Protecting the WFH workforce – Defending against COVID-19 malicious domains

Many organizations have implemented work from home (WFH) strategies due to COVID-19. This measure, although enabling business continuity for many, introduces increased risk to cyber threats and attacks.

Cisco Talos has been proactively hunting COVID related outbreaks, educating the public, and pushing these discoveries to all Cisco Security tools for blocking. I encourage you to read the Talos blog, “Threat Actors attempt to capitalize on coronavirus outbreak” and “Threat Update: COVID-19“.

Talos goes as far as to list ways that you can defend against COVID related attacks. Cisco Umbrella, in particular, can leverage threat intelligence from Cisco Talos, to uncover and block these malicious domains, IPs, URLs, and files that are used in attacks. It’s not just Talos intelligence that Umbrella can leverage, however. You can take advantage of 3rd party threat intelligence platforms (TIP) that you may have and create a completely robust, kickass defense for your work from home workforce.

Here’s how –

Turn on – Newly Seen DomainsAs part of Cisco Umbrella intelligence, some domains may be blocked as Newly Seen Domains (NSD). Newly created domains related to COVID-19 will also be flagged as NSD as long as they fit the criteria.

Third Party Integration: Umbrella support integrations with SIEM, threat intelligence platforms, or homegrown systems. This feature utilizes the ‘Enforcement API‘ in Umbrella.

Here are the default integrations.

In this case, I want to show you how to leverage a homegrown system. We’ll call it “COVID-19-BLOCK”

When you add a new integration, an API key is generated. This API key can be used to make requests to and from Umbrella.

Our homegrown system is nothing more than a simple python script that makes POST requests to Umbrella.

# Custom integration - ADD EVENT URL
import requests

url = "";

payload = "{\n    \"alertTime\": \"2013-02-08T11:14:26.0Z\",\n    \"deviceId\": \"ba6a59f4-e692-4724-ba36-c28132c761de\",\n    \"deviceVersion\": \"13.7a\",\n    \"dstDomain\": \"\",\n    \"dstUrl\": \"\",\n    \"eventTime\": \"2020-03-31T09:30:26.0Z\",\n    \"protocolVersion\": \"1.0a\",\n    \"providerName\": \"Security Platform\"\n}"
headers = {
  'Content-Type': 'application/json'
response = requests.request("POST", url, headers=headers, data = payload)


After running the script, we can confirm that our request to block the COVID-19 malicious domain was successful.

As you can see, we were successful in adding this malicious domain to our block list.

Now, take a moment to expand on this custom integration that we just made. There are roughly 70,000 COVID-19 malicious domains and growing daily. What if we were able to take all of the published COVID-19 molicous domains and add them to an Umbrella block policy like we did above?

I think that would make any CSO smile.



Secure Internet Gateway – Cisco Umbrella

As traffic patters change to a decentralized pattern, there needs to be a way to secure traffic to the cloud.

Today we will be talking about the Secure Internet Gateway (SIG), Umbrella formally OpenDNS.

Umbrella is a recursive DNS service, it resolves DNS queries. Almost everything starts out by making a DNS request.

The process of recursive DNS look-ups are pretty straightforward. Lets walk the process.

  1. A user opens web browser and types in
  2. Umbrella, the recursive DNS services queries a root server. The root server only has top level domain IPs for top level domain servers. Eg. (.com, .net). The root server will reply to Umbrella “I’m not sure, but here is the IP for the .com server, ask them”
  3. Umbrella queries the TLD server (.com). The TLD server stores information on the Authoritative Name Servers for domains that end in (.com). The TLD server will reply to Umbrella “I’m not sure, but here is the IP for the Authoritative Name server, ask them”
  4. Umbrella now has the IP address of the Authoritative Name Server for, Umbrella will ask Amazon’s Authoritative Name Server, what is your IP address of your Amazon web site.
  5. Amazon will reply with the IP of their website. Umbrella will return the web page to your browser.Screen Shot 2018-10-08 at 11.28.00 AM

There are three scenarios when resolving DNS with Umbrella.

  • Safe – Determined as a safe DNS request. Returns IP-to-URL mapping.
  • Block – Determined as unsafe/malicious DNS request and your request is blocked. The request is blocked by a block page. A block page is configured by an administrator.
  • Inspect – Determined as a risky DNS request. Sites like peer-2-peer hosting could be considered risky. In this scenario Umbrella returns the IP address of the Umbrella proxy so that the site can be inspected.

The Inspect scenario is where Umbrella gets interesting. Proxys are now involved in the scenario. Instead of just seeing the top level domain of a URL, the proxies now inspect the entire URL and web content. It leverages AV definitions, AMP and Talos to determine the sites reputation and content.

How does Umbrella determine a site to be malicious vs non-molicous?

This recursive process is processed by algorithms known as “models” that monitors request patterns,  malicious traffic, and abnormal behavior. The output from multiple models is how a domain is determined malicious or non malicious.

Some of these models:

  • Co-Occurance model
  • Spike Rank Model
  • Predictive IP space monitoring

Umbrella Investigate is a built in capability that can give you some offensive tools when responding to security incidences.

Screen Shot 2018-09-26 at 3.00.41 PM

Investigate provides real time intelligence on domains and IPs across the Internet to help uncover anomalies and pinpoint malicious domains/IPs. Access to the intelligence is done through web console or api for you to integrate your current security infrastructure with Investigate.

Screen Shot 2018-09-26 at 3.12.20 PM

How do you use Umbrella?

Simply point your DNS to the Umbrella DNS servers. You can do this in several ways.

  • DHCP
  • The ISR 4K version 16.6.1, any traffic passing through the router will use Umbrella
  • Generate an API key through the Meraki Dashboard, integrate it into the Meraki MR
  • Out of the box integration with  Viptal vEdge
  • Cisco Any Connect (Roaming Devices)
    • AnyConnect Umbrella Roaming module
    • If not using AnyConnect, install standalone roaming client

If your clients are using the AnyConnect Umbrella module, the DNS is intercepted by the kernal driver that is sitting at the network adapter. This is the same process that AnyConnect uses when using VPN.

Screen Shot 2018-09-26 at 3.41.16 PM

If your clients are using the roaming client, all DNS requests from any running application are pointed to and then handled by the roaming client.

Where are the Umbrella DNS servers located?

The Umbrella Data Centers are Co-Located at Major IXPs, this enables best path selections throughout the Internet via BGP. Anycast routing  is used for reliability to the DNS resolvers with no additional latency. Anycast routing improves functionality by sending your traffic to the closest data center and provides redundancy.

You can view the location of the Data Centers and the status of Cisco Umbrella systems through this link.

Data Center Locations

For more information see the documentation page Umbrella Documentation