Analysis: DHS Domain Name System Breach Directive
On January 22, the Department of Homeland Security (DHS) issued a directive to government agencies in response to breaches of the Domain Name System (DNS). The attackers used stolen credentials to alter DNS entries and steal certificates used for encryption and decryption. In combination, these actions let the attackers redirect sensitive traffic to their own sites, and to decrypt the traffic once it was received.
DHS’s directive provides good advice for responding: audit DNS records & prioritize those related to critical services; change DNS account passwords; add multi-factor authentication to DNS accounts; and monitor and review certificate logs. The time frame for these actions is ten days, but MFA implementation can be postponed indefinitely with an explanation of why it cannot be implemented. DHS also warns, rightly, against the use of SMS-based MFA (i.e., the kind where a security code is texted to the user).
Several questions arise. Do agencies have the tools and expertise to conduct these response activities? Do they have the infrastructure and software to implement MFA quickly? Why don’t these agencies have MFA on DNS accounts in the first place? Did affected agencies have strong controls in place on systems storing sensitive data while leaving DNS servers relatively unprotected? Can agencies correlate findings to validate the identification of perpetrators?
After these initial tasks, affected agencies will need to determine what data was compromised and when, assess the impact of the breach, conduct forensic investigations to identify the attacker(s), and share that threat intelligence without creating a secondary risk. If Personally Identifiable Information (PII) was taken, victim notification will be necessary, and if covert operations of any kind were compromised, then safeguarding those human assets will be a top priority. Depending on the data stolen, other adjustments to operations will likely be necessary.
Under the NIST Risk Management Framework (RMF), Federal IT systems are assigned an impact level of “High”, “Moderate”, or “Low”. The impact level determines the stringency of security measures implemented on those systems. Do all agencies assign the same impact level (and attendant security controls) to DNS systems? Is a review of impact levels appropriate, to ensure the appropriate safeguards are in place?
This incident reveals:
• The need for adequate identity protection, particular privileged accounts that should be protected by MFA
• The need threat hunting and post-incident investigative tools and expertise
• The need for an inconsistent assignment of impact levels to mission-critical systems such as DNS servers, or systems hosting DNS”
DHS’ incident response capability has improved significantly in recent years, and for that, they deserve great praise. The next phase is to concentrate on a harder task: incident prevention.
Related Blog Posts
Cybersecurity September 10, 2021
Current IT modernization initiatives are challenging federal agencies to implement significant changes to their infrastructure at a breakneck pace. As they look to keep pace with an increasingly sophisticated cyber threat environment and accommodate workflows shifting to the cloud, the federal government is looking to zero trust as a solution. Zero trust is a security model that maintains secure access to data and applications based on dynamic security policies reacting to access request specifics, as opposed to the network from where access originates.
Asad Zaman
Cybersecurity August 16, 2021
The Zero Trust (ZT) architecture is a modern concept shaping cybersecurity in the public and private sectors. The growing use of SaaS applications, migration to cloud-based architecture, a rising number of remote employees, and bring-your-own-device (BYOD) have rendered perimeter-based security obsolete. The concept of a network perimeter where those outside of the enterprise's control are malicious and insiders are trustworthy — is no longer a viable approach to cybersecurity.
Asad Zaman
Cybersecurity August 5, 2021
Are you next? Will criminals target your organization with ransomware? No one can say for sure, so prepare now.
Here are four and a half critical decisions to make – and things to do – before a crisis hits.
(What’s half a decision, you ask? What’s half an action, you may wonder. Read to end if you want to find out).
1. Do: Have a plan
This sounds so obvious, but I have seen major organizations in business and government scrambling to respond to a ransomware attack. Your plan should include at least these elements?
Don Maclean
Cybersecurity, DevSecOps July 26, 2021
Article originally posted to the GovDevSecOpsHub here.
When in-person processes became impossible during the pandemic, the extent to which public sector services relied on them became apparent. Town halls, municipal offices, schools, and colleges were forced to close their doors to the public, and the need to provide digital alternatives to citizen services so that constituents could continue to access them became clear.
