Ingressum

$100M email fraud and the DON’T of DMARC Compliance

There’s an old saying that rings true far too often: “the plumber’s house has the worst plumbing in the street”, or, in technology terms, “the online service provider still running on physical, non-virtualized servers”. The point is that those who should know better, who should lead by example and apply their own recommendations to their own systems, frequently fall short.

Email spoofing, in the forms variously called spear phishing, whaling, CEO email fraud and BEC (business email compromise), plus a few other labels used interchangeably, has caught out many organizations, in particular large multinationals with functional teams distributed across many centres around the globe.

News that broke this past week of a Lithuanian national being charged in connection with a $100M USD email spoofing attack against two unnamed US global tech giants came as a surprise to me. Talk on the street is that one of the tech giants makes smartphones, and we’re not talking about Android!

Running a quick check on that company’s DMARC record using dmarcian’s DMARC Inspector (https://dmarcian-ap.com/dmarc-inspector/) proved insightful, and disappointing.

This story carries an important lesson for the rest of us.
About 12 months ago we covered a similar story: executives and CxO-level staff targeted in CEO email abuse scams.

DMARC at p=none doesn’t provide security
The DMARC standard provides for three policy settings:
None – otherwise known as passthrough or monitor mode. Used for reporting and discovery purposes only; receivers report on failures but take no action. This is the initial state.
Quarantine – messages that fail DMARC are flagged as suspicious and delivered to the recipient’s spam or junk folder.
Reject – the strongest policy. The domain owner tells the ISP or email gateway to reject anything that fails DMARC, so the message is never delivered to the recipient.
In fact, a policy of p=none gives many a false sense of security. A p=none record asks receivers to report but to take no action, so a spoofed message that fails both SPF and DKIM alignment for your domain is still delivered exactly as if no DMARC record existed. It is up to the service provider to recommend a DMARC Compliance program that moves the domain owner from passthrough mode to quarantine and on to reject. We can’t say for certain whether the US global tech giant that fell victim to the email spoofing attack is or is not conducting a DMARC compliance program. The obvious question to them is “why are you still on the DMARC policy of p=none, passthrough?”
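To make the difference between the three policies concrete, here is an added example (my own code, not from the Ingressum post) that parses a DMARC record and works out what a receiver does with a spoofed message under each policy. It assumes the record is published at the organizational domain passed as policy_domain, and it approximates the organizational domain of any name as its last two labels; real receivers use the Public Suffix List for that step.

```python
"""Added example: evaluate a DMARC record against SPF/DKIM results.

Assumptions: the record lives at `policy_domain`; organisational domain
is approximated as the last two labels (no Public Suffix List lookup).
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= when absent
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    return tags


def org_domain(name: str) -> str:
    """Simplified organisational domain: last two labels (assumption, no PSL)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organisational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    spf_result: str    # result of the SPF check on MAIL FROM / HELO
    spf_domain: str    # domain SPF was evaluated for
    dkim_result: str   # result of DKIM signature verification
    dkim_domain: str   # d= of the verified signature ("" if unsigned)


def dmarc_disposition(record: dict, policy_domain: str, from_domain: str,
                      auth: AuthResults, sampled: bool = True) -> dict:
    """Return the DMARC result and the disposition a receiver applies.

    `sampled` says whether the pct= lottery selected this message; per
    RFC 7489 an unselected message gets its policy stepped down one level.
    """
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, record["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none", "delivered": True}

    # p= applies to the organisational domain itself, sp= to its subdomains.
    fd = from_domain.lower().rstrip(".")
    pd = policy_domain.lower().rstrip(".")
    policy = record["p"] if fd == pd else record["sp"]
    if not sampled:
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return {"dmarc": "fail", "disposition": policy, "delivered": policy != "reject"}


# Constructed scenario: a CEO-fraud message claiming to be From: the org
# domain, sent from infrastructure that passes neither SPF nor DKIM for it.
SPOOF = AuthResults(spf_result="fail", spf_domain="attacker.example",
                    dkim_result="none", dkim_domain="")


def compare_policies() -> dict:
    """Disposition of the same spoof under each of the three p= values."""
    out = {}
    for p in ("none", "quarantine", "reject"):
        rec = parse_dmarc_record(f"v=DMARC1; p={p}; rua=mailto:dmarc@example.com")
        out[p] = dmarc_disposition(rec, "example.com", "example.com", SPOOF)["disposition"]
    return out


if __name__ == "__main__":
    print(compare_policies())
```

The spoof fails DMARC under all three records; only the disposition changes, and under p=none the receiver still hands it to the inbox. Run it against your own record text to see which branch your domain is on.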

DMARC Compliance
Email-borne attacks are one of the most common techniques cyber criminals use to get past an organization’s perimeter security. They are surprisingly effective, not because of any advanced software coding skills, but because of lax or even non-existent email security controls.

So what do you do? Initiate a DMARC Compliance program!
1. Publish a DMARC record on all your organizational domains (the “top-level domains” in the sense of example.com) in passthrough mode, p=none. This is the discovery phase; reporting should begin overnight.
2. Subscribe to a DMARC reporting platform such as dmarcian. You’ll need one, because the aggregate reports generated by the ISPs and email gateways arrive as XML.
3. Correct any obvious errors in the SPF and DKIM records of the domains. The dashboard should show the initial status of those records; the first round of fixes is usually syntax errors.
4. Wait long enough to collect a good volume of DMARC reporting.
5. Discuss with the stakeholders how your organization deals with third-party senders that send email on your behalf: do you keep them on the organizational domain, and if so why, or do you delegate them to a specific subdomain?
6. DMARC allows a different policy for a parent domain and its subdomains (the p= and sp= tags), so it is possible to start with a strict quarantine policy on the organizational domain and a more relaxed passthrough policy on the subdomains, or vice versa.
7. After a few weeks you should have an audit of the majority, or all, of the email sources that use your domains, and believe me when I say this is an eye-opening moment. With the assistance of the DMARC service provider and the statistical data collected on the dashboard, an implementation plan can start to take shape: remediate the underlying SPF and DKIM issues, then plan the move to a stricter quarantine policy, or even reject, in the short to mid term.
Wow, now I feel safer already!!
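The audit in the steps above comes out of the XML aggregate (rua) reports. As an added example (my own code, not from the Ingressum post or from dmarcian), here is a minimal reader for one such report that sorts sources the way the remediation plan needs them: aligned, authenticating but unaligned (typically a third-party sender to fix or delegate to a subdomain), and unauthenticated. The report below is constructed for the example and follows the RFC 7489 Appendix C layout; its IP addresses are documentation ranges.

```python
"""Added example: turn a DMARC aggregate report into a per-source audit."""
import xml.etree.ElementTree as ET

# Constructed sample report (not a real receiver's data).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-reports@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1486000000</begin><end>1486086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>esp-bounces.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>37</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(elem, path: str, default: str = "") -> str:
    node = elem.find(path)
    return node.text.strip() if node is not None and node.text else default


def parse_aggregate_report(xml_text: str) -> dict:
    """Parse one rua report into the published policy and a list of sources.
    Reports come from third parties, so use defusedxml instead of the
    stdlib parser when processing real ones."""
    root = ET.fromstring(xml_text)
    policy = {tag: _text(root, f"policy_published/{tag}") for tag in ("domain", "p", "sp", "pct")}
    sources = []
    for rec in root.findall("record"):
        # policy_evaluated/dkim and /spf are already the *aligned* results
        dkim_aligned = _text(rec, "row/policy_evaluated/dkim") == "pass"
        spf_aligned = _text(rec, "row/policy_evaluated/spf") == "pass"
        sources.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "header_from": _text(rec, "identifiers/header_from"),
            "dmarc_pass": dkim_aligned or spf_aligned,
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            # raw results explain *why* alignment failed, e.g. SPF passing
            # only for an unaligned third-party bounce domain
            "raw_spf": [(_text(s, "domain"), _text(s, "result")) for s in rec.findall("auth_results/spf")],
            "raw_dkim": [(_text(d, "domain"), _text(d, "result")) for d in rec.findall("auth_results/dkim")],
        })
    return {"policy": policy, "sources": sorted(sources, key=lambda s: -s["count"])}


def classify(source: dict) -> str:
    """Triage label for the remediation plan."""
    if source["dmarc_pass"]:
        return "aligned"
    if any(r == "pass" for _, r in source["raw_spf"] + source["raw_dkim"]):
        return "unaligned"        # authenticates for some domain, not ours: likely a 3rd-party sender
    return "unauthenticated"      # nothing passes: spoof, or a badly broken sender


def audit(xml_text: str) -> dict:
    """Message counts per class and the impact of moving to p=reject."""
    report = parse_aggregate_report(xml_text)
    totals = {"aligned": 0, "unaligned": 0, "unauthenticated": 0}
    for s in report["sources"]:
        totals[classify(s)] += s["count"]
    return {
        "published_policy": report["policy"]["p"],
        "totals": totals,
        "delivered_under_current_policy": sum(s["count"] for s in report["sources"] if s["disposition"] == "none"),
        "would_be_rejected_under_p_reject": totals["unaligned"] + totals["unauthenticated"],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_REPORT))
```

On the constructed report every message, including the 37 from the source that fails both SPF and DKIM, is delivered because the published policy is p=none; the 340 from the unaligned third-party sender are what step 5 above has to sort out before the switch to quarantine or reject.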

By Con Lokos