brksec-3770

5/21/2018 BRKSEC-3770

1/83

5/21/2018 BRKSEC-3770

2/83

Dont Be A Phish Deep Dive Into E-maAuthentication TechniquesBRKSEC-3770

Hrvoje Dogan, Security Solutions Architect

5/21/2018 BRKSEC-3770

3/83

2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public

Agenda

Introduction to Phishing

Hardening Your E-mail Infrastructure With Message Authentication

Sender Policy Framework (SPF)

Domain Keys Identified Mail (DKIM)

Domain-based Message Authentication, Reporting & Conformance (DMA

Q&A

5/21/2018 BRKSEC-3770

4/83 2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public

Content Aids

Anything in blueRelates to

Sender / Signer

Anything in magentaRelates to

Recipient / Verifier

Note: Some of the concepts laid out will be abstracted/simplified for easier delivery. I will make the best effo

point out when there is more happening behind the scenes but is not practical to deliver in this session.

The curious fish that wants to know moreAdorns the slides that are For Your Reference

The caught fish is our Progress Indicator

5/21/2018 BRKSEC-3770

5/83

Introduction to Phishing

5/21/2018 BRKSEC-3770

6/83

phishing noun \fi-shi\

a scam by which an e-mail user is duped into revpersonal or confidential information which the scacan use illicitly

Merriam-Webster On

What Is Phishing?

5/21/2018 BRKSEC-3770


A Short History of Phishing

First use: 1996, alt.online-service.america-online

2001 Moved to wider Internet, targeting payment systems Easy to spot messages, spelling errors

2003 Legitimate site opens in the background, phisher runs a fake login windo Gartner reports global cost of phishing in 2003 at 2.4 billion US$.

2004 Implemented data validation with real sites Creating completely fake Websites of imaginary banks and financial firm

5/21/2018 BRKSEC-3770


Phishing Today

Source: APWG Phishing Attack Trends Report 2Q2013, http://docs.apwg.org/reports/apwg_trends_report_q2_2013.pdf

Country hosting mossites: USA

Top 5 countries by abrands: USA, UK, In

Australia, France

Most phishing attacklaunched on Fridays

Worldwide cost of P2012: >1.5 billion U

Source: RSA Online Fraud Report,http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-0

5/21/2018 BRKSEC-3770


Who Is Attacked?

Energy sector target An oil and gas explor

operations in Africa, MBrazil;

A company that ownselectric plants througRepublic and Bulgari

A natural gas power A gas distributor loca

An industrial suppliernuclear and aerospac Various investment a

that specialize in the

Source: Cisco TRAC Q1 2014 Quarterly Threat Briefing

5/21/2018 BRKSEC-3770

10/83

Hardening Your E-mail Infrastructure: SPF

5/21/2018 BRKSEC-3770


Sender Policy Framework

Specified in RFC4408(bis)

In a nutshell: Allows recipients to verify sender IP addresses by loorecords listing authorized Mail Gateways for a particular domain

Uses DNS TXT(16) or SPF (Type 99) Resource Records SPF RR will be obsoleted due to low use

Can verify HELO and MAIL FROM identity (FQDN)

A Short Introduction

5/21/2018 BRKSEC-3770

12/83


SPF Operation

DNS TXTand/or

SPF RR

Work out whichmachines send

Outgoing msg Just forward it

G

Par

Deli

CheHM

5/21/2018 BRKSEC-3770

13/83


SPF Record Semantics

acmilan.com IN TXT v=spf1 ip4:77.92.66.4 -a

SPF version

Verification mech

5/21/2018 BRKSEC-3770

14/83


SPF Record SemanticsMechanisms and Qualifiers

IP4

IP6

A

MX

INCLUDE

PTR

EXISTS

ALL

PASS (+)

NE

SOFTFAIL (~)

5/21/2018 BRKSEC-3770

15/83


SPF Record Examples

cisco.com IN TXT v=spf1 ip4:173.37.147.224/27ip4:173.37.142.64/26 ip4:173.38.212.128/27 ip4:173.38.2ip4:64.100.0.0/14 ip4:72.163.7.160/27 ip4:72.163.197.0/ip4:144.254.0.0/16 ip4:66.187.208.0/20 ip4:173.37.86.0/ip4:64.104.206.0/24 ip4:64.104.15.96/27 ip4:64.102.19.1ip4:144.254.15.96/27 ip4:173.36.137.128/26 ip4:173.36.1mx:res.cisco.com ~all

amazon.com IN TXT v=spf1 include:spf1.amazon.com

include:spf2.amazon.com include:amazonses.com allamazon.ses.com IN TXT v=spf1 ip4:199.255.192.0/22ip4:199.127.232.0/22 ip4:54.240.0.0/18 ~all

openspf.org IN TXT v=spf1 all

5/21/2018 BRKSEC-3770

16/83


SPF Record Nesting

google.com IN TXT v=spf1 include:_spf.google.com ip4:216.73.93.70/31ip4:216.73.93.72/31 ~all

