How to Monitor Network Traffic: Findings from the Cisco Cyber Threat Trends Report


The threat landscape is full of moving targets. Over time, popular tools, tactics, and procedures change. Malicious techniques fall out of fashion, only to come roaring back months, if not years, later. All the while, security practitioners monitor network traffic and adapt their defenses to protect their users and networks. Keeping on top of these trends is one of the most challenging tasks for any security team.

One great area to look for trends is in malicious DNS activity. These days almost all malicious activity requires an internet connection to successfully carry out an attack. For example, an attacker uses a backdoor to connect to a remote system and send it instructions. Information stealers need a connection to malicious infrastructure to exfiltrate sensitive data. Ransomware groups need to be able to “flip the switch” remotely to encrypt the victim’s systems.

In our latest report, Cyber Threat Trends Report: From Trojan Takeovers to Ransomware Roulette, we take the extraordinary volume of malicious domains that Cisco sees and blocks—over 1 million every hour—and examine it for malicious trends and patterns. This data comes to us thanks to the DNS-layer security that is available in Cisco Umbrella and Cisco Secure Access.

Let’s take a closer look at how we conducted this research, a couple of trends highlighted in the report, and what you can do to better defend against these threats.

How the DNS data was analyzed for the report

To create a clear picture from such a large data set, we looked at the categories Umbrella applies to known malicious domains. These Threat Type categories are functional groupings of threats that use similar techniques in their attacks.

We examined an eight-month time frame (August 2023–March 2024) and calculated the monthly average volume for each Threat Type category. To examine the trends, we then calculated how far each month was above or below that average volume. This gives us a simplified look at how threat activity changes over time.

This is where patterns began to emerge from large batches of malicious internet traffic, and the results are quite interesting. To illustrate, we’ll look at the three most active threat type categories found in this report.

Information Stealers

The threat category that saw the most activity during the time frame was information stealers. This comes as no surprise: the category includes activities such as exfiltrating large batches of documents and monitoring audio/video communications, both of which generate a large amount of DNS traffic.

An interesting trend appears here: three months of above-average activity, followed by one month of below-average activity. We speculate that these drops in activity could be tied to attack groups processing the data they steal. When faced with a mountain of documents and recordings to sift through, sometimes it makes sense to take a break to catch up.
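The following is an added example, not code from the report: it reproduces the month-versus-average calculation described above on constructed per-category counts, and adds a small run detector for the "three above, one below" pause pattern noted for information stealers.

```python
# Added example on constructed data (not Cisco's figures). Reproduces the
# report's method: per-category monthly counts over the eight-month window,
# each month's percentage deviation from that category's average, and a
# check for runs of above-average months followed by a below-average month.
from statistics import mean

MONTHS = ["2023-08", "2023-09", "2023-10", "2023-11",
          "2023-12", "2024-01", "2024-02", "2024-03"]

# Constructed sample counts (thousands of blocked queries per month).
SAMPLE = {
    "Information Stealers": [120, 130, 125, 80, 135, 140, 128, 85],
    "Trojans":              [150, 140, 120, 110, 100, 90, 85, 80],
    "Ransomware":           [40, 42, 38, 41, 45, 70, 75, 80],
}


def deviation_from_average(counts):
    """Percentage deviation of each month from the series average."""
    avg = mean(counts)
    return [round((c - avg) / avg * 100, 1) for c in counts]


def monthly_trend(data):
    """Map category -> list of (month, pct_deviation), as the report does."""
    return {cat: list(zip(MONTHS, deviation_from_average(counts)))
            for cat, counts in data.items()}


def sign_runs(deviations):
    """Collapse a series into runs, e.g. [('above', 3), ('below', 1), ...].
    A month exactly at the average is counted as 'below' (not above)."""
    runs = []
    for d in deviations:
        label = "above" if d > 0 else "below"
        if runs and runs[-1][0] == label:
            runs[-1] = (label, runs[-1][1] + 1)
        else:
            runs.append((label, 1))
    return runs


def has_pause_pattern(deviations, above=3):
    """True if at least `above` above-average months are followed by a dip."""
    runs = sign_runs(deviations)
    return any(runs[i][0] == "above" and runs[i][1] >= above
               and runs[i + 1][0] == "below" for i in range(len(runs) - 1))


if __name__ == "__main__":
    for cat, series in monthly_trend(SAMPLE).items():
        devs = [d for _, d in series]
        print(cat, sign_runs(devs), "pause pattern:", has_pause_pattern(devs))
```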

Trojans vs Ransomware

Next, let’s compare two seemingly disparate categories: Trojans and ransomware. Trojan activity was highest in the beginning of our time frame, then declined over time. This activity doesn’t indicate that the use of Trojans is falling out of favor but rather highlights the ebb-and-flow nature we often see in the threat landscape. When Trojan activity declines, we often see other threat types rise.

DNS activity surrounding Trojans

In contrast to Trojan activity, ransomware activity appears to be trending in the other direction. The first few months of the time frame saw below-average activity, but then in January it jumped well above average and stayed that way.

DNS activity surrounding Ransomware

Why might these two differing threat types be trending in opposite directions? In many cases threat actors will utilize Trojans to infiltrate and take over a network, and then once they’ve gained sufficient control, deploy ransomware.

These are just a couple of examples of trends from the Cyber Threat Trends Report. In the report we cover several additional categories, including some that follow similar patterns to Trojans and ransomware.

How to protect and monitor your own network traffic

An internet connection is a primary component of modern-day threats. So why not block that internet connection to block threats? By monitoring and controlling DNS queries, security practitioners can often identify and block malicious traffic before it reaches end users’ devices. Some high-level suggestions, covered in more detail in the report, include the following:

  1. Leveraging DNS Security
  2. Protecting Your Endpoints
  3. Implementing a Security Defense Strategy

Cisco has a unique vantage point here. You can’t protect what you can’t see, and because we resolve an average of 715 billion daily DNS requests, we see more threats, more malware, and more attacks than just about any other security vendor.

With over 30,000 customers already choosing Cisco as their trusted partner in DNS-layer security, organizations can be confident that their users will be better protected through their ongoing hybrid work, cloud transformation, and distributed environments.

Learn more

Download the full report for more key insights on the current threat landscape:
Cyber Threat Trends Report: From Trojan Takeovers to Ransomware Roulette

Learn more about the findings from the new Cyber Threat Trends report in our webinar on June 20th, 2024, where I’ll share further insights on this research: The Web’s Most Wanted – A Cyber Threat Trend Briefing
