Domain Name Security: Why businesses across the globe need to act now

Domain Name System (DNS) attacks are not a new
phenomenon. They first emerged as a preferred tool of
political hacktivists; however, over the past four years DNS attacks have escalated
and become a major source of cybersecurity risk for corporations. Risks
associated with these types of attacks include possible reputation challenges,
loss of intellectual property or funds, threats stemming from data breaches,
and potential loss of control of
business-critical Internet assets like websites, email, apps, VPNs, and VoIP. As the
Cybersecurity Tech Accord looks ahead to the organization’s third year, addressing
persistent attacks against the Internet’s Domain Name System (DNS), by
cybercriminals and state-sponsored actors, has emerged as a priority.

At a basic level, the DNS serves as the
Internet’s address book. It is responsible for translating the domain name an
individual enters (ex. cybertechaccord.org) into a corresponding IP address (a
unique string of numbers) that web browsers use to identify where traffic is
trying to go. At a more advanced level, the DNS is also used to publish email
authorization policy in the form of Sender Policy Framework (SPF) and DomainKeys
Identified Mail (DKIM) records. These
processes, like other protocols, may not be highly visible, but nevertheless
underpin the entire functioning of the public Internet. Therefore, malicious
efforts to corrupt or otherwise exploit the DNS not only threaten to harm
individual users and organizations, but can also jeopardize overall trust and
confidence in the Internet itself.

In fact, we have seen these attacks already
take place:

  • In 2018 there were multiple
    Border Gateway Protocol (BGP) hijacking events targeting authoritative DNS
    nameservers. One, for example, hijacked Amazon’s Route 53 to target
    cryptocurrency wallets, and another targeted authoritative DNS infrastructure
    supporting some large US payment platforms.
  • In early 2019, FireEye’s
    Mandiant team shed light on a global DNS hijacking campaign that
    appeared to be connected to the Iranian government. This prompted subsequent
    warnings from the U.S. Cybersecurity and Infrastructure Security Agency, the U.K.’s
    National Cyber Security Centre, and ICANN.
  • Throughout last year, Cisco
    Talos warned about the
    apparently state-sponsored ‘Sea Turtle’ attacks taking control of DNS
    systems.
  • And as recently as January
    2020, Reuters reported that a
    group of hackers, alleged to be working in the interests of the Turkish
    government, attacked foreign government organizations and companies via DNS
    hijacking.

Vulnerabilities within domain name management
systems can allow cybercriminals to change the authoritative DNS and redirect
users to malicious sites or apps, or to intercept email. In addition, such attacks can
incorporate the issuance of rogue digital certificates to make the activity
appear legitimate to end users. Attackers can also try to obtain the username
and password to a registrar’s portal that is not protected by two-factor authentication,
IP validation, or registry lock, giving them access to change the nameservers
for every domain accessible within the account. Moreover, even when accounts are
protected by two-factor authentication, if the second factor depends on
telephony infrastructure (SMS or voice codes), the end users need to deploy additional protections
with their carrier to ensure this control works as expected against
SIM swapping / number porting attacks.

Recent analysis from Krebs on Security, “Does Your
Domain Have a Registry Lock?”, underscores the global scale of
this threat. Similarly, research from CSC, a Cybersecurity
Tech Accord signatory, showed that 78% of the world’s most valuable companies
have not implemented key domain name security measures, such as a domain “registry lock.”
The research demonstrates that this is a systemic problem that has the
potential to compromise organizations of all sizes, geographic locations, and sectors.

Cybersecurity Tech Accord signatories will, in the coming
months, focus on driving greater awareness around what types of attacks
threaten the Domain Name System and how to best protect against them, in line
with our commitment to the Paris Call for Trust and Security in Cyberspace and its principle on promoting cyber hygiene. We will drive research
into adoption of good practices, as well as bring together a variety of
stakeholders to help us design an effective way to share solutions and spread
awareness to improve security. These efforts will build on the webinar hosted on the topic in
November, and on the recent guest blog by CSC that looked at
DNS as the missing link in cybersecurity risk postures.

To kickstart this workstream, there are some good practices
when it comes to protecting organizations from DNS hijacking that are worth
sharing. While some organizations would prefer more direct control over DNS
infrastructure, the threat landscape and performance expectations of end users
have pushed many organizations to outsource operating authoritative DNS
infrastructure. With that in mind, the Cybersecurity Tech Accord signatories want
to encourage organizations to apply security controls that will help them defend
their digital assets outside the firewall, such as:

  • Incorporate secure domain,
    DNS, and digital certificate practices into your overall cybersecurity posture.
  • Utilize enterprise class
    providers for your domain, DNS and digital certificates:

    • Organizations should validate
      that their domain name registrar is Internet Corporation for Assigned Names and
      Numbers (ICANN) and registry accredited and can demonstrate its investment in
      systems and security. This should include both staff training on cybersecurity,
      as well as a variety of controls, processes, and security measures that ensure
      a defense-in-depth approach. The
      provider should offer two-factor authentication, IP validation, and federated
      identity for a single sign-on environment. It should also have security controls
      in place for the registry lock process.
    • It is business-critical
      that organizations leverage a multi-provider
      strategy for redundancy in DNS services to avoid a single
      point of failure.
  • Control user permissions
    • User permissions for staff with access to domains and their DNS
      portal should be continuously reviewed and only trusted individuals should have
      access to elevated permissions.
  • Introduce proactive,
    continuous monitoring and alerting:

    • Organizations should ensure
      that their domain name registrar or DNS hosting provider offers proactive and
      continuous monitoring, including of routing security, so that any potential
      disruption of business continuity can be quickly mitigated.
  • Utilize Resource Public Key
    Infrastructure

    • The routed prefixes
      associated with authoritative DNS nameserver ranges should be covered by Resource
      Public Key Infrastructure (RPKI). The Route Origin Authorization (ROA) is a cryptographically
      signed statement of which autonomous system is authorized to originate the prefix, so
      that networks performing route origin validation can reject a hijacked announcement.
  • Proactively leverage the appropriate advanced
    security measures:

    • Utilize domain name
      system security extensions (DNSSEC), for both signing zones and validating
      responses.
    • Prevent the execution
      of unauthorized requests with registry locks to stop automated changes of DNS
      records.
    • Initiate a digital
      certificate policy with certification authority authorization (CAA) records, which
      allow only authorized certification authorities to issue certificates for your
      domains.
    • Ensure email authentication records are published (SPF, DKIM, DMARC and
      MTA-STS: domain-based message authentication, reporting, and conformance together
      with the underlying sender and signature policies), which
      give organizations protection against unauthorized use of their domains,
      commonly known as email spoofing.
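The controls in the list above (registry lock, DNSSEC, CAA, SPF and DMARC) can all be verified from records that are publicly observable, so a useful first step is an automated posture check. The script below is an added example written for this page; it is not code from the original post, from the Cybersecurity Tech Accord or from CSC. It runs offline over two constructed record sets for a hypothetical domain (a weak one and a hardened one) in the shape a resolver and an RDAP/WHOIS lookup would return. The allowed-CA list, the domain name and the record contents are assumptions; the registry-lock test relies on the fact that a registry lock is applied by the registry as the server-side EPP statuses (serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited), which only the registry, not the registrar portal, can remove.

```python
"""Offline domain-security posture check over constructed DNS and EPP data.

Added example for this page; the record sets below are constructed, not real.
"""
import re

# Constructed sample data (assumption): what a lookup of the domain would return.
# "TXT" is the apex TXT set, "_dmarc.TXT" the TXT set at _dmarc.<domain>.
WEAK = {
    "domain": "example.test",
    "epp_status": ["clientTransferProhibited"],          # registrar-level only
    "DS": [],                                            # no DS in the parent zone
    "CAA": [],                                           # any CA may issue
    "TXT": ["v=spf1 include:_spf.mail.test ~all"],       # softfail
    "_dmarc.TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}
HARDENED = {
    "domain": "example.test",
    "epp_status": ["clientTransferProhibited", "serverDeleteProhibited",
                   "serverTransferProhibited", "serverUpdateProhibited"],
    "DS": ["12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"],
    "CAA": ['0 issue "ca.example.test"', '0 issuewild ";"',
            '0 iodef "mailto:security@example.test"'],
    "TXT": ["v=spf1 include:_spf.mail.test -all"],
    "_dmarc.TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
}
ALLOWED_CAS = {"ca.example.test"}   # assumption: the organisation's approved CA(s)

# Registry lock shows up as server-side statuses that the registry alone controls.
REGISTRY_LOCK_STATUSES = {"serverDeleteProhibited", "serverTransferProhibited",
                          "serverUpdateProhibited"}
CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def check_registry_lock(epp_status):
    """All three server*Prohibited statuses present -> registry lock in place."""
    return REGISTRY_LOCK_STATUSES.issubset(set(epp_status))


def check_dnssec(ds_records):
    """A DS record in the parent is what anchors the zone's chain of trust."""
    return len(ds_records) > 0


def check_caa(caa_records, allowed_cas):
    """CAA present, and every issue/issuewild entry names an allowed CA or ';' (none)."""
    seen_issue = False
    for rec in caa_records:
        m = CAA_RE.match(rec.strip())
        if not m:
            return False                      # malformed record: fail closed
        _flags, tag, value = m.groups()
        if tag in ("issue", "issuewild"):
            seen_issue = True
            ca = value.split(";", 1)[0].strip()   # drop "; key=value" parameters
            if ca and ca not in allowed_cas:
                return False
    return seen_issue


def check_spf(txt_records):
    """Exactly one SPF record (RFC 7208 treats zero or several as a failure), hard fail."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False
    return spf[0].split()[-1].lower() == "-all"


def check_dmarc(txt_records):
    """DMARC record with an enforcing policy (quarantine or reject)."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "").strip().lower() in ("quarantine", "reject")
    return False


def assess(records, allowed_cas=ALLOWED_CAS):
    """Return {control: passed} for one domain's record set."""
    return {
        "registry_lock": check_registry_lock(records["epp_status"]),
        "dnssec": check_dnssec(records["DS"]),
        "caa": check_caa(records["CAA"], allowed_cas),
        "spf": check_spf(records["TXT"]),
        "dmarc": check_dmarc(records["_dmarc.TXT"]),
    }


def gaps(records, allowed_cas=ALLOWED_CAS):
    """Names of the controls that are missing, in the order assess() reports them."""
    return [name for name, ok in assess(records, allowed_cas).items() if not ok]


if __name__ == "__main__":
    for label, data in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label:9s} {data['domain']}: gaps = {gaps(data) or 'none'}")
```

To use this against a real estate, replace the constructed dictionaries with the output of a DNS library query (DS, CAA and TXT at the apex and at `_dmarc`) and the EPP status list from the registrar's or registry's RDAP response; the check functions themselves do not change. A passing DS check only shows that a chain of trust is published; validating resolvers on your own network are still needed to enforce it, and a passing CAA check does not revoke certificates that were issued before the record existed.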