DLT Solutions
Cybersecurity June 16, 2021
Zero Trust may seem like a daunting security architecture to implement. But Zero Trust is more a change of mindset towards cybersecurity than it is new tools and solutions. Zero Trust is a concept that can help you simplify and strengthen your defenses by adopting “never trust/always verify” principles. The truth is you probably already have many of the tools you need to get started. In addition to using existing security solutions, new tools and technologies can be added incrementally.
James Hofsiss
Cybersecurity May 24, 2021
The COVID-19 pandemic has forced a rapid, widespread shift to remote work, necessitating a new approach to security. Many public sector agencies are responding by adopting a Zero Trust model.
What is Zero Trust? Why is it important? What’s required to implement it? Let’s explore.
What Is Zero Trust?
James Hofsiss
Cybersecurity May 20, 2021
The Colonial Pipeline hack by DarkSide created Malicious code that resulted in the pipelines shut down, FBI officials have confirmed. According to the company, the Colonial pipeline transports about 45% of the fuel consumed on the East coast. U.S. fuel prices at the pump rose six cents per gallon on the week to $2.967 per gallon for regular unleaded gasoline, the American Automobile Association (AAA) said on Monday, while Wall Street shares in U.S. energy firms were up 1.5%. The U.S. issued emergency legislation on Sunday after a ransomware cyber-attack hit the Colonial Pipeline.
Asad Zaman
Cybersecurity May 18, 2021
President Biden has recently issued the “Executive Order on Improving the Nation’s Cybersecurity”, which requires government agencies to present plans for implementing a Zero Trust architecture, imposes stringent standards for threat sharing on government contractors and agencies alike, requires software vendors to show a Software Bill of Materials to demonstrate the security of their products, and seeks broad modernization of the Federal government’s cybersecurity posture.
Don Maclean
Cybersecurity May 14, 2021
The United States’ pipeline infrastructure, which carries oil, natural gas, and other commodities, is made up of nearly 3 million miles of pipelines. This vital enabler of domestic economic and national security is under constant threat of cyber attack due to its increasing reliance on automation through information technology.
James Hofsiss
Cybersecurity May 11, 2021
Hackers recently attacked computer systems belonging to the Colonial Pipeline company, forcing them to shut down operations and inhibiting delivery of diesel fuel, gasoline, and jet fuel throughout the East Coast of the United States. The company has responded quickly but cautiously and expects to resume normal operation very soon. In the meantime, a declaration of emergency from the White House allows extended operation of other means of petroleum transport.
Don Maclean
Cybersecurity April 27, 2021
Original article published by Signal Magazine here.
Many federal government agencies are interested in improving their cybersecurity by moving to a zero trust architecture model. But such a move, while very beneficial to the organization, is a complex and involved process that requires some fundamental changes in how security and operations are approached, says Don Maclean, chief cybersecurity technologist for DLT Solutions.
Brandon Norris
Cybersecurity March 25, 2021
Earlier this year, a downright chilling cyberattack against our nation’s critical infrastructure was exposed and reported in Oldsmar, Florida, a town of fewer than 14,000 people just outside of Tampa. The attack was targeted against a local water treatment facility and – if successful – could have managed to poison the area’s water supply.
Brandon Norris
Cybersecurity March 25, 2021
According to the 2020 Verizon DBIR, (Data Breach Investigations Report) there were 3,950 confirmed breaches in 2020. The onset of the COVID pandemic resulted in a drastic increase in exploitable vulnerabilities, phishing attempts, ransomware campaigns, and remote compromise attempts.
Brandon Norris
Cybersecurity March 24, 2021
Crises and disasters are unavoidable; especially, from the perspective of information security professionals, whose adage is to "assume you've already been hacked." It would be naïve to assume that any network was impervious to adversarial campaigns. The difference between a cybersecurity novice and a leader isn't whether they can infallibly prevent incidents; rather, the distinction lies in how they respond to crises, mitigate impacts, remediate compromises, and incorporate lessons into their risk assessment, policies, and response plans.
