
Why Domain Name Security Matters Most?

In my recent CircleID post, DNS, Domain Names, and Certificates: The Missing Links in Most Cybersecurity Risk Postures, I highlighted the importance of applying multiple layers of defense to secure these business-critical assets. Last Friday, Brian Krebs, the world-renowned cybersecurity journalist, reiterated the criticality of domain name security because the domain name “e-hawk.net” was stolen from the rightful owner using social engineering tactics targeting its domain name registrar.

In his post, Does Your Domain Have a Registry Lock?, Mr. Krebs walked through the tactics attackers use and the measures companies can adopt, such as Registry Lock, to protect their vital domain names (see below). He also reiterated that an overwhelming majority of organizations, regardless of industry or geographic location, including the Forbes Global 2000, are at risk, with less than 25% having adopted the Registry Lock Protocol.

Best Practices to Maximize Security Against Domain Name & DNS Hijacking (Source)

  1. Use registration features like Registry Lock that can help protect domain name records from being changed. Note that this may increase the amount of time it takes going forward to make key changes to the locked domain (such as DNS changes).
  2. Use DNSSEC (both signing zones and validating responses).
  3. Use access control lists for applications, Internet traffic and monitoring.
  4. Use 2-factor authentication, and require it to be used by all relevant users and subcontractors.
  5. In cases where passwords are used, pick unique passwords and consider password managers.
  6. Review the security of existing accounts with registrars and other providers, and make sure you have multiple notifications in place when and if a domain you own is about to expire.
  7. Monitor the issuance of new SSL certificates for your domains by monitoring, for example, Certificate Transparency Logs.
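The first, second and seventh items in the list above can be checked programmatically rather than by hand. The script below is an added example, not code from the post, from Mr. Krebs, or from CSC. It assumes you have already retrieved the domain's RDAP record (RFC 9083 JSON, in which EPP status codes appear as lower-case phrases per RFC 8056, e.g. "server transfer prohibited") and a list of certificate entries from a Certificate Transparency monitor; both inputs are constructed inline so the audit runs offline. The `allowed_issuers` allow-list, the CT entry field names (`issuer`, `names`) and the `PostureReport` structure are this example's own assumptions, not part of any RDAP or CT standard.

```python
"""Audit a domain's hijack-resistance posture from RDAP data and CT-log entries.

Added example (not from the CircleID post). Inputs are constructed samples;
in practice the RDAP document comes from the registry's RDAP server and the
CT entries from a Certificate Transparency monitor.
"""
from dataclasses import dataclass, field

# RDAP renders the EPP "server*Prohibited" codes as these phrases (RFC 8056).
# All three server-side locks together are what a Registry Lock service sets;
# only the registry can clear them, so a compromised registrar account cannot.
REGISTRY_LOCK_STATUSES = {
    "server delete prohibited",
    "server transfer prohibited",
    "server update prohibited",
}
# Client-side locks are set by the registrar and are removable by anyone who
# controls the registrar account, so they are weaker than Registry Lock.
REGISTRAR_LOCK_STATUSES = {
    "client delete prohibited",
    "client transfer prohibited",
    "client update prohibited",
}


@dataclass
class PostureReport:
    """Assumed report shape for this example; not a standard format."""
    domain: str
    registry_locked: bool
    registrar_locked: bool
    dnssec_signed: bool
    unexpected_certs: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def assess_rdap(rdap: dict) -> tuple[bool, bool, bool]:
    """Return (registry_locked, registrar_locked, dnssec_signed) from an RDAP domain object."""
    statuses = set(rdap.get("status", []))
    registry_locked = REGISTRY_LOCK_STATUSES <= statuses
    registrar_locked = REGISTRAR_LOCK_STATUSES <= statuses
    # secureDNS.delegationSigned is true when DS records exist in the parent zone.
    dnssec_signed = bool(rdap.get("secureDNS", {}).get("delegationSigned", False))
    return registry_locked, registrar_locked, dnssec_signed


def _covers_domain(name: str, domain: str) -> bool:
    """True if a certificate SAN covers the domain, a subdomain, or a wildcard of it."""
    name = name.lower().lstrip("*.")
    return name == domain or name.endswith("." + domain)


def unexpected_certificates(ct_entries: list, domain: str, allowed_issuers: set) -> list:
    """CT entries that cover the domain but were issued by a CA outside the allow-list.

    Each entry is assumed to be {"issuer": str, "names": [str, ...]} (constructed shape).
    """
    domain = domain.lower()
    return [
        entry for entry in ct_entries
        if any(_covers_domain(n, domain) for n in entry.get("names", []))
        and entry.get("issuer") not in allowed_issuers
    ]


def audit(domain: str, rdap: dict, ct_entries: list, allowed_issuers: set) -> PostureReport:
    """Combine the registry-lock, DNSSEC and CT checks into one report with findings."""
    registry_locked, registrar_locked, dnssec_signed = assess_rdap(rdap)
    report = PostureReport(domain, registry_locked, registrar_locked, dnssec_signed)
    report.unexpected_certs = unexpected_certificates(ct_entries, domain, allowed_issuers)
    if not registry_locked:
        report.findings.append(
            "Registry Lock not applied: server*Prohibited statuses missing, so a "
            "registrar-account compromise can change nameservers or transfer the domain.")
    if not dnssec_signed:
        report.findings.append("Zone is not DNSSEC-signed (no DS delegation at the parent).")
    if report.unexpected_certs:
        report.findings.append(
            f"{len(report.unexpected_certs)} certificate(s) for {domain} issued by a CA "
            "outside the allow-list; verify they were requested by your organisation.")
    return report


# Constructed sample inputs (not real registry data).
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client delete prohibited",
               "client update prohibited"],
    "secureDNS": {"delegationSigned": False},
}
SAMPLE_CT = [
    {"issuer": "Example Corporate CA", "names": ["example.com", "www.example.com"]},
    {"issuer": "Unlisted Public CA", "names": ["mail.example.com"]},
    {"issuer": "Example Corporate CA", "names": ["example.net"]},  # different domain
]

if __name__ == "__main__":
    result = audit("example.com", SAMPLE_RDAP, SAMPLE_CT, {"Example Corporate CA"})
    for finding in result.findings:
        print("-", finding)
```

The sample data shows the common case the post warns about: the domain carries only registrar-level (client) locks and no DNSSEC, so the report flags it as exposed to exactly the registrar social-engineering route used against e-hawk.net, and it surfaces one certificate issued for a subdomain by a CA the organisation does not use. Run the same audit on a daily schedule against live RDAP and CT data to get the "continuous monitoring and alerting" the post calls for.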

From my perspective, this business risk persists because of a general lack of awareness of domain name and DNS hijacking, combined with the fact that most domain name registrars do not support the Registry Lock Protocol. The warnings are not new: FireEye's Mandiant team reported in early 2019 on a global DNS hijacking campaign that appeared to be connected to the Iranian government, which prompted the Department of Homeland Security to issue an emergency directive on mitigating the risk of DNS hijacking.

Cybercriminals are taking advantage of this risk and have been doing so for quite some time. Throughout 2019, Cisco Talos warned about the state-sponsored ‘Sea Turtle’ attack taking control of DNS systems and stated, “the actor ultimately intended to steal credentials to gain access to networks and systems of interest.” And just this week, Reuters reported in “Exclusive: Hackers acting in Turkey’s interests believed to be behind recent cyberattacks—sources” that another group of hackers alleged to be working for the Turkish government’s interests attacked government organizations and companies via DNS hijacking.

Furthermore, domain name registrars vary widely in their controls, processes and security measures. When assessing your domain name registrar's capabilities, validate that they apply a Defense in Depth approach to securing your "vital" domain names:

  • Are they ICANN & registry accredited with enterprise-class technology and operational processes?
  • Do they provide secure portal access, for example with 2FA?
  • Do they help apply advanced security features like Registry Lock/DNSSEC/DMARC/CAA Records?
  • Do they allow for the control of user permissions?
  • Do they help identify “vital” domain names and provide continuous monitoring and alerting?

In closing, ask your domain name registrar tough questions because they hold the “keys to the kingdom,” which can jeopardize your company’s reputation, finances, security, data and intellectual property.

By Vincent D'Angelo, Global Director at CSC
