How Defense Contractors Protect DNS Security within the Defense Industrial Base

Defense Contractors DoD

In an increasingly digitized world, the security of critical internet infrastructure like the Domain Name System (DNS) has never been more important. DNS serves a relatively simple function – keeping the World Wide Web running smoothly by mapping domain names to IP addresses – but it is fundamentally crucial. Without well-secured DNS, criminal cyber actors and adversary nations are free to use this service against us. Defense contractors play a vital role by securing DNS in the end. DIB organizations need well-secured DNS in an ecosystem of modern technological tools that are vital to national defense. As one group of US officials put it in The New York Times in 2015, DNS is equivalent to the ‘plumbing’ that underpins the modern internet. Without this plumbing, defense contractors as well as average internet users aren’t able to access vital technologies

Implementing Protective DNS (PDNS)

Perhaps the most obvious way that defense contractors help secure DNS is through Protective DNS (PDNS) services. DIB operators will leverage PDNS to re-route malicious domain traffic by identifying and blocking it. Cybercriminals routinely exploit vulnerabilities in the DNS to phish users or attempt to inject malware on corporate networks. PDNS leverages automated methods by examining DNS queries that point to known harmful domains and blocks them before they can cause mischief. This automated preventative defense is important because it substantially reduces the risk of widespread infections caused by phishing or ransomware attacks, which can stop sensitive military operations in their tracks or leak classified government information online by crippling DIB networks.

Enhancing Cybersecurity Frameworks

Protective DNS is one way that defense contractors protect DNS, but other digital security mechanisms help secure other aspects of the network. For example, to take a more holistic approach to defense, defense contractors can often develop more comprehensive cybersecurity frameworks. Advanced threat intelligence is another important part of the equation, as it can provide contractors with early warnings about potential adversaries and the recent cyberattacks associated with those adversaries. Advanced threat intelligence allows the defense contractor to not only enhance its traditional cyber defenses, like Protective DNS, but also augment its other cyber defenses throughout the network. Important examples for potential cyber protection include DNS filtering, multi-factor authentication, and rigorous network segmentation; in short, anything that could prevent an adversary from copying, manipulating or ‘sniffing’ data in transit over a corporate or federal network. By leveraging advanced persistent threat intelligence about known adversaries, defensive cyber operators could detect threats before they even arrive at an organization and stop breaches in their tracks. Although DIB operators are unlikely to have their entire corporate or government network scanned or hacked into, the more sophisticated an adversary’s cyber capabilities become, the more likely it is that segmented, and better secured networks will help secure the data those networks filter.

Adopting Encrypted DNS Protocols

Another way that defense contractors can help secure DIB data privacy and security is through the adoption of emerging encrypted DNS protocols, such as DNS over HTTPS (DoH) and DNS over TLS (DoT). These newer protocols will soon become a standard way to encrypt DNS queries preventing sensitive digests from being intercepted. This includes potentially leaking DNS queries, such as information about a military operation, from the mirror’s glass to a foreign adversary after walking by.

Compliance with Regulations

While the adoption of DNS filtering and encrypted DNS protocols are meaningful ways that defense contractors work to secure DIB data, defense contractors also help to secure DNS systems by making sure that those systems comply with the specific regulations put in place by the DIB. For example, DIB operators are required to implement DNS filtering as part of the Cybersecurity Maturity Model Certification (CMMC) currently being rolled out to defense contractors. Retaining one’s CMMC certification depends upon overall compliance with the security framework. Attaining some certificate of compliance is mandatory, and lacking defenses like DNS filtering could jeopardize one’s ability to secure contracts since the DoD needs to have a mechanism in place to vet suppliers. This is where defense contractors come in.

Research and Development

While simply securing DNS is one important way that defense contractors can contribute to overall DIB security, defense contractors can also help protect the DNS by investing in more research and development. As the challenges with modern cyber threats increase, defense contractors that maintain the DIB understand that proper defense requires heightened investment for better cyber tools. The right set of tools to detect and stymie adversarial activities is essential to preventing a DIB infidelity – making defense contractors a necessary piece of the puzzle needed to protect DIB systems.

Training and Awareness

Having the right technical prowess is important, but defense contractors can also help defend the DIB by properly training DIB personnel in the best practices of DNS security – an important component of securing the plumbing of the DIB. By educating DIB operators and personnel about how DNS functions, but especially to look out for cyber­attack indicators related to DNS infrastructure, defense contractors can help companies minimize the likelihood of a breach. Not only can properly trained personnel detect and prevent harmful attacks on the DIB, but they can also limit the scale and scope of those attacks, helping to contain and remediate any damage that may have been caused. By proving their training, defense contractors can demonstrate to the DIB ethos to prevent large scale hacks and systemic vulnerabilities in the first place. A well-trained defense contractor helps train the whole world.

Collaboration

While defense contractors can also play a vital role in an overall defense of the DIB, they certainly aren’t alone. In fact, defense contractors might not be necessary to defend the DIB – both the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) can effectively help companies protect against cyber threats on their own. However, defense contractors can still contribute by leveraging their relationships to the federal government to facilitate collaborations and knowledge-sharing.

Related News

Shane McNeil has a diverse career in the US Intelligence Community, serving in various roles in the military, as a contractor, and as a government civilian. His background includes several combat deployments and service in the Defense Intelligence Agency (DIA), where he applied his skills in assignments such as Counterintelligence Agent, Analyst, and a senior instructor for the Joint Counterintelligence Training Activity. He is a Pat Roberts Intelligence Scholar and has a Master of Arts in Forensic Psychology from the University of North Dakota. He is currently pursuing a Doctor of Philosophy degree in National Security Policy at Liberty University, studying the transformative impacts of ubiquitous technology on national defense. All articles written by Mr. McNeil are done in his personal capacity. The opinions expressed in this article are the author’s own and do not reflect the view of the Department of Defense, the Defense Intelligence Agency, or the United States government.