Drew Spaniel
Cybersecurity March 24, 2021
An organization's personnel can be the strongest or weakest element of any security strategy. In times of national crisis, such as the COVID-19 pandemic, tensions can run high, and conventionally manageable stresses can accumulate and degrade focus, performance, and mental bandwidth.
Drew Spaniel
Cybersecurity January 6, 2021
Cybersecurity attacks have been a part of the national security conversation since the beginning of the technological age. However, with a significant changes in 2020, we have seen more intrusions in the first half of 2020 than throughout all of 2019 (as reported by NETSCOUT). A new wave of highly sophisticated attacks has evolved with fear tactics and the change of work environments from offices to work from home.
James Jaramillo
Cybersecurity November 30, 2020
Election day has come, and it has gone, with a few states still counting votes, the projected President-elect is Joseph R. Biden, with Vice President-elect Kamala Harris making history as the first African and Asian American women to be elected to higher office. However, just because the election is over does not mean that the task of securing the U.S. elections infrastructure stops; in fact, the work must continue.
James Jaramillo
Cybersecurity November 3, 2020
With election day upon us, and with millions already mailing in their ballot or taking advantage of early voting, it is safe to say this election will be like no other. However, this record-breaking turnout does not slow down bad actors from Iran and Russia from interfering in the upcoming election. According to a recent announcement from the FBI, both Iran and Russia have obtained US voter information.
James Jaramillo
Cybersecurity October 29, 2020
If your business sells products or provides services to the Department of Defense (DoD), then you should know about the Cybersecurity Maturity Model Certification (CMMC) program.
Don Maclean
Cybersecurity, Federal Government October 29, 2020
With just days remaining until Election Day, election security and mail-in voting have played a significant role in this presidential race. Currently, eighteen states and D.C. have started to ease and expand access to vote by mail due to the pandemic. This expansion allows concerned voters to avoid being exposed to the virus at polling places and still allows citizens to exercise their democratic rights. However, the question on every election official's mind across the country is how the United States post office will handle the expected influx in mail-in ballots?
James Jaramillo
Cybersecurity September 29, 2020
“The best virtual experience in cybersecurity” is fast approaching. On October 14-15, the Institute for Critical Infrastructure (ICIT) – the only think tank dedicated exclusively to cybersecurity – hosts its 2020 fall virtual briefing. Co-chaired by DLT, this year’s theme is: “A Secure Roadmap for the Future.”
Brandon Norris
Cybersecurity September 28, 2020
DLT Solutions recently sat down for an interview with Joyce Hunter, executive director for strategy and process at the Institute for Critical Infrastructure and Technology (ICIT), the nation’s leading cybersecurity think tank. On the table for discussion was how ICIT is cultivating a “cybersecurity renaissance” – including promoting the role of women in cybersecurity. We also talked to Hunter about how government agencies can compete more effectively for cybersecurity talent and nurture the next generation of cyber warriors.
Don Maclean
Cybersecurity August 19, 2020
There are 76 days until the 2020 presidential election, and it has already been upended by an unfortunate pandemic that has required states to go back to the drawing board to re-evaluate how voting will take place on November 3rd. However, government officials, particularly at the local level, not only have to contend with a pandemic but also an increase in digital threats such as ransomware attacks. These attacks are being used to create chaos in political campaigns and steal voting data before election day.
James Jaramillo
Cybersecurity July 28, 2020
Article by James Hofsiss, CISSP, DLT and Asad Zaman, Sales Engineer III, DLT
DLT Solutions
Application Lifecycle, Cybersecurity July 17, 2020
Federal agencies are developing and releasing software and apps at a rapid speed. This haste comes at a price. Verizon reports that nearly 70% of the data breaches it investigated in 2019 were due to attackers targeting vulnerabilities in public-facing web applications. It also introduces compliance risk.
Farah Alam
Cybersecurity July 13, 2020
With the general election approximately 113 days away, there are mounting concerns about what will occur on Nov 3rd, 2020! Election officials face an extensive array of new cybersecurity threats arising from voting remotely to election officials working from home on unsecured systems leaving delicate data exposed to hackers. Before this health crisis, Congress approved $380 million in grant funds through the Help America Vote Act (HAVA).
