The U.S. Department of Homeland Security issued an emergency directive in January 2019 giving government agencies ten days to verify that they weren't compromised by DNS hijacking. A few days later, the Internet Corporation for Assigned Names and Numbers (ICANN), the organization responsible for governing large parts of the internet, issued a bleak warning urging businesses to do the same, and to enact stronger security measures.
For cybersecurity professionals, the welcome urgency behind these recent warnings may get lost in the wilderness of the cyber issues that they face. "Positive developments" like the above directive too often come in the form of a Hail Mary alert when an attack is already underway, and generally after countless warnings have been issued. ICANN has been pointing out vulnerabilities in the DNS system since at least 2001, and has spent the better part of the last decade urging companies to adopt the more secure Domain Name System Security Extensions, or DNSSEC.
Today, less than 20% of DNS traffic is secured by DNSSEC, and only three percent of Fortune 1,000 companies have implemented it. It's not news that companies and enterprises need to start taking cybersecurity more seriously, but as far as DNS is concerned, it's especially urgent.
What Is DNS and How Does It Get Hijacked?
DNS, or the Domain Name System, is a core Internet service. Every server has a unique address, called an IP address, which consists of numbers, dots and sometimes letters. These addresses are used to locate other computers and connect to them, but working with them directly is extremely user-unfriendly. This is where domain names help. Instead of typing 188.8.131.52, we type "Google.com." From there, your device connects to a DNS server, which looks up the domain name and sends the request to the correct IP address.
That moment when a name is matched to a number is where hackers can intervene. It can happen in a number of ways, but in each of them DNS hijacking means your page request doesn't go to the site you asked for, or it takes a detour through a hacker's computer before it gets there. And, you guessed it, there's no obvious way to tell that it's happening.
If this sounds far-fetched, keep in mind that hacking groups with connections to the Iranian government have been doing it with great success for a few years now, targeting companies, governments and universities with a wide array of sophisticated DNS hijacks. Other hackers deployed similar methods for years: Google's DNS servers were hijacked in 2014, and even ICANN's domain names were hit by a DNS hijack in 2008.
Why are so few businesses adopting DNSSEC?
With hackers able to exploit this flaw for years, and organizations like ICANN sounding the alarm, why is DNSSEC adoption lagging?
- Low Information Environment: Virtually every article online describing DNS hijacking needs to explain what DNS is first. Complex tech issues often create priority gaps when cybersecurity experts fail to communicate why decision makers should commit resources to the implementation of DNSSEC.
- DNSSEC Requires Experts: It takes a qualified IT person to check DNS settings to identify a hijack, and an even more qualified person to implement DNSSEC to prevent it. The reluctance to implement it stems from widespread obsolescence: internal networks and corporate intranets often require extensive structural re-working to accommodate DNSSEC. A misconfiguration could effectively take an entire business offline, or worse, open it to a wide array of cyberattacks.
- No One's Doing It: Getting executives to commit sufficient resources to cybersecurity is a struggle, and when no one else is following a protocol it's even harder. DNSSEC depends on widespread compliance, and businesses still haven't reached a tipping point where it's viewed as a requirement.
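One way to make the "check DNS settings to identify a hijack" step repeatable is to compare the answers several resolvers return against a known-good baseline. The following is an added example, not part of the original article; the domain names, addresses and resolver labels are constructed sample data, and in practice the observed answers would be collected with a tool such as dig.

```python
# Added example: audit DNS answers from several resolvers against a known-good baseline.
# All names, addresses and resolver labels below are constructed sample data.

def norm(value):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return value.strip().lower().rstrip(".")

def audit(baseline, observed):
    """baseline: {(name, rtype): expected values}
    observed: {resolver: {(name, rtype): values seen}}
    Returns findings sorted by name: (name, rtype, verdict, per-resolver detail)."""
    findings = []
    for (name, rtype), expected in baseline.items():
        key, want = (norm(name), rtype.upper()), {norm(v) for v in expected}
        seen = {}
        for resolver, answers in observed.items():
            table = {(norm(n), t.upper()): v for (n, t), v in answers.items()}
            seen[resolver] = {norm(v) for v in table.get(key, ())}
        bad = {r: got for r, got in seen.items() if got != want}
        if not bad:
            continue
        same_answer = len({frozenset(got) for got in bad.values()}) == 1
        if len(bad) == len(seen) and same_answer:
            # Every vantage point agrees on a non-baseline answer: the record
            # itself was changed (at the registrar or DNS host), by you or not.
            verdict = "CHANGED_EVERYWHERE"
        else:
            # Only some resolvers differ: look at those resolvers and their caches.
            verdict = "RESOLVERS_DISAGREE"
        detail = {r: {"unexpected": sorted(got - want), "missing": sorted(want - got)}
                  for r, got in bad.items()}
        findings.append((key[0], key[1], verdict, detail))
    return sorted(findings, key=lambda f: f[:2])

BASELINE = {  # constructed: what the organization believes its records should be
    ("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("www.example.com", "A"): {"192.0.2.10"},
    ("mail.example.com", "A"): {"192.0.2.25"},
}
OBSERVED = {  # constructed: answers as seen from two different resolvers
    "resolver-a": {("example.com", "NS"): {"NS1.example.com", "ns2.example.com"},
                   ("www.example.com", "A"): {"192.0.2.10"},
                   ("mail.example.com", "A"): {"203.0.113.77"}},
    "resolver-b": {("example.com", "NS"): {"ns1.example.com", "ns2.example.com"},
                   ("www.example.com", "A"): {"198.51.100.9"},
                   ("mail.example.com", "A"): {"203.0.113.77"}},
}

if __name__ == "__main__":
    for name, rtype, verdict, detail in audit(BASELINE, OBSERVED):
        print(name, rtype, verdict, detail)
```

A finding is only a prompt to investigate: a legitimate, unrecorded change produces the same result as a hijack, so the baseline has to be kept current.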
Hackers and other bad actors on the world stage are constantly evolving. Cybersecurity should be front and center in every boardroom and government agency. All too often it is not. The fact that state actors have been stepping up DNS hijacks on businesses and government sites of late should be no surprise. The door's been wide open for more than a decade.