Cisco Systems Inc.

09/03/2025 | News release | Distributed by Public on 09/03/2025 06:18

Securing DNS With Umbrella at Black Hat

Additional Contributor: David Keller

Monitoring DNS is essential to gain a high-level understanding of network usage trends at Black Hat. Cisco has secured Black Hat with DNS since 2017.

Routing DNS traffic through a centralized, intelligence-driven service provides valuable insights: DNS queries can reveal connections to destinations ranging from malware, crypto mining, and phishing sites to categories like social media, finance, and illicit activities. Moreover, these domains are classified into specific applications that can be reviewed in Umbrella's App Discovery report, which highlights the use of thousands of web, desktop, and mobile apps. At Black Hat USA 2025, we started blocking encrypted DNS requests on event networks using Umbrella DNS to ensure we had maximum visibility into user traffic. This forced conference attendees to resolve requests without encryption, enabling inspection to detect compromises or malicious activity.

One of our top monitoring priorities was the ApateWeb potentially unwanted program (PUP) delivery and phishing campaign, which uses a 'two/three-name' domain pattern. We've monitored this campaign at major sporting events, Black Hat Asia, RSAC and Cisco Live this year. Common characteristics for domains associated with the campaign are:

  • Domains registered in CZ
  • Nameservers
    • NS1[.]PUBLICDNSSERVICE[.]COM: Greater than 500 Total - At least 51 malicious
    • NS2[.]PUBLICDNSSERVICE[.]COM: Greater than 500 Total - At least 51 malicious
  • Two or three random English words DGA (vs. random alphanumeric string)

Examples:

  • torchfriendlypay[.]com
  • precautionwailing[.]com
  • impenetrablescald[.]com
  • metrefluke[.]com
  • toothbless[.]com
  • toiletaudacity[.]com
  • lovelyapplied[.]com
  • distraughtmeasurementbaking[.]com
  • fowlsecondary[.]com
  • gossippass[.]com
  • vandalismloungenylon[.]com
  • createdearthparanoia[.]com
  • yelloptical[.]com
  • kettledroopingcontinuation[.]com

NOC leaders were comfortable with blocking resolution requests for these domains to protect attendees from the campaign, based on these characteristics, as seen in the screenshot shared below.

Fig. 1: Blocked resolution requests
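The three characteristics listed above can be combined into a simple triage score. The sketch below is an added example, not Cisco's or Umbrella's detection logic; the mini-wordlist, the nameserver and country values attached to the sample domains, the threshold and all function names are assumptions made for illustration.

```python
import re

# Constructed mini-wordlist; a real deployment would load a full English dictionary.
WORDS = {"torch", "friendly", "pay", "precaution", "wailing", "metre", "fluke",
         "tooth", "bless", "yell", "optical", "created", "earth", "paranoia"}
# Nameservers named on the page, refanged for matching.
CAMPAIGN_NS = {"ns1.publicdnsservice.com", "ns2.publicdnsservice.com"}
# Constructed enrichment records: NS and country values here are illustrative only.
SAMPLES = [
    ("torchfriendlypay[.]com", ["NS1[.]PUBLICDNSSERVICE[.]COM"], "CZ"),
    ("toothbless[.]com", ["ns2.publicdnsservice.com"], "CZ"),
    ("x7k2qpl9[.]com", ["ns1.example.net"], "US"),
]

def refang(name):
    """Turn a defanged indicator (example[.]com) into a comparable hostname."""
    return name.replace("[.]", ".").strip(".").lower()

def split_words(label, max_words=3):
    """Return the fewest-word dictionary split of label, or None if there is none."""
    best = {0: []}  # best[i] = shortest word list covering label[:i]
    for end in range(1, len(label) + 1):
        for start in range(end):
            if start in best and label[start:end] in WORDS:
                cand = best[start] + [label[start:end]]
                if len(cand) <= max_words and (end not in best or len(cand) < len(best[end])):
                    best[end] = cand
    return best.get(len(label))

def score(domain, nameservers=(), registrant_country=None):
    """Return the list of page characteristics that a domain matches."""
    parts = refang(domain).split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # assumes a one-label TLD such as .com
    hits = []
    words = split_words(label) if re.fullmatch(r"[a-z]+", label) else None
    if words and len(words) in (2, 3):
        hits.append("word-pattern:" + "+".join(words))
    if CAMPAIGN_NS & {refang(ns) for ns in nameservers}:
        hits.append("nameserver")
    if (registrant_country or "").upper() == "CZ":
        hits.append("registered-cz")
    return hits

def triage(records, threshold=2):
    """Keep domains matching at least `threshold` characteristics."""
    return [refang(d) for d, ns, cc in records if len(score(d, ns, cc)) >= threshold]
```

Many legitimate domains are also two dictionary words, so the word pattern on its own is a weak signal; requiring a second characteristic before flagging keeps false positives down.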

DNS Year-Over-Year Statistics

This year, we saw over 66.1 million DNS queries, as more attendees decided not to connect to the conference network vs. recent years.

Fig. 2: Black Hat DNS queries, visualized year-over-year

Even with the decline in DNS requests, we saw about the same number of apps at Black Hat USA as in 2024:

  • 2019: ~3,600
  • 2021: ~2,600
  • 2022: ~6,300
  • 2023: ~7,500
  • 2024: ~9,300
  • 2025: ~9,300

The Rise of Gen AI

Last year, one standout application category was growing in popularity: Generative AI. It will likely be no surprise that we saw a rise in the number of Generative AI apps accessed by attendees vs. one year ago.

  • 2024: 194
  • 2025: 209

Fig. 3: Cisco App Discovery

With so many talks incorporating AI subjects, the real-world usage of attendees serves as a metric to measure the increase of adoption and the proliferation of AI tools.

Each year, the NOC leaders give out awards for the top requested websites by category. In 2025 we saw Slack hold serve for the top chat app, along with clashes of big names like Apple vs. Google and Tinder vs. Hinge. We'll present the last matchup with no comment.

Fig. 4: Black Hat USA 2024, top DNS categories

See you at Black Hat Europe!

About Black Hat

Black Hat is the cybersecurity industry's most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.


Cisco Systems Inc. published this content on September 03, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 03, 2025 at 12:18 UTC.