CISA Issues DNS Attack Emergency Directive

Failure to Implement Mandated DNSSEC Leaves Gaping Hole in Security

Under the jurisdiction of the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) leads our nation’s effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow. Recently, CISA issued its first Emergency Directive under authorities granted by Congress in the Cybersecurity Act of 2015.

CISA issued the Emergency Directive in response to an active attack by malicious actors who obtained access to accounts that controlled DNS records. Once they had control of an organization’s DNS, they hijacked incoming requests and pointed them to their own infrastructure before forwarding them to the actual address. Because certificate authorities validate domain ownership through DNS, control over the DNS records also allowed the malicious actors to obtain “legitimate” digital certificates for the hijacked domains and decrypt intercepted traffic without tipping off administrators that anything suspicious was going on.

The CISA directive provides some common-sense guidance and mitigation steps to prevent DNS server tampering, including:

  • Verifying DNS records to ensure they are resolving as intended.
  • Updating DNS account passwords.
  • Adding multi-factor authentication to accounts that manage DNS records.
  • Monitoring Certificate Transparency logs for certificates issued but not requested.
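The first and last steps above both reduce to the same detective control: compare what is observed (resolved records, CT-log issuances) against an approved baseline and flag anything the organization did not put there. The following is an added example, not code from the directive or from Cerium; every record, domain and fingerprint in it is constructed sample data.

```python
"""Baseline audit for two of the ED 19-01 steps: verify that DNS
records resolve as intended, and find CT-logged certificates that were
never requested. All data below is constructed sample input."""

# Constructed baseline: the record sets the organization expects.
EXPECTED_RECORDS = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "A"): {"192.0.2.10"},
    ("mail.example.gov", "MX"): {"10 mx1.example.gov."},
}

# Constructed "observed" snapshot, as a resolver would return it.  The A
# record has been re-pointed and a higher-priority MX has been added,
# which is the pattern the directive describes.
OBSERVED_RECORDS = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "A"): {"198.51.100.7"},
    ("mail.example.gov", "MX"): {"10 mx1.example.gov.", "5 mx-bad.example.net."},
}


def audit_dns(expected, observed):
    """Return (name, rtype, added, missing) for every record set that
    deviates from the baseline. Both unexpected and vanished values are
    reported, because a hijack usually does both at once (a new value
    replacing the legitimate one)."""
    findings = []
    for key, want in expected.items():
        got = observed.get(key, set())
        added, missing = got - want, want - got
        if added or missing:
            findings.append((*key, sorted(added), sorted(missing)))
    return findings


# Constructed CT-log entries: (subject name, issuer, certificate fingerprint).
CT_ENTRIES = [
    ("example.gov", "Example CA", "aa11"),        # requested by us
    ("mail.example.gov", "Other CA", "bb22"),     # never requested by us
    ("unrelated.example.net", "Other CA", "cc33"),  # not our domain
]
APPROVED_CERTS = {"aa11"}   # fingerprints the organization actually requested
OUR_DOMAINS = {"example.gov"}


def unexpected_certs(ct_entries, approved, our_domains):
    """Certificates logged for our domains (or their subdomains) whose
    fingerprint is not in the approved inventory."""
    def ours(name):
        return any(name == d or name.endswith("." + d) for d in our_domains)
    return [e for e in ct_entries if ours(e[0]) and e[2] not in approved]
```

In practice the observed snapshot would come from queries against several public resolvers and the CT entries from a log monitor, with the baseline kept under change control so a deviation can be traced to an authorized change or escalated.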


None of the guidance they provided was new or groundbreaking. These are measures that any organization should be implementing to safeguard its data. In fact, a 2008 directive from the Office of Management and Budget directed federal agencies to improve their DNS security by implementing DNS Security Extensions (DNSSEC), and with DNSSEC implemented this attack would likely never have happened. DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside the common record types they sign. By checking its associated signature, you can verify that a requested DNS record came from its authoritative name server and wasn’t altered en route.

I spoke with Travis Niedens, Sr. Security Solutions Engineer for Cerium Networks, about the Emergency Directive. “This issue illustrates how important it is to follow through with policy implementation when the technology to mitigate attacks has existed for over a decade. Recent security incidents have followed a pattern of primary and secondary mitigation processes not being followed. These issues were ultimately preventable,” Travis observed.

In addition to implementing DNSSEC and regularly auditing DNS records and Certificate Transparency logs, a Secure Internet Gateway, such as Cisco Umbrella, will help ensure DNS security. When Umbrella receives a DNS request, it determines whether the request is safe, malicious, or risky. Safe requests are routed normally, malicious requests are blocked, and risky requests are routed to Umbrella’s cloud-based proxy for a more in-depth inspection. The Umbrella proxy uses Cisco Talos web reputation and other third-party feeds to determine whether a URL is malicious. The Umbrella proxy also inspects files before they are downloaded from those risky sites, using anti-virus (AV) engines and Cisco Advanced Malware Protection (AMP), and blocks suspicious content.

DNS Security with Cisco Umbrella

Contact Cerium Networks to learn more about DNS Security and how Cisco Umbrella can help secure your technology environment.
