DHS CISA publishes emergency directive to mitigate against DNS infrastructure tampering

• DHS published an emergency directive with a four-step action plan and urges government agencies to complete the four-steps within 10 days.
• DHS is currently aware of at least six civilian agencies that have been impacted by the recent DNS hijacking attack.

A cyber-espionage group, believed to be operating out of Iran, had modified DNS records for the domains of private companies and government agencies after hacking into web hosting or domain registrar accounts.

The purpose of these DNS hijacking attacks was to redirect web traffic towards their malicious servers to snoop in on the login credentials and later redirecting the traffic to the target's legitimate site.

On January 22, 2019, the US Department of Homeland Security (DHS) published an ‘Emergency Directive 19-01’ that contains the guidelines with respect to the recent DNS hijacking attacks.

Four-step action plan

DHS published an emergency directive with a four-step action plan to mitigate DNS infrastructure tampering and to secure DNS management accounts.

• Action #1 - Audit DNS records
  The emergency directive orders government agencies and other agency managed domains to audit DNS records on all authoritative and secondary DNS servers of unauthorized edits.
  
  
• Action #2 - Change DNS account passwords
  The directive urges government agencies to update passwords of all DNS accounts on systems and recommends the use of password managers to enable strong and unique passwords.
  
  
• Action #3 - Add multi-factor authentication to DNS accounts
  The security directive prompts agencies to implement multifactor authentication to all DNS accounts on the systems. It further urges agencies to provide CISA with the list of systems for which multifactor authentication couldn't be enabled along with the reasons. However, it does not recommend SMS based multifactor authentication.
  
  
• Action #4 - Monitor certificate transparency logs
  CISA will deliver newly added certificates to Certificate Transparency logs for agency domains via Cyber Hygiene service. Upon receiving the certificates, agencies should regularly monitor Certificate Transparency log data for certificates that have been issued to the domains of government agencies but were not requested by the government agencies.
  
  

“CISA will provide additional guidance to agencies through an emergency directive coordination call following the issuance of this directive, as well as through individual engagements upon request (through CyberLiaison),” the directive read.

The emergency directive urges government agencies and other agency-managed domains to complete the four-step action plan within 10 days. Moreover, it is said that DHS is currently aware of at least six civilian agencies that have been impacted by the recent DNS hijacking attack.