CISA Issues DNS Attack Emergency Directive

Share on facebook
Share on twitter
Share on linkedin
Share on email

Failure to Implement Mandated DNSSEC Leaves Gaping Hole in Security

Under the jurisdiction of Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) leads our nation’s effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow. Recently, the CISA issued its first Emergency Directive under authorities granted by Congress in the Cybersecurity Act of 2015.

The CISA issued the Emergency Directive in response to an active attack by malicious actors who obtained access to accounts that controlled DNS records. Once they had control of an organization’s DNS server, they hijacked incoming requests and pointed them to their own infrastructure before resolving them to the actual address. With control over the DNS server, the malicious actors were able to obtain “legitimate” digital certificates and decrypt intercepted data without tipping off administrators that anything suspicious was going on.

The CISA directive provides some common-sense guidance and mitigation steps to prevent DNS server tampering, including:

  • Verifying DNS records to ensure they are resolving as intended.
  • Updating DNS account passwords.
  • Adding multi-factor authentication to accounts that manage DNS records.
  • Monitoring Certificate Transparency logs for certificates issued but not requested.

 

None of the guidance they provided was new or groundbreaking. These are measures that any organization should be implementing to safeguard their data. In fact, a 2008 directive from the Office of Management and Budget directed federal agencies to improve their DNS security by implementing DNS security extensions (DNSSEC), and with DNSSEC implemented this attack would likely have never happened. DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types. By checking its associated signature, you can verify that a requested DNS record came from its authoritative name server and wasn’t altered in route.

I spoke with Travis Niedens, Sr. Security Solutions Engineer for Cerium Networks, about the Emergency Directive. “This issue illustrates how important it is to follow through with policy implementation when the technology to mitigate attacks has existed for over a decade. Recent security incidents have followed a pattern of primary and secondary mitigation processes not being followed. These issues were ultimately preventable,” Travis observed.

In addition to implementing DNSSEC and regularly parsing DNS records and Certificate Transparency logs, a Secure Internet Gateway, such as Cisco Umbrella, will help ensure DNS security. When Umbrella receives a DNS request, it determines whether the request is safe, malicious or risky. Safe requests are routed normally, malicious requests are blocked, and risky requests are routed to our cloud-based proxy for a more in-depth inspection. The Umbrella proxy uses Cisco Talos web reputation and other third-party feeds to determine if a URL is malicious. The Umbrella proxy also inspects files before they are downloaded from those risky sites using anti-virus (AV) engines and Cisco Advanced Malware Protection (AMP) and blocks suspicious content.

Recent Posts

Evaluating the ROI of SD-WAN

In several recent posts, we’ve described many of the potential business benefits of SD-WAN, including better cloud connectivity, improved administration, increased network visibility and reduced

Read More »
For Emergency Support call: (877) 423-7486
For other support requests or to access your Cerium 1463° portal click here
Stay in the Know

Stay in the Know

Don't miss out on critical security advisories, industry news, and technology insights from our experts. Sign up today!

You have Successfully Subscribed!