1 / 11

DNS Flag Day 2019 What you need to know about this Day can affect your CI Operations

DNS Flag Day 2019 What you need to know about this Day can affect your CI Operations. InfraGard Louisiana Member’s Alliance Charles George, CISSP – Water Sector. Domain Name Services Discussion. Defining DNS, the change, potential impact and opportunity Regulatory Impacts Operational Impacts

lindsey
Download Presentation

DNS Flag Day 2019 What you need to know about this Day can affect your CI Operations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DNS Flag Day 2019What you need to know about this Day can affect your CI Operations InfraGard Louisiana Member’s Alliance Charles George, CISSP – Water Sector

  2. Domain Name Services Discussion • Defining DNS, the change, potential impact and opportunity • Regulatory Impacts • Operational Impacts • Internal networks • Hybrid Networks • Cloud-only environments • How to know if your environment is affected right now? • What about suppliers and partners? • Bring it to the strategic planning process now • Why education is critically important – Skills, Resources, Time

  3. Does this apply to me? January 2019: “An emergency directive from the Department of Homeland Security provides “required actions” for U.S. government agencies to prevent widespread DNS hijacking attacks.” – Threatpost.com DHS has issued a four-step plan that must be enacted.  1. Audit all .gov and agency-managed domains on authoritative and secondary DNS servers and ensure that they direct traffic to the intended location. NS records and those associated with key agency services should be prioritized. If DNS changes are discovered, they must be reported to Cyber Security and Infrastructure Security Agency (CISA). 2. All federal agencies have been instructed to change DNS account passwords on accounts that can make changes to the agency’s DNS records. New unique, complex passwords should be set. 3. All DNS accounts that can make changes to DNS records should have multi-factor authentication enabled. If MFA cannot be enabled on systems, CISA must be notified. 4. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service in the next 10 days. CT logs must be immediately monitored for certificates that have been issued that have not been requested by the agency. If logs are found to be inaccurate, they must be reported to CISA.

  4. What Changed? DNS => EDNS • Essentially a workaround has existed so long that not everyone thinks of it as a work around….. • It comes down to the number of bits allowed in the response for an address on the Internet by a client • Just as “extensions or plug-ins” for a web browser allow additional capabilities to be added, DNS also provides for extensions • Enforcement of certain rules will cause issues with both legacy and contemporary services that have misused these protocols

  5. DNS – More than a web address • DNS as an analogy: Need to call someone? • Seen another way: Need to go to a new place? What if your number is misdirected? If you do not know where you are going, any path can take you there.

  6. DNS History

  7. DNS – Threats, Attacks & Trends Understanding the threats and proactively seeking weaknesses within your environment – before an incident or breach. Recommendation: Develop in-house Threat Hunting capabilities • Types of breaches noted in 2018 (Source: Verizon DIBR):

  8. Common Attacks on DNS • Zero-day attack – the attacker exploits a previously unknown vulnerability in the DNS protocol stack or DNS server software. • Cache poisoning – the attacker corrupts a DNS server by replacing a legitimate IP address in the server’s cache with that of another, rogue address. Cache poisoning may also be referred to as DNS poisoning. • Denial of Service – an attack in which the DNS mechanisms become overwhelmed by DNS requests and becomes unable to service legitimate requests. • Distributed Denial of Service – a Denial of Service attack involving many sources of DNS request generated by bots or zombie computers against a targeted DNS service provider or IP address. • DNS amplification - the attacker takes advantage of a DNS server that permits recursive lookups and uses recursion to spread his attack to other DNS servers.

  9. DNS Attack Examples – How it works • The obligatory “technical diagrams”:

  10. References & Resources • Flag Day Resources • DNS Internet Flag Day (www.flagday.net) • https://www.isc.org/blogs/dns-flag-day/ • US CERT Resources • DNS Testing Information & Tools: • http://ednscomp.isc.org/ • Compliance Testing Tool Source Code Repo: GitHub Repo for Test Tool Source Code • References Cited: • Secure Domain Name System (DNS) Deployment Guide - NIST Special Publication 800-81-2 • InfoTech Research Group • Microsoft Azure DNS - Getting Ready for Flag Day • Center for Internet Security (CIS) •  DNS standards (1987 - RFC1035) & EDNS (1999 (RFC2671 and RFC6891) • 2018 Data Breach Investigations Report - Verizon

  11. Charles George, CISSP President, First Maridian LLC cj.george@firstmaridian.com

More Related