We’ve all heard of the increases in e-mail phishing/scamming/spoofing. Typical phishing or spear phishing scams usually include a malicious URL or attachment, that attempts to install malware or to gather more information (credit card, bank account, etc…), while whaling is a pure social engineering hack. If your organization falls victim to these exploits, it can be financially impactful to you and your customers; and if word gets out, it can be damaging to your organizational reputation.
In this installment, of the multi-part series on “Protecting Your Organization’s Reputation”, we’ll be focusing on the area of Email Reputation.
So, what can you do to help protect your e-mail reputation…There are five key components that assist in protecting your email communications from spammers, spoofers, and phishers; but most organizations don’t use all of them and many don’t use any of them. The first three components are: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC). These components provide the best coverage when implemented together. I am not diving deep into these technologies right now, so please refer to the links above for detailed explanations. The fourth component is inbound email URL rewrite/redirect, which can go by a variety of names depending on the vendor. Last, but not least, is the fifth component: Security Awareness Training.
Let’s start with the bare minimum of email domain reputation coverage with SPF. In a nutshell, SPF provides a list servers (by name or IP address) that are authorized to send mail on behalf of your e-mail/SMTP domain. If the receiving system(s) check(s) for the SPF record of the sending system and its name or address is not on the list, then it is about to receive mail from an unauthorized server and may likely be spam. SPF is not the cure-all and it is quite possible that server name, IP address and/or FROM user e-mail address may be spoofed; but by having SPF record(s) set up and maintained for your domain(s), it will likely keep you off blacklists/block-lists maintained by Spamhaus, Spamcop and other spam reporting services. Unless, of course, you are sending a lot of unsolicited bulk email, then you will rightly be put in the lists for email abuse, but that is within your control and a different discussion. An important point to remember, when defining the SPF record, is to make sure you include third-party vendors, such as marketing companies that send mail as/on-behalf of your e-mail domain.
DKIM provides a verification mechanism for receiving e-mail systems by applying a digital signature to all outgoing message headers. This is not the same as signing a message from an e-mail client, which signs the message itself. This process is transparent to both the user sending and user receiving the message. DKIM allows for verification of the signing domain of a message, as well as the integrity of its contents. If the digital signature doesn’t match, then likelihood of spoofing is high and DKIM verification will fail.
SPF and DKIM provide some different types of authorization checking mechanism, but used alone can still allow spoofing. In particular, one type of spoofing, spear phising, can still happen if the mail appears to be coming from an internal user and whaling, a more specific type of spear phishing, targets C-level and Board-level users to get them to divulge financial and other types of sensitive information. DMARC is the third component that helps to protect against direct domain spoofing, where mail appears to come from another user internally, yet the sending system is from outside the organization. Leveraging SPF and DKIM with DMARC, allows for additional spam/spoof filtering options, depending on your e-mail filtering solution, to protect your internal users.
URL Rewrite/Threat Protection
As inbound mail arrives at the gateway, it is scanned for embedded URLs, which are rewritten as they pass through and eventually delivered to the mailbox. When a user clicks on the hyperlinks, the URLs are examined in real time. If a link is unsafe, the user is warned not to visit the site or informed that the site has been blocked. This is a great way to dramatically reduce the risk of zero-day malware attacks.
Since this is a gateway solution, there is no client software or device dependency issues and this rewrite need only be done once per user email, regardless the client. There are on-premises/device-based offerings, as well as cloud-based offerings that are part of our layered protection services.
Automated Phishing Response and Mailbox Anomaly Detection
Automated Phishing Response uses a combination of human intelligence with machine learning to streamline phishing incident analysis. This can then be used to setup orchestration rules to automatically respond to phishing attacks.
A Mailbox Anomaly Detection system can continuously study every organization inbox to detect anomalies (using machine learning algorithms) based on both email data and metadata extracted from previously trusted communications.
Our layered protection services, includes these capabilities.
All these technologies help, but nothing is 100% foolproof. As attacks get more sophisticated, things could still slip through, so we have the human element to contend with. Just one spoofed or even non-spoofed email message asking for very sensitive information to what some may think are a more innocuous request for info, a sign-up link, a free gift, etc…if launched or replied to, could spell disaster.
Security Awareness Training is something that is often overlooked or even dismissed, much to the dismay of impacted organizations. Some very targeted and effective phishing training and tools, that can be used to dramatically reduce the human error component. Contact Us
In Protecting Your Organization’s Reputation – Part 3, we’ll look at Data Loss/Leakage Protection (DLP) technologies/tools to help protect your data and your organization’s reputation.