Back in July of this year, DHS’s Transportation Security Administration (TSA) issued a second Security Directive that requires owners and operators of critical pipeline systems and facilities to implement certain security measures to defend against threats like ransomware. This is on top of the initial Security Directive that was issued in May 2021 at the heels of a major ransomware attack on a major US pipeline company that caused widespread disruptions and long lines at the gas pumps for several regions in the country.
The directive requires implementing specific mitigation measures using guidelines published by the National Institute of Standards and Technology (NIST) and recommendations from recent CISA (Cybersecurity and Infrastructure Security Agency) alerts (such as AA21-131A, AA21-201A). It also requires pipeline owners and operators to develop a cybersecurity contingency/response plan to reduce risk of disruptions after an attack, and have their cybersecurity architecture design reviewed by a third party so that businesses are using the most advanced technology and most recent information to minimize damage from cyber crime.
The Secretary of Homeland Security, Alejandro N. Mayorkas, stressed the importance of protecting the country’s critical infrastructure from evolving threats. “Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security”, he said.
DNS Security for Blocking Cyberattacks and Fulfilling some of the Security Directive Measures
90% of malware, including most ransomware, use DNS at some point in its lifecycle. When users click on phishing links or go to a website that may be hosting ransomware, it requires a DNS lookup before it connects. This initial connection is then followed by several back and forth communications between the device (which could now be infected) and the C&C destination, which also happens over DNS. So, using threat intelligence and analytics on DNS can block these activities, effectively either preventing the initial infection or preventing C&C callbacks that could result in downloads of further malicious code or encryption software. Thus DNS security offers a continuous threat monitoring and response solution and helps pipeline companies and others in critical infrastructure sectors to fulfill some of the measures put forth by the second Security Directive.
NSA and CISA’s View
Anne Neuberger, Director of Cybersecurity at NSA (National Security Agency), recently noted that “using secure DNS would reduce the ability for 92 percent of malware attacks both from command and control perspective deploying malware on a given network.” based on NSA analysis. Earlier this year, the NSA and CISA also put out a document on selecting a Protective DNS Service that talks about how DNS is central to modern networks and why it can be used as a key defense mechanism against cyberthreats.
DNS is foundational Network Infrastructure for America’s Critical Infrastructure
As IT and OT systems converge and more systems become IP-aware, shifts in thinking are required both in terms of continuous asset discovery and knowing the external locations that certain systems are reaching out to — even if those systems have been historically considered safely walled off from the outside environment. As a ubiquitous foundational network protocol, DNS will be a trustworthy source of data on this front for years to come because a DNS resolver 1) captures the source of the outbound query and 2) distributes information on the external address in question. As a simple example, some of the domains used in the major pipeline attack were registered in risky corners of the Internet, on commonly abused top level domains (TLDs). Properly configured DNS servers serve as instant identifiers of this suspicious activity and as effective control points via Response Policy Zone implementation in this case. The DNS server can provide context around policy and tactical questions like “Why were systems on this network segment communicating with those TLDs? Should they be allowed to?”.
BloxOne Threat Defense for Comprehensive Visibility and DNS Security
BloxOne Threat Defense is an award winning DNS security solution from Infoblox that uses a combination of highly accurate threat intelligence with ML/AI analytics to detect threat activity and block C&C communications. It also triggers remediation action in real time, as soon as the threat is detected, through integrations with other security ecosystem tools in the network such as vulnerability scanners, NAC, and ITSM.
Together with the underlying DNS, DHCP and IPAM platform, BloxOne Threat Defense provides unparalleled asset visibility and awareness by providing additional contextual info on a compromised system such as location in the network, type of device and an audit trail of all activity from that system. This helps administrators quickly identify systems that are reaching out to suspicious destinations and take quick, precise action.
Learn more about BloxOne Threat Defense here.
