DHS' 4-step plan to counter DNS hijacking
- By Derek B. Johnson
- Jan 23, 2019
Nearly all federal agencies will be locking down their Domain Name System infrastructure to mitigate tampering with DNS records.
In a Jan. 22 letter from the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency Director Christopher Krebs said executive branch agencies will have 10 business days to complete four required measures: audit public DNS records and secondary DNS servers, update passwords for all accounts on systems that can change DNS records, add multifactor authentication to DNS accounts and monitor certificate transparency logs.
The directive applies to all executive branch departments except the Department of Defense, the Central Intelligence Agency and the Office of the Director of National Intelligence.
CISA wants preliminary status reports by Friday, Jan. 25, and a completed action report no later than Feb. 5. Krebs said the agency is ready to provide technical and logistical assistance to agencies that detect anomalous activity or are unable to implement the directive.
In the letter, Krebs wrote that CISA has observed instances where attackers compromise or otherwise obtain login credentials for accounts that can change DNS records. After altering a record, the attackers redirect user traffic to an address they control and, because the domain now resolves to infrastructure under their control, obtain valid encryption certificates for it that allow them to decrypt and read incoming traffic.
"This allows the redirected traffic to be decrypted, exposing any user-submitted data," Krebs wrote. "Since the certificate is valid for the domain, end users receive no error warnings."
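The two detective steps in the directive, auditing public DNS records and monitoring certificate transparency logs, can be scripted against a baseline. The following is an added example, not code from the article, CISA or FireEye: it compares an agency's expected record sets with what resolvers returned and flags certificates in CT entries that cover a monitored domain but were never requested by the agency. All domain names, IP addresses, CA names, fingerprints and CT entries are constructed sample data shaped like the hijack described above, and the `CertEntry` fields are a simplified stand-in for a real CT log or crt.sh record, not its actual schema.

```python
"""Added example (not from the article or CISA): offline versions of two
directive steps, record auditing and certificate-transparency monitoring.
Every domain, address, issuer and fingerprint below is constructed."""
from dataclasses import dataclass

# Step 1: the records the agency *expects* to publish, keyed by (name, type).
EXPECTED_RECORDS = {
    ("www.agency.example", "A"): {"192.0.2.10"},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
    ("agency.example", "MX"): {"10 mail.agency.example."},
}

# Constructed "observed" answers (what `dig` would return from a public
# resolver): the A record now points elsewhere and a third NS has appeared,
# which is exactly the tampering the directive describes.
OBSERVED_RECORDS = {
    ("www.agency.example", "A"): {"198.51.100.7"},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example.",
                               "ns.attacker.example."},
    ("agency.example", "MX"): {"10 mail.agency.example."},
}


def audit_dns_records(expected, observed):
    """Return (name, type, missing, unexpected) for every record set whose
    observed values differ from the baseline; an empty list means no drift."""
    findings = []
    for key in sorted(set(expected) | set(observed)):
        exp = expected.get(key, set())
        obs = observed.get(key, set())
        if exp != obs:
            name, rtype = key
            findings.append((name, rtype, sorted(exp - obs), sorted(obs - exp)))
    return findings


# Step 4: certificate transparency monitoring.
@dataclass(frozen=True)
class CertEntry:
    """Minimal constructed view of a CT log entry (not the real schema)."""
    names: tuple      # subjectAltName dNSNames
    issuer: str
    not_before: str   # ISO date
    sha256: str       # leaf certificate fingerprint (shortened here)


KNOWN_ISSUERS = {"Agency Internal CA", "Example Public CA"}
KNOWN_FINGERPRINTS = {"aa11", "bb22"}   # certificates the agency itself requested

CT_ENTRIES = [
    CertEntry(("www.agency.example",), "Example Public CA", "2018-11-02", "aa11"),
    CertEntry(("mail.agency.example",), "Agency Internal CA", "2018-12-15", "bb22"),
    # Issued after the A record changed, by a CA the agency has never used and
    # absent from its inventory: the certificate a hijacker would obtain.
    CertEntry(("www.agency.example", "agency.example"), "Free Public CA",
              "2019-01-10", "cc33"),
]


def _covers(san, domains):
    """True if a SAN names a monitored domain or any label beneath it."""
    if san.startswith("*."):
        san = san[2:]   # a wildcard covers the base domain
    return any(san == d or san.endswith("." + d) for d in domains)


def find_unexpected_certs(entries, monitored_domains, known_fingerprints, known_issuers):
    """Flag certificates covering a monitored domain that the agency did not
    request. A fingerprint match clears an entry; otherwise an unknown issuer
    is the strongest signal, but even a known issuer is reported so the
    certificate can be reconciled against the inventory."""
    suspicious = []
    for e in entries:
        if not any(_covers(n, monitored_domains) for n in e.names):
            continue
        if e.sha256 in known_fingerprints:
            continue
        reason = "unknown issuer" if e.issuer not in known_issuers else "not in inventory"
        suspicious.append((e.sha256, e.issuer, reason))
    return suspicious


def run_checks():
    """Run both checks over the constructed data and return the findings."""
    return (audit_dns_records(EXPECTED_RECORDS, OBSERVED_RECORDS),
            find_unexpected_certs(CT_ENTRIES, {"agency.example"},
                                  KNOWN_FINGERPRINTS, KNOWN_ISSUERS))


if __name__ == "__main__":
    drift, certs = run_checks()
    for name, rtype, missing, extra in drift:
        print(f"DRIFT {name} {rtype}: missing={missing} unexpected={extra}")
    for fp, issuer, reason in certs:
        print(f"CERT {fp} from {issuer}: {reason}")
```

In practice `OBSERVED_RECORDS` would be filled from queries against several public resolvers as well as the zone's own authoritative servers, since a hijack at the registrar changes the NS delegation while the agency's own servers still answer correctly, and `CT_ENTRIES` from a CT log or aggregator feed filtered on the agency's domains. Clearing a certificate only on fingerprint, not on issuer, matters because a hijacker who controls resolution can obtain a certificate from the same public CA the agency normally uses.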
The directive comes after DHS and private threat intelligence firm FireEye issued warnings about the campaign earlier this month. FireEye said the campaign involved "dozens" of domains throughout North America, Europe, North Africa and the Middle East, affecting governments, telecommunications companies and internet infrastructure entities.
FireEye's analysis did not make a formal attribution, but it expressed "moderate confidence" that the activity was linked to groups based out of Iran, with some of the IP addresses tracked being used in a previous campaign attributed to Iranian cyber espionage actors. The DHS letter and alert do not mention Iran or provide any information regarding attribution.
CyberScoop first reported on the impending directive shortly before it was publicly released.
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at email@example.com, or follow him on Twitter @derekdoestech.