(The DNS Threat is Real and Very Few Understand It)

Chris Krebs, then CISA Director, understood, and wrote this emergency directive to the OMB about all Federal agencies back on January 22, 2019. This was before SolarWinds and before MOVEit:

In coordination with government and industry partners, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) is tracking a series of incidents involving Domain Name System (DNS) infrastructure tampering.

CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them.

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services:

1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires the following near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.

Required Actions:

Action One: Audit DNS Records

Within 10 business days, for all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location. If any do not, report them to CISA.

CISA recommends agencies prioritize DNS records and those associated with key agency services offered to organizational users and the public (for example, websites that are central to the agency’s mission, MX records, or other services with high utilization).

Action Two: Change DNS Account Passwords

Within 10 business days, update the passwords for all accounts on systems that can make changes to your agency’s DNS records. CISA recommends the use of password managers to facilitate complex and unique passwords.

Action Three: Add Multi-Factor Authentication to DNS Accounts

Within 10 business days, implement multi-factor authentication (MFA) for all accounts on systems that can make changes to your agency’s DNS records. If MFA cannot be enabled, provide CISA with the names of systems, why it cannot be enabled within the required timeline, and when it could be enabled. CISA recommends using additional factors that are resilient to phishing. Consistent with NIST SP 800-63B, Short Message Service (SMS)-based MFA is not recommended.

This includes accounts on agency-managed DNS server software, systems that manage that software, third-party DNS operators’ administration panels, and DNS registrar accounts (excluding the .gov registrar).

Action Four: Monitor Certificate Transparency Logs

Within 10 business days, CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains, via the Cyber Hygiene service.

Upon receipt, agencies shall immediately begin monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA.

CISA Actions:

CISA will provide technical assistance to agencies that report anomalous DNS records.

CISA will review submissions from agencies that cannot implement MFA on DNS accounts within the timeline and contact agencies, as needed.

CISA will provide regular delivery of newly added certificates to CT logs for agency domains via the Cyber Hygiene service.

CISA will provide additional guidance to agencies through an emergency directive coordination call following the issuance of this directive, as well as through individual engagements upon request.

Reporting Procedures:

January 25, 2019: Submit Status Report

February 5, 2019: Submit Completion Report for all actions detailed above

Beginning February 6, 2019, the CISA Director will engage Chief Information Officers (CIO) and/or Senior Agency Officials for Risk Management (SA ORM) of agencies that have not completed required actions, as appropriate, to ensure their most critical federal information systems are adequately protected.

By February 8, 2019, CISA will provide a report to the Secretary of Homeland Security and the Director of Office of Management and Budget (0MB) identifying agency status and outstanding issues.

Duration:

This emergency directive remains in effect until replaced by a subsequent binding operational directive or terminated through other appropriate action.

Result:

Two massive attacks on Federal networks, both originating through DNS manipulation.

Horses to water.