_spf.google.com IN TXT v=spf1 include:_netblocks.google.cominclude:_netblocks2.google.com include:_netblocks3.google.com ~all

_netblocks.google.com IN TXT v=spf1 ip4:216.239.32.0/19 ip4:64.233.16ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.

_netblocks2.google.com IN TXT v=spf1 ip6:2001:4860:4000::/36ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36

ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all_netblocks3.google.com IN TXT v=spf1 ~all

Maximum of 10 mechanisms querying DNS (any other than IP4, IP

5/21/2018 BRKSEC-3770

17/83


What SPF Does NOT Address

Primary purpose of SPF is to validate whether a message sender ca legitimate host

Only checks Envelope Fromheaders can still be faked Complementary technology, SenderID, checks purported sender (Purpo

Responsible Address) in the headers, but has many shortcomings

Does not ensure message integrity

Does not prevent intra-domain forgery

5/21/2018 BRKSEC-3770

18/83


SPF Best Practices

Plan to include -all in your SPF records

Consider all legitimate servers sending e-mail on your behalf

Make it part of security policy for roaming users to use authenticated SMgateways for sending outgoing mail

Add your relay hosts HELO/EHLO identity to SPF records

Create SPF records for all of your subdomains too

Publish null SPF records for domains/hosts that dont send mail!

nomail.domain.com. IN TXT "v=spf1 -all" Only include MX mechanism if your incomingmail servers also send out

(for now) Publish both TXT and SPF DNS Resource Records with your SP

5/21/2018 BRKSEC-3770

19/83

Setting up SPF DNS Records andConfiguring SPF Verification on Cisc

5/21/2018 BRKSEC-3770

20/83

Hardening Your E-mail Infrastructure: DKIM

5/21/2018 BRKSEC-3770

21/83


Domain Keys Identified Mail

Specified in RFC5585

Additional RFCs: RFC6376 (DKIM Signatures), RFC5863 (DKIM DeveloDeployment and Operation), RFC5617 (Author Domain Signing Practice

In a nutshell: Specifies methods for gateway-based cryptographic outgoing messages, embedding verification data in an e-mail headfor recipients to verify integrity of the messages

Uses DNS TXT records to publish public keys

A Short Introduction

5/21/2018 BRKSEC-3770

22/83


DKIM Operation

DNS TXT RR

Generatekeypair

Outgoing msgCanonicalize

+Sign

InsertDKIM-Signature

Re

PaS

Dela

5/21/2018 BRKSEC-3770

23/83


DKIM SignatureExample DKIM-Signature Header

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;d=gmail.com; s=20120113;h=mime-version:date:message-id:subject:from:to:

type;bh=pMD4ZYid1vn/f7RZAy6LEON+d+W+ADlVSR6I0zrYofA=b=n3EBxT5DwNbeISSYpKT6zOKHEb8ju51F4X8H2BKhDWk9Y

h

srfeFCvf+/2XEPnQaIVtKmE0h7ZTI8yvV6lDEQtJQQWqQ/RJAXPR+yF6xwLLcQqMwzsgLxC3pQAPw3Lp7py9C62nauei3nUvq6IS+qfJBOKeMby9WUsqRecg0AWX8Dfb8gxXHQH8wKFJ9ufIOTaZWMhiFnL+NHR06v0PwsCQhsSccuk0eTDu9Uqyf8bDSyGhUFeuqwxJoCJcghGf7edZ0OIgZtEcuxLMcgl+mpSje2Y

Algorithms used

Signing Domain ID

Signed Headers

Header Hash

Body Hash

5/21/2018 BRKSEC-3770

24/83


DKIM SignatureAlgorithms

RSA-SHA1 or RSA-SHA256

Signers MUST Signers SHOULD

Verifiers MUST Verifiers MUST

512 bits 1024 bits 2048 bits

Verifiers MUST Verifiers MUSTSigners MUST(for long-lived keys)

