Safe domain: How to protect your enterprise from DNS hijacking
In August 2019, cybersecurity researchers revealed that a hacker group known as Sea Turtle targeted 40 telecoms, internet service providers, domain registrars and government organizations in the Middle East and North Africa.
The attackers hijacked the domain names of ministries of foreign affairs, intelligence/military agencies and energy-related groups in those regions. As a result, Sea Turtle was able to intercept all internet data – including email and web traffic – sent to the victims.
Then, in June 2020, the Japanese cryptocurrency exchange Coincheck reported that hackers gained access to its domain registrar provider and hijacked its coincheck.com domain name. They then contacted Coincheck customers and asked them to verify account information, which could be used to access the accounts and steal funds.
The two incidents illustrate the growing threat of Domain Name System (DNS) hijacking.
DNS hijacking: Protect your brand and organization
When users type in or click on a domain name, they typically assume that they are going to the site that they want to go to. But if a successful DNS hijacking attack has been executed, cybercriminals can take the user to a completely different – and dangerous – web space. Cybercriminals do this for financial gain, and it also allows them to intercept email to conduct espionage and harvest credentials, which could lead to network breaches.
Companies put much thought into a domain name and a broader portfolio of names because of their marketing significance. Customers and prospects associate them with a brand’s products, services and corporate persona.
At the same time, an overwhelming majority of companies have not adopted basic security measures to guard their portfolio of domain names. For example, the majority use retail-grade registrars instead of enterprise-class ones. But an enterprise-class registrar knows its customer and will bring superior technology controls, accreditation standards, operations processes, compliance practices, continuous vulnerability assessments and penetration testing.
Don’t ignore the risks
Why are businesses essentially overlooking domain name and DNS-related risk? Because they are taking a tunnel-vision approach to cybersecurity, with a singular focus on familiar network challenges. This prevents them from developing a more holistic strategy which covers the entire range of attack vectors. As Silviu Stahie, Security Analystat Bitdefender, states: “Companies focus on other types of threats, strengthening endpoints and their own networks. But different kinds of cyberattacks can be deployed against companies that will never reach that level, and it can still cripple an organization without compromising the corporate infrastructure. Domain security needs to be taken as seriously as any other form of cybersecurity.”
That’s because the bad guys are constantly coming up with new tricks to enhance their capacity for damage. A successfully executed DNS hijack serves as a gateway into the network, triggering phishing campaigns to steal credentials, conduct surveillance and carry out other cyber schemes.
To effectively establish countermeasures, organizations must commit to the following two responses:
Deploying defense-in-depth. This is hardly a “new” or revolutionary concept. However, enterprises aren’t applying defense-in-depth to domain name protection – and they need to. A formidable defense-in-depth approach requires the coordinated implementation of multi-layered policies that lead to the incorporation of secure domain, DNS and digital certification practices. This includes controlling user permissioning and deploying two-factor authentication, IP validation and federated identity management for anyone seeking access to domain or DNS systems.
In addition, a robust defense-in-depth program leverages registry lock, domain name system security extension (DNSSEC) and domain-based message authentication, reporting and conformance (DMARC). Via a registry lock, the registrar confirms any requested changes with the domain owner, to eliminate unauthorized and potentially risky changes to the domain.
Using encryption and keys, DNSSEC identifies and blocks malicious DNS data by verifying digital signatures within the data – the signatures must match those stored in master DNS servers to proceed. DMARC ensures email authentication, with senders and receivers sharing information to verify that a given message is coming from a legitimate sender. This prevents hackers from hijacking a corporate email domain, and then launching spoofing and phishing scams.
Creating a C-suite council. In the hacker universe, criminals gain an edge over their intended victims by routinely sharing information and resources in forums to keep innovating. Companies need to do the same. That’s why, more than ever, it’s imperative to establish what we can call a Domain Security Council, in which a company’s CISO collaborates with other C-suite members to identify and continuously monitor domain security practices and procedures. The group should also develop and agree to a set of KPIs to continuously measure progress.
First, this would include making sure that domain security is a risk component noted in the organization’s risk registrar, which then brings this important security blind spot into the most important discussions the organization conducts around risk.
The second step to measure progress would be to set goals and priorities toward improving your domain security posture based on a multi-layered defense in depth approach. This would include assessing the number of vital domains your organization has locked on a continuous basis. Additionally, you can monitor changes in user permissions or elevated permissions, the risk profile of providers for DNS and SSL/TLS, along with other security metrics showing vital domains not utilizing DNSSEC or email authentication (SPF, DKIM, DMARC).
Lastly, the Domain Security Council will need to keep up to date on the current digital threat landscape. They can do this by establishing a cadence of monitoring new threats and updating the C-suite in the form of threat intelligence reports. Bad actors are continuously finding new ways to infiltrate networks for unlawful purposes. The Domain Security Council should be accountable for updating the company on how this is happening and assessing the risk.
Conclusion
In a sense, it is understandable that companies are not paying closer attention to domain name protection. Adversaries, after all, are coming at them fast and furiously through network and device attacks and it’s extremely difficult to keep up with everything. But the domain remains the “big sign” on the front door which hackers know they can exploit.
Fortunately, organizational leaders can take advantage of readily available defense-in-depth tools while implementing best practices. Then, they can come together within a unified, collaborative council to further enhance their defensive profile. With this, the bad guys will see that the “door” is closed – hopefully for good.