Cisco Umbrella is happy to introduce two brand new security categories for you to enhance the protection delivered to your users. The first new security category is "DNS Tunneling VPN" domains and the second is "Potentially Harmful" destinations. These categories are being enabled for customers over the dates of January 17th and 18th, 2017 and should be available for everyone by end of day on the 18th.
This article discusses both categories and how they improve your security. It’s important to know that, by default, neither of these new categories is enabled to 'block' in your policies so there is no immediate action required on your part, but you will see changes in your reports and configuration options.
DNS tunneling VPN
DNS tunneling VPN classifies servers associated with commercial DNS tunneling VPN services under a security category that you can block or allow and report on. These services allow end-users to disguise outgoing traffic as DNS queries, potentially violating acceptable use, data loss prevention, or security policies. As a result, these services present a potential security threat and reduce overall visibility in your environment.
With this new security category providing immediate visibility, you can reduce the risk of DNS tunneling and potential data loss. You can block this category outright, or just monitor the results in reports; this provides the flexibility to determine what is the right approach to tackling the problem, depending on your risk tolerance, acceptable use or HR policies.
This security setting can be found under Prevent next to other Security Settings and is set to 'Allow' by default:
DNS tunneling utilizes the DNS protocol to carry non-DNS traffic over port 53: HTTP and other protocol traffic is encoded inside DNS queries and responses. There are various legitimate reasons to utilize DNS tunneling. For example, DNS tunneling is often used as a login mechanism for hotspot security controls at airports or hotels to access the internet. DNS tunneling is also used by antivirus software to look up signatures for files.
However, there are also malicious reasons to use DNS Tunneling VPN services. They can be used to disguise outbound traffic as DNS, concealing data that would otherwise be sent over an ordinary internet connection. This significantly reduces visibility for organizations. It is an attractive method for attackers since DNS is often (necessarily) allowed through even when other communication is blocked. Often, DNS traffic is not even monitored!
For malicious use, DNS requests are manipulated to exfiltrate data from a compromised system to the attacker’s infrastructure. We also see DNS responses being manipulated for command and control callbacks from the attacker’s infrastructure to a compromised system.
This presents a unique security challenge — DNS is an integral part of the internet and the vast majority of the traffic is legitimate, yet some of the traffic could be malicious. That's where this security category comes into play.
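The traffic properties described above (long, random-looking subdomain labels, many distinct names under one domain, and record types such as TXT or NULL that carry more payload than an ordinary lookup) are what a defender can look for in DNS logs. The following Python script is an added example, not part of the Cisco Umbrella article and not Umbrella's classification logic: it scores constructed DNS query log lines per registered domain using those three indicators. The log format, the placeholder domain tun.example, the weights and the 0.7 threshold are all assumptions chosen for illustration.

```python
"""
Added example (not from the Cisco Umbrella article): a small, defender-side
heuristic that scores DNS query logs for signs of DNS tunneling. It measures
three things tunneling traffic tends to show: high-entropy subdomain labels,
long subdomain strings, and payload-carrying record types. Thresholds, weights
and the log format are assumptions made for this illustration.
"""
import math
from collections import defaultdict

# Constructed sample log lines: "<client> <qtype> <qname>".
# "tun.example" is a placeholder for a tunnel endpoint, not a real service.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 3d6a9f2b8c1e4a7d9b0f5c2e8a1d4f7b.tun.example
10.0.0.7 TXT 9e1c4b7a2d5f8e0b3c6a9d2f5b8e1c4a.tun.example
10.0.0.7 TXT 1a2b3c4d5e6f70819a2b3c4d5e6f7081.tun.example
10.0.0.7 TXT b8e1c4a7d2f5b8e1c4a7d2f5b8e1c4a7.tun.example
10.0.0.7 NULL 4f7b0c3e6a9d2f5b8e1c4a7d0f3b6c9e.tun.example
10.0.0.9 A cdn.example.net
10.0.0.9 A static.example.net
"""

# Assumption: record types commonly used to carry tunnel payload.
PAYLOAD_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex labels score roughly 3.5 or higher."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name (assumption: no public-suffix handling)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2].lower()


def score_domains(text: str) -> dict:
    """Aggregate queries per registered domain and return a 0..1 suspicion score."""
    stats = defaultdict(lambda: {"queries": 0, "ent": 0.0, "len": 0, "payload": 0})
    for _client, qtype, qname in parse_log(text):
        rd = registered_domain(qname)
        sub = qname[: -len(rd) - 1] if qname.endswith("." + rd) else ""
        label_text = sub.replace(".", "")
        st = stats[rd]
        st["queries"] += 1
        st["ent"] += shannon_entropy(label_text)
        st["len"] += len(label_text)
        if qtype in PAYLOAD_QTYPES:
            st["payload"] += 1
    scores = {}
    for rd, st in stats.items():
        n = st["queries"]
        # Each indicator is normalised to at most one point (assumed scales:
        # 3.5 bits of entropy, 30 characters of subdomain, all-payload records).
        ent_term = min((st["ent"] / n) / 3.5, 1.0)
        len_term = min((st["len"] / n) / 30, 1.0)
        payload_term = st["payload"] / n
        scores[rd] = round((ent_term + len_term + payload_term) / 3, 2)
    return scores


def flag_tunneling(text: str, threshold: float = 0.7) -> list:
    """Return registered domains whose score meets the (assumed) threshold."""
    return sorted(d for d, s in score_domains(text).items() if s >= threshold)


if __name__ == "__main__":
    for domain, score in sorted(score_domains(SAMPLE_LOG).items()):
        print(f"{domain:20s} score={score}")
    print("flagged:", flag_tunneling(SAMPLE_LOG))
```

On the constructed log the two ordinary domains score well under the threshold while tun.example scores 1.0 on all three indicators. A heuristic like this is a visibility aid rather than a verdict: legitimate services (the hotspot and antivirus lookups mentioned above) can trip it, which is exactly why the article suggests monitoring the category in reports before deciding to block.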
Umbrella customers have different levels of risk tolerance when it comes to security. Depending on the industry and type of work you’re in, it can be beneficial to proactively monitor and block potentially harmful activity. The new Potentially Harmful security setting can be found under Prevent next to other Security Settings and is set to 'Allow' by default:
Potentially Harmful is a new security category which contains domains that are likely to be malicious. It is different from our "malware" categories because we have ranked these domains with a lower level of confidence about whether they actually are malicious. Another way of phrasing it is that these domains are considered suspicious by our research analysts and by the algorithms we use to classify domains overall, but are not necessarily known to be malicious.
Use of this category depends on your tolerance for the risk of blocking potentially good domains. In a highly secure environment this is a good category to set to block; in a less restrictive environment, you can simply allow it and monitor.
If you're not sure which of these you might fall under, you can simply monitor activity that is classified as Potentially Harmful in your reports. Having this category available provides additional granularity in classifying traffic, increasing visibility, delivering greater protection and improving incident response. For instance, if you believe a machine is infected with malware, looking at the Potentially Harmful domains it has been visiting can help you better assess the level of compromise.
We determine what falls under Potentially Harmful by weighing several factors that indicate that although the domain is not clearly malicious, it could pose a threat. For example, there are various types of DNS tunneling services. Some of these services fall into the categories of benign, malicious, and DNS tunneling VPN, but some are more unclear and do not fall into any of these categories. If the use case for the tunneling is unknown and suspicious, the destination will fall under the Potentially Harmful category.
Another example comes from our Spike rank model. Our Spike rank model leverages massive amounts of DNS request data and detects domains that have spikes in their DNS request patterns using sound wave graphing. Domains that score high on the Spike rank model are automatically classified as malicious, and domains that score lower but still above the threshold fall into the Potentially Harmful category. To read more about Spike, check out our blog: https://blog.opendns.com/2015/11/19/opendns-cracks-predictive-security/
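The two-tier outcome described above (a high score means malicious, a lower score above a threshold means Potentially Harmful, anything else is unclassified) can be illustrated with a much simpler spike measure than Umbrella's. The Python below is an added example, not the article's or Umbrella's Spike rank model: it takes constructed hourly request counts per domain, measures how far the latest hour departs from the domain's own baseline as a z-score (an assumption standing in for the model's scoring), and maps that score onto the two categories using assumed thresholds of 6.0 and 3.0.

```python
"""
Added example (not from the Cisco Umbrella article): a simplified stand-in for
two-tier spike classification. Umbrella's Spike rank model is not described in
detail on the page, so a z-score against each domain's own hourly baseline is
used here as an assumed substitute. Thresholds and sample counts are constructed.
"""
import statistics

# Assumed thresholds: at or above HIGH -> malicious; between LOW and HIGH ->
# potentially harmful; below LOW -> no spike-based classification.
HIGH = 6.0
LOW = 3.0

# Constructed hourly request counts per domain (oldest first; the last entry is
# the hour being evaluated). Domain names are placeholders.
SAMPLES = {
    "steady.example": [100] * 23 + [103],          # normal fluctuation
    "burst.example": [2] * 23 + [80],              # near-zero baseline, sudden burst
    "moderate.example": [20] * 8 + [30],           # noticeable but modest rise
    "noisy.example": [10, 30, 10, 30, 10, 30, 50], # variable baseline, larger rise
}


def spike_score(counts):
    """Z-score of the latest hour against the earlier hours in the series.

    The spread is floored at 10% of the mean and at 1.0 so that a perfectly
    flat baseline does not produce a division by zero or an absurd score
    (assumed floor values).
    """
    if len(counts) < 2:
        raise ValueError("need at least one baseline hour plus the hour under test")
    history, latest = counts[:-1], counts[-1]
    mean = statistics.fmean(history)
    spread = max(statistics.pstdev(history), 0.1 * mean, 1.0)
    return (latest - mean) / spread


def classify(score):
    """Map a spike score onto the two-tier scheme the article describes."""
    if score >= HIGH:
        return "malicious"
    if score >= LOW:
        return "potentially harmful"
    return "none"


def classify_all(samples):
    """Return {domain: (score, category)} for every series in samples."""
    return {d: (round(spike_score(c), 2), classify(spike_score(c))) for d, c in samples.items()}


if __name__ == "__main__":
    for domain, (score, category) in classify_all(SAMPLES).items():
        print(f"{domain:18s} score={score:6.2f} -> {category}")
```

The point of the floor on the spread is the edge case that bites real deployments: a domain nobody has queried before has a baseline of zero variance, and without a floor any first lookup would look like an infinite spike. That is the kind of low-confidence signal that belongs in a Potentially Harmful tier for review rather than an outright block.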
To report unwanted detections in either of these categories, please e-mail email@example.com and we’ll take a look. For Potentially Harmful, we may not re-categorize it without having assurances that the domain is absolutely legitimate.
Both categories can be filtered against in your reports like any other security category: