What is Cisco Umbrella Security Service? Discussion – Use Cases – Features

In recent years Cisco have been focused on building their cloud and software defined networking portfolio through the acquisition of smaller companies such as Viptela and OpenDNS among others.

In this article we will focus on Cisco Umbrella, explain what it is, discuss how it can protect your network etc.

A Brief History of Cisco Umbrella

OpenDNS was founded in 2006 and started out by supplying DNS services and DNS security to home users and small businesses.

By 2012 OpenDNS had grown into a successful business and were able to support large enterprises with a new cloud security platform that built upon their success with DNS security. This new cloud platform was called Umbrella.

By 2013 OpenDNS had added intelligence services to the platform which aided in determining which IP Addresses or DNS domains were safe or unsafe and launched a new service called OpenDNS Investigate.

In 2015 OpenDNS was purchased by Cisco and the Umbrella platform was rebranded as Cisco Umbrella. Interestingly the security of OpenDNS is still available to home users for free.

What is Cisco Umbrella Used for?

Cisco Umbrella is a cloud-based Domain Name Service (DNS) Security Solution which Cisco markets as a ‘first line of defence’ against internet sourced threats such as Malware, Ransomware and Phishing campaigns.

DNS is used to map human friendly names such as www.google.com to a computer readable IP address. DNS is one of the most crucial services required for Internet access and other network communication.

Many companies today rely on connectivity to applications that are running on servers out in the cloud rather than on premise.

This makes the task of protecting internal users from external threats using Firewalls alone a very difficult task.

This is especially difficult when a large portion of the corporate workforce may by located and working outside of the corporate infrastructure such as working from home.

The goal of Cisco Umbrella is to use DNS to block threats at the source by preventing users from accessing domains that are known to be malicious and aims to prevent Malware or Viruses from ever reaching the end users’ machine.

When a user’s computer or other host tries to access an Internet resource, it first queries the Umbrella DNS service to resolve the IP address of the destination.

If the destination target is known by Umbrella service to be malicious, the user is not allowed to access the target resource.

Major Security Threats out there

Any network which is connected to the internet is vulnerable to attacks by people who are looking to penetrate this network and exploit what lay within.

There are several reasons motivating hackers such as financial gain, political motivation, terrorism or simply for the fun and notoriety of being responsible for bringing down the network of a large corporation.

There are many methods that can be used by these ‘threat actors’ to gain access to a corporation’s network but the growing trend is to deliver a piece of malicious software that is known as Ransomware or other backdoor ATP to an internal user who unwittingly runs this malicious code on their system.

This software is often delivered through a targeted phishing campaign where the end user receives an email, which they believe to be from a legitimate and trusted source.

The malicious software payload is often disguised as a harmless attachment within this email and pretends to be something harmless like a PDF invoice or a word document. When this attachment is opened the software lurking within is activated.

How does Cisco Umbrella Work?

Umbrella works by protecting corporate end devices from threats such as ransomware by routing the end devices’ DNS requests through the Umbrella proxy service which is located on the cloud.

This service uses machine learning and a domain reputation-based system to determine which internet domains and which IP addresses are potentially unsafe and prevents the end users from accessing the systems within these locations.

When files are downloaded from the internet these downloads are routed through the Umbrella proxy service and scanned by an antivirus service and/or the Cisco Anti-Malware service AMP.

If the download is determined to be unsafe it is discarded and not forwarded onto the end user.

To connect a device to the Umbrella service, the DNS address which points to the Umbrella cloud is configured either on a software agent installed on individual machines or configured directly into Cisco Edge routers such as ISR’s or configured internally on Cisco Wireless Lan Controllers.

How does Cisco Umbrella stop ransomware and malware?

To break down the processes that threats such as ransomware use to attack networks, the company Lockheed Martin developed a framework that is used by security professionals to understand how malware applications are able to target, infect and then spread throughout an organization. This process is also known as a “Cyber Kill chain”.

Umbrella is designed to block certain stages of this kill chain which prevents the process from completing.  The stages of a cyber kill chain are as follows:

IDENTIFY & RECON – The target victims of ransomware can be chosen at random or via email lists that are available on the dark web from previous security breaches, or they may be explicitly targeted via phishing campaigns.

