
Tech Events – Sep 2020 Security

Peter Rusanovski Sales Engineer

© 2020 Forcepoint | Forcepoint Proprietary

Products

Email Security CASB Data Guard

Web Security SD-WAN & NGFW

FIT DLP UEBA Insider Threat

DEP Boldon James RBI DUP Classification Isolation DDP

Agenda

• Email Hybrid / Cloud
• Azure deployments
• Security Hardening (Settings & Filters)
  o DKIM
  o SPF
  o DMARC
• Business Email Compromise
• Sandbox (Files & URLs)
• URL wrapping
• Education
• System Health Check
• Troubleshooting steps
• Tips and Tricks
• End Of Life Products Status

Forcepoint Email Security

FORCEPOINT OFFERS THE MOST COMPREHENSIVE EMAIL SECURITY

Inbound and outbound capabilities:

• Anti-Malware, Anti-Spam
• Anti-Spoofing (DKIM & DMARC)
• Incident Risk Ranking
• Phishing Defenses
• DLP for free
• Content Filtering
• Attachment Filters
• Lexical Rule
• DLP inbound
• Disclaimer
• Exploited Document Discovery
• Advanced Malware Detection
• Drip DLP (Stateful)
• Phishing Education
• URL Wrapping
• Inappropriate Image Filter
• OCR (Optical Character Recognition)
• Spam Controls
• Analysis Tools
• ACE Analytics
• ThreatSeeker Intelligence Cloud
• Sandboxing / Forensic Reporting
• High Risk User Behavior
• Yara definitions

Email Deployment

Deploy How, Where, and When You Want

IaaS, PaaS SAAS

On-Premises Hybrid Cloud

Three Options, One SKU Start anywhere – and move to the cloud when you’re ready

The Right Appliances For Your Needs

Virtual Appliance

• V5000: ~2000 users
• V10000: ~8000 users
• V20000: 20,000+ users

CLOUD EMAIL SECURITY - SAAS

NEW VIEW, NEW FEATURES MORE SECURE

FORCEPOINT EMAIL CLOUD DEPLOYMENT

FORCEPOINT EMAIL HYBRID DEPLOYMENT AND ADDITIONAL PROTECTION LAYER

• HYBRID – “BEST OF BOTH WORLDS”
• GOOD SPAM/VIRUS EFFICACY
• SAME DEPLOYMENT REQUIREMENTS AS ON PREM, INCLUDES FULL EMAIL DLP

Azure Deployment

ESG is available in Azure

The cloud deployment installation is now standardized with Forcepoint Email Security installation, meaning that the installed product is identical for both cloud and on-premises deployment.

There is also an option to install the management server (Forcepoint Security Manager, FSM) in Azure.

ESG is available in Azure: installation is done from the Azure Marketplace.

Hardening: DKIM & DMARC

Brief introduction to DKIM

DKIM (DomainKeys Identified Mail) is an email technology based on digital signatures that helps protect both email receivers and email senders from forged and phishing email. A DKIM-compliant sender must generate one or more asymmetric key pairs, install the private keys on the signing MTA, and publish the public keys in DNS. The DNS labels are structured as “selector._domainkey.example.com”, where “selector” identifies the key pair and “_domainkey” is a fixed keyword, followed by the signing domain's name (example.com in this example).

DKIM signing process

• The signing MTA uses its stored private key to generate a digital signature that covers selected fields of the message header and the body, such as “From:”, “To:”, “Date:” and “Subject:”
• The digital signature is inserted into the message as a header
• The message is delivered to the next hop as normal

Note: In ESG, the SMTP service generates the DKIM signature and inserts it into the message as a header before delivering to the next hop.

DKIM verification process

• The DKIM-enabled receiving email server extracts the domain from the message header “From:”
• It queries DNS and retrieves the public key, for example from “test1._domainkey.es.com”
• The receiving email server then uses this public key to decrypt the hash value in the header field and recalculates the message hash value (headers and body)
• If the two values match, it indicates that the mail was truly sent from that domain and the content has not been modified during transport
• The receiving email server applies local policies based on the DKIM verification result (content filter)

Note: In ESG, the filter service is responsible for DKIM verification.

DKIM Diagram

DKIM signature & verification

Signature added by MTA

Public key stored on DNS

DKIM signature & verification (continued)

The DKIM signature consists of a list of “tag=value” parts:

▪ v is the DKIM version.
▪ a is the signing algorithm. ‘rsa-sha1’ means use SHA-1 as the cryptographic hash and RSA as the public key algorithm. The result is encoded using Base64.
▪ c is the canonicalization algorithm(s) for header and body.
▪ d is the signing domain.
▪ s is the selector. In this example, the DNS name queried is “test1._domainkey.es.com”.
▪ t is the signature timestamp.
▪ bh is the body hash.
▪ l is the length of the canonicalized part of the body that has been signed.
▪ h is the list of signed header fields. The DKIM-Signature header field itself is always implicitly included in h, with the value of tag b treated as though it were an empty string.
▪ b is the actual digital signature of the contents (headers and body) of the mail message.
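The signing and verification steps above, and the tag list, can be followed in code. The block below is an added example written for this page; it is not ESG's implementation. It uses only the Python standard library, so it covers everything except the RSA step: it builds the DKIM-Signature header a signer inserts (with a constructed placeholder in b=), parses the tag=value list, derives the selector DNS name, recomputes bh= over the relaxed-canonicalized body (honouring l= when present), and rebuilds the exact octets that b= signs, including the DKIM-Signature header with b= emptied. The sample headers, body and timestamp are constructed; the selector and domain reuse the deck's test1._domainkey.es.com example.

```python
import base64
import hashlib
import re

# Constructed sample message (not from the deck); selector and domain match the
# deck's example DNS name "test1._domainkey.es.com".
SAMPLE_HEADERS = [
    ("From", "Alice Example <alice@es.com>"),
    ("To", "bob@example.net"),
    ("Subject", "Quarterly   numbers"),
    ("Date", "Tue, 01 Sep 2020 10:00:00 +0000"),
]
SAMPLE_BODY = "Hello Bob,\r\n\r\nPlease see the attached report.  \r\n\r\n\r\n"

def relaxed_header(name, value):
    """'relaxed' header canonicalization (RFC 6376 3.4.2): lowercase name,
    unfold, collapse whitespace runs, strip ends, join with a bare colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}".encode()

def relaxed_body(body):
    """'relaxed' body canonicalization (RFC 6376 3.4.4): collapse whitespace,
    strip trailing whitespace per line, drop trailing empty lines, end with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip() for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def parse_dkim_signature(value):
    """Split a DKIM-Signature value into its tag=value parts; folding
    whitespace inside values (common in long b= values) is removed."""
    tags = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def selector_record_name(tags):
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>"""
    return f"{tags['s']}._domainkey.{tags['d']}"

def dkim_body_hash(body, algo="sha256", length=None):
    """bh= value: base64 hash of the canonicalized body, cut to l= octets if set."""
    canon = relaxed_body(body)
    canon = canon if length is None else canon[:length]
    return base64.b64encode(hashlib.new(algo, canon).digest()).decode()

def signed_data(headers, sig_value):
    """Octets the b= signature covers: each h= header (last instance first for
    repeats, RFC 6376 5.4.2) in relaxed form, then DKIM-Signature with b= emptied.
    A header listed in h= but absent from the message contributes nothing."""
    remaining, parts = list(headers), []
    for name in parse_dkim_signature(sig_value)["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                parts.append(relaxed_header(*remaining.pop(i)))
                break
    stripped = [p[: p.index("b=") + 2] if p.strip().startswith("b=") else p
                for p in sig_value.split(";")]
    parts.append(relaxed_header("DKIM-Signature", ";".join(stripped)))
    return b"\r\n".join(parts)

def make_signature_header(body, signed=("from", "to", "subject", "date")):
    """Signing side: the header the MTA inserts. b= is a constructed placeholder
    where a real signer puts the RSA signature over signed_data()."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.com; s=test1; t=1598954400; "
            f"h={':'.join(signed)}; bh={dkim_body_hash(body)}; b=AAAA")

def check_dkim(headers, body, sig_value):
    """Verification side minus the RSA step: recompute bh=, rebuild the signed
    octets, and report the DNS name whose key would validate b= over signed_digest."""
    tags = parse_dkim_signature(sig_value)
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]  # 'rsa-sha256' -> 'sha256'
    length = int(tags["l"]) if "l" in tags else None
    from_value = next((v for n, v in headers if n.lower() == "from"), "")
    match = re.search(r"@([\w.-]+)", from_value)
    return {
        "version_ok": tags.get("v") == "1",
        "dns_name": selector_record_name(tags),
        "from_domain": match.group(1).lower() if match else None,
        "body_hash_ok": tags.get("bh") == dkim_body_hash(body, algo, length),
        "signed_digest": hashlib.new(algo, signed_data(headers, sig_value)).hexdigest(),
    }

SAMPLE_SIG = make_signature_header(SAMPLE_BODY)
```

A real verifier fetches the TXT record at dns_name, extracts its p= public key and checks the b= value against signed_digest; that step needs an RSA library and is deliberately left out here. Note why the b= tag is emptied before hashing: the signature cannot cover itself, which is exactly the "treated as though it were an empty string" rule in the h= description above.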

DKIM Configuration on ESG

▪ There is a new settings page to configure DKIM on Triton Email (Settings -> Inbound/Outbound -> DKIM Settings).
▪ From this page, we can manage private keys and public keys.
▪ We can also manage DKIM rules for how to sign mail messages.
▪ DKIM can be enabled or disabled for inbound, outbound and internal messages separately.

DKIM Configuration on Email Cloud

Cloud Email Security Policy > Antispoofing > DKIM

DKIM Cloud Email records

These are the Forcepoint CNAME records you must publish in order to enable DKIM signing. Map fpkey11-1._domainkey and fpkey11-2._domainkey to the corresponding values in out.mailcontrol.com. The same DKIM signing domain can be used for all sender domains.

Brief introduction to DMARC

DMARC stands for “Domain-based Message Authentication, Reporting and Conformance”. It is an email validation system designed to detect email spoofing by providing a mechanism that allows receiving mail exchangers to check that incoming mail from a domain is authorized by that domain's administrator and that the email has not been modified during transport. It expands on two existing mechanisms, the well-known Sender Policy Framework (SPF) and DKIM, coordinating their results on the alignment of the domain in the “From:” header field, which is often visible to end users. It allows specification of policies and provides for reporting of actions performed under those policies. DMARC reporting consists of supplying feedback to the author domain on how its authentication methods perform, thereby providing for informed policy crafting. DMARC is specified in RFC 7489.

DMARC and email authentication process

DMARC Configuration on ESG

▪ There is a new settings page to configure DMARC on Triton Email (Settings -> Inbound/Outbound -> DMARC Settings).
▪ We can configure DMARC verification for the 3 directions separately. The direction is relative to the recipients.
▪ If there are multiple recipients, it is possible that some recipients cannot receive the message because it violates the DMARC check.

DMARC Configuration on Cloud Email

Select “Filter inbound messages that spoof external domains using DMARC” to detect spoofed incoming messages that appear to be sent from legitimate external domains but fail DMARC validation checks. This option validates both the Mail From sending address and the From address. DMARC is built on SPF and DKIM validation and allows the owner of a domain to publish a policy (via DNS TXT records) that defines how the receiver should deal with spoofed messages.
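The DMARC introduction above describes coordinating SPF and DKIM results on alignment with the From: domain, and this slide describes the published policy that tells receivers what to do on failure. The following added example (written for this page, not Forcepoint's code) implements that evaluation in Python: it parses a DNS TXT policy record, applies strict or relaxed alignment for each identifier, and returns the DMARC result and the disposition (p= or, for subdomains, sp=). The record and the SPF/DKIM inputs are constructed; the organizational-domain helper is simplified to the last two labels and pct= sampling is ignored, both labelled in the code.

```python
# Constructed DMARC record and authentication results; not from the deck.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")

def parse_dmarc_record(txt):
    """Parse the tag=value list of a _dmarc.<domain> TXT record and apply the
    RFC 7489 defaults (relaxed alignment for both identifiers)."""
    tags = {}
    for part in txt.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Organizational domain for relaxed alignment, simplified to the last two
    labels; a real verifier uses the Public Suffix List (e.g. example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate_dmarc(record_txt, record_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine the SPF result (for the Mail From domain) and the DKIM result
    (for the d= domain) with alignment against the From: header domain.
    Returns (dmarc_result, disposition, reasons)."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    reasons = [f"spf={spf_result} mailfrom={spf_domain} aligned={spf_ok}",
               f"dkim={dkim_result} d={dkim_domain} aligned={dkim_ok}"]
    if spf_ok or dkim_ok:
        return "pass", "none", reasons
    # sp= governs subdomains of the domain that published the record; pct=
    # sampling is ignored here so the decision stays deterministic.
    disposition = policy["p"]
    if from_domain.lower() != record_domain.lower() and "sp" in policy:
        disposition = policy["sp"]
    return "fail", disposition, reasons
```

The last two test cases show why alignment matters more than a bare "pass": a message whose SPF and DKIM both pass for a lookalike domain still fails DMARC for the From: domain the user sees, and a subdomain with no authentication gets the sp= disposition rather than p=.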

Business Email Compromise

Internal Executive Spoofing

CLOUD EMAIL - INTERNAL EXECUTIVE SPOOFING

The Internal Executive Spoofing feature provides protection against spear phishing attacks targeting individuals within your organization. Such attacks may come from legitimate (non-spoofed) email addresses, thereby passing other spoofing checks, but use the display name of a known user (often an executive) with the intention of tricking employees into sending money or information.

ESG - INTERNAL EXECUTIVE SPOOFING

➢ Protect yourself from finance scammers asking to transfer money while spoofing themselves as a C-level employee ([email protected]).
➢ Very easy to do in our email cloud; doing it on the local ESG requires creating a new filter & regex to identify these C-level users.
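The two slides above describe the detection in words: the sending address is legitimate, so SPF, DKIM and DMARC pass, and the only signal is an executive's display name on a mailbox that is not the executive's. The added example below (written for this page, not ESG's or the cloud service's own logic) shows both the regex approach the ESG slide mentions and a more robust normalized-name comparison. The executive list, the internal domain es.com and all addresses are constructed.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed executive list and internal domain; not from the deck.
INTERNAL_DOMAINS = {"es.com"}
EXECUTIVES = {"Jane Doe": "jane.doe@es.com", "John Roe": "john.roe@es.com"}

def normalize_name(name):
    """Fold case, accents, punctuation, token order and whitespace so that
    'JANE  DOE', 'Jane Dóe' and 'Doe, Jane' all compare equal to 'Jane Doe'."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(ch for ch in name if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(sorted(tokens))

def executive_regex():
    """Display-name regex of the kind a content filter can use: matches a listed
    executive name (any case, flexible separators) before the '<address>'."""
    alts = "|".join(r"[\s.,_-]*".join(map(re.escape, n.lower().split()))
                    for n in EXECUTIVES)
    return re.compile(rf'^\s*"?(?:{alts})"?\s*<', re.IGNORECASE)

def check_executive_spoof(from_header, reply_to=""):
    """Flag a message whose display name is a known executive but whose sending
    mailbox is not that executive's (external, or a different internal box).
    An internal sender with an external Reply-To is flagged as well."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    wanted = normalize_name(display)
    exec_addr = next((a for n, a in EXECUTIVES.items() if normalize_name(n) == wanted), None)
    reasons = []
    if exec_addr and domain not in INTERNAL_DOMAINS:
        reasons.append("executive display name on an external sender address")
    elif exec_addr and addr != exec_addr:
        reasons.append("executive display name on a different internal mailbox")
    if reply_to:
        rt_domain = parseaddr(reply_to)[1].lower().rpartition("@")[2]
        if domain in INTERNAL_DOMAINS and rt_domain and rt_domain not in INTERNAL_DOMAINS:
            reasons.append("internal sender with external Reply-To")
    return {"display_name": display, "address": addr, "matched_executive": exec_addr,
            "suspicious": bool(reasons), "reasons": reasons}
```

The regex is the quick filter-rule form; normalize_name catches the variants a regex on the literal name misses (reordered "Doe, Jane", accented characters, doubled spaces), which is the reason to prefer a normalized comparison where the platform allows it.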

ESG – ANTISPOOF Rule

Antispoof analysis helps determine the validity of message senders. Select the relevant sender address combinations you want to compare. With Advanced Options, use SPF, DKIM, and SIDF authentication results to determine message validity.

The filter is triggered when at least one address comparison fails or one authentication result is met. If both address comparison and authentication conditions are enabled, then at least one address comparison must fail and one authentication condition must be met in order to trigger the filter.

Forcepoint AMD – Advanced Malware Detection

How AMD Works

[Diagram: an unknown or suspicious file from the end user is sent to Advanced Malware Detection for inspection; a safe file is allowed, a bad file is blocked.]

The Deep Content Inspection Difference

WEB FIREWALL CASB EMAIL

Signature-less inspection and analysis:
• Application Layer: identification of malicious scripts and macros
• OS Layer: true kernel visibility with minimal OS dependencies
• CPU Layer: dynamic code analysis elicits malicious behaviors
• Memory Layer: inspection of malware memory, including encrypted strings

Enhance security capabilities and intelligence sharing

[Diagram: NGFW, Web Security and Email Security send unknown or suspicious files through the AMD Manager to AMD Engines 1–3 for inspection; a safe file is allowed through to the user, a bad file is blocked.]

AMD Differentiators

Unlimited Manual URL and File Submissions
• AMD Cloud: CSI OnDemand subscription included (Level 3 Access: https://csi.forcepoint.com/)
• AMD On-Prem: available in the AMD Manager UI

Fast Time to Protection (AMD Cloud)
• Nothing to install/download
• No additional hardware or IT resources needed
• Quick to enable and set up policies

Strong Security Efficacy
• Full system emulation → harder for malware to evade detection
• Lower rate of false positives → more accurate results and less time wasted on unnecessary investigations

Why Does Full System Emulation Matter?

Common sandbox evasion techniques, and the difference with Forcepoint AMD:

Environmental Awareness
• Evasion: the file is programmed to detect devices or indicators that belong to a virtual environment. The #1 behavior observed in malicious files submitted to Forcepoint AMD? The ability to check disk size.
• Forcepoint AMD: full system emulation, not virtualization.

Detecting User Interactions
• Evasion: malware only detonates after a specific user action takes place.
• Forcepoint AMD: simulates user interactions; it can manipulate and interact with artifacts to elicit certain behaviors.

Time-Based Techniques
• Evasion: sandbox analysis typically takes < 5 minutes, so malware stalls or “sleeps” until the analysis is complete.
• Forcepoint AMD: deep content inspection monitors calls to the operating system's sleep function; every instruction the malware performs is evaluated and any object that attempts to stall is detected.

Data Encryption
• Evasion: API calls are encrypted so that traditional malware sandboxes can't read them.

Advanced Malware Detection – 3 Deployment Options

[Diagram: AMD Cloud, AMD On Prem and AMD AirGap; in each option NGFW, Web Security and Email Security submit files to the AMD Manager and Engines.]

Flexible Deployment Options to Meet Differing Needs

Cloud
• No IT resources needed for sandbox
• Fast time-to-protection
• Protects users everywhere
• Adds onto cloud & on-prem appliances (Web, Email, NGFW, CASB)

On-Premises
• Keeps scanned files local to the network
• Minimizes latency in select geographies
• Controlled by the appliance team
• Adds onto on-prem appliances (Web, Email, NGFW)

Air Gapped
• File signatures are updated manually by the customer
• Available for NGFW only
• NGFW forwards files to the sandboxing capability as normal
• Ensures physical isolation from unsecured networks

File Sandboxing on ESG

Verify the feature is enabled (it works only if you bought this module, which is based on Lastline technology) and that the filter is set to trigger the proper action to block.

URL Sandboxing (Hybrid Required)

Replaces any suspicious link in an email with a redirection link that scans the content of the page at point of click, no matter when or where the email is viewed.

Benefits
• Ensures that the link is inspected even if it is benign when received but activated days later.
• Protection follows the embedded URLs even when they are forwarded out of the organization.
• Around-the-clock, real-time protection.

EMAIL URL WRAPPING

Timeline (link to www.xyz.com):
1. 00:00 – Email arrives with links to a harmless page
2. 00:00 – ACE detects inconclusive, suspicious indicators
3. 00:00 – Link modified for additional analysis later
4. 04:00 – After passing security, the page is hacked
5. 08:00 – Later, user clicks the link and ACE reassesses
6. 08:00 – Threat identified, user protected

URL Sandboxing (Hybrid Connection Required)

The URL sandbox provides real-time analysis of uncategorized URLs embedded in inbound email. Navigate to Settings > Inbound/Outbound > URL Sandbox and select “Analyze suspicious URLs” to activate it.
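The URL wrapping slides above explain the mechanism (rewrite the link at delivery, re-evaluate the destination at point of click) and the timeline in which a page turns malicious after the email was received. The added example below (written for this page; it is not Forcepoint's rewriting scheme, and click.protect.example, the key and the reputation lookup are constructed) shows the two halves in Python: wrapping external hrefs into a redirection link that carries the original URL plus an HMAC, and the click-time handler that rejects tampered tokens (so the endpoint cannot be abused as an open redirect) and re-checks reputation before allowing the redirect. simulate_timeline() replays the deck's 00:00 / 04:00 / 08:00 sequence.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed rewrite endpoint and key; not Forcepoint's own scheme or hosts.
REWRITE_HOST = "https://click.protect.example/r"
WRAP_KEY = b"constructed-demo-key-use-a-random-key-in-production"
INTERNAL_DOMAINS = ("es.com",)  # constructed: links to these hosts are left as-is
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)

def _sig(token, key):
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()[:32]

def wrap_url(url, key=WRAP_KEY):
    """Replace a link with a redirection link carrying the original URL and an
    HMAC, so the click endpoint only ever redirects to URLs it wrapped itself."""
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"{REWRITE_HOST}?u={token}&s={_sig(token, key)}"

def unwrap_url(wrapped, key=WRAP_KEY) -> Optional[str]:
    """Recover the original URL; None when the HMAC does not match (forged or
    tampered token), which is what keeps the endpoint from being an open redirect."""
    query = parse_qs(urlparse(wrapped).query)
    token, sig = query.get("u", [""])[0], query.get("s", [""])[0]
    if not token or not hmac.compare_digest(_sig(token, key).encode(), sig.encode()):
        return None
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()

def rewrite_links(html, internal=INTERNAL_DOMAINS):
    """Delivery time: wrap every external http(s) href in the message body."""
    def repl(match):
        url = match.group(1)
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in internal):
            return match.group(0)
        return f'href="{wrap_url(url)}"'
    return HREF_RE.sub(repl, html)

def point_of_click(wrapped, reputation_lookup):
    """Click time: unwrap, evaluate the destination now (not at delivery), decide."""
    url = unwrap_url(wrapped)
    if url is None:
        return "block: invalid token"
    verdict = reputation_lookup(url)
    return "allow" if verdict == "clean" else f"block: {verdict}"

def simulate_timeline():
    """The deck's sequence: a benign page is wrapped at delivery (00:00),
    compromised later (04:00), and the click (08:00) is re-checked."""
    reputation = {"http://www.xyz.com/page": "clean"}  # constructed intelligence feed
    wrapped = wrap_url("http://www.xyz.com/page")
    before = point_of_click(wrapped, lambda u: reputation.get(u, "unknown"))
    reputation["http://www.xyz.com/page"] = "malicious"
    after = point_of_click(wrapped, lambda u: reputation.get(u, "unknown"))
    return before, after
```

Two design points worth noting: the token is authenticated rather than encrypted, because the goal is to stop third parties from minting redirect links through your domain, not to hide the destination; and any URL whose verdict is not an explicit "clean" is blocked, so an unknown page at click time is treated the same way the deck treats an inconclusive one at delivery.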

File Sandboxing Detailed Report

Phishing Education

PHISHING EDUCATION

Reduce risk of compromise
• Real-time education based on real threats
• “Tips-n-Tricks” educational material template
• Customizable notification pages for phishing

PHISHING EDUCATION: EASY TO CONFIGURE POLICIES

Define policy to disarm and educate users

System Health Check

SYSTEM HEALTH CHECK - DASHBOARD

➢ Check if you see any alerts in the dashboard

➢ Check if something is stuck in the queue

SYSTEM HEALTH CHECK - HYBRID

➢ Check hybrid status by clicking the button

➢ Domain ownership should be verified for all domains

SYSTEM HEALTH CHECK – LOG SERVER

➢ Check Log Server status
➢ Check Log database
➢ Check Maintenance configuration

SYSTEM HEALTH CHECK – DATABASE UPDATES

➢ Check Database Updates

SYSTEM HEALTH CHECK – FSAM > STATUS

➢ Check Services
➢ Check Resources
  ➢ CPU
  ➢ Memory
  ➢ Disk
➢ Check Email Spool

SYSTEM HEALTH CHECK – FSAM > SOFTWARE HOTFIX

➢ Check Available Hotfixes
➢ Check Available Upgrades

SYSTEM HEALTH CHECK – FSAM > TOOLBOX

➢ Configuration Summary
➢ Backup Appliance
➢ PCAP file for support

SYSTEM HEALTH CHECK – FSAM > SNMP

➢ SNMP
➢ Appliance health

Troubleshooting & Tips and Tricks

CLI: #diagnose>

Run nc and nslookup to verify connectivity and name resolution for:
• download.forcepoint.com
• download.websense.com
• ddsdom.websense.com
• ddsint.websense.com
• emailsecurity.cloud.threatseeker.com
(best results with 8.8.8.8 as the resolver)

Product Support Life Cycle

Thank You

Peter Rusanovski Sales Engineer
