A key takeaway from the annual MarkMonitor Summit: Look for security compromise — and expect it.
Noted security blogger and investigative journalist Brian Krebs joined MarkMonitor as keynote speaker to break down the latest in online schemes and scams.
He quantified the damage to brand owners and consumers, traced how the threats have evolved over time, and illustrated the trend with examples ranging from the obscure to the notorious. One theme held across the board: the threat to brand owners never ceases, it only changes shape. In the absence of a cure, preparedness and response are what is prescribed.
The emerging DNS threat
One instance touched upon was the recent DNS hijacking event allegedly undertaken by Iranian state-sponsored perpetrators.
This incident prompted a rare emergency directive (Emergency Directive 19-01, January 2019) from the Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security (DHS), ordering federal agencies to audit their DNS records, rotate the passwords on registrar and DNS accounts, enable multi-factor authentication on them, and monitor Certificate Transparency logs for unexpected certificates. The directive followed the manipulation of DNS records for numerous sites belonging to internet-infrastructure providers in Europe and to companies and government agencies in the Middle East.
The attackers got in through several different points, but some of the most notable were registrar accounts that did not use two-factor authentication (2FA) or registry locking.
These accounts were compromised through targeted spear-phishing. With account access, the attackers changed the domains' DNS records via EPP (the Extensible Provisioning Protocol, which registrars use to send commands to registries) and then reverted them after a very short time, literally minutes. Those minutes were enough to obtain a valid domain-validated (DV) certificate for the site from a public CA, since DV issuance checks only that the requester controls the domain's DNS or web content at that moment, and to intercept traffic to the associated systems and sites and collect data from it. Note that reverting the DNS does not undo the damage: the DV certificate stays valid for its full lifetime unless the owner notices it and has it revoked, which is why certificate monitoring matters as much as DNS monitoring.
The importance of domain security
This attack highlights the absolute necessity of using a corporate-only registrar that mandates 2FA on every account.
There were failures beyond these, but much of the mayhem could have been avoided had the domain owners in question used safeguards like those afforded to MarkMonitor clients. In addition, a registry lock (where the registry offers one) would have caused the registry to reject the EPP command that changed the DNS, since a locked domain cannot be updated until the lock is lifted through a separate, out-of-band verification with the registry.
Finally, had an unauthorized change been made to a MarkMonitor client's domain, our proactive DNS Monitoring would have alerted us to the disparity between the DNS published at the registry and the DNS recorded in the client's account.
Brian Krebs has published his own account of this specific incident on his blog.
Security tips to live by
Krebs concluded with an insightful checklist of best practices to employ in workplaces/environments in order to mitigate risk as much as possible.
To paraphrase his words, “A bad guy has to be successful once, whereas the good guys have to make no errors and be right 100% of the time.”
- How do you and your company look from the outside (the "broken windows" theory)? Would you appear to be an easy target to a bad actor reviewing your publicly facing data? A good domain-related corollary: a WHOIS or RDAP lookup reveals whether your organization uses a broad retail registrar, whether key domains carry the registry-level lock statuses (serverUpdateProhibited, serverDeleteProhibited and serverTransferProhibited), and whether your DNS is hosted on infrastructure reachable through the registrar account, meaning one compromised login controls both the delegation and the zone.
- Look for compromise (and expect it). Not looking doesn’t mean it isn’t there.
- Manage third-party risk. Who are the partners and vendors behind your systems and sites, and how reliable is their security? In the domain world, this means ensuring your registrar mandates 2FA, works directly with registries (rather than through a reseller) wherever practicable, performs regular penetration testing as well as social-engineering and spear-phishing drills, and does not run a constellation of registrar operations (retail, reseller and corporate) on the same systems.
- Two-factor authentication. Many risks can be simply mitigated by requiring 2FA across employees and vendors.
- Conduct regular security awareness/testing (and don’t tip off the students before the exam!).
- Have a breach response plan (and run fire drills).
- Password spray your own employee, user and customer accounts (with authorization, and staying under your lockout thresholds). Recent attacks have simply tried each of the top 100 most-used passwords against a list of corporate email addresses, one password across every account per round so that no single account trips a lockout; if that works for an attacker, it will work for you first.
- Monitor, log, and alert on DNS and TLS certificate changes. Set up real-time alerting (frequency matters, since the hijack above lasted minutes) to ensure immediate response to an unauthorized change, and watch Certificate Transparency logs so that a certificate issued during a brief hijack is noticed even after the DNS has been reverted. Alerts can be as simple as an RSS feed. It is worth noting that MarkMonitor constantly monitors the DNS for all the domains under our management to ensure that registry records match our own. Over the years, this DNS Monitoring has allowed us to alert numerous registry operators to a breach in their own systems before they had identified it themselves.
- Hack your own stuff and encourage others to do the same. Importantly, listen to feedback from third parties when they report vulnerabilities, and don't dismiss their findings out of hand.
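The DNS Monitoring described in the domain-security section and in the "monitor, log, and alert" item above comes down to diffing what is actually published against an approved baseline. The following is an added example written for this article, not MarkMonitor's own monitoring code; the domain, nameservers, addresses and CA names are constructed, and the "observed" snapshots stand in for what a periodic poll of the registry delegation, the authoritative zone and Certificate Transparency logs would return. The certificate-issuer check is what still catches a hijack that was reverted before the next DNS poll, because the DV certificate outlives the DNS change.

```python
"""Detect unauthorized DNS and certificate changes by diffing what is
published against an approved baseline.  Added example, not MarkMonitor's
own monitoring code; every domain, nameserver, address and CA name below is
constructed for illustration."""
from dataclasses import dataclass

# Approved state per domain: the nameservers recorded in the registrar
# account, the records they should serve, and the CAs allowed to issue.
BASELINE = {
    "example.com": {
        "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
        "A": {"203.0.113.10"},
        "MX": {"10 mail.example.com."},
        "CERT_ISSUERS": {"Example Trusted CA"},
    },
}

# Constructed snapshots standing in for a periodic poll of the registry
# delegation, the authoritative zone, and Certificate Transparency logs.
OBSERVED_OK = {
    "example.com": {
        "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
        "A": {"203.0.113.10"},
        "MX": {"10 mail.example.com."},
        "CERT_ISSUERS": {"Example Trusted CA"},
    },
}
OBSERVED_HIJACK = {
    "example.com": {
        "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
        "A": {"198.51.100.77"},                                  # traffic redirected
        "MX": {"10 mail.example.com."},
        "CERT_ISSUERS": {"Example Trusted CA", "Cheap DV CA"},   # new DV cert seen in CT
    },
}

# How urgently each kind of drift should page someone.  A delegation change
# or an unexpected issuer means the domain is, or was, under someone
# else's control; a changed A/MX record redirects traffic or mail.
SEVERITY = {"NS": "critical", "CERT_ISSUERS": "critical",
            "A": "high", "AAAA": "high", "MX": "high"}


@dataclass(frozen=True)
class Alert:
    domain: str
    rtype: str
    added: frozenset
    removed: frozenset

    @property
    def severity(self):
        return SEVERITY.get(self.rtype, "medium")


def diff_snapshot(baseline, observed):
    """Return one Alert per (domain, record type) whose observed value set
    differs from the baseline.  A record type (or whole domain) missing from
    the observation is treated as empty, so a deleted NS or MX set still
    raises an alert rather than being silently skipped."""
    alerts = []
    for domain, expected in baseline.items():
        seen = observed.get(domain, {})
        for rtype, exp in expected.items():
            obs = set(seen.get(rtype, ()))
            added, removed = obs - exp, exp - obs
            if added or removed:
                alerts.append(Alert(domain, rtype, frozenset(added), frozenset(removed)))
    return alerts


def format_alert(a):
    """One line per alert, suitable for a pager, a log sink or an RSS item."""
    return (f"[{a.severity.upper()}] {a.domain} {a.rtype}: "
            f"added={sorted(a.added)} removed={sorted(a.removed)}")


if __name__ == "__main__":
    for a in diff_snapshot(BASELINE, OBSERVED_HIJACK):
        print(format_alert(a))
```

Run this on a schedule whose interval is shorter than the change you need to catch; the hijack above would have been invisible to an hourly DNS poll, but the unexpected issuer would still show up on the next pass.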
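The password-spray item above describes the attack from the attacker's side; the defender's side is recognising the pattern in authentication logs, which looks quite different from a brute-force attempt against one account. The following is an added example, not code from Krebs' talk or from MarkMonitor: the log format, the usernames and the source addresses are constructed. The spray signature it looks for is one source failing against many distinct accounts while staying below the per-account failure count that would trigger a lockout; a single account with many failures is left to ordinary lockout controls.

```python
"""Flag password-spray patterns in authentication logs.  Added example with
a constructed log format: '<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>'."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: 198.51.100.9 sprays six accounts with two passwords
# (one account, erin, accepts the second); 203.0.113.5 brute-forces a single
# account; 192.0.2.44 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2019-03-01T09:00:01 auth FAIL user=alice src=198.51.100.9
2019-03-01T09:00:04 auth FAIL user=bob src=198.51.100.9
2019-03-01T09:00:07 auth FAIL user=carol src=198.51.100.9
2019-03-01T09:00:10 auth FAIL user=dave src=198.51.100.9
2019-03-01T09:00:13 auth FAIL user=erin src=198.51.100.9
2019-03-01T09:00:16 auth FAIL user=frank src=198.51.100.9
2019-03-01T09:02:00 auth FAIL user=admin src=203.0.113.5
2019-03-01T09:02:01 auth FAIL user=admin src=203.0.113.5
2019-03-01T09:02:02 auth FAIL user=admin src=203.0.113.5
2019-03-01T09:02:03 auth FAIL user=admin src=203.0.113.5
2019-03-01T09:02:04 auth FAIL user=admin src=203.0.113.5
2019-03-01T09:02:05 auth FAIL user=admin src=203.0.113.5
2019-03-01T09:05:01 auth FAIL user=alice src=198.51.100.9
2019-03-01T09:05:04 auth FAIL user=bob src=198.51.100.9
2019-03-01T09:05:07 auth FAIL user=carol src=198.51.100.9
2019-03-01T09:05:10 auth FAIL user=dave src=198.51.100.9
2019-03-01T09:05:13 auth OK user=erin src=198.51.100.9
2019-03-01T09:10:00 auth FAIL user=alice src=192.0.2.44
2019-03-01T09:10:20 auth OK user=alice src=192.0.2.44
"""


@dataclass(frozen=True)
class Finding:
    src: str
    users_failed: int            # distinct accounts this source failed against
    max_failures_per_user: int   # stayed under lockout threshold?
    compromised: tuple           # accounts that later succeeded from this source


def detect_spray(lines, window=timedelta(minutes=15), min_users=5, max_per_user=2):
    """Return one Finding per source that, within a time window, failed
    against at least `min_users` accounts with no more than `max_per_user`
    failures each.  Also reports accounts that succeeded from that source
    after an earlier failure, i.e. the passwords the spray found."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an auth record in the expected format
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    events.sort()

    fails = defaultdict(lambda: defaultdict(int))  # (src, bucket) -> user -> count
    first_fail = {}                                 # (src, user) -> first failure time
    successes = defaultdict(set)                    # src -> users that later logged in
    epoch = events[0][0] if events else None
    for ts, result, user, src in events:
        if result == "FAIL":
            bucket = int((ts - epoch) / window)     # fixed windows since first event
            fails[(src, bucket)][user] += 1
            first_fail.setdefault((src, user), ts)
        elif (src, user) in first_fail:
            successes[src].add(user)                # success following a failure

    findings = {}
    for (src, _bucket), per_user in fails.items():
        worst = max(per_user.values())
        if len(per_user) >= min_users and worst <= max_per_user and src not in findings:
            findings[src] = Finding(src, len(per_user), worst, tuple(sorted(successes[src])))
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG.splitlines()):
        print(f)
```

The thresholds are deliberately parameters: set `max_per_user` to one below your lockout policy and `min_users` to something a real user population never produces from one address, then tune against your own logs before paging on it.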
For more information on protecting your brand against digital threats, read our latest Global Business Survey.