DMARC - What Are You Waiting For?
By Shaun D. Marion, CISO, Honeywell International Inc.
According to Verizon’s 2015 Data Breach Investigation Report, more than two-thirds of incidents tied to Cyber-Espionage were originally sourced from phishing campaigns. Additionally, Symantec’s 2015 Internet Security Threat Report states that in 2014, nearly 1 in every 1,000 pieces of email was a phish. While this is a noticeable improvement from the prior year, it highlights just how effective phishing campaigns remain, and their effectiveness, I believe, is tied directly to their inherent technological simplicity. Despite enhanced defenses and expanded user awareness, 23 percent of users are going to open phishing messages and 11 percent are going to click on the attachments. I don’t want to be dismissive of the value of an effective user awareness campaign; users are our last line of defense and an effective user awareness campaign is absolutely invaluable. However, no matter how hard we try, the fact is users will click. With potential damages ranging from little more than the installation of commodity malware to industrial espionage, loss of intellectual property, damaged brand reputation, and loss of strategic competitive advantage, the power of that click can be immeasurable. I’m not going to try to convince you that we can completely eradicate this problem. However, I will argue that as we reduce the simplicity of this attack, we will reduce its overall effectiveness, and our most significant weapon in this fight is DMARC.
Domain-based Message Authentication, Reporting and Conformance (DMARC) sounds great, doesn’t it? Okay, so it isn’t exactly one of the catchiest phrases, but it’s something that, if you haven’t already, you need to familiarize yourself with. DMARC builds off two existing messaging frameworks, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and provides a solid mechanism for verification and authorization of the sending and receiving of email. Through SPF, the source domain is validated to confirm that it is in fact an authoritative source for the message that was sent. DKIM, on the other hand, focuses more on content and ensures that the message content was not altered while in transit from sender to recipient. DMARC ties these frameworks together, without any involvement from the sender or receiver, through clearly defined policies that dictate the actual implementation of SPF and DKIM, and it further stipulates how and where statistics can be gathered and sent.
That last piece is more significant than you may realize. Looking at this from another perspective, do you know who is falsely representing your company as part of a phishing campaign? It’s likely that you’ve received a phish claiming that your FedEx package has shipped and all you need to do is click the link to track your package. However, have you seen the phish with your company’s name tied to it? Wouldn’t you like to know if your brand is being misrepresented by malicious actors? One of DMARC’s greatest strengths, something that you will not get through DKIM or SPF alone, is the power to see who is attempting to send mail on behalf of your domain. This reporting capability will be absolutely critical during the initial deployment phase, as you separate authorized from unauthorized Message Transfer Agents (MTAs), and it will also provide your security operations team a valuable source of intelligence throughout your DMARC deployment lifecycle.
To be clear, DMARC is not a silver bullet and it will not be as simple as flipping a light switch. It will take research, planning, and a lot of heavy lifting to implement successfully. It will not supplant current filtering technologies and will certainly not replace end-user awareness and training. So why do it? Aside from the fact that many believe it will be the de facto standard at some point, statistics reported from several organizations before and after the implementation of DMARC are staggering. Through the implementation of DMARC, in 2013 PayPal noted a 70 percent drop in phishing and reportedly stopped roughly 25 million spoofed email messages from reaching their customers during the 2013 holiday season. Additionally, after publishing a “reject” policy, Twitter reports that while there are roughly 1,000 messages each day that spoof their domain, this is down from nearly 110 million each day prior to the implementation of DMARC.
Implemented properly, DMARC’s impact on the effectiveness of phishing campaigns speaks for itself. However, as stated above, an effective DMARC implementation can be a considerable undertaking. There may be entities out there that are allowed to send email on your behalf (think of external Health & Benefits providers who send bulk messages to your employees) and it may be necessary for them to spoof your domain. These senders will need to be identified before any strict reject policies can be deployed. However, as stated previously, through the implementation of report-only policies, you can get an understanding of who is sending on your behalf which will prove to be invaluable as you begin to deploy more stringent policies.
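The SPF/DKIM alignment and policy logic described above, and the progression from a report-only policy to a reject policy, as an added example that is not part of the article or any vendor’s code. The DNS records, the domain example.com, the vendor domain and the authentication results are constructed; the organizational-domain lookup is simplified to the last two labels.

```python
# Minimal DMARC policy evaluator (added example; all records and results are constructed).
from dataclasses import dataclass

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into its tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r"); tags.setdefault("aspf", "r")  # relaxed is the default
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, crudely taken as the last two labels
    (a production implementation uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') only the organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResult:
    from_domain: str   # domain in the RFC 5322 From: header the user actually sees
    spf_result: str    # "pass"/"fail"/"none" for the envelope sender domain
    spf_domain: str
    dkim_result: str   # "pass"/"fail"/"none" for the DKIM signature's d= domain
    dkim_domain: str

def evaluate(record: str, r: AuthResult) -> tuple:
    """Return (dmarc_pass, disposition). DMARC passes when SPF or DKIM passes AND that
    identifier aligns with the From: domain; otherwise the published p= tag decides."""
    p = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, p["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, p["adkim"])
    return (True, "none") if (spf_ok or dkim_ok) else (False, p["p"])

# Constructed records: the report-only policy used while discovering senders, then the
# enforcing policy published once every legitimate sender authenticates and aligns.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com"
ENFORCE = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc-rua@example.com"
SPOOFED = AuthResult("example.com", "fail", "example.com", "none", "")
BENEFITS_VENDOR = AuthResult("example.com", "pass", "bulk.vendor-mail.net", "pass", "example.com")
SUBDOMAIN_MTA = AuthResult("example.com", "pass", "mail.example.com", "none", "")
```

Under the monitor record the spoofed message is still delivered but shows up in the aggregate reports sent to the rua address; under the enforcing record it is rejected, the vendor signing with your DKIM key still passes, and the subdomain MTA relying on SPF alone fails strict alignment, which is exactly the kind of sender the report-only phase is meant to surface.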
Phishermen are crafty; as we begin to get the upper hand and phishing becomes less and less effective, I have no doubt that they will move on to more bountiful waters. In 2014, an estimated 60 percent of all inboxes were protected by DMARC. In just one year, we have effectively moved the needle from one phish in every 392 messages (0.25 percent) to 1 in every 965 (0.1 percent), and as reported by Symantec in their 2015 Internet Security Threat Report, this reduction, at least in part, can be attributed to the increased adoption of DMARC. While we do not yet have the upper hand, through a layered defensive strategy which includes DMARC, we will continue to take ground.