Cyber defense? Cisco Umbrella and Investigate

(by Alessandro Rugolo)
25/01/18

The term "cyber" has now entered the common vocabulary and, combined with other terms such as "attack", "defense" and "operations", delimits a very specific sector of the wider cyberspace.

Today I want to deal with cyber defense, and in this regard I turned to Cisco, who introduced me to its solution called "Umbrella". In particular, my Cisco guides on this security journey were Giovanni Di Venuta, pre-sales technical representative for the Defense market, Paolo Carini, Cloud Security solution expert, and Alessandro Monforte, head of commercial relations for Cloud Security solutions.

With the introductions made, let's start from the beginning: what is Cisco Umbrella?

Cisco Umbrella is a cloud solution that provides a first line of defense (a security umbrella, as the name suggests) to those who need to reach out onto the Internet.

The operation of Cisco Umbrella is relatively simple, even if its effectiveness rests on very complex technological solutions.

Let's see, in short, how it works.

To explain how it works, it is worth mentioning that Cisco Umbrella comes from Cisco's acquisition of OpenDNS, which has historically offered a reliable, secure and low-latency DNS (Domain Name System) service. Cisco Umbrella combines the typical features of DNS with security, i.e. based on the domain of the website requested by the user, it applies the appropriate security policies.

To be clearer: if an employee on a company computer is browsing the Internet through a browser and asks to access a specific web page, the access request is "mediated" by Cisco Umbrella (acting as the DNS resolver), which checks whether that web address is listed as dangerous; if it is, the user is shown a web page informing them that the requested page is not available for security reasons.

The user can therefore continue their activity without further problems and, above all, without running the risks associated with browsing a dangerous site.

But how does Umbrella know that the site is dangerous? And are we sure it really is? What is the percentage of "false positives", that is, errors made by Umbrella that classify as "dangerous" a site that is not, or as "reliable" a site that is instead "dangerous"?

The routine work of Cisco Umbrella is to gather information from the Internet and about the Internet: from the Internet, because Umbrella's infrastructure is in the cloud and to date receives around 125 billion DNS requests per day; about the Internet, because it collects data and information on the Internet's infrastructure, on the networks that are part of it, on domains, on autonomous systems, on IP addresses, on who owns them, on cyber attacks, on their origin, and so on.

In this way Umbrella can learn how sites are interconnected with each other from an infrastructural point of view, and thus obtain information on the "attackers".

Data and information are correlated through proprietary algorithms that make it possible to understand in which part of the Internet the greater risks lie and, on that basis, to prevent connection to a certain area even when a specific application or user requests it. One of Umbrella's features is also to be predictive in the security analysis of a new website, and thus to block new threats before they appear.

Cisco estimates that the percentage of false positives is very low, about 1/10,000; this means that, statistically, one in every 10,000 domains classified as malicious is not.

The information is nonetheless updated continuously, so that what is a false positive at this moment will probably be corrected a few minutes later; this is because data collection and predictive analysis are incessant. Below is a representation (produced with OpenGraffiti, a free 3D visualization tool used to analyze data) of the infrastructure network supporting a well-known botnet (MIRAI), from which it is possible to graphically analyze the interactions between domains, autonomous systems, and IP / email addresses used by the attackers.

The Cisco Umbrella solution has been in operation for several years and is based on a huge data collection and analysis infrastructure: 26 data centers distributed worldwide (see map).

Cisco Umbrella was born from the idea of David Ulevitch, who in 2006 (at the age of 25!) founded a company called OpenDNS, based in San Francisco. The company was intended to provide DNS (Domain Name System) and security services, and still does so.

OpenDNS continues to exist and provides free services to non-professional customers, while Umbrella provides paid services to companies and organizations. With the acquisition by Cisco, the OpenDNS solution also makes use of Cisco's security intelligence, Talos, formed by a team of researchers dedicated to threat intelligence analysis.

The power of the system rests on the statistics of large numbers and on the predictive analysis carried out continuously on the graph database that contains all the infrastructural information we talked about before. For this reason, even individual users are welcome: even if they do not bring direct profits, they contribute data useful for analysis.

But how is Cisco Umbrella implemented? Implementation is very simple: it is enough to configure Cisco Umbrella as the organization's DNS resolver for public (Internet) requests. In addition to resolving the domain requested by the user, the security policies set by the security admin on the Cisco Umbrella dashboard are applied.
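To make the DNS-layer mechanism described above concrete (policy lookup at resolution time, block page instead of the real answer, and the admin-side review of which internal clients keep hitting blocked domains), here is an added toy model; it is illustrative code, not Cisco's or OpenDNS's, and the block list, block-page address, zone data and query log are all constructed.

```python
"""Toy model of DNS-layer policy enforcement, in the style the article describes.
Added example, not Cisco/OpenDNS code: every domain, address and log line below
is constructed for illustration.
"""
from collections import Counter

# Constructed policy: domains (and all their subdomains) classified as malicious.
BLOCKED_DOMAINS = {"malware-c2.example", "phish-login.example"}
# Constructed address of the "page not available for security reasons" notice.
BLOCK_PAGE_IP = "192.0.2.10"
# Constructed stand-in for ordinary resolution; a real resolver queries upstream.
FAKE_ZONE = {"intranet.example": "198.51.100.5", "news.example": "198.51.100.7"}

def is_blocked(domain: str) -> bool:
    """True if the domain or any of its parent domains is in the block policy."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def resolve(domain: str) -> tuple[str, str]:
    """Return (verdict, answer): the block page if blocked, else the real answer."""
    if is_blocked(domain):
        return "blocked", BLOCK_PAGE_IP
    return "allowed", FAKE_ZONE.get(domain.lower().rstrip("."), "NXDOMAIN")

# Constructed query log, one "<client_ip> <queried_domain>" per line.
QUERY_LOG = """\
10.0.0.21 intranet.example
10.0.0.21 news.example
10.0.0.42 login.phish-login.example
10.0.0.42 cdn.malware-c2.example
10.0.0.42 malware-c2.example.
10.0.0.77 news.example
"""

def blocked_per_client(log: str) -> dict[str, int]:
    """Count blocked queries per internal client: repeated hits on blocked
    domains are what an admin reviewing the dashboard would follow up on."""
    hits = Counter()
    for line in log.splitlines():
        client, domain = line.split()
        verdict, _ = resolve(domain)
        if verdict == "blocked":
            hits[client] += 1
    return dict(hits)

if __name__ == "__main__":
    for name in ("news.example", "cdn.malware-c2.example"):
        print(name, resolve(name))
    print(blocked_per_client(QUERY_LOG))
```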

It is easy to understand that the huge amount of data available to Cisco represents great added value for anyone interested in analyzing the infrastructures from which they are attacked, or which simply interact frequently with their own. Cisco provides access to this data through the solution called "Investigate", usable through a console (dashboard) or through programming interfaces (API); this offering is generally aimed at the part of the organization responsible for vulnerability analysis and IT investigations (for example the CERT and/or SOC).

https://www.opendns.com/data-center-locations/

What I want to say is that by using "Investigate" it is possible to understand whether your organization is under cyber attack, or has been in the past, and whether you have been the target of a global, sector-wide or targeted attack. You can also obtain information about domains and their security level, and retrieve information on attacker networks (where a malicious domain was registered, by whom, and so on).

One might think that this is useless information as it is outdated, but this is not always the case.

Being able to understand that you have been the target of a cyber attack that was not recognized as such can have organizational implications, for example by pushing the organization to invest more in cyber security personnel in order to reduce the risk, and this is clearly a high-level decision.

Let's leave the floor to Cisco Umbrella's numbers in terms of infrastructure used and data managed, which in this case are truly representative:

- 26 data centers distributed all over the world (see map);

- 160 countries from which information is collected;

- 15 thousand companies use the Umbrella services;

- about 100 million active users per day;

- 125 billion daily DNS queries analyzed.

These data are continuously updated and are visible at the following link.

From these numbers it is possible to understand that Cisco (through Umbrella, formerly OpenDNS) has a knowledge of the Internet that probably no other security operator has.

But what importance can Cisco Umbrella have for a military organization?

Today's military organizations need huge amounts of data, from the most trivial, such as time synchronization, to the most complex, such as meteorological forecast data flows, passing through the data flows concerning the supply needs of units (spare parts) or those related to the proper functioning of computer systems.

These data are not always confined to the intranet (classified or not) of the military organization; on the contrary, they are often received or transmitted over the Internet.

The fact is that really "isolated" systems are practically non-existent.

Digitization is pushing the armed forces to equip themselves with increasingly complex systems, which often require the intervention of specialists from industry; this means that the security perimeter becomes ever more extensive, increasing both complexity and the need for control.

As well as being a security tool, Cisco Umbrella can be a useful aid to cybersecurity analysts, since it provides data and information on the structure of the Internet and on the risks related to that network, together with intelligence analysis tools (Investigate is one of them).

Naturally, the use of sophisticated tools requires personnel trained in the sector, a preparation that cannot be left to the good will of the individual operator but must be part of a well-structured training path for the cybersecurity operator.

The possibility of preventing attacks by blocking dangerous DNS requests, together with the predictive analysis capabilities, also makes it a useful tool for monitoring a possible attacker and, potentially, for carrying out a preventive action, if deemed necessary and authorized by the relevant legislation.

An appropriate cyber defense strategy requires the assessment of the multiple risk factors associated with operating technological platforms. Moreover, the operating infrastructure that provides the Umbrella service is itself subject to constant and varied attempts at compromise. For this reason, and to keep the service always operational and available (since its launch in 2006, Umbrella has served 100% of DNS requests), OpenDNS and Cisco have constantly invested in technologies and procedures to implement, develop and maintain an adequate defense strategy.


To learn more:

- https://umbrella.cisco.com/products/our-intel

- https://learn-umbrella.cisco.com/datasheets/investigate-from-opendns

- https://www.talosintelligence.com/

(photo: web / US Air Force)