In part two of this blog series, we explored the interdependencies of SPF, DKIM and DMARC; the limitations and vulnerabilities of each and addressed some of the unintended consequences of DMARC adoption.
As evident by the success of Mailsploit - a phishing method that enables attackers to create a nearly undetectable spoof – and other DMARC complexities and limitations – attackers are unlikely to abandon their spoofing techniques any time soon, no matter how widespread protocol adoption becomes.
In fact, an unintended consequence of DMARC adoption is that the more companies & organizations implement it, the more that attackers will launch domain impersonation attacks, which DMARC does nothing to protect against. Domain impersonation attacks (also known as homograph or cousin attacks), change character(s) in a domain, replacing numbers with letters, symbols etc. that look the same to both the naked eye and technology. Domain impersonation attacks are far more popular and easier to execute than exact domain spoofing.
In this third and final blog installment, we’ll introduce an anti-spoofing solution that provides all of the benefits of DMARC with none of the limitations.
The Unrealistic Expectations of DMARC Users
As a reminder, the underlying responsibility of DMARC is policy enforcement, so if SPF and DKIM are not properly implemented by both sender and receiver, then DMARC cannot be effective at limiting domain spoofing attacks. In other words, if DMARC is not adopted by every sender that you receive emails from, then you are not protected from domain spoofing attacks. Take note DHS - this reliance on full scale adoption is unrealistic.
Instead of focusing on preventing messages from getting into mailboxes, which will inevitably occur so long as email is a communications medium of choice, organizations must begin to approach email security from a different perspective – from inside the mailbox itself. This approach recognizes that attackers will always find a way in (which they do), and as such, acts as an added layer of security battling the millions of messages they bypass DMARC & secure email gateways (SEGs) every day.
Inoculating the Mailbox via Anomaly Detection & Smart Fingerprinting
The email protocol was not designed with security in mind, and there is no authentication mechanism in place whatsoever. However pseudo-authentication is now possible using ‘sender fingerprinting,’ an advanced machine learning based technology that can identify the true identity of a sender to answer the basic question of “who is sending me what?”
At IRONSCALES, we’ve developed IronSights, advanced protection against
business email compromise (BEC), for our anti-phishing platform. This layer of security protects company's employees from all types of business email compromise (BEC) attacks, including domain spoofing, display spoofing and impersonation attempts, by analyzing data at the mailbox-level.
To authenticate emails, IronSights scans every message for:
- The implementation level (no/full/partial) of DMARC/SPF/DKIM
- Sending IP addresses
- Normal communication context
- Email data & metadata
The aggregate of this information creates a baseline of normal communications that is consistently analyzed by machines to build out a unique fingerprint, which is assigned to every sender. Once the fingerprint is established, any deviation from the norm will be immediately detected and recipients will be notified of any potential threat through inline messaging.
WATCH OUR VIDEO.
By examining user communications and meta data to establish a fingerprint, anomalies in communications can more easily be spotted and automatically flagged as suspicious to help people make smarter and quick decisions that can be acted upon automatically or for the SOC/security to investigate, analyze and respond accordingly.
To prevent email compromises from hitting the mark, organizations need tools without limitations that are smart enough to warn end-users of the imminent detonation danger and empower them to neutralize the risk.
DMARC is practical in theory, but in reality, it is hard to use and maintain, and is only effective at stopping exact domain spoofing, which accounts for only a small subset of advanced email phishing threats. Sender fingerprinting, in contrast, is a solution built on advanced machine learning technology, with the primary purpose of discovering the true identity of any sender – no matter the type or technique of the phishing attack.
To find out how IRONSCALES’ IronSights can help you defend against today’s spoofing threats when DMARC can’t, visit: https://ironscales.com/bec-protection-ironsights/