While using our service and surfing the internet, you may come across websites that we've blocked for security reasons. Alternately, while going through reports around the activity of the users on your organization's infrastructure, there may be questions about the nature of the sites blocked by Umbrella.
For instance, you might wonder how Umbrella knew to block a site, or what content on the blocked website our systems found to be malicious.
As well as having our own awesome team of security researchers, we work closely with the Cisco Talos team. For more information about that, visit the Umbrella blog, or check out the work by the Talos team here: http://blogs.cisco.com/talos. We also have a series of partnerships that we do not disclose publicly, but it is safe to say we have more than 50 sources of partner data ranging from malware and Command and Control Callback trackers, anti-virus and other security companies, higher education researchers and their institutions, and more. We are a part of the global Internet security community and active participant in that community.
When a site is blocked, there may be an incident response procedure within the IT organization that needs to be followed. This may include understanding why the site was blocked and determining whether the block could be indicative of a more serious security problem, such as a breach or an infected computer.
To help understand why Umbrella has made a particular decision to block a domain for your Organizations, there are two easy steps you can take.
Step 1 - Verify the Reason for the Block
It's crucial that any investigation start by the direction and the category of the blocked threat. You should try to answer:
- Was the threat blocked from being visited by a computer within my Organization?
- Did the threat originate from a potentially compromised computer?
- What type of malicious activity did Umbrella prevent?
Looking at the Activity Search report will show you the category under which the query was blocked, and understanding the security categories can give you more information about what each one of these categories means and how it answers the questions above.
If a request for a website has been blocked as a "Prevent" action, such as Malware, or Drive-by Downloads, then this means you have been blocked from going to a site that is hosting malware. It doesn't mean your machine is infected with malicious software—quite the opposite: Umbrella has successfully prevented you from going to a site that was deemed malicious.
If a request for a website has been blocked as a "Contain" action, such as Command and Control Callback or Phishing, this means a DNS request we associate with malicious software running on your computer, or malicious links contained in email are a part of the request.
For requests blocked as Command and Control Callback, the endpoint in question has made a request to a site that's a known "command and control" center for malware.
For requests blocked as phishing, a user has clicked on a link in an email designed to trick them into visiting sites that request information.
If a request for a website has been blocked by advanced threat categories, such as Potentially Harmful these sites are blocked using proprietary technology from the Umbrella to predictively stop emerging threats. Similar to "Prevent", you have been stopped from going to a suspected bad site but there is slightly less certainty about whether it's absolutely malicious and how malicious it actually is.
To learn more about these security categories and what each means, read this article.
It is also possible that a domain was blocked under your Destination Lists. These are lists you or another administrator in your Organization has created. In a situation like that, you can review the Destination Lists under Policy Settings > Destination Lists.
Step 2 - Using the Destinations and Identities Reports
If you're a customer with an Umbrella Insights or Platform package, or an MSP or customer of an MSP you have access to Destinations and Identities Reports.
Note: For more information on upgrading your package, please contact your Cisco Umbrella representative.
The Destinations report gives you access to information about the destinations that your identities are visiting, determining which are the most actively requested and when this activity occurs. This report lists all destinations visited during the selected time period. From the Destinations page, you can access a specific destination to explore activity at the domain level, determining who has visited the selected domain and when. This information can help you determine what machines or networks may be compromised or are connecting to known malicious sites so that you can better protect yourself and others.
For more information, see Destinations Report.
The Identities report gives you access to activity information for your identities, determining which are the most active and which destinations they are visiting. This report lists all identities active during the selected time period. From the Identities page, you can access a specific identity to explore details about its activities at the domain level, determine the sites visited and if any activities pose a security threat. This information can help you determine if the identity has visited sites that you should block.
For more information, see Identities Report.
Step 3 - Find out More About the Site Using Free, Public Resources
Using resources from Umbrella and the Internet Security Community, you can find out more about the blocked website without actually visiting it, thereby avoiding potentially risking your computer's security and personal information.
The Umbrella support team can work with you to find out more, especially around sites you feel should not be blocked, or should be but are not.
You can open a Support ticket from the Support tag within your Umbrella, or from the Support button toward the bottom of the Dashboard.
If a site was blocked for non-security categories or a content category, you can find out why here
It can be helpful to simply type the name of the site into major search engines, like Google or Bing. Often, the domain has been tagged in lists of known bad domains and information can be gathered around the malicious site from other members of the security community.
The following is a list of free web resources that more security-savvy people can take advantage of. Umbrella and Cisco are not necessarily partnered with any of these resources or using any of these feeds, but these sites do provide helpful information free of charge to help with these types of concerns:
- http://www.google.com/safebrowsing/diagnostic?site=[yoursite.com]—Google's Safe Search will check any site at the end of this URL.
- https://www.virustotal.com/en/#url—The VirusTotal database compares the URL you submit against dozens of vendors. Their site also allows you to see if an executable you have is potentially infected.
- http://www.malwaredomainlist.com/mdl.php—This is a list of known malware sites to search against. Please exercise caution: these sites are definitely malicious.
- http://jsunpack.jeek.org/—Helps decrypt Java on a site to see if it's malicious.
- http://anubis.iseclab.org/—You can submit URLs and Submit malicious executables to find out more about them.
- http://www.threatexpert.com/submit.aspx—Submit an executable to find out more about whether it's known to be malicious.
- http://www.surbl.org/surbl-analysis—Checks sites against known block lists for malware, spam, and more.
- https://www.stopbadware.org/clearinghouse/—Check against yet another list of known bad URL.