Enterprise Domain Management for the new TLD Era
Blog
Perspectives, Strategies and News
Domain & DNS Management

Serious New Domain and DNS Compromise Demands a Preventative Approach

Traditional DNS security procedures are easily bypassed by determined attackers.

On April 17, Cisco Talos reported a DNS hijack targeting government and enterprise domains in certain TLDs. It was a sophisticated and effective attack highlighting the damage bad actors can do using external DNS compromises to harvest data and customer information. In this case, credentials were obtained to gain access to enterprise VPNs. The attack method is repeatable, especially against enterprises that fail to address exposures with a prevention mindset. Enterprises must update policies and enforce them with domain and external DNS security control systems designed to address modern security threats.

What Happened? In a nut shell…

  1. The bad guys accessed Registry/Registrar systems and hijacked domain DNS settings
  2. They directed traffic through their servers intercepting and harvesting ALL data in transit
  3. They forwarded legitimate requests to the intended servers to avoid detection – and it worked
  4. Nobody Noticed
  5. Compromised data and credentials were likely sold and used to perpetrate other breaches including compromising VPNs.

An article in Wired on the same compromise, advises that enterprises purchase “Registry Lock” on their domains in order to prevent this type of attack. By itself, registry lock is a good action, but it is wholly inadequate as an effective network defence measure, akin to locking the car door while leaving the back window open. In order to defeat this single protection measure, the attacker merely needs to add or edit an A Record vs. edit a Name Server. Result: Registry Lock Security Action DEFEATED.

Bad actors know that enterprises are slow to adapt, constrained by budgets, limited by internal expertise focus, and inclined to maintain status quo, particularly in terms of external DNS. Attackers have big monetary incentives, don’t follow rules, are creative and nimble, and act without constraint. This gives them a considerable advantage in what is becoming an arms race in IT security.

The consensus view in research is that enterprise exposures generally exist due to the actions and inactions of internal human resources. Executive leadership fails to prioritize action to equip their IT teams and overseers with modern systems to keep companies and customers safe on the external DNS. Consider also that best practice guidance from experts fail in the real world because it typically reinforces traditional, manual security processes that are themselves weak. Ten such ineffective measures are detailed in this paper: Domain and DNS Security Measures Don’t Work

Applying a comprehensive preventative strategy to domain and external DNS security is more important than ever. The pace of change, resources and skills of bad actors continues to advance while enterprises are slow to adapt with a status quo mindset. We see this all the time, evidenced by persistent and endemic failure of enterprises to adopt DNS security policies such as DNSSEC, SPF and DMARC as well as disconnected silo systems and operations, lack of clear asset ownership and use of multiple legacy external Domain and DNS services. These conditions make external DNS almost impossible to control.

Enterprises must urgently recognize the exposures and prioritize project activity to modernize their control systems for external DNS. If your enterprise security approach is limited to an internal network focused “Castle and Moat” and ignores external DNS, you are managing external DNS cyber risk with the same approach conceived in the 1990’s that cannot address modern threat vectors.

“And I think a lot of the groups that pick it up are finding that it’s not hardened on enterprise networks, because it’s not part of the network. No one really thinks about who their [domain] registrar is.”

Security Layers Enforced with Easy to Use Systems that Empower Teams

Enterprises need to apply security layers to domains and external DNS by empowering teams with modern tools that specifically address all known DNS administrative security weaknesses. Moreover, merely listing the weaknesses and establishing a policy is impractical without assurance that measures are easily manageable and scalable. Security layers need to be easy to set up, efficiently enforced with change management and monitoring systems vs. being reliant on people to do the right thing, without fail or error. The following chart details preventative security practices to address modern threats.

Security ActionDescription
Define and Enforce Security PoliciesSet the rules and use control systems to bring visibility and enforcement into place to manage enterprise policies
Access ControlsPermissioned team members, ideally with SSO integration
2 Factor AuthenticationProtect against stolen credentials & unauthorized access
Role-based PermissionsLimit and grant permissions based on functional need
Change WorkflowEnforce and log internal change approvals for compliance
Change NotificationsAlert IT of any domain and DNS edit or addition
Change Digest LogAudit proof and asset lifecycle record
Registry LockEnsure Name Servers are not changed without approval
Registrar LockEnsure domains are not transferred without approval
DNSSECThwart DNS cache poisoning and Man-In-The-Middle
SPF and DMARCEnsure domains owned are not used for phishing
HTTPS EverywhereProtect against session eves dropping and don’t forget about redirects. Enable with Https or park
DNS Start of AuthorityEnsure every domain in use or not has a SOA record to mitigate DNS hijack risk
Zone File Hygiene1. Clean up legacy DNS settings, and
2. Establish systems to maintain good hygiene
Consolidation of DNS and Registrar ServicesLimit-providers where access, security, change management controls are unified and consistent

Every domain owned must be managed for security and regulatory compliance reasons. It doesn’t matter if it is a core domain used for flagship products and services or a lowly brand protection look-a-like domain. If you own it, you must manage it, or malicious parties can use it against you.

Summary

Threats and compromises on domains and external DNS are growing because they are open and can be used to harvest credentials to execute deeper network exploits. This compromise raises the game and points to the entire DNS “Chain of Trust” that underpins the Internet, including the Top-level Domains, DNS and TLS certificates. Attackers are more agile and better equipped than many enterprise domain and IT security teams. Comprehensive domain and DNS hygiene with control systems to enforce policies is the only way to proactively protect your enterprise and its customers.

It is not rocket science or expensive − in fact it will reduce Total Cost of Ownership. Prioritizing modernization for as little as a single business quarter can equip your teams with must-have change management tools. And you are done!

Post Script

Brand Top-Level Domains

If you really want to get serious about staying ahead and improving your security, compliance and trust posture, you need to own your own Brand Top Level Domain. As the anchor of trust, it offers control of the entire external DNS environment from the root of the Internet up to the DNS security setting defaults, zone files and TLS certificates. Brand Top-Level Domains are the end game for all major and aspiring brands. Learn more about Brand Top Level Domains

References

Wired Article – https://www.wired.com/story/sea-turtle-dns-hijacking/

Source Article – https://blog.talosintelligence.com/2019/04/seaturtle.html