NSA, Homeland Security Push Service to Mitigate Cyber-Attacks
(Bloomberg) -- As the U.S. reels from major cyber-attacks by suspected Russian and Chinese hackers, officials are looking to implement new technologies that would allow the federal government to respond more effectively.
The National Security Agency and the Department of Homeland Security believe they have part of the answer within the Domain Name System, or DNS, often referred to as the phone book of the internet. They are encouraging government agencies and high-risk companies to embrace a system known as Protective DNS, in which a private security firm would monitor and filter web traffic.
The payoff could be enormous, officials say. PDNS blocked connections to malicious websites millions of times in a recent test involving five U.S. defense contractors. After it was installed in the U.K., the system blocked nearly 60 million connections to suspect sites in 2018 alone, including 450,000 related to the infamous WannaCry strain of ransomware, according to a report issued by the National Cyber Security Centre.
DNS is “often a problem for agencies that we protect,” said Cameron Dixon, a policy technologist at the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. That is because, while DNS is a basic component of the internet, it is often overlooked by network defenders, Dixon said.
Protecting DNS would allow the U.S. to “take more swift and comprehensive action quite immediately” in the aftermath of major cyber-attacks, such as the two recent breaches, said Lieutenant Zachary Dannelly, a deputy chief operations officer at the National Security Agency.
The NSA and the Department of Homeland Security issued guidance recommending PDNS the same week Microsoft Corp. revealed that suspected Chinese hackers had compromised users through flaws in its code for Microsoft Exchange, the company’s software for email. The attack affected tens of thousands of users, according to cybersecurity experts.
Months earlier, cybersecurity investigators revealed that suspected hackers had exploited a vulnerability in software by the Texas-based firm SolarWinds Corp., which is used across the government and private sector. At least nine U.S. agencies and 100 companies were targeted by the suspected Russian hackers.
The twin attacks created a sense that efforts to secure the internet, despite years of multi-billion dollar investments and technology advances, had simply broken down. PDNS only works in cases of known malware, meaning it wouldn’t have been able to block the attacks on SolarWinds and Microsoft. But it would have aided the response to both attacks, according to the officials.
The PDNS service recommended by the U.S. government has two major benefits in the face of cyber-attacks, the officials said. First, it scans DNS queries to identify requests to access web addresses that are associated with known malware and blocks them, stopping users from going to malicious sites such as when they inadvertently click on links sent in phishing emails.
The second benefit is that it tracks DNS queries and maintains a log. This log is valuable when new malware is discovered because the tracked information can provide a road map to where the malicious code has landed -- the information needed to “facilitate strong incident response activities,” said Dixon.
The U.S. government and private sector have struggled to respond to the recent Microsoft and SolarWinds attacks because of their size and complexity. For example, a senior administration official said Friday that the nine agencies breached in the SolarWinds attack will complete their network reviews by the end of March -- almost four months after the suspected Russian hackers were first discovered.
The U.S. decision to recommend PDNS is the result of a study conducted by the Department of Defense and NSA. Over six months, starting in March 2020, Defense officials added protections to DNS on computer systems of five different companies in the defense sector.
Then, the officials monitored the DNS queries -- or requests to translate domain names entered by people into IP addresses that are usable by computers -- that took place within the company networks during that period. The officials studied how many hacking attempts they could catch using PDNS protections.
The study was highly successful, said Dannelly. Of the 4 billion DNS queries made in the course of the six months at the companies under observation, PDNS flagged 3,500 malicious domains and blocked suspicious connections 13 million times. In addition, his team was able to use information generated by PDNS logs to find two malicious devices connected to the company networks -- an internet-connected light switch and an employee’s personal device that contained malware.
In 2017, the U.K.’s National Cyber Security Centre released similar guidance. While the U.K. government built a PDNS service for use by the public sector, the American effort relies on private-sector security companies to provide the protection. The U.S. guidance is largely aimed at operators of critical infrastructure and national security systems in the public and private sector.
The NSA chose to study PDNS because it is low-cost and scalable, according to Dannelly. It’s one of the security elements needed to protect the U.S. from cyber-attacks moving forward, he said, adding that U.S. is considering similar studies on other cybersecurity techniques.
“It is not the silver bullet,” Dixon said. “It is a piece of a layered approach. You need to have more pieces than just this.”
©2021 Bloomberg L.P.