free

It only takes one wrong click for cybercriminals to get a foothold into your network. Take steps to ensure that you are safely connecting to the internet.

Get started with the OpenDNS free home service or the Cisco Umbrella free trial today!

You can easily get protection in minutes. Also, you can extend the initial Cisco Umbrella 14-day trial period to 90 days by contacting the Cisco sales team. This offer will be available from now until July 1, 2020. Check out this blog for more information on additional security offerings Cisco is providing for free during this time of need.

#CyberSelfCare: Reinvest Your Commute Time with Cybersecurity Training and Education

This is the second article in our set of #CyberSelfCare blogs to help you educate yourself, your coworkers, family, and friends about how to protect their digital presence.

In last week’s blog post, we talked about how to maintain your sanity while working from home. Working from home has a lot of challenges, but it has major benefits, too. When you work from home, your commute time is greatly reduced. Instead of driving your car, riding a train, riding a bike, or walking to the office, all you have to do is turn on your computer and start working. Anyone who has ever had a long commute can appreciate this.

For my first job, I commuted on the train to New York City from a small town in the suburbs. Every day, I spent more than 4 hours on my commute — just traveling to and from the office — and this was before the days of WiFi on public transit. Later, I switched to commuting by car, but with unpredictable traffic, it wasn’t much better. It’s not quite that bad everywhere, but anyone who works in a major metropolitan area like San Francisco, London, or Los Angeles will agree – commuting is exhausting and stressful!

One of the single biggest benefits of working remotely is spending less time traveling to and from the office. If you’re new to working from home, you might find yourself with more time in your day. How will you spend it? With that time, you can focus on things that you might not otherwise have time to do if you were still commuting. Sure, you can spend that extra time sleeping and watching reality shows, but what about setting a goal to invest some of that extra time in cybersecurity training?

In this week’s post, we’ve curated a list of educational resources you can use to learn more about cybersecurity on your own schedule.

Read Cybersecurity Blogs

You’re already reading our blog, so why not start reading a few more? In these blogs, you get immediate access to some of the best minds in cybersecurity research and threat hunting.

  • Krebs on Security is written by Brian Krebs, a former Washington Post reporter and well-known cybersecurity expert.
  • Schneier on Security is written by Bruce Schneier, a Harvard fellow and internationally renowned cybersecurity guru.
  • Cisco Talos Blog is written by one of the largest commercial threat intelligence teams in the world, made up of world-class researchers, analysts and engineers.

Listen to a Security Podcast

If you used to have a long commute, you may already listen to podcasts. Podcasts are a great way to stay up to date on a topic that interests you, and are especially good for listening when taking a walk or during a workout. There’s a podcast for everyone, and that includes people interested in security threats.

  • Talos Takes — join Cisco Talos researchers and analysts as they cover everything from breaking news to the latest trends in cybersecurity.
  • Beers with Talos — listen to the security experts from Talos as they dive into topics like emerging threats, hacking, and other security issues over beers. Shhh… we won’t tell anyone if you enjoy an adult beverage while you listen.
  • Security Stories — enjoy an interview-based podcast full of insights from CISOs and featuring unique, strange, and often hilarious stories about leading cybersecurity efforts in an organization.

Attend a Live or On-Demand Webinar

Our security experts deliver virtual talks on a wide range of topics, with options for technical and non-technical audiences. There are plenty of live and on-demand webinars to choose from, including:

Want to listen to a webinar, but don’t have a lot of time? We have the answer for you! Our Dip in the Deep End series of mini-webinars packs a treasure trove of information into 10 short minutes. Check out some of our recent topics:

Read a Cybersecurity Book

Maybe you prefer reading a book to listening to a podcast or webinar. The Cisco Umbrella team has published a vast library of cybersecurity ebooks for you to read, and they’re short enough to read in one sitting.

Complete a Cyber Ops Certification

If you have a lot of spare time and a desire to challenge yourself, consider the new Cisco Certified Cyber Ops Associate certification. This credential is designed to prepare you for associate-level job roles in a security operations center (SOC).

The program consists of a training course and exam that cover the foundational skills, processes, and knowledge you need to prevent, detect, analyze, and respond to cybersecurity incidents. At the time of writing this blog post, all Cisco certification exams can be completed online from the comfort of your home.

Even if you’re not pursuing a career in cybersecurity operations, a certification is a great option for anyone who wants to do a deeper dive into cybersecurity topics and prove their knowledge to current and future employers.

Knowledge is Power

At Cisco, we’re always learning, and our researchers are pushing the boundaries of threat research and security best practices. It’s harder than ever to keep up with the constant changes in the network security world. Spending just a few minutes per day on continuing education can make you into the trusted cybersecurity expert at your company!

AV-TEST Places Cisco Umbrella First in Security Efficacy

When it comes to rating the effectiveness of security solutions, efficacy is king. Why? All it takes is one malicious request slipping through the net for a damaging breach to take place.

Lots of network security providers claim they are the best at threat detection and prevention. But can they prove it? Brand new third-party research from AV-TEST reveals that Cisco Umbrella is the industry leader in security efficacy, according to the 2020 DNS-Layer Protection and Secure Web Gateway Security Efficacy report.

AV-TEST is the leading independent research institute for IT security in Germany. For more than 15 years, the cybersecurity experts from Magdeburg have delivered quality-assuring comparison and individual tests of virtually all internationally relevant IT security products.

In November and December 2019, AV-TEST performed a review of Cisco Umbrella alongside comparable offerings from Akamai, Infoblox, Palo Alto Networks, Symantec and Zscaler.

In order to ensure a fair review, the research participants did not supply any samples (such as URLs or metadata) and did not influence or have any prior knowledge of the samples being tested. All products were configured to provide the highest level of protection, utilizing all security-related features available at the time.

The test focused on the detection rate of links pointing directly to PE malware (e.g. EXE files), links pointing to other forms of malicious files (e.g. HTML, JavaScript) as well as phishing URLs. A total of 3,668 samples were included in the testing.

DNS-Layer Protection Test

In the first part of this study, DNS-layer protection was tested. DNS-layer protection uses the internet’s infrastructure to block malicious and unwanted domains, IP addresses, and cloud applications before a connection is ever established as part of recursive DNS resolution. DNS-layer protection stops malware earlier and prevents callbacks to attackers if infected machines connect to your network.

An ideal use case for DNS-layer protection is guest wifi networks. With guest wifi it is usually not possible to install a trusted certificate on the guests’ devices, so HTTPS inspection is not possible. The study, however, shows that DNS-layer protection without a selective proxy still provides a good base layer of security.

DNS-layer protection with selective cloud proxy redirects only risky domain requests for deeper inspection of web content, and does so transparently through the DNS response. A common use case for selective proxy is corporate owned devices where there is a need to inspect risky traffic including HTTPS, but for privacy considerations, certain content categories such as financial or healthcare can be excluded from HTTPS inspection in the selective proxy.
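As an added example (not Cisco Umbrella's code), here is a small model of the decision a policy-aware DNS resolver makes for the two deployments just described: a guest network that can only block at the DNS layer, and a corporate policy that additionally steers risky domains to a selective proxy through the DNS answer while keeping financial and healthcare categories out of inspection. The categories, addresses and domain names are constructed.

```python
from dataclasses import dataclass

BLOCK_PAGE_IP = "192.0.2.10"    # placeholder (TEST-NET-1) address of the block page
PROXY_IP = "198.51.100.20"      # placeholder (TEST-NET-2) address of the selective proxy

# Constructed category feed: a category on a parent domain also covers its subdomains.
DOMAIN_CATEGORIES = {
    "login-update-bank.example": {"phishing"},
    "files.freehost.example": {"risky"},                     # low-reputation hosting
    "portal.examplebank.example": {"financial", "risky"},
    "records.examplehealth.example": {"healthcare", "risky"},
    "video.example.org": {"streaming"},
}

# Constructed upstream answers standing in for real recursive resolution.
UPSTREAM_ANSWERS = {
    "login-update-bank.example": "203.0.113.5",
    "www.login-update-bank.example": "203.0.113.5",
    "files.freehost.example": "203.0.113.6",
    "portal.examplebank.example": "203.0.113.7",
    "records.examplehealth.example": "203.0.113.8",
    "video.example.org": "203.0.113.9",
    "intranet.example.com": "203.0.113.10",
}


@dataclass(frozen=True)
class Policy:
    block_categories: frozenset   # categories answered with the block page
    proxy_risky: bool             # steer "risky" domains to the selective proxy
    proxy_exclusions: frozenset   # privacy categories never sent through the proxy


# Guest wifi: no trusted certificate on the devices, so DNS-layer blocking only.
GUEST_WIFI = Policy(frozenset({"phishing", "malware"}), False, frozenset())

# Corporate-owned devices: block more, proxy risky domains, keep financial/healthcare direct.
CORPORATE = Policy(frozenset({"phishing", "malware", "streaming"}), True,
                   frozenset({"financial", "healthcare"}))


def lookup_categories(qname):
    """Union of the categories of the name and every parent domain."""
    labels = qname.split(".")
    cats = set()
    for i in range(len(labels)):
        cats |= DOMAIN_CATEGORIES.get(".".join(labels[i:]), set())
    return cats


def resolve(qname, policy):
    """Return (action, ip) where action is 'block', 'proxy', 'allow' or 'nxdomain'.

    Order matters: a block verdict wins over proxying, and a privacy exclusion
    turns a would-be proxy verdict into a direct, uninspected answer.
    """
    qname = qname.lower().rstrip(".")
    cats = lookup_categories(qname)
    if cats & policy.block_categories:
        return "block", BLOCK_PAGE_IP
    if policy.proxy_risky and "risky" in cats and not cats & policy.proxy_exclusions:
        return "proxy", PROXY_IP
    answer = UPSTREAM_ANSWERS.get(qname)
    if answer is None:
        return "nxdomain", None
    return "allow", answer


if __name__ == "__main__":
    for name in ["www.login-update-bank.example", "files.freehost.example",
                 "portal.examplebank.example", "video.example.org", "intranet.example.com"]:
        print(f"{name:32} guest={resolve(name, GUEST_WIFI)[0]:8} corporate={resolve(name, CORPORATE)[0]}")
```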

For the DNS-layer protection testing, the products achieved the following blocking rates:

Cisco Umbrella performed significantly better than other vendors with a 51% detection rate for DNS-layer protection. Cisco Umbrella’s selective proxy makes a big difference in effective threat detection and increased the blocking rate to 72%.

Secure Web Gateway Test

In the second part of the study, the web gateway solutions were tested. A secure web gateway is based on a full web proxy that sees and inspects all web connections. Unlike DNS-layer protection which only analyzes domain names and IP addresses, a web proxy sees all files and the full URLs enabling more granular inspection and control.

Organizations adopt secure web gateways when they are looking for more flexibility and control. Common use cases for a secure web gateway include: needing full visibility of web activity, inspection of granular app controls, the ability to block specific file types and inspection of all HTTPS content with the ability to exclude specific content.

For secure web gateway testing, the products achieved the following blocking rates:

In this test scenario, Cisco Umbrella outperformed the other vendors’ offerings in terms of security efficacy.

In both test scenarios, the Cisco Umbrella detection rate outperformed the offerings from other vendors.

These test results demonstrate several key takeaways. Organizations should adopt a layered approach to security. DNS-layer protection is simple and adds to the overall security efficacy. In use cases where deploying a selective proxy is possible, the security efficacy and blocking rates improve significantly. As seen in the test results, a secure web gateway full proxy solution provides the highest level of protection.

For more information on specific configurations and the detailed test results, read the full report by AV-TEST.

Cybersecurity Terms and Threats You Need to Know in 2020

Let’s do a show of hands — who loves jargon? Anyone?

I didn’t think so.

Face it, aside from trivia champions, jargon doesn’t make life any easier for us. If you’re attending your first security conference this year, you might feel like you need an interpreter to make sense of the technical terminology and acronyms you’ll find around every corner.

At Cisco Umbrella, we’re fluent in cybersecurity – and we want to help you make sense of the often-confusing security landscape! In this post, we define key cybersecurity terms that everyone should know in 2020 — and beyond.

Part 1: Threats

Backdoor: A backdoor is an access point designed to allow quick and undetected entrance to a program or system, usually for malicious purposes. A backdoor can be installed by an attacker using a known security vulnerability, and then used later to gain unfettered access to a system.

Botnet: The term is a portmanteau of “robot network.” A botnet is a collection of infected machines that can be used for any number of questionable activities, from cryptomining to DDoS attacks to automated spam comments on blogs.

Command-and-control (C2) attacks: Command-and-control attacks are especially dangerous because they are launched from inside your network. Security technologies like firewalls are designed to recognize and stop malicious activity or files from entering your network. However, a command-and-control attack is trickier than a standard threat. A file doesn’t start out showing any malicious behavior, so it is deemed harmless by your firewall and permitted to enter your network. Once inside, the file stays dormant for a set period of time or until it is triggered remotely. Then, the file reaches out to a malicious domain and downloads harmful data, infecting your network.

Denial of Service (DoS) Attack: This type of attack consumes all of the resources of a target so that it can no longer be used or reached, effectively taking it down. DoS attacks are designed to take a website or server offline, whether for monetary, political, or other reasons. A DDoS, or Distributed Denial of Service attack, is a subcategory of DoS attack that is carried out using two or more hosts, often via a botnet.

Drive-by download: A drive-by download installs malware invisibly in the background when the user visits a malicious webpage, without the user’s knowledge or consent. Often, drive-by downloads take advantage of browser or browser plug-in vulnerabilities that accept a download under the assumption that it’s a benign activity. Using an up-to-date secure browser can help protect you against this type of attack.

Exploit: An exploit is any attack that takes advantage of a weakness in your system. It can make use of software, bits of data, and even social engineering (like pretending to be someone from your IT team who needs your password to perform a security update). To minimize exploits, it’s important to keep your software up-to-date and to be aware of social engineering techniques (see below).

Malware: Malware is a generic term for any program installed on a system with the intent to corrupt, damage, or disable that system. Razy, TeslaCrypt, NotPetya, and Emotet are a few recent examples.

  • Cryptomining malware: Cryptomining by itself is not necessarily malicious — many people mine cryptocurrency on their own systems. Malicious cryptomining, however, is a browser- or software-based threat that enables bad actors to hijack system resources to generate cryptocurrencies. Cryptomining malware is an easy way for bad actors to generate cash while remaining anonymous and without having to use their own resources. Learn more about the cryptomining malware threat.
  • Ransomware: Ransomware is malware used to encrypt a victim’s data with an encryption key that is known only to the attacker. The data becomes unusable until the victim pays a ransom to decrypt the data (usually in cryptocurrency). Ransomware is a fast-growing and serious threat — learn more in our newly updated guide to ransomware defense.
  • Rootkits: A rootkit is a malicious piece of code that hides itself in your system, prevents detection, and enables bad actors to gain continued access to your system. If attackers gain full access to your system once, they can use rootkits to continue that access over a long period of time.
  • Spyware: Malicious code that gathers information about you and your browsing habits, and then sends that information to a third party.
  • Trojans: A trojan is a seemingly innocuous program that acts as a front for malicious code hiding inside. Trojans can do any number of things, from stealing data to allowing remote system control. These programs take their name from the famous Grecian “Trojan Horse” that took advantage of a similar vulnerability.
  • Viruses: Often used as a blanket term, a virus is a piece of code that attaches itself to files, such as email attachments or files you download online. Once it infects your system, it can cause all kinds of problems, whether that means deleting system files or corrupting your data. Computer viruses also replicate and spread across networks – just like viruses in the physical world.
  • Worms: A worm is a type of malware that clones itself in order to spread to other computers, performing various damaging actions on whatever system it infects. Unlike a virus, a worm exists as a standalone entity — it isn’t hidden inside something else like an attachment.

MitM or Man-in-the-Middle Attack: A MitM attack is pretty much what it sounds like. An attacker will intercept, relay, and potentially change messages between two parties without their knowledge. MitM can be used to break encryption, compromise account details, or gain access to systems by impersonating a user.

Phishing: Phishing is a technique that mimics a legitimate communication (like an email from your online bank) to steal sensitive information. Like fishermen with a lure, attackers will attempt to take your personal information by using fake emails, forms, and web pages to coax you to provide it to them.

  • Spear phishing is a form of phishing that targets one specific individual by using publicly accessible data about them, like from a business card or social media profile.
  • Whale phishing goes one step further than spear phishing and describes a targeted attack on a high-ranking individual, like a CEO or government official.

Social engineering: A general term for any activity in which an attacker is trying to manipulate you into revealing information, whether over email, phone, web forms, or social media platforms. Passwords, account credentials, social security numbers — we often don’t think twice about giving this information away to someone we can trust, but who’s really on the other end of the line? Protect yourself, and think twice before sharing. It’s always OK to verify the request for information in another way, like calling an official customer support number.

Zero-day (0day): A zero-day attack is when a bad actor exploits a new, previously unknown software vulnerability for which there is no patch. It’s a constant struggle to stay ahead of attackers, but you don’t have to do it alone — you can get help from the security experts at Cisco Talos.

Part 2: Solutions

Anti-malware: Anti-malware software is a broad category of software designed to block, root out, and destroy viruses, worms, and other nasty things that are described in this list. These products need to be updated regularly to ensure that they remain effective against new threats. They can be deployed at various points in the network chain (email, endpoint, data center, cloud) and either on-premises or delivered from the cloud.

Cloud access security broker (CASB): This is software that provides the ability to detect and report on the cloud applications that are in use across your environment. It provides visibility into cloud apps in use as well as their risk profiles, and the ability to block/allow specific apps. Read more about securing cloud apps here.

Cloud security: This is a subcategory of information security and network security. It is a broad term that can include security policies, technologies, applications, and controls that are used to protect sensitive company and user data wherever it is exposed in a public, private, or hybrid cloud environment.

DNS-layer security: This is the first line of defense against threats because DNS resolution is the first step in establishing a connection to the internet. It blocks requests to malicious and unwanted destinations before a connection is even established — stopping threats over any port or protocol before they reach your network or endpoints. Learn more about DNS-layer security here.

Email security: This refers to the technologies, policies, and practices used to secure the access and content of email messages within an organization. Many attacks are launched via email messages, whether through targeted attacks (see note on phishing above) or malicious attachments or links. A robust email security solution protects you from attacks whether email is in transit across your network or when it is on a user’s device.

Encryption: This is the process of scrambling messages so that they cannot be read until they are decrypted by the intended recipient. There are several types of encryption, and it’s an important component of a robust security strategy.

Endpoint security: If DNS-layer security is the first line of defense against threats, then you might think of endpoint security as the last line of defense! Endpoints can include desktop computers, laptop computers, tablets, mobile phones, desk phones, and even wearable devices — anything with a network address is a potential attack path. Endpoint security software can be deployed on an endpoint to protect against file-based, fileless, and other types of malware with threat detection, prevention, and remediation capabilities.

Firewall: Imagine all the nasty, malicious stuff on the Internet without anything to stop it. A firewall stands between your trusted entities and whatever lies beyond, controlling access based on security rules. A firewall can be hardware or software, a standalone security appliance or a cloud-delivered solution.

Next-generation firewall (NGFW): This is the industry’s new solution for an evolved firewall. It is typically fully integrated with the rest of the security stack, threat-focused, and delivers comprehensive, unified policy management of firewall functions, application control, threat prevention, and advanced malware protection from the network to the endpoint.

Security information and event management (SIEM): This is a broad term for products that deal with security information management (SIM) and security event management (SEM). These systems allow for aggregation of information and events into a single “pane of glass” for security teams to use.

Secure web gateway (SWG): This is a proxy that can log and inspect all of your web traffic for greater transparency, control, and protection. It allows for real-time inspection of inbound files for malware, sandboxing, full or selective SSL decryption, content filtering, and the ability to block specific user activities in select apps.

Secure internet gateway (SIG): This is a cloud-delivered solution that unifies a variety of connectivity, content control, and access technologies to provide users with safe access to the internet, both on and off the network. By operating from the cloud, a SIG protects user access anywhere and everywhere, with traffic routing to the gateway for inspection and policy enforcement regardless of what users are connecting to, or where they’re connecting from. Because a SIG extends security beyond the edge of the traditional network — and without the need for additional hardware or software — thousands of enterprises have adopted it as a modern catch-all for ensuring that users, devices, endpoints, and data have robust protection from threats.

Secure access service edge (SASE): Gartner introduced an entirely new enterprise networking and security category called “secure access service edge.” SASE brings together networking and security services into one unified solution designed to deliver strong security from edge to edge — in the data center, at remote offices, with roaming users, and beyond. By consolidating a variety of powerful point solutions into one solution that can be deployed anywhere from the cloud, SASE can provide better protection and faster network performance, while reducing the cost and work it takes to secure the network.

Cybersecurity is always evolving, and it can be hard to keep up with the rapid pace of changes. Be sure to bookmark this blog post – we’ll keep it up to date as new threats and technologies emerge. To learn more, check out our recent blog posts about cybersecurity research, or come chat with our security experts in person in Barcelona at Cisco Live EMEA this month. Don’t be shy!

How DNS-Layer Security Can Improve Cloud Workloads

More organizations are adopting the public cloud for their enterprise workloads. Gartner has forecasted1 that by 2020, less than 5% of enterprise workloads will be running in true on-premises private clouds. As workloads move to public clouds, it is crucial that security architectures evolve to protect those workloads, wherever they are.

Like with on-premises applications, a layered security approach works better than point solutions for cloud workloads. But the security challenges in the cloud are different. Without a physical data center in which you build your security stack to protect your data, it’s difficult to know if you’re fully protected everywhere your enterprise data is exposed.

That’s where DNS-layer security comes in. Since DNS is built into the foundation of the Internet, security at the DNS layer can be simple to deploy and highly effective, whether your enterprise uses on-premises architecture or the public cloud. Cisco Umbrella provides DNS-based security that blocks requests to malware, phishing, and botnets before a connection is even established. It can prevent cloud workloads from being leveraged for malicious cryptomining by blocking requests to suspicious domains. Content category blocking can also be configured to prevent cloud workloads from being used by employees to circumvent on-premises content filtering rules.

One of the simplest approaches to enable DNS-based security for cloud-native workloads is to point the DNS server used by these workloads to Cisco Umbrella. This enables DNS-level blocking of malicious domains and provides an added layer of security. However, since most cloud workloads tend to access the Internet through an ephemeral public IP address, it is difficult to define policy or to view reporting of DNS activity in the public cloud.

Another approach is to deploy the Cisco Umbrella Virtual Appliance in a Virtual Private Cloud (VPC) in the public cloud. Workloads in that VPC can use the Virtual Appliance as their DNS server. The Virtual Appliance forwards DNS requests for external domains to Umbrella and includes the source IP of the requesting workload in the DNS metadata. Virtual Appliances include a customer identifier in each outgoing DNS request, which enables them to be used for environments with ephemeral public IP addresses. With the Virtual Appliance approach, subnet-based content filtering policies can be defined for cloud workloads. Umbrella can also provide visibility into the source of malicious domain requests, allowing administrators to quickly remediate these workloads.

The Cisco Umbrella Virtual Appliance now supports deployment in the three major public cloud platforms: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). With many organizations now adopting a multi-cloud strategy2, deploying Umbrella Virtual Appliances in the respective public cloud VPCs can provide a highly effective added layer of security for workloads deployed in any of these platforms, as well as improved visibility into activity.

What are you waiting for? Sign up for a free trial of Cisco Umbrella, and start leveraging the power of DNS-layer security to protect your cloud workloads.

  1. Modernize IT infrastructure in a hybrid world, Gartner, Mar 2019. Retrieved from
  2. Why organizations choose a Multicloud strategy, Gartner, May 2019. Retrieved from