Thursday, May 14, 2026

AI-powered DNS protection


In the modern security operations center (SOC), the biggest problem is not always a lack of data; it is a lack of meaning. Analysts are often drowning in telemetry, trying to distinguish the deliberate actions of a threat actor blending in with normal traffic from the noise of a global network.

Compounding this problem, many traditional security tools try to prevent threats based on what they have already seen, not on what could happen next.

The complexity of a ransomware attack, unfolding across multiple stages, highlights many of the challenges SOC teams face every day. For an analyst, these events are often fragmented. If the SOC is not configured to recognize threat patterns, they appear as separate alerts in separate dashboards, forcing the human to manually stitch together the "who," "what," and "where."

At Cisco, we believe that security should go beyond enforcement; it must understand intent. Today we are releasing our new AI-powered DNS protection platform, available within Cisco Secure Access and powered by Cisco Talos intelligence. With AI-assisted algorithms, it brings a new predictive layer of defense to DNS.

These new capabilities bridge the gap between how users connect to the network and how the network is protected, enabling proactive, intelligent defense.

Let's walk through how that looks during a ransomware attack, with a focus on the role DNS-based threats play in malware delivery, data exfiltration, DNS tunnelling, command-and-control (C2) communications, and access to phishing domains.

Cisco Talos DNS Security (fully integrated into Cisco Secure Access) detects obfuscated data hidden in DNS packets, the protocol almost every internet connection begins with. Advanced AI-driven detection, including domain generation algorithm (DGA) analysis, proactively identifies and predicts malicious domains, stopping threats before they impact your organization.

By embedding predictive intelligence from Cisco Talos directly into Secure Access, we are able to disrupt the attacker's workflow at multiple critical stages of a ransomware attack:

  • Initial Access: Ransomware can enter through more than one door, from malicious links (phishing is still the most common entry point, appearing in 40% of Cisco Talos Incident Response cases in 2025) and drive-by downloads to exploited vulnerabilities. Cisco Secure Access uses Talos DNS Security intelligence to analyze the intent of every destination, and proactively blocks connections to malicious sites, malware delivery servers, and suspect infrastructure.
  • Blocking C2 connections: Once malware is on a device, it typically must establish a command-and-control (C2) channel to receive tasking or its encryption keys. Through Talos DNS Security, Talos' custom-built machine learning models detect the distinctive "lexical texture" of algorithmically generated domains (DGA) used by attackers. By identifying these machine-made patterns, we block the communication channel at the onset, leaving the ransomware actor unable to execute its attack.
  • Stopping lateral movement: Cisco Hybrid Mesh Firewall benefits from real-time intelligence from Talos, which means it can also recognize the "fingerprint" of an active breach. If a compromised device attempts to scan the network or move laterally to sensitive servers, the firewall uses Talos-authored SNORT® rules to identify exploit attempts and the Encrypted Visibility Engine (EVE) to detect malicious activity, even within encrypted traffic. By combining these granular detection capabilities with strict segmentation policies, the firewall traps the threat in a "digital cage" and ensures organizations have layers of defense across their environment.
  • Identifying and stopping data exfiltration: Before encryption begins, threat actors may attempt to smuggle data out using covert DNS tunneling. Convolutional neural network models built into Talos DNS Security are able to detect and prevent such threats by analyzing the structure of domain names and behavioral patterns in DNS requests. Through Cisco Secure Access, we block suspicious requests at the DNS resolver, stopping the data from leaving the network and ensuring sensitive information stays protected.
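As an added example (not Cisco's or Talos's code, which the post does not show), here is a small Python script that makes the two DNS-layer detections in the list above concrete: a hand-built lexical risk score for DGA-style names, and a per-client behavioural profile that surfaces DNS tunnelling. The log format, hosts, domains, feature weights and thresholds are all assumptions made for the example; a production model learns such features rather than hard-coding them.

```python
"""DGA lexical scoring and DNS-tunnelling heuristics over constructed resolver log lines.

Added example, not Cisco's or Talos's code. It hand-codes features of the kind a
trained model learns: character entropy, digit/vowel ratios and consonant runs for
DGA names; long, high-entropy, numerous subdomains and unusual record types for
tunnelling. Assumed log format: "<timestamp> <client-ip> <qtype> <qname>".
"""
import math
import re
from collections import defaultdict

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")

# Constructed sample log: one host doing normal lookups, one host resolving two
# DGA-looking names and pushing data out in TXT queries to a tunnelling domain.
SAMPLE_LOG = [
    "2026-05-14T09:12:01Z 10.0.0.7 A www.google.com",
    "2026-05-14T09:12:02Z 10.0.0.7 A mail.google.com",
    "2026-05-14T09:12:03Z 10.0.0.7 A www.microsoft.com",
    "2026-05-14T09:12:04Z 10.0.0.7 A login.salesforce.com",
    "2026-05-14T09:12:05Z 10.0.0.15 A xkq3v9lpzt7rw.com",
    "2026-05-14T09:12:06Z 10.0.0.15 A qzjwxbkvpmt.org",
    "2026-05-14T09:12:07Z 10.0.0.15 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.tunnel-example.test",
    "2026-05-14T09:12:08Z 10.0.0.15 TXT nbswy3dpfqqho33snrsccylsmuqgc3dmfyqgc3dtmvqa.tunnel-example.test",
    "2026-05-14T09:12:09Z 10.0.0.15 TXT kr2gk3tukrugs3tpmuqhg2dpovwgiidcmuqhizltorzq.tunnel-example.test",
    "2026-05-14T09:12:10Z 10.0.0.15 TXT ifztsy3ifzhs4ljohvzwcotkj5qgs3zakjpxiibdpuqh.tunnel-example.test",
    "2026-05-14T09:12:11Z 10.0.0.15 TXT grrxg5dvhjzfkstphizhq2bodzrhuq2yknzuyblrpfsc.tunnel-example.test",
    "2026-05-14T09:12:12Z 10.0.0.15 TXT ozqxe2lbnrsxg2dvojswuidsmfzxg4lvmrqwy33fm5sq.tunnel-example.test",
]


def shannon_entropy(s):
    """Bits per character; machine-made names spread characters more evenly than words."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(fqdn):
    """Return (subdomain, registrable label, parent). Assumes the parent is the last two
    labels; a real deployment would consult the public-suffix list (e.g. for co.uk)."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", labels[0], labels[0]
    return ".".join(labels[:-2]), labels[-2], ".".join(labels[-2:])


def dga_score(fqdn):
    """Lexical risk in [0, 1] for the registrable label: high entropy, digits mixed in,
    few vowels and long consonant runs all push the score up. Weights are illustrative."""
    _, label, _ = split_name(fqdn)
    if len(label) < 5:
        return 0.0
    entropy = shannon_entropy(label) / math.log2(36)          # normalised over [a-z0-9]
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    score = (0.4 * entropy
             + 0.2 * min(2 * digit_ratio, 1.0)
             + 0.2 * (1.0 - min(3 * vowel_ratio, 1.0))
             + 0.2 * min(longest_run / 5.0, 1.0))
    return round(score, 3)


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")}


def flag_dga(lines, threshold=0.5):
    """Sorted distinct query names whose registrable label looks machine-generated."""
    recs = [parse_line(l) for l in lines]
    return sorted({r["qname"] for r in recs if dga_score(r["qname"]) >= threshold})


def tunnel_profiles(lines):
    """Per (client, parent domain) profile: tunnelling shows up as many distinct, long,
    high-entropy subdomains, often carried in TXT/NULL/CNAME queries."""
    groups = defaultdict(list)
    for rec in map(parse_line, lines):
        sub, _, parent = split_name(rec["qname"])
        if sub:
            groups[(rec["client"], parent)].append((sub, rec["qtype"]))
    profiles = {}
    for key, items in groups.items():
        subs = {sub for sub, _ in items}
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        odd_types = sum(qt in ("TXT", "NULL", "CNAME") for _, qt in items) / len(items)
        profiles[key] = {
            "unique_subdomains": len(subs),
            "avg_sub_len": round(avg_len, 1),
            "avg_sub_entropy": round(avg_entropy, 2),
            "odd_type_ratio": round(odd_types, 2),
            # thresholds are illustrative; tune them against your own resolver baseline
            "tunnel_suspect": len(subs) >= 5 and avg_len >= 30 and avg_entropy >= 3.5,
        }
    return profiles


if __name__ == "__main__":
    print("DGA-like names:", flag_dga(SAMPLE_LOG))
    for key, prof in tunnel_profiles(SAMPLE_LOG).items():
        if prof["tunnel_suspect"]:
            print("tunnel suspect:", key, prof)
```

Run against the constructed log, the two random-looking registrable names are flagged while google, microsoft and salesforce stay well under the threshold, and the host sending long TXT queries to tunnel-example.test gets a tunnel_suspect profile while the host with only www and mail subdomains does not. Note what the lexical score deliberately ignores: a short, pronounceable parent with long, high-entropy subdomains (the tunnel case) scores low as a DGA and is caught only by the behavioural profile, which is why the two checks are complementary.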

As a result, instead of chasing fragmented alerts that may not indicate an imminent attack, your security team benefits from a unified, predictive defense. We reduce the noise for your analysts, and help stop ransomware before it can escalate into an organization-disrupting breach.

An analyst's dashboard suddenly raises an early alert: a sharp increase in DNS queries to suspicious domains. Talos DNS Security's predictive blocking within Cisco Secure Access stops these domains before the activity spreads, allowing the analyst to focus on real threats instead of noise.

As the analyst investigates, Secure Access provides detailed charts with embedded "slice profiles" that give a contextual snapshot of which clients, subdomains, and protocols caused each spike. Unlike traditional security systems that only show activity volume, the analyst does not have to dig through raw logs. They can quickly see a trend, understand the specific sources and behaviors behind it, and map out the potential ransomware attack.

Soon after, the analyst notices that Secure Access is flagging domains with high lexical risk scores and coordinated client activity, classic indicators of a DGA-based C2 attempt. Secure Access blocks these domains immediately, cutting off the ransomware actor's communication channels before they can take hold.
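To make the walkthrough above concrete, here is an added Python example (not Cisco Secure Access code; the post describes its dashboards only in prose) that detects a per-minute spike in DNS query volume and builds the kind of "slice profile" described: which clients, parent domains and query types made up the spike, the NXDOMAIN ratio, and which domains several hosts resolved in the same window, the coordination signal behind a DGA C2 attempt. The log format, hosts, domains, timestamps and thresholds are constructed for the example.

```python
"""Spike detection and per-minute "slice profiles" over constructed DNS resolver logs.

Added example, not Cisco Secure Access code. A per-minute query count is compared with
the median of earlier minutes; for each spike the clients, parent domains, query types,
NXDOMAIN ratio and "coordinated" domains (resolved by several distinct hosts in that
minute) are reported. Assumed log format: "<timestamp> <client-ip> <qtype> <qname> <rcode>".
"""
from collections import Counter, defaultdict
from statistics import median


def build_sample_log():
    """Constructed data: five quiet minutes of normal lookups, then a minute in which
    five hosts each try the same three unresolvable, random-looking domains."""
    benign = ["www.example.com", "mail.example.com", "cdn.example.org"]
    lines = []
    for minute in range(5):
        for i in range(4):
            lines.append(f"2026-05-14T09:0{minute}:{i * 10:02d}Z 10.0.0.{i + 1} A {benign[i % 3]} NOERROR")
    for i in range(5):
        for d in ("qzjwxbkvpmt.org", "xkq3v9lpzt7rw.com", "hvtrlpqzkm.net"):
            lines.append(f"2026-05-14T09:05:{i * 10:02d}Z 10.0.0.{i + 1} A {d} NXDOMAIN")
    lines.append("2026-05-14T09:05:55Z 10.0.0.9 A www.example.com NOERROR")
    return lines


def parse_line(line):
    ts, client, qtype, qname, rcode = line.split()
    return {"minute": ts[:16], "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip("."), "rcode": rcode.upper()}


def parent_domain(qname):
    # assumption: the last two labels are the registrable domain (no public-suffix handling)
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_spikes(records, factor=3.0, min_queries=10):
    """Minutes whose query count is at least `factor` times the median of all earlier minutes."""
    per_minute = Counter(r["minute"] for r in records)
    series = [(m, per_minute[m]) for m in sorted(per_minute)]
    spikes = []
    for i, (minute, count) in enumerate(series):
        history = [c for _, c in series[:i]]
        if not history:
            continue
        baseline = median(history)
        if count >= min_queries and count >= factor * max(baseline, 1):
            spikes.append((minute, count, baseline))
    return spikes


def slice_profile(records, minute, top=3, min_clients=3):
    """Who, what and how for one minute: the slice behind a point on the volume chart."""
    window = [r for r in records if r["minute"] == minute]
    if not window:
        return None
    clients_per_domain = defaultdict(set)
    for r in window:
        clients_per_domain[parent_domain(r["qname"])].add(r["client"])
    return {
        "queries": len(window),
        "top_clients": Counter(r["client"] for r in window).most_common(top),
        "top_domains": Counter(parent_domain(r["qname"]) for r in window).most_common(top),
        "qtypes": dict(Counter(r["qtype"] for r in window)),
        "nxdomain_ratio": round(sum(r["rcode"] == "NXDOMAIN" for r in window) / len(window), 2),
        # domains that several distinct hosts resolved within the same minute
        "coordinated_domains": sorted(d for d, cs in clients_per_domain.items() if len(cs) >= min_clients),
    }


def analyse(lines):
    """Return one (minute, count, baseline, profile) tuple per detected spike."""
    records = [parse_line(l) for l in lines]
    return [(minute, count, baseline, slice_profile(records, minute))
            for minute, count, baseline in find_spikes(records)]


if __name__ == "__main__":
    for minute, count, baseline, profile in analyse(build_sample_log()):
        print(f"{minute}: {count} queries against a baseline of {baseline}")
        print(profile)
```

On the constructed data the only spike is 09:05 (16 queries against a baseline of 4), and its profile shows five hosts, three parent domains each resolved by all five, a 94% NXDOMAIN ratio and only A queries: the "coordinated client activity" the text refers to, visible without reading a single raw line. The median baseline is a deliberate choice over a mean, so one earlier burst does not drag the threshold up and hide the next one.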

When your security tools let you shift from manual log-stitching to automated threat disruption, the SOC dynamic changes:

  • From alert triage to contextual investigation: Instead of manually correlating a DNS request with a firewall log, the shared intelligence provides a complete, pre-correlated narrative. When an alert triggers, your analysts already have the "who," "what," and "where" attached to the event.
  • From "Whack-a-Mole" to campaign blocking: Because Cisco Security products have integrated Talos intelligence, you stop blocking individual IPs and start blocking entire campaign infrastructures. When a phishing lure or a DGA-based C2 channel is identified, the enforcement is applied across the entire mesh, preventing the attacker from simply pivoting to a different part of your network.

In an era where ransomware actors heavily employ stealth and defense impairment tactics, this integration ensures that your security stack acts as a single, cohesive system: a unified defense that shares context across every layer (cloud, branch, and data center) to stop threats at speed and scale.

Learn more about how Talos powers the Cisco Security platform here.

Learn more about how Cisco is extending DNS-layer security in the Cisco Secure Access community with AI-driven DGA detection and DNS-layer protection in Secure Access.