INITIAL ATTACK – The initial attack happens when the infected payload is successfully delivered to the victim system via download and is then installed to deliver the package.  

COMMAND AND CONTROL – At this stage the ransomware package has been delivered to the system and is installed and starting to take action. Usually, the next step the malware will take is to try and establish a connection with its command-and-control network which is often called C2 activity. Command and control require the use of malicious IP’s and anonymous network connections while it attempts to download key data.

DISCOVER AND SPREAD – The spreading of the ransomware is often completed by other forms of malware or trojans before the actual ransomware is deployed however there are some types which are known as Crypto Worms which attempt to infect system files and attempts to spread to other machines.

EXTRACT AND EXFILTRATE – With ransomware the extraction stage is the point where the ransom is paid, and money is exfiltrated from the company. At this stage it is already game over and without the encryption keys it is almost impossible to diminish the infection on affected systems.

At Stage 2 of the kill chain, this is where the targeted user is sent a carefully crafted phishing email which contains the malicious package.

The email would be made to look exactly like it is coming from a legitimate source and would contain the correct company logos, links back to the real corporate website and even the signatures may look legitimate with the correct phone numbers and contact details for the sender.

The domain that the email is sent from however would be false and again made to look like the real deal by maybe adding another character to the domain such as an extra “I” or a “0” instead of an O which can be missed by even tech savvy users.

This is the first stage where Umbrella can effectively break the Kill chain. By using machine learning and its reputation system Umbrella would be able to detect that the link the user has clicked on is directing them to either a domain with a poor reputation score or, if it is a newly registered domain, a domain with zero reputation.

Then it would take action to block the connection and redirect the user to a safe self-generated page which would warn the user that they may have been the victim of a phishing email with instructions on how they should proceed.

At stage 3 Umbrella again breaks the chain by using DNS and IP layer security to detect this outbound connection from the malware to its command-and-control server, block the download of the encryption keys and prevents any further communication with the C&C server which disrupts the ransomware and prevents it from fulfilling its task.

The Management interface for Umbrella is accessed through a Web GUI that connects to the service in the cloud.

This management pane is able to show the Network Admin statistics on all blocked connections on a per machine or per user level.

The management pane can also provide information on machines which may already be infected and are attempting to connect out from the corporate network to malicious domains.

Cisco Umbrella features

Like many of Cisco’s products, the features that are available with Umbrella depend on which level of licence has been purchased. There are 4 packages that are available:

• DNS Security Essentials
• DNS Security Advantage
• SIG Security Essentials
• SIG Security Advantage

Depending on the package purchased, Cisco Umbrella has the following features:

• Secure Web Gateway
• Cloud Access Security Broker
• DNS Layer Security
• Cloud Based Firewall
• Data Loss Prevention
• Remote Browser Isolation
• XDR and Threat Intelligence
• User Attribution
• Traffic Forwarding
• Management
• Reporting and Logs

More information on the available packages can be found here: https://umbrella.cisco.com/products/packages

Some Use Cases of Cisco Umbrella

There are many success stories that can be heard from companies which were struggling with Malware infections disrupting their businesses.

Many of these success stories can be found here: https://learn-umbrella.cisco.com/case-studies

Many of these Customers have chosen to use Cisco Umbrella to solve a particular problem that they have faced when dealing with Malware infections. The Most common Use cases are:

• Malware protection for a remote workforce.
• GDPR compliance and preventing data exfiltration.
• Faster incident response through faster identification of infected devices.
• Enforcement of company policy through URL and Web filtering.
• Identification of Shadow IT where users are using different cloud applications than the rest of the company.

Some Cisco Umbrella Competitors

Umbrella is currently the market leader for DNS security but there are many, many other companies which are competing for the Secure Web Gateway Market.

They all offer very similar features and according to Gartner.com the following products are currently the most popular alternatives to Umbrella.

• Zscaler Internet Access
• Forcepoint Web Security (Appliance)
• McAfee Web Gateway
• Kaspersky Security for Internet Gateway
• Symantec ProxySG
• Netskope NextGen SWG
• iboss cloud
• Trend Micro InterScan Web Security

Other vendors who offer a similar service are TitanHQ, Barracuda and Palo Alto Networks.