Cyber security firm FireEye recently identified ‘a wave of DNS hijacking that has affected dozens of domains’ across multiple industries and countries, although with a particular focus on government services. ‘This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success’, write the FireEye researchers. The campaign, dubbed ‘DNSpionage’, even prompted the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue an ‘executive directive’—its first-ever—requiring all US government agency tech staff to take steps to verify their DNS settings and implement security measures.
The scale of these attacks is new, but the attacks themselves are not. In 2008, the US Office of Management and Budget issued a memo requesting many of the same security measures be implemented by January 2009—the advice, it seems, was little regarded. Of course, you may be wondering what ‘DNS hijacking’ is, and how to secure your own company’s sites. Even if you are not in one of the industries currently being targeted, it is nonetheless important that you secure yourself regardless.
First, what is ‘DNS’? The Domain Name System is the system that resolves human-readable domain names—e.g. ‘google.com’—to the IP address of the machine hosting the site itself—e.g. 188.8.131.52—so that a connection can be made. You likely use DNS hundreds of times every day without ever thinking about it. Every domain name comes with a list of rules that allow different devices to glean different bits of information it and the site(s) it is associated with, including your company’s.
DNS hijacking involves stealing the credentials of a DNS administrator, which allows the attacker to modify those rules. This allows them to, for example, redirect the domain name to point to the IP address of a malicious device owned by them. Obviously, this poses a major to risk to both your clients’ data and your company’s reputation. The surest way of preventing this credential theft is to ensure that your DNS administrators are fully trained in how to both secure their accounts and detect potentially phishing scams. For example, Mitigate, the complete internal security solution, which provides GCHQ-certified e-learning training to your employees and real-time risk calculation across your business to you.
What can you do to protect yourself against this sort of attack? You could certainly do worse than to follow the steps given in the CISA directive. First, audit your own DNS records to ensure that everything is still pointing to where you expect it to. Second, ensure that any and all of your DNS administrator accounts are securely protected—strong passwords, multi-factor authentication, etc.—and that access and activities are logged.
In addition, consider enabling DNS Security (DNSSEC) on your DNS records. This requires that you to cryptographically sign your DNS records, which ensures that only authorised users can make amendments (unless, of course, the attackers get hold of your private keys, in which case you have much bigger fish to fry). However, bear in mind that this can make a breach of your administrator account all the more damaging.
For more information on Mitigate, or for consultancy on how to ensure your DNS records are secure, please email [email protected] or call +44 (0)333 323 3981.