DHS Issues Emergency Directive on DNS Infrastructure Tampering
The Department of Homeland Security (DHS) has issued an emergency directive that requires federal agencies to mitigate the threat of Domain Name System (DNS) infrastructure tampering.
In “Emergency Directive 19-01,” DHS explains that it’s been working with the Cybersecurity and Infrastructure Security Agency (CISA) to track a campaign of DNS infrastructure tampering.
A hijack in this series, as detailed by both Cisco Talos and FireEye, begins when attackers compromise or otherwise obtain the credentials of a user who has access to their organization’s DNS records. The attackers then alter a legitimate DNS record, replacing its service address with one under their control. With that change in place, they can direct user traffic to their own infrastructure for inspection and manipulation.
The emergency directive, which went live on 22 January, also notes how bad actors can obtain valid encryption certificates for an organization’s domain. Using that certificate, they can decrypt traffic that’s been redirected to their infrastructure and thereby expose personal information along with other user-submitted data.
Acknowledging the dangers of this ongoing campaign, DHS orders federal agencies to protect themselves against DNS infrastructure tampering. As quoted in its emergency directive:
To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.
Under the directive, federal agencies must audit their public DNS records to make sure they resolve to the same location. They also need to update all of the passwords for system accounts that can make changes to DNS records, add multi-factor authentication (MFA) to those accounts and monitor Certificate Transparency (CT) logs for (Read more...)
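As an added example (not from the directive or the original post), a Python baseline check covering two of those actions: comparing currently observed DNS answers against an authorized inventory, and flagging Certificate Transparency entries for the organization’s names that come from an issuer it does not use. All domain names, addresses and CA names are constructed; in practice the observed records would be filled from resolver queries and the CT entries from a log monitor.

```python
"""Baseline checks for the ED 19-01 actions: DNS record drift and unexpected certificates."""
# Authorized baseline (constructed sample values; a real one comes from the agency's change records).
EXPECTED_RECORDS = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("www.example.gov", "A"): {"192.0.2.20"},
    ("mail.example.gov", "MX"): {"10 mx1.example.gov."},
}
AUTHORIZED_ISSUERS = {"Example Public CA"}
MONITORED_DOMAINS = {"example.gov"}

# What public resolvers currently answer (constructed; the MX record has been altered).
OBSERVED_RECORDS = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("www.example.gov", "A"): {"192.0.2.20"},
    ("mail.example.gov", "MX"): {"10 mx.unknown-host.test."},
}

# Certificate Transparency entries naming our domains (constructed; one is from an unknown CA).
CT_ENTRIES = [
    {"issuer": "Example Public CA", "names": ["www.example.gov"]},
    {"issuer": "Some Other CA", "names": ["mail.example.gov", "example.gov"]},
]

def audit_dns(expected, observed):
    """Return (kind, subject, detail) for every record whose answers differ from the baseline."""
    findings = []
    for (name, rtype), want in expected.items():
        got = observed.get((name, rtype), set())  # a missing record counts as drift too
        if got != want:
            findings.append(("dns", f"{name}/{rtype}",
                             f"expected {sorted(want)}, observed {sorted(got)}"))
    return findings

def covers_monitored(san, domains):
    """True if a certificate name is one of our domains or a subdomain of one."""
    return any(san == d or san.endswith("." + d) for d in domains)

def audit_ct(entries, authorized, domains):
    """Flag certificates that name our domains but were not issued by an authorized CA."""
    findings = []
    for entry in entries:
        hits = [n for n in entry["names"] if covers_monitored(n, domains)]
        if hits and entry["issuer"] not in authorized:
            findings.append(("cert", ",".join(hits), f"issued by {entry['issuer']}"))
    return findings

if __name__ == "__main__":
    report = audit_dns(EXPECTED_RECORDS, OBSERVED_RECORDS) + audit_ct(CT_ENTRIES, AUTHORIZED_ISSUERS, MONITORED_DOMAINS)
    for kind, subject, detail in report:
        print(f"[{kind}] {subject}: {detail}")
```

Running the script prints one DNS finding for the altered MX record and one certificate finding for the unknown issuer; an empty report means the observed state matches the baseline.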
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/government/dhs-issues-emergency-directive-on-dns-infrastructure-tampering/