The Cybersecurity and Infrastructure Security Agency is rolling out a new service to help defend a wider range of agency systems from cyber attacks, and CISA is looking to potentially expand the tool beyond federal systems, according to an agency official leading the effort.
CISA is rolling out a Protective Domain Name System (DNS) service to all federal agencies after spending the last year beta testing the tool.
DNS is essentially a phonebook for the Internet: it translates human-readable domain names into the IP addresses that devices actually connect to. CISA’s Protective DNS service sits between agency networks and the rest of the Internet, resolving agencies’ DNS queries and blocking those for domains or IP addresses known to be malicious, according to Branko Bokan, lead architect for Protective DNS at CISA.
The goal is to scale it across federal agencies and potentially even further, Bokan said in an interview.
“When we originally designed this service, we designed it with the need in mind to scale it to serve the biggest enterprise,” he said. “We would really like to be able to offer this service not just to the federal enterprise, not just the federal civilian executive branch agencies, but to other levels of U.S. government that might be interested in the same type of protection.”
The prime contractor for the new Protective DNS is Accenture Federal Services, which developed the user interface. The DNS resolver itself is provided by Cloudflare, one of the largest commercial DNS providers in the world.
“This is a very reliable, very distributed, high availability service that also is capable of scaling and supporting a very large number of organizations with a very large number of users,” Bokan said. “And we are already seeing numbers of DNS queries that are in the billions.”
Matt Hayden, the former assistant secretary of Homeland Security for cyber, infrastructure, risk and resilience policy, said Protective DNS is a crucial capability in a world in which DNS is used as an attack vector in a wide variety of cyber incidents ranging from ransomware to Distributed Denial of Service attacks. Hayden is now vice president of cyber client engagement at General Dynamics Information Technology (GDIT).
“If I get a phishing email, and I get a link that looks real, but it’s spoofed to point me to a bad part of the Internet that’s going to trick me into logging into a website that harvests my credentials and then uses that back against me? It’s going to nip that in the bud,” Hayden said.
Expanding to mobile, cloud
The new DNS resolver replaces the DNS sinkholing service provided through CISA’s EINSTEIN program. The previous service covered only agencies’ on-premises networks; the new one also covers roaming and mobile devices, as well as cloud-based assets, according to Bokan.
“A lot of federal technologies are no longer behind those on-premises networks, behind firewalls,” he said. “They’re now all over the Internet, in the cloud, but also we see a large number of what we call roaming and nomadic devices and mobile devices that federal users, both employees and contractors, are using to access federal resources.”
He said agencies that are using Secure Access Service Edge solutions, for example, can by “changing a few configuration settings, route their DNS traffic to Protective DNS and then immediately satisfy not only requirements to route the traffic through Protective DNS, but also satisfy some of the requirements from the federal zero trust strategy.”
Bokan said the new service also draws on commercial threat intelligence feeds of malicious domains and IP addresses. The previous EINSTEIN sinkholing service used only the government’s own threat information, according to Bokan.
“We’re bringing this vast amount of commercial indicators through commercial threat intelligence feeds, that in terms of the numbers, they by far outweigh what we are capable of producing on the proprietary side,” he said. “And that allows us to provide much better protection to federal agencies.”
Beyond resolving DNS queries, CISA is also logging the requests and storing them in a “data lake,” Bokan said. That will allow CISA to analyze threat trends and give agencies the much sought-after “visibility” into their DNS traffic logs. Bokan said the logs will be retained for up to three years.
“We can go back and we can do analysis after the incident to determine whether there was malicious activity taking place before we even knew about these malicious indicators,” he said. “And we can also now analyze this huge amount of data and look for trends to try to make future predictions and block malicious events, even before they happen.”
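The resolve-block-log loop described above, and the retrospective hunt Bokan describes once new indicators arrive, can be sketched in a few dozen lines. The following is an added illustration written for this article, not CISA’s or Cloudflare’s code: a toy resolver with a static zone standing in for real recursion, a blocklist of domains (matched on the name and its parent labels) and of answer IPs, a query log, a retro-hunt over that log, and a retention prune. All names, addresses and the sample queries are constructed for the example.

```python
# Added example, not CISA's or Cloudflare's code: a toy protective DNS resolver that
# blocks queries for known-bad domains or answers, logs every query, and supports a
# retrospective hunt over the log once new indicators become known.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample zone standing in for real recursive resolution.
ZONE = {
    "www.agency.gov": "192.0.2.10",
    "login.agency-portal.example": "198.51.100.7",   # hypothetical phishing site
    "cdn.bad.example": "203.0.113.9",
    "updates.vendor.example": "198.51.100.7",        # shares an IP with the phish
}

SINKHOLE = "0.0.0.0"   # answer handed back for blocked queries


@dataclass
class QueryRecord:
    ts: datetime
    client: str
    qname: str
    answer: str
    action: str          # "resolved" or "blocked"
    reason: str = ""     # which indicator fired, if any


def _parents(qname: str) -> set:
    # cdn.bad.example -> {cdn.bad.example, bad.example, example}
    labels = qname.lower().rstrip(".").split(".")
    return {".".join(labels[i:]) for i in range(len(labels))}


@dataclass
class ProtectiveResolver:
    bad_domains: set = field(default_factory=set)
    bad_ips: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def resolve(self, client: str, qname: str, ts: datetime) -> QueryRecord:
        answer = ZONE.get(qname.lower().rstrip("."), "NXDOMAIN")
        domain_hits = _parents(qname) & self.bad_domains
        if domain_hits:
            reason = "domain:" + min(domain_hits, key=len)   # report the shortest parent
        elif answer in self.bad_ips:
            reason = "ip:" + answer
        else:
            reason = ""
        if reason:
            rec = QueryRecord(ts, client, qname, SINKHOLE, "blocked", reason)
        else:
            rec = QueryRecord(ts, client, qname, answer, "resolved")
        self.log.append(rec)   # every query is logged, blocked or not
        return rec

    def retro_hunt(self, new_domains=(), new_ips=()) -> list:
        """Return logged queries that a newly learned indicator would have blocked."""
        new_domains = {d.lower() for d in new_domains}
        return [
            rec for rec in self.log
            if rec.action == "resolved"
            and (_parents(rec.qname) & new_domains or rec.answer in set(new_ips))
        ]

    def prune(self, now: datetime, retention=timedelta(days=3 * 365)) -> int:
        """Drop records older than the retention window; returns how many remain."""
        cutoff = now - retention
        self.log = [r for r in self.log if r.ts >= cutoff]
        return len(self.log)


def demo() -> dict:
    """Constructed walk-through: block at query time, then hunt backward."""
    r = ProtectiveResolver(bad_domains={"bad.example"})
    t0 = datetime(2022, 1, 10, 9, 0)
    r.resolve("10.0.0.5", "www.agency.gov", t0)
    r.resolve("10.0.0.5", "login.agency-portal.example", t0 + timedelta(minutes=1))
    blocked = r.resolve("10.0.0.6", "cdn.bad.example", t0 + timedelta(minutes=2))
    r.resolve("10.0.0.7", "updates.vendor.example", t0 + timedelta(minutes=3))
    # Later, a feed reports the phishing domain and its hosting IP; hunt the log.
    domain_hits = [h.qname for h in r.retro_hunt(new_domains={"agency-portal.example"})]
    ip_hits = [h.qname for h in r.retro_hunt(new_ips={"198.51.100.7"})]
    remaining = r.prune(now=t0 + timedelta(days=3 * 365 + 1))
    return {"blocked": blocked, "domain_hits": domain_hits,
            "ip_hits": ip_hits, "after_prune": remaining}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two details are worth noting. Matching on parent labels is what stops an attacker from evading a blocklist entry for `bad.example` by using `cdn.bad.example`, and the IP-based hunt shows the trade-off Hayden and Bokan gloss over: a shared hosting address such as the constructed `198.51.100.7` flags the legitimate-looking `updates.vendor.example` as well as the phishing site, so IP indicators need triage before they are promoted to automatic blocks.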
Beyond federal agencies
The Protective DNS service is currently limited to federal agencies. But Bokan said CISA is looking at how it could provide the service beyond the federal enterprise.
“We would be very interested and very happy to offer this service and the same level of protection that we now offer to federal agencies to other levels of U.S. governments and just beyond government, any interested party,” Bokan said.
The natural next step for expanding CISA’s Protective DNS service is state and local governments, according to Hayden. CISA took over policy and management authority for the .gov top-level domain last year under the DOTGOV Act of 2020.
“I think you’re going to find the state and local networks are probably the next closest low hanging fruit to providing this service over a broader area,” Hayden said.