Verifie

Max. practicalkey length

5/21/2018 BRKSEC-3770

25/83


DKIM Signature

Process of adapting the message content for signing to compensa

changes by MTAs in transit

MUST NOT change the transmitted data in any way; just its presen

Two canonicalization schemes are supported for both headers and Simple (almost no modification tolerated) Relaxed (some modification, like header name case changes, line wrapp

whitespace replacement allowed)

Canonicalization

5/21/2018 BRKSEC-3770

26/83


DKIM Signature

Simple Header Canonicalization No changes to headers Retains order, case and whitespacing

Relaxed Header Canonicalization Header names -> lowercase Unfolds all multiline headers

Replaces sequences of WSP characters with a single WSP Deletes WSP characters at EOL Deletes WSP before and after the colon separating the field name from t

Header Canonicalization

5/21/2018 BRKSEC-3770

27/83


DKIM Signature

Return-Path: v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.comX-Original-To: [email protected]

Delivered-To: [email protected]: from mx1.hc4-93.c3s2.smtpi.com (esa1.hc4-93.c3s2.smtpi.com [68.232.136.98])by rotkvica.dir.hr (Postfix) with ESMTP id B08562ABC01Efor ; Thu, 26 Dec 2013 12:03:32 +0100 (CET) Received-SPF: Pass (mx

93.c3s2.smtpi.com: domain ofv-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.comdesignates 208.95.132.58 as permitted sender)identity=mailfrom; client-ip=208.95.132.58;receiver=mx1.hc4-93.c3s2.smtpi.com;envelope-from=v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.com;[email protected];

x-conformance=sidf_compatible; x-record-type="v=spf1Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of

[email protected] designates208.95.132.58 as permitted sender) identity=helo;client-ip=208.95.132.58; receiver=mx1.hc4-93.c3s2.smtpi.com;envelope-from=v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.com;x-sender="[email protected]";x-conformance=sidf_compatible; x-record-type="v=spf1

Authentication-Results: mx1.hc4-93.c3s2.smtpi.com; dkim=pass (signature verified)[email protected]

X-IronPort-Anti-Spam-Filtered: true

Header Canonicalization in Action

5/21/2018 BRKSEC-3770

28/83


DKIM Signature

return-path:v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.comx-original-to:[email protected]

delivered-to:[email protected]:from mx1.hc4-93.c3s2.smtpi.com (esa1.hc4-93.c3s2.smtpi.com [68.232.136.98]) by rotkvwith ESMTP id B08562ABC01E for ; Thu, 26 Dec 2013 12:03:32 +0100 (CET)received-spf:Pass (mx1.hc4-93.c3s2.smtpi.com: domain of v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@designates 208.95.132.58 as permitted sender) identity=mailfrom; client-ip=208.95.132.58; rec93.c3s2.smtpi.com; envelope-from=v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.com; [email protected]; x-conformance=sidf_compatible; x-recorreceived-spf:Pass (mx1.hc4-93.c3s2.smtpi.com: domain of [email protected] as permitted sender) identity=helo; client-ip=208.95.132.58; receiver=mx1.hc4-9envelope-from=v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.com; [email protected]; x-conformance=sidf_compatible; x-record-type="

authentication-results:mx1.hc4-93.c3s2.smtpi.com; dkim=pass (signature verified)header.i=email@ecklers.messages1.comx-ironport-anti-spam-filtered:true

Header Canonicalization in Action

5/21/2018 BRKSEC-3770

29/83


DKIM Signature

Simple Body Canonicalization

No changes to the message, except: removes any empty lines at the end of the message body adds CRLF at the end of the message body, if not already there

Relaxed Body Canonicalization Simple Canonicalization, plus:

Ignores all WSP characters at EOL

Replaces sequences of WSP characters in a line into a single WSP

Body Canonicalization

5/21/2018 BRKSEC-3770

30/83





h


Algorithms used

Signing Domain ID

Signed Headers

Header Hash

Body Hash

5/21/2018 BRKSEC-3770

31/83


DKIM Signature

Signing Domain ID (SDID)

Identifies the entity claiming responsibility for the signed message Must correspond to a valid DNS name under which a DKIM key is publis

Selector Enables publishing of multiple keys per signing domain Use cases:

Periodic key rotations Delegating/splitting signing authority for different OUs Delegating signing authority to 3rdparties Allowing roaming users to sign their own messages

Signing Domain ID and Selector

5/21/2018 BRKSEC-3770

32/83





h


Algorithms used

Signing Domain ID

Signed Headers

Header Hash

Body Hash

5/21/2018 BRKSEC-3770

33/83


DKIM Public Key Retrieval

DNS query:

._domainkey.

