Ransomware is more dangerous than ever before. Why? It’s partly because successful attacks don’t just affect the victim anymore.
Ransomware actors are looking to profit from successful attacks as much as possible. Per Threatpost, malicious actors are turning to customers, partners, and other third parties who are related to the initial victim. Sometimes, they’re targeting those affiliated with ransom demands of their own. Other times, they’re using the threat of a data leak to pressure them into contacting the initial victim and demanding that they fulfill the attackers’ ransom demands.
These sources of collateral damage explain why ransomware attacks have become so costly, with Bloomberg reporting that some companies end up paying tens of millions of dollars in ransom. Clearly, organizations need to defend themselves against ransomware if they’re going to avoid these and other recovery costs.
Investigate Cisco Umbrella Activity on the Endpoint
What if you could gain the certainty of safety and lose the anxiety that comes from a ransomware attack, however it may attempt to get into your network?
Cisco helps reduce the risk of ransomware infections with a layered defense approach from the endpoint to the cloud edge. We deliver integrated defenses that work together to provide ultimate visibility with ultimate responsiveness against ransomware.
In particular, Cisco Umbrella and Cisco Secure Endpoint form the first and last lines of defense for your security architecture. With SecureX, you can easily combine the intelligence of these products to gain deeper visibility into your environment so that you can defend against digital threats such as infectious ransomware attacks.
Within Cisco Umbrella, we can look at the different events that it logs while monitoring DNS traffic. For example, the Activity Search page shows information such as Identity (from Active Directory configuration), DNS Type, Internal IP, External IP, and Umbrella’s action on each event.
To gain further visibility into what happened, security analysts investigate the malicious traffic that Cisco Umbrella blocks by using the internal IP address of each blocked request to identify the corresponding endpoint. We can pivot from Umbrella directly into Orbital Advanced Search, part of Cisco Secure Endpoint.
Orbital allows you to query endpoints live. We provide 200+ predefined queries mapped to MITRE ATT&CK. These queries can be customized as needed. The results of your queries are stored in the cloud or sent to other applications such as Cisco SecureX Threat Response for further or future investigations.
Below, you can see how the SecureX Ribbon works in action, allowing us to use Orbital Advanced Search and query our endpoints without even leaving Umbrella.
Watch one of our Technical Marketing Engineers talk through the demo scenario live.
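The triage step described above, as an added example that is not Cisco's code: it filters constructed Umbrella DNS activity events (using the Activity Search field names from the text) down to the requests Umbrella blocked, groups them by internal IP, and pivots each IP to an endpoint record. The record layout, the sample events and the `ENDPOINT_INVENTORY` lookup are constructed stand-ins; the real pivot is an Orbital live query, and the real Umbrella log format is not reproduced here.

```python
"""Triage blocked Umbrella DNS events and pivot to the endpoint by internal IP.

Added example, not Cisco's code. Field names follow the Activity Search page
(Identity, DNS Type, Internal IP, External IP, action); the record shape and
all sample values are constructed for this example.
"""
from collections import defaultdict

# Constructed sample events, one per DNS request seen by Umbrella.
UMBRELLA_EVENTS = [
    {"timestamp": "2021-11-24T09:15:02Z", "identity": "CORP\\alice", "dns_type": "A",
     "internal_ip": "10.20.30.41", "external_ip": "203.0.113.10",
     "domain": "updates.example.com", "action": "Allowed"},
    {"timestamp": "2021-11-24T09:16:40Z", "identity": "CORP\\alice", "dns_type": "A",
     "internal_ip": "10.20.30.41", "external_ip": "203.0.113.10",
     "domain": "payload-stager.example", "action": "Blocked"},
    {"timestamp": "2021-11-24T09:16:55Z", "identity": "CORP\\alice", "dns_type": "TXT",
     "internal_ip": "10.20.30.41", "external_ip": "203.0.113.10",
     "domain": "c2-beacon.example", "action": "Blocked"},
    {"timestamp": "2021-11-24T09:20:11Z", "identity": "CORP\\guest", "dns_type": "A",
     "internal_ip": "10.20.30.77", "external_ip": "203.0.113.10",
     "domain": "c2-beacon.example", "action": "Blocked"},
]

# Constructed inventory standing in for the Orbital pivot (internal IP -> endpoint).
# 10.20.30.77 is deliberately absent to show how an unmanaged host surfaces.
ENDPOINT_INVENTORY = {
    "10.20.30.41": {"hostname": "WS-ALICE-01", "os": "Windows 10"},
    "10.20.30.42": {"hostname": "WS-BOB-02", "os": "Windows 10"},
}


def blocked_events(events):
    """Keep only the requests Umbrella acted on (case-insensitive on the action)."""
    return [e for e in events if e.get("action", "").lower() == "blocked"]


def group_by_internal_ip(events):
    """Bucket events by the internal IP that issued the DNS query."""
    grouped = defaultdict(list)
    for event in events:
        grouped[event["internal_ip"]].append(event)
    return dict(grouped)


def pivot_to_endpoints(events, inventory):
    """Summarise blocked traffic per internal IP and resolve each IP to an endpoint.

    Hosts missing from the inventory get hostname None so an analyst can see
    that the pivot failed rather than silently dropping the IP.
    """
    summary = []
    for ip, evs in group_by_internal_ip(blocked_events(events)).items():
        host = inventory.get(ip)
        summary.append({
            "internal_ip": ip,
            "hostname": host["hostname"] if host else None,
            "identities": sorted({e["identity"] for e in evs}),
            "blocked_domains": sorted({e["domain"] for e in evs}),
            "count": len(evs),
        })
    # Noisiest endpoints first, which is the order an analyst would work them.
    return sorted(summary, key=lambda s: (-s["count"], s["internal_ip"]))


if __name__ == "__main__":
    for row in pivot_to_endpoints(UMBRELLA_EVENTS, ENDPOINT_INVENTORY):
        print(row)
```

The `hostname: None` row is the case worth watching: a blocked request from an internal IP that no managed endpoint claims is either an inventory gap or an unmanaged device, and either way it cannot be queried through Orbital until it is identified.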
For more information on SecureX: https://www.cisco.com/c/en/us/products/security/securex/index.html
To start a free trial of Cisco Secure Endpoint: https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html
To start a free trial of Cisco Umbrella: https://signup.umbrella.com/
To view an Umbrella / Endpoint joint webinar we conducted recently: https://security.umbrella.com/using-umbrella-and-secure-endpoint-together?_ga=2.17479481.1673954254.1637714884-1052348425.1637714884
Apply Endpoint Intelligence to DNS Security Automatically
When Cisco Secure Endpoint detects Indicators of Compromise (IOCs) on a device, the event often contains DNS information that could be valuable to Cisco Umbrella. For most cases, Cisco Umbrella will already have determined the disposition of a particular IP, but in certain situations, we can use the information we learn on the endpoint to augment Cisco Umbrella’s capabilities to block IPs that previously had an unknown disposition.
SecureX Orchestration improves your organization’s efficiency by allowing you to create and implement automated workflows. This sample workflow connects Cisco Umbrella, Cisco Secure Endpoint, and Webex Teams. It runs continually to ensure that there’s never a gap in your security coverage that could give ransomware actors an opening.
SecureX Orchestration workflows can run regularly at a time interval of your choosing. This workflow is designed to check for Cloud IOCs from Cisco Secure Endpoint and then check to see if Umbrella has a disposition prepared for a particular URL.
If Cisco Umbrella already has a disposition, the workflow moves on to the next URL. If there is no disposition, that URL is automatically added to the Umbrella Block List. A Webex message that includes the details of what was blocked and the circumstances around it is then posted to the security team’s Webex space.
In the following presentation, one of our Technical Marketing Engineers talks through the workflow live.
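The decision logic of the workflow described above, as an added example that is not Cisco's or SecureX's code. The three systems are modelled with in-memory stand-ins: `CLOUD_IOCS` for the Secure Endpoint Cloud IOC feed, `UMBRELLA_DISPOSITIONS` for Umbrella's existing verdicts, and small `BlockList` and `WebexNotifier` classes for the Umbrella Block List and the Webex space. All of those names and sample values are constructed; a real workflow calls the product APIs instead, but the skip-if-known, block-if-unknown, notify-on-change logic is the same.

```python
"""Model of the SecureX Orchestration workflow: Secure Endpoint IOC -> Umbrella
disposition check -> block unknown destinations -> notify Webex.

Added example, not Cisco's code. Every data source here is a constructed
stand-in; the SecureX, Umbrella and Webex APIs are not called.
"""

# Constructed Cloud IOC events as Secure Endpoint might report them. Each
# carries the destination the endpoint contacted (the text calls it a URL;
# the example keys on the hostname part so Umbrella can act on it).
CLOUD_IOCS = [
    {"hostname": "WS-ALICE-01", "ioc": "Ransomware-Dropper-Beacon",
     "destination": "payload-stager.example"},
    {"hostname": "WS-BOB-02", "ioc": "Suspicious-DNS-Lookup",
     "destination": "known-malicious.example"},
    {"hostname": "WS-CARL-03", "ioc": "Ransomware-Dropper-Beacon",
     "destination": "Payload-Stager.example"},   # same host, different case
    {"hostname": "WS-DANA-04", "ioc": "Local-Only-Detection",
     "destination": ""},                          # no network indicator at all
]

# Constructed Umbrella disposition table: destinations Umbrella already judged.
UMBRELLA_DISPOSITIONS = {
    "known-malicious.example": "malicious",
    "updates.example.com": "benign",
}


class BlockList:
    """Stand-in for the Umbrella Block List. add() reports whether the entry is new."""

    def __init__(self):
        self._entries = set()

    def add(self, destination):
        if destination in self._entries:
            return False
        self._entries.add(destination)
        return True

    def __contains__(self, destination):
        return destination in self._entries


class WebexNotifier:
    """Stand-in for the Webex Teams space; it just records posted messages."""

    def __init__(self):
        self.messages = []

    def post(self, text):
        self.messages.append(text)


def normalise(destination):
    """Lower-case and strip so the same host is not blocked twice under two spellings."""
    return destination.strip().lower()


def run_workflow(iocs, dispositions, block_list, notifier):
    """One pass of the scheduled workflow. Returns what happened to each destination."""
    outcome = {"skipped_known": [], "blocked": [], "already_listed": [], "no_destination": []}
    for ioc in iocs:
        destination = normalise(ioc.get("destination", ""))
        if not destination:
            outcome["no_destination"].append(ioc["hostname"])
            continue
        if destination in dispositions:
            # Umbrella already knows this destination: nothing to add.
            outcome["skipped_known"].append(destination)
            continue
        if block_list.add(destination):
            outcome["blocked"].append(destination)
            notifier.post(
                f"Blocked {destination} in Umbrella: {ioc['ioc']} observed on "
                f"{ioc['hostname']} with no prior Umbrella disposition."
            )
        else:
            # Seen earlier in this run or in a previous run: no duplicate message.
            outcome["already_listed"].append(destination)
    return outcome


if __name__ == "__main__":
    bl, wx = BlockList(), WebexNotifier()
    print(run_workflow(CLOUD_IOCS, UMBRELLA_DISPOSITIONS, bl, wx))
    print(wx.messages)
```

Because the workflow runs on a schedule, the same IOC will be seen on every pass until it ages out; the `already_listed` branch is what keeps repeat passes from flooding the Webex space, and the `no_destination` bucket is worth reviewing separately since those detections give Umbrella nothing to act on.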