James Jaramillo
Cybersecurity May 12, 2020
The old saying goes, there are only two kinds of organizations: those that have been breached and those that will be soon. Clearly, the “moat-and-castle” approach to security has not worked. Simply being “inside” a network – behind a firewall, DMZ and other traditional defenses – does not confer trustworthiness, whether it’s a device, a user, network traffic, or an application.
Don Maclean
Cybersecurity, IT Infrastructure April 22, 2020
Election security is a big topic, but it resembles a many-legged centipede. Federal contractors face the reality that elections are the purview of state, county and municipal officials. The technical and managerial abilities of these entities vary from what you might expect in a tiny hamlet to what you might encounter in a million-person suburban county.
David Blankenhorn
Cybersecurity April 14, 2020
DHS recently published version 3.0 of the Trusted Internet Connection (TIC) architecture. A response to changing IT conditions, Executive Orders, and OMB mandates, the new architecture seeks to support IT modernization through cloud adoption while keeping security as a top priority. The comprehensive set of documents includes an overview, a catalog of security capabilities, a reference architecture, guidance for pilot programs, advice for service providers, and a very helpful set of use cases relevant to agency needs.
Don Maclean
Cybersecurity April 14, 2020
The Threat
Risk is a function of likelihood times impact. When it comes to zero-day exploits, particularly those that use return-oriented programming (ROP) or one of its many cousins the likelihood is high, and the impact is higher. How do these attacks work, and what is the industry doing to stop them? More importantly, what can you do to stop them? Is it possible to stop a zero-day without patching or updating systems? Let’s explore these questions.
How ROP Works
Don Maclean
Cybersecurity March 20, 2020
The Cyberspace Solarium Commission recently released a groundbreaking report detailing 75 recommendations for improving the cybersecurity of the nation, including both the private and public sectors. The Commission, bipartisan in both name and spirit, conducted over 300 meetings with industry, academia, U.S. government, think tanks and foreign governments. I had the privilege of participating in this effort. The result is a comprehensive report that urges immediate and concrete action on its recommendations, organized into six pillars”:
Don Maclean
Cybersecurity March 20, 2020
Last week, my associate, Shane Rogers, shared an article on GovCybersecurityHub discussing the Cybersecurity Maturity Model Certification (CMMC) and its potential impact on small- and medium-sized government contractors.
Don Maclean
Cybersecurity March 20, 2020
I recently had the opportunity to visit an amazing new facility—the Cyber Range at Tech Data—and got to meet the truly exceptional people who make it happen. The facility has many purposes, stemming from the powerful sense of mission that drives the staff.
Don Maclean
Cybersecurity March 19, 2020
At RSA this year, Chris Krebs gave an important talk: “Cybersecurity Has a Posse” where he stressed the importance of collaboration between government and industry to fight the cybersecurity war. He started by pointing out that his agency, Cybersecurity and Infrastructure Security Agency (CISA) is an “all-source” group. He meant that CISA collects threat information from sources all over the world, including government agencies, private industry, and more. Krebs’ group consolidates that information and disseminates it – daily – to security professionals across all industries.
Don Maclean
Cybersecurity March 18, 2020
With the designation of the COVID-19 disease as a global pandemic hotly followed by a declaration of a national emergency by President Trump, the American way of life shifted dramatically – with the home office becoming a new reality for millions.
Unfortunately, the rise in the global remote workforce puts more pressure on IT teams, network architectures, and even equipment. But there are also very real cybersecurity challenges to consider.
DLT Solutions
Cybersecurity December 2, 2019
By Brandon Shopp, VP, Product Strategy, SolarWinds
Is unnecessary complexity making Office 365 monitoring a headache for your agency? A new presidential mandate requires federal agencies to “transform and modernize” their IT systems, with the goal of creating a more streamlined, cost-efficient, and secure IT environment.
DLT Solutions
Cybersecurity October 23, 2019
This is a repost of a blog originally posted to GovLoop here.
This blog post is an excerpt from our new report, How Artificial Intelligence Combats Fraud and Cyberattack, download the full report here.
