Cisco Web Security

Cisco Web Reputation Technology

Protect Against URL-Based Threats

Evolving Web-Based Threats

An increasingly common characteristic of malware is the presence of a URL that a user must visit to be attacked. Spam, URL-based viruses, phishing attacks, and spyware all direct the user to a malicious URL. Accurately analyzing these URLs and associating a reputation with them helps you:

  • Stop attacks much more quickly and accurately
  • Avoid the URL in whatever method it is disseminated

Cisco Web Reputation Technology provides dynamic analysis and protection against sophisticated blended threats.

Figure 1
Figure 1: How Cisco Web Reputation Technology Works

Web Reputation Tracking: An Innovative Approach

Cisco Web Reputation tracking helps protect against a broad range of URL-based threats. This solution asks a simple but powerful question: "What is the reputation of the URL?" When assessing the trustworthiness of a URL, a great deal can be determined by analyzing data that is hard to form, such as:

  • How long the domain has been registered
  • Which country hosts the website
  • Whether the domain is owned by a Fortune 500 company
  • Whether the web server is using a dynamic IP address

Cisco Web Reputation tracking is facilitated by a common security database, the Cisco SenderBase Network. SenderBase is the world's largest email and web traffic monitoring network. It tracks more than 50 distinct parameters that are excellent indicators of a URL's reputation.

Obtain a Highly Granular Score

Cisco Web Reputation tracking differs from a traditional URL blacklist or whitelist. It analyzes a broad set of data and produces a highly granular score of -10 to +10. This granular score offers administrators increased flexibility by helping them to:

  • Obtain more detail than the binary "good" or "bad" categorizations of most malware detection applications
  • Implement different security policies based on different Web Reputation score ranges

Cisco Talos

Cisco Advanced Malware Protection

Advanced Malware Protection (AMP) for the Cisco Email Security Appliance and Cisco Web Security Appliance detects and stops malicious files within email and web traffic, respectively. One of the solution's key capabilities is file reputation, which:

  • Captures a fingerprint of each file as it traverses the Cisco web and email security gateways
  • Sends the fingerprint to the AMP cloud-based intelligence network for a reputation verdict
  • Evaluates the results and automatically blocks malicious files and applies administrator-defined policies if necessary

Cisco Web Reputation Filters

Cisco Web Reputation Filters also use Talos Security Intelligence and Research Group's advanced security infrastructure. It provides threat detection, correlation, and mitigation. Talos continuously facilitates an exceptional level of security for Cisco customers. It also promotes fast and accurate protection with a combination of:

  • Threat telemetry
  • Global research engineer team
  • Sophisticated security modeling

This combination helps you securely collaborate and embrace new technologies.

Advanced Protection

Advanced protection powered by Talos delivers current and comprehensive security information to Cisco customers and devices. Threat mitigation data is provided through:

  • Dynamic rule updates for Cisco products, such as firewall, web, IPS, or email devices
  • Vulnerability aggregation and alert services from Cisco Security IntelliShield Alert Manager Service
  • Security best-practice recommendations and community outreach services

To help you stay ahead of the latest threats, when a new threat is detected (based on processing data in Cisco SensorBase):

  • It is extracted and correlated.
  • Rules and signatures are generated.
  • Systems are dynamically updated.
  • Updates are then immediately sent to Cisco security devices.

Web Reputation in Use

Cisco Web Reputation data improves efficacy, increasing the catch rate of every URL-based type of malware. This powerful technology is used in Cisco email security appliances and the Cisco Cloud Web Security solution.

Spam and URL-Based Viruses

To evaluate whether or not an email is spam, traditional spam solutions answer the basic question of "what." For example, these methods ask, "What is the nature of the content of a message?"

The difficulty with this approach is that spammers have found a variety of techniques to fool these filters, such as:

  • Adding blocks of legitimate text (called "Bayesian busters")
  • Using numbers instead of letters (for example, "L0ve")

As a result, first-generation antispam filter efficacy has decreased. Almost every spam message contains a URL link as a way to help the reader view the advertising website. Cisco Web Reputation adds another dimension to spam analysis by asking "where," as in "Where does the URL take me?"


Phishing site creators can make the content of their websites perfectly replicate legitimate banking and e-commerce sites. Phishing sites cannot, however, falsify the URL on which they are located. Cisco Web Reputation has a detailed and up-to-date score for the vast majority of URLs and can therefore protect you from phishing attacks.

Blended Attacks

In late December 2005, a Windows Metafile (WMF) vulnerability that allowed the execution of potentially malicious code was discovered. To become infected, a user merely had to browse to a site that had a WMF file (usually a picture) embedded in it. No explicit end-user action was required to download the malicious code.

Spyware Moves In

Initially, this vulnerability was exploited by spyware vendors, who placed spyware-infected WMF files on URLs that were typos of legitimate popular websites. Traditional solutions were ineffective because:

  • Antispyware solutions were not quick enough to determine this new presence of spyware and write signatures for it.
  • Antispam and antivirus solutions did not recognize that email sent by infected hosts had links to sites that exploited WMF vulnerabilities.

Web Reputation Technology Protection

Cisco Web Reputation Technology, however, sees the presence of new URLs on the web. This solution immediately assigns these URLs a Web Reputation score based on factors such as:

  • Use typos of popular domains
  • Rapid increase in volume
  • Presence of downloadable code

Cisco Web Reputation Technology has the power to block users from accessing these sites. It does not matter whether users attempt to view them through typos in a website query or links in a spammed email.

In addition, the broad Web Reputation scoring range helps administrators configure security policies to fit their specific security profile.

Botsite Defense and URL Outbreak Detection

Existing solutions that rely on traditional URL filtering have not been effective because most rely on manual classification techniques. The infected sites hide behind a variety of benign categories (including finance, entertainment, and news), thereby rendering traditional classification-based URL filtering ineffective as a defense.

Cisco URL Outbreak Detection

Cisco URL Outbreak Detection is designed to identify and defend against URLs that have no reputation or signature. These URLs are typically hosted on a botsite and controlled by a botnet.

Cisco SenderBase Network

Using SenderBase, Cisco can detect and block these new URL outbreaks rapidly, using real-time analysis of global web traffic. Analysts in the Cisco Threat Operations Center can proactively publish reputation scores for such URLs before signatures are available from antimalware vendors.

Cisco security modeling techniques provide:

  • Dynamic protection against threats that target legitimate websites
  • "Always on" detection, which tracks the infrastructure behind malware attacks and then adjusts to rapidly block them

Exploit Filtering

According to the Cisco Threat Operations Center, which provides real-time monitoring and analysis of web traffic:

  • Exploited websites are responsible for more than 87 percent of all web-based threats today.
  • Increasing numbers of malware writers are targeting well-known, trusted websites.

Cisco Exploit Filtering

Cisco Exploit Filtering helps protect you from malware delivered through compromised websites, which may not be identified by traditional URL filtering or signature scanning. Exploit Filtering targets trusted websites that have been compromised to deliver Trojans or phishing attacks through techniques such as:

  • Cross-site scripting (XSS) exploits
  • Buffer overflow attacks
  • SQL injections
  • Invisible iFrame redirects

Additional Resources