In late January, the Department of Homeland Security (DHS) issued an emergency directive to mitigate the effects of a domain name system (DNS) hijacking campaign.
DHS’ Cybersecurity and Infrastructure Security Agency noted in a letter to agencies that it was aware of multiple executive-branch domains targeted by the attacks, which redirected and intercepted web and mail traffic from government websites.
DNS is a protocol that translates a domain name, like DHS.gov, into a corresponding IP address. Essentially, when a user types a web address into their browser, the DNS resolver locates the proper IP address to open up the website.
During a DNS attack, a bad actor compromises a DNS administrators account and modifies DNS by replacing a legitimate IP address with a rogue address. So when someone types in a URL, instead of linking to the correct IP address, the DNS connects to an IP address that directs traffic to an illegitimate website. Often, the site mirrors the one the user was originally trying to access. When users click on links, they unintentionally download malware and malicious code.
In the instance of a government website, the attack could not only infect the computers of common users, but also agency systems and personnel trying to access their own sites.
DHS quickly set out to a directive to explain the severity of the issue and provide required actions to mitigate the exposure. We go into some of the actions and recommendations below.
Continuous monitoring is one of the only ways to truly cut off attackers before they’re able to infiltrate systems. With DNS that means recursive monitoring with reporting that gives real-time insights into network activity. Being able to analyze DNS traffic as it’s happening, as opposed to relying on log-based reporting mechanisms, is crucial to preventing DNS-based attacks.
This kind of monitoring can’t be done alone. It would take endless man-hours to track and trace traffic effectively. Deploying an automated system provided by a trusted vendor will free up agency IT teams to focus on only the most imminent threats. The private sector, with massive networks that reach across the world, is perfectly positioned to help the federal government stop DNS hijacking before damage is done.
With Cisco Umbrella Investigate provides a complete view of the relationships and evolution of internet domains, IP addresses and autonomous systems to pinpoint attackers’ infrastructures and predict future threats. It provides easy access to a company’s DNS resolution and anything changing associated with the DNS resolution. This an effective way to monitor DNS records.
Protection of the accounts used to administer DNS records is also vitally important. Multi-factor authentication is a required action as part of this directive. Cisco Duo Security can provide the multi-factor authentication in an easy to use manner.
While this directive is focused on the Federal government it is also relevant to the private sector as well. The same recommendations should be seen as highly recommended actions for the private sector.
Cyberattacks are evolving at break-neck speed. Bad actors are constantly finding novel ways to infiltrate systems, and DNS-based attacks like those on government websites in January aren’t going away. It takes leading-edge technology to stay ahead of hackers and foreign actors. Cisco and Iron Bow can help make that process easier.
For more information about how Iron Bow can help prevent future attacks, visit our cyber security webpage.
COMMENTS