For our example:

20120113._domainkey.gmail.com IN TXT k=rsa\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD0" "7y2+08svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+Yqd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiLUTD21MycBX5jYchHjPY/wIDAQAB

5/21/2018 BRKSEC-3770

34/83


DKIM SignatureAnatomy of the DKIM-Signature Header

Mandatory tags

V A D S H B BH

Optional tags

C I L Z

Recommended tags

T X

5/21/2018 BRKSEC-3770

35/83


DKIM Public KeyAnatomy of the DKIM DNS Record

Mandatory tags

P

Recommended tags

V=DKIM1

Optional tags

H=SHA1 K=RSA NS=EMAIL GT=Y T=S

5/21/2018 BRKSEC-3770

36/83


DKIM Public Key Examples

iport._domainkey.cisco.com IN TXT v=DKIM1\; s=email\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCctxGhJnvNpdcQL

pzFIJuo73OYFuw6/8bXcf8/p5JG/iME1r9fUlrNZs3kMn9ZdPYvTyRbUyMrsM3ZN2JAIop3M7sitqHgp8pbORFgQyZxq+L23I2cELq+qwtbanjvrvbuz9QL8CUtS+V5N5ldq8L/lwIDAQAB\;

lufthansa3._domainkey.lufthansa.com IN TXT g=*\; k=rsan="Contact [email protected] with any questions this signing"\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg

WF9kW/HY6ppS6g3U6Be0JRfu59Iv3oYgW+ztDJK1HsLf/hmah4buPBtCagDNN7wK12uhs6ko6f4SulZpwqVdtp1R6jujvW56hcNhx4RJ0E17meDhQmE8lkUzJR4BXWuKsPSSSy/pT3rM+LusuTAbFWKsMQIDAQAB\;

Ch i Y DKIM P

5/21/2018 BRKSEC-3770

37/83


Choosing Your DKIM Parameters

Make the best use of selectors Periodic key rotation

Delegation of signing authority

Sacrificing security for performance If you must, consider weakening your signatures in the following order:

Reduce the signing key size (and combine with selector rotation) Use simple for body canonicalization Use simple for headers canonicalization

Change signing algorithm to sha-1However, RFC6376 says: Signers MUST implement and SHOULD sign usin

5/21/2018 BRKSEC-3770

38/83

Configuring DKIM Signing and VerifiUsing Cisco ESA

DKIM Ad ti t P bl d ADSP

5/21/2018 BRKSEC-3770

39/83


DKIM Advertisement Problem and ADSP

The biggest problem of DKIM is that there is no straightforward adv Unsigned messages can come in unverified

ADSP (Author Domain Signing Practices, RFC5617) is an extensio A DNS-based method for sender domains to advertise that they are sign A simple TXT record at _adsp._domainkey., containing just:

dkim=unknown|all|discardable

ADSP is obsoleted as of November 2013 due to lack of deployme

_adsp._domainkey.yahoo.com IN TXT dkim=unknown

5/21/2018 BRKSEC-3770

40/83

Hardening Your E-mail Infrastructure: DMA

5/21/2018 BRKSEC-3770

41/83

DMARC is designed to prevent bad actors fromsending mail which claims to come from legitimasenders, particularly senders of transactional emOne of the primary uses of this kind of spoofed mphishing

draft-kucherawy-

IETF Network W

Moving Towards DMARC

5/21/2018 BRKSEC-3770

42/83


Moving Towards DMARC

Both DKIM and SPF have shortcomings, not because of bad desigbecause of different nature of each technology

DKIM policy advertising was addressed by ADSP, but: There was no visibility by spoofed parties into offending traffic Even though a receiver implemented both SPF and DKIM verification, th

requirement of the two technologies being in sync A smart attacker might make use of this to push illegitimate messages through

SPF checks HELO/MAILFROM identity, but no verification or align

Header From is ensured

Thus, DMARC was born: Leveraging great existing technologies, providing a glue to keep them in

allowing sendersto mandate rejection policies and have visibility of offen

DMARC Operation

5/21/2018 BRKSEC-3770

43/83


DMARC Operation

SPF (or TXT)DNS RR

Publish SPF

Outgoing msg

Publish DMARC

InsertDKIM-Signature

Check SPF

Check SPF onHeader From

Fetch DMARCPolicy

Publish DKIM Check DKIMDKIM (TXT)

