Most of today's most damaging intrusions begin with an email-based probe: a link to an infected site, a social-engineering lure designed to extract money, or a malware payload that slips past the filters to the target user's PC. When the user clicks, a familiar chain follows: initial infection, lateral movement, and data exfiltration. The ability to push such payloads into an enterprise, or to defraud its partners and customers with mail that appears to come from it, continues to nag organizations doing business on the Internet. Fortunately, standards-based techniques exist that can reduce the risk of fraudulent email, hijacked domains, and targeted approaches such as spear phishing that are popular in the offensive community. As part of the recently issued 2017 TAG Cyber Security Annual (the PDF volumes can be downloaded at https://www.tag-cyber.com/), I had the privilege of sitting down with Pat Peterson, founder of Agari, to discuss these issues in some detail.
EA: Many CISO teams consider phishing attacks to be essentially unstoppable. Are they wrong?
PP: With so many companies getting successfully phished these days, it sure might seem that way. In fact, it’s hard to remember a recent advanced persistent threat attack that did not start with maliciously spoofed email, combined with some sort of social engineering or phishing. The good news, however, is that the security risk associated with email infrastructure can be reduced significantly. One of the most potent building blocks in this regard is an open standard introduced in 2012 called DMARC, which stands for Domain Message Authentication Reporting and Conformance. DMARC enables global visibility of domain name use in email, allowing email senders to better authenticate their identity to email receivers, and to therefore prevent bad guys from spoofing domains in malicious email.
EA: Is DMARC different from previous standards like DKIM and SPF? And what do customers need to do to support such standards for email security?
PP: Good question. Actually, DMARC extends the existing standards you refer to, namely Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The result is an improved approach that helps senders establish some important properties. First, DMARC connects the actual identity of an email sender with their sending domain. Second, DMARC provides for the publication of policy-based options, such as message rejection, for how receivers should handle email that is not considered legitimate. And third, DMARC supports real-time intelligence gathering across the Internet for domains of interest, which is the basis for Agari’s solution offerings. Some say that DMARC is to email as Secure Sockets Layer (SSL) is to Web eCommerce.
EA: How does a CISO team use DMARC to improve their email security posture? Are there many steps involved and is there a learning curve?
PP: It’s not that complicated. First, the domain owner should publish a DMARC record. For larger organizations, there can be hundreds or even thousands of legitimate servers sending email on behalf of your organization. The challenge is identifying and publishing a DMARC record that accurately reflects all of those authorized email senders so that you can set the policy to reject and block the untrusted senders of email. With many companies, the number of third party services and domains sending email is in a constant state of change and the DMARC policy needs to be monitored and maintained. If the local staff is not sure how to do this, companies such as Agari can help. Second, email authentication should be deployed via DKIM and SPF. This requires publication of records that describe the servers authorized to send on behalf of an email domain. This might also require email servers to be configured to insert DKIM signatures, and yes – companies such as Agari can provide assistance for customers who might need reassurance that they are doing this properly. Finally, the team must enable Identifier Alignment, which is really how the DMARC-supplied aggregate feedback allows identification of where domain identifiers do not align with the email domain.
EA: How do companies like Agari participate in this process? Do you have a specific product or service that enterprise customers would buy?
PP: Yes. Our team offers a cloud-based SaaS solution called the Agari Email Trust Platform, which protects three billion of the world’s inboxes from threats such as phishing, targeted attacks, and business email compromise. Agari secures the entire email channel for customers, employees, and partners from advanced email threats. The Agari Trust Network creates a model of trusted email by analyzing an organization’s inbound email and outbound email senders, and correlating this information with analysis of billions of email messages per day from the world’s largest email providers including Google, Microsoft and Yahoo. Then, that trust model is used to categorize and prevent untrusted email from reaching the inbox of employees, partners, or customers.
EA: Establishing sender authenticity seems like such an obvious and important technique. Why do you think the industry has not been more aggressive in making this an absolute priority, especially in government applications?
PP: I think there are a couple of reasons. First, DMARC is relatively new, having been established only in 2012. And while it takes time for email receivers like Google, Yahoo, and Microsoft to fully adopt the standard and to begin authenticating emails based on DMARC, we have reached critical mass with more than 90% of inboxes in the United States authenticating based on the standard. This places us in a subsequent phase, where email senders such as enterprises and government organizations need to publish DMARC records and move toward a reject policy. With more and more email being sent through third-party services, organizations also need help identifying, managing, and maintaining governance over their email senders to enable publishing a DMARC reject policy, which is one of the ways Agari helps customers. A second issue has been with compliance auditors, who are typically less familiar with new standards such as DMARC. Hopefully, the regulatory and compliance community will familiarize themselves with these sorts of controls so that DMARC can become more uniformly applied as part of compliance initiatives. The approach, as you would think, works best when more email senders and receivers take the time to get properly set up. As with the 2005 FFIEC two-factor authentication compliance requirements for Internet Banking, compliance auditors need to set standards that require publishing of DMARC records to protect the public and email communication in general.
EA: We’ve seen a dramatic increase in targeted attacks such as spear phishing and business email compromise from FBI statistics. Why don’t existing protections stop this, and what can organizations do to protect themselves?
PP: Email continues to be the primary way cyber criminals infiltrate enterprises. As much as 95% of cyber attacks and data breaches use spear phishing as the initial entry point. Existing solutions such as secure email gateways and advanced threat protection do not fully protect organizations from targeted email attacks, spear phishing, and business email compromise, because they focus on detecting malicious content and bad behavior. Attackers can evade detection by crafting socially engineered email attacks with no malicious code or URLs, and they can impersonate trusted senders such as internal employees, partners or vendors. The only way to fully stop these types of attacks is to identify the trusted sender of the email, and to focus security controls on defining trusted email behavior in order to prevent untrusted email from reaching employee inboxes. The Agari solution focuses on exactly this type of trust modeling as an additional security layer to protect enterprises from advanced email threats.
EA: As the founder of a successful cyber security firm, you have an interesting vantage point into present and future trends. What predictions do you have for Internet security in the coming years, especially as they relate to email fraud?
PP: Actually, I see things getting better, primarily because enterprise security teams and experts are getting better. Sure, the offensive community has surged ahead of the defense recently, as evidenced by one attack after another, including the terrible break-in and theft at the Office of Personnel Management (OPM). But with international government organizations and small, medium, and large businesses beginning to work together using common standards (DMARC is just one example), I think it is possible for cyber security protections to catch up with the attackers, and this will result in a safer and more secure environment for business, government, and industry.
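The three-step procedure Peterson describes in his third answer (publish a DMARC record, authenticate with SPF and DKIM, then make the identifiers align) becomes concrete when you look at what a receiving mail server does with those pieces. The Python below is an added example written for this page; it is not code from the interview, from Agari, or from any real mail server. It parses a constructed DMARC TXT record, applies strict or relaxed identifier alignment between the From: domain and the domains SPF and DKIM authenticated, and returns the disposition (none, quarantine, reject) the published policy asks for. The domains example.com, mail.example.com, news.example.com and attacker.net, the rua= mailbox, and the SPF/DKIM results fed in are all constructed; the two-label organizational-domain rule is a simplification of the Public Suffix List lookup real receivers perform, and pct sampling and the sub-domain record lookup order are omitted.

```python
"""Minimal receiver-side DMARC evaluation (constructed example, not Agari's code).

It shows mechanically what the three steps in the interview amount to:
  1. the domain owner publishes a TXT record at _dmarc.<domain>,
  2. SPF and DKIM each yield an authenticated domain,
  3. DMARC passes only if one of those domains aligns with the From: domain.
"""

# Constructed sample record, as a domain owner would publish it.  The
# mailbox in rua= is an assumption, not a real reporting address.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "pct=100; rua=mailto:dmarc-reports@example.com")


def dmarc_query_name(domain: str) -> str:
    """DNS name a receiver queries (TXT) for the policy of `domain`."""
    return "_dmarc." + domain.lower().rstrip(".")


def organizational_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Simplification: keep the last two labels.  A real receiver consults the
    Public Suffix List so that mail.example.co.uk maps to example.co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record into a dict.

    Requires v=DMARC1 and a p= tag; fills in the spec defaults for the
    alignment modes (relaxed) and pct (100).
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def is_aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def evaluate(dmarc_txt: str, record_domain: str, from_domain: str,
             spf_result: str, spf_domain, dkim_result: str, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the RFC5321.MailFrom domain SPF checked; dkim_domain is
    the d= tag of a verified DKIM signature (None if there is none).  The
    record is assumed to have been found at record_domain; if the From:
    domain is a sub-domain of it, the sp= policy applies.  pct sampling
    is omitted.
    """
    rec = parse_dmarc(dmarc_txt)
    spf_ok = spf_result == "pass" and is_aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    if from_domain.lower().rstrip(".") != record_domain.lower().rstrip(".") and "sp" in rec:
        return "fail", rec["sp"]
    return "fail", rec["p"]


if __name__ == "__main__":
    # Legitimate sender: SPF passes for mail.example.com, which aligns (relaxed).
    print(evaluate(SAMPLE_RECORD, "example.com", "example.com",
                   "pass", "mail.example.com", "none", None))
    # Spoof: the attacker's own SPF passes, but attacker.net does not align
    # with the From: domain, so the published reject policy applies.
    print(evaluate(SAMPLE_RECORD, "example.com", "example.com",
                   "pass", "attacker.net", "none", None))
```

The case worth studying is the spoof: SPF alone is satisfied, because the attacker controls attacker.net and its SPF record, and only the alignment step ties the authenticated identifier back to the From: domain the recipient actually sees. That is also why the interview stresses inventorying third-party senders before moving to p=reject: any legitimate service that sends with its own envelope domain and no DKIM signature keyed to your domain will fail alignment and be rejected exactly like the spoof.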