Companies today face huge challenges to detect, investigate and respond to security attacks, and it can be difficult to tackle incidents with limited staff. Once attackers have found a way in, they will work their way through your network to get to your sensitive data. Before launching an attack campaign, cyber criminals need to spin up servers, buy blocks of IP addresses, and register domains to host their malware. These activities leave digital ‘fingerprints’ which in turn provide vital clues that can help resolve and prevent attacks.
Cisco Umbrella Investigate gives you access to a live, up-to-date view of domains, IP addresses and malware file hashes, all of which can help to pinpoint attackers’ infrastructure and predict emerging threats. This information is commonly called ‘threat intelligence’.
The intelligence provided by Investigate is collected from ‘Cisco Talos’, the industry-leading threat intelligence group consisting of researchers, data scientists, and engineers. Talos underpins the entire Cisco security ecosystem and helps to deliver protection against attacks and malware.
With Investigate, Ironshare analysts (or your own security analysts if you prefer) can quickly drill into the critical information required to understand an attacker’s infrastructure in minutes, where more traditional methods would take them hours or even days to complete.
How does Investigate work?
Investigate delivers deep levels of information which highlight the relationships between the key components of an attacker’s infrastructure: web sites, domains, IP addresses, networks (autonomous systems, or ASNs, on the internet) and malicious file samples, identified by their unique file hashes.
This information is all delivered through a single page view that can be drilled into to unveil further related detail as required. This view gives an ‘at a glance’ determination as to whether a domain, IP address or file is considered malicious or safe to use.
Investigate analyses a huge amount of global internet data and malware, providing access to real time and historical information. This helps to:
- Prioritize incident investigations through quick access to accurate information
- Improve response times by having relevant information earlier in the investigation
- Reduce the overall time it takes to investigate security incidents
- Improve the use of threat intelligence, providing real time data to your other security systems as applicable, such as a SIEM (Security Information and Event Management system).
To expand a little, Investigate has the following capabilities and features:
- Includes threat scoring for suspicious or malicious domains by assessing a number of key domain attributes.
- Use of WHOIS data to see the ownership information for domains, which can highlight malicious domains registered with the same contact information.
- The ability to see suspicious spikes in DNS traffic to a specific domain.
- Ability to detect fast flux domains, a technique used to hide malicious infrastructure that typically indicates domains used for hosting malware or phishing sites.
- Ability to predict where attacks may be staged in the future through the identification of related domains and IPs that are associated with malware.
What’s it like to work with?
Investigate can be used through two different methods:
Web Console
The web console gives real time access to all of the intelligence within Investigate and allows you to move through the different data during an investigation. As Investigate is integrated into Cisco Umbrella, you can either query matches through the Umbrella reports (which opens Investigate), or query directly using the dynamic search engine in the web console. Searches can be based upon exact matches for domains, IP addresses, file hashes, etc., or can be pattern based for more flexibility to search on non-exact matches (terms, brand names, etc.).
The integration with Umbrella can help to turn the alerts and events in your logs into usable intelligence quickly, with just a simple search.
Application Programming Interface
The second method uses a RESTful API. APIs are simply pieces of software that allow communication between two different applications. The Investigate API allows you to bring the threat intelligence data into your other security systems to enhance your overall visibility. This includes Security Information and Event Management systems (ArcSight, Splunk, etc.) as well as other threat intelligence platforms.
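As an added illustration of that API-to-SIEM flow (example code written for this article, not Ironshare’s or Cisco’s own tooling), the script below reads a constructed DNS log, asks Investigate for the categorization of each distinct domain once, and turns the answer into CEF events that ArcSight or Splunk can ingest. It assumes the Investigate API v2 categorization endpoint `GET https://investigate.api.umbrella.com/domains/categorization/<domain>?showLabels`, authenticated with an `Authorization: Bearer <token>` header and returning a `status` of -1 (malicious), 0 (unknown) or 1 (benign) plus category labels, as described in Cisco’s public documentation; the log lines, the mock API responses, the `live_fetch`/`mock_fetch` helpers and the CEF vendor/product strings are all constructed for the example.

```python
"""Enrich domains seen in DNS logs with Cisco Umbrella Investigate categorization
and emit SIEM-ready CEF events.

Added example, not Ironshare's or Cisco's own code.  Assumptions:
- Investigate API v2 endpoint
    GET https://investigate.api.umbrella.com/domains/categorization/<domain>?showLabels
  authenticated with an 'Authorization: Bearer <token>' header, returning
    {"<domain>": {"status": -1|0|1, "security_categories": [...],
                  "content_categories": [...]}}
  where status -1 = malicious, 0 = unknown, 1 = benign (per Cisco's public docs).
- The log format and API responses below are constructed for the example.
"""
import json
import urllib.request
from typing import Callable, Dict, List

INVESTIGATE_BASE = "https://investigate.api.umbrella.com"
STATUS_VERDICT = {-1: "malicious", 0: "unknown", 1: "benign"}
VERDICT_SEVERITY = {"malicious": 9, "unknown": 3, "benign": 1}  # CEF severity 0-10

# Constructed DNS log: timestamp,client_ip,queried_domain (not real Umbrella output)
SAMPLE_LOG = """\
2024-01-15T10:02:11Z,10.0.0.12,google.com
2024-01-15T10:02:13Z,10.0.0.45,bad-example.test
2024-01-15T10:02:14Z,10.0.0.12,google.com
2024-01-15T10:02:20Z,10.0.0.77,unknown-example.test
"""

# Constructed API responses so the example runs offline.
MOCK_RESPONSES = {
    "google.com": {"google.com": {"status": 1, "security_categories": [],
                                  "content_categories": ["Search Engines"]}},
    "bad-example.test": {"bad-example.test": {"status": -1,
                                              "security_categories": ["Command and Control", "Malware"],
                                              "content_categories": []}},
    "unknown-example.test": {"unknown-example.test": {"status": 0, "security_categories": [],
                                                      "content_categories": []}},
}

Fetcher = Callable[[str], Dict]


def mock_fetch(domain: str) -> Dict:
    """Offline stand-in for the API; domains it has never seen come back uncategorized."""
    return MOCK_RESPONSES.get(domain, {domain: {"status": 0}})


def live_fetch(api_token: str) -> Fetcher:
    """Build a real fetcher for the categorization endpoint (needs network and a token)."""
    def fetch(domain: str) -> Dict:
        url = f"{INVESTIGATE_BASE}/domains/categorization/{domain}?showLabels"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


def categorize(domain: str, fetch: Fetcher) -> Dict:
    """Normalise one API response into a flat record with a human-readable verdict."""
    entry = fetch(domain).get(domain, {})
    return {
        "domain": domain,
        "verdict": STATUS_VERDICT.get(entry.get("status", 0), "unknown"),
        "security_categories": list(entry.get("security_categories", [])),
        "content_categories": list(entry.get("content_categories", [])),
    }


def unique_domains(log_text: str) -> List[str]:
    """Extract queried domains from the log, deduplicated, in first-seen order."""
    seen: List[str] = []
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 3:
            continue  # skip malformed lines rather than abort the whole run
        domain = fields[2].strip().lower().rstrip(".")
        if domain and domain not in seen:
            seen.append(domain)
    return seen


def cef_escape(value: str, header: bool = False) -> str:
    """Escape per the CEF spec: '\\' and '|' in header fields, '\\' and '=' in extensions."""
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def to_cef(record: Dict) -> str:
    """Render an enrichment record as one CEF line (ArcSight-style; Splunk parses it too)."""
    verdict = record["verdict"]
    ext = (f"dhost={cef_escape(record['domain'])} "
           f"cs1Label=securityCategories cs1={cef_escape(','.join(record['security_categories']))} "
           f"cs2Label=contentCategories cs2={cef_escape(','.join(record['content_categories']))}")
    return (f"CEF:0|Ironshare|InvestigateEnrichment|1.0|{verdict}|"
            f"Domain verdict {verdict}|{VERDICT_SEVERITY[verdict]}|{ext}")


def enrich_log(log_text: str, fetch: Fetcher) -> List[str]:
    """Query each distinct domain once and return one CEF event per domain."""
    return [to_cef(categorize(d, fetch)) for d in unique_domains(log_text)]


if __name__ == "__main__":
    # Swap mock_fetch for live_fetch("<your API token>") to run against the real API.
    for event in enrich_log(SAMPLE_LOG, mock_fetch):
        print(event)
```

Deduplicating domains before querying keeps the API call count (and any rate limit) proportional to distinct domains rather than log volume, and mapping the verdict onto CEF severity lets the SIEM prioritise the malicious hits without a separate lookup rule.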
Using the search function
Investigate is very easy to use: once logged into the Investigate console, simply input a search string, e.g. a domain, URL, IP address or regular expression pattern.
Using Google.com as a quick example search, we can see that the domain is deemed safe, has a good score and is very popular, as expected.
Alternatively, using a known bad domain, we see that Investigate has classed this as suspicious and placed it into the Umbrella Block List.
Digging further into the Investigate report, we see some of the reasons why. First of all, it shows the domain has a large number of associated malware samples with high threat scores.
The Timeline section of the report provides an at a glance view of the current categorisation of the domain, along with changes to the category over time. It shows that this domain is currently part of a Command and Control botnet.
Umbrella and Investigate
As described above, the integration with Umbrella is a key point. The Activity Search is a real-time log of traffic sent to Umbrella. From the Activity Search, we can launch Investigate on any malicious or blocked traffic for further analysis.
Ironshare and Cisco Umbrella Investigate
At Ironshare we aim to simplify the life of our customers in terms of IT Security. Together Ironshare and Cisco Umbrella Investigate can help organisations overcome common challenges such as:
- Lack of visibility to the threats and risk areas in the business.
- Limited resources: a shortage of analysts with the knowledge and experience required to analyse data, or analysts who are already overwhelmed with current workloads.
- Lack of, or ineffective use of, threat intelligence to identify threats and remove risk.
- Difficulties with managing or prioritizing security incidents.
- Being flooded with alerts that are difficult to manage and understand.
In summary, Investigate is a great tool in the arsenal of the security analyst. It provides a single correlated source of threat intelligence that includes WHOIS data, domain and IP reputation to determine what’s good and what’s bad, geographical location of IP addresses and domains, DNS request patterns and malware file analysis.
Ironshare provides a fully managed service for Cisco Umbrella that includes Investigate, meaning all you need to do is tell us what you want to know about, and when. We’ll then tailor the service to your needs and deliver management reporting and recommendations as often as requested.
Ironshare has full access to Investigate as part of the Managed Service, which we actively use to inform customers about related threats as applicable.
Alternatively, if the Umbrella Platform package is preferred, Ironshare can provide your organisation with its own direct access to the Investigate console.
Our service is applicable to companies of all shapes and sizes, meaning that even the smallest businesses can get a full enterprise service, and use our reports to easily identify problem PCs or employee activity concerns.
If you’d like to get more detailed information or pricing, please contact us.