SPF is not an acronym for "Spoof"! Let's utilize the most out of the next layer in Security!

Robert Sherwin, Cisco Email Security TME

BRKSEC-2327 Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How:
1. Find this session in the Cisco Events Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Email Security specific sessions this week

250 not OK: Going on the defensive with Cisco Email Security
• TECSEC-2345
• Monday, January 27 | 08:45 AM - 01:00 PM
• Hall 8.1, CC8, Room 8.29/8.30

From Zero to DMARC Hero
• TECSEC-2310
• Monday, January 27 | 02:30 PM - 06:45 PM
• Hall 8.0, Session Room D138

API Integrations for Cisco Email Security
• DEVNET-2326
• Tuesday, January 28 | 10:00 AM - 10:45 AM
• Hall 6 - The Hub, DevNet Classroom 2

AsyncOS Release 13.0 - What's new in Email Security
• LTRSEC-2319
• Thursday, January 30 | 09:00 AM - 01:00 PM
• Hall 8.0, Session Room B110

SPF is not an acronym for "Spoof"! Let's utilize the most out of the next layer in Email Security!
• BRKSEC-2327
• Thursday, January 30 | 02:45 PM - 04:15 PM
• Hall 8.0, Session Room B115

Fixing Email! - Cisco Email Security Advanced Troubleshooting
• BRKSEC-3265
• Friday, January 31 | 09:00 AM - 10:30 AM
• Hall 8.0, Session Room A104

Agenda

Our session has 90 minutes, and we have a lot to cover...

• Review (or Intro) to Cisco Email Security
  • Email Pipeline
  • Acronyms
  • A typical message
• Utilizing SPF, DKIM, DMARC on Cisco Email Security
• Next-level utilization of SPF, DKIM, DMARC
  • Cisco Advanced
  • Cisco Domain Protection
• Phishing Efficacy
• Cisco Security Awareness

Let's get started!

Agenda

What this session will not cover:
• In-depth SPF, DKIM, DMARC record creation and understanding (please see TECSEC-2310, From Zero to DMARC Hero)
• SPF, DKIM, DMARC troubleshooting (please attend BRKSEC-3265, Fixing Email! - Cisco Email Security Advanced Troubleshooting)

The Speaker

• Technical Marketing Engineer, Email Security
• Joined Cisco December 2011
• Cisco Live Speaker in US, EMEA, APJC
• 18 years of combined Network, Data Center, and Security experience
• 6 years in Cisco TAC, joined TME team in 2018
• Based out of Morrisville, NC (US)

Robert Sherwin ([email protected])

January 28, 2020

"... sent phishing that gave them access to the companies' email systems — giving the fraudsters an even bigger trove of information about the victim companies."
"The two companies wired several payments to the fraudulent accounts, adding up to more than $120 million."
- US FBI News: Leader of Fraud Ring Sentenced

"6.4 billion – the number of fake emails sent worldwide – every day."
- EY Global Information Security Survey 2018-19

Let's put 6.4 billion in context by comparing it to something more tangible, like time:
6,000 minutes = 4.17 days
6,000,000 minutes = 4,166.67 days (or 11.41 years)
6,000,000,000 minutes = 4,166,666.67 days (or 11,407.71 years)

That is a LOT of emails. Every day...

Review of Cisco Email Security

As we discuss layers of email security, our 'layers' are provided by the mail flow pipeline...

Cisco Email Security Mail Flow Pipeline: INCOMING

• Connection level protection: Sender Reputation Filtering (SBRS)
• Anti-spoof, throttling & verification: Connection Filtering
• Sending domain verdict analysis: Sender Domain Reputation (SDR)
* Message Filtering
• Per-policy scanning:
  • Spam protection, URL analysis: Content Scanning (CASE)
  • Virus protection: Anti-virus Scanning (AV)
  • Malware protection: Advanced Malware Protection (AMP)
  • Marketing/Social/Bulk email detection: Graymail Detection
  • Content protection: Content Filtering
  • Malware, Phishing, URL threat protection: Outbreak Filtering (VOF)
• Phishing behavioral analytics & protection: Advanced Phishing Protection (APP)

Cisco Email Security Mail Flow Pipeline: OUTBOUND

• Connection level protection: Sender Reputation Filtering (SBRS)
• Encryption & authentication enforcement: Connection Filtering
* Message Filtering
• Per-policy scanning:
  • Spam protection, URL analysis: Content Scanning (CASE)
  • Virus protection: Anti-virus Scanning (AV)
  • Malware protection: Advanced Malware Protection (AMP)
  • Marketing/Social/Bulk email detection: Graymail Detection
  • Content protection: Content Filtering
  • Malware, Phishing, URL threat protection: Outbreak Filtering (VOF)
  • Sensitive data protection & encryption: Data Loss Prevention (DLP)
• Brand protection, SPF/DKIM/DMARC administration: Domain Protection (DP)

Typical acronyms used in email security

Within these layers of email security, Cisco Email Security features and services always come with acronyms... Who loves acronyms? Cisco uses a lot of them...

ADFS : Active Directory Federation Services
AMP : Advanced Malware Protection
API : Application Programming Interface
APPC : Advanced Phishing Protection Console
AS (A/S) : Anti-spam
AV (A/V) : Anti-virus
BATV : Bounce Address Tag Validation
BEC : Business Email Compromise
BIMI : Brand Indicator Message Identification
CASE : Context Adaptive Scanning Engine
CDP (DMP) : Cisco Domain Protection
CES : Cloud Email Security
CLI : Command Line Interface
CRES (see RES)
CTR : Cisco Threat Response
DCID : Delivery Connection ID
DHAP : Directory Harvest Attack Prevention
DKIM : DomainKeys Identified Mail
DLP : Data Loss Prevention
DMARC : Domain-based Message Authentication, Reporting and Conformance
DNS : Domain Name System
ESA : Email Security Appliance
ESMTP : Extended (or Enhanced) Simple Mail Transfer Protocol
ETF : External Threat Feed
EUQ : End-user Quarantine (aka Spam Quarantine)
FA : File Analysis (Threat Grid)
FED : Forged Email Detection
FR : File Reputation (AMP)
GUI : Graphical User Interface
HAT : Host Access Table
ICID : Incoming Connection ID
IETF : Internet Engineering Task Force
IMS : Intelligent Multi-Scan
IPAS : IronPort Anti-Spam
ISQ : IronPort Spam Quarantine
LDAP : Lightweight Directory Access Protocol
MAR : Mailbox Auto Remediation
MFP : Mail Flow Policy
MID : Message ID
MX : Mail Exchange (DNS record)
NTP : Network Time Protocol
PoC : Proof of Concept
PoV : Proof of Value
PXE : PostX Encryption
RAT : Recipient Access Table
REPENG : Reputation Engine
RID : Recipient ID
RES : Registered Envelope Service
SAML : Security Assertion Markup Language
SBG : Security Business Group
SBRS : SenderBase Reputation Service
SDR : Sender Domain Reputation
SLBL : Safe List Block List
SMA : Security Management Appliance
S/MIME : Secure/Multipurpose Internet Mail Extensions
SMTP : Simple Mail Transfer Protocol
SNMP : Simple Network Management Protocol
SOC : Security Operations Center
SPF : Sender Policy Framework
SSL : Secure Sockets Layer
TA : Threat Analyzer
TLS : Transport Layer Security
TME : Technical Marketing Engineer
TOC : Threat Operations Center
UI : User Interface
vESA (ESAv/ESAV) : Virtual Email Security Appliance
vSMA (SMAv/SMAV) : Virtual Security Management Appliance
VOF : Virus Outbreak Filtering
WBRS : Web Base Reputation Service
WSA : Web Security Appliance
XML : Extensible Markup Language
2FA : (2) Two Factor Authentication

Email pipeline (what happens and where)

SMTP Server (per listener):
• Host Access Table (HAT)
• IP Reputation
• External Threat Feeds (IoC)
• Connection Throttling
• Sender Verification
• Sender Domain Reputation
• Received Header
• Default Domain
• Domain Map
• Recipient Access Table
• Alias Table
• LDAP RCPT Accept
• SMTP Call-Ahead

Workqueue:
• LDAP RCPT Accept (WQ deferred)
• Masquerading (Table/LDAP)
• LDAP Routing
• Message Filters
• SPF, DKIM, DMARC verification
• Per-policy scanning:
  • CASE (Anti-Spam)
  • Anti-Virus
  • AMP: File Reputation, File Analysis
  • Graymail Detection
  • Content Filtering
  • DLP filtering (Outbound)
  • Outbreak Filtering

SMTP Client (system or per virtual gateway):
• Encryption
• Virtual Gateways
• Delivery Limits
• Domain Based Limits
• Domain Based Routing
• Global Unsubscribe
• S/MIME Encryption
• DKIM Signing
• Bounce Profiles
• Message Delivery

A typical SMTP conversation

$ telnet alln-mx-01.cisco.com 25
Trying 173.37.147.230...
Connected to alln-mx-01.cisco.com.
Escape character is '^]'.
220 alln-inbound-e.cisco.com ESMTP
helo pipershark.com
250 alln-inbound-e.cisco.com
MAIL FROM:                                  <- Envelope: "Envelope From", "Mail From", "Envelope Sender", ...
250 sender ok
RCPT TO:                                    <- Envelope: "Envelope To", "Envelope Recipient"
250 recipient ok
DATA
354 go ahead
Subject: SMTP CONVERSATION TEST MESSAGE     <- Headers
From: Email Admin                           <- Headers: "Header From", RFC5322.From, "Friendly From", ...
To: Robert Sherwin (robsherw)               <- Headers: "Header To", RFC5322.To, "Recipient", ...

Here is the email, hope you receive it.     <- Body
.
250 ok: Message 143004492 accepted
quit
221 alln-inbound-e.cisco.com
Connection closed by foreign host.

What gets verified or authenticated?

$ telnet alln-mx-01.cisco.com 25
Trying 173.37.147.230...
Connected to alln-mx-01.cisco.com.
Escape character is '^]'.
220 alln-inbound-e.cisco.com ESMTP
helo pipershark.com
250 alln-inbound-e.cisco.com
MAIL FROM:                                  <- Envelope: verified by SPF (invisible to the end-user)
250 sender ok
RCPT TO:                                    <- Envelope
250 recipient ok
DATA
354 go ahead
Subject: SMTP CONVERSATION TEST MESSAGE     <- Headers
From: Email Admin                           <- Headers: the From domain is what DMARC checks alignment against (visible to the end-user)
To: Robert Sherwin (robsherw)               <- Headers

Here is the email, hope you receive it.     <- Body: integrity of the body and the signed headers is verified by DKIM (invisible to the end-user)
.
250 ok: Message 143004492 accepted
quit
221 alln-inbound-e.cisco.com
Connection closed by foreign host.

What is SPF, DKIM, DMARC?

Sender Policy Framework (SPF)
• Allows recipients to verify the connecting IP address by looking up a DNS TXT record that lists the mail gateways authorized to send for a domain (the domain of the Envelope From / MAIL FROM, or the HELO name when the Envelope From is empty).
• Verification of an SPF record can produce these results: Pass, Fail, SoftFail, Neutral, None, PermError, TempError.

> dig igo232.com TXT +short
"v=spf1 ip4:139.138.32.156 ip4:139.138.56.31 ip4:136.56.60.2 -all"

DomainKeys Identified Mail (DKIM)
• Specifies methods for gateway-based cryptographic signing of outbound messages, embedding the signature in an e-mail header (DKIM-Signature), and ways for recipients to verify the integrity of the signed headers and body using the signer's public key, published in DNS under selector._domainkey.domain (here the selector is "google").

> dig google._domainkey.igo232.com TXT +short
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqDsxWVJKWk/MO0fEIhaTqJFECwVysZnASTnl" "5me66ixhpsTfpvt4bw7sbTeM5a8OHadKkReCx1D2tBoXKPWhDICq5glRBcCh1f5pkpcUtc4ZV49GUI0T" "pUcMoOZl8QJhiRIoEN5VH+bJBHC4B3UuUaGA778j0r1zgyVluHOgBTipl5YKwvOl7SaLwrvhI054O62p" "hu5OoZfBhXVmwh1l3hcTaeQbfrZOwpVX3+5RuFPwD+qdANCJVjzm5Xz5vVI1mDtqrg+df5EXra5YrWjE" "E4qd2CMz7KTd+CMfvS4WdYmLgEjKNExvg0NXC4DCYr0QVykmtvM/c31TjYD2MmKGZQIDAQAB"

Domain-based Message Authentication, Reporting, and Conformance (DMARC)
• Leverages the existing SPF and DKIM technologies, provides the glue that ties their results to the visible From header, and lets senders publish a policy (p=none, quarantine or reject) for messages that fail while gaining visibility into offending traffic.
• Reports go back to the domain owner, i.e. the entity being spoofed (rua= aggregate reports, ruf= failure reports).
• Takes BOTH SPF authentication and DKIM verification as inputs, but a message passes DMARC when EITHER one passes with an aligned identifier; it does not require both.
• Alignment means the authenticated domain (SPF: Envelope From domain; DKIM: the d= domain) matches the Header From domain, either exactly (strict) or at the organizational-domain level (relaxed, the default).

> dig _dmarc.igo232.com TXT +short
"v=DMARC1; p=none; fo=1; ri=3600; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected],mailto:[email protected]"
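To make the "either SPF or DKIM, but aligned" rule concrete, here is an added Python example (written for this write-up, not Cisco Email Security code) that evaluates the igo232.com SPF record from the dig output above against a connecting IP and then runs the DMARC decision over the SPF and DKIM results. Assumptions: only ip4:/ip6:/all SPF mechanisms are evaluated (the record above uses nothing else; include:/a:/mx: would need live DNS), the pct= and sp= DMARC tags are not modelled, and the organizational domain is approximated as the last two labels instead of consulting the Public Suffix List. The 203.0.113.5 address is a constructed spoof source from the documentation range.

```python
"""Offline SPF check and DMARC evaluation (subset of RFC 7208 and RFC 7489).

Added example for this session write-up; not Cisco code. Assumptions: only
ip4:/ip6:/all SPF mechanisms are evaluated, pct= and sp= are not modelled, and
the organizational domain is approximated as the last two labels (no PSL).
"""
import ipaddress

# Records for igo232.com as shown in the dig output on the slide.
SPF_RECORD = "v=spf1 ip4:139.138.32.156 ip4:139.138.56.31 ip4:136.56.60.2 -all"
DMARC_RECORD = "v=DMARC1; p=none; fo=1; ri=3600"


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list (DMARC and DKIM records share this form)."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def spf_check_host(ip, record):
    """check_host() for one connecting IP: pass / fail / softfail / neutral / none / permerror."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable SPF record for the domain
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"                         # a mechanism without a qualifier means '+'
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return qualifiers[qual]        # 'all' always matches; evaluation stops here
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return qualifiers[qual]
            continue
        return "permerror"                 # include:/a:/mx:/exists:/redirect= need DNS (not modelled)
    return "neutral"                       # no mechanism matched and no 'all' term


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption, see above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match; 'r' (relaxed, the
    default) accepts any name under the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(header_from_domain, spf_result, mailfrom_domain, dkim_results, dmarc_record):
    """Return (dmarc_result, disposition, detail).

    spf_result / mailfrom_domain: SPF verdict for the RFC5321.MailFrom identity.
    dkim_results: [(verdict, d=domain), ...], one entry per DKIM-Signature header.
    DMARC passes when EITHER SPF or DKIM passes AND that identifier aligns with
    the RFC5322.From domain; it never requires both to pass.
    """
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none", "none", {"spf_aligned": False, "dkim_aligned": False}
    spf_aligned = spf_result == "pass" and aligned(mailfrom_domain, header_from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(v == "pass" and aligned(d, header_from_domain, tags.get("adkim", "r"))
                       for v, d in dkim_results)
    detail = {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if spf_aligned or dkim_aligned:
        return "pass", "none", detail
    return "fail", tags["p"], detail       # p=none/quarantine/reject is the sender's requested disposition


if __name__ == "__main__":
    # The message from the mail_logs excerpt: unsigned, SPF pass, From igo232.com.
    spf = spf_check_host("136.56.60.2", SPF_RECORD)
    print(spf, evaluate_dmarc("igo232.com", spf, "igo232.com", [], DMARC_RECORD))
    # A spoof from an address outside the record (constructed, TEST-NET-3).
    spf = spf_check_host("203.0.113.5", SPF_RECORD)
    print(spf, evaluate_dmarc("igo232.com", spf, "igo232.com", [], "v=DMARC1; p=reject"))
```

The first call reproduces the verdict in the log excerpt later on this page: DMARC pass with SPF aligned True and DKIM aligned False, because the message was never DKIM signed. The second shows why p=none is only a monitoring mode: the spoof fails, but the requested disposition stays "none" until the domain owner moves to quarantine or reject.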

A typical incoming mail example (INCOMING)

The same mail_logs excerpt, grouped by the pipeline stage each set of lines belongs to.

Sender Reputation Filtering (SBRS):
Sun Jan 19 07:48:31 2020 Info: New SMTP ICID 553697 interface Data 1 (139.138.56.31) address 136.56.60.2 reverse dns host unknown verified no
Sun Jan 19 07:48:31 2020 Info: ICID 553697 ACCEPT SG WHITELIST match 136.56.60.2 SBRS None country United States
Sun Jan 19 07:48:31 2020 Info: Start MID 47831 ICID 553697
Sun Jan 19 07:48:31 2020 Info: MID 47831 ICID 553697 From:
Sun Jan 19 07:48:32 2020 Info: MID 47831 ICID 553697 RID 0 To:

Connection Filtering (SPF and DMARC verification):
Sun Jan 19 07:48:32 2020 Info: MID 47831 using engine: SPF Verdict Cache using cached verdict
Sun Jan 19 07:48:32 2020 Info: SPF Verdict Cache cache status: hits = 21, misses = 599, expires = 66, adds = 597, seconds saved = 1.25, total seconds = 9.85
Sun Jan 19 07:48:32 2020 Info: MID 47831 SPF: mailfrom identity [email protected] Pass (v=spf1)
Sun Jan 19 07:48:32 2020 Info: MID 47831 DMARC: Message from domain igo232.com, DMARC pass (SPF aligned True, DKIM aligned False)
Sun Jan 19 07:48:32 2020 Info: MID 47831 DMARC: Verification passed
Sun Jan 19 07:48:32 2020 Info: MID 47831 Message-ID '<[email protected]>'
Sun Jan 19 07:48:32 2020 Info: MID 47831 Subject 'test Sun, 19 Jan 2020 10:40:55 -0500'

Sender Domain Reputation (SDR):
Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Domains for which SDR is requested: reverse DNS host: Not Present, helo: igo232.com, env-from: igo232.com, header-from: igo232.com, reply-to: Not Present
Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Consolidated Sender Reputation: Neutral, Threat Category: N/A. Youngest Domain Age: 7 years 7 months 9 days for domain: igo232.com
Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Tracker Header : Z70s+zOlQHLls4HSI8tlwK7ZNzPd7yJ4OjxJcV3FQSJIClldZrc1B+xFSS3EwCBdn9hVe8nxgbuhPqL6DICgRRjgJRvy6fvpOttFh29MMdLzxZDAAetqfXXtCa+AMJ7Mv8vXiMVSGrpphnZ1wqorUeUcAdzi/I/qKqvobDm2i8Pnt5NZU98RalCTrB6/MZ2eeUBod5EEsBFdYsAO2yAawuP28/z6B4T2YDDridD6CZG5CNWusOvmaEjxy3Md7P8dm+1kdg/YTtMz+k8X6BTwxh3bET76uqu7Lz3EBA0QwRUETZdj/VA7w9312kQsHTXe

Message Filtering:
Sun Jan 19 07:48:32 2020 Info: MID 47831 ready 795 bytes from
Sun Jan 19 07:48:32 2020 Info: MID 47831 Custom Log Entry: <<<=== MF_SDR_Verdict_matched ===>>>

Per-policy filtering:
Sun Jan 19 07:48:32 2020 Info: MID 47831 matched all recipients for per-recipient policy robsherw in the inbound table
Sun Jan 19 07:48:32 2020 Info: ICID 553697 close
Sun Jan 19 07:48:32 2020 Info: MID 47831 interim verdict using engine: CASE spam negative
Sun Jan 19 07:48:32 2020 Info: MID 47831 using engine: CASE spam negative
Sun Jan 19 07:48:32 2020 Info: MID 47831 interim AV verdict using Sophos CLEAN
Sun Jan 19 07:48:32 2020 Info: MID 47831 antivirus negative
Sun Jan 19 07:48:33 2020 Info: MID 47831 AMP file reputation verdict : UNKNOWN
Sun Jan 19 07:48:33 2020 Info: MID 47831 DomainKeys: signing with _igo232_com-DK - matches [email protected]
Sun Jan 19 07:48:33 2020 Info: MID 47831 DKIM: signing with _igo232_com-DKIM - matches [email protected]
Sun Jan 19 07:48:34 2020 Info: MID 47831 rewritten to MID 47832 by add-footer filter 'Footer Stamping'
Sun Jan 19 07:48:34 2020 Info: Message finished MID 47831 done

Delivery:
Sun Jan 19 07:48:34 2020 Info: MID 47832 queued for delivery
Sun Jan 19 07:48:34 2020 Info: New SMTP DCID 27388 interface 139.138.56.31 address 104.47.70.110 port 25
Sun Jan 19 07:48:34 2020 Info: DCID 27388 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Sun Jan 19 07:48:35 2020 Info: Delivery start DCID 27388 MID 47832 to RID [0]
Sun Jan 19 07:48:36 2020 Info: Message done DCID 27388 MID 47832 to RID [0] [('Authentication-Results', 'esa1.hc3033-47.iphmx.com; dkim=none (message not signed) header.i=none; spf=Pass [email protected]; dmarc=pass (p=none dis=none) d=igo232.com'), ('from', '[email protected]')]
Sun Jan 19 07:48:36 2020 Info: MID 47832 RID [0] Response '2.6.0 <[email protected]> [InternalId=4307852199405, Hostname=MN2PR13MB3184.namprd13.prod.outlook.com] 15696 bytes in 0.296, 51.633 KB/sec Queued mail for delivery'
Sun Jan 19 07:48:36 2020 Info: Message finished MID 47832 done

Note the Authentication-Results header stamped on delivery: dkim=none (the message was never signed), spf=Pass, dmarc=pass. The DMARC pass rests on SPF alone, which is exactly the "either one, aligned" rule: DKIM aligned False did not make the message fail.

[('Authentication-Results', 'esa1.hc3033-47.iphmx.com; dkim=none (message not signed) header.i=none; spf=Pass [email protected]; dmarc=pass (p=none dis=none) d=igo232.com'), ('from', '[email protected]')] Sun Jan 19 07:48:36 2020 Info: MID 47832 RID [0] Response '2.6.0 <[email protected]> [InternalId=4307852199405, Hostname=MN2PR13MB3184.namprd13.prod.outlook.com] 15696 bytes in 0.296, 51.633 KB/sec Queued mail for delivery' Sun Jan 19 07:48:36 2020 Info: Message finished MID 47832 done

BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 27 A typical incoming mail example Sun Jan 19 07:48:31 2020 Info: New SMTP ICID 553697 interface Data 1 (139.138.56.31) address 136.56.60.2 reverse dns host unknown verified no Sun Jan 19 07:48:31 2020 Info: ICID 553697 ACCEPT SG WHITELIST match 136.56.60.2 SBRS None country United States Sun Jan 19 07:48:31 2020 Info: Start MID 47831 ICID 553697 Sun Jan 19 07:48:31 2020 Info: MID 47831 ICID 553697 From: Sun Jan 19 07:48:32 2020 Info: MID 47831 ICID 553697 RID 0 To: Sun Jan 19 07:48:32 2020 Info: MID 47831 using engine: SPF Verdict Cache using cached verdict Content Scanning (CASE) Sun Jan 19 07:48:32 2020 Info: SPF Verdict Cache cache status: hits = 21, misses = 599, expires = 66, adds = 597, seconds saved = 1.25, total seconds = 9.85 Sun Jan 19 07:48:32 2020 Info: MID 47831 SPF: mailfrom identity [email protected] Pass (v=spf1) Sun Jan 19 07:48:32 2020 Info: MID 47831 DMARC: Message from domain igo232.com, DMARC pass (SPF aligned True, DKIM aligned False) Sun Jan 19 07:48:32 2020 Info: MID 47831 DMARC: Verification passed Anti-virus Scanning (AV) Sun Jan 19 07:48:32 2020 Info: MID 47831 Message-ID '<[email protected]>' Sun Jan 19 07:48:32 2020 Info: MID 47831 Subject 'test Sun, 19 Jan 2020 10:40:55 -0500' Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Domains for which SDR is requested: reverse DNS host: Not Present, helo: igo232.com, env-from: igo232.com, header-from: igo232.com, reply-to: Not Present Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Consolidated Sender Reputation: Neutral, Threat Category: N/A. 
YoungestAdvanced Domain Age: 7 years Malware7 months 9 days for Protection domain: igo232.com (AMP) Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Tracker Header : Z70s+zOlQHLls4HSI8tlwK7ZNzPd7yJ4OjxJcV3FQSJIClldZrc1B+xFSS3EwCBdn9hVe8nxgbuhPqL6DICgRRjgJRvy6fvpOttFh29MMdLzxZDAAetqfXXtCa+AMJ7Mv8vXiMVSGrpphnZ1wqorUeUcAdzi/I/qKqvobDm2i8Pnt5NZU98RalCTrB6/MZ2eeUB od5EEsBFdYsAO2yAawuP28/z6B4T2YDDridD6CZG5CNWusOvmaEjxy3Md7P8dm+1kdg/YTtMz+k8X6BTwxh3bET76uqu7Lz3EBA0QwRUETZdj/VA7w9312kQsHTXe Sun Jan 19 07:48:32 2020 Info: MID 47831 ready 795 bytes from Sun Jan 19 07:48:32 2020 Info: MID 47831 Custom Log Entry: <<<=== MF_SDR_Verdict_matched ===>>> Sun Jan 19 07:48:32 2020 Info: MID 47831 matched all recipients for per-recipient policy robsherw in the inbound table Sun Jan 19 07:48:32 2020 Info: ICID 553697 close Sun Jan 19 07:48:32 2020 Info: MID 47831 interim verdict using engine: CASE spam negative Sun Jan 19 07:48:32 2020 Info: MID 47831 using engine: CASE spam negative Sun Jan 19 07:48:32 2020 Info: MID 47831 interim AV verdict using Sophos CLEAN Sun Jan 19 07:48:32 2020 Info: MID 47831 antivirus negative Sun Jan 19 07:48:33 2020 Info: MID 47831 AMP file reputation verdict : UNKNOWN Sun Jan 19 07:48:33 2020 Info: MID 47831 DomainKeys: signing with _igo232_com-DK - matches [email protected] enabled, we would also see... 
Sun Jan 19 07:48:33 2020 Info: MID 47831 DKIM: signing with _igo232_com-DKIM - matches [email protected] Sun Jan 19 07:48:34 2020 Info: MID 47831 rewritten to MID 47832 by add-footer filter 'Footer Stamping' Sun Jan 19 07:48:34 2020 Info: Message finished MID 47831 done Graymail Detection Sun Jan 19 07:48:34 2020 Info: MID 47832 queued for delivery Sun Jan 19 07:48:34 2020 Info: New SMTP DCID 27388 interface 139.138.56.31 address 104.47.70.110 port 25 Sun Jan 19 07:48:34 2020 Info: DCID 27388 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384 Sun Jan 19 07:48:35 2020 Info: Delivery start DCID 27388 MID 47832 to RID [0] Sun Jan 19 07:48:36 2020 Info: Message done DCID 27388 MID 47832 to RID [0] [('Authentication-Results', 'esa1.hc3033-47.iphmx.com; dkim=noneContent (message not Filteringsigned) header.i=none; spf=Pass [email protected]; dmarc=pass (p=none dis=none) d=igo232.com'), ('from', '[email protected]')] Sun Jan 19 07:48:36 2020 Info: MID 47832 RID [0] Response '2.6.0 <[email protected]> [InternalId=4307852199405, Hostname=MN2PR13MB3184.namprd13.prod.outlook.com] 15696 bytes in 0.296, 51.633 KB/sec Queued mail for delivery' Sun Jan 19 07:48:36 2020 Info: Message finished MID 47832 done Outbreak Filtering (VOF)

BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 28 A typical incoming mail example Sun Jan 19 07:48:31 2020 Info: New SMTP ICID 553697 interface Data 1 (139.138.56.31) address 136.56.60.2 reverse dns host unknown verified no Sun Jan 19 07:48:31 2020 Info: ICID 553697 ACCEPT SG WHITELIST match 136.56.60.2 SBRS None country United States Sun Jan 19 07:48:31 2020 Info: Start MID 47831 ICID 553697 Sun Jan 19 07:48:31 2020 Info: MID 47831 ICID 553697 From: Sun Jan 19 07:48:32 2020 Info: MID 47831 ICID 553697 RID 0 To: Sun Jan 19 07:48:32 2020 Info: MID 47831 using engine: SPF Verdict Cache using cached verdict Sun Jan 19 07:48:32 2020 Info: SPF Verdict Cache cache status: hits = 21, misses = 599, expires = 66, adds = 597, seconds saved = 1.25, total seconds = 9.85 Sun Jan 19 07:48:32 2020 Info: MID 47831 SPF: mailfrom identity [email protected] Pass (v=spf1) Sun Jan 19 07:48:32 2020 Info: MID 47831 DMARC: Message from domain igo232.com, DMARC pass (SPF aligned True, DKIM aligned False) Sun Jan 19 07:48:32 2020 Info: MID 47831 DMARC: Verification passed Sun Jan 19 07:48:32 2020 Info: MID 47831 Message-ID '<[email protected]>' Sun Jan 19 07:48:32 2020 Info: MID 47831 Subject 'test Sun, 19 Jan 2020 10:40:55 -0500' Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Domains for which SDR is requested: reverse DNS host: Not Present, helo: igo232.com, env-from: igo232.com, header-from: igo232.com, reply-to: Not Present Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Consolidated Sender Reputation: Neutral, Threat Category: N/A. 
Youngest Domain Age: 7 years 7 months 9 days for domain: igo232.com Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Tracker Header : Z70s+zOlQHLls4HSI8tlwK7ZNzPd7yJ4OjxJcV3FQSJIClldZrc1B+xFSS3EwCBdn9hVe8nxgbuhPqL6DICgRRjgJRvy6fvpOttFh29MMdLzxZDAAetqfXXtCa+AMJ7Mv8vXiMVSGrpphnZ1wqorUeUcAdzi/I/qKqvobDm2i8Pnt5NZU98RalCTrB6/MZ2eeUB od5EEsBFdYsAO2yAawuP28/z6B4T2YDDridD6CZG5CNWusOvmaEjxy3Md7P8dm+1kdg/YTtMz+k8X6BTwxh3bET76uqu7Lz3EBA0QwRUETZdj/VA7w9312kQsHTXe Sun Jan 19 07:48:32 2020 Info: MID 47831 ready 795 bytes from Sun Jan 19 07:48:32 2020 Info: MID 47831 Custom Log Entry: <<<=== MF_SDR_Verdict_matched ===>>> Sun Jan 19 07:48:32 2020 Info: MID 47831 matched all recipients for per-recipient policy robsherw in the inbound table Sun Jan 19 07:48:32 2020 Info: ICID 553697 close Sun Jan 19 07:48:32 2020 Info: MID 47831 interim verdict using engine: CASE spam negative Sun Jan 19 07:48:32 2020 Info: MID 47831 using engine: CASE spam negative Sun Jan 19 07:48:32 2020 Info: MID 47831 interim AV verdict using Sophos CLEAN Sun Jan 19 07:48:32 2020 Info: MID 47831 antivirus negative Sun Jan 19 07:48:33 2020 Info: MID 47831 AMP file reputation verdict : UNKNOWN Sun Jan 19 07:48:33 2020 Info: MID 47831 DomainKeys: signing with _igo232_com-DK - matches [email protected] Sun Jan 19 07:48:33 2020 Info: MID 47831 DKIM: signing with _igo232_com-DKIM - matches [email protected] SMTP Client Sun Jan 19 07:48:34 2020 Info: MID 47831 rewritten to MID 47832 by add-footer filter 'Footer Stamping' Sun Jan 19 07:48:34 2020 Info: Message finished MID 47831 done Sun Jan 19 07:48:34 2020 Info: MID 47832 queued for delivery Sun Jan 19 07:48:34 2020 Info: New SMTP DCID 27388 interface 139.138.56.31 address 104.47.70.110 port 25 Sun Jan 19 07:48:34 2020 Info: DCID 27388 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384 Sun Jan 19 07:48:35 2020 Info: Delivery start DCID 27388 MID 47832 to RID [0] Sun Jan 19 07:48:36 2020 Info: Message done DCID 27388 MID 47832 to RID [0] 
[('Authentication-Results', 'esa1.hc3033-47.iphmx.com; dkim=none (message not signed) header.i=none; spf=Pass [email protected]; dmarc=pass (p=none dis=none) d=igo232.com'), ('from', '[email protected]')] Sun Jan 19 07:48:36 2020 Info: MID 47832 RID [0] Response '2.6.0 <[email protected]> [InternalId=4307852199405, Hostname=MN2PR13MB3184.namprd13.prod.outlook.com] 15696 bytes in 0.296, 51.633 KB/sec Queued mail for delivery' Sun Jan 19 07:48:36 2020 Info: Message finished MID 47832 done

BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 29 A typical incoming mail example Sun Jan 19 07:48:31 2020 Info: New SMTP ICID 553697 interface Data 1 (139.138.56.31) address 136.56.60.2 reverse dns host unknown verified no Sun Jan 19 07:48:31 2020 Info: ICID 553697 ACCEPT SG WHITELIST match 136.56.60.2 SBRS None country United States Sun Jan 19 07:48:31 2020 Info: Start MID 47831 ICID 553697 Sun Jan 19 07:48:31 2020 Info: MID 47831 ICID 553697 From: Sun Jan 19 07:48:32 2020 Info: MID 47831 ICID 553697 RID 0 To: Sun Jan 19 07:48:32 2020 Info: MID 47831 using engine: SPF Verdict Cache using cached verdict Sun Jan 19 07:48:32 2020 Info: SPF Verdict Cache cache status: hits = 21, misses = 599, expires = 66, adds = 597, seconds saved = 1.25, total seconds = 9.85 Sun Jan 19 07:48:32 2020 Info: MID 47831 SPF: mailfrom identity [email protected] Pass (v=spf1) Sun Jan 19 07:48:32 2020 Info: MID 47831 DMARC: Message from domain igo232.com, DMARC pass (SPF aligned True, DKIM aligned False) Sun Jan 19 07:48:32 2020 Info: MID 47831 DMARC: Verification passed Sun Jan 19 07:48:32 2020 Info: MID 47831 Message-ID '<[email protected]>' Sun Jan 19 07:48:32 2020 Info: MID 47831 Subject 'test Sun, 19 Jan 2020 10:40:55 -0500' Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Domains for which SDR is requested: reverse DNS host: Not Present, helo: igo232.com, env-from: igo232.com, header-from: igo232.com, reply-to: Not Present Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Consolidated Sender Reputation: Neutral, Threat Category: N/A. 
Youngest Domain Age: 7 years 7 months 9 days for domain: igo232.com Sun Jan 19 07:48:32 2020 Info: MID 47831 SDR: Tracker Header : Z70s+zOlQHLls4HSI8tlwK7ZNzPd7yJ4OjxJcV3FQSJIClldZrc1B+xFSS3EwCBdn9hVe8nxgbuhPqL6DICgRRjgJRvy6fvpOttFh29MMdLzxZDAAetqfXXtCa+AMJ7Mv8vXiMVSGrpphnZ1wqorUeUcAdzi/I/qKqvobDm2i8Pnt5NZU98RalCTrB6/MZ2eeUB od5EEsBFdYsAO2yAawuP28/z6B4T2YDDridD6CZG5CNWusOvmaEjxy3Md7P8dm+1kdg/YTtMz+k8X6BTwxh3bET76uqu7Lz3EBA0QwRUETZdj/VA7w9312kQsHTXe Sun Jan 19 07:48:32 2020 Info: MID 47831 ready 795 bytes from Sun Jan 19 07:48:32 2020 Info: MID 47831 Custom Log Entry: <<<=== MF_SDR_Verdict_matched ===>>> Sun Jan 19 07:48:32 2020 Info: MID 47831 matched all recipients for per-recipient policy robsherw in the inbound table Sun Jan 19 07:48:32 2020 Info: ICID 553697 close Sun Jan 19 07:48:32 2020 Info: MID 47831 interim verdict using engine: CASE spam negative Sun Jan 19 07:48:32 2020 Info: MID 47831 using engine: CASE spam negative Sun Jan 19 07:48:32 2020 Info: MID 47831 interim AV verdict using Sophos CLEAN Sun Jan 19 07:48:32 2020 Info: MID 47831 antivirus negative Sun Jan 19 07:48:33 2020 Info: MID 47831 AMP file reputation verdict : UNKNOWN Sun Jan 19 07:48:33 2020 Info: MID 47831 DomainKeys: signing with _igo232_com-DK - matches [email protected] Sun Jan 19 07:48:33 2020 Info: MID 47831 DKIM: signing with _igo232_com-DKIM - matches [email protected] Sun Jan 19 07:48:34 2020 Info: MID 47831 rewritten to MID 47832 by add-footer filter 'Footer Stamping' Sun Jan 19 07:48:34 2020 Info: Message finished MID 47831 done Sun Jan 19 07:48:34 2020 Info: MID 47832 queued for delivery Sun Jan 19 07:48:34 2020 Info: New SMTP DCID 27388 interface 139.138.56.31 address 104.47.70.110 port 25 Delivery Sun Jan 19 07:48:34 2020 Info: DCID 27388 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384 Sun Jan 19 07:48:35 2020 Info: Delivery start DCID 27388 MID 47832 to RID [0] Sun Jan 19 07:48:36 2020 Info: Message done DCID 27388 MID 47832 to RID [0] 
[('Authentication-Results', 'esa1.hc3033-47.iphmx.com; dkim=none (message not signed) header.i=none; spf=Pass [email protected]; dmarc=pass (p=none dis=none) d=igo232.com'), ('from', '[email protected]')] Sun Jan 19 07:48:36 2020 Info: MID 47832 RID [0] Response '2.6.0 <[email protected]> [InternalId=4307852199405, Hostname=MN2PR13MB3184.namprd13.prod.outlook.com] 15696 bytes in 0.296, 51.633 KB/sec Queued mail for delivery' Sun Jan 19 07:48:36 2020 Info: Message finished MID 47832 done

Utilizing SPF, DKIM, DMARC on Cisco Email Security

Anti-spoof, throttling & authentication: Connection Filtering (INCOMING)
Encryption & authentication enforcement: Connection Filtering (OUTBOUND)

Where does Cisco Email Security help?

Remember the email security mail flow pipeline?

AsyncOS supports email verification and signing to prevent email forgery.

Incoming mail verification supports & uses (remember our list of acronyms?):
• Sender Policy Framework (SPF)
• Sender ID Framework (SIDF)
• DomainKeys Identified Mail (DKIM)
• Domain-based Message Authentication, Reporting and Conformance (DMARC)
• Forged Email Detection (FED)

To authenticate outbound mail, DomainKeys and DKIM signing are supported.

Where does Cisco Email Security help?

SPF, DKIM, DMARC checks using the security features inside of a Mail Flow Policy are included in the Cisco Email Security licensing.

Note: Starting with AsyncOS 13.5 for Email Security, the ESA will incorporate the Cisco Advanced Phishing Protection (APP) product and act as the sensor, forwarding metadata of an email to the APP Cloud, just before delivering the email to the end-user’s mailbox.

This requires an Advanced Phishing Protection subscription (license). See the Cisco Email Security Ordering Guide for GPL: http://cs.co/email_GPL

Where does Cisco Email Security help?

To pass DMARC verification, an email must pass at least one of these authentication mechanisms (SPF or DKIM), and the authenticated identifier must align with the domain in the RFC 5322 From: header.

The Email Security appliance allows you to:
• Verify incoming emails using DMARC.
• Define profiles to override (accept, quarantine, or reject) domain owners’ policies.
• Send feedback reports to domain owners, which helps to strengthen their authentication deployments.
• Send delivery error reports to the domain owners if the DMARC aggregate report size exceeds 10 MB or the size specified in the RUA tag of the DMARC record.

• The ESA will not perform DMARC verification of messages from domains with malformed DMARC records. However, the appliance can receive and process such messages.

DMARC verification workflow

1. A listener configured on an ESA receives an SMTP connection.
2. The ESA performs SPF and DKIM verification on the message.
3. The ESA fetches the DMARC record for the sender’s domain from the DNS.
   • If no record is found, the ESA skips the DMARC verification and continues processing.
   • If the DNS lookup fails, the ESA acts based on the specified DMARC verification profile.
4. Depending on the DKIM and SPF verification results, the ESA performs DMARC verification on the message.
   • Note: If DKIM and SPF verification is enabled, DMARC verification reuses the DKIM and SPF verification results.
5. Depending on the DMARC verification result and the specified DMARC verification profile, the ESA accepts, quarantines, or rejects the message. If the message is not rejected due to DMARC verification failure, the ESA continues processing.
6. The ESA sends an appropriate SMTP response and continues processing.
7. If sending of aggregate reports is enabled, the ESA gathers DMARC verification data and includes it in the daily report sent to the domain owners. For more information about the DMARC aggregate feedback report, see DMARC Aggregate Reports.
   • Note: If the aggregate report size exceeds 10 MB or the size specified in the RUA tag of the DMARC record, the ESA sends delivery error reports to the domain owners.

Policy level (Mail Flow Policies)

• Cisco’s recommendation is to configure SPF, DKIM and DMARC verification at the Mail Flow Policy level, so that it happens during the initial connection for incoming mail, and to configure signing for outgoing mail.

Mail logs example

When enabled, the mail logs show the ESA validating SPF, DKIM and DMARC right at the start of the SMTP conversation...

Thu Jan 16 08:57:35 2020 Info: New SMTP ICID 550475 interface Data 1 (139.139.139.139) address 136.136.1.1 reverse dns host unknown verified no
Thu Jan 16 08:57:35 2020 Info: ICID 550475 ACCEPT SG WHITELIST match 136.136.1.1 SBRS None country None
Thu Jan 16 08:57:36 2020 Info: Start MID 47676 ICID 550475
Thu Jan 16 08:57:36 2020 Info: MID 47676 ICID 550475 From:
Thu Jan 16 08:57:37 2020 Info: MID 47676 ICID 550475 RID 0 To:
Thu Jan 16 08:57:38 2020 Info: MID 47676 SPF: mailfrom identity [email protected] Pass (v=spf1)
Thu Jan 16 08:57:43 2020 Info: MID 47676 DMARC: Message from domain pipershark.com, DMARC pass (SPF aligned True, DKIM aligned False)
Thu Jan 16 08:57:43 2020 Info: MID 47676 DMARC: Verification passed
Thu Jan 16 08:57:43 2020 Info: MID 47676 Subject '.:|:.:|:. SMTP - EMAIL Jan 16 11:50:09 AM '

...

Logging additional headers

• Under Log Subscriptions Settings (GUI) or the logconfig command (CLI), configure additional headers to be logged

• These will be displayed in the mail_logs and message tracking output upon creation of a DCID (Delivery Connection ID)

Sun Jan 19 07:48:36 2020 Info: Message done DCID 27388 MID 47832 to RID [0] [('Authentication-Results', 'esa1.hc3033-47.iphmx.com; dkim=none (message not signed) header.i=none; spf=Pass [email protected]; dmarc=pass (p=none dis=none) d=igo232.com'), ('from', '[email protected]')]

Content filtering conditions (Incoming/Outgoing Mail Policies)

Content protection: Content Filtering (INCOMING)

As mail moves through the pipeline, with Content Filtering, an administrator could choose to take further actions based on SPF & DKIM conditions...

Content filtering example

In this example, we’ll choose to quarantine any message that Fails or SoftFails SPF...

Thu Jan 16 09:39:49 2020 Info: MID 47695 SPF: mailfrom identity [email protected] SoftFail (v=spf1)
Thu Jan 16 09:39:54 2020 Info: MID 47695 DMARC: Verification skipped (No record found for the sending domain)
Thu Jan 16 09:39:54 2020 Info: MID 47695 DMARC:
Thu Jan 16 09:39:54 2020 Info: MID 47695 Subject '.:|:.:|:. SMTP - EMAIL Jan 16 12:32:20 PM '
...
Thu Jan 16 09:39:56 2020 Info: MID 47696 was generated based on MID 47695 by duplicate-quarantine filter 'SPF_DKIM_FAIL'
...
Thu Jan 16 09:39:56 2020 Info: MID 47696 enqueued for transfer to centralized quarantine "SPF_DKIM_FAILURES" (duplicated by content filter SPF_DKIM_FAIL)
Thu Jan 16 09:39:56 2020 Info: MID 47696 queued for delivery
Thu Jan 16 09:39:56 2020 Info: MID 47695 Custom Log Entry: <<<=== SPF_DKIM_FAIL ===>>>
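As an added example (not Cisco's code), here is a small parser for the mail_logs lines shown on the last few slides (SPF verdict, DMARC alignment and result, and the logged Authentication-Results header), with a check that mirrors the content filter above: SPF Fail or SoftFail goes to the SPF_DKIM_FAILURES quarantine. The sample log lines are constructed with placeholder domains and authserv-id.

```python
"""Parse Cisco ESA mail_logs lines into per-MID SPF/DKIM/DMARC verdicts."""
import ast
import re
from collections import defaultdict

# Constructed sample lines in the mail_logs format shown on the slides.
# Domains, addresses and the authserv-id are placeholders, not real values.
SAMPLE_LOG = """\
Thu Jan 16 08:57:38 2020 Info: MID 47676 SPF: mailfrom identity sender@example.com Pass (v=spf1)
Thu Jan 16 08:57:43 2020 Info: MID 47676 DMARC: Message from domain example.com, DMARC pass (SPF aligned True, DKIM aligned False)
Thu Jan 16 08:57:43 2020 Info: MID 47676 DMARC: Verification passed
Thu Jan 16 09:39:49 2020 Info: MID 47695 SPF: mailfrom identity bulk@example.net SoftFail (v=spf1)
Thu Jan 16 09:39:54 2020 Info: MID 47695 DMARC: Verification skipped (No record found for the sending domain)
Sun Jan 19 07:48:36 2020 Info: Message done DCID 27388 MID 47832 to RID [0] [('Authentication-Results', 'esa1.example.invalid; dkim=none (message not signed) header.i=none; spf=Pass smtp.mailfrom=sender@example.com; dmarc=pass (p=none dis=none) d=example.com'), ('from', 'sender@example.com')]
"""

SPF_RE = re.compile(r"MID (\d+) SPF: (\w+) identity (\S+) (\w+) \(v=spf1\)")
DMARC_ALIGN_RE = re.compile(
    r"MID (\d+) DMARC: Message from domain (\S+), DMARC (\w+) "
    r"\(SPF aligned (\w+), DKIM aligned (\w+)\)")
DMARC_RESULT_RE = re.compile(r"MID (\d+) DMARC: Verification (\w+)(?: \((.*)\))?$")
# Extra headers configured under Log Subscriptions are appended to the
# "Message done" line as a Python-style list of (name, value) tuples.
HEADERS_RE = re.compile(r"Message done DCID \d+ MID (\d+) to RID \[\d+\] (\[.*\])$")


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id, {method: (result, props)})."""
    parts = [p.strip() for p in value.split(";")]
    authserv_id, methods = parts[0], {}
    for part in parts[1:]:
        part = re.sub(r"\([^)]*\)", "", part)   # drop comments such as "(message not signed)"
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method.lower()] = (result.lower(), props)
    return authserv_id, methods


def parse_mail_log(text):
    """Return {mid: record} with the SPF verdict, DMARC alignment/result and headers."""
    records = defaultdict(dict)
    for line in text.splitlines():
        if m := SPF_RE.search(line):
            mid, identity, address, verdict = m.groups()
            records[mid]["spf"] = {"identity": identity, "address": address, "verdict": verdict}
        elif m := DMARC_ALIGN_RE.search(line):
            mid, domain, verdict, spf_al, dkim_al = m.groups()
            records[mid].update(dmarc_domain=domain, spf_aligned=spf_al == "True",
                                dkim_aligned=dkim_al == "True")
        elif m := DMARC_RESULT_RE.search(line):
            mid, result, reason = m.groups()
            records[mid]["dmarc"] = result
            if reason:
                records[mid]["dmarc_reason"] = reason
        elif m := HEADERS_RE.search(line):
            mid, header_list = m.groups()
            headers = dict(ast.literal_eval(header_list))
            if "Authentication-Results" in headers:
                records[mid]["auth_results"] = parse_auth_results(headers["Authentication-Results"])[1]
    return dict(records)


def content_filter_action(record):
    """Mirror the slide's content filter: SPF Fail or SoftFail is duplicated into the
    SPF_DKIM_FAILURES quarantine; a skipped DMARC check is flagged; otherwise deliver."""
    spf = record.get("spf", {}).get("verdict", "").lower()
    if spf in ("fail", "softfail"):
        return "quarantine:SPF_DKIM_FAILURES"
    if record.get("dmarc") == "skipped":
        return "flag:dmarc-skipped"
    return "deliver"


if __name__ == "__main__":
    for mid, rec in parse_mail_log(SAMPLE_LOG).items():
        print(mid, rec.get("spf", {}).get("verdict"), rec.get("dmarc"), content_filter_action(rec))
```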

Forged Email Detection (FED)

Taking what we know from ‘authentication’ and applying it with FED

• FED will only create a log entry for a score that is the same as or higher than what is configured.
• Enable logging of From and Reply-To headers.

Skipped DMARC verification

Content protection: Message & Content Filtering (INCOMING)

New with AsyncOS 12.5: configuring content and message filters to handle messages that skipped DMARC verification. You can configure your appliance to take actions on messages that skipped DMARC verification.

Use the following settings in the Other Header content filter condition to categorize messages that skipped DMARC verification:

• Add the Header Name as X-Ironport-DMARC-Check-Result
• Select Header Value, choose Equals, and add any one of the following values: validskip, invalidskip, temperror, or permerror

The following is an example of message filter rule syntax that categorizes a message that skipped DMARC verification:

Quarantine_messages_DMARC_skip:
if (header("X-Ironport-DMARC-Check-Result") == "^validskip$")
{
    quarantine("Policy");
}
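To make the DMARC verification workflow slide and the skip categories above concrete, here is an added Python model (not ESA code) of the decision: SPF/DKIM identifier alignment against the From: domain, the no-record, lookup-failure and malformed-record branches, and the owner's p= policy with a profile-level override. The verification-profile dict, the fake DNS zone with placeholder domains, the simplified organizational-domain rule, and the mapping of "no record" to validskip and "malformed record" to permerror are this example's assumptions, not documented ESA behaviour.

```python
"""Model of the ESA DMARC verification workflow: SPF/DKIM identifier alignment
against the RFC 5322 From: domain, the domain owner's p= policy, and the
skip/error categories the gateway exposes in X-Ironport-DMARC-Check-Result."""
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed shape of a DMARC verification profile: maps the owner's requested
# policy (p=) and the two error categories to the gateway's action. Replacing
# "reject" with "quarantine" here is the profile-level override the slides mention.
DEFAULT_PROFILE = {"none": "accept", "quarantine": "quarantine", "reject": "reject",
                   "temperror": "accept", "permerror": "accept"}


@dataclass
class AuthResult:
    """What the SPF and DKIM stages hand to DMARC (workflow steps 2 and 4)."""
    spf_result: str    # pass / fail / softfail / neutral / none / temperror / permerror
    spf_domain: str    # envelope MAIL FROM domain that SPF evaluated
    dkim_result: str   # pass / fail / none
    dkim_domain: str   # d= tag of the verified signature, "" when unsigned
    header_from: str   # domain of the RFC 5322 From: header


def org_domain(domain: str) -> str:
    # Simplification: organizational domain = last two labels. A production
    # verifier consults the Public Suffix List (co.uk and friends).
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record into a tag dict; ValueError when malformed."""
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag {item!r}")
        key, value = (s.strip() for s in item.split("=", 1))
        tags[key] = value
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid v= / p= tag")
    tags.setdefault("adkim", "r")   # relaxed alignment is the RFC 7489 default
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_dmarc(auth: AuthResult, dns_lookup: Callable[[str], Optional[str]],
                   profile: dict = DEFAULT_PROFILE) -> tuple:
    """Return (check_result, action). check_result is pass, fail, or one of the
    header values validskip / temperror / permerror (assumed mapping);
    invalidskip is not modelled here."""
    try:
        txt = dns_lookup(f"_dmarc.{auth.header_from}")
    except TimeoutError:                 # DNS lookup failed: the profile decides
        return "temperror", profile["temperror"]
    if txt is None:                      # no record: skip DMARC, keep processing
        return "validskip", "accept"
    try:
        rec = parse_dmarc_record(txt)
    except ValueError:                   # malformed record: no verification is done
        return "permerror", profile["permerror"]
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.header_from, rec["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, auth.header_from, rec["adkim"])
    if spf_ok or dkim_ok:                # one aligned pass is enough
        return "pass", "accept"
    return "fail", profile[rec["p"]]


# Constructed DNS zone with placeholder domains (not real records).
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    "_dmarc.monitor.example": "v=DMARC1; p=none",
    "_dmarc.broken.example": "v=DMARC1 p=reject",    # missing ';' -> malformed
}


def fake_lookup(name: str) -> Optional[str]:
    if name == "_dmarc.slow.example":
        raise TimeoutError(name)
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    msg = AuthResult("pass", "mail.example.com", "none", "", "example.com")
    print(evaluate_dmarc(msg, fake_lookup))   # ('pass', 'accept')
```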

Signing Keys + Signing Profiles

• With DomainKeys or DKIM, the sender signs the email using public key cryptography. The verified domain can then be used to detect forgeries by comparing it with the domain in the From: (or Sender:) header of the email.

• DomainKeys and DKIM consist of two main parts: signing and verification. The ESA supports the “signing” half of the process for DomainKeys, and it supports both signing and verification for DKIM.

[Diagram: Cisco ESA between the end user and the Internet, ISPs & other mail gateways, with private and public DNS]

A typical outbound email

OUTBOUND

Tue Jan 21 12:21:33 2020 Info: New SMTP ICID 555358 interface Data 1 (139.138.56.31) address 136.56.60.2 reverse dns host unknown verified no
Tue Jan 21 12:21:33 2020 Info: ICID 555358 RELAY SG RELAYLIST match 136.56.60.2 SBRS 5.1 country United States    [Sender Reputation Filtering (SBRS)]
Tue Jan 21 12:21:34 2020 Info: Start MID 48002 ICID 555358
Tue Jan 21 12:21:34 2020 Info: MID 48002 ICID 555358 From:
Tue Jan 21 12:21:34 2020 Info: MID 48002 ICID 555358 RID 0 To:
Tue Jan 21 12:21:34 2020 Info: MID 48002 Message-ID '<[email protected]>'
Tue Jan 21 12:21:34 2020 Info: MID 48002 Subject 'test Tue, 21 Jan 2020 15:13:51 -0500'
Tue Jan 21 12:21:34 2020 Info: MID 48002 SDR: Tracker Header : /GI+ArS+s96Pw/NDcbjbuOMDRZ7pYV2uRcCkM2E26gK/2Bhhe+9Q84iWmXXHk/EMsCunsx2V/TwPbiQWZW7Jr1UsToU3kCSo09/GSidNs/zWaCqHdz/LSOTTGOpTihpZdte/xx6X0joa48dB7cxrhG/TQCyhr6cfhLD4Tj4dtbakHQcHfNNDrgVjjBggYNXKSKk VaTXNxp/hEew5ZUI6m2G1ck/VXwTAq3hc3RqlODxnlczByL17Tfd3LEjSLyKCOUNxpsNa1l2PRgR0sK3qdspzCcqu8yxGaoFcysML08k=
Tue Jan 21 12:21:34 2020 Info: MID 48002 ready 795 bytes from
Tue Jan 21 12:21:34 2020 Info: MID 48002 matched all recipients for per-recipient policy DEFAULT in the outbound table
Tue Jan 21 12:21:34 2020 Info: ICID 555358 close
Tue Jan 21 12:21:34 2020 Info: MID 48002 interim AV verdict using Sophos CLEAN
Tue Jan 21 12:21:34 2020 Info: MID 48002 antivirus negative
Tue Jan 21 12:21:34 2020 Info: MID 48002 AMP file reputation verdict : UNKNOWN
Tue Jan 21 12:21:34 2020 Info: MID 48002 DLP no violation
Tue Jan 21 12:21:34 2020 Info: MID 48002 DomainKeys: signing with _igo232_com-DK - matches [email protected]
Tue Jan 21 12:21:34 2020 Info: MID 48002 DKIM: signing with _igo232_com-DKIM - matches [email protected]
Tue Jan 21 12:21:34 2020 Info: MID 48002 queued for delivery
Tue Jan 21 12:21:35 2020 Info: New SMTP DCID 27466 interface 139.138.56.31 address 104.47.55.110 port 25
Tue Jan 21 12:21:35 2020 Info: DCID 27466 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Tue Jan 21 12:21:35 2020 Info: Delivery start DCID 27466 MID 48002 to RID [0]
Tue Jan 21 12:21:35 2020 Info: MID 48002 DKIM: Signing: Pre-check failed (profile - _igo232_com-DK) : unable to get signing profile, available profiles: ['_igo232_com-DKIM']
Tue Jan 21 12:21:35 2020 Info: MID 48002 DKIM: signed with _igo232_com-DK
Tue Jan 21 12:21:35 2020 Info: MID 48002 DKIM: signed with _igo232_com-DKIM
Tue Jan 21 12:21:36 2020 Info: Message done DCID 27466 MID 48002 to RID [0] [('Authentication-Results', 'esa1.hc3033-47.iphmx.com; dkim=none (message not signed) header.i=none'), ('from', '[email protected]')]
Tue Jan 21 12:21:36 2020 Info: MID 48002 RID [0] Response '2.6.0 <[email protected]> [InternalId=4728758996564, Hostname=BN7PR13MB2484.namprd13.prod.outlook.com] 12330 bytes in 0.076, 157.229 KB/sec Queued mail for delivery'
Tue Jan 21 12:21:36 2020 Info: Message finished MID 48002 done
Tue Jan 21 12:21:41 2020 Info: DCID 27466 close

Slides 45 to 49 repeat the log above and overlay one pipeline stage per slide. The callouts, mapped onto the log lines:

Connection Filtering: the ICID 555358 lines (new SMTP connection from 136.56.60.2 with no verified reverse DNS, sender group RELAYLIST matched under the RELAY policy, SBRS 5.1).

Per-policy filtering: 'MID 48002 matched all recipients for per-recipient policy DEFAULT in the outbound table'.

Anti-virus Scanning (AV): 'interim AV verdict using Sophos CLEAN' and 'antivirus negative'.

Advanced Malware Protection (AMP): 'AMP file reputation verdict : UNKNOWN'.

Data Loss Prevention (DLP): 'DLP no violation'.

When enabled, we would also see: Content Scanning (CASE), Graymail Detection, Content Filtering, Outbreak Filtering (VOF).

SMTP Client: 'MID 48002 queued for delivery' and the new DCID 27466 to 104.47.55.110 port 25. Slide 48 enlarges the two lines where the DomainKeys and DKIM signing profiles are selected for the message:

Tue Jan 21 12:21:34 2020 Info: MID 48002 DomainKeys: signing with _igo232_com-DK - matches [email protected]
Tue Jan 21 12:21:34 2020 Info: MID 48002 DKIM: signing with _igo232_com-DKIM - matches [email protected]

Delivery: the DCID 27466 lines (TLS success with TLSv1.2 and ECDHE-RSA-AES256-GCM-SHA384, Delivery start, Message done, the 2.6.0 response from the outlook.com host, DCID close). Slide 49 enlarges the signatures applied at delivery time:

Tue Jan 21 12:21:35 2020 Info: MID 48002 DKIM: signed with _igo232_com-DK
Tue Jan 21 12:21:35 2020 Info: MID 48002 DKIM: signed with _igo232_com-DKIM

Audience question (slide 50): what is the following...

Tue Jan 21 12:21:35 2020 Info: MID 48002 DKIM: Signing: Pre-check failed (profile - _igo232_com-DK) : unable to get signing profile, available profiles: ['_igo232_com-DKIM']

It’s a bug... The two 'signed with' lines and the 2.6.0 response that follow it show the message was still signed with both profiles and accepted by the receiving host.
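As an added example (not part of the original deck), the following Python script does what the slides above do by hand: it groups AsyncOS mail_logs lines by ICID, MID and DCID, pulls the per-stage verdict for one MID (sender group and SBRS, per-recipient policy, AV, AMP, DLP, signing profiles, TLS, SMTP response) and flags the anomalies a reviewer would want to see, the DKIM pre-check failure among them. The sample log is a trimmed copy of the excerpt above with placeholder example.com addresses where the slide left the addresses blank; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the mail_logs excerpt in the slides, with
# placeholder example.com addresses where the slide left the addresses blank.
SAMPLE_LOG = """\
Tue Jan 21 12:21:33 2020 Info: New SMTP ICID 555358 interface Data 1 (139.138.56.31) address 136.56.60.2 reverse dns host unknown verified no
Tue Jan 21 12:21:33 2020 Info: ICID 555358 RELAY SG RELAYLIST match 136.56.60.2 SBRS 5.1 country United States
Tue Jan 21 12:21:34 2020 Info: Start MID 48002 ICID 555358
Tue Jan 21 12:21:34 2020 Info: MID 48002 ICID 555358 From: <sender@example.com>
Tue Jan 21 12:21:34 2020 Info: MID 48002 ICID 555358 RID 0 To: <rcpt@example.net>
Tue Jan 21 12:21:34 2020 Info: MID 48002 matched all recipients for per-recipient policy DEFAULT in the outbound table
Tue Jan 21 12:21:34 2020 Info: ICID 555358 close
Tue Jan 21 12:21:34 2020 Info: MID 48002 interim AV verdict using Sophos CLEAN
Tue Jan 21 12:21:34 2020 Info: MID 48002 antivirus negative
Tue Jan 21 12:21:34 2020 Info: MID 48002 AMP file reputation verdict : UNKNOWN
Tue Jan 21 12:21:34 2020 Info: MID 48002 DLP no violation
Tue Jan 21 12:21:34 2020 Info: MID 48002 DomainKeys: signing with _igo232_com-DK - matches sender@example.com
Tue Jan 21 12:21:34 2020 Info: MID 48002 DKIM: signing with _igo232_com-DKIM - matches sender@example.com
Tue Jan 21 12:21:34 2020 Info: MID 48002 queued for delivery
Tue Jan 21 12:21:35 2020 Info: New SMTP DCID 27466 interface 139.138.56.31 address 104.47.55.110 port 25
Tue Jan 21 12:21:35 2020 Info: DCID 27466 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Tue Jan 21 12:21:35 2020 Info: Delivery start DCID 27466 MID 48002 to RID [0]
Tue Jan 21 12:21:35 2020 Info: MID 48002 DKIM: Signing: Pre-check failed (profile - _igo232_com-DK) : unable to get signing profile, available profiles: ['_igo232_com-DKIM']
Tue Jan 21 12:21:35 2020 Info: MID 48002 DKIM: signed with _igo232_com-DK
Tue Jan 21 12:21:35 2020 Info: MID 48002 DKIM: signed with _igo232_com-DKIM
Tue Jan 21 12:21:36 2020 Info: MID 48002 RID [0] Response '2.6.0 <id@example.com> Queued mail for delivery'
Tue Jan 21 12:21:36 2020 Info: Message finished MID 48002 done
Tue Jan 21 12:21:41 2020 Info: DCID 27466 close
"""

# "Tue Jan 21 12:21:33 2020 Info: <message>"
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} (?P<level>\w+): (?P<msg>.*)$"
)


def group_by_id(text):
    """Index every message by the ICID, MID and DCID numbers it mentions."""
    index = {k: defaultdict(list) for k in ("ICID", "MID", "DCID")}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for key, bucket in index.items():
            hit = re.search(r"\b%s (\d+)\b" % key, msg)
            if hit:
                bucket[int(hit.group(1))].append(msg)
    return index


def first(pattern, lines, group=1):
    """First capture of pattern across lines, or None."""
    for line in lines:
        m = re.search(pattern, line)
        if m:
            return m.group(group)
    return None


def find_anomalies(mlines, ilines, dlines, dcid):
    """Things a reviewer should look at even though the message was delivered."""
    out = []
    if any("reverse dns host unknown" in l for l in ilines):
        out.append("reverse-dns-unverified")
    if any("DKIM: Signing: Pre-check failed" in l for l in mlines):
        out.append("dkim-precheck-failed")
    if dcid and not any("TLS success" in l for l in dlines):
        out.append("delivered-without-tls")
    # A profile selected for signing that never produced a signature.
    selected = {first(r"signing with (\S+)", [l]) for l in mlines if ": signing with " in l}
    applied = {first(r"signed with (\S+)", [l]) for l in mlines if "signed with " in l}
    for profile in sorted(selected - applied):
        out.append("profile-not-applied:" + profile)
    return out


def summarize_mid(text, mid):
    """Per-stage verdicts for one message, following the MID to its ICID and DCID."""
    index = group_by_id(text)
    mlines = index["MID"][mid]
    icid = first(r"\bICID (\d+)", mlines)
    dcid = first(r"\bDCID (\d+)", mlines)
    ilines = index["ICID"][int(icid)] if icid else []
    dlines = index["DCID"][int(dcid)] if dcid else []
    return {
        "sender_group": first(r"ICID \d+ (\w+) SG (\S+) match", ilines, group=2),
        "sbrs": first(r"\bSBRS (\S+)", ilines),
        "policy": first(r"per-recipient policy (\S+) in the \w+ table", mlines),
        "table": first(r"per-recipient policy \S+ in the (\w+) table", mlines),
        "antivirus": first(r"interim AV verdict using \w+ (\w+)", mlines),
        "amp": first(r"AMP file reputation verdict : (\w+)", mlines),
        "dlp": first(r"\bDLP (.+)$", mlines),
        "dkim_signed": [first(r"DKIM: signed with (\S+)", [l]) for l in mlines if "DKIM: signed with" in l],
        "tls": first(r"TLS success protocol (\S+)", dlines),
        "smtp_response": first(r"Response '(\d\.\d\.\d) ", mlines),
        "anomalies": find_anomalies(mlines, ilines, dlines, dcid),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_mid(SAMPLE_LOG, 48002), indent=2))
```

On the excerpt this reports the verdicts the slides annotate (RELAYLIST / SBRS 5.1, policy DEFAULT in the outbound table, Sophos CLEAN, AMP UNKNOWN, DLP no violation, two DKIM signatures, TLSv1.2, 2.6.0) and two anomalies: the relay's unverified reverse DNS and the DKIM pre-check failure. The "profile-not-applied" check stays silent here because both selected profiles did sign, which is exactly why the pre-check line can be written off as cosmetic.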

Next-level utilization of SPF, DKIM, DMARC

• Advanced Phishing Protection (APP): phishing behavioral analytics & protection
• Domain Protection (DP): brand protection, SPF/DKIM/DMARC administration

Cisco Advanced Phishing Protection

More users rely on cloud applications like O365, making them more vulnerable to advanced phishing attacks. “Phishing attacks cost companies $9.1B in 2017.” - 2017 Global Fraud and Cybercrime Forecast. “32% of breaches involved phishing.” - Verizon 2019 Data Breach Investigations Report. The average solution does not work against advanced phishing attacks because these attacks carry no malware, which makes them hard to detect: they are sophisticated, low-volume, and targeted.

With Cisco Advanced Phishing Protection (APP):

• Gain a real-time understanding of senders; learn and authenticate email identities and behavioral relationships to protect against BEC attacks.
• Remove malicious emails from users’ inboxes to prevent wire fraud or other advanced attacks.
• Get detailed visibility into email attack activity, including total messages secured and attacks prevented.
• Augment the phishing and BEC detection and blocking capabilities offered in Cisco® Email Security.

Cisco Advanced Phishing Protection (slides 56 to 58: dashboard screenshots with the Threat Trends, Real Time and $ Summary views)

Cisco Advanced Phishing Protection (APP) provides:

• Advanced intelligence that authenticates senders in real-time. • A self-learning network that models your organization’s unique inbound traffic patterns to detect fraud quickly. • Efficient removal of malicious emails from users’ inboxes - even from Office365 mailboxes.

Cisco Domain Protection

Your organization allows third-party senders to use its domain for brand communications.

Attackers can exploit this and impersonate your domain to send phishing emails to your customers.

“3% of people will click on any given phishing campaign.” - Verizon 2019 Data Breach Investigations Report

With Cisco Domain Protection (CDP or DP)(sometimes DMP): (Acronyms!!!!?)

• Automates the DMARC email authentication process to achieve DMARC compliance.
• Gives you visibility into all your email senders via easy-to-read reporting.
• Helps you block unauthorized senders to reduce or eliminate phishing emails from your domain.

Cisco Domain Protection

• Typically, a customer sets up their DMARC record and receives reports.
• There are two distinct report types:
  • Aggregate report (rua): sent on an interval; a summary of all incidents from a sender domain.
  • Failure report (ruf): sent on (every) failure; a detailed report on an individual failure. (Caveat: only some receivers send ruf at all, and a ruf report can carry message content, so the ruf mailbox needs the same handling as the mail it describes.)
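An added example (not from the deck and not Cisco Domain Protection code) of the first thing a DMARC administrator does with a rua report, product or no product: parse the aggregate XML and answer, per sending IP, whether the mail was DMARC-aligned and what p=reject would have done to it. The report below is constructed for this example; the domains, IPs, selector names and counts are placeholders, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample rua report in the RFC 7489 aggregate format; not a real receiver's data.
SAMPLE_RUA = """<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>1579564800.42</report_id>
    <date_range><begin>1579564800</begin><end>1579651199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>50</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>vendor1</selector><result>pass</result></dkim>
      <spf><domain>bounce.vendor.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>198-51-100-7.host.example.org</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_rua(xml_text):
    """Published policy plus one dict per <record> from an aggregate report."""
    root = ET.fromstring(xml_text)
    policy = {c.tag: c.text for c in root.find("policy_published")}
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": ev.findtext("disposition"),
            # policy_evaluated holds the *aligned* results the receiver computed,
            # which is what DMARC acts on; auth_results holds the raw checks.
            "dkim": ev.findtext("dkim"),
            "spf": ev.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_selector": rec.findtext("auth_results/dkim/selector"),
        })
    return {"org": root.findtext("report_metadata/org_name"), "policy": policy, "records": records}


def dmarc_pass(rec):
    """DMARC passes when either aligned identifier passes."""
    return rec["dkim"] == "pass" or rec["spf"] == "pass"


def summarize(report):
    """Per-source-IP rollup and what p=reject would have done to each source's mail."""
    by_ip = defaultdict(lambda: {"count": 0, "pass": 0, "fail": 0, "spf_domains": set(), "selectors": set()})
    for rec in report["records"]:
        b = by_ip[rec["source_ip"]]
        b["count"] += rec["count"]
        b["pass" if dmarc_pass(rec) else "fail"] += rec["count"]
        if rec["spf_domain"]:
            b["spf_domains"].add(rec["spf_domain"])
        if rec["dkim_selector"]:
            b["selectors"].add(rec["dkim_selector"])
    for b in by_ip.values():
        b["dmarc"] = "pass" if b["fail"] == 0 else ("fail" if b["pass"] == 0 else "mixed")
        b["under_reject"] = "reject" if b["pass"] == 0 and b["fail"] else ("partial" if b["fail"] else "deliver")
    return {"domain": report["policy"]["domain"], "published_p": report["policy"]["p"],
            "total": sum(b["count"] for b in by_ip.values()),
            "failing": sum(b["fail"] for b in by_ip.values()),
            "by_ip": dict(by_ip)}


if __name__ == "__main__":
    for ip, b in summarize(parse_rua(SAMPLE_RUA))["by_ip"].items():
        print(ip, b["count"], b["dmarc"], b["under_reject"], sorted(b["spf_domains"]), sorted(b["selectors"]))
```

The second record is the case Domain Protection exists to surface: a vendor sending on your behalf whose SPF passes only for its own bounce domain (unaligned) but who signs with your DKIM selector, so DMARC still passes. The third record is the unauthorized source that p=reject would stop; the spf_domains and selectors sets are what you use to recognise the sender before you move the policy off p=none.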

Cisco Domain Protection (slide 62: dashboard screenshot with the $ Summary, Email Traffic and Senders views)

Verifying incoming emails and signing our outbound emails is a start to reducing fake emails...

What is Cisco doing to improve efficacy when it comes to phishing?

Phishing efficacy

“32% of breaches covered in the 2019 Verizon Data Breach Investigations Report involved phishing.” - Gartner 2019 Market Guide for Email Security
• Download: http://cs.co/email_Gartner2019

Phishing efficacy: customers demand more!

• Cisco Email Security Engineering and Cisco Talos are working towards AsyncOS 13.5 for Email Security (*). (*) AsyncOS 13.5 tentative for Feb 2020

• AsyncOS 13.5 will introduce Cloud URL Analysis (CUA) and Cloud Phishing Analysis (CPA), both aimed at improving efficacy and conviction rates.

• This presentation will look at the Research and Efficacy Team (RET) & Threat Grid improvements made to detection and conviction rates.

• This strongly benefits Cisco Email Security customers that utilize AMP and Threat Grid within their mail policies.

Phishing efficacy: improving detection and conviction

• Cisco Email Security relies on constant and incremental improvements from...
  • Research and Efficacy Team (RET), Threat Grid (TG) PoCs
  • Natural Language Understanding (NLU)
  • Machine Learning (ML) classifiers
  • Static analysis for email [CASE]
  • [CUA, CPA]

Threat efficacy: improving threat detection efficacy in AsyncOS 13.5 for Email Security

Cloud URL Analysis (CUA)

• A new engine deployed in the Cisco cloud that takes in telemetry, collects artifacts, and makes behavioral determinations based on the URL and the content it points to.

Cloud Phishing Analysis (CPA)

• A new engine deployed in the Cisco cloud that takes in the consolidated telemetry and features from the platform engines, together with the CUA responses, in order to convict phishing attacks.

(*) AsyncOS 13.5 tentative for Feb 2020

Cloud URL Analysis (CUA)

[Diagram: boxes for Threat Grid, Cloud URL Analysis and Umbrella; the outcomes for a URL (http://www.xyz.com in the slide) are labelled Delay, Rewrite, Full Analysis and Quarantine, with the notes "URL verdict, rewrite link" and "Full re-scan on release".]

Provides enhanced coverage on:
• Credential Phishing (Financial, Brand, Documents, Surveys)
• File-Based Malware (Emotet)
• Browser Exploits
• Shortened URL services

A closer look into phishing detection with Research and Efficacy Team (RET) & Threat Grid (TG)

• Starting June 2019, RET focused on five major filetypes in TG:

• URL • HTML • Office documents • PDF • Email

• Each of these provides a different surface via email to entice the user to do some action.

• RET’s end goal: To study phishing attempts to understand what techniques they employ and how they can be detected.

Results from Research and Efficacy Team (RET)

• Since June 2019, by taking these file types and samples seen in Threat Grid, RET was able to:

• Produce sixty (60) YARA rules

• Produce seventeen (17) Behavioral Indicators (BI)

• Produce or improve five (5) utilities to assist with phishing detection efforts

Results: a closer look at the results

• These BI and YARA rules had a direct and immediate impact on Threat Grid data, reporting and convictions.

[Slide shows six counters: 50,033; 110,351; 489,238; 49,861; 294,796; 75,704. Their captions: ESA-submitted samples with one of the phishing-inspired Behavioral Indicators; ESA-submitted samples hit by one of the convicting phishing-inspired Behavioral Indicators; ESA-submitted samples containing one of the phishing Behavioral Indicators, ending in the convicting score range; and the same three measures over all Threat Grid samples.]

Threat Grid YARA rules produced (the new HTML rules)

html_iframe_remote, html_formal_script_suffix, html_possible_phishing, html_js_eval_fromchar, html_href_data_base64, html_suspicious_pdf_view, html_onmouse_action, html_document_write_obfuscated_data, html_script_write, html_document_open_and_write, html_double_close, html_bitwise_operators, html_window_base64_function, html_object_clsid, html_href_data_base64_script, html_eval_csv_obfuscation, html_tag_after_close, html_ready_function, html_object_wsh, html_references_cipher, html_iframe_static_ip, html_references_base64, html_iframe_write, html_formal_script_prefix, html_multi_jquery, html_script_prefix, html_references_navigator, html_js_eval_catch, html_substr_obfuscation, html_no_html_close, html_on_load_action, html_form_post_action, html_script_suffix, html_false_html_close, html_self_location_redirection, html_base64_image, html_href_data, html_head_script_jquery, html_encoded_uri_component, html_base64_image_multi, html_href_data_script, html_encrypted_phishing, html_iframe_no_space, html_email_input, html_document_location_href, html_js_eval_func, html_href_data_base64_zip

What is YARA? What are YARA rules?

• YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. • YARA is a name only, not an acronym! (Thank goodness, not another acronym!) • With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.

• Each description, a.k.a. rule, consists of a set of strings and a Boolean expression which determine its logic.

More on YARA:
• https://yara.readthedocs.io/en/latest/
• https://cybersecurity.att.com/blogs/security-essentials/explain-yara-rules-to-me
• https://securityintelligence.com/signature-based-detection-with-yara/

YARA rule example: real-time example from RET, in use on TG today!

rule html_iframe_remote : anomaly
{
    meta:
        description = "HTML has 'iframe' containing only remote material."
        author = "afasen"
        created_at = "2019-09-20"

    strings:
        $a1 = /<iframe[^>]*src="https?:\/\/[^"]+"[^>]*><\/iframe>/ nocase

    condition:
        any of them
}
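As an added example (not RET's code and not part of the deck), here is the html_iframe_remote pattern from the rule above expressed as a Python regex and run over a few constructed HTML snippets, next to two further checks named after entries in the rule list (html_iframe_static_ip and html_js_eval_fromchar). The bodies of those two are this example's own reading of what the names imply, not the RET rule text, and the helper names are this example's own.

```python
import re

# Rule 1 is the YARA string from the slide, as a Python regex.
# Rules 2 and 3 are this example's own guesses at the intent behind two of the
# RET rule names listed above; the real RET rule bodies are not on the slide.
RULES = {
    "html_iframe_remote": re.compile(
        r'<iframe[^>]*src="https?://[^"]+"[^>]*></iframe>', re.IGNORECASE),
    "html_iframe_static_ip": re.compile(
        r'<iframe[^>]*src="https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?[/"]', re.IGNORECASE),
    "html_js_eval_fromchar": re.compile(
        r'\beval\s*\(\s*String\.fromCharCode\s*\(', re.IGNORECASE),
}

# Constructed samples; none of these is a real phishing page.
SAMPLES = {
    "benign_local_iframe": '<html><body><iframe src="/help/frame.html"></iframe></body></html>',
    "remote_iframe": '<html><body><p>Sign in</p>'
                     '<iframe src="https://cdn.example.net/login" width="0" height="0"></iframe></body></html>',
    "ip_iframe": '<iframe src="http://203.0.113.9/p.php"></iframe>',
    "obfuscated_js": '<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116))</script>',
    # Has remote content *and* inline fallback markup, so the slide's rule does not fire.
    "iframe_with_body": '<iframe src="https://cdn.example.net/x"><p>fallback</p></iframe>',
}


def scan_html(html):
    """Names of the rules that fire on html; each rule is 'any of them' over its one string."""
    return sorted(name for name, rx in RULES.items() if rx.search(html))


def remote_iframe_targets(html):
    """URLs pulled in by remote-only iframes: the artifact an analyst (or CUA) would follow next."""
    return re.findall(r'<iframe[^>]*src="(https?://[^"]+)"[^>]*></iframe>', html, re.IGNORECASE)


def scan_all(samples=SAMPLES):
    """Rule hits per sample, the way a batch of Threat Grid HTML artifacts would be triaged."""
    return {name: scan_html(html) for name, html in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:22s} {hits}")
```

The `></iframe>` at the end of the slide's pattern is doing the work the description promises ("containing only remote material"): an iframe that carries any inline fallback markup does not match, which is why the last sample stays clean while the hidden zero-size remote frame and the raw-IP frame both fire.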

How does Email Security benefit from YARA?

• Currently Cisco Email Security relies on tools and engines that operate outside of the ESA to utilize YARA rules.

• Research and analytics behind Threat Grid samples lead to creating YARA rules, which then influence the Behavioral Indicators (BI) within Threat Grid.

[Diagram: URL, HTML, DOC, PDF and EML samples go into Threat Grid, where the YARA rules are applied and feed Threat Grid's indicators.]

What are Behavioral Indicators?

• Behavioral Indicators are the key traits and behaviors that have been identified as indicators of malicious activity.

• Behavioral Indicators include threat severity levels, HTTP Traffic, DNS Traffic, TCP/IP network sessions, Processes, Artifacts, Registry activities, and more.

• How can you see these Behavioral Indicators?
  1. Log in to https://panacea.threatgrid.com/
  2. Click on Indicators; search Category: Malware > Phishing

• Or, Threat Grid Release Notes: https://panacea.threatgrid.com/mask/doc/mask/release_notes

Behavioral Indicator example (slide 78: Threat Grid screenshot)

New or updated Threat Grid Behavioral Indicators

Timeline on the slide: Jun 6, 2019; Aug 15, 2019; Aug 29, 2019; Sep 12, 2019; Oct 24, 2019; Nov 7, 2019; plus an "Additional" column.

Indicators named on the slide:
• An Encrypted Phishing HTML Page Was Found
• HTML Object Class ID Referenced
• HTML Using Hidden Iframe Detected
• HTML Suspicious Unescaping Detected
• Known Phishing Service Document Submitted
• HTML Email Based Login Page Detected
• Phishing Test Detected
• HTML File Starts And Ends With Script Tags
• Javascript in HTML References Multiple JQuery Scripts
• HTML Iframe Static IP Referenced
• Suspected Phishing Login Page Detected
• HTML Minimal Code With Redirect Detected (*)
• FakeJquery Javascript Function Within HTML
• HTML Contains Only Redirection Code
• Javascript in HTML Uses Document.Location.Href Property
• Javascript in HTML Uses Self.Location Property
• Additional: artifact-html-onedrive-phish

(*) Updated BI, originally published May 23

Stopping fake, unauthenticated emails is great... But we all know that threats happen.

How can we focus on educating the end-user? For your review!

Email: Click with Caution How to protect against phishing, fraud, and other scams

• Download: http://cs.co/email_ClickWithCaution

“52% of breaches featured hacking, 28% involved malware and 32–33% included phishing or social engineering, respectively.” - Verizon 2019 Data Breach Investigations Report

“Over 3.4 billion email scams or phishing emails are sent every day. This adds up to one trillion email scams per year” - Security Magazine (June 11, 2019)

Phishing tips: protect you and your business

• Security begins with YOU!

• It only takes one wrong click for cyber-criminals to access your company’s data.

Phishing tips: Protect you and your business

• Avoid strangers, check name and email address.
• Don’t rush, be suspicious of emails marked “urgent”.
• Notice mistakes in spelling and grammar.
• Beware of generic greetings, “dear sir/ma’am”.
• Don’t be lured by incredible “deals”.
• Hover over the link before you click to ensure it has a secure URL (https://).
• Never give out personal or financial information based on an email request.
• Don’t trust links or attachments in unsolicited emails.

Cisco Security Awareness
Introducing Cisco Security Awareness

• Providing flexibility and support to effectively deploy phishing simulations, awareness training, or both — and measure and report results.

• Empowering security operations teams with the ability to focus on real time threats and not end user mitigation.

• Security training providing the education that helps employees to work smarter and safer.

Cisco Security Awareness: Available in the GLP starting mid-February

• High-quality content is central to any security awareness program and a prerequisite to provide a training experience that is fun, compelling and relevant.

• Our content is developed by a team of experts using a proven pedagogical approach and methodology for adult learning that ensures the highest degree of engagement.

• Your users will learn about cyber security in a way that expands user knowledge and increases their affinity for your organization to help protect it.

Cisco Security Awareness: Available in the GLP starting mid-February

Feature areas: Content, Simulation, Multilingual, Communication/Reinforcement, Consultation.

• 150+ learning modules
• Micro and nano learning
• Videos, posters, newsletters
• Just in time feedback
• Role based
• High degree of interaction
• Gamification
• Simulation of real threats
• Deploy, measure, and report
• Integrated with training content
• Customization of content available
• 40+ languages
• Narration + text
• Further customization
• Course builder available
• Internal campaign promotion
• CISO coaching
• Customer success program

Review of our session...

• We discussed Cisco Email Security: Email Pipeline, Acronyms, A typical message
• Took a deeper look at utilizing SPF, DKIM, DMARC on Cisco Email Security: Next-level utilization of SPF, DKIM, DMARC; Cisco Advanced Phishing; Cisco Domain Protection
• Talked about “how” Cisco is constantly working to address Phishing Efficacy
• Introduced a new product: Cisco Security Awareness

Thank you for attending!!!

Complete your online session survey

• Please complete your session survey after each session. Your feedback is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.

• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Continue your education

• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you

SPF: Authenticating The Envelope
What is SPF?

(Email pipeline diagram: Connection Filtering. INCOMING: anti-spoof, throttling & authentication. OUTBOUND: encryption & authentication enforcement.)

• Sender Policy Framework (SPF), specified in RFC4408.

• Allows recipients to verify sender IP addresses by looking up DNS records listing the authorized Mail Gateways for a domain.
• SPF uses DNS TXT resource records.
• Can verify the HELO/EHLO and MAIL FROM identities (FQDN).
• Evaluating an SPF record yields one of the following results:

Pass, Fail, SoftFail, Neutral, PermError, TempError

> dig igo232.com TXT +short
"v=spf1 ip4:139.138.32.156 ip4:139.138.56.31 ip4:136.56.60.2 -all"

Sender Policy Framework (SPF)

• Allows recipients to verify sender IP addresses by looking up DNS (TXT) records listing authorized Mail Gateways for a domain. (RFC7208)

• What does an SPF record look like?

$ dig TXT pipershark.com +short
"v=spf1 ip4:139.138.32.156 ip4:139.138.56.31 include:mailgun.org -all"

The slide labels the parts of the record as Version (v=spf1) and Verification Mechanisms (the remaining terms).

• The record is evaluated in order from left to right, checking each mechanism until one matches (its qualifier gives the result) or all checks have failed.
• The “all” mechanism traditionally comes last, matching anything the preceding mechanisms did not.

SPF Operation

(Flow diagram. Sender side: work out which machines send mail; publish them in a DNS TXT RR; outgoing msg: just forward it. Receiver side: get incoming connection; fetch the DNS TXT RR; parse the SPF record; check the remote IP against the HELO/EHLO and MAIL FROM identities; Deliver/Drop/Quarantine…)

SPF Record Semantics

Mechanisms: all, a, mx, ptr, ip4, ip6, include, exists, extensions
Qualifiers: + (pass), - (fail), ~ (softfail), ? (neutral)
Modifiers: redirect, exp (explanation)

http://www.openspf.org/Mechanisms

SPF Record Example(s)

dhs.gov IN TXT "v=spf1 ip4:216.81.91.184 ip4:216.81.85.157 include:spf.protection.outlook.com -all"

dmarc.org IN TXT "v=spf1 a mx -all"

google.com IN TXT "v=spf1 include:_spf.google.com ~all"

_spf.google.com IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

_netblocks.google.com IN TXT "v=spf1 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

* A TXT/SPF record may be longer than 255 characters in total, but no single character string within it may exceed 255 characters; longer records are split into several quoted strings (https://kb.isc.org/docs/aa-00356).

SPF Record Nesting... continued

cisco.com IN TXT "v=spf1 ip4:173.37.147.224/27 ip4:173.37.142.64/26 ip4:173.38.212.128/27 ip4:173.38.203.0/24 ip4:64.100.0.0/14 ip4:72.163.7.160/27 ip4:72.163.197.0/24 ip4:144.254.0.0/16 ip4:66.187.208.0/20 ip4:173.37.86.0/24" " ip4:64.104.206.0/24 ip4:64.104.15.96/27 ip4:64.102.19.192/26 ip4:144.254.15.96/27 ip4:173.36.137.128/26 ip4:173.36.130.0/24 mx:res.cisco.com mx:sco.cisco.com include:spf.protection.outlook.com ~all"

spf.protection.outlook.com IN TXT "v=spf1 ip4:207.46.100.0/24 ip4:207.46.163.0/24 ip4:65.55.169.0/24 ip4:157.56.110.0/23 ip4:157.55.234.0/24 ip4:213.199.154.0/24 ip4:213.199.180.128/26 include:spfa.protection.outlook.com -all"

spfa.protection.outlook.com IN TXT "v=spf1 ip4:157.56.112.0/24 ip4:207.46.51.64/26 ip4:64.4.22.64/26 ip4:40.92.0.0/14 ip4:40.107.0.0/17 ip4:40.107.128.0/17 ip4:134.170.140.0/24 include:spfb.protection.outlook.com ip6:2001:489a:2202::/48 -all"

spfb.protection.outlook.com IN TXT "v=spf1 ip6:2a01:111:f400::/48 ip4:23.103.128.0/19 ip4:23.103.198.0/23 ip4:65.55.88.0/24 ip4:104.47.0.0/17 ip4:23.103.200.0/21 ip4:23.103.208.0/21 ip4:23.103.191.0/24 ip4:216.32.180.0/23 ip4:94.245.120.64/26 -all"

Maximum of 10 DNS-querying terms per SPF evaluation (anything other than ip4, ip6 and all), counted across the whole include/redirect chain; exceeding the limit yields PermError!
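An added example (not from the deck or any Cisco code) that evaluates a client IP against an SPF record and counts the DNS-querying terms across the whole include/redirect chain, so the 10-lookup limit and the resulting PermError can be seen in action. It runs against a constructed in-memory zone (the TXT, MX and A tables are assumptions, not live records); ptr and exists are counted but never match here.

```python
import ipaddress

# Constructed in-memory DNS zone so the example runs offline. These records are
# illustrative (assumption) and are not the live records of any domain.
TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.test mx -all",
    "_spf.example.test": "v=spf1 ip4:198.51.100.10 include:_spf2.example.test ~all",
    "_spf2.example.test": "v=spf1 ip6:2001:db8::/32 -all",
    "loop.test": "v=spf1 include:loop.test -all",
    "redir.test": "v=spf1 redirect=example.test",
}
MX = {"example.test": ["mail.example.test"]}
A = {"example.test": "192.0.2.1", "mail.example.test": "203.0.113.7"}

KNOWN = {"all", "ip4", "ip6", "include", "a", "mx", "ptr", "exists"}
# Terms that cost a DNS query under RFC 7208; ip4, ip6 and all do not.
DNS_COSTING = {"a", "mx", "ptr", "exists", "include", "redirect"}
MAX_DNS_LOOKUPS = 10
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def check_host(ip, domain, state=None):
    """Evaluate `ip` against `domain`'s SPF record; returns (result, lookups).

    `state` carries the lookup counter into nested include/redirect
    evaluations: the 10-lookup limit applies to the whole evaluation,
    not to each record on its own."""
    state = {"lookups": 0} if state is None else state
    record = TXT.get(domain.lower())
    if record is None:
        return "None", state["lookups"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "PermError", state["lookups"]
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        if "=" in term.split(":")[0]:            # modifier: name=value
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue                             # exp= and unknown modifiers ignored
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech not in KNOWN:
            return "PermError", state["lookups"]
        if mech in DNS_COSTING:
            state["lookups"] += 1
            if state["lookups"] > MAX_DNS_LOOKUPS:
                return "PermError", state["lookups"]
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            inner, _ = check_host(ip, arg, state)
            if inner in ("None", "PermError", "TempError"):
                return "PermError", state["lookups"]
            matched = inner == "Pass"            # other inner results just don't match
        elif mech == "a":
            matched = A.get((arg or domain).lower()) == ip
        elif mech == "mx":
            matched = any(A.get(h) == ip for h in MX.get((arg or domain).lower(), []))
        # ptr and exists are counted above but cannot be resolved in this
        # constructed zone, so they never match here.
        if matched:
            return QUALIFIERS[qualifier], state["lookups"]
    if redirect:                                 # only consulted when nothing matched
        state["lookups"] += 1
        if state["lookups"] > MAX_DNS_LOOKUPS:
            return "PermError", state["lookups"]
        result, _ = check_host(ip, redirect, state)
        return ("PermError" if result == "None" else result), state["lookups"]
    return "Neutral", state["lookups"]           # fell off the end of the record
```

The second value returned is the running lookup count, which is the number a record owner has to keep under 10 when nesting includes.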

SPF Record Look Up

From Cisco Domain Protection UI (Tools > SPF)

SPF Best Practices

• Plan for “-all”

• Add HELO identity to SPF

• Include ALL senders

• SPF for subdomains

• SMTPAUTH for roaming users

• Be careful when using “mx”

DKIM: Authenticating The Body
What is DKIM?


• Domain Keys Identified Mail (DKIM), specified in RFC5585.

• Specifies methods for gateway-based cryptographic signing of outbound messages, embedding verification data in an e-mail header, and ways for recipients to verify the integrity of the messages.
• Additional RFCs: RFC6376 (DKIM Signatures), RFC5863 (DKIM Development, Deployment and Operation), RFC5617 (Author Domain Signing Practices (ADSP)).
• DKIM uses DNS TXT records to publish public keys.

> dig google._domainkey.igo232.com TXT +short
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqDsxWVJKWk/MO0fEIhaTqJFECwVysZnASTnl" "5me66ixhpsTfpvt4bw7sbTeM5a8OHadKkReCx1D2tBoXKPWhDICq5glRBcCh1f5pkpcUtc4ZV49GUI0T" "pUcMoOZl8QJhiRIoEN5VH+bJBHC4B3UuUaGA778j0r1zgyVluHOgBTipl5YKwvOl7SaLwrvhI054O62p" "hu5OoZfBhXVmwh1l3hcTaeQbfrZOwpVX3+5RuFPwD+qdANCJVjzm5Xz5vVI1mDtqrg+df5EXra5YrWjE" "E4qd2CMz7KTd+CMfvS4WdYmLgEjKNExvg0NXC4DCYr0QVykmtvM/c31TjYD2MmKGZQIDAQAB"

Domain Keys Identified Mail (DKIM)

• Specifies methods for gateway-based cryptographic signing of outgoing messages, embedding verification data in an e-mail header, and ways for recipients to verify the integrity of the messages
• Uses DNS TXT records to publish public keys
• DKIM Signatures (RFC5585 + RFC6376)
• DKIM Development, Deployment and Operation (RFC5863)
• Author Domain Signing Practices (ADSP) (RFC5617)

http://domainkeys.sourceforge.net/keygen.html

DKIM Operation

(Flow diagram. Signer side: generate keypair; publish the public key in a DNS TXT RR; outgoing msg: canonicalize + sign; insert DKIM-Signature. Verifier side: receive msg; parse DKIM-Signature; fetch the DNS TXT RR; verify b and bh; Deliver/Drop/Quarantine…)

DKIM Signature

Example DKIM-Signature Header

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
  h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive:
    List-Post:List-Help:List-Subscribe;
  bh=+ImqGr4kx/dtZpQKjmcWyVJtHFzo8kD6dIgqvZvk2gY=;
  b=DmDxUUN1XBQTWb99003VdnQn5ntUmK6kvuF6Iu/ZFmIHjoo/r5B85Cu8u4x
    HlZF2gh664WyOb2ffYJ9bcfwb3JvT6d3bndL8/bvYtOXUR7g1MqMc32Zn/d60
    pXWbQOa16+ZW6KwwWF+mDlhpztNwFsG6oRprrLUUzBSupVx7s74=

DKIM Signature

Example DKIM-Signature Header, annotated tag by tag (same header as above):

• a=rsa-sha256: algorithms used
• c=relaxed/simple: canonicalization scheme (header/body)
• d=ietf.org: Signing Domain ID
• s=ietf1: selector
• h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: signed headers
• bh=...: body hash
• b=...: signature over the header hash

DKIM Signature - Anatomy

Mandatory tags: v, a, d, s, h, b, bh

Optional tags: c, i, l, z

Recommended tags: t, x

More details in Appendix B - DKIM

DKIM Signature - Algorithms

RSA-SHA1 or RSA-SHA256 (RFC6376):

• rsa-sha1: Verifiers MUST implement it.
• rsa-sha256: Signers MUST implement it and SHOULD sign with it; Verifiers MUST implement it.

Key length:

• 512 bits to 2048 bits: Signers MUST support these sizes; Verifiers MUST be able to validate them.
• Above 2048 bits (the maximum practical key length, for long-lived keys): Verifiers MAY support.

DKIM Signature Header Canonicalisation

SIMPLE CANONICALISATION
• Almost no modification tolerated

RELAXED CANONICALISATION
• Header names -> lowercase
• Line wrapping (folding) removed
• Casual about whitespace
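An added example, not from the deck or any Cisco code, that covers the Anatomy and Canonicalisation slides together: it parses the slide's DKIM-Signature value into tags, checks the mandatory set, applies simple and relaxed canonicalisation to header fields and body, computes the bh= value and assembles the signed-header block in h= order. RAW_MESSAGE and its addresses are constructed; signing and verifying b= (which needs the key) is out of scope.

```python
import base64
import hashlib
import re

# Constructed sample message (assumption: not a message from the deck). Note the
# extra whitespace in Subject and the trailing blank lines in the body.
RAW_MESSAGE = (
    "From: Alice <alice@example.test>\r\n"
    "Subject:  Quarterly   report\r\n"
    "To: bob@example.test\r\n"
    "\r\n"
    "Hello Bob,  \r\n"
    "the  report is attached.\r\n"
    "\r\n\r\n"
)
# The DKIM-Signature value shown on the slide, used as the parser's input.
SLIDE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; "
    "h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive: "
    "List-Post:List-Help:List-Subscribe; "
    "bh=+ImqGr4kx/dtZpQKjmcWyVJtHFzo8kD6dIgqvZvk2gY=; "
    "b=DmDxUUN1XBQTWb99003VdnQn5ntUmK6kvuF6Iu/ZFmIHjoo/r5B85Cu8u4x "
    "HlZF2gh664WyOb2ffYJ9bcfwb3JvT6d3bndL8/bvYtOXUR7g1MqMc32Zn/d60 "
    "pXWbQOa16+ZW6KwwWF+mDlhpztNwFsG6oRprrLUUzBSupVx7s74="
)
MANDATORY_TAGS = {"v", "a", "d", "s", "h", "b", "bh"}   # per the Anatomy slide

def parse_dkim_signature(value):
    """Split 'tag=value; ...' into a dict. Whitespace inside values is dropped,
    which is what folded h=, bh= and b= values need."""
    tags = {}
    for part in value.split(";"):
        if part.strip():
            tag, _, val = part.partition("=")
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags

def missing_mandatory(tags):
    return sorted(MANDATORY_TAGS - set(tags))

def split_message(raw):
    """Return (header fields as (name, value) with folding kept, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = []
    for line in head.split("\r\n"):
        if line[:1] in " \t" and fields:                 # folded continuation
            fields[-1] = (fields[-1][0], fields[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            fields.append((name, value))
    return fields, body

def canon_header(name, value, mode):
    """RFC 6376 3.4.1 simple (field untouched) or 3.4.2 relaxed."""
    if mode == "simple":
        return f"{name}:{value}\r\n"
    value = re.sub(r"\r\n[ \t]+", " ", value)            # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()        # collapse and trim WSP
    return f"{name.strip().lower()}:{value}\r\n"

def canon_body(body, mode):
    """RFC 6376 3.4.3/3.4.4: drop trailing empty lines; relaxed also strips
    trailing WSP and collapses interior WSP on every line."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"

def body_hash(body, mode):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canon_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()

def signed_header_block(fields, h_tag, mode):
    """Canonicalized headers in h= order. Each name takes the last not-yet-used
    occurrence from the bottom of the block; names absent from the message are
    skipped (listing them in h= only guards against later additions)."""
    remaining, out = list(fields), []
    for wanted in h_tag.split(":"):
        for idx in range(len(remaining) - 1, -1, -1):
            if remaining[idx][0].strip().lower() == wanted.strip().lower():
                out.append(canon_header(*remaining.pop(idx), mode))
                break
    return "".join(out)
```

Relaxed canonicalisation is what keeps a signature valid when an intermediate MTA refolds headers or trims trailing whitespace; with simple mode the same edits change the hash input.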

DKIM Signature - Header Canonicalization (relaxed form: header names lowercased)

return-path:[email protected]
x-original-to:[email protected]
delivered-to:[email protected]
received:from esa2.hc252-80.c3s2.iphmx.com (esa2.hc252-80.c3s2.iphmx.com [68.232.151.78]) by rotkvica.dir.hr () with ESMTPS id 146791A82A35 for ; Tue, 8 May 2018 05:07:35 +0200 (CEST)
received-spf:None (esa2.hc252-80.c3s2.iphmx.com: no sender authenticity information available from domain of [email protected]) identity=pra; client-ip=167.89.16.244; receiver=esa2.hc252-80.c3s2.iphmx.com; envelope-from="[email protected]"; x-sender="[email protected]"; x-conformance=sidf_compatible.downgrade_pra
received-spf:Pass (esa2.hc252-80.c3s2.iphmx.com: domain of bounces+1352774-acc6-[email protected] designates 167.89.16.244 as permitted sender) identity=mailfrom; client-ip=167.89.16.244; receiver=esa2.hc252-80.c3s2.iphmx.com; envelope-from="bounces+1352774-acc6-[email protected]"; x-sender="[email protected]"; x-conformance=sidf_compatible.downgrade_pra; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20 ip4:198.21.0.0/21 ip4:192.254.112.0/20 ip4:168.245.0.0/17 ~all"
received-spf:None (esa2.hc252-80.c3s2.iphmx.com: no sender authenticity information available from domain of [email protected]) identity=helo; client-ip=167.89.16.244; receiver=esa2.hc252-80.c3s2.iphmx.com; envelope-from="[email protected]"; x-sender="[email protected]"; x-conformance=sidf_compatible.downgrade_pra
authentication-results:esa2.hc252-80.c3s2.iphmx.com; spf=None [email protected]; spf=Pass smtp.mailfrom=bounces+1352774-acc6-hdogan=dir.hr@delivery.plusgrade.com; spf=None [email protected]; dkim=pass (signature verified) [email protected]

DKIM Signature - Header Canonicalization (original headers, as simple canonicalization leaves them)

Return-Path: [email protected]
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from esa2.hc252-80.c3s2.iphmx.com (esa2.hc252-80.c3s2.iphmx.com [68.232.151.78]) by rotkvica.dir.hr (Postfix) with ESMTPS id 146791A82A35 for ; Tue, 8 May 2018 05:07:35 +0200 (CEST)
Received-SPF: None (esa2.hc252-80.c3s2.iphmx.com: no sender authenticity information available from domain of [email protected]) identity=pra; client-ip=167.89.16.244; receiver=esa2.hc252-80.c3s2.iphmx.com; envelope-from="[email protected]"; x-sender="[email protected]"; x-conformance=sidf_compatible.downgrade_pra
Received-SPF: Pass (esa2.hc252-80.c3s2.iphmx.com: domain of [email protected] designates 167.89.16.244 as permitted sender) identity=mailfrom; client-ip=167.89.16.244; receiver=esa2.hc252-80.c3s2.iphmx.com; envelope-from="[email protected]"; x-sender="[email protected]"; x-conformance=sidf_compatible.downgrade_pra; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:167.89.0.0/17 ip4:208.117.48.0/20 ip4:50.31.32.0/19 ip4:198.37.144.0/20 ip4:198.21.0.0/21 ip4:192.254.112.0/20 ip4:168.245.0.0/17 ~all"
Received-SPF: None (esa2.hc252-80.c3s2.iphmx.com: no sender authenticity information available from domain of [email protected]) identity=helo; client-ip=167.89.16.244; receiver=esa2.hc252-80.c3s2.iphmx.com; envelope-from="[email protected]"; x-sender="[email protected]"; x-conformance=sidf_compatible.downgrade_pra
Authentication-Results: esa2.hc252-80.c3s2.iphmx.com; spf=None [email protected]; spf=Pass smtp.mailfrom=bounces+1352774-acc6-hdogan=dir.hr@delivery.plusgrade.com; spf=None [email protected]; dkim=pass (signature verified) [email protected]

DKIM Public Key Retrieval

• DNS query: <selector>._domainkey.<domain>

• Example(s):

$ dig TXT ietf1._domainkey.ietf.org +short
"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNzNnjKTd5cczd2CDzHflCZuv1tMWYwd7zE+deoJ6s/fXR7/n9ZIBnDS5egt7HAHjNjZrmjcoRlfSsNxRJvUQFyYvaU1BT1s8R+mkPgSOqZ4t9HqAVjiczn2B9+dbjdNN+S/zvSyMMuSCSJDKKAXhBpDeQTpeY7/UdP9s6ws0yjQIDAQAB"

$ dig TXT iport._domainkey.cisco.com +short
"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCctxGhJnvNpdcQLJM6a/0otvdpzFIJuo73OYFuw6/8bXcf8/p5JG/iME1r9fUlrNZs3kMn9ZdPYvTyRbyZ0UyMrsM3ZN2JAIop3M7sitqHgp8pbORFgQyZxq+L23I2cELq+qwtbanjWJzEPpVvrvbuz9QL8CUtS+V5N5ldq8L/lwIDAQAB;"

DKIM Record Look Up

From Cisco Domain Protection UI (Tools > DKIM)

DKIM Public Key - DKIM DNS Record Anatomy

Mandatory tags: p

Optional tags: h=sha1, k=rsa, s=email, t=y, t=s, g, n

Recommended tags: v=DKIM1

More details in Appendix B - DKIM

Choosing Your DKIM Parameters: Best Practices

• Make the best use of selectors
• Periodic key rotation
• Delegation of signing authority

• Sacrificing security for performance:
  • Reduce signing key size
  • Sign partial message
  • Use simple body canonicalisation
  • Use simple header canonicalisation
  • Change signing algorithm to sha-1

DMARC: Authenticating The Visible
What is DMARC?

• Domain-based Message Authentication, Reporting, and Conformance (DMARC), specified in RFC7489.

• Leveraging great existing technologies, providing the glue to keep them in sync, and allowing senders to mandate rejection policies and have visibility of offending traffic.
• Provides BOTH SPF authentication and DKIM verification.
• Synchronization between all senders' identities (Envelope From, Header From).
• Reports back to the spoofed entity!

> dig _dmarc.igo232.com TXT +short
"v=DMARC1; p=none; fo=1; ri=3600; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected],mailto:[email protected]"

Domain-based Message Authentication, Reporting And Conformance (DMARC)

• Both DKIM and SPF have shortcomings, not because of bad design, but because of the different nature of each technology... enter DMARC (RFC7489)!

• Leveraging great existing technologies, providing the glue to keep them in sync, and allowing senders to mandate rejection policies and have visibility of offending traffic
• Provides:
  • SPF authentication
  • DKIM verification
  • Synchronization between all sender identities (Envelope From, Header From, HELO/EHLO, DKIM Signing Domain ID [“d”])
  • Reporting back to the spoofed entity

DMARC Operation

(Flow diagram. Sender side: publish SPF DNS RR (TXT); publish DKIM DNS RR (TXT); publish DMARC DNS RR (TXT); outgoing msg: insert DKIM-Signature. Receiver side: check SPF; check DKIM; fetch DMARC policy; align identifiers; apply DMARC policy; send DMARC report(s).)

DMARC Identifier Alignment: When Does A Message Pass?

Technology: Authenticates…
• SPF: MAIL FROM, HELO
• DKIM: SDID (“d=”)
• DMARC: From Header

• Identifier Alignment is the concept of alignment between the From Header and the identifiers checked by DKIM and SPF
• A message passes the DMARC check if one or more of the authentication mechanisms (DKIM and/or SPF) pass with proper alignment

SPF And DKIM Do Different Things: What can go wrong?

• SPF authenticates the Envelope Sender of the message
  • A bad actor can register a bad domain (or a cousin domain), create SPF records that make messages pass SPF, and then use a different identity in the From header
• DKIM authenticates the message itself
  • DKIM identifies the key to fetch based only on the DKIM signing domain ID
  • If the message has no DKIM-Signature header, there is no way for the receiver to know that the sender signs their email
  • A bad actor can register a bad domain, publish a DKIM public key, modify the message in transit, remove the existing DKIM-Signature, and sign it with the key from the bad domain; the modified message will pass DKIM verification

DMARC Policy

_dmarc.amazon.com IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]"

Tag annotations: v= Version; p= Failure policy; pct= Sampling rate; rua= Aggregate Reports URI; ruf= Failure Reports URI

DMARC Record Look Up (& Modify/Host!)

From Cisco Domain Protection UI (Tools > DMARC)

DMARC Policy: Policy Specification and “Slow Start”

• Policies requested by senders:
  • None
  • Quarantine
  • Reject

• Receivers MAY deviate from requested policies, but SHOULD inform the sender why (through the Aggregate Report)
• Sampling rate (“pct” tag) instructs the receiver to apply the policy to only a fraction of messages
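An added example, not from the deck or any Cisco code, tying the alignment table, the policy record and the pct tag together: it parses a constructed _dmarc record, tests SPF and DKIM alignment in strict or relaxed mode against the From domain, and derives the policy a receiver applies to a failing message. The DMARC_TXT records and the two-label organizational-domain rule are assumptions (a real receiver uses the Public Suffix List and draws the pct sample itself).

```python
# Constructed _dmarc TXT records keyed by the domain they are published for
# (assumption: illustrative, not the live records of any domain).
DMARC_TXT = {
    "example.test": ("v=DMARC1; p=quarantine; pct=50; adkim=r; aspf=s; fo=1; "
                     "rua=mailto:dmarc-agg@example.test; ruf=mailto:dmarc-fail@example.test"),
    "strict.test": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:agg@strict.test",
    "monitor.test": "v=DMARC1; p=none; sp=quarantine; rua=mailto:agg@monitor.test",
}
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}
# A failing message outside the pct sample gets the next weaker policy
# (RFC 7489 section 6.6.4); that is what makes "slow start" safe.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict, filling in the RFC defaults."""
    tags = dict(DEFAULTS)
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags["pct"] = int(tags["pct"])
    return tags


def org_domain(domain):
    """Organizational domain. Simplification (assumption): the last two labels;
    a real receiver consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def fetch_policy(from_domain):
    """Look up _dmarc on the From domain, then on its organizational domain,
    where sp= (if present) governs subdomains. Returns (tags, policy_tag)."""
    from_domain = from_domain.lower()
    if from_domain in DMARC_TXT:
        return parse_dmarc(DMARC_TXT[from_domain]), "p"
    org = org_domain(from_domain)
    if org != from_domain and org in DMARC_TXT:
        tags = parse_dmarc(DMARC_TXT[org])
        return tags, ("sp" if "sp" in tags else "p")
    return None, None


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_results, sample):
    """spf_domain: the MAIL FROM domain SPF was evaluated for; dkim_results: a
    list of (result, d=) per signature; sample: the receiver's 0-99 draw for
    pct (passed in so the outcome is reproducible; a real receiver draws it)."""
    tags, policy_tag = fetch_policy(from_domain)
    if tags is None:
        return {"result": "none", "requested": None, "applied": "none"}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags["adkim"])
                  for res, d in dkim_results)
    passed = spf_ok or dkim_ok          # one aligned pass is enough
    requested = tags[policy_tag]
    if passed:
        applied = "none"
    elif sample < tags["pct"]:
        applied = requested
    else:
        applied = WEAKER[requested]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "result": "pass" if passed else "fail",
            "requested": requested, "applied": applied}
```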

DMARC Policy: Reporting URIs

• “mailto:” and “http://” Uniform Resource Identifiers (URIs) are supported
• Two distinct report types:
  • Aggregate report (rua)
    • Sent on an interval
    • Summary of all incidents from a sender domain
  • Failure report (ruf)
    • Sent on (every) failure
    • Detailed report on individual failures

DMARC Policy: Failure Reporting

• Two supported Report Formats (“rf”):
  • afrf: Authentication Failure Reporting Format, defined in RFC6591 and extended by draft-kucherawy-dmarc-base (default)
  • iodef: Incident Object Description Exchange Format, defined in RFC5070
• Failure reporting options (“fo”), separated by colons in the Policy Record:
  • 0: generate a report if all underlying mechanisms fail to align and pass (default)
  • 1: generate a report if any underlying mechanism fails to align and pass
  • d: generate a DKIM failure report if DKIM verification fails, regardless of alignment
  • s: generate an SPF failure report for failed SPF verification, regardless of alignment

DMARC Best Practices

1. Correctly deploy SPF and DKIM

2. Make sure your identifiers will align

3. To start: publish a DMARC record with “p=none” (or “Monitoring”)

4. Analyze the data and modify your mail streams (or DKIM/SPF parameters)

5. End goal for DMARC: apply “reject” policy

Bringing It All Together: SPF, DKIM, DMARC on ESA
Checking SPF, DKIM, DMARC

• SPF/SIDF Verification, Domain Key/DKIM Signing, DKIM Verification, DMARC Verification ALL occur at the Mail Flow Policy, or in the Host Access Table (HAT)

• SPF
  • When SPF is enabled, the ESA will stamp headers in the message
  • Use the results inside message or content filters to determine the action
  • PRA identities are evaluated in message filters only

SPF vs SIDF http://www.openspf.org/SPF_vs_Sender_ID

Enable SPF Verification

SPF in Message Filters

• spf-status() in Message Filters allows checking the posture separately for each identity:
  • HELO SPF identity: spf-status(“helo”)
  • MAIL FROM identity: spf-status(“mailfrom”)
  • PRA identity: spf-status(“pra”)

• spf-passed() - faster than spf-status, but less granular

• Naturally, multiple “and” and “or” conditions make rule creation much more flexible

After enabling SPF

Sun Jan 27 07:01:00 2019 Info: New SMTP ICID 33127 interface Data 1 (216.71.134.24) address 68.183.144.44 reverse dns host mailbot2.teamnorthwind.com verified yes
Sun Jan 27 07:01:00 2019 Info: ICID 33127 ACCEPT SG BYPASSLIST match .teamnorthwind.com SBRS None country
Sun Jan 27 07:01:00 2019 Info: Start MID 144 ICID 33127
Sun Jan 27 07:01:00 2019 Info: MID 144 ICID 33127 From:
Sun Jan 27 07:01:01 2019 Info: MID 144 ICID 33127 RID 0 To:
Sun Jan 27 07:01:01 2019 Info: MID 144 SPF: helo identity [email protected] None
Sun Jan 27 07:01:01 2019 Info: MID 144 SPF: mailfrom identity [email protected] SoftFail (v=spf1)
Sun Jan 27 07:01:01 2019 Info: MID 144 SPF: pra identity [email protected] None headers from

SPF Record: TXT="gmail.com descriptive text "v=spf1 redirect=_spf.google.com"

• By enabling SPF, you gain additional intelligence on the sender • We still accepted the message, but can use the verdict later to decide to convict the message • Effectiveness is bound by participation – you need to invest time to ensure SPF records are up to date!

Checking SPF, DKIM, DMARC

• DKIM
  • Create a DKIM verification profile to act on DKIM results (by default the ESA sets it to “Monitor”)
  • Enable DKIM Verification in Mail Flow Policies
  • Act on failures via a content filter; use a Policy Quarantine action so that spoofs can be reviewed

How to enable DMARC (Monitor)

• DMARC is configured by creating a Profile and then applying the Profile to a Mail Flow Policy
• By default, the Profile is set to no action (“monitor”) for DMARC violations; however, it needs to be applied to a Mail Flow Policy before the ESA evaluates DMARC records at all
• Monitor and tune settings and Sender Groups, and move to reject (block) when ready

DMARC - Honor thy tag

v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]

ICID 33136 From:
ICID 33136 RID 0 To:
helo identity [email protected] None
mailfrom identity [email protected] SoftFail (v=spf1)
pra identity [email protected] None headers from
DMARC: Message from domain yahoo.com, DMARC fail, (SPF aligned False, DKIM aligned False) DMARC policy is reject, applied policy is reject
MID 148 DMARC: rejected by DMARC policy
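An added example, not from the deck or any Cisco code, that correlates ESA mail_logs lines in the formats shown on the two log slides into one record per MID and flags the messages that were accepted without an authentication pass, which is where a content filter would take over. SAMPLE_LOG is constructed with placeholder hosts and addresses; only the ICID, SPF and DMARC line formats seen on the slides are parsed.

```python
import re
from collections import defaultdict

# Constructed ESA mail_logs excerpt in the line formats shown on the slides
# (assumption: addresses, hosts and IPs are placeholders, not real traffic).
SAMPLE_LOG = """\
Sun Jan 27 07:01:00 2019 Info: New SMTP ICID 33127 interface Data 1 (192.0.2.10) address 198.51.100.44 reverse dns host mailbot2.example.test verified yes
Sun Jan 27 07:01:00 2019 Info: ICID 33127 ACCEPT SG BYPASSLIST match .example.test SBRS None country
Sun Jan 27 07:01:00 2019 Info: Start MID 144 ICID 33127
Sun Jan 27 07:01:00 2019 Info: MID 144 ICID 33127 From: <sender@example.test>
Sun Jan 27 07:01:01 2019 Info: MID 144 ICID 33127 RID 0 To: <user@corp.test>
Sun Jan 27 07:01:01 2019 Info: MID 144 SPF: helo identity postmaster@mailbot2.example.test None
Sun Jan 27 07:01:01 2019 Info: MID 144 SPF: mailfrom identity sender@example.test SoftFail (v=spf1)
Sun Jan 27 07:01:01 2019 Info: MID 144 SPF: pra identity sender@example.test None headers from
Sun Jan 27 07:02:10 2019 Info: New SMTP ICID 33136 interface Data 1 (192.0.2.10) address 203.0.113.9 reverse dns host unknown verified no
Sun Jan 27 07:02:10 2019 Info: Start MID 148 ICID 33136
Sun Jan 27 07:02:11 2019 Info: MID 148 SPF: mailfrom identity ceo@bigmail.test SoftFail (v=spf1)
Sun Jan 27 07:02:11 2019 Info: MID 148 DMARC: Message from domain bigmail.test, DMARC fail, (SPF aligned False, DKIM aligned False) DMARC policy is reject, applied policy is reject
Sun Jan 27 07:02:11 2019 Info: MID 148 DMARC: rejected by DMARC policy
"""

ICID_RE = re.compile(r"New SMTP ICID (\d+) .*? address (\S+) reverse dns host (\S+) verified (\S+)")
START_RE = re.compile(r"Start MID (\d+) ICID (\d+)")
SPF_RE = re.compile(r"MID (\d+) SPF: (helo|mailfrom|pra) identity (\S+) "
                    r"(None|Pass|Fail|SoftFail|Neutral|PermError|TempError)")
DMARC_RE = re.compile(r"MID (\d+) DMARC: Message from domain ([^,\s]+), DMARC (pass|fail), "
                      r"\(SPF aligned (True|False), DKIM aligned (True|False)\) "
                      r"DMARC policy is (\w+), applied policy is (\w+)")
REJECT_RE = re.compile(r"MID (\d+) DMARC: rejected by DMARC policy")


def summarize(log_text):
    """Correlate per-connection (ICID) and per-message (MID) lines into one
    record per MID: client IP/rDNS, SPF verdict per identity, DMARC line."""
    conns = {}
    mids = defaultdict(lambda: {"spf": {}, "dmarc": None, "rejected": False})
    for line in log_text.splitlines():
        if m := ICID_RE.search(line):
            conns[m[1]] = {"ip": m[2], "rdns": m[3], "rdns_verified": m[4] == "yes"}
        elif m := START_RE.search(line):
            mids[m[1]].update(conns.get(m[2], {}))
        elif m := SPF_RE.search(line):
            mids[m[1]]["spf"][m[2]] = {"identity": m[3], "result": m[4]}
        elif m := DMARC_RE.search(line):
            mids[m[1]]["dmarc"] = {"domain": m[2], "result": m[3],
                                   "spf_aligned": m[4] == "True",
                                   "dkim_aligned": m[5] == "True",
                                   "policy": m[6], "applied": m[7]}
        elif m := REJECT_RE.search(line):
            mids[m[1]]["rejected"] = True
    return dict(mids)


def needs_review(summary):
    """MIDs accepted although authentication did not vouch for them: no DMARC
    verdict and SPF mailfrom other than Pass, or a DMARC fail that was not
    rejected at the connection. These are the candidates for a content filter."""
    flagged = []
    for mid, info in summary.items():
        if info["rejected"]:
            continue
        mailfrom = info["spf"].get("mailfrom", {}).get("result")
        dmarc = info["dmarc"]
        if (dmarc is None and mailfrom != "Pass") or (dmarc and dmarc["result"] == "fail"):
            flagged.append(mid)
    return flagged
```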

Use DMARC pass/fail as a factor in filters

• DMARC results are stored in the authentication-results header

• This can be leveraged inside a Content or Message Filter if DMARC is not being used to block during the connection phase

• Use the header results along with other factors such as Geo-Location, Forged Email Detection, etc. to increase accuracy of a possible threat
