1 / 41

Martijn van Geffen – Http://tech-savvy.nl

How to run a DMARC project Email and Brand name security to provide identification, validation & GAIN insight REPORTs for domain owners. Martijn van Geffen – Http://www.tech-savvy.nl. The following topics will be discussed in this deck. Why start a DMARC project Attack vectors?

oscarj
Download Presentation

Martijn van Geffen – Http://tech-savvy.nl

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to run a DMARC projectEmail and Brand name security to provide identification, validation & GAIN insight REPORTs for domain owners Martijn van Geffen – Http://www.tech-savvy.nl

  2. The following topics will be discussed in this deck Why start a DMARC project Attack vectors? Implementation phases as domain owner Implement monitoring mode Implement quarantine mode Implement Reject mode Implementation phases as mail receiver Technical best practices Although this document outlines the steps to a full implementation, a design will need to be created to define how the technical implementation will be done and how to monitor this Http://www.tech-savvy.nl

  3. Why START a DMARC Project Http://www.tech-savvy.nl

  4. Why START a DMARC Project Protect employees & customers: Control: • Protect company from brand name reputational damage • Protect employees and customers from Phishing attacks • Protect employees and customers from Data theft • Protect employees and customers from impersonation • Office 365 tags unauthenticated mail as junk • Gain insight into numbers, size and targets • Gain control over trusted 3rd party email delegation • Make your domains less appealing for malicious intent Http://www.tech-savvy.nl

  5. “Cyber security is a CEO issue.” -McKinsey 87% 81% of senior managers have admitted to accidentally leaking business data. $4.0m >300K is the average cost of a data breach per incident. of breaches involve weak or stolen passwords. new malware samples are created and spread every day. CYBER THREATS ARE A MATERIAL RISK TO YOUR BUSINESS Sources: McKinsey, Ponemon Institute, Verizon, Microsoft Http://www.tech-savvy.nl

  6. Phishing is on the rise… >255K >600 >800M >$5B Potential loss via Business email compromise since 2013 Unique phish attacks in 2016 Unique brands attacked Phish mails seen in Q2 & Q3 2017 Source:IC3 report, APWG, Microsoft Http://www.tech-savvy.nl

  7. Protect company from brand name reputational damage Malicious persons might attempt to do reputational damage to your corporation impersonating your company Http://www.tech-savvy.nl

  8. Protect employees and customers from Phishing attacks Malicious persons might attempt to steal credentials from your employees impersonating internal departments Http://www.tech-savvy.nl

  9. Protect employees and customers from Data theft Malicious persons might attempt to steal data from your employees impersonating colleges Http://www.tech-savvy.nl

  10. Gain Insight into numbers, size and targets DMARC will provide you with the data to generate reports of mail that is failing your SPF and DKIM policy. Exposing domain abuse and misconfigured 3rd party’s mail delegation Http://www.tech-savvy.nl

  11. Gain Control over trusted 3rd party email delegation • How do you control a 3rd party sending on behalf of your company. • How do you control your company`s projects asking a 3rd party to send on your behalf. DMARC will give you the insight of projects attempting to launch a new trusted 3rd party sender and DMARC / SPF / DKIM will allow you to stay in control at end of a contract. Http://www.tech-savvy.nl

  12. Make your domains less appealing for malicious persons Your company has a world wide trusted brand name. This makes it appealing for malicious persons as trust with the target victim is already in place. A malicious person will try to find the largest publicly known domain with least defenses. Increasing defenses will decrease attack vectors and numbers. Http://www.tech-savvy.nl

  13. Implementation phases as domain owner Http://www.tech-savvy.nl

  14. Implementation phases as domain owner Http://www.tech-savvy.nl

  15. Implementing the monitor phase Start simple by only monitor the domain and classify abuse and trusted senders. Actions: • Create functional mailbox for reports • Register DNS record SPF (if none is present) • “v=SPF ?all” • Register DMARC record (if none is present) • v=DMARC1; p=none; rua=mailto:report@contoso.com; Http://www.tech-savvy.nl

  16. Create Reports from data received Within 48 hours first reports will be received. ( at least 35 days is needed before a preliminary report can be made ) Actions: • Use a Free tool or script to generate a report based on failed DKIM and failed SPF.(Available from tech-savvy) OR • Outsource DMARC reporting to a 3rd party Http://www.tech-savvy.nl

  17. Identify threads VS trusted senders Use the report to identify trusted senders Actions: • Start with the highest volume count of failed SPF senders. • Validate if the sender is a known trusted sender • Optional: If it is a trusted sender, identify responsible contact of both your company and the 3rd party. This is needed in phase 2 & 3 of implementation Http://www.tech-savvy.nl

