Domain Name System (DNS) attacks are not a new phenomenon. They first emerged as a preferred tool of political hacktivists; however, over the past four years DNS attacks have escalated and become a major source of cybersecurity risk for corporations. Risks associated with these types of attacks include possible reputation challenges, loss of intellectual property or funds, threats stemming from data breaches, and potential loss of control of business-critical Internet assets like websites, email, apps, VPNs, and VoIP. As the Cybersecurity Tech Accord looks ahead to the organization’s third year, addressing persistent attacks against the Internet’s Domain Name System (DNS), by cybercriminals and state-sponsored actors, has emerged as a priority.
At a basic level, the DNS serves as the Internet’s address book. It is responsible for translating the domain name an individual enters (ex. cybertechaccord.org) into a corresponding IP address (a unique string of numbers) that web browsers use to identify where traffic is trying to go. At a more advanced level, the DNS is used to signal authorization in the form of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records. These processes, like other protocols, may not be highly visible, but nevertheless underpin the entire functioning of the public Internet. Therefore, malicious efforts to corrupt or otherwise exploit the DNS not only threaten to harm individual users and organizations, but can also jeopardize overall trust and confidence in the Internet itself.
In fact, we have seen these attacks already take place:
- In 2018 there were multiple Border Gateway Protocol hijacking events targeting authoritative DNS nameservers. One, for example, hijacked Amazon’s Route 53 targeting cryptocurrency wallets, and another targeted authoritative DNS infrastructure supporting some large US payment platforms.
- In early 2019, FireEye’s Mandiant team shed light on a global DNS hijacking campaign that appeared to be connected to the Iranian government. This prompted subsequent warnings from the U.S. Cybersecurity and Infrastructure Security Agency, the U.K.’s Cybersecurity Centre, and ICANN.
- Throughout last year, Cisco Talos warned about the apparently state-sponsored ‘Sea Turtle’ attacks taking control of DNS systems.
- And as recently as January 2020, Reuters reported that a group of hackers, alleged to be working in the interests of the Turkish government, attacked foreign government organizations and companies via DNS hijacking.
Vulnerabilities within domain name management systems can allow cybercriminals to change the authoritative DNS and redirect users to malicious sites, apps or intercepted email. In addition, such attacks can incorporate the issuance of rogue digital certificates to make the activity appear legitimate to end users. Attackers can also try to obtain the username and password to a registrar’s portal that is not protected by two-factor authentication, IP validation, or registry lock, giving them access to change the nameservers for domains accessible within the account. Moreover, even when accounts are protected by two-factor authentication, if the second factor depends on telephony infrastructure, end users need to deploy additional protections with their carrier to ensure this control works as expected and protects against SIM swapping / number porting attacks.
Recent analysis from Krebs on Security, Does Your Domain Have a Registry Lock?, underscores the global scale of this threat. Similarly, research from CSC, a Cybersecurity Tech Accord signatory, showed that 78% of the world’s most valuable companies have not implemented key domain name security measures, such as a domain “registry lock.” The research demonstrates that this is a systemic problem that has the potential to compromise organizations of all sizes, geographic locations, and sectors.
Cybersecurity Tech Accord signatories will, in the coming months, focus on driving greater awareness around what types of attacks threaten the Domain Name System and how to best protect against them, in line with our commitment to the Paris Call for Trust and Security in Cyberspace and its principle on promoting cyber hygiene. We will drive research into adoption of good practices, as well as bring together a variety of stakeholders to help us design an effective way to share solutions and spread awareness to improve security. These efforts will build on the webinar hosted on the topic in November, and on the recent guest blog by CSC that looked at DNS as the missing link in cybersecurity risk postures.
To kickstart this workstream, there are some good practices when it comes to protecting organizations from DNS hijacking that are worth sharing. While some organizations would prefer more direct control over DNS infrastructure, the threat landscape and performance expectations of end users have pushed many organizations to outsource operating authoritative DNS infrastructure. With that in mind, the Cybersecurity Tech Accord signatories want to encourage organizations to apply security controls that will help them defend their digital assets outside the firewall, such as:
- Incorporate secure domain, DNS, and digital certificate practices into your overall cybersecurity posture.
- Utilize enterprise-class providers for your domain, DNS and digital certificates:
  - Organizations should validate that their domain name registrar is Internet Corporation for Assigned Names and Numbers (ICANN) and registry accredited and can demonstrate their investment into systems and security. This should include both staff training on cybersecurity, as well as a variety of controls, processes, and security measures that ensure a defense-in-depth approach. The provider should offer two-factor authentication, IP validation, and federated identity for a single sign-on environment. It should also have security controls in place for the registry lock process.
  - It is business-critical that organizations leverage a multi-provider strategy for redundancy in DNS services to avoid a single point of failure.
- Control user permissions:
  - User permissions for staff with access to domains and their DNS portal should be continuously reviewed, and only trusted individuals should have access to elevated permissions.
- Introduce proactive, continuous monitoring and alerting:
  - Organizations should ensure that their domain name registrar or DNS hosting provider offers proactive and continuous monitoring, including of routing security, so that any potential disruption of business continuity can be quickly mitigated.
- Utilize Resource Public Key Infrastructure (RPKI):
  - The routed prefixes associated with authoritative DNS nameserver ranges should be covered by Resource Public Key Infrastructure. A route origin authorization (ROA) is a signed statement that the holder of the address space has authorized a specific autonomous system to originate the prefix, so networks performing route origin validation can detect and drop hijacked announcements.
- Proactively leverage the appropriate advanced
  - Utilize Domain Name System Security Extensions (DNSSEC), for both signing zones and validating responses.
  - Prevent the execution of unauthorized requests with registry locks to stop automated changes of DNS records.
  - Initiate a digital certificate policy with certification authority authorization (CAA) records, which allow only authorized certification authorities to issue certificates for your domains.
  - Ensure domain-based message authentication, reporting, and conformance (DMARC), together with DKIM, SPF and MTA controls, which protect organizations against unauthorized use of their domains, commonly known as email spoofing.
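As an added illustration (not part of the Cybersecurity Tech Accord post or CSC’s research), the following Python script audits the DNS-published records behind the last two items in the list: the CAA set that restricts certificate issuance, and the SPF and DMARC TXT records that let receivers reject spoofed email. The zones, hostnames and addresses are constructed sample data, and the checks run only over the hard-coded record strings rather than live DNS. DNSSEC and RPKI are deliberately left out, since both need a validating resolver or RPKI cache to check meaningfully.

```python
"""Posture check for CAA, SPF and DMARC records published in DNS.

Constructed example: the record strings below stand in for what a DNS
lookup of a zone would return. Nothing here touches the network.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str


# Presentation form of a CAA record: <flags> <tag> "<value>" (RFC 8659 section 4.1.1)
_CAA_RE = re.compile(r'\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*')


def parse_caa(rdata: str) -> CaaRecord:
    """Parse one CAA record such as '0 issue "ca.example-ca.invalid"'."""
    m = _CAA_RE.fullmatch(rdata)
    if m is None or int(m.group(1)) > 255:
        raise ValueError(f"malformed CAA record: {rdata!r}")
    return CaaRecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def assess_caa(rdatas: List[str]) -> List[str]:
    """Findings for the CAA set. An empty set means any trusted CA may issue."""
    records = [parse_caa(r) for r in rdatas]
    if not records:
        return ["no CAA records: any publicly trusted CA may issue for this domain"]
    findings = []
    # Without an 'issue' property a non-empty set still leaves non-wildcard
    # issuance unrestricted; 'issuewild' alone only governs wildcard names.
    if not any(r.tag == "issue" for r in records):
        findings.append("no 'issue' property: non-wildcard issuance is unrestricted")
    if not any(r.tag == "iodef" for r in records):
        findings.append("no 'iodef' property: CAs cannot report rejected issuance requests")
    return findings


def parse_tags(txt: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' TXT record (DMARC style) into a dict with lowercase keys."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spf(txt: Optional[str]) -> List[str]:
    """Findings for the apex SPF TXT record (RFC 7208), judged by its 'all' mechanism."""
    if txt is None:
        return ["no SPF record: receivers cannot reject mail from unauthorized hosts"]
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["TXT record does not start with v=spf1; it is not a valid SPF record"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted senders get an implicit neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["'+all' authorizes every host on the Internet to send as this domain"]
    if qualifier == "?":
        return ["'?all' is neutral: unlisted senders are neither authorized nor rejected"]
    if qualifier == "~":
        return ["'~all' is softfail; '-all' is the enforcing choice once senders are complete"]
    return []  # '-all': unlisted senders hard-fail


def assess_dmarc(txt: Optional[str]) -> List[str]:
    """Findings for the _dmarc.<domain> TXT record (RFC 7489)."""
    if txt is None:
        return ["no DMARC record: SPF/DKIM results are not tied to an enforceable policy"]
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1; receivers will ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing p= tag ({policy!r}): record is unusable")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only a fraction of failing mail")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports, so abuse of the domain goes unseen")
    return findings


def assess_zone(zone: Dict[str, object]) -> Dict[str, List[str]]:
    """Run every check over one zone's records; an empty list means no finding."""
    return {
        "caa": assess_caa(list(zone.get("caa", []))),  # type: ignore[arg-type]
        "spf": assess_spf(zone.get("spf")),  # type: ignore[arg-type]
        "dmarc": assess_dmarc(zone.get("dmarc")),  # type: ignore[arg-type]
    }


# Constructed sample zones (the .invalid TLD is reserved and never resolves).
WEAK_ZONE = {
    "caa": [],
    "spf": "v=spf1 include:mail.example-provider.invalid +all",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
HARDENED_ZONE = {
    "caa": ['0 issue "ca.example-ca.invalid"', '0 issuewild ";"',
            '0 iodef "mailto:security@example.invalid"'],
    "spf": "v=spf1 include:mail.example-provider.invalid -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; pct=100",
}

if __name__ == "__main__":
    for name, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(f"== {name} zone ==")
        for control, findings in assess_zone(zone).items():
            print(f"  {control}: " + ("; ".join(findings) or "ok"))
```

To run this against a real zone, paste the record data from `dig CAA example.com`, `dig TXT example.com` and `dig TXT _dmarc.example.com` into a zone dictionary of the same shape; the checks only flag the absent or permissive settings that the list above recommends closing, they do not verify that the listed CA or mail provider is actually the one the organization uses.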