Failure to Implement Mandated DNSSEC Leaves Gaping Hole in Security
Under the jurisdiction of the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) leads our nation’s effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow. Recently, CISA issued its first Emergency Directive under the authorities granted by Congress in the Cybersecurity Act of 2015.
CISA issued the Emergency Directive in response to an active campaign in which attackers obtained credentials for the accounts that control an organization’s DNS records (typically at its registrar or DNS hosting provider). With that access they rewrote address and name-server records so that the organization’s names resolved to attacker-controlled infrastructure, which proxied the traffic on to the real hosts so that users noticed nothing. Because domain-validated certificate issuance depends on exactly the DNS resolution the attackers now controlled, they could obtain “legitimate” certificates for the hijacked names from public CAs, terminate TLS on their proxy, and read the intercepted traffic without triggering browser warnings or tipping off administrators that anything suspicious was going on.
The CISA directive provides some common-sense guidance and mitigation steps to detect and stop tampering with an organization’s DNS records, including:
- Verifying DNS records to ensure they are resolving as intended.
- Updating DNS account passwords.
- Adding multi-factor authentication to accounts that manage DNS records.
- Monitoring Certificate Transparency logs for certificates issued but not requested.
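The first and last of those steps can be scripted. The following Python is added here as an example (it is not code from CISA or from the original post): it takes a baseline of the records a zone is supposed to hold, compares it with answers in the layout `dig +noall +answer` produces, and reports anything extra or missing; it then takes Certificate Transparency entries in the JSON shape crt.sh returns and reports every certificate for the organization’s names whose serial is not in its own certificate inventory. The zone example.gov, the addresses, the answer lines and the CT entries are all constructed placeholders. In real use, query the observed answers from a resolver outside your own network (so a poisoned local cache does not mask a hijack) and pull the CT entries from crt.sh or a CT monitor.

```python
"""Audit DNS answers and CT log entries against an expected baseline.
Added example: the zone, addresses, answers and CT entries are constructed."""
import json

# Expected state of the zone (constructed; example.gov is a placeholder).
EXPECTED_RECORDS = {
    ("www.example.gov", "A"): {"203.0.113.10"},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
}

# Answers as a resolver returned them, in `dig +noall +answer` layout
# (constructed so the script runs offline). The extra A record and the
# replaced NS record model a hijack: traffic and the zone delegation now
# point at attacker infrastructure.
OBSERVED_ANSWERS = """\
www.example.gov.    300   IN  A   203.0.113.10
www.example.gov.    300   IN  A   198.51.100.77
example.gov.        3600  IN  NS  ns1.example.gov.
example.gov.        3600  IN  NS  ns1.attacker-dns.example.
example.gov.        3600  IN  MX  10 mail.example.gov.
"""

# Entries in the shape crt.sh returns for `?q=%.example.gov&output=json`
# (constructed; field names follow crt.sh, values are placeholders).
CT_LOG_ENTRIES = json.dumps([
    {"serial_number": "0a1b2c", "issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "name_value": "www.example.gov", "not_before": "2018-06-01T00:00:00"},
    {"serial_number": "0d4e5f", "issuer_name": "C=US, O=Example CA, CN=Example CA R3",
     "name_value": "mail.example.gov", "not_before": "2018-06-01T00:00:00"},
    {"serial_number": "77aa88", "issuer_name": "C=US, O=Automated CA, CN=Automated CA X1",
     "name_value": "www.example.gov\nmail.example.gov", "not_before": "2019-01-15T09:12:00"},
])

# Serials of every certificate the organization itself requested, taken
# from its own certificate inventory (constructed).
KNOWN_SERIALS = {"0a1b2c", "0d4e5f"}


def parse_answers(text):
    """Group dig-style answer lines into {(owner, type): {rdata, ...}}."""
    observed = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        key = (owner.rstrip(".").lower(), rtype.upper())
        observed.setdefault(key, set()).add(rdata.strip())
    return observed


def audit_dns(expected, observed):
    """Per RRset, report values that should not be there and values that
    vanished. An empty dict means every RRset resolves as intended."""
    findings = {}
    for key, want in expected.items():
        got = observed.get(key, set())
        if got != want:
            findings[key] = {"unexpected": got - want, "missing": want - got}
    for key in observed.keys() - expected.keys():   # record types nobody baselined
        findings[key] = {"unexpected": observed[key], "missing": set()}
    return findings


def audit_ct(entries_json, known_serials):
    """Return CT entries whose serial is not in the inventory: certificates
    issued for our names that nobody here requested."""
    return [e for e in json.loads(entries_json)
            if e["serial_number"].lower() not in known_serials]


def run_audit():
    return {
        "dns": audit_dns(EXPECTED_RECORDS, parse_answers(OBSERVED_ANSWERS)),
        "ct": audit_ct(CT_LOG_ENTRIES, KNOWN_SERIALS),
    }


if __name__ == "__main__":
    report = run_audit()
    for (owner, rtype), diff in report["dns"].items():
        print(f"DNS {owner} {rtype}: unexpected={diff['unexpected']} missing={diff['missing']}")
    for cert in report["ct"]:
        print(f"CT  unrequested cert serial {cert['serial_number']} from {cert['issuer_name']}")
```

Running it flags the attacker’s A record, the swapped NS record (and the legitimate ns2 that disappeared), and the one certificate covering both hostnames that no one in the organization requested. Both checks are only as good as the baseline and the inventory they compare against, so keep those in version control and review the diff, not just the alert.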
None of this guidance was new or groundbreaking; these are measures any organization should already have in place to safeguard its data. In fact, a 2008 directive from the Office of Management and Budget ordered federal agencies to improve their DNS security by deploying DNS Security Extensions (DNSSEC), and a signed zone would have made this kind of tampering far harder to carry out unnoticed. DNSSEC adds cryptographic signatures to existing DNS records: each set of records in a zone is signed with the zone’s private key, the signatures (RRSIG records) are published in the name servers alongside the ordinary record types, the public key is published as a DNSKEY record, and a digest of that key (a DS record) is placed in the parent zone, forming a chain of trust from the root down. A validating resolver that checks the signature can confirm that a record was signed by the zone’s key and was not altered en route, which defeats cache poisoning and on-path rewriting; for a hijack that did not also capture the zone’s signing key, validating resolvers would have returned failures instead of the attacker’s addresses, turning a silent redirection into a visible outage. The caveat a practitioner should keep in mind is that DNSSEC provides authenticity and integrity, not confidentiality, and it cannot protect against an attacker who already holds the credentials of the account that manages the zone: records changed through the legitimate provider are signed with the legitimate key and validate cleanly. That is exactly why the directive’s account hygiene steps matter alongside DNSSEC rather than instead of it.
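To make the verification step concrete, here is a small model of DNSSEC validation in Python. It is added here as an illustration and is not code from the page or from any DNSSEC implementation. It uses textbook RSA over SHA-256 with 512-bit keys and a simplified text canonicalization so that it runs with the standard library alone; real DNSSEC uses RSA/SHA-256 with PKCS#1 v1.5 padding (or ECDSA/Ed25519), wire-format canonical RRsets and key tags, but the chain-of-trust logic in `validate()` is the same. The zone example.gov, the names, addresses and keys are all constructed. It walks the chain (DS in the parent, DNSKEY, RRSIG over the RRset) and then runs the cases discussed above: a record rewritten in transit, a forgery signed with an attacker’s own key, and the caveat case of an attacker who gets the forged record signed with the legitimate zone key.

```python
"""Structural model of DNSSEC validation (added example, not real DNSSEC code).
Signatures are textbook RSA over SHA-256 (no padding, 512-bit keys) so only
the standard library is needed; the zone, names and keys are constructed."""
import hashlib
import random

rng = random.SystemRandom()


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)). e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_sign(priv, msg):
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), d, n)


def rsa_verify(pub, msg, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


def canonical(rrset):
    """Canonical form of an RRset (owner, type, sorted rdata). Every resolver
    must derive the same bytes or the signature could never match."""
    owner, rtype, rdata = rrset
    return f"{owner.lower()}|{rtype}|{','.join(sorted(rdata))}".encode()


def ds_record(zone, dnskey):
    """DS record the parent zone publishes: a digest of the child's DNSKEY."""
    e, n = dnskey
    return hashlib.sha256(f"{zone}|{e}|{n}".encode()).hexdigest()


def sign_rrset(rrset, zone_priv):
    """RRSIG for the RRset, produced with the zone's private key."""
    return rsa_sign(zone_priv, canonical(rrset))


def validate(zone, rrset, rrsig, dnskey, trust_anchor_ds):
    """What a validating resolver checks before accepting an answer."""
    if ds_record(zone, dnskey) != trust_anchor_ds:
        return False, "DNSKEY does not match the DS published by the parent"
    if not rsa_verify(dnskey, canonical(rrset), rrsig):
        return False, "RRSIG does not verify over the RRset"
    return True, "secure"


def run_scenarios():
    """Constructed zone example.gov with one A record; validation outcome per case."""
    zone = "example.gov"
    zone_pub, zone_priv = rsa_keygen()
    anchor = ds_record(zone, zone_pub)                     # what .gov would publish
    rrset = ("www.example.gov", "A", ("203.0.113.10",))
    rrsig = sign_rrset(rrset, zone_priv)
    forged = ("www.example.gov", "A", ("198.51.100.77",))  # attacker's proxy
    atk_pub, atk_priv = rsa_keygen()
    return {
        # Untouched answer: DS matches DNSKEY and RRSIG verifies.
        "genuine": validate(zone, rrset, rrsig, zone_pub, anchor)[0],
        # Cache poisoning / on-path rewrite: rdata changed, signature now stale.
        "tampered_in_transit": validate(zone, forged, rrsig, zone_pub, anchor)[0],
        # Attacker's own name servers serve a forgery signed with their own key;
        # the parent's DS still names the real key, so the chain breaks.
        "attacker_own_key": validate(zone, forged, sign_rrset(forged, atk_priv), atk_pub, anchor)[0],
        # Caveat: an attacker holding the zone's management credentials has the
        # provider publish and sign the forged record with the real key, and
        # DNSSEC validates it. Only account hygiene and CT monitoring catch this.
        "zone_key_compromised": validate(zone, forged, sign_rrset(forged, zone_priv), zone_pub, anchor)[0],
    }


if __name__ == "__main__":
    for case, ok in run_scenarios().items():
        print(f"{case:22s} {'validates' if ok else 'REJECTED'}")
```

The first three cases are the ones DNSSEC was designed for and it rejects both forgeries; the fourth is the one the directive’s password, MFA and CT monitoring steps exist for, and no amount of signature checking by the resolver can distinguish it from a legitimate change.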
I spoke with Travis Niedens, Sr. Security Solutions Engineer for Cerium Networks, about the Emergency Directive. “This issue illustrates how important it is to follow through with policy implementation when the technology to mitigate attacks has existed for over a decade. Recent security incidents have followed a pattern of primary and secondary mitigation processes not being followed. These issues were ultimately preventable,” Travis observed.
In addition to deploying DNSSEC and regularly auditing DNS records and Certificate Transparency logs, a Secure Internet Gateway such as Cisco Umbrella adds a layer of protection on the other side of the problem: the DNS requests your own users send out. When Umbrella receives a DNS request, it classifies it as safe, malicious or risky. Safe requests are resolved normally, malicious requests are blocked, and risky requests are routed to Umbrella’s cloud-based proxy for more in-depth inspection. The proxy uses Cisco Talos web reputation and other third-party feeds to determine whether a URL is malicious, and it inspects files before they are downloaded from risky sites using anti-virus (AV) engines and Cisco Advanced Malware Protection (AMP), blocking suspicious content.