  18. Update SPF monitor records Update DNS records for trusted party`s Actions: • For each identified trusted party update your record to include their mail servers in your SPF record. Migrating 3rd party`s to subdomain is preferred and can be done at a later stage. • Do not use include if the 3rd party also has an include. ( monitoring is needed for changes if using include. Risk of including 4th party, its better to use A, MX or IP4 ) Http://www.tech-savvy.nl

  19. Implement monitor phase - Evaluation Review the implementation cost and benefits. If the goal was to gain inside of the domain senders and domain abuse your implementation is finished. Do note timely iterations of the monitoring cycle are needed to maintain the implementation. If the goal is to do a full implementation and protecting the brand name you should start phases quarantine and reject. Http://www.tech-savvy.nl

  20. Implement Quarantine phase In this phase the implementation will be slowly set to advice receivers to quarantine mail that not validates the SPF, DKIM and DMARC checks. DKIM protocol will be implemented Optional: DNS sec will be implemented Http://www.tech-savvy.nl

  21. Implement Quarantine phase Http://www.tech-savvy.nl

  22. Implement Domain Keys Identified Mail • DKIM will be implemented to harden the solution as this brings cryptographic authentication and validation. DKIM is part of the DMARC validations. • To Implement DKIM a sender will need to start signing the mail with a certificate and send the public key to the domain owner. The domain owner publishes this key in DNS so receiver can read the key and validate the signing. Actions: • Validate that all sending mail servers in the SPF record are capable of DKIM signing • Send out instructions to all 3rd party's to start signing with DKIM using the provided selector • Implement DMARC signing at your own MTA`s • Monitor DMARC reports for implementation readiness Http://www.tech-savvy.nl

  23. Implement Domain Keys Identified Mail • At start of this phase you should be confident that the SPF record is solid and no 3rd party senders are missing. Monitoring and formal procedures are in place to secure a 3rd party migration. Creating DMARC reports and analyzing should be a formiliar process. • To ramp up to 100% quarantine you will need to change the SPF record to have a “-all” at the end. This is a big bang change. The impact should be low as you have DMARC report to know what will start to fail SPF check. • Next at intervals you can increase the quarantine for DMARC with any step between 0 and 100 % Actions: • Change the SPF record to “-all” and include a “exp” tag. • Change DMARC record to start quarantine mode with incremental percentages ( pct=10 ) till you reach 100% Http://www.tech-savvy.nl

  24. Implement DNSSEC • All your domains are now protected with SPF, DKIM and DMARC. But a protection is only as strong as the weakest link. All data and policy's for your protection are dependent on the DNS system. Hardening DNS with DNSSEC is recommended. Actions: • Implement DNSSEC on your DNS zones. Http://www.tech-savvy.nl

  25. Implement Quarantine phase - Evaluate After quarantine phase you should evaluate the implementation and review the design. Start procedures on how to implement new domains and 3rd party's. Start procedures on application onboarding to engage mail team implementing DMARC right from the start. Http://www.tech-savvy.nl

  26. Implement reject phase In the reject phase email domains will be set to reject if DMARC fails All the domains will be hardened protecting sub brands Http://www.tech-savvy.nl

  27. Implement reject phase Your advise is still set to quarantine, mail might still be accepted by receivers. As your confidence grows about the mail being quarantined is malicious or unwanted you can switch to reject. This will advice receivers to immediately drop if DMARC fails without the need for further inspection. Actions: • Change DMARC records to reject ( p=reject ) Http://www.tech-savvy.nl

  28. Protect brand names While the email domains have been protected from spoofing attempts the next level is to protect non-email domains used by brand names. As these domains don’t sent out mail registering a reject record will protect the domains. Actions: • Implement SPF on root domain ( v=SPF –ALL EXP:expdomain) • Implement wildcard SPF on sub domains ( v=SPF –ALL EXP:expdomain) • Implement DMARC on root domain (v=DMARC1; p=reject; rua=mailto:report@contoso.com; ) Http://www.tech-savvy.nl

  29. Protect any other domain Register and protect domains that might be perceived as your brand and protect them from abuse ( EAI ) . As these domains don’t sent out mail registering the domain and create the DNS reject record will protect these domains and their original domain. Examples:contoso.nI ( last letter is i instead of L )xn--cntoso-3wa.com.eu ( EAI puny code for còntoso.eu) Actions: • Register DNS domains that look like your Brand domains • Implement DMARC on root domain (v=DMARC1; p=reject; rua=mailto:report@contoso.com; ) • Implement SPF Wildcard & SPF records on root domain ( v=SPF –ALL EXP:expdomain) • Implement wildcard SPF & SPF on sub domains ( v=SPF –ALL EXP:expdomain) Http://www.tech-savvy.nl

