CISO Tradecraft

CISO Tradecraft header image 1
February 19, 2021  

CISO Tradecraft: Global War on Email

February 19, 2021

If you use email, this episode is for you.  Attackers leverage email for ransomware, Business Email Compromise (BEC), account takeover, and other threats that can be reduced with effective technical controls (as well as user education.)

These three tools all involve placing simple entries in your DNS records.  To work effectively, the recipient also needs to be checking entries.  They are:

  • SPF = sender policy framework; designates only mail from designated IP address(es) or mail server(s) are valid.  For example:  v=spf1 include:spf.protection.outlook.com 
  • DKIM = domain keys identified mail; advertises a public key that can be used to validate all mail sent was signed with corresponding private key.  For example:  v=DKIM1\; k=rsa\; 0123456789ABCDEF…
  • DMARC = domain-based message authentication, reporting, and conformance; establishes policy of what recipient should do when message fails an SPF or DKIM check.  For example:  v=DMARC1; p='quarantine'

Check your settings at Dmarcian

Implementing these protections require a small amount of work but can yield outsized benefits.  In addition to allowing recipients of your mail to validate SPF, DKIM, and DMARC, ensure your incoming mail is checked for conformance as well, labeling, quarantining, or rