Using these techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services:
- The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records;
- The attacker changes DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection;
- Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.
To deal with the significant risks to agency information and information systems presented by this activity, this directive requires the following actions to address risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains, and detect unauthorized certificates.
1. Audit DNS Records
Within 10 business days, for all .gov or other agency-managed domains, audit public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location. If any do not, report them to CISA.
2. Change DNS Account Passwords
Within 10 business days, update the passwords for all accounts on systems that can make changes to your agency's DNS records.
3. Add Multi-Factor Authentication to DNS Accounts
Within 10 business days, implement multi-factor authentication (MFA) for all accounts on systems that can make changes to your agency's DNS records. If MFA cannot be enabled, provide CISA with the names of systems, why it cannot be enabled within the required timeline, and when it could be enabled.
4. Monitor Certificate Transparency Logs
- Within 10 business days, CISA will start regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains, via the Cyber Hygiene service;
- Upon receipt, agencies must start monitoring CT log data for certificates issued that they did not request. If an agency confirms that a certificate was unauthorized, it must report the certificate to the issuing certificate authority and to CISA.
As for CISA, it informed that it will take the following actions:
- CISA will provide technical assistance to agencies that report anomalous DNS records;
- CISA will review submissions from agencies that cannot implement MF A on DNS accounts within the timeline and contact agencies, as needed;
- CISA will provide regular delivery of newly added certificates to CT logs for agency domains via the Cyber Hygiene service;
- CISA will provide additional guidance to agencies through an emergency directive coordination call following the issuance of this directive, as well as through individual engagements upon request.
Starting from February 6, 2019, the CISA Director will engage Chief Information Officers (CIO) and/or Senior Agency Officials for Risk Management (SA ORM) of agencies that have not completed required actions, to make sure their most important federal information systems are protected.
By February 8, 2019, CISA will provide a report to the Secretary of Homeland Security and the Director of Office of Management and Budget (0MB) identifying agency status and outstanding issues.