The Dutch Tax and Customs Administration had a problem: its domain names were being abused in phishing campaigns, and it had to find a way to stop it. As it turns out, the solution is all about implementing standards that already exist, to help minimize risk and improve overall email hygiene.
In a session at Black Hat USA in Las Vegas titled 'How to detect that your domains are being abused for phishing attacks using DNS', Karl Lovink, technical lead for the Dutch Tax and Customs Administration, and consultant Arnold Holzel outlined the standards and techniques they used to combat phishing.
"Our main objective was trying to find phishing campaigns as quickly as possible," Lovink said.
There is no shortage of technologies that can be used to combat phishing, but the key for Lovink was to take a path that didn't impact business operations and, more importantly, was based on existing standards.
Among the multiple standards that can help to improve overall email security is STARTTLS, a specification used to upgrade an email server connection that isn't using TLS (Transport Layer Security) to one that is. Without TLS, the connection is not encrypted and mail is sent in the clear.
STARTTLS, however, isn't the only way to get a TLS connection between email servers. There is also a specification known as DNS-Based Authentication of Named Entities (DANE), which lets the Domain Name System (DNS) supply information about TLS support for a given domain through a resource record.
Another key standard outlined by Lovink is Mail Transfer Agent Strict Transport Security (MTA-STS). He explained that MTA-STS allows a receiving domain to publish its TLS policy, helping to ensure that mail sent to it travels over a secure connection.
Looking beyond the standards that secure email delivery with TLS, there is a series of standards for enforcing the integrity and authenticity of incoming and outgoing email. Lovink explained that the Sender Policy Framework (SPF) validates whether an email was sent from an IP address or domain that is authorized to send for the sender's domain, by checking against an SPF record stored in that domain's DNS records.
For outgoing email, there is the DomainKeys Identified Mail (DKIM) standard, which digitally signs outgoing mail to prove that it came from the right domain. Lovink said that the public key used to verify DKIM signatures is also stored as a DNS record.
Tying SPF and DKIM together with an additional layer of reporting is the Domain-based Message Authentication, Reporting and Conformance (DMARC) specification. Lovink commented that DMARC gives receivers direction on how to deal with the results of SPF and DKIM checks, and gives domain owners visibility through its reports.
Both Lovink and Holzel noted that each of the standards brings some configuration complexity in some cases, but it's important for organizations to implement them to improve email security.
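As an added example (not code from the talk, the Tax Administration, or any project), the following Python check reads the DNS TXT records that SPF, DKIM, DMARC and MTA-STS rely on and flags the configuration gaps those standards are meant to close; the domain `example.test`, the DKIM selector `sel1` and all record values are constructed assumptions, and a real check would first fetch the records with a DNS resolver.

```python
# Constructed sample TXT records for a hypothetical domain, keyed by the DNS
# name each standard publishes at. No _mta-sts record is present on purpose.
SAMPLE_RECORDS = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.test ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "sel1._domainkey.example.test": "v=DKIM1; k=rsa; p=MIIBIjANBg...",
}

def _tags(txt):
    """Parse 'k=v; k=v' style records (DKIM, DMARC) into a dict."""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)

def check_spf(txt):
    """SPF: which hosts may send as the domain, and how strictly that is enforced."""
    if txt is None or not txt.startswith("v=spf1"):
        return ["SPF: no record, sending hosts cannot be validated"]
    findings = []
    last = txt.split()[-1]  # the catch-all mechanism decides unlisted hosts
    if last.lstrip("+") == "all":
        findings.append("SPF: '+all' authorizes any host to send as this domain")
    elif last == "~all":
        findings.append("SPF: '~all' only soft-fails forged mail; use '-all'")
    return findings

def check_dkim(txt):
    """DKIM: the verification public key for a known selector must be published."""
    if txt is None or not txt.startswith("v=DKIM1"):
        return ["DKIM: no key record for the selector, signatures cannot be verified"]
    return [] if _tags(txt).get("p") else ["DKIM: empty p= tag, key has been revoked"]

def check_dmarc(txt):
    """DMARC: what receivers do with SPF/DKIM failures, and who gets reports."""
    if txt is None or not txt.startswith("v=DMARC1"):
        return ["DMARC: no record, SPF/DKIM results are neither enforced nor reported"]
    tags, findings = _tags(txt), []
    if tags.get("p") == "none":
        findings.append("DMARC: p=none only monitors; forged mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not received")
    return findings

def assess(records, domain, dkim_selector):
    """Collect findings for a domain from a name -> TXT map (missing names -> None)."""
    findings = check_spf(records.get(domain))
    findings += check_dkim(records.get(f"{dkim_selector}._domainkey.{domain}"))
    findings += check_dmarc(records.get(f"_dmarc.{domain}"))
    if not records.get(f"_mta-sts.{domain}", "").startswith("v=STSv1"):
        findings.append("MTA-STS: no policy record, delivery can be downgraded from TLS")
    return findings
```

Running `assess(SAMPLE_RECORDS, "example.test", "sel1")` on the constructed records reports the soft-fail SPF, the monitor-only DMARC policy and the missing MTA-STS record, which are exactly the gaps a phisher spoofing the domain benefits from.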
"You really have to implement standards if you want to prevent phishing attacks," Lovink said. "We are convinced that if everyone implemented these standards, there will be a lot less phishing in the world."