forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdns_hijacking.yml
70 lines (62 loc) · 3.9 KB
/
dns_hijacking.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: DNS Hijacking
id: 8169f17b-ef68-4b59-aa28-586907301221
version: 1
date: '2020-02-04'
author: Bhavin Patel, Splunk
description: Secure your environment against DNS hijacks with searches that help you
detect and investigate unauthorized changes to DNS records.
narrative: 'Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613),
DNS plays a critical role in routing web traffic but is notoriously vulnerable to
attack. One reason is its distributed nature. It relies on unstructured connections
between millions of clients and servers over inherently insecure protocols.\
The gravity and extent of the importance of securing DNS from attacks is undeniable.
The fallout of compromised DNS can be disastrous. Not only can hackers bring down
an entire business, they can intercept confidential information, emails, and login
credentials, as well. \
On January 22, 2019, the US Department of Homeland Security 2019''s Cybersecurity
and Infrastructure Security Agency (CISA) raised awareness of some high-profile
DNS hijacking attacks against infrastructure, both in the United States and abroad.
It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which
summarized the activity and required government agencies to take the following four
actions, all within 10 days: \
1. For all .gov or other agency-managed domains, audit public DNS records on all
authoritative and secondary DNS servers, verify that they resolve to the intended
location or report them to CISA.\
1. Update the passwords for all accounts on systems that can make changes to each
agency 2019''s DNS records.\
1. Implement multi-factor authentication (MFA) for all accounts on systems that
can make changes to each agency''s 2019 DNS records or, if impossible, provide CISA
with the names of systems, the reasons why MFA cannot be enabled within the required
timeline, and an ETA for when it can be enabled.\
1. CISA will begin regular delivery of newly added certificates to Certificate Transparency
(CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies
must immediately begin monitoring CT log data for certificates issued that they
did not request. If an agency confirms that a certificate was unauthorized, it must
report the certificate to the issuing certificate authority and to CISA. Of course,
it makes sense to put equivalent actions in place within your environment, as well.
\
In DNS hijacking, the attacker assumes control over an account or makes use of a
DNS service exploit to make changes to DNS records. Once they gain access, attackers
can substitute their own MX records, name-server records, and addresses, redirecting
emails and traffic through their infrastructure, where they can read, copy, or modify
information seen. They can also generate valid encryption certificates to help them
avoid browser-certificate checks. In one notable attack on the Internet service
provider, GoDaddy, the hackers altered Sender Policy Framework (SPF) records a relatively
minor change that did not inflict excessive damage but allowed for more effective
spam campaigns.\
The searches in this Analytic Story help you detect and investigate activities that
may indicate that DNS hijacking has taken place within your environment.'
references:
- https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
- https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/
- http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/
- https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html
tags:
analytic_story: DNS Hijacking
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection