DHS' 4-step plan to counter DNS hijacking
- By Derek B. Johnson
- Jan 23, 2019
Nearly all federal agencies will be locking down their Domain Name System infrastructure to mitigate tampering with DNS infrastructure.
In a Jan. 22 letter from the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency Director Christopher Krebs said executive branch agencies will have 10 business days to complete four required measures: audit public DNS records and secondary DNS servers, update passwords for all accounts on systems that can change DNS records, add multifactor authentication to DNS accounts and monitor certificate transparency logs.
The directive applies to all executive branch departments except the Department of Defense, the Central Intelligence Agency and the Office of the Director of National Intelligence.
CISA wants preliminary status reports by Friday, Jan. 25, and a completed action report no later than Feb. 5. Krebs said the agency is ready to provide technical and logistical assistance to agencies that detect anomalous activity or are unable to implement the directive.
In the letter, Krebs wrote that CISA has observed instances where attackers compromise or obtain login credentials for accounts that can make changes to DNS records. After altering the address records, attackers direct user traffic to an address they control and obtain encryption certificates for the domain, which allow them to decrypt and read the incoming traffic.
"This allows the redirected traffic to be decrypted, exposing any user-submitted data," Krebs wrote. "Since the certificate is valid for the domain, end users receive no error warnings."
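Two of the four measures, auditing public DNS records and monitoring certificate transparency logs, are the ones a defender can mechanise, and together they catch the two halves of the attack described above: a record that now points somewhere unexpected, and a certificate for the domain issued by a CA the agency never asked. The script below is an added illustration, not part of the article or of CISA's directive; the zone names, record values, issuer names and log entries are all constructed, and a real deployment would feed `audit_dns` a live zone snapshot and `review_ct_entries` entries pulled from a CT log or a CT search service.

```python
"""Offline check for two of the directive's measures: audit published DNS records
against an expected baseline, and review certificate transparency (CT) entries for
certificates on the agency's domains that an approved issuer did not produce.
Every name, address and log entry here is constructed for illustration."""

from dataclasses import dataclass

# Constructed baseline: the records the agency expects its zone to publish.
# Keys are (owner name, record type); values are the set of expected RDATA strings.
EXPECTED_RECORDS = {
    ("www.agency.example", "A"): {"192.0.2.10"},
    ("mail.agency.example", "MX"): {"10 mx1.agency.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example."},
}

# Constructed snapshot of what resolvers currently see for the same zone.
OBSERVED_RECORDS = {
    ("www.agency.example", "A"): {"198.51.100.77"},  # A record now points elsewhere
    ("mail.agency.example", "MX"): {"10 mx1.agency.example."},
    ("agency.example", "NS"): {"ns1.agency.example.", "ns2.agency.example.",
                               "ns.unknown.example."},  # an extra name server appeared
}

# Constructed CT log entries in a simplified shape: who issued, for which names, when.
CT_ENTRIES = [
    {"logged_at": "2019-01-10T08:00:00Z", "issuer": "Agency Internal CA",
     "names": ["www.agency.example"]},
    {"logged_at": "2019-01-20T03:15:00Z", "issuer": "Some Public CA",
     "names": ["www.agency.example", "mail.agency.example"]},
    {"logged_at": "2019-01-21T11:00:00Z", "issuer": "Some Public CA",
     "names": ["unrelated.example"]},  # not our domain, should be ignored
]

APPROVED_ISSUERS = {"Agency Internal CA"}   # constructed allow-list of CAs
MONITORED_DOMAINS = {"agency.example"}      # constructed list of zones to watch


@dataclass
class Finding:
    kind: str    # "missing", "unexpected", "changed" or "unapproved_issuer"
    name: str    # record (owner/type) or certificate names the finding concerns
    detail: str  # human-readable explanation


def audit_dns(expected, observed):
    """Compare an observed zone snapshot with the baseline; return deviations."""
    findings = []
    for key in sorted(set(expected) | set(observed)):
        owner, rtype = key
        label = f"{owner}/{rtype}"
        if key not in observed:
            findings.append(Finding("missing", label, "record is no longer published"))
            continue
        if key not in expected:
            findings.append(Finding("unexpected", label,
                                    f"no baseline entry; observed {sorted(observed[key])}"))
            continue
        added, removed = observed[key] - expected[key], expected[key] - observed[key]
        if added or removed:
            findings.append(Finding("changed", label,
                                    f"added={sorted(added)} removed={sorted(removed)}"))
    return findings


def in_monitored_domain(fqdn, monitored):
    """True if fqdn is one of the monitored zones or a name beneath one of them."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == zone or fqdn.endswith("." + zone) for zone in monitored)


def review_ct_entries(entries, monitored, approved_issuers):
    """Flag CT entries that cover a monitored name but come from an unapproved CA."""
    findings = []
    for entry in entries:
        covered = [n for n in entry["names"] if in_monitored_domain(n, monitored)]
        if not covered:
            continue  # certificate is not for any domain we are responsible for
        if entry["issuer"] not in approved_issuers:
            findings.append(Finding("unapproved_issuer", ",".join(covered),
                                    f"issued by {entry['issuer']!r} at {entry['logged_at']}"))
    return findings


if __name__ == "__main__":
    for f in audit_dns(EXPECTED_RECORDS, OBSERVED_RECORDS):
        print(f"DNS {f.kind:<18} {f.name:<28} {f.detail}")
    for f in review_ct_entries(CT_ENTRIES, MONITORED_DOMAINS, APPROVED_ISSUERS):
        print(f"CT  {f.kind:<18} {f.name:<28} {f.detail}")
```

Run against the constructed data it reports the changed A record, the extra NS server, and the publicly issued certificate covering both hostnames; in practice the baseline is the record set the agency actually authorised, and any finding from either check is a signal to verify who made the change and, if nobody did, to invoke the incident-response steps the directive describes.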
The directive comes after DHS and private threat intelligence firm FireEye issued warnings about the campaign earlier this month. FireEye said the campaign involved "dozens" of domains throughout North America, Europe, North Africa and the Middle East, affecting governments, telecommunications companies and internet infrastructure entities.
FireEye's analysis did not make a formal attribution, but it expressed "moderate confidence" that the activity was linked to groups based out of Iran, with some of the IP addresses tracked being used in a previous campaign attributed to Iranian cyber espionage actors. The DHS letter and alert do not mention Iran or provide any information regarding attribution.
CyberScoop first reported on the impending directive shortly before it was publicly released.
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.