Cisco Umbrella combines DNS-layer security, threat intelligence, firewall and cloud access security broker (CASB) functionality into one cloud-delivered platform. Blumira integrates with Cisco Umbrella to collect, centralize and analyze your logs for patterns of attacker behavior, sending you prioritized findings with advice on how to respond quickly to prevent a breach.
Keeping up with the constantly evolving threat landscape is difficult, especially if you’re running a small IT or security team. Blumira’s incident detection engineering (IDE) team helps you stay ahead by doing all of the heavy lifting for you.
See our latest detections now available in our platform below:
Suspected DNS Tunneling
According to MITRE, attackers may abuse DNS (Domain Name System) to communicate with systems under their control within an organization’s network while disguised as normal, expected traffic.
Known as DNS tunneling, this technique can be difficult to detect and gives attackers a way to hide their communications while also providing a path for data exfiltration. Blumira’s finding detects DNS tunneling by identifying a large number of DNS requests to a single domain, more than most legitimate requests, then helps you figure out which next steps to take for response.
Malware
Cisco Umbrella blocks requests to access servers hosting malware and websites that are compromised through any application, protocol or port. In this finding, Blumira alerts you when Umbrella has observed a user making a DNS request to a specific domain categorized as Malware.
Since an allowed DNS request does not indicate whether the user successfully visited or reached the site, Blumira recommends you use a web proxy, network traffic logs, or endpoint data to confirm whether the user actually reached the aforementioned domain.
Command and Control
A command and control server is a computer controlled by an attacker or cyber criminal which is used to send commands to systems compromised by malware and receive stolen data from a target network. Cisco Umbrella prevents compromised devices from communicating with hackers’ command and control servers via any application, protocol or port and helps identify potentially infected machines on your network.
In this finding, Cisco Umbrella has observed an endpoint making continuous DNS requests to a certain domain categorized as Command and Control. This could be indicative of unwanted or malicious software beaconing. This endpoint should be investigated to determine the process making these requests.
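As an added illustration of the two detections described above (high-volume queries to a single domain, and queries to domains carrying a flagged category such as Malware or Command and Control), here is a small Python script written for this post; it is not Blumira or Cisco code. The log records are constructed in a simplified, assumed Umbrella-like shape (identity, action, domain, categories), not the vendor’s exact export schema, and base-domain extraction uses the last two labels with no public-suffix list.

```python
"""Added example: suspected DNS tunneling (many queries under one domain) and
category-based hits (Malware, Command and Control, ...) over DNS-layer log records."""
from collections import Counter

# Categories from the findings described in the post.
FLAGGED_CATEGORIES = {"Malware", "Command and Control", "Phishing",
                      "DNS Tunneling VPN", "Cryptomining"}

def registered_domain(fqdn: str) -> str:
    """Simplified base-domain extraction: last two labels, no public-suffix list."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()

def build_sample_log() -> list:
    """Constructed records in an assumed Umbrella-like shape (not the vendor schema)."""
    rows = [{"identity": "host-a", "action": "Allowed",
             "domain": "www.example.com", "categories": "Business"}]
    # host-b issues 30 queries with data-like labels under one base domain.
    for i in range(30):
        rows.append({"identity": "host-b", "action": "Allowed",
                     "domain": f"{i:04x}c0ffee.tunnel.example.net",
                     "categories": "Uncategorized"})
    rows.append({"identity": "host-c", "action": "Allowed",
                 "domain": "bad.example.org", "categories": "Malware"})
    rows.append({"identity": "host-c", "action": "Blocked",
                 "domain": "beacon.example.org", "categories": "Command and Control"})
    return rows

def analyze(rows, tunnel_threshold: int = 20) -> dict:
    """Return suspected tunneling as (identity, base domain, query count, distinct names)
    and category hits as (identity, domain, category, action)."""
    counts = Counter()
    names = {}
    category_hits = []
    for r in rows:
        key = (r["identity"], registered_domain(r["domain"]))
        counts[key] += 1
        names.setdefault(key, set()).add(r["domain"].lower())
        for cat in (c.strip() for c in r["categories"].split(",")):
            if cat in FLAGGED_CATEGORIES:
                category_hits.append((r["identity"], r["domain"], cat, r["action"]))
    tunneling = [(ident, base, n, len(names[(ident, base)]))
                 for (ident, base), n in counts.items() if n >= tunnel_threshold]
    return {"tunneling": tunneling, "category_hits": category_hits}

if __name__ == "__main__":
    result = analyze(build_sample_log())
    for ident, base, n, uniq in result["tunneling"]:
        print(f"Suspected DNS tunneling: {ident} -> {base} ({n} queries, {uniq} distinct names)")
    for ident, domain, cat, action in result["category_hits"]:
        print(f"{cat}: {ident} queried {domain} ({action})")
```

An "Allowed" category hit only shows that the request was made; as the post notes, proxy, network or endpoint data is still needed to confirm the host actually reached the domain.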
Unblocked Phishing Website
This finding is triggered when Cisco Umbrella observes a user making a DNS request to a certain domain that is categorized as phishing. Phishing sites are used by threat actors to collect sensitive information, like usernames and passwords.
Blumira provides a playbook to walk you through next steps, including advice on correlating DNS behavior with any relevant data (matched evidence) we provide alongside the finding to figure out if the user intentionally browsed to the phishing domain, as well as if they clicked on any links, entered credentials or downloaded any files from the site.
Unblocked DNS Tunneling VPN Website
Blumira alerts you when Cisco Umbrella has observed a user making a DNS request to a certain domain categorized as DNS Tunneling VPN. VPN (virtual private network) services can be used to tunnel data over the DNS protocol, allowing users to disguise their traffic. Threat actors can use this method to evade security controls intended to prevent unauthorized data transfer and access.
Crypto Mining
Cisco Umbrella blocks access to crypto mining pools (where cryptominers group together to share processing power to better obtain cryptocurrencies), as well as known web crypto mining source code repositories. In this finding, Blumira alerts you when Cisco Umbrella has observed a user making a DNS request to a certain domain that is categorized as crypto mining.
Newly Seen Domains
According to Cisco Umbrella, “Newly Seen Domains” identifies any domains queried for the first time within the past 24 hours by any user of Cisco Umbrella DNS service, and domains stay in the list for a period of 24 hours. Attackers often spin up new domains as part of new malware or phishing campaigns to bypass traditional signature-based security that blocks known bad websites.
Blumira’s new report surfaces these Newly Seen Domains along with all relevant information. Other new Cisco Umbrella reports available now for customers include:
Get Visibility Into Duo Admin Activity
Now you can send your Duo admin logs to Blumira for visibility into Duo admin panel activity to track policy changes, new users, new device enrollment, new applications and deleted applications. Detections are currently under development; stay tuned!
See our previous blog post, Product Update: New Detections for Microsoft 365 & Windows to learn more about our latest detection rules released this summer.