Recorded Webinar: DNS Hijacking

Security Learnings From the Latest Incidents

A recent wave of DNS hijacking affecting government and telecommunications domains, as well as internet infrastructure entities across the globe, has resulted in increased efforts—even emergency directives—to protect domains from further attacks.

The U.S. Department of Homeland Security (DHS) has quickly implemented new procedures to further protect federal domains. And other governments—including the UK and France—are following suit.

In this recorded webinar, CSC Global Product Director of Security Services, Mark Flegg, discusses recent events, learnings gained, the most relevant developments around digital asset security, and how it all impacts your company in the fight against cyber threats.

The recorded presentation will cover:

  • Linux.org, FireEye®, and the DHS emergency directive
  • DNS Flag Day

Slideshare

DNS Hijacking: Security Learnings From the Latest Incidents from CSC

Webinar Transcript:

Announcer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo. To set up a live demo or to request more information, please complete the form to the right, or if you are currently not on CSC Global, there's a link to the website in the description of this video. Thank you.

James: Hello, everyone, and welcome to today's webinar, "DNS Hijacking: Security Learnings from the Latest Incidents." My name is James Weir and I will be your moderator.

Joining us today is Mark Flegg. Mark is responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their digital assets. During his 17-year career, Mark has acquired a wealth of experience in cyber security technology, focusing on a number of areas including domain management systems, and distributed denial of service protection software and mitigation. And with that, let's welcome Mark.

Mark: Thank you, James. Welcome, everybody. So I want to start with what's happening. We've all heard about the high profile DNS hacking cases from various credible sources via their press releases and mandates. So what I want to get into today is, what does all of this mean? How do we understand it and what can we do about it?

Just for note, if you haven't seen some of these notifications that are out, and I'm guessing you have and that's why you're here today, to learn more, Krebs on Security, they're a very good source of information from a blog scene perspective. They've written articles about it.

We've even had an emergency directive from the Department of Homeland Security so that all of the local government agencies are adhering to this threat that we're hearing today.

We've heard from reputable companies like FireEye, who do a lot of threat research on this subject. And even from ICANN. ICANN is the governing body of everything domain names, the internet corporation for assigning names and numbers. And when they publish warnings and ask people to pay attention, you can tell that this is a very, very serious incident.

Just before we get into what DNS hijacking is, I wanted to share an example. It's an older one, but it's still one of the most notorious out there. And as we do see many attacks against big brands recently and there are many examples we could share, this worst-case scenario was from October 2016. It was a Brazilian bank where hackers used DNS hijacking to redirect traffic to all 36 of the Brazilian banks domains. So for six hours, they rooted all of the bank's businesses to perfectly reconstructed fakes at the bank's properties where the marks obediently handed over their account information.

The fake sites even had valid SSL certificates issued in the bank's name so that visitors' browsers would notify and create that trust, just as they would with the real sites.

The spoofed sites, of course, also had another purpose, which was to infect the victims with malware disguised as an update to the bank's browser security plugin, which included a Trojan designed to disable antivirus software.

This enabled the attackers not just to harvest hundreds of thousands or millions of customer account details from the bank in question, but from eight other banks as well. This included email information, FTP credentials, and FTP stands for File Transfer Protocol, and contact lists from Outlook and Exchange.

So now to the main topic, what exactly is DNS hijacking? So to understand DNS hijacking, first thing that we need to understand is, how do you get to a website? What are the basics of the internet?

As you can see on the illustration that we've put here, you sit down at a computer, a browser, a tablet, whatever it might be, and there are certain processes that happen behind the scenes. The first thing is that your ISP, if I want to search for www.cscglobal.com, they're going to go to what we call the root DNS, and the root DNS is the master database of all of the different TLDs, or top-level domains that are out there. Dot-com is the one that we use for CSC Global, and they will do a lookup. They will say, "Hey, root DNS, can you tell me who is responsible for dot-com?"

And the answer that they will get to dot-com is a company called Verisign, and the ISP will then go to the registry, which is Verisign, and it will say, "Hey, Verisign, I have a domain name, CSC Global, it is in dot-com. Who is the authoritative DNS for that?" And the registry's job is to answer that query and they will come back and they will say, "It's CSC's," if it's on CSC's DNS.

So the ISP then has the information it needs. So pdns1.csc.dns.net as the name server. So it can go to that DNS name server and say, "Hey, I've got a query. I need to find www.cscglobal.com." And the authoritative DNS will answer and it will say, "You need to go to a specific IP address."

So from that big diagram that talks about the root, the registry, the authoritative DNS, and then the website, we can simplify this to talk about DNS hijacking. So essentially, the authoritative DNS is going to send you to a website. If I have the ability to infiltrate that, change the records on there, then I can direct traffic wherever I want.

And authoritative DNS is actually a hosting server and it hosts something that we call a zone file. The zone file is that mapping table that helps us understand an easy-to-remember domain name, like cscglobal.com, and converts it into a computer-machine-readable IP address.

So in essence, if a cybercriminal changes the authoritative DNS or the zone file that's hosted on it, then it can take control of the content that's served up.