DNS RR

DMARC (TXT)DNS RR

DMARC Policy

5/21/2018 BRKSEC-3770

44/83


DMARC PolicyExample of a DMARC DNS Record

_dmarc.amazon.com IN TXT v=DMARC1\; p=quarantpct=100\; rua=mailto:[email protected]=mailto:[email protected]

Version

Sampling rate

Failure Reports URI Aggre

Failure polic

DMARC Policy

5/21/2018 BRKSEC-3770

45/83


DMARC Policy

Policies requested by senders:

None Quarantine Reject

Receivers MAY deviate from requested policies, but SHOULD infosender why (through Aggregate Report)

Sampling rate (p tag) instructs the receiver to only apply policy tomessages

Policy Specification and Slow Start

DMARC Policy

5/21/2018 BRKSEC-3770

46/83


DMARC Policy

mailto: and http:// URIs supported

Two distinct report types: Aggregate report

Sent on an interval Summary of all incidents from a particular sender domain

Failure report Sent on (every) failure

Detailed report on individual failures

Reporting URIs

DMARC Policy

5/21/2018 BRKSEC-3770

47/83


DMARC PolicyAnatomy of the DMARC DNS Record

Mandatory tags

V=DMARC1

Optional tags

PCT FOSP RIADKIM RF

P

ASPF RUFRUA

DMARC Policy

5/21/2018 BRKSEC-3770

48/83


DMARC Policy

Sender can request Strict (s) or Relaxed (r, default) adherence

SPF DKIM (adkim):

Relaxed: Header From FQDN can be a subdomain of d tag of DKIM sig Strict: Header From FQDN must completely match the d tag of DKIM

SPF (aspf):

Relaxed: Header From domain can be a subdomain of SPF-AuthenticateFROM) domain Strict: Header From domain must match MAIL FROM domain

Adherence to SPF/DKIM

DMARC Policy

5/21/2018 BRKSEC-3770

49/83


DMARC Policy

Two supported Report Formats (rf):

afrf Authentication Failure Reporting Format, defined in RFC6591, and extended by d

dmarc-base (default)

iodef Incident Object Description Exchange Format, defined in RFC5070

Failure reporting options (fo), separated by colons in the Policy R

0: generate a report if allunderlying mechanisms fail to align and pass ( 1: generate a report if anyunderlying mechanisms fail to align and pass d: generate a DKIM failure report if DKIM verification fails, regardless of s: generate an SPF failure report for failed SPF verification, regardless o

Failure Reporting

DMARC Reporting

5/21/2018 BRKSEC-3770

50/83


DMARC Reporting

_dmarc.facebook.com IN TXT "v=DMARC1\; p=reject\; pct=1rua=mailto:[email protected],mailto:[email protected]=mailto:[email protected]\;

Delegating Reporting Authority

DMARC Reporting

5/21/2018 BRKSEC-3770

51/83


DMARC Reporting

_dmarc.facebook.com IN TXT "v=DMARC1\; p=reject\; pct=1rua=mailto:[email protected],mailto:[email protected]=mailto:[email protected]\;"


facebook.com._report._dmarc.ruf.agari.com

DMARC Reporting

5/21/2018 BRKSEC-3770

52/83


_dmarc.facebook.comIN TXT "v=DMARC1\; p=reject\; pct=1rua=mailto:[email protected],mailto:[email protected]=mailto:[email protected]\;"

facebook.com._report._dmarc.ruf.agari.comfacebook.com._report._dmarc.ruf.agari.com

DMARC ReportingDelegating Reporting Authority

DMARC Reporting

5/21/2018 BRKSEC-3770

53/83


DMARC Reporting



facebook.com._report._dmarc.ruf.agari.com

DMARC Reporting

5/21/2018 BRKSEC-3770

54/83


DMARC Reporting



facebook.com._report._dmarc.ruf.agari.com IN TXT v=DMARC1

DMARC Record Examples

5/21/2018 BRKSEC-3770

55/83


p

_dmarc.google.com IN TXT v=DMARC1\; p=quarantine\;

rua=mailto:[email protected]

_dmarc.cs.helsinki.fi IN TXT v=DMARC1\; p=reject\; sp=

pct=100\; aspf=r\; rua=mailto:[email protected]