  30. Implement reject phase - evaluate All domains , brands and subdomains have been protected Monitor you DMARC reports for abuse against any domain or brand name Keep educating your end users Http://www.tech-savvy.nl

  31. Implementation phases as Mail receiver Http://www.tech-savvy.nl

  32. Implementation phases as mail receiver Http://www.tech-savvy.nl

  33. Identify edge mta capabilities To apply the SPF, DKIM, DMARC policy`s to inbound email the edge Mail Transport Agent has to support the protocols. These protocols can only be enabled on edge MTA`s. Actions: Identify all edge MTA`s and verify if their brand supports SPF, DKIM and DMARC scanning. If needed upgrade the MTA to the latest version to support the latest DMARC releases. If needed import modules to enable the protocol scanning agents.

  34. Enable SPF, DKIM and DMARC validation checks As the domain owner is in control of the SPF, DKIM and DMARC records it is always the domain owner's responsibility to publish the correct policy and it’s a best practice to follow that advice. Due to this enabling the protocols is very low risk and can be done at the same time. Actions: Enable the protocols on your edge MTA`s If needed Configure them to follow the domain owners advise Do not enable DMARC RUF report sending unless your infrastructure can handle the load and you want to participate in troubleshoot other domain owners implementations.

  35. Technical Best practices

  36. SPF best practices • Optimization: • Make use of the SPF sequence lookup. Set your most used servers at the front of the SPF record. • Split your own servers from 3rd party servers by using “include”. This way other party’s can include your servers • Use redirect and include when your servers are responsible for many (sub)domains. • No brainers: • List a server only Once, having servers listed multiple times in different includes only bloats your record. remember SPF evaluation stops at the first match. • Only list outbound servers that send mail out. • Test your SPF records before you implement them. • Make sure the MTA that is doing the SPF check is not behind a NAT device. • Inform your marketing department and application departments. Specially marketing tents to host advertising campaigns via 3rd party mass mail solutions.

  37. SPF best practices • SPF <-> DMARC conflicts: • DMARC uses Boolean validation , SPF “?” and “~” equal “-” for DMARC. • Increased protection: • Harden your security by combining SPF with DKIM. • Use DNS SEC to harden your DNS system that is publishing the public keys. • Publish null SPF records for your domains that don’t send mail. “v=spf1 -all” • Common mistakes and Dont’s: • Use a “all” mechanism with a redirect modifier. • Many administrator think they have protected their domain when they use “~all”. • Do not use “Include” and have it pointed to an empty Record. • Do not change you record to use “include” or “redirect” when the record it points to does not yet exist. First create / change the record in the include. Do not enable SPF check on an MTA that is not on your edge mail infrastructure.

  38. DKIM best practices • Use certificates with a key strength of 1024 or 2048 bit. smaller keys are subjected to security risks. • Do not use 4096 bit certificates. the size of the key does not fit in a 512-byte DNS UDP response packet. • keep the selectors unique and don’t reuse them. • Using a part of the date in the selector name makes it easy to identify for example the date the certificate will expire ( example: mycert052018 ). Now you can query DNS for expiration date instead of investigating the certificates themselves. • Separate your MTA’s selectors from 3rd party servers using different certificates and selectors. This way YOU stay in control of what a 3rd party signs on your behalf. • Use DNS SEC to harden your DNS system that is publishing the public keys. • DKIM is better considered to be a  transport security mechanism than a anti phishing mechanism if used solo. You should combine it with SPF and DMARC.

  39. DNS best practices • Use DNS SEC to harden your DNS system that is publishing the public keys. • Your TXT records should not exceed 512 byte UDP size (roughly 450 characters). • Common mistakes and Don’ts: • Your TXT records on the same domain are NOT multiple records. (this is the same reason as there are only 13 root dns servers) • EAI Guidance: • Look at Tech-savvy.nl EAI post for more details

  40. DMARC best practices • Make an architectural design. • Use both SPF and DKIM. • Use DMARC authorization record when RUA address does not equal the domain. • Do not enable RUF. When needed consult legal ( GDPR / PII data ) • Common mistakes and Don’ts: • DMARC needs SPF and DKIM to succeed.

More Related