Industry Insights with Ben Nahorney

Endpoint Security , Open XDR

One Year of Remote Work: Protecting an Increased Attack Surface

DNS-Based Threat Intelligence from Cisco Reveals Phishing, Malicious Spam and Ransomware Persist
One Year of Remote Work: Protecting an Increased Attack Surface

Over the course of the past year, as employees have worked from home during the pandemic, attackers have continued their malicious activities.

According to new data from Cisco, attackers using phishing, ransomware, malicious spam, information-stealing malware and Trojans have not abated their relentless assault against multiple industries, including financial services, healthcare, manufacturing, higher education and government. And the Cisco data isn't an abstract sample; it's based on real-world traffic in the "work from home" era.

There are many different ways to measure and identify network traffic that could potentially be a threat. One of the best sources of visibility is at the Domain Name Service, or DNS, level, since nearly all traffic - good or bad - makes some form of DNS request in order to get to its intended destination. Looking at data from Cisco Umbrella, which provides a DNS-based cloud-native security platform, certain trends are visible from January 2020 to December 2020 that reveal the prevalence of certain threats against specific industries.

Phishing Is a Top Threat Leading to Broader Risk

The Cisco Umbrella data found that 86% of all organizations had at least one user attempt to connect to a phishing site, most likely as a result of clicking on a malicious link in a phishing email.

But the prevalence of phishing was not uniform across all industries. The highest incidence of phishing was 52% in the Higher Education vertical. That was closely followed by Government at 51% and Financial Services at 46%. The next three industries with the highest levels of phishing were Healthcare (29%), Technology (22%) and Manufacturing (13%).

While phishing tops the Cisco Umbrella ranking for DNS activity, malvertising wasn't that far behind: 70% of organizations had a user click on a malicious advertisement. Rounding out the top five threats organizations encountered, based on DNS activity, were: malicious spam (67%), Trojans (65%) and ransomware (51%).

Two ransomware families dominated the landscape for most of 2020. Sodinokibi - also known as REvil - ransomware had significant DNS activity in September 2020 that resulted in 46% of organizations seeing the threat. In November and December, activity by the Ryuk ransomware family spiked as part of a multistage attack chain.

Multistage Attacks Visible in DNS Traffic

It's important to note that different types of malicious DNS activity are not just isolated risks. Cisco data shows that many common threat campaigns make use of multistage attacks. For example, Cisco has observed that the Emotet Trojan is often delivered as part of a phishing payload, and Emotet in turn deploys Ryuk ransomware.

Looking at Cisco Umbrella DNS data, it's possible to correlate the multistage phishing/Emotet/Ryuk attack chain. Cisco Umbrella found a significant increase in phishing between July and September, which aligns with a large jump in Emotet DNS activity during the same period. Activity drops off in October, followed by a dramatic increase in Ryuk activity.

Emotet’s operations were significantly disrupted in January 2021 as a result of global law enforcement action.

Follow the DNS Trail to Identify Associated Threats

The Emotet threat chain may have diminished, but it's likely that other threat actors follow similar patterns.

Ransomware such as Ryuk can be delivered by a number of different attack vectors. Cisco has found that Ryuk has also been deployed by the Trickbot Trojan. Phishing is likely to be the first step to get a foothold on an endpoint, regardless if that endpoint is within the four walls of a corporate office or in a home network.

Following the DNS trail provides visibility into threats across a distributed IT landscape. Attack traffic, just like legitimate traffic, uses DNS and, by understanding and recognizing potentially malicious traffic, organizations can investigate concerns and take precautionary measures to limit risk.

About the Author

Ben Nahorney

Ben Nahorney

Threat Intelligence Analyst, Cisco Secure

Ben Nahorney is a Threat Intelligence Analyst focused on covering the threat landscape for Cisco Security. With more than a decade and a half of experience in the Internet security field, Ben has weathered threat outbreaks reaching back to the early 2000s and helped develop and report on breaking research such as the Stuxnet virus.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.