The Homeland Security Department should never have had to issue its first-ever “emergency directive” earlier this week on Domain Name System (DNS) security.
The Cybersecurity and Infrastructure Security Agency (CISA) directed agencies to take four steps over the next 10 days to protect against DNS tampering — what many experts termed a well-known and unsophisticated attack.
Chris Krebs, the director of CISA, said in a Jan. 24 blog post that “malicious actors obtained access to accounts that controlled DNS records and made them resolve to their own infrastructure before relaying it to the real address. Because they could control an organization’s DNS, they could obtain legitimate digital certificates and decrypt the data they intercepted – all while everything looked normal to users.”
Krebs said DHS is “aware of a number of agencies affected by the tampering campaign and has notified them, though the extent of the impact is limited based on available information. In part, by issuing the directive, CISA seeks to work with agencies to detect and prevent additional impacts on agencies and systems.”
But the fact is, agencies would have faced a lot less risk if the Office of Management and Budget’s 2008 memo requiring the use of DNS security had taken hold.
Remember that oldie but goodie from the “early days” of cybersecurity? It basically required agencies to “deploy DNSSEC to the top level .gov domain by January 2009. The top level .gov domain includes the registrar, registry and DNS server operations.
“This policy requires that the top level .gov domain will be DNSSEC signed and processes to enable secure delegated sub-domains will be developed. Signing the top level .gov domain is a critical procedure necessary for broad deployment of DNSSEC, increases the utility of DNSSEC, and simplifies lower level deployment by agencies,” the memo said.
Basically, OMB was telling agencies more than 10 years ago that the threat of a bad actor taking over their main website domains and any subdomain was real and incorporating DNS security would provide source authentication and integrity protection for the government.
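A defender-side check of the kind the directive calls for, as an added example that is not from the article, OMB or CISA: it compares an operator's baseline record inventory with observed DNS answers and flags records that now resolve elsewhere, names that were never in the inventory, and a zone apex with no RRSIG records (the signal that DNSSEC signing is not in force). Every hostname, address and record value is constructed.

```python
from collections import defaultdict

# Expected records as an operator's zone inventory would list them.
# Constructed sample data using documentation addresses, not real hosts.
BASELINE = {
    ("www.example.gov.", "A"): {"192.0.2.10"},
    ("mail.example.gov.", "A"): {"192.0.2.25"},
    ("mail.example.gov.", "MX"): {"10 mx1.example.gov."},
    ("example.gov.", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}
SIGNED_ZONES = {"example.gov."}  # zones whose apex must carry RRSIG records

# Observed answers in zone-file presentation format (dig-style output), also
# constructed: the www A record now points elsewhere, a name absent from the
# inventory has appeared, and the apex carries no RRSIG at all.
OBSERVED = """
www.example.gov.   300  IN A   198.51.100.7
mail.example.gov.  300  IN A   192.0.2.25
mail.example.gov.  300  IN MX  10 mx1.example.gov.
login.example.gov. 300  IN A   198.51.100.9
example.gov.       3600 IN NS  ns1.example.gov.
example.gov.       3600 IN NS  ns2.example.gov.
"""

def parse_records(text):
    """Group 'name TTL IN TYPE rdata' lines into {(name, type): {rdata, ...}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue  # blank or malformed line
        name, rtype, rdata = parts[0].lower(), parts[3].upper(), " ".join(parts[4:])
        records[(name, rtype)].add(rdata)
    return records

def audit(baseline, observed, signed_zones):
    """Return human-readable findings wherever the observed state has drifted."""
    findings = []
    for key, expected in baseline.items():  # record sets that changed
        seen = observed.get(key, set())
        if seen != expected:
            findings.append(f"CHANGED {key[0]} {key[1]}: expected "
                            f"{sorted(expected)}, observed {sorted(seen)}")
    for key, seen in observed.items():  # names/types not in the inventory
        if key not in baseline and key[1] != "RRSIG":
            findings.append(f"UNEXPECTED {key[0]} {key[1]}: {sorted(seen)}")
    for zone in signed_zones:  # apex without signatures: DNSSEC not in force
        if (zone, "RRSIG") not in observed:
            findings.append(f"UNSIGNED {zone}: no RRSIG records observed")
    return findings
```

Run `audit(BASELINE, parse_records(OBSERVED), SIGNED_ZONES)` to see the three findings; in practice the observed text would come from a resolver query or a registrar export run on a schedule.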
If agencies had met that goal, this threat might not have risen to the level of needing an emergency directive, and the response would have looked more like the government’s successful reaction to WannaCry in 2017.
The latest data available on DNSSEC implementation came in OMB’s fiscal 2014 Federal Information Security Management Act (FISMA) report to Congress, which showed that while 92 percent of all domains were using DNSSEC, the Defense Department (36 percent) and the Energy Department (52 percent) were well behind and another six agencies were not at 100 percent.
This was probably the high-water mark, as OMB stopped tracking DNSSEC progress in the 2015 FISMA report to Congress, so it is hard to tell what the true state of DNSSEC implementation is and whether agencies continued to deploy the protocol.
“DNSSEC has been advocated more in the financial sector, but a lot of internet service providers have not implemented it and they are missing an opportunity,” said Patrick Sullivan, the senior director of security technology and strategy at Akamai, which serves more than a trillion responses to DNS queries a day. “It was helpful guidance that OMB put out in 2008 for agencies to adopt DNSSEC. But that adoption hasn’t grown, and that is fundamentally another step to improve your DNS lookups. It would help reduce the attack surface and it would improve the integrity of DNS lookups, but we still would’ve seen the action from DHS.”
Experts said the action by DHS is also surprising because of the type of attack, a basic man-in-the-middle assault, which is a well-known vector and one that can be protected against.
“These types of attacks are not new and in many ways not even that sophisticated,” said John Banghart, the senior director of technology risk management at Venable and the former National Security Council director for federal cybersecurity during the administration of President Barack Obama. “We don’t know for sure why DHS is issuing the directive. We can guess they are seeing this occurring and notified some agencies. The worst part about this attack is if it goes unnoticed, which it seemed it did for some time, it’s hard to detect.”
Krebs confirmed in his blog post what many experts had pointed to: malicious activity coming from the Middle East to Western Europe, first detected by FireEye and Cisco Talos.
John Pescatore, the director of emerging security trends at the SANS Institute, said there was a similar round of DNS hijacking about five years ago and several agencies hardened their DNS.
But he said it’s still “hit or miss” about which agencies are well protected and which ones aren’t.
“The DHS alert said, ‘hey agencies, you should’ve locked your doors, but since all your neighbors are getting burglarized, you really should lock your doors,’” Pescatore said.
“Informed by security researchers and in consultation with IT security teams across federal civilian agencies, the Office of Management and Budget, and the National Institute of Standards and Technology, we’ve crafted a set of near-term mitigations that protect systems in a risk-informed, straightforward, and high impact manner,” Krebs wrote.
Banghart said the fact that DHS gave agencies 10 days shows how serious the threat is.
“When DHS issues this and has specific direction in it, unlike sometimes when DHS puts out less specific requirements, they are raising this to a certain level that says to heads of agencies you have to do this and you have 10 days. As we know, in government 10 days is not a long time,” he said.
All three experts agreed that three of the four requirements are pretty straightforward, but implementing multi-factor authentication on the accounts used to manage DNS records may be more difficult.
And again, this was something that agencies were expected to do years ago as part of the Homeland Security Presidential Directive-12 implementation. OMB made a major push for agencies to ensure all their privileged users—those system administrators who would have access to DNS records—use smart cards to log onto their networks after the 2015 cyber attack against the Office of Personnel Management.
In the fiscal 2017 FISMA report to Congress, OMB says 93 percent of all privileged users are using smart identity cards to log into the network, but that doesn’t necessarily mean multi-factor authentication is installed on specific DNS servers.
Pescatore said some of these servers and applications are too old to handle card readers much less multi-factor authentication.
“This is not a trivial thing to do,” he said. “The hardest part is where you put the smart card reader. There are a number of things that have to be made mandatory before it’s meaningful.”
Akamai’s Sullivan, however, said agencies should add even the most basic multi-factor authentication protections because it will make it harder for bad actors to successfully attack.
Sullivan also pointed out that DNS hijacking attacks are like the flu: they come back for a few months, go away, and then return again a few months later.
“The nature of these campaigns is not consistent where you see X per day. It will drop to 10 percent of X, and then six months later, it will be 10 times X. These attacks come in waves, so once you have attackers spending time on DNS hijacking, you have to take care of it,” he said.
Unfortunately for agencies, the time they should have taken care of this was almost a decade ago, and instead it now requires a fire drill during a partial government shutdown.