DLT Solutions
Cybersecurity October 23, 2019
The security of public sector networks is under attack. Each day security and IT professionals work hard to defend the integrity of mission-critical data and systems against increasingly frequent and complex cyberattacks.
Staying informed is critical to staying ahead.
That’s great, but there are literally dozens of cyber news outlets, journals, and bloggers to follow. Security leaders and practitioners don’t have time to filter what’s urgent and relevant to their organizations. That’s why we’ve created GovCybersecurityHub.
Don Maclean
Cybersecurity October 17, 2019
*Article written by Jim Hansen, VP of Products, Security and Application Management
DLT Solutions
Cybersecurity October 10, 2019
This month, DLT sat down with James Ebeler, the Chief Technology Officer, Department of Defense, for Iron Bow Technologies. In this interview, James discusses the cybersecurity challenges facing our military and how Iron Bow is helping solve them with innovative solutions.
DLT: Good morning, James. Thanks for joining us today for this interview.
James: Good morning, happy to be here.
DLT: Fantastic, let’s dive right in. First, can you tell us about your role at Iron Bow Technologies?
DLT Solutions
Cybersecurity October 10, 2019
The first half of 2019 continued to be a busy one for cybersecurity teams and their organizations. But the nature of the adversary is changing.
New insight from DLT partner, CrowdStrike, finds that attackers are “continuing to ramp up in both their brazen behavior and sophisticated means.”
Don Maclean
Cybersecurity October 10, 2019
*Article originally posted on GovCybersecurityHub here.
DLT Solutions
Cybersecurity September 24, 2019
The DoD Cybersecurity Strategy https://www.fifthdomain.com/dod/2018/09/19/department-of-defense-unveils-new-cyber-strategy/ stresses nine key points. With the end of FFYE looming, are you aligning your spending with these objectives?
Don Maclean
Cybersecurity, IT Perspective August 2, 2019
Every Federal IT pro knows that security threats are a top agency priority. Yet, according to the SolarWinds 2019 Cybersecurity Survey, those threats are increasing—particularly the threat of accidental data exposure from people inside the agency.
DLT Solutions
Cybersecurity July 31, 2019
Capital One has announced that about 140,000 Social Security numbers and 80,000 linked bank accounts were compromised “in one of the biggest-ever data breaches,” affecting some 100 million individuals in the U.S. and 6 million in Canada.
DLT Solutions
Cybersecurity, Healthcare July 29, 2019
More and more organizations are making the move to cloud-based security solutions. Today, 33 percent of organizations are planning to adopt one or more security-as-a-service (SECaaS) solutions. The efficiency with which endpoint security solutions can provide protection, particularly when delivered as-a-service, is a key strategic consideration for many organizations – perhaps none more so than America’s network of medical schools and teaching hospitals.
DLT Solutions
Cloud Computing, Cybersecurity July 22, 2019
It’s often said that there are two types of organizations: those that have been hacked, and those that will be – turning the conversations around security breaches from ‘what if?’ to ‘when?’.
Isabella Jacobovitz
Cybersecurity July 10, 2019
Although state and local technology leaders are increasingly prioritizing cybersecurity in their operations, government has a long way to go in securing critical information and systems from cyberattacks.
In light of this struggle, Route Fifty, in partnership with CrowdStrike, recently hosted a webcast that showcases the work of state and local governments who have undergone a transformation in cybersecurity protocols – and the challenges they continue to face.
Melissa Perez
Cybersecurity March 29, 2019
Many government agencies, particularly large agencies, face enormous obstacles in simply compiling and inventory of the software and hardware under in their system. The difficulty is understandable: I know of one agency responsible for 220,000 makes and models of medical devices (note that this number refers to “makes and models” only. The actual number of devices is much, much higher). In addition, the devices are online intermittently, and many of them are on air-gapped (i.e., physically separate networks), complicating the use of automated tools for identification and inventory.
Don Maclean
Cybersecurity March 28, 2019
Every government organization has been the victim of a cybersecurity incident. These can range from mundane incidents such as a user leaving their desk without locking their screen, up to a major breach such as the OPM hack in which hackers stole comprehensive and confidential information on millions of government employees and contractors.
Don Maclean