Ransomware is more dangerous than ever before. Why? It’s partly because successful attacks don’t just affect the victim anymore.
Take the Colonial Pipeline attack as an example. As reported by Reuters, the ransomware infection didn’t just disrupt the flow of fuel to cities directly served by the Colonial Pipeline. It also caused panic buying of gasoline in cities like Miami and Tampa—locations that don’t rely on the pipeline for fuel. Such activity drove up the price of gas by 20-30 cents in some areas.
Simultaneously, ransomware actors are looking to profit off successful attacks as much as possible. Per Threatpost, malicious actors are turning to customers, partners, and other third parties who are related to the initial victim. Sometimes, they’re targeting these entities with ransom demands of their own. Other times, they’re using the threat of a data leak to pressure them into contacting the initial victim and demanding that they fulfill the attackers’ demands.
These sources of collateral damage explain why ransomware attacks have become so costly, with Bloomberg reporting that some companies end up paying tens of millions of dollars in ransom. Clearly, organizations need to defend themselves against ransomware if they’re going to avoid these and other recovery costs.
Investigate Cisco Umbrella Activity on the Endpoint
What if you could stay safer from ransomware, however it may attempt to get into your network?
Cisco helps reduce the risk of ransomware infections with a layered defense approach from the endpoint to the cloud edge. We deliver integrated defenses that work together, so that what one product sees can drive the response in another.
In particular, Cisco Umbrella and Cisco Secure Endpoint form the first and last lines of defense in your security architecture. With SecureX, you can combine the intelligence of these products to get deeper visibility into your environment and defend against threats like a ransomware infection.
Within Cisco Umbrella, we can look at the different events that it logs while monitoring DNS traffic. The Activity Search page shows information such as Identity (from Active Directory configuration), DNS Type, Internal IP, External IP, and the action that Umbrella took on each event.
As security analysts investigating malicious traffic that Umbrella blocked, we can gain further visibility into what happened by using the internal IP address of each event to identify the corresponding endpoint. From there we can pivot from Umbrella directly into Orbital Advanced Search, part of Cisco Secure Endpoint.
Orbital allows you to query endpoints live. We provide 200+ predefined queries mapped to MITRE ATT&CK. These queries can be customized as needed. The results of your queries can be stored in the cloud or sent to other applications such as Cisco SecureX Threat Response for further or future investigations.
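The pivot described above, as an added Python example (it is not Cisco's code and not the demo shown on this page): it reads blocked DNS events with the fields the Activity Search page shows, resolves each internal IP to the endpoint that held it at that moment using a DHCP lease table, and builds the osquery SQL you would run through Orbital on that host. The log columns, the lease table, the domains and the hostnames are constructed for this example and are not Umbrella's export schema; `dns_cache` is osquery's Windows DNS-resolver-cache table. The time-bounded lookup is the practitioner's check here: on a DHCP network the same internal IP belongs to different machines over a day, so an IP-only pivot can name the wrong endpoint.

```python
"""Pivot Umbrella-blocked DNS events to the endpoint that made them, then build the Orbital query."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events with the fields the Activity Search page shows (simplified
# columns, not Umbrella's export schema).
ACTIVITY_CSV = """timestamp,identity,internal_ip,external_ip,dns_type,domain,action
2021-06-01T10:02:11Z,CORP\\jsmith,10.1.4.23,203.0.113.8,A,updates.example.com,Allowed
2021-06-01T10:05:40Z,CORP\\jsmith,10.1.4.23,203.0.113.8,A,bad-c2.example.net,Blocked
2021-06-01T10:06:02Z,CORP\\jsmith,10.1.4.23,203.0.113.8,TXT,bad-c2.example.net,Blocked
2021-06-01T14:30:00Z,CORP\\akumar,10.1.4.23,203.0.113.8,A,evil-drop.example.org,Blocked
"""

# Constructed DHCP lease history: the same address changed hands during the day, so
# the IP -> endpoint pivot must be bounded by the event time, not keyed on the IP alone.
LEASES = [
    ("10.1.4.23", "WS-JSMITH-01", "2021-06-01T08:00:00Z", "2021-06-01T12:00:00Z"),
    ("10.1.4.23", "WS-AKUMAR-02", "2021-06-01T13:00:00Z", "2021-06-02T01:00:00Z"),
]

def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the samples above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def host_for(ip, when, leases=LEASES):
    """Hostname that held `ip` at datetime `when`, or None if no lease covers that moment."""
    for lease_ip, host, start, end in leases:
        if lease_ip == ip and parse_ts(start) <= when < parse_ts(end):
            return host
    return None

def blocked_by_endpoint(csv_text=ACTIVITY_CSV, leases=LEASES):
    """Group the domains Umbrella blocked by the endpoint that held the internal IP at that time."""
    grouped = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] != "Blocked":
            continue
        host = host_for(row["internal_ip"], parse_ts(row["timestamp"]), leases)
        key = host or f"unresolved:{row['internal_ip']}"   # no covering lease: flag it, don't guess
        grouped[key].add(row["domain"])
    return {host: sorted(domains) for host, domains in grouped.items()}

def orbital_dns_query(domains):
    """osquery SQL to run through Orbital on the identified host: which of the blocked names
    are present in the Windows DNS resolver cache (osquery's `dns_cache` table)."""
    quoted = ", ".join("'" + d.replace("'", "''") + "'" for d in sorted(domains))
    return f"SELECT name, type FROM dns_cache WHERE name IN ({quoted});"

if __name__ == "__main__":
    for host, domains in blocked_by_endpoint().items():
        print(host, "->", orbital_dns_query(domains))
```

With the constructed data the two blocked domains land on two different hosts even though every event carries the same internal IP; an event whose timestamp falls in no lease is reported as `unresolved:<ip>` rather than attributed to whichever host held the address most recently.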
Below, you can see how the SecureX Ribbon works in action, allowing us to use Orbital Advanced Search and query our endpoints without even leaving Umbrella.
Watch one of our Technical Marketing Engineers talk through the demo scenario live.
For more information on SecureX: https://www.cisco.com/c/en/us/products/security/securex/index.html
To start a free trial of Cisco Secure Endpoint: https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html
To start a free trial of Cisco Umbrella: https://signup.umbrella.com/
To view an Umbrella / Secure Endpoint joint webinar we conducted recently, click here
Apply Endpoint Intelligence to DNS Security Automatically
When Cisco Secure Endpoint detects Indicators of Compromise (IOCs) on a device, the event often contains DNS information that is valuable to Cisco Umbrella. In most cases Cisco Umbrella will already have determined the disposition of a particular destination, but in certain situations we can use what we learn on the endpoint to have Umbrella block destinations that previously had an unknown disposition.
SecureX Orchestration improves your organization's efficiency by letting you build and run automated workflows. This sample workflow connects Cisco Umbrella, Cisco Secure Endpoint, and Webex Teams. It runs on a schedule, so newly observed endpoint IOCs reach Umbrella without waiting for an analyst to act on them.
SecureX Orchestration workflows can run regularly on a time interval of your choosing. This workflow is designed to check for Cloud IOCs from Cisco Secure Endpoint and then check to see if Umbrella has a disposition already for a particular URL.
If Cisco Umbrella already has a disposition, the workflow moves on to the next URL. If it does not, that URL is automatically added to the Umbrella Block List. Finally, a Webex message with the details of what was blocked and the circumstances around it is posted to the security team's Webex space.
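The decision logic of that workflow, written out as an added Python example. It is not the SecureX Orchestration workflow itself (which is built in the SecureX UI), and the three integrations are replaced by in-memory stand-ins so it runs offline: `sample_lookup` stands in for an Umbrella Investigate domain-status query (Investigate reports -1 for malicious, 0 for unknown, 1 for benign), `WorkflowState.blocklist` for the Umbrella destination list, and `WorkflowState.messages` for the Webex post. The IOC records, domains, hostnames and the allowlist are all constructed for this example.

```python
"""Scheduled pass: Secure Endpoint cloud IOCs -> Umbrella disposition -> block + Webex notice."""
import re
from dataclasses import dataclass, field

# Constructed IOC events, shaped like records a cloud-IOC feed might yield (not the real schema).
SAMPLE_IOCS = [
    {"hostname": "WS-JSMITH-01", "ioc": "Ransomware.Dropper", "domain": "bad-c2.example.net"},
    {"hostname": "WS-JSMITH-01", "ioc": "Ransomware.Dropper", "domain": "BAD-C2.example.net."},  # same name, different case / trailing dot
    {"hostname": "WS-AKUMAR-02", "ioc": "Cobalt.Beacon", "domain": "cdn.example.com"},
    {"hostname": "WS-AKUMAR-02", "ioc": "Cobalt.Beacon", "domain": "evil-drop.example.org"},
    {"hostname": "SRV-FILE-03", "ioc": "Suspicious.Script", "domain": "intranet.corp.example"},
    {"hostname": "SRV-FILE-03", "ioc": "Suspicious.Script", "domain": "not a domain"},
]

# Constructed stand-in for Umbrella Investigate domain status: -1 malicious, 0 unknown, 1 benign.
SAMPLE_STATUS = {"cdn.example.com": 1, "bad-c2.example.net": 0, "evil-drop.example.org": 0}

def sample_lookup(domain):
    """Stand-in for the Investigate query; anything unlisted is treated as unknown (0)."""
    return SAMPLE_STATUS.get(domain, 0)

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

@dataclass
class WorkflowState:
    blocklist: set = field(default_factory=set)     # stand-in for the Umbrella destination list
    allowlist: set = field(default_factory=lambda: {"intranet.corp.example"})  # assumed: never auto-block
    messages: list = field(default_factory=list)    # stand-in for posts to the Webex space

def format_notice(event, domain):
    """Text the workflow would post to Webex for one new block."""
    return (f"Umbrella block added: {domain} (disposition was unknown). "
            f"Source: IOC '{event['ioc']}' on {event['hostname']}.")

def run_workflow(iocs, lookup, state):
    """One scheduled pass over the IOC feed. Returns [(domain, decision)] for audit."""
    decisions, seen = [], set()
    for event in iocs:
        domain = event["domain"].strip().lower().rstrip(".")
        if domain in seen:
            continue                                  # dedupe within this run
        seen.add(domain)
        if not DOMAIN_RE.match(domain):
            decisions.append((domain, "skipped-invalid"))
        elif domain in state.allowlist:
            decisions.append((domain, "skipped-allowlisted"))
        elif domain in state.blocklist:
            decisions.append((domain, "already-blocked"))
        elif lookup(domain) != 0:
            decisions.append((domain, "has-disposition"))  # Umbrella already knows it; move on
        else:
            state.blocklist.add(domain)
            state.messages.append(format_notice(event, domain))
            decisions.append((domain, "blocked"))
    return decisions

if __name__ == "__main__":
    st = WorkflowState()
    for d, why in run_workflow(SAMPLE_IOCS, sample_lookup, st):
        print(f"{d:28} {why}")
    print("\n".join(st.messages))
```

Two checks beyond the description above are worth keeping in a real workflow: the allowlist, so that an IOC that happens to mention one of your own domains can never produce an automatic block, and the already-blocked test, so a domain that recurs across runs does not generate a fresh block and a fresh Webex message every interval. Because an unknown-disposition domain is blocked on the strength of a single endpoint IOC, the Webex message is also what lets an analyst reverse a false positive quickly.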
In the following presentation, one of our Technical Marketing Engineers talks through the workflow live.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!