Phishing attacks are the cause of a significant number of breaches. It’s the email with the sense of urgency, that email with all the typos or more alarmingly it’s the email from your boss that’s asking for ten Amazon gift cards or to reset their password. These are often the ones you see, but what happens to everything else? There are multiple ways to prevent phishing attacks. These include training staff through security awareness training and test drills, the configuration of DNS records and the deployment or configuration of critical controls.
Simply put, phishing attacks are effective. At Packetlabs, our success rate ranges between 15% and 50% once the e-mail reaches the inbox. Ransomware campaigns profit from taking control over your business and if you don’t pay up, they’ll post your sensitive information online. Security is never about having a silver bullet, it’s about raising the bar to make attacks more difficult through a layered approach. Email starts with the domain name systems (DNS) protocol. DNS is what tells your customer’s mail server where to connect to send your mail.
Which DNS-based settings help reduce the likelihood of phishing attacks?
When you finish writing an email and hit send, your mail server looks for the mail exchange (MX) record for the recipient of your email. In the example below, you can see that Packetlabs leverages G Suite for email. Regardless of where your email ends up, your mail server will also check additional DNS records to see who is authorized to send mail on your behalf.
;; QUESTION SECTION:
;packetlabs.net. IN MX
;; ANSWER SECTION:
packetlabs.net. 3599 IN MX 10 aspmx3.googlemail.com.Command line output of dig mx packetlabs.net
packetlabs.net. 3599 IN MX 10 aspmx2.googlemail.com.
packetlabs.net. 3599 IN MX 5 alt1.aspmx.l.google.com.
packetlabs.net. 3599 IN MX 5 alt2.aspmx.l.google.com.
packetlabs.net. 3599 IN MX 1 aspmx.l.google.com.
- SPF: Sender Policy Framework (SPF) is responsible for exactly this task, establishing which mail exchanges (MX) are allowed to send mail on your behalf. In contrast to DNS type MX records, SPF records are implemented via a DNS type TXT record. Here’s an example:
;; ANSWER SECTION:
packetlabs.net. 299 IN TXT “v=spf1 include:_spf.google.com include:infusionmail.com include:servers.mcsv.net ip4:22.214.171.124/32 ~all”Command line output of dig txt packetlabs.net
In this example, Packetlabs authorizes Google, Infusionsoft, Mailchimp and our website (126.96.36.199) to send mail on our behalf. The final piece is the mechanism “~all”. ~ tells the mail server to accept the e-mail if it doesn’t come from our authorized list, but treat it as suspicious. The other mechanism you’re likely to encounter is “-all”. If mail is sent from an unauthorized mail server, it will be rejected.
- DMARC: DMARC stands for Domain-based Message Authentication Reporting and Conformance. The primary reason for this additional DNS type TXT record is to specify which actions to take if the mail server is unable to confirm the sender mail exchanger is authorized to send mail for the domain and may be spoofed. Below is Packetlabs’ DMARC policy.
;; QUESTION SECTION:
;_dmarc.packetlabs.net. IN TXT
;; ANSWER SECTION:
_dmarc.packetlabs.net. 299 IN TXT “v=DMARC1; p=none; sp=none; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org; fo=1; pct=100; rf=afrf”Command line output of dig txt _dmarc.packetlabs.net
- DKIM: DomainKeys Identified Mail (DKIM) allows the recipient to authenticate that an email came from a specific domain and was authorized by the sender to do so. DKIM deploys digital signatures to each outgoing message to verify the integrity of the email including the headers, body and attachments.
- RBLs: Real-time Block Lists are services provided by various groups, like Spamhaus, to keep track of mail exchanges with a poor reputation. The way this works is your mail server will look up the IP of the mail server connecting to it in the Block List and confirm whether it’s trustworthy. If the IP is flagged, it’s been previously reported and the email should be discarded or sent to spam.
How do we protect end-users against e-mail phishing attacks?
With all of the essential controls in place, it is crucial to plan for the phishing emails that will slip through the cracks. Three essential training techniques include phishing for awareness, phishing for security, and security awareness training.
- Security Awareness Training: Security Awareness Training is typically an instructor or self-led course that outlines several modules surrounding the most common threats end-users experience throughout the day. This may include several modules on phishing, password complexity, and general security practices. Afterwards, it is important to test their knowledge, this can either be reinforced through a quiz or an actual phishing campaign.
- Phishing for Awareness: Phishing for Awareness is when a company tests the awareness of its staff through sending out templated phishing emails to identify staff who may not be as diligent and may require additional training. If opened, the employee will be notified that they fell for a phishing campaign and could have been compromised.
- Phishing for Security: Phishing for Security is a simulation of an actual attack. The purpose of these campaigns is to evaluate what happens after the click. There are several additional controls worth testing including endpoint defences, network-based firewalls, intrusion detection systems, security incident and event management (SIEM), incident response, and more. Phishing for Security is part of our Objective-based Penetration Testing offering and helps evaluate the strength of these controls to better prepare your IT teams.
What are must-have controls for G Suite and Office 365?
Office 365 and G Suite are the two most common mail platforms aside from on premise mail systems like Microsoft Exchange. These are relatively secure out of the box, but can be drastically improved with a few tweaks. Regardless of which platform you use, the following controls are the essentials:
- Microsoft Advanced Threat Protection: Microsoft ATP intercepts all links, attachments and emails in an attempt to verify whether they’re trustworthy or contain malware. ATP can also detect email domains that appear to be intentional typos, which is a common technique used by attackers.
- Google Safety: Google scans all email attachments, links and emails for potential malicious intent both with automated and manual attachment testing. Google’s Context-aware Access is also worth reviewing.
- Two-factor Authentication: Two-factor authentication is a must. Most phishing attacks attempt to compromise your password, and if you do not have two-factor authentication, they can obtain access to your account which may enable them to reset passwords for various other accounts.
- Password Complexity Requirements: It goes without saying that terrible passwords make an attacker’s job much easier. This is why there is a long list of attacks on passwords including credential stuffing, password spraying and more. Configure your password complexity requirements to meet your organizational password policy or federate with Active Directory where possible. We recommend passwords over 12 characters with uppercase letters, lowercase letters and special characters.
- External Mail Warning: It’s simple and effective. Both platforms enable administrators to warn staff that email is coming from a potentially untrusted source and to be cautious about opening any attachments. Change the colour of this warning every so often to make sure they see it.
Putting the Pieces Together
There is a long list of controls that, if configured correctly, dramatically reduce the potential for phishing attacks. Phishing attacks will happen, and it is important to explore what happens before and after the click to understand the impact on your organization. Phishing for Awareness is not enough because we’re all guilty of reading emails first thing in the morning when our guard is down. Contact Packetlabs today to learn more about how we can help evaluate your defences and reduce the possibility of a breach.