New Data Centers Show Cisco’s Investment in a Global Cloud Architecture

You want a cybersecurity solution that safeguards your enterprise, not one that slows it down. So, finding a security partner that maintains a global data center network is crucial – this reduces latency and improves reliability. Fortunately, the Cisco Umbrella team backs an award-winning solution with an ever-expanding data center network that spans the globe.

Our data centers – located at key Internet Exchange Points (IXPs) around the world – improve Software-as-a-Service (SaaS) performance by up to 33% over direct internet access (DIA). And our engineers continue to build out this network to support global enterprise customers. We supplement this growing data center network with Anycast routing and a robust assortment of peering relationships, enabling Cisco Umbrella customers to experience the best of both worlds when it comes to security and performance.

Expanding Cisco Umbrella’s Data Center Network

The Cisco Umbrella data center network allows our customers to utilize cybersecurity functionality that includes – but isn’t limited to – DNS-layer security, Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB). A security efficacy test performed by AV-TEST found that Cisco Umbrella had the highest threat detection rate in the industry at 96.39%. And thanks in part to the network of data centers backing Umbrella, this security doesn’t come at the expense of performance.

The most recent additions to the Cisco Umbrella data center network include both brand-new locations and upgrades to existing facilities in:

Our team chooses new locations for their proximity to IXPs, allowing customers to take advantage of faster service. We also prioritize carrier-neutral data centers and heavily utilize colocation facilities. This gives users peace of mind, since Cisco Umbrella is fortified against downtime caused by carrier outages.

How Anycast Routing Makes a Difference

Anycast augmented routing allows our team to maximize performance for our customers. Anycast routing automatically selects the best path to a Cisco Umbrella data center, evaluating things like availability and connection quality.

Not only does Anycast routing reduce latency, but it also helps shield Cisco Umbrella users from outages. If one of the data centers in our network goes down, traffic will automatically fail over to the best available data center. Alternately, users can manually configure tunnels to a Cisco Umbrella data center of their choice to ensure ongoing availability and redundancy.

Reducing Latency With Peering Partners

Of course, a robust data center network isn’t the only factor affecting latency within a cybersecurity solution. That’s why Cisco Umbrella maintains peering partnerships with 1,000+ internet service providers (ISPs), Content Delivery Networks (CDNs), and Software-as-a-Service (SaaS) providers. These partnerships result in more than 6,000 peering sessions with our premier partners.

Some of our peering partners: AT&T, BT Media & Broadcast, GoogleFiber, Verizon, Amazon, Netflix, Dell Services, Huawei, Microsoft, Alibaba.com, SalesForce, Google, Facebook, Box, Baidu, and Cisco Webex.

Peering partnerships serve as a valuable shortcut between customer networks, ISPs, CDNs, and SaaS solutions. This reduces routing hops and shrinks latency, allowing customers to enjoy enhanced performance without ever sacrificing Cisco Umbrella’s world-class security.

Ready to See the Cisco Umbrella Data Center Network In Action?

Explore the full potential of Cisco Umbrella when you sign up for a free, personalized demo today!

Source :
https://umbrella.cisco.com/blog/new-data-centers-show-cisco-investment-global-cloud-architecture

Cisco Umbrella Enhances Support of DNS Encryption With DNS Over HTTPS

In December 2011, Cisco Umbrella – then going by the name OpenDNS – became the first public DNS resolver to announce support for DNS encryption. Now, a decade later, we’re proud to announce that we’ve added support for DNS over HTTPS (DoH) directly to our core Umbrella resolvers. In addition, we’ve also added support for Discovery of Designated Resolvers (DDR). These moves allow us to provide our customers with the low-latency and high availability DNS service they expect while also enhancing their security and privacy.

In this blog, we unpack what this latest DNS over HTTPS update means for Cisco Umbrella customers and discuss how they can configure DoH in their network. For more information on the DNS security offered by Cisco Umbrella, register for our on-demand demo of Cisco Umbrella today!

Our History With DNS Encryption

More than a decade ago, we became the first public resolver to announce support for DNSCrypt: a made-for-DNS solution to securing one of the most fundamental parts of internet communication. To this day, Cisco Umbrella continues to be at the forefront of DNS encryption, using DNSCrypt in the default configurations of our endpoint clients and DNS forwarders.

While we still believe that DNSCrypt has a critical place in our infrastructure, the lack of an Internet Engineering Task Force (IETF) standard for DNSCrypt has prevented widespread adoption. Recently, developments in encrypted DNS have focused on two different encryption protocols: DNS over HTTPS (DoH) and DNS over TLS (DoT).

Using DNS over HTTPS (DoH) With Cisco Umbrella

Unlike DNSCrypt, DoH is an IETF standard for performing DNS queries over a secure, encrypted channel. While it serves a similar purpose to our long-time friend DNSCrypt, its status as an IETF standard makes DNS over HTTPS more common amongst major browsers and operating systems.

Cisco Umbrella first announced support for DoH in May 2020. At that time, we wanted to support our users looking to take advantage of browser-based DNS initiatives. To keep our ability to adapt quickly, we launched DNS over HTTPS support using a set of dedicated resolvers (‘doh.umbrella.com’ and ‘doh.opendns.com’) with their own anycast IPs (146.112.41.5 and 146.112.41.2).

Since that release, the popularity of DoH has picked up steam. Apple added support in September 2020, and Microsoft recently announced that upcoming versions of Windows will support this form of DNS encryption. We’ve seen the result of this popularity on the Cisco Umbrella network, which has prompted our team to add support for DNS over HTTPS directly to Umbrella core resolvers.

Enabling DoH on Cisco Umbrella

Because we support DNS over HTTPS with our core resolvers, Cisco Umbrella customers will continue to experience the low-latency and high availability DNS service for which Umbrella is known. In addition, users can now configure DoH for Cisco Umbrella and OpenDNS on our well-known anycast addresses:

Resolver          IPv4              IPv6               DoH
Umbrella/OpenDNS  208.67.222.222    2620:119:35::35    https://dns.opendns.com/dns-query
                  208.67.220.220    2620:119:53::53    https://dns.umbrella.com/dns-query
FamilyShield      208.67.222.123    2620:119:35::123   https://familyshield.opendns.com/dns-query
                  208.67.220.123    2620:119:53::123
Sandbox           208.67.222.2      2620:0:ccc::2      https://sandbox.opendns.com/dns-query
                  208.67.220.2      2620:0:ccd::2

Additionally, we’ve moved the dedicated DNS over HTTPS hostnames and IPs onto the same core resolvers. This means they will provide the same service as our well-known IPs. And since we’ll continue to support those hostnames and IPs into the future, our existing users need not make any changes.

Using DNS over TLS (DoT) With Cisco Umbrella

While adding support for DNS over HTTPS directly to our core resolvers made it easier for our users to take advantage of DNS encryption, it also provides an additional benefit. We can now handle TLS connections and support DNS over TLS natively in the core resolvers. We’re thrilled to announce that, as of January 28, 2022, support for DoT is live on all Umbrella resolvers globally.

Like DoH, DoT is an IETF standard for performing DNS queries over a secure, encrypted channel. Unlike DoH, however, DoT uses a dedicated port (TCP/853) for its connections. Clients that support DoT will check if their DNS server supports DoT. If it doesn’t, clients will fall back to regular unencrypted DNS (sometimes called Do53). Thus, configuration for DoT is typically just a matter of enabling it in a supported client.

Discovery of Designated Resolvers (DDR)

With all of these new methods for DNS encryption, clients need an automated means to discover what encryption methods their chosen DNS resolver supports. Tasked with this goal, the Adaptive DNS Discovery (ADD) working group at the IETF has proposed a standard called Discovery of Designated Resolvers (DDR).

The basics of DDR are simple. When a DNS client first learns the address of its DNS server, it sends a DNS query for a special-use domain name, ‘_dns.resolver.arpa’, using a special DNS query type (type 64, or ‘SVCB’). The DNS server responds with the types of encryption it supports and any configuration information the client needs. The client can pick the kind of encryption it prefers, verify that all the information is secure, and then start encrypting DNS.
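The exchange just described, as an added example in Python that is not Cisco Umbrella code: the client builds the _dns.resolver.arpa SVCB query, parses the SVCB answer, and prefers DoH over DoT. The answer bytes are a constructed sample that designates dns.umbrella.com with alpn, port and dohpath parameters; the parser and the selection logic are this example's assumptions, not the post's implementation.

```python
"""DDR discovery: build the _dns.resolver.arpa SVCB query, parse the answer and
pick an encrypted transport (RFC 9460 SVCB wire format, RFC 9462 DDR).

Added example, not Cisco Umbrella code. The answer bytes are a constructed
sample modelled on a resolver that designates dns.umbrella.com (the DoH
hostname from the post) for DoH and DoT; a real answer may differ.
"""
import struct

SVCB = 64                                    # query type named in the post
KEYS = {1: "alpn", 3: "port", 7: "dohpath"}  # SvcParamKeys that DDR relies on

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels plus a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ddr_query(txid: int = 0x1234) -> bytes:
    """Header with RD set, one question: _dns.resolver.arpa IN SVCB."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("_dns.resolver.arpa") + struct.pack("!HH", SVCB, 1)

def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_svcparams(data: bytes) -> dict:
    """SvcParams are (key, length, value) triples in ascending key order."""
    params, off = {}, 0
    while off < len(data):
        key, ln = struct.unpack("!HH", data[off:off + 4])
        val, off = data[off + 4:off + 4 + ln], off + 4 + ln
        name = KEYS.get(key, f"key{key}")
        if name == "alpn":                   # list of length-prefixed protocol ids
            alpns, i = [], 0
            while i < len(val):
                alpns.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
                i += 1 + val[i]
            params[name] = alpns
        elif name == "port":
            params[name] = struct.unpack("!H", val)[0]
        elif name == "dohpath":
            params[name] = val.decode("utf-8")
        else:
            params[name] = val               # unknown keys are kept raw
    return params

def parse_ddr_response(msg: bytes) -> list:
    """Return the answer section's SVCB records, lowest SvcPriority first."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, records = 12, []
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4   # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == SVCB:
            target, p = decode_name(rdata, 2)   # SVCB TargetName is never compressed
            rec = {"priority": struct.unpack("!H", rdata[:2])[0], "target": target}
            rec.update(parse_svcparams(rdata[p:]))
            records.append(rec)
    return sorted(records, key=lambda r: r["priority"])

def choose_encrypted_resolver(records: list):
    """Prefer DoH, then DoT. A real client must still verify the designated
    resolver's TLS certificate (RFC 9462 section 4.2) before trusting it."""
    for r in records:
        alpn = r.get("alpn", [])
        if "h2" in alpn and "dohpath" in r:
            return ("DoH", r["target"], r.get("port", 443), r["dohpath"])
        if "dot" in alpn:
            return ("DoT", r["target"], r.get("port", 853), None)
    return None

def _param(key: int, val: bytes) -> bytes:
    return struct.pack("!HH", key, len(val)) + val

def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed DDR answer: priority 1 = DoH over h2, priority 2 = DoT."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = encode_name("_dns.resolver.arpa") + struct.pack("!HH", SVCB, 1)
    doh = (struct.pack("!H", 1) + encode_name("dns.umbrella.com")
           + _param(1, b"\x02h2") + _param(7, b"/dns-query{?dns}"))
    dot = (struct.pack("!H", 2) + encode_name("dns.umbrella.com")
           + _param(1, b"\x03dot") + _param(3, struct.pack("!H", 853)))
    answers = b""
    for rdata in (dot, doh):                 # deliberately out of priority order
        answers += b"\xc0\x0c" + struct.pack("!HHIH", SVCB, 1, 300, len(rdata)) + rdata
    return header + question + answers
```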

Cisco Umbrella is very proud to be the first public resolver to announce support for DDR. We developed it in close collaboration with Microsoft to ensure that encrypted resolver selection works smoothly end to end. We look forward to DDR support being added to more clients and operating systems in the future.

Our DNS over HTTPS and DNS over TLS services are now discoverable via DDR, and any supported client can start using them now.

Enhance Your DNS Security Today

Just as with our decade of support for DNSCrypt, Cisco Umbrella views encryption of DNS queries in transit as a core component of DNS security, along with the use of DNSSEC for securing the data in the queries themselves. We’ve been pleased to see the industry and clients begin to add direct support for DNS encryption, and we can’t wait to see standards like DoH, DoT, and DDR take off and become more widely adopted.

If you want to learn more about the DNS security that Cisco Umbrella provides, view our on-demand demo today!

Source :
https://umbrella.cisco.com/blog/enhancing-support-dns-encryption-with-dns-over-https

Introducing Improvements in DNS Tunneling & DNS Exfiltration Detection

DNS tunneling is a technique that encodes data of other programs and protocols in DNS queries, including data payloads that can be used to control a remote server and applications. Because of this, DNS tunneling – and DNS exfiltration associated with it by threat actors – is of great concern to many IT and SecOps teams. Fortunately, new developments in the Cisco Umbrella DNS cache system allow for faster and more reliable detection of DNS tunneling and exfiltration events.

How Does DNS Tunneling Work?

DNS tunneling revolves around the transfer of data. So, if we have:

  • Input data – Name: Alice, Age: 25, SSN: 123-45-678

Using DNS exfiltration, we can encode this data and send it in a single query, spread across several subdomain labels of a domain under our control:

  • jzqw2zj2ifwg.sy3ffrawozj2.gi2syu2tjy5d.cmrtfu2djljw.my.tunnel.com

Or, we can split it across multiple queries to a large number of subdomains:

  • jzqw2.zj2if.my.tunnel.com
  • wgsy3.ffraw.my.tunnel.com
  • ozj2g.i2syu.my.tunnel.com
  • 2tjy5.dcmrt.my.tunnel.com

Users can abuse this technique – as seen in Fig. 1 below – by installing a free DNS tunneling tool to bypass IT policies and/or monitoring. They can also use this technique to bypass network authorization to obtain free internet access in hotels and airports.

Fig. 1 – How users abuse DNS tunneling to bypass IT policies and/or monitoring: traffic goes from the user device, over port 53, through recursive DNS resolution (provided either by the ISP or by Cisco Umbrella), through the VPN tunnel infrastructure, to a blocked site, and then back along the same chain to the user device.

Attackers can use outbound DNS requests to send encoded exfiltrated data to their infrastructure – as seen in Fig. 2 below – or use DNS responses to send commands to compromised systems and manage infected devices remotely.

Fig. 2 – A DNS-tunneling-based attack: a compromised system sends data in a DNS request over port 53; the data passes through recursive DNS resolution before reaching the attacker's infrastructure.

Improvements to DNS Tunneling Realtime Detection

Today, we’re thrilled to announce that organizations have a powerful new ally to protect against data exfiltration and unauthorized DNS tunnels in their networks. Cisco Umbrella has developed a new proprietary cache within our DNS resolvers to work alongside our machine learning modules. Our newest machine learning module is tuned to detect data exfiltration and DNS tunneling events.

This new module monitors DNS traffic for behavioral patterns and traffic exfiltrating data, efficiently building enough information to detect and block data exfiltration. And, in the event circumstances and domain reputations change, this module will correct itself and let traffic through.

We made this update because, over the past couple of years, we’ve seen organizations more productive and more connected amidst the new reality of working digitally during the pandemic. The explosion of logins and bandwidth, though, has at times come with reductions in digital security. Data exfiltration has become a new reality, and one hole attackers punch is in the DNS.

Powering Improvements With a Revolutionary DNS Cache

The technology stack powering Cisco Umbrella’s DNS resolvers handles blistering loads of DNS traffic from ISPs, global organizations, municipalities, schools, and homes. Building on this, we’ve hacked the heart of the DNS resolver – the cache. And while we dig into the details of this new functionality in our DNS tunneling solution brief, we also want to provide you with an overview here.

The cache of a DNS resolver enables serving the swell of global traffic without fault or outage, and with ease. It also insulates the backbone of the internet from being overwhelmed with identical queries. Caches store data locally so that it can be served quicker.

Tunneling Cache

The tunneling cache enables us to glue together a sequence of queries that are otherwise distinct atomic events. With proprietary key and data fields, we seamlessly incorporate rapid cache updates unbeknownst to web surfers. We maintain lightning speed throughout by merging incoming data fields using tricks found in probabilistic algorithms. Gluing together each individual’s DNS queries provides access to a rich amount of information, otherwise hidden. Organizations can now get personalized DNS tunneling monitoring, detection, and enforcement in real time.

Encryption Payloads

We pair the new DNS cache with a lexical engine highly trained at identifying encrypted messages. Our researchers dug into various encryption protocols and created a stateful algorithm capable of churning through every character transition in a domain name and identifying encryption payloads with high fidelity.
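The encoding shown in the tunneling examples earlier, together with the per-client gluing and the character-transition checks described in the last two sections, as an added example in Python that is not Cisco Umbrella's cache or machine learning module. The log lines are constructed and include the post's own tunnel.com names; the zone boundary (last two labels, or three for the post's my.tunnel.com) is a simplification this example assumes in place of a public-suffix lookup.

```python
"""Score DNS query names lexically, then glue each client's queries per zone
and judge the accumulated payload, as the post describes the tunneling cache
and lexical engine doing.

Added example, not Cisco Umbrella's cache or ML module. The log is a
constructed sample that includes the post's own tunnel.com names.
"""
import base64
import math
from collections import defaultdict

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")

# Constructed (client_ip, queried_name) pairs: two clients, benign names mixed
# with the post's single-query and multi-query examples.
SAMPLE_LOG = [
    ("10.0.0.7", "www.cisco.com"),
    ("10.0.0.7", "jzqw2zj2ifwg.sy3ffrawozj2.gi2syu2tjy5d.cmrtfu2djljw.my.tunnel.com"),
    ("10.0.0.7", "mail.example.org"),
    ("10.0.0.9", "jzqw2.zj2if.my.tunnel.com"),
    ("10.0.0.9", "cdn.example.org"),
    ("10.0.0.9", "wgsy3.ffraw.my.tunnel.com"),
    ("10.0.0.9", "ozj2g.i2syu.my.tunnel.com"),
    ("10.0.0.9", "2tjy5.dcmrt.my.tunnel.com"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def class_transitions(s: str) -> int:
    """Count letter<->digit switches, the character transitions the post's
    lexical engine walks; base32 data flips classes far more than words do."""
    kinds = [ch.isdigit() for ch in s if ch.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)

def split_name(qname: str, zone_labels: int = 2):
    """Return (subdomain labels, zone). zone_labels=2 approximates the
    registered domain; the post's tunnel zone is my.tunnel.com, so the test
    uses 3. A real deployment would consult a public-suffix list instead."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[:-zone_labels], ".".join(labels[-zone_labels:])

def score_query(qname: str, zone_labels: int = 2) -> dict:
    """Per-query lexical features computed over the subdomain part only."""
    sub, zone = split_name(qname, zone_labels)
    payload = "".join(sub)
    return {"zone": zone, "payload_len": len(payload),
            "entropy": shannon_entropy(payload),
            "transitions": class_transitions(payload),
            "base32_like": bool(payload) and all(c in BASE32_ALPHABET for c in payload)}

def glue_and_flag(log, zone_labels=2, min_payload=40, min_entropy=3.5) -> dict:
    """Concatenate each (client, zone)'s subdomain labels in query order and
    judge the glued payload: 5-character labels look harmless on their own,
    but glued together they carry the whole encoded record."""
    glued = defaultdict(str)
    for client, qname in log:
        sub, zone = split_name(qname, zone_labels)
        glued[(client, zone)] += "".join(sub)
    flagged = {}
    for key, payload in glued.items():
        ent = shannon_entropy(payload)
        if (len(payload) >= min_payload and ent >= min_entropy
                and all(c in BASE32_ALPHABET for c in payload)):
            flagged[key] = {"payload": payload, "entropy": round(ent, 2)}
    return flagged

def decode_base32_payload(payload: str) -> bytes:
    """Analyst verification step: restore padding and decode a flagged payload."""
    padded = payload.upper() + "=" * (-len(payload) % 8)
    return base64.b32decode(padded)
```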

Take DNS-Layer Security to the Next Level

Cisco Umbrella analyzes internet activity to uncover known and emergent threats in order to protect users anywhere they go. Together, these capabilities power Umbrella to predict and prevent DNS tunneling attacks before they happen. Enabling this security category reduces the risk of DNS tunneling and potential data loss. Organizations can choose to block users from using DNS tunneling VPN services, or they can monitor the results in reports, providing flexibility to determine what is suitable given their risk tolerance.

Address your DNS blind spot by enforcing security over port 53 both on and off the corporate network. Request a personalized demo of Cisco Umbrella today to explore how this exciting new feature can help protect your enterprise.

Source :
https://umbrella.cisco.com/blog/improvements-dns-tunneling-dns-exfiltration-detection

3 Ways to Strengthen Your Cybersecurity Strategy in 2022

Last year threw a lot at cybersecurity teams, from the emergence of several high-profile cyberattacks to the revelation of widespread vulnerabilities. As we all move into 2022, odds are your team is re-thinking your cybersecurity strategy to help make your organization more resilient and flexible. This should involve an evaluation of your cybersecurity solutions, as they impact the implementation and effectiveness of any strategies your team creates.

In our ebook 7 ways to strengthen your security in 2022 and beyond, we discuss the different ways you can amplify and extend your cybersecurity stack this year using Cisco Umbrella. But if you’re looking for some tips to get you started, here are three things to keep in mind as you plot out your cybersecurity strategy:

1. Make Sure Your Cybersecurity Solutions Don’t Impact Network Speeds

The use of internet resources and cloud services was on the rise before the COVID-19 pandemic. Now that employees have spread out – collaborating with coworkers and performing business-critical tasks from anywhere they have internet access – cloud-based tools have become more critical than ever.

This means that an effective cybersecurity strategy needs to balance the implementation of strong protections against the need for minimal latency on the company network. From a business perspective, cyber safety can’t come at the expense of speed.

In order to maintain this balance, take a look at your cybersecurity solutions and evaluate the following:

  • Routing Algorithms – Frequently, having fast and secure internet access comes down to a cybersecurity vendor’s data center network and routing algorithms. Make sure your cybersecurity solutions come backed by a robust global data center network and transparent routing protocols with automated failover to the fastest available servers. This minimizes latency, regardless of where users on your network are located.
  • Peering Relationships – Peering relationships allow cybersecurity vendors to minimize latency without compromising on security. As you reevaluate your cybersecurity strategy in the coming year, make sure your vendors have peering relationships with large cloud service providers your organization relies on. This allows employees to easily access the tools they need without introducing added latency.

Keeping network speeds in mind while you refine your cybersecurity strategy for the upcoming year can improve employee satisfaction, affect executive buy-in, and have an impact on your organization’s bottom line.

2. Strengthen Cybersecurity Infrastructure to Reduce Disruptions

Last year, we all experienced more than our fair share of network disruptions, outages, and downtime. Several of these events were impactful enough to make it into the news cycle. And while an outage isn’t the same thing as a cyberattack, your cybersecurity strategy should include finding solutions that are designed to reduce downtime instead of causing it.

Take some time to review the track record of your vendors. For example, do they have a proven record of resiliency and uptime? Better yet, can they handle infrastructure disruptions without passing those disruptions onto your users? For example, the unique DNS logging features included in Cisco Umbrella DNS-layer security can be used during certain events – like the 2021 Akamai outage – to keep users connected to business-critical cloud tools despite provider outages.

3. Make Sure Your Cybersecurity Strategy Includes Guest WiFi Considerations

Between the move to a hybrid work model and the gradual reopening of public spaces, odds are you’ll find more employees and clients using your guest WiFi in the coming year. So, it’s essential to make sure that both your private and guest WiFi networks have the speed users desire and the protection you need.

Does your suite of cybersecurity solutions provide your team with the ability to filter content and enforce security protocols over your guest WiFi network? Does your security stack allow you to maintain a single IP address for your entire enterprise, streamlining the management of guest WiFi security policies? Finally, can your cybersecurity solutions handle the uptick in user traffic that guest WiFi causes without increasing latency? If the answer to any of these questions is “no,” it may be time to think about adjusting your security stack.

Looking for More Ways to Strengthen Your Cybersecurity Strategy?

Download our ebook 7 ways to strengthen your security in 2022 and beyond today to discover more ways that you can use Cisco Umbrella to strengthen your cybersecurity strategy this year.

Source :
https://umbrella.cisco.com/blog/ways-to-strengthen-your-cybersecurity-strategy

The cost of ransomware attacks: Why and how you should protect your data

As the COVID-19 pandemic ravaged the world in 2020, ransomware attacks grew to epidemic proportions of their own. Almost every day, both large and small companies across every industry — all lacking ransomware protection — were attacked. Now with incidents on the rise, organizations are rushing to implement data protection strategies to reduce their exposure.

By 2031, ransomware is likely to cost victims more than $250 billion annually, with a new attack occurring every 2 seconds [1].

But, while everyone can agree that ransomware is a major threat, what are the actual costs that come with a ransomware attack? And, more importantly, what can you do to defend yourself from them?

What is ransomware?

Ransomware is malicious software (malware) used in a cyberattack to encrypt a victim’s data with a key known only to the attacker, rendering the data unusable until a ransom payment (usually cryptocurrency like Bitcoin) is paid by the victim. Ransomware activity has become pervasive, impacting 50% of organizations in 2020 [2].

Recently, however, ransomware incidents have become even more insidious. In the past, attackers would simply force companies to pay a ransom to unlock data. Today, 70% of occurrences employ double extortion tactics, where attackers exfiltrate and steal sensitive company information to coerce companies to pay even more [3]. If payment isn’t made, the attackers leak the data onto the dark web.

The real costs of ransomware attacks

Ransomware has many costs, from the ransom amount to the costs of recovering from the occurrence to the damage to your organization’s brand. All of the costs add up to significant amounts and can take a major toll on your business.

Ransom costs

2020 was a very good year for ransomware attackers. The number of companies willing to pay increased, as did the size of the payouts.

Figure: 2020 ransom statistics – $312,493: the average amount paid by attack victims, an increase of 171% year-over-year; $10 million: the highest ransom paid by an organization in 2020, up by $5 million from 2019; 58%: the estimated percentage of victims that paid ransoms in 2020.

Remediation costs

Beyond the ransom itself, there are the costs it takes to recover from an attack — including investing in IT resources to rebuild servers and recover data. There are also the costs of the disruption to the business, like lost revenue incurred from downtime.

Figure: 2020 remediation statistics – $207,875: the average cost of a forensic investigation after a ransomware incident in 2020; 16 days: the average downtime after a ransomware incident; $283,000: the average loss in downtime, per incident, in 2020.

Intangible costs: more than money

Beyond the direct costs of ransom and remediation, there are the soft costs of PR fiascos, brand erosion, and the reduced confidence of customers and partners. In addition, boards of directors and governments are starting to require immediate reporting of cybersecurity incidents, which takes resources and incurs more costs. For example, the U.S. Transportation Security Administration (TSA) will require pipeline companies to report incidents within 12 hours.

Using a modern cloud-native security solution for ransomware protection

While ransomware attacks are on the rise — and more costly than ever — there are risk mitigation strategies that you can take to defend against attacks and other cybersecurity threats. Cisco Umbrella, the cloud-native, multi-function security service, unifies firewall, secure web gateway (SWG), DNS-layer security, cloud access security broker (CASB), and threat intelligence into a single cloud service to help businesses of all sizes secure their network against ransomware and cybersecurity threats.

So, how exactly does Cisco Umbrella provide ransomware protection?

Blocks the first phase of attack — malicious internet requests at the DNS layer

Ransomware attackers need to stage internet infrastructure before they can launch an attack. Cisco Umbrella stops ransomware attacks early by blocking internet connections to the malicious sites that serve up ransomware. Cisco Umbrella enforces security at the DNS and IP layers, processing 220 billion internet requests for more than 20,000 businesses every day, preventing users from ever accessing most malicious content sites.

Unifies other security services for robust protection — anywhere and everywhere

With users accessing data and apps both on and off network and on many types of devices, ransomware security needs to be everywhere. Instead of a variety of individual standalone security solutions, Cisco Umbrella combines DNS-layer, firewall, SWG, CASB, and threat intelligence functions into a single cloud service to help businesses of all sizes secure their users, applications, and data, wherever they are.

Leverages unmatched threat intelligence

The best defense is a good offense. Cisco Umbrella uses intelligence from Cisco Talos, one of the largest commercial threat intelligence teams in the world, to offensively discover and block new threats before they become attacks. In addition, backed by more than 300 researchers, Cisco Umbrella uncovers and blocks a broad spectrum of malicious domains, IPs, URLs, and files being used in attacks.

Delivers proven performance against threats

Cisco Umbrella has a track record of tried-and-tested threat detection and security efficacy, backed by third-party validation. AV-TEST, an independent security organization, conducted a study of threat efficacy among leading cloud security vendors. Cisco Umbrella received top marks across the board, with a 96.39% threat detection rate — the highest in the industry [10].

Take preventative action to defend your data

Ransomware attacks and their associated costs pose a serious threat to your business. But there are ways to defend against ransomware and mitigate the risks. Cisco Umbrella uses multiple, advanced security functions to provide protection from ransomware and other security threats. Want to learn even more about how to defend your data? Download the Ransomware Defense for Dummies ebook.

Get the Ransomware Defense for Dummies ebook

[1] Brave, David, "Global Ransomware Damage Costs Predicted to Reach $250 Billion (USD) by 2031," Cyber Security Ventures, June 1, 2021.
[2] "2021 Cyber security threat trends – phishing, crypto top the list," Cisco, June 1, 2021.
[3] Brave, David, "Global Ransomware Damage Costs Predicted to Reach $250 Billion (USD) by 2031," Cyber Security Ventures, June 1, 2021.
[4] "Highlights from the 2021 Unit 42 Ransomware Threat Report," Palo Alto Networks, March 17, 2021.
[5] "Highlights from the 2021 Unit 42 Ransomware Threat Report," Palo Alto Networks, March 17, 2021.
[6] Yeap, Yuen Pin, "Why Ransomware Costs Businesses Much More Than Money," Forbes, April 30, 2021.
[7] Scroxton, Alex, "Average Ransomware Cost Triples, Says Report," Computer Weekly, March 17, 2021.
[8] Yeap, Yuen Pin, "Why Ransomware Costs Businesses Much More Than Money," Forbes, April 30, 2021.
[9] Andrus, Danielle, "Ransomware Incidents, Costs On the Rise, and No Target Is Too Small," Benefits Pro, May 5, 2021.
[10] "DNS-Layer Protection & Secure Web Gateway Security Efficacy Test," AV-TEST, February 2021.

Source :
https://umbrella.cisco.com/blog/cost-of-ransomware-attacks

Cloud security for manufacturing – gaining control and visibility

I recently had the pleasure of sitting down for ‘coffee’ with Claudio Bolla, Global Information Security Director at INEOS to learn how he’s managing cloud manufacturing security during the pandemic. As a large chemicals company with 26,000 employees, INEOS operates 36 different business units with 196 locations around the world. Their businesses span oil and gas, energy, and chemical production. INEOS manufactures chemicals that have been used to develop the vaccine, hand sanitizer, face masks, the plastic used in aeroplane parts, just to name a few things!

I knew that INEOS did quite a bit of M&A and because of this, finds itself with many disparate businesses, such as INEOS Automotive which is building a 4×4 vehicle (inspired by the Land Rover Defender). But what I didn’t know was that INEOS has made a foray into the beautiful game of football! Turns out sports is one of INEOS’ key pillars. This started with the acquisition of Lausanne Football Club in Switzerland, followed by the Nice Football Club in France. On the philanthropic side, they’ve even developed their own football clubs in underdeveloped countries to improve the social well-being of youth.

When the pandemic hit, many companies sent all or the majority of their employees home to work remotely. However, because INEOS had physical assets with production sites, it wasn’t just a matter of telling everyone to work from home. They had to keep their manufacturing plants running! And it was critical to do so because they were making products that are used to fight the pandemic. They moved from a primarily office-based, production-site approach to a hybrid situation. This transition introduced much complexity, especially given the number of business units, differing types of products, and challenges related to maintaining a secure manufacturing environment in the cloud.

Prior to the pandemic, INEOS turned to Cisco Umbrella to migrate all of their divisions to a single provider for DNS coverage. Umbrella also gives them the ability to let each business unit decide if they want different types of policies for different types of users. With so many contrasting businesses, the security controls for each BU can vary quite a bit. Since they had already deployed Umbrella successfully, when the pandemic hit, INEOS was able to quickly secure remote manufacturing workers using the roaming client: they went from 500 users connecting per day to over 7,000 users in one weekend!

In the talk, Claudio reveals how “an unexpected benefit of Umbrella was App Discovery,” which allows them to uncover cloud storage and reduce risk. Umbrella’s CASB functionality allows customers to gain control and visibility of cloud application and service usage across their entire network, and block risky apps to improve security.

Claudio shared many, many intriguing insights on how to give employees the right level of security at the right time (yes, there is such a thing as too many security controls!)

Hear directly from Claudio Bolla in this short highlights video:

Highlights: Coffee with Claudio Bolla, INEOS


Click to watch the full Cisco Umbrella Coffee Hour with INEOS.

Source :
https://umbrella.cisco.com/blog/cloud-security-for-manufacturing-gaining-control-and-visibility

What is the difference between authoritative and recursive DNS nameservers?

In today’s blog post, we’ll talk about the difference between authoritative and recursive domain name system (DNS) servers. We’ll explain how these two types of DNS servers form the foundation of the internet and help the world stay connected.

What is the domain name system?

Every computer on the Internet identifies itself with an “Internet Protocol” or “IP” address, which is a series of numbers — just like a phone number. You can reach a computer that hosts a website either by typing the website name or by typing its IP address into your browser address bar. Either method will get you to the same destination. All servers that host websites and apps on the internet have IP addresses, too.

Give it a try: the IP address of the Cisco Umbrella website is 67.215.70.40.

The domain name system (DNS) is sometimes referred to as the “phone book” of the Internet.  You can connect to our website by typing in the IP address in the address bar of your browser, but it’s much easier to type in umbrella.cisco.com. DNS was invented so that people didn’t need to remember long IP address numbers (like phone numbers) and could look up websites by human-friendly names like umbrella.cisco.com instead.

There are too many sites on the Internet for your personal computer to keep a complete list. DNS servers power a website directory service to make things easier for humans. Like phone books, you won’t find one big book that contains every listing for everyone in the world (how many pages would that require? That’s a question for a different blog post.)

There are two types of DNS servers: authoritative and recursive. Authoritative nameservers are like the phone book company that publishes multiple phone books, one per region. Recursive DNS servers are like someone who uses a phone book to look up the number to contact a person or company. Keep in mind, these companies don’t actually decide what number belongs to which person or company — that’s the responsibility of domain name registrars.

Let’s talk about the two different types in more detail.

What is a recursive DNS server?

When you type a website address into your browser address bar, it might seem like magic happens. In reality, the DNS system makes effortless internet browsing possible. First, your browser connects to a recursive DNS server. There are many thousands of recursive DNS servers in the world. Many people use the recursive DNS servers managed by their Internet Service Provider (ISP) and never change them. If you’re a Cisco Umbrella customer, you’re using our recursive DNS servers instead.

Once your computer connects to its assigned recursive DNS server, it asks the question “what’s the IP address assigned to that website name?” The recursive DNS server doesn’t have a copy of the phone book, but it does know where to find one. So it connects to another type of DNS server to continue the search.

What is an authoritative DNS nameserver?

The second type of DNS server holds a copy of the regional phone book that matches IP addresses with domain names. These are called authoritative DNS servers. Authoritative DNS nameservers are responsible for providing answers to recursive DNS nameservers about where specific websites can be found. These answers contain important information for each domain, like IP addresses.

Like phone books, there are different authoritative DNS servers that cover different regions (a company, the local area, your country, etc.). No matter what region it covers, an authoritative DNS server performs two important tasks. First, it stores lists of domain names and their associated IP addresses. Second, it responds to requests from a recursive DNS server (the person who needs to look up a number) about the correct IP address assigned to a domain name. After getting the answer, the recursive DNS server sends that information back to the computer (and browser) that requested it. The computer connects to the IP address, and the website loads, leading to a happy user who can go on with their day.

Putting it all together

This process happens so quickly that you don’t even notice it happening — unless, of course, something is broken.

Let’s use a real world example. Imagine that you are sitting at your computer and you want to search for pictures of cats wearing bow ties (hey, we don’t judge). So you decide to visit Google to do a web search.

First, you type www.google.com into your web browser. However, your computer doesn’t know the IP address of the server for www.google.com. So your computer starts by sending a query to its assigned recursive DNS nameserver. For this example, we’ll assume you’re one of our customers, so it’s a Cisco Umbrella server. Your computer asks the recursive DNS server to locate the IP address of www.google.com. The Cisco Umbrella recursive DNS nameserver is now assigned the task of finding the IP address of the website. Google is a popular website, so its result will probably be cached. But if the recursive DNS nameserver did not already have a DNS record for www.google.com cached in its system, it will need to ask the authoritative DNS hierarchy for help to get the answer. This is more likely if you are going to a website that is newer or less popular.

Each part of a domain like www.google.com has a specific authoritative DNS nameserver (or group of redundant authoritative nameservers).

At the top of the server tree are the root domain nameservers. Every website address has an implied “.” at the end, even if we don’t type it in. This “.” designates the DNS root nameservers at the top of the DNS hierarchy. The root domain nameservers know the IP addresses of the authoritative nameservers that handle DNS queries for the Top Level Domains (TLDs) like “.com”, “.edu”, or “.gov”. The Umbrella recursive DNS server first asks the root domain nameserver for the IP address of the .com TLD server, since www.google.com is within the .com TLD.

The root domain nameserver responds with the address of the TLD server. Next, the Umbrella recursive DNS server asks the TLD authoritative server where it can find the authoritative DNS server for www.google.com. The TLD authoritative server responds, and the process continues. The authoritative server for www.google.com is asked where to find www.google.com and the server responds with the answer. Once the Cisco Umbrella recursive DNS server knows the IP address for the website, it responds to your computer with the appropriate IP address. Your browser loads Google, and you can get started with more important business: finding pictures of cats in bow ties.
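The walk from root to TLD to authoritative server, with the cache check in front of it, as an added Python model that is not part of the original post: the zone data and the server addresses (documentation-range IPs) are constructed stand-ins for the real hierarchy, and www.google.com is the only name the toy authoritative zone knows.

```python
"""Miniature model of recursive resolution: cache first, then referrals down the tree.

Added example, not code from the Cisco Umbrella post. Zone contents and IP
addresses are constructed placeholders, not the real servers.
"""
from dataclasses import dataclass, field

# Each authoritative "phone book" is a zone. It either answers with an A record
# (it is authoritative for the name) or refers the resolver to the next zone
# down, supplying glue (that nameserver's IP) so the resolver can reach it.
ZONES = {
    ".": {"ns": {"com.": "198.51.100.1"}},                       # root knows the TLD servers
    "com.": {"ns": {"google.com.": "198.51.100.2"}},            # .com knows google.com's NS
    "google.com.": {"a": {"www.google.com.": "203.0.113.10"}},  # authoritative answer
}
# Which server IP serves which zone, so a referral can be followed.
AUTHORITATIVE_SERVERS = {
    "198.51.100.0": ".",
    "198.51.100.1": "com.",
    "198.51.100.2": "google.com.",
}
ROOT_SERVER = "198.51.100.0"  # the root hint every recursive resolver starts from


def authoritative_query(server_ip: str, qname: str):
    """Model of an authoritative nameserver: answer, refer downward, or NXDOMAIN."""
    zone = ZONES[AUTHORITATIVE_SERVERS[server_ip]]
    if qname in zone.get("a", {}):
        return ("answer", zone["a"][qname])
    # Referral: a delegated child zone that is a suffix of the queried name.
    for child, glue in zone.get("ns", {}).items():
        if qname == child or qname.endswith("." + child):
            return ("referral", glue)
    return ("nxdomain", None)


@dataclass
class RecursiveResolver:
    """Model of the recursive server: checks its cache, then walks the referrals."""
    cache: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)

    def resolve(self, name: str):
        qname = name if name.endswith(".") else name + "."  # the implied trailing dot
        self.trace = []
        if qname in self.cache:
            self.trace.append(f"cache hit for {qname}")
            return self.cache[qname]
        server = ROOT_SERVER
        for _ in range(8):  # bound the walk so a referral loop cannot spin forever
            kind, data = authoritative_query(server, qname)
            self.trace.append(f"asked {AUTHORITATIVE_SERVERS[server]} at {server}: {kind}")
            if kind == "answer":
                self.cache[qname] = data  # cached, so the next lookup skips the walk
                return data
            if kind == "referral":
                server = data
                continue
            return None  # NXDOMAIN: no such name anywhere in the tree
        return None


if __name__ == "__main__":
    resolver = RecursiveResolver()
    for name in ("www.google.com", "www.google.com", "example.org"):
        print(name, "->", resolver.resolve(name))
        for step in resolver.trace:
            print("   ", step)
```

The second lookup of www.google.com never leaves the resolver, which is the caching the post describes for popular sites.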

Example graphic showing how a recursive DNS server works - Cisco Umbrella Blog

Without DNS, the internet stops working

The DNS system is so important to the modern world that we often refer to it as the foundation of the internet. If your recursive DNS service breaks for some reason, you won’t be able to connect to websites unless you type in the IP addresses directly — and who keeps an emergency list of IP addresses in their desk? If the recursive DNS service you use is working, but has been slowed down for some reason (like a cyberattack), then your connection to websites will be slowed down, too.

Cisco Umbrella launched its recursive DNS service in 2006 (as OpenDNS) to provide everyone with reliable, safe, smart, and fast Internet connectivity. Umbrella has a highly resilient recursive DNS network. We’ve had 100% uptime with no DNS outages in our history. Our 30-plus worldwide data centers use anycast routing to send requests transparently to the fastest available data center with automatic failover.

By configuring your network to use Umbrella’s recursive DNS service, you’ll get the fastest and most reliable connectivity you can imagine. But Umbrella provides much more than just plain old internet browsing. Learn more about how we make the internet a safer place for cats in bow ties in our post about DNS-layer security.

Source :
https://umbrella.cisco.com/blog/what-is-the-difference-between-authoritative-and-recursive-dns-nameservers

Inadequate security makes WordPress sites a land of opportunity for hackers

The famous American robber Willie Sutton was asked once why he robbed banks. His answer was humorous, direct, and revealing: “Because that’s where the money is.”

For hackers, WordPress sites represent a similar rich vein of opportunity. WordPress is one of the world’s most popular web publishing platforms. Its ease of publishing is popular with smaller businesses and organizations looking to establish a quick and easy presence on the internet.

Unfortunately, that same ease lends itself to insecure web practices, such as web platforms that aren’t properly protected, weak passwords, and a lack of administrative controls. The latter also makes lateral movement easy once an initial web server is compromised. This can greatly increase the scale of damage, making WordPress infrastructure very lucrative for hackers.

Cisco Umbrella threat researchers have been analyzing attacks on various WordPress sites recently. We found some interesting examples of how attackers are compromising WordPress sites. Let’s look into it.

How do attackers compromise a WordPress site?

Generally, what we’ve seen are variations of land-and-expand techniques. Hackers seek opportunities to infiltrate weakly protected WordPress sites, identify associated assets through phishing and other subterfuge, and expand their network of compromised assets to create further opportunities to monetize their activities.

There are several ways to infiltrate WordPress infrastructure. But, generally, we’ve seen attackers progress by these sorts of actions:

  1. Take control of the WordPress site through brute force attacks, trojans inside themes and plug-ins, and exploitation of poorly protected admin controls
  2. Host malware
  3. Host phishing pages that mimic popular brands to collect more information
  4. Host spam pages to create more intelligence-gathering opportunities
  5. Most importantly, use the compromised site to attack other WordPress sites

How does an attacker find and select a site to attack?

An attacker can use systems that are designed to scan the internet for vulnerable WordPress sites and then notify the attacker’s command-and-control server.

Another method to discover vulnerable sites for attack is open source domain intelligence. For example, an attacker could find a domain by using Google Dorks.

When our researchers examined the compromised machines, they found a lot of malicious PHP scripts and malware.

First, an attacker appends the malicious code to the index page. So when a customer visits the WordPress site, it redirects to spam pages — or it may trigger the server to do something else.

An example of such spam page redirection follows:

Example of spam page redirection - Cisco Umbrella Blog

This attack type is not new — we have been seeing attacks like this for a while.

We also observed cases where malware was hosted on the website. In one case, we found a trojan that made contact with the domain detroidcliper[.]at.

example of a command-and-control server whose domain has very high query volume - Cisco Umbrella Blog

This particular domain is a command-and-control server. It receives a large number of queries, with query volume peaking at 94k queries. We also observed a login panel hosted at this domain that matches the login panel of Sarwent.

Example of a login panel that matches the login panel of sarwent, which is implicated in prior attacks - Cisco Umbrella Blog

Let’s take a closer look at malicious scripts that were hosted on a compromised WordPress site. Most of them are heavily obfuscated PHP scripts. The most commonly used obfuscation method is eval(gzuncompress(base64_decode(Encoded_content)));

Example of the most commonly used obfuscation method - Cisco Umbrella Blog

After decoding, we found the following script.

Example of obfuscated PHP script found after decoding - Cisco Umbrella Blog

This PHP code contains an executable file delivered via Base64 encoding. When the PHP code runs, the executable file executes directly in memory.
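A static unwrapper for that eval(gzuncompress(base64_decode(...))) wrapper, written as an added example and not code from the post or from the recovered scripts: it decodes each layer with zlib instead of executing it, and the nested sample it runs on is constructed here, with a fake two-byte “MZ” header standing in for the embedded executable.

```python
"""Static unwrapping of eval(gzuncompress(base64_decode(...))) layers, without eval.

Added example, not code from the Cisco Umbrella post. The sample script below is
constructed for this demonstration; FAKE_EXE is two magic bytes plus zeros, not malware.
"""
import base64
import re
import zlib

# The wrapper the post names. PHP's gzuncompress() inflates zlib-format (RFC 1950)
# data, which is exactly what zlib.decompress() handles in Python.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*['\"]"
    r"([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)\s*;?",
    re.DOTALL,
)
# Magic bytes that identify an executable hidden inside a Base64 string.
EXEC_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}


def unwrap_layers(php_source: str, max_layers: int = 10) -> list:
    """Peel wrapper layers one at a time; returns the decoded source of each layer."""
    layers = []
    current = php_source
    for _ in range(max_layers):  # bounded so a self-referencing blob cannot loop forever
        match = WRAPPER.search(current)
        if not match:
            break
        blob = re.sub(r"\s+", "", match.group(1))  # obfuscators often line-wrap the blob
        try:
            current = zlib.decompress(base64.b64decode(blob)).decode("utf-8", "replace")
        except (zlib.error, ValueError) as exc:
            layers.append(f"<decode failed: {exc}>")
            break
        layers.append(current)
    return layers


def find_embedded_executables(php_source: str) -> list:
    """Find long Base64 runs that decode to a PE or ELF header; returns (kind, size) pairs."""
    found = []
    for match in re.finditer(r"[A-Za-z0-9+/]{64,}={0,2}", php_source):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue
        for magic, label in EXEC_MAGIC.items():
            if raw.startswith(magic):
                found.append((label, len(raw)))
    return found


def analyze(php_source: str) -> dict:
    """Summary a responder wants: how many layers, the innermost source, embedded binaries."""
    layers = unwrap_layers(php_source)
    final = layers[-1] if layers else php_source
    return {"layers": len(layers), "final": final, "executables": find_embedded_executables(final)}


# ---- constructed fixture (only to exercise the code above) ----
FAKE_EXE = b"MZ" + b"\x00" * 62  # constructed stand-in for a dropped PE file
INNER_SCRIPT = (
    "<?php $exe = base64_decode('" + base64.b64encode(FAKE_EXE).decode("ascii") + "'); "
    "/* constructed: a real sample would go on to run this in memory */"
)


def wrap_like_obfuscator(php: str) -> str:
    """Builds one wrapper layer the way the obfuscator would; used only to make the fixture."""
    blob = base64.b64encode(zlib.compress(php.encode("utf-8"))).decode("ascii")
    return f"<?php eval(gzuncompress(base64_decode('{blob}')));"


SAMPLE = wrap_like_obfuscator(wrap_like_obfuscator(INNER_SCRIPT))  # two nested layers

if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(f"{report['layers']} layer(s) removed; embedded: {report['executables']}")
    print(report["final"][:80], "...")
```

Each decoded layer is kept, so a reviewer can read the intermediate stages as well as the final script.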

Example of WordPress site with PHP code containing an executable file delivered via Base64 encoding - Cisco Umbrella Blog

Another function in the PHP code searches for an exploit to use for privilege escalation.

Example of a function in the PHP code searching for an exploit to escalate the privilege in WordPress - Cisco Umbrella Blog

The remainder of the malicious scripts perform various tasks. Some redirect to spam sites, some give attackers shell access, and others are used to attempt to compromise other WordPress sites. Generally, the objectives are to collect more intelligence in search of further opportunities to exploit, and to compromise more sites to continue the cycle.

A brute force WordPress attack is an ongoing process. On average, a single compromised WordPress site tries to brute force about 2,000 other domains per day. Not every WordPress site will be compromised, but enough WordPress sites have easy-to-guess common passwords to make this type of attack worthwhile. Usually, attackers keep a list of simple passwords and use them to launch a brute force attack on a site.
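One way a site operator can spot this password guessing in their own web server logs, as an added example not drawn from the post: a sliding-window count of POSTs to the login endpoints per source address. The Apache-style log lines and IP addresses are constructed.

```python
"""Flag wp-login.php / xmlrpc.php password guessing from access logs.

Added example, not code from the Cisco Umbrella post. SAMPLE_LOG is constructed
(combined log format, documentation-range addresses).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # xmlrpc.php also accepts credentials


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    return {
        "ip": match["ip"],
        "ts": datetime.strptime(match["ts"], TS_FORMAT),
        "method": match["method"],
        "path": match["path"].split("?")[0],
        "status": int(match["status"]),
    }


def find_brute_force(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {ip: max POSTs to a login endpoint within `window`} for IPs at or above threshold.

    A failed wp-login POST normally returns 200 (the form is re-rendered) and a
    success returns 302, so the count is on POSTs, not on HTTP error codes.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            events[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in events.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample: one source hammers the login form, another logs in once.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2020:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2020:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2020:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2020:03:14:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2020:03:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2020:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2020:03:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2020:03:20:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs inside the window")
```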

During an analysis of network traffic, we noticed that one of the compromised sites was contacting another domain continuously.

The domain was styleofphucet[.]at. Surprisingly, this one also has high query volume.

Example showing that the higher the query volume of the command-and-control server, the more the sites have been compromised - Cisco Umbrella Blog

This domain was repeatedly contacted during the same compromise that included network callouts to detroidcliper[.]at.

While researching this attack further, we found a domain that was embedded in pages of many compromised domains. It hosted an open directory that was very revealing. Inside the directory, we found almost all of the WordPress domains related to the attacks.

Example of a WordPress directory where we found almost all the domains involved in the attacks - Cisco Umbrella Blog
Example of a massive amount of random text that may be browser history of victims - Cisco Umbrella Blog

We observed that a massive amount of random text was collected and stored by the attacker. After closer analysis, we realized that it may be browser history of victims.

Why would an attacker store a random massive list of browser history? Isn’t this strange?

We believe that attackers use this browser history to search in various search engines for vulnerable domains using a bot. Any of those domains may become the target.

Also, the attackers use the sitemap for the pages they have hosted and let the bots crawl them. This way, when a user searches for a website, they get the pages that are hosted by the attackers instead of what they intended to visit.

How can WordPress administrators protect themselves from these kinds of exploits? Whenever a WordPress site is being hosted, the administrator has to make sure that all security requirements are met. So many attacks that are happening today are because of a lack of security controls, use of weak passwords, and because of vulnerable themes and plugins.

Here are some best practices to protect WordPress sites:

  1. Use a strong password and change it regularly
  2. Use adequate access controls
  3. Update plugins and themes

By taking these types of measures, you can reduce the attack surface so that your site is less likely to be compromised.

With Cisco Umbrella, you get instant access to interactive threat intelligence that lets you conduct investigations and uncover attacks before they start. Our recursive DNS servers resolve more than 200 billion requests per day, so we can see the relationships between malware, domains, IPs, and networks across the internet. Our threat analysis learns from internet activity patterns to automatically identify attacker infrastructure being staged for the next threat.

Learn more about how predictive intelligence can make a difference in your ability to stop threats by reading our technical paper, The Role of Predictive Intelligence in the Fight Against Cyber Attacks.

Check out our recent article on threat intelligence to dive into pandemic-themed phishing attacks and uncover how attackers orchestrate sophisticated campaigns to take advantage of the current pandemic.

IOCS

Possible Compromised sites:
https://github.com/minakushi/Domains

Hash:
593b2c9292dc36ab619453bb7d8480f78d5d1e04e811f5f1f8d9b612de771718

Uris:

Source :
https://umbrella.cisco.com/blog/inadequate-security-makes-wordpress-sites-a-land-of-opportunity-for-hackers

DoH! What’s all the fuss about DNS over HTTPS?

Cisco Umbrella now supports DoH

Not all DNS services are created equal. Some break. Some fail to connect to domain servers. Speeds can vary, and if not kept up to date, some DNS services can affect the ability to work efficiently. But with more than a decade of leadership in recursive DNS services (13+ years and counting!), Cisco Umbrella boasts significant advantages when it comes to understanding how both legitimate and non-legitimate parties register domains, provision infrastructure, and route internet traffic.

Back in the old days when we were known as OpenDNS, we started with the mission to deliver the most reliable, safest, smartest, and fastest DNS resolution in the world. It was a pretty tall order, but we did it — and we’re still doing it today under our new name, Cisco Umbrella. (Here’s one for the trivia champions: OpenDNS was acquired by Cisco on August 27, 2015.)

In fact, TechRadar Pro recognized us as having the best free and public DNS server for 2020. You don’t have to take our word for it — check it out here. But just because we’re the best doesn’t mean we’ll stop innovating.

We recently announced support for DNS over HTTPS, commonly referred to as DoH, a standard published by the Internet Engineering Task Force (IETF). Cisco Umbrella offers DNS resolution over an HTTPS endpoint as part of our home and enterprise customer DNS services. Users may now choose to use the DoH endpoint instead of sending DNS queries over plaintext for increased security and privacy. DoH can increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. In addition, when DoH is enabled, it ensures that your ISP can’t collect personal information related to your browsing history. It can often improve performance, too.

How does it work?

DoH works just like a normal DNS request, except that the query travels inside an HTTPS connection (and therefore over the Transmission Control Protocol, TCP) to transmit and receive queries. Both requests take a domain name that a user types into their browser and send a query to a DNS server to learn the numerical IP address of the web server hosting that site. The key difference is that DoH sends the DNS query to a DoH-compatible DNS server (resolver) via an encrypted HTTPS connection on port 443, rather than in plaintext on port 53. DoH prevents third-party observers from sniffing traffic and learning what DNS queries users have run or what websites users intend to access. Since the DoH (DNS) request is encrypted, it is even invisible to cybersecurity software that relies on passive DNS monitoring to block requests to known malicious domains.

DoH is a choice, not a requirement

So what’s all the fuss about DoH? It all comes down to user privacy. And since privacy is a hot topic, it will continue to be blogged and chatted about wildly. To block or not to block DoH is a personal choice. Mozilla blazed the trail with the Firefox browser, but other vendors like Microsoft and Google recently announced plans to add support for DoH in future releases of Windows and Chrome. Mozilla started enabling DoH by default in version 69 of Firefox, and started rolling it out gradually in September 2019. Cisco Umbrella supports Mozilla’s ‘use-application-dns.net’ canary domain, meaning that Firefox will disable DoH for users of Cisco Umbrella.

Because DoH is configured within the application, the DNS servers configured by the operating system are not used. This means that the protection provided by Cisco Umbrella may be bypassed by applications using DoH. But don’t worry… you can block this feature easily with Umbrella, too. Most of our enterprise customers choose not to utilize DoH. It isn’t right for everyone.
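The encrypted request described above still carries an ordinary DNS message inside it. This added example (not code from the post, from Umbrella or from Mozilla) builds that message, encodes it as an RFC 8484 GET parameter, and applies the canary-domain rule to a constructed resolver reply, so nothing is sent over the network; the resolver URL is a placeholder.

```python
"""DNS wire format inside DoH, and the use-application-dns.net canary check.

Added example, not code from the Cisco Umbrella post or Mozilla. The resolver
replies are constructed locally; no query leaves this process.
"""
import base64
import struct

CANARY = "use-application-dns.net"
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Label-length encoding: 'a.b' -> b'\\x01a\\x01b\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Plain DNS query message (RFC 1035); RFC 8484 suggests txid 0 so HTTP caches can reuse it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """The message rides in the 'dns' parameter, base64url with padding removed (RFC 8484 4.1)."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def decode_doh_param(param: str) -> bytes:
    """Server side: restore the stripped padding, then decode back to the wire message."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def build_response(query: bytes, rcode: int, addr: str = "") -> bytes:
    """Constructed resolver reply echoing the question; only here to exercise the parser."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    answer = b""
    if addr:
        # owner name as a compression pointer to offset 12, type A, class IN, TTL 300, 4 bytes
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        answer += bytes(int(octet) for octet in addr.split("."))
    return header + question + answer


def parse_response(msg: bytes):
    """Return (rcode, [A record addresses]); handles the compression pointer used above."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    pos = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 1 + 4
    addrs = []
    for _ in range(ancount):
        if (msg[pos] & 0xC0) == 0xC0:  # two-byte compression pointer
            pos += 2
        else:
            while msg[pos] != 0:
                pos += msg[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


def canary_says_disable_doh(response: bytes) -> bool:
    """Firefox's rule: NXDOMAIN or no address for the canary from the OS resolver means
    the network operator has opted out, so the browser keeps using the OS resolver."""
    rcode, addrs = parse_response(response)
    return rcode == RCODE_NXDOMAIN or not addrs


if __name__ == "__main__":
    query = build_query(CANARY)
    print(doh_get_url("https://doh.resolver.example/dns-query", query))  # placeholder URL
    print("opt-out resolver:", canary_says_disable_doh(build_response(query, RCODE_NXDOMAIN)))
    print("normal resolver :", canary_says_disable_doh(build_response(query, RCODE_NOERROR, "192.0.2.1")))
```

The same bytes that port 53 carries in the clear are what the HTTPS body hides, which is why passive DNS monitoring on the wire cannot see them.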

Protect your Umbrella settings

Our team at Cisco Umbrella recommends that companies use enterprise policies to manage DoH on endpoints they control. For detailed help on how to proceed, check out this helpful article, GPO and DoH.

To block DoH providers and keep your Umbrella deployment settings follow these simple steps:

1. Navigate to Policies > Content Categories

2. Select the category setting that is currently in use.

3. Ensure that “Proxy/Anonymizer” is selected.

Example of settings to block DNS over HTTPS (DoH) providers - Cisco Umbrella Blog

4. Save.

Your users will now remain covered by Umbrella as Firefox gradually rolls out this change to their users.

How to disable DoH in Firefox

Firefox allows users (via settings) and organizations (via enterprise policies and a canary domain lookup) to disable DoH when it interferes with a preferred policy. For existing Firefox users that are based in the United States, the notification below will display if and when DoH is first enabled, allowing the user to choose not to use DoH and instead continue using their default OS DNS resolver.

Example of a Mozilla warning, regarding DNS over HTTPS (DoH) - Cisco Umbrella Blog

Reliable, effective protection with Cisco Umbrella

Cisco Umbrella is the leading provider of network security and DNS services, enabling the world to connect to the internet with confidence on any device. When connecting directly to the internet, organizations need security that is incredibly reliable and eliminates performance problems for end users. Umbrella is built upon a global cloud infrastructure that has delivered 100% uptime since 2006 and we provide automated failover for simplified deployment and management. By leveraging our extensive peering relationships with the top internet service providers (ISPs), content delivery networks (CDNs), and SaaS platforms, such as O365, Umbrella optimizes the routes between core networks and our cloud hubs, providing superior performance and user satisfaction.

Umbrella’s support for DoH is just another demonstration of our commitment to delivering the best, most reliable, and fastest internet experience to more than 100 million enterprise and consumer users (and counting).

For more information on DoH, visit our knowledge base.

Source :
https://umbrella.cisco.com/blog/doh-whats-all-the-fuss-about-dns-over-https

Working at Home? How to Protect Against Phishing During a Pandemic with Cisco Umbrella and OpenDNS

In the wake of this unprecedented global health crisis, cyber attackers have shown no mercy. Earlier this week it was reported that hospitals in the U.S. and Europe, which have been struggling for weeks with an influx of patients, are now dealing with yet another issue: a surge of phishing and ransomware attacks. Even amidst a pandemic, attackers are looking for ways to exploit our most critical institutions and take advantage of vulnerable people with malicious campaigns.

If we look back to the beginning of March, there were relatively few domains that even mentioned the words “COVID” or “Corona.” This is how quickly things have changed over the past month: On Friday April 3, 2020, there were more than 117,000 domains that included these keywords. Of those, more than 75,000 domains were phishing or otherwise malicious in nature. That means at least 65% of all domains with “COVID” or “Corona” are malicious!

Fortunately, the recent global events have demonstrated the resilience of the cybersecurity community to combat new threats. Security professionals have come together quickly to share knowledge and combat these bad actors. I’m proud to share that we have recently made a number of updates to the Cisco Umbrella and OpenDNS services to ensure that we are protecting our users against pandemic themed cyberattacks.

What are you doing to stay safe online at home?

As many of us are now working and spending a lot more time at home, it’s important to think about how you can stay safe online. The good news: Cisco can help.

To protect your family and home network, OpenDNS makes the web a safer place with customizable parental controls and basic security protection. And I should mention that it’s free and simple to get started with at home!

For enterprises, Cisco Umbrella delivers flexible, fast and effective cloud security so you can secure your remote workers, even in a matter of minutes. Cisco Umbrella combines multiple security functions into a single cloud-delivered service — helping you deliver the right level of security anywhere your users work.

How we protect against attacks

Our global cloud infrastructure resolves over 200 billion DNS requests daily, far more than any other security vendor, giving our researchers a unique view of the internet to better identify threats faster. We also have a team of industry-renowned researchers that are constantly finding new ways to uncover fingerprints that attackers leave behind, so that we have visibility into the bad neighborhoods on the internet. If a webpage you are trying to reach is malicious, we will stop the connection at the earliest possible point and give you a block page instead. Easy peasy!

How we block COVID-19 related phishing attacks

Our phishing category leverages indicators derived from multiple sources, including Cisco Talos intelligence, lexical clustering of domains, a natural language processing model, and a spike rank model, which detects sudden spikes of traffic to particular domains. Now, this phishing category also includes a blacklist of vetted COVID-19 URLs, domains, and IP addresses.

We update the phishing category continuously with the latest malicious indicators of compromise as provided via the COVID-19 Cyber Threat Coalition (CTC). This incredible organization is a global volunteer community of 2,500+ security professionals who are focused on stopping these bad actors, by carefully vetting IOCs for the security industry and sharing intelligence in this time of crisis.

All Cisco Umbrella enterprise users and OpenDNS consumer users are now getting protection from COVID-19 themed cyberattacks.

Click with caution: phishing tips to protect you

Now, more than ever, it is important to stay vigilant online. We see very sophisticated spam in these pandemic themed attacks. Generally speaking, the guidelines for identifying a phish have evolved. Think before you click, and keep in mind these helpful tips:

  • Don’t count on an obvious spelling mistake or grammatical error in order to identify that it’s a phishing email.
  • Avoid strangers by checking names and email addresses.
  • Keep in mind that the email could seemingly come from someone you know. Be wary of unusual requests, even from known senders.
  • Be extra cautious before you click! Hovering over links will not always show you the final destination of a URL. It could issue several redirects, which could result in landing on a different website.
  • Do not trust a website just because you see HTTPS. Threat actors can obtain certificates for creating HTTPS websites.
  • Never give out personal or financial information from an email request.

Get protection at home for free

It only takes one wrong click for cybercriminals to get a foothold into your network. Take steps to ensure that you are safely connecting to the internet.

Get started with the OpenDNS free home service or the Cisco Umbrella free trial today!

You can easily get protection in minutes. Also, you can extend the initial Cisco Umbrella 14-day trial period to 90 days by contacting the Cisco sales team. This offer will be available from now until July 1, 2020. Check out this blog for more information on additional security offerings Cisco is providing for free during this time of need.

Source :
https://umbrella.cisco.com/blog/working-at-home-how-to-protect-against-phishing-during-a-pandemic-with-cisco-umbrella-and-opendns