The important thing to remember here is it's not just for websites. DNS is used for a whole host of things now. It's probably the most critical infrastructure for the internet. We use it for email. If you're using Office 365, or Google authentication, if you're a remote worker, or you have the ability to log on outside of the office, you're going to use a VPN. If you're transferring large amounts of data, you're going to use it for FTP, File Transfer Protocol. You can use it for email authentication if you're going down the route of SPF, DKIM, and DMARC, which we highly recommend.

So without adequate protection on a name server, or DNS, it can be used for malicious activity, as we're seeing far too often. This is essentially what's prompting the myriad of warnings and mandates from all of these organizations. There are threats out there, there are risks, everybody's on high alert right now because of the thing called domain shadowing.

So one of the questions I often get asked is, "Are DNS hijacking and domain shadowing new threats that we're seeing?" The answer is no. What we are seeing is cybercrime is at an all-time high.

We do like to put them into two categories though. And what we call hacktivists, which are politically minded, this is like the Anonymous Group, Lizard Squad, Syrian Electronic Army, who do things for political gain to get their message out there. This is a true cybercriminal. That's somebody that is out for monetary gain. We all see the breaches in the press as well. Data is the new gold. That's what everybody wants to get their hands on. That's where they can make some very, very easy money.

So if we look at this little timeline that we've put together here back from 2012, you can see the separate categories there of what a cybercriminal versus a hacktivist would be looking to do.

They're not mutually exclusive. A cybercriminal is going to do anything where they can make money, and we're seeing a lot of issues around zone management where with domain shadowing, this is the process where they breach a system, a name server, and their insert their own records.

These are incredibly hard to identify. Why is that? Because if you look at the history of domain names . . . and we're a kind of 20-odd year old industry, in essence, in the mainstream. Ownership is passed from department to department, person to person as people leave or change roles. And a lot of things are wrong there that probably shouldn't be. We're not good at housekeeping.

But with DNS, the risks are so great that people are very reluctant to remove records. So what happens is there's a lot of noise on a zone. If I can penetrate that, knowing there's a lot of noise, and insert my own records, it becomes very, very difficult for you to understand what I've done.

So why have we seen the shift from hacktivists to cybercriminals? We haven't, really. I think the statistics out there will show that back in the day, a hacktivist was more active, but it's kind of getting lost now with the sheer volume of cybercriminals that are out there to try and steal data credentials, bank account details, personal information. So it's not necessarily a shift. It's just a huge uptick in what cybercriminals are trying to achieve.

If we talk about why cybercriminals are becoming more and more active, it is because of the disruption it can do, and because it's a very easy way for them to make money by stealing data.

And if we think about some of the risks that are out there . . . I've gone through a few of them. This illustration here just kind of highlights what can happen if domains or DNS fail. So it's obviously a website, FTP, any cloud-based authentication, your email, your VPN. Even VoIP, voice over IP phone systems, can all be rendered useless if somebody hijacks your DNS.

A lot of security professionals worry about a lot of things. Users keep them up at night. It's also the firewall, people trying to penetrate this. So they'll often do a lot of vulnerability scanning on their websites. But we always find that there's less attention paid to who's managing what we call the digital assets, so domain names, DNS, SSL certificates. These are all things that are foundational for any business to operate online.

And if I take them away . . . so I have a domain hijacking because I don't have appropriate controls in place, or a DNS hijacking because I'm using a vendor that doesn't have adequate security controls in place, everything that I worry about for my online presence kind of disappears. Hey, I now own cscglobal.com, so it doesn't matter if your website passes penetration testing and vulnerability scanning because nobody can get to it. I've changed it. I've changed how the internet will find the website associated with cscglobal.com.

So I need to mitigate risk, certainly this DNS hijacking risk, so what steps should I be taking? So let's revisit how a cybercriminal could change your authoritative DNS or change your zone file.

Cybercriminals can target three main areas in the DNS infrastructure to attempt a DNS hijacking attack, which correspond to the three examples we've spoken about.

So first and foremost, you have access to the portal. If you get phished, you give up your credentials. They can log in and they can make simple changes like you could. They could target your vendor or your service provider directly to make changes. They could even go after the registry themselves. And all of these things can end up with hijacked DNS, which would lead your consumers, your customers, to a fake website.

So these are the areas we've got to defend across the portal, all the way through to the registry. And there are various methods that you can employ to better protect yourself.

With security, there is no silver bullet. It's always a multi-layered approach on your security posture to ensure that you cover every angle that you possibly can. Some of those things overlap, but from an access to a portal perspective, you want things like IP validation, two-factor authentication, or even federated identity, which is essentially Single Sign-On, which gets authorized by your own network team.

You want at the vendor level to make sure you're using an enterprise class provider, okay? There are many, many different providers out there that say they all do the same thing. Some stack them high, sell them cheap. Some of them charge a premium price. But what you'll find is the ones that are doing a premium price, it isn't actually a premium, because they're reinvesting that money in their organization to increase their security posture to make sure they're not susceptible to some of the risks that we've talked about today.

