forked from splunk/security_content
dns_hijacking.yml
category:
- Adversary Tactics
channel: ESCU
creation_date: '2017-11-21'
description: Secure your environment against DNS hijacks with searches that help you
detect and investigate unauthorized changes to DNS records.
detections:
- detection_id: 44d3a43e-dcd5-49f7-8356-5209bb369065
name: DNS record changed
type: splunk
- detection_id: 74ec6f18-604b-4202-a567-86b2066be3ce
name: Clients Connecting to Multiple DNS Servers
type: splunk
- detection_id: c77162d3-f93c-45cc-80c8-22f6v5464g9f
name: Detect hosts connecting to dynamic domain providers
type: splunk
- detection_id: 1a67f15a-f4ff-4170-84e9-08cf6f75d6f6
name: DNS Query Requests Resolved by Unauthorized DNS Servers
type: splunk
id: 8169f17b-ef68-4b59-aa28-586907301221
maintainers:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
modification_date: '2018-09-06'
name: DNS Hijacking
narrative: 'Dubbed the Achilles heel of the Internet (see https://www.f5.com/labs/articles/threat-intelligence/dns-is-still-the-achilles-heel-of-the-internet-25613),
DNS plays a critical role in routing web traffic but is notoriously vulnerable to
attack. One reason is its distributed nature. It relies on unstructured connections
between millions of clients and servers over inherently insecure protocols.\
The gravity and extent of the importance of securing DNS from attacks is undeniable.
The fallout of compromised DNS can be disastrous. Not only can hackers bring down
an entire business, they can intercept confidential information, emails, and login
credentials, as well. \
On January 22, 2019, the US Department of Homeland Security''s Cybersecurity
and Infrastructure Security Agency (CISA) raised awareness of some high-profile
DNS hijacking attacks against infrastructure, both in the United States and abroad.
It issued Emergency Directive 19-01 (see https://cyber.dhs.gov/ed/19-01/), which
summarized the activity and required government agencies to take the following four
actions, all within 10 days: \
1. For all .gov or other agency-managed domains, audit public DNS records on all
authoritative and secondary DNS servers, verify that they resolve to the intended
location or report them to CISA.\
2. Update the passwords for all accounts on systems that can make changes to each
agency''s DNS records.\
3. Implement multi-factor authentication (MFA) for all accounts on systems that
can make changes to each agency''s DNS records or, if impossible, provide CISA
with the names of systems, the reasons why MFA cannot be enabled within the required
timeline, and an ETA for when it can be enabled.\
4. CISA will begin regular delivery of newly added certificates to Certificate Transparency
(CT) logs for agency domains via the Cyber Hygiene service. Upon receipt, agencies
must immediately begin monitoring CT log data for certificates issued that they
did not request. If an agency confirms that a certificate was unauthorized, it must
report the certificate to the issuing certificate authority and to CISA. Of course,
it makes sense to put equivalent actions in place within your environment, as well.
\
In DNS hijacking, the attacker assumes control over an account or makes use of a
DNS service exploit to make changes to DNS records. Once they gain access, attackers
can substitute their own MX records, name-server records, and addresses, redirecting
emails and traffic through their infrastructure, where they can read, copy, or modify
information seen. They can also generate valid encryption certificates to help them
avoid browser-certificate checks. In one notable attack on the Internet service
provider GoDaddy, the hackers altered Sender Policy Framework (SPF) records, a relatively
minor change that did not inflict excessive damage but allowed for more effective
spam campaigns.\
The searches in this Analytic Story help you detect and investigate activities that
may indicate that DNS hijacking has taken place within your environment.'
original_authors:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
references:
- https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
- https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/
- http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/
- https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html
spec_version: 2
usecase: Advanced Threat Detection
version: '1.0'
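The narrative's first ED 19-01 action (audit public DNS records and verify they still point where intended) and the "DNS record changed" detection named above both come down to the same control: keep a signed-off baseline of your zone and diff what the world currently resolves against it, treating NS, MX, address and SPF changes as high-impact because those are exactly the records the narrative says a hijacker rewrites. The following Python script is an added example written for this page; it is not Splunk's code and not part of the security_content repository. The zone-file-like layout, the domain `example.gov`, all addresses, and the tampered entries are constructed sample data; in practice the observed side would come from a resolver query or a registrar/DNS-provider API export.

```python
"""Baseline audit of public DNS records (added example, not Splunk code).

Compares a known-good baseline against an observed snapshot and classifies
each drift by impact, mirroring the 'DNS record changed' idea above.
"""
import re

# Constructed baseline: what the zone *should* contain, as "name type value".
# Hypothetical domain and addresses (RFC 5737 documentation range).
BASELINE = """
; approved zone baseline, reviewed by the DNS change board
example.gov      A    192.0.2.10
example.gov      NS   ns1.example.gov.
example.gov      NS   ns2.example.gov.
example.gov      MX   10 mail.example.gov.
example.gov      TXT  "v=spf1 mx -all"
mail.example.gov A    192.0.2.25
"""

# Constructed observation with a rewritten NS, MX and SPF record (the record
# types the narrative says hijackers substitute) plus one benign TXT addition.
OBSERVED = """
example.gov      A    192.0.2.10
example.gov      NS   ns1.example.gov.
example.gov      NS   ns-rogue.example.net.
example.gov      MX   10 mail.example.net.
example.gov      TXT  "v=spf1 mx include:spf.example.net -all"
example.gov      TXT  "site-verification=abc123"
mail.example.gov A    192.0.2.25
"""

# Record types whose change redirects traffic, mail or delegation.
HIGH_IMPACT = {"NS", "MX", "A", "AAAA", "CNAME"}
SPF_RE = re.compile(r'^"?v=spf1\b')


def parse_records(text):
    """Return a set of (name, type, value) tuples; ';' comment lines and blanks are skipped."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        # Normalise owner names so case and a trailing dot never mask a real change.
        records.add((name.lower().rstrip("."), rtype.upper(), value.strip()))
    return records


def audit(baseline_text, observed_text):
    """Diff observed records against the baseline; returns (change, name, type, value) tuples."""
    baseline = parse_records(baseline_text)
    observed = parse_records(observed_text)
    findings = [("added",) + rec for rec in sorted(observed - baseline)]
    findings += [("removed",) + rec for rec in sorted(baseline - observed)]
    return findings


def severity(finding):
    """High for delegation/routing records and SPF policy; low for other TXT data."""
    _, _, rtype, value = finding
    if rtype in HIGH_IMPACT:
        return "high"
    if rtype == "TXT" and SPF_RE.match(value):
        # An SPF rewrite lets attacker infrastructure send as the domain (the GoDaddy case).
        return "high"
    return "low"


def report(baseline_text, observed_text):
    """Return findings with their severity prepended, highest impact first."""
    rows = [(severity(f),) + f for f in audit(baseline_text, observed_text)]
    return sorted(rows, key=lambda r: (r[0] != "high", r[1:]))


if __name__ == "__main__":
    for sev, change, name, rtype, value in report(BASELINE, OBSERVED):
        print(f"[{sev:4}] {change:7} {name} {rtype} {value}")
```

Run against the constructed data the script reports seven drifts: the added and removed NS, MX and SPF TXT entries as high, and the site-verification TXT as low. Scheduled as a cron job or fed into a SIEM, a non-empty high-severity report is the alert; the baseline file itself should live in version control so that every approved change leaves an audit trail, which is also what makes the password and MFA actions in the directive verifiable.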