Dns Hijacking Prompts Historic Cisa Emergency Directive

DNS Hijacking Prompts Historic CISA Emergency Directive

Arraya Insights | January 28, 2019

An ongoing malicious campaign targeting federal government websites prompted a historic response from the Cybersecurity and Infrastructure Security Agency (CISA). CISA DNA Hijacking emergency directiveThe agency, which operates under the banner of the Department of Homeland Security, issued its first ever emergency directive last week in an attempt to thwart a series of DNS hijacking attacks. Now, granted, at-risk executive branch agencies are the intended target of this directive. However, the threat vector it documents is something all organizations should be aware of – as are the defensive schemes.

CISA’s instructions come as evidence mounts of a persistent operation to hijack government accounts that manage agency website DNS records. CISA dismissed the techniques behind the campaign as not “especially innovative,” but that didn’t stop the agency from taking further action. DNS security is an all-too-common blind spot for organizations – both inside and outside the federal government. Failure to properly defend this weak point could allow criminals to intercept legitimate traffic, knock services offline, help themselves to sensitive data, and more.

So, what does CISA recommend federal agencies – and really any organization – do to prevent DNS hijacking? The emergency directive included four best practices gleaned from CISA’s own expertise as well as from the experience of other technology and security professionals, from the public and private sectors.

4 CISA-approved DNA defense best practices

Agencies – and, again, really all organizations – should:

  • Verify current DNS records to ensure traffic redirects as intended and not to an unknown third party
  • Update the passwords for any DNS management account to cut off the access of any unauthorized outsiders
  • Add multi-factor authentication to any DNS management accounts to provide an additional layer of security for this often-overlooked access point
  • Keep an eye on Certificate Transparency logs for suspicious activity, including phantom certificates

Defend your environment without further taxing your team

Despite its importance, there is a reason DNS security falls by the wayside for many organizations and even government agencies. Today’s technology teams are overwhelmed as it as and adding more manual tasks, such as regularly parsing DNS records and Certificate Transparency logs, will only worsen the matter. Furthermore, these routine tasks are often the first ones set aside in favor of higher value projects or more pressing fires.

One tool Arraya recommends for ensuring DNS security without adding more work to IT’s plate is Cisco Umbrella. Organizations are able to forward their DNS logs to Umbrella for analysis. If Umbrella identifies a change that would route DNS requests to high risk domains, it can block the move. Utilizing a solution such as Umbrella, backed by CISA’s best practices listed above, is an excellent way to transform DNS security from a weak point to a strength.

Want to learn more about Cisco Umbrella, DNS security and building a secure technology environment? Reach out to our team of cyber security experts now by visiting: https://www.arrayasolutions.com/contact-us/.

Also, let us know what you think of this post! Leave us any comments or questions through our social media presence. Arraya can be found on LinkedInTwitter, and Facebook. Then, follow us to keep up with our take on industry news and gain access to exclusive learning opportunities.