And then even at the registry, there are solutions out there. Registry Lock or MultiLock that you may have heard it by. These are things that remove automation, which is great in the normal sense because it keeps costs down and it makes things very efficient, but in the wrong hands, it's our worst nightmare because changes happen without humans seeing them.

So understanding your vital domains is . . . well, it's vital, right? You need your provider to be doing everything to protect their systems, but you've also got to ensure that your staff are protecting their access to the portal as well, that only authorized users have action to certain functionality on those vital domains, and that where available, you are employing additional security or things like Registry Lock on the right domains.

One of the things that we found managing some of the world's largest brands for many, many years is that can be quite difficult to work out. What are my vital domains? How do I accurately maintain this list? It's not easy.

If you look at something like a domain portfolio, it's living, it's breathing, and it changes every day. Even if you don't perform a transaction like a renewal of registration or a modification, everything changes because tomorrow, I'm a day closer to an expiration date. Super important to try and keep on top of that. But how do you do it?

CSC can help. We have put a list of recommendations together. We call it a "Digital Asset Security Checklist." I won't go into the details of everything that's included in this, but just picking up on some of the subheadings here.

Vendor management. When's the last time you put a security questionnaire out to vendors that are critical to what your organization does, especially for online?

How do you manage those digital assets? So your domains, your DNS, your SSL. SSL in particular is something that we find troubles a lot of our clients. You'd be amazed at how many still use spreadsheets. We need to get a better grip on that. Businesses new to tracking assets, we've done it for . . . well, ever since double-entry bookkeeping was invented, whereby we list down all the assets, whether it'd be a shelving system or a ream of paper. Whatever it is, we track everything.

I'm sure a lot of you have company-issued laptops or cell phones. They've got all serial numbers on them that track by finance as well to depreciate it all the time. So it's not new. We need to really step up when we look at our domain management and all those assets.

It's the same with DNS. Can you tell me if you've got a thorough accounting of those? Same with SSL. If you had to pull a list, you're in a disaster recovery situation, which ones are important? Which ones do you need to replace and, more importantly, revoke in the first place to put back into your infrastructure?

But probably most important is understanding which domains are business critical. Again, if you find yourself unfortunately into a DR or disaster recovery scenario, you might have 2,000, 3,000 domain names, maybe more. Which ones are critical? Now, we can all guess the obvious ones. For me, cscglobal.com, we've got to get that back up and running if we found ourselves in that unfortunate place. But what else is there?

Sometimes, that might seem complicated or overwhelming, but it really shouldn't be. We can definitely help you. As a provider, we want to do everything we can to help protect our systems and make sure that your staff are protecting access to the portal, that only authorized users have access to it, and certainly within the portal, what functionality they have, especially when it comes to vital domain names.

Again, what we found is our clients struggle to figure out what those vital domains are. So it's very difficult to understand, "Hey, this DNS hijacking threat, does that apply to us? Which domains does it apply to?"

So when it comes to helping our clients, we took a long hard look at this and we looked at how they were managing their digital assets, the associated risks. And we found what we've kind of coined as a security blind spot.

There are a lot of things . . . again, if you think about what a security professional or a legal professional, marketing professional, worries about, it's risk. Digital assets, domains, DNS, and SSL seem to get overlooked for some reason.

So we set out to design something called CSC Security Center and we wanted to help and change or redefine what it really means to manage digital assets. And that starts with understanding what's critical, what's vital in the domain portfolio for our clients.

And as I've mentioned a couple of times, our clients find it difficult to tell us what that is because of the changing complexity of the portfolio. So we developed a proprietary algorithm that takes a portfolio and, with a 90% confidence, we can predict which domains should be vital to your organization.

What that allows us to do is then focus in on those vital domain names to present risks. Those risks can be across DNS, as we've been talking about today, and understanding the different providers. It could also be across SSL, looking at the providers, and also the validation level of the certificates that you've got in play.

But it also has two other main features, which is, number one, which vital domains do you not have locked? Like I said earlier, there is no silver bullet in security, but MultiLock or Registry Lock is one of the closest things that you will get to it.

But again, when we talk about how the cybercriminals are gaining access to things, what user has access to do what? So you can see on the screenshot that we have there, the left-hand section, that's the user part. We're telling you who has access to the system, what permissions they have. It's what we call an elevated permission as well.

So this information for anybody is very, very important. It's critical to protecting yourselves. Maybe it's not your responsibility directly, but believe me when I say there will be people within your organization that will be desperate for this kind of information.

When I ask a lot of security professionals, "What keeps you up at night?" I'll get the usual "users" and "firewall," but a lot of the time, it's, "What I don't know." And managing digital assets is, in a lot of examples, things that they don't know or they're not paying attention to. Hence, it's a security blind spot.

The cybercriminals will be very quick to utilize those blind spots, expose them, penetrate them, and use them for their own good, and it's something that we feel passionate about and we believe it will redefine what digital asset management means.

Super important that people in your organization understand what these risks are. It's important that they realize as well that there are tools to help with a lot of this. Every time a cybercriminal pops up with something, somebody will create a tool to be able to have visibility on that. And that's what we believe Security Center is doing for our clients.