_dmarc.microsoft.com IN TXT v=DMARC1\; p=none\; pct=10

rua=mailto:[email protected]\; ruf=mailto:[email protected]

_dmarc.dk-hostmaster.dk IN TXT v=DMARC1\; p=none\;rua=mailto:[email protected]\; ruf=mailto:d

[email protected]\; adkim=r\; aspf=r\; rf=afrf

DMARC Identifier Alignment

5/21/2018 BRKSEC-3770

56/83


g

DMARC authenticates the domain from Header From

DKIM authenticates the domain from DKIM-Signature (d tag)

SPF authenticates domains from MAIL FROM or HELO identities

Identifier Alignment is a concept of alignment between Header Fidentifiers checked by DKIM and SPF

Message passesDMARC check if one or more of the authenticatmechanisms (DKIM and/orSPF) pass with proper alignment

When Does A Message Pass?

DMARC Policy

5/21/2018 BRKSEC-3770

57/83


yAnatomy of the DMARC DNS Record

Mandatory tags

V=DMARC1

Optional tags

PCT FOSP RIADKIM RF

P

ASPF RUFRUA

DMARC Policy

5/21/2018 BRKSEC-3770

58/83


y

Sender can request Strict (s) or Relaxed (r, default) adherence

SPF DKIM (adkim):

Relaxed: Header From FQDN can be a subdomain of d tag of DKIM sig Strict: Header From FQDN must completely match the d tag of DKIM

SPF (aspf):

Relaxed: Header From domain can be a subdomain of SPF-AuthenticateFROM) domain Strict: Header From domain must match MAIL FROM domain

Adherence to SPF/DKIM

DMARC Identifier Alignment: SPF

5/21/2018 BRKSEC-3770

59/83


g

MAIL FROM:

From: Hrvoje Dogan (hrdogan)

To: Hrvoje Dogan Subject: DMARC test


5/21/2018 BRKSEC-3770

60/83


g

MAIL FROM:




5/21/2018 BRKSEC-3770

61/83


MAIL FROM:




5/21/2018 BRKSEC-3770

62/83


MAIL FROM:



MAIL FROM:

From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test


5/21/2018 BRKSEC-3770

63/83


MAIL FROM:



MAIL FROM:



5/21/2018 BRKSEC-3770

64/83


MAIL FROM:


MAIL FROM:


MAIL FROM:



5/21/2018 BRKSEC-3770

65/83


MAIL FROM:


MAIL FROM:


MAIL FROM:


DMARC Identifier Alignment: DKIM

5/21/2018 BRKSEC-3770

66/83


DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan

Subject: DMARC test


5/21/2018 BRKSEC-3770

68/83

2014 Cisco and/or its affiliates All rights reservedBRKSEC-3770 Cisco Public


Subject: DMARC test

DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test

adk


5/21/2018 BRKSEC-3770

69/83



Subject: DMARC test


adk


5/21/2018 BRKSEC-3770

70/83



Subject: DMARC test


DKIM-Signature: v=1; [] d=linux.hr;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test

adk


5/21/2018 BRKSEC-3770

71/83



Subject: DMARC test


DKIM-Signature: v=1; [] d=linux.hr;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test

adk

Multiple DKIM signatures? Anymust validate and align.

DMARCHow to start

5/21/2018 BRKSEC-3770

72/83


1. Correctly deploy DKIM and SPF

2. Make sure that your identifiers will align

3. Publish a DMARC record with p=none, gather ruaand rufrepowhile

4. Analyze the data and modify your mail streams (or DKIM/SPF pa

5. Apply reject or quarantine policy

How to start

DMARCHow to Delegate

5/21/2018 BRKSEC-3770

73/83


Create a subdomain for your 3rdparty mailers

Provide them with your DKIM signing key Make sure adkimis set to strict, and aspfset to relaxedif needed

How to Delegate

Received: from mta3.e.tripadvisor.com ([66.231.81.9]) by mx1.hc4-93.c3s2.smtpi.comJan 2014 21:16:36 +0100

Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain ofbounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvisor.com designaas permitted sender) identity=mailfrom; client-ip=66.231.81.9; receiver=mx1.hc4-envelope-from="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvi

x-sender="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvisor.cx-conformance=sidf_compatible; x-record-type="v=spf1

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=e.tripadvisor.com;h=From:To:Subject:Date:List-Unsubscribe:MIME-Version:Reply-To:Message-ID:[email protected]; bh=ZNcj7Ir0D/Hc0M9uybYZydUdcZQ=; b=afqcdGZ2Vg8z38JB+c8vp3q89JcMLPtRfO1OtRV21UjsQgW1fKCFBZglZxnyQuE8TLGQJy2AkaCaV2YiiZPogw6PhNmmDMmxQ/gNPFkJeUFSHRpJriV0017gsGVmV3t72fv25kS0kKbtvvhjZCyQ=

From: "TripAdvisor"


5/21/2018 BRKSEC-3770

74/83




How to Delegate


Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain ofbounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvisor.com designaas permitted sender) identity=mailfrom; client-ip=66.231.81.9; receiver=mx1.hc4-envelope-from="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvi



From: "TripAdvisor"


5/21/2018 BRKSEC-3770

75/83




How to Delegate


Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain ofbounce-891195_HTML-783170676-35558060-77825-258@ bounce.e.tripadvisor.comdesignaas permitted sender) identity=mailfrom; client-ip=66.231.81.9; receiver=mx1.hc4-envelope-from="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvi



From: "TripAdvisor"


5/21/2018 BRKSEC-3770

76/83




How to Delegate


Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain ofbounce-891195_HTML-783170676-35558060-77825-258@ bounce.e.tripadvisor.comdesignaas permitted sender) identity=mailfrom; client-ip=66.231.81.9; receiver=mx1.hc4-envelope-from="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvi



From: "TripAdvisor"

5/21/2018 BRKSEC-3770

77/83

DMARC deployment using Cisco ES

Dont Be A PhishDeploy DMARC!

5/21/2018 BRKSEC-3770

78/83


DMARC provides Easy, simple and powerful existing-standards-based message authentic Flexibility and gradual deployment A chance to clean up your mail flows and tighten up messaging security Easy protection from most phishing attacksboth as phish and as bait!

and endless opportunities for corny fish jokes.

Deploy DMARC!

DONT BE A PHISH.ITS SIMPLE.

For More Information

5/21/2018 BRKSEC-3770

79/83


http://www.openspf.org

http://www.dkim.org

http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishcloud/

https://support.google.com/mail/answer/3070163?hl=en

http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02

http://dmarc.org

http://dmarcian.com

Presentation videos: http://bitly.com/bundles/hrvojedogan/1

Image credits
http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/https://support.google.com/mail/answer/3070163?hl=enhttp://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://dmarc.org/http://dmarcian.com/http://bitly.com/bundles/hrvojedogan/1http://bitly.com/bundles/hrvojedogan/1http://dmarcian.com/http://dmarc.org/http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02https://support.google.com/mail/answer/3070163?hl=enhttps://support.google.com/mail/answer/3070163?hl=enhttp://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/

5/21/2018 BRKSEC-3770

80/83


Most photography on title slides courtesy of Novi List, http://www.novilist.hrpermission of the Editor of Photography. Authors of photography: Sergej DFabijan, Marko Gracin, Roni Brmalj, Damir komrlj, Silvano Jeina, Livio

Original artwork for icons and progress indicator done in ink on paper by Ivhttp://www.medri.uniri.hr/~imatic/

Special credits go to Helenka, for her relentless work on producing these sl

Call to Action

Visit the World of Solutions:

5/21/2018 BRKSEC-3770

81/83


Visit the World of Solutions:-

Cisco CampusCisco E-mail Security

Walk-in Labs Technical Solutions Clinics

Hrvoje Dogan, Dan Griffin, Tom Foucha, Scott Bower

Meet the Engineer

Lunch Time Table Topics, held in the main Catering Hall

Recommended Reading: For reading material and further resourcsession, please visit www.pearson-books.com/CLMilan2014

Complete Your Online Session Evaluation
http://www.pearson-books.com/CLMilan2014http://www.pearson-books.com/CLMilan2014http://www.pearson-books.com/CLMilan2014http://www.pearson-books.com/CLMilan2014

5/21/2018 BRKSEC-3770

82/83


Complete your online sessionevaluation

Complete four session evaluationsand the overall conference evaluationto receive your Cisco Live T-shirt

5/21/2018 BRKSEC-3770

83/83

brksec-3770

Documents

cisco andor

phishing5212018 brksec

spf5212018 brksec

cisco publicwho

financial firm5212018

cisco trac q1

global cost of phishing

email infrastructure