New Security Categories Added to Cisco Umbrella to Monitor and Block DNS Tunneling

Cisco has added two new security categories to Umbrella to help customers identify and analyze potentially harmful Internet traffic and security threats.

The two new categories – DNS tunneling VPN and Potentially Harmful – help customers manage the risk of DNS tunneling and identify and block data loss.

DNS tunneling encodes the data of other programs and protocols in DNS queries and responses. Anti-virus and anti-malware programs use DNS tunneling to obtain signatures for updating virus definition lists. While this use of DNS tunneling is legitimate, malicious actors can similarly use it to hide outbound traffic, such as communications between malware and C2 servers, or to hide the exfiltration of data.

Many organizations do not monitor for this type of traffic, so it can be difficult to detect data loss and malware communications. To help customers identify this malicious traffic, Cisco has incorporated the new DNS tunneling VPN as a security category within Umbrella.

Commercial DNS tunneling VPN services can be used to mask or hide traffic as DNS queries, reducing overall visibility. By enabling this security category, customers can monitor hidden traffic and mitigate the risk of data loss through DNS tunneling.

In addition to DNS tunneling VPNs, there are other types of DNS tunneling, which can similarly be abused. It is therefore important to monitor for these uses and block suspicious domains.
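One way to look for tunneling-like traffic in your own resolver logs, as an added example that is not from Cisco or the article: it groups queries by registered domain and flags domains that receive many unique, long, high-entropy subdomains. The thresholds, the two-label domain split and the sample queries are constructed assumptions, not Umbrella's detection logic.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample log of (client_ip, queried_name); not real traffic.
SAMPLE_QUERIES = [("10.0.0.5", f"{h}.example.com")
                  for h in ("www", "mail", "api", "cdn", "login", "static")]
# Eight queries carrying 40-character hex chunks, as encoded data would look.
SAMPLE_QUERIES += [("10.0.0.9",
                    hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
                    + ".exfil-demo.example") for i in range(8)]
# A single long CDN-style name: long and random-looking, but not repeated.
SAMPLE_QUERIES.append(
    ("10.0.0.7", "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.cdn.example.net"))

def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def split_name(qname, suffix_labels=2):
    """Return (subdomain, registered_domain).
    Assumption: the registered domain is the last two labels; production
    code should consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-suffix_labels]), ".".join(labels[-suffix_labels:])

def tunneling_candidates(queries, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Flag domains whose subdomains are numerous, long and high-entropy."""
    subs = defaultdict(set)
    for _client, qname in queries:
        sub, domain = split_name(qname)
        if sub:
            subs[domain].add(sub)
    flagged = {}
    for domain, names in subs.items():
        avg_len = sum(len(n) for n in names) / len(names)
        entropy = shannon_entropy("".join(names).replace(".", ""))
        # All three signals must agree, which keeps ordinary sites and
        # one-off long hostnames out of the result.
        if (len(names) >= min_unique and avg_len >= min_avg_len
                and entropy >= min_entropy):
            flagged[domain] = {"unique_subdomains": len(names),
                               "avg_len": round(avg_len, 1),
                               "entropy": round(entropy, 2)}
    return flagged

if __name__ == "__main__":
    print(tunneling_candidates(SAMPLE_QUERIES))
```

Legitimate lookups of the kind the article mentions, such as anti-virus signature queries, can match the same pattern, so flagged domains should be reviewed or allowlisted before blocking.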

These other DNS tunneling uses have been categorized as potentially harmful – the second new security category added to Umbrella. In this category are all domains that are potentially malicious, or as Cisco puts it, “I have a bad feeling about this” domains. Included in this category will be domains that cannot be linked to a specific type of service. Spikes in traffic to a specific domain – traffic above normal levels – could also be indicative of malicious activity. Under its Spike Rank Model, domains with high-level spikes would be classified as malicious, whereas lower-level spikes would see domains placed in the potentially harmful category. Based on their level of risk tolerance, customers will be able to monitor the results in reports, or block traffic.

The additional security categories will be incorporated into Umbrella and made available to customers from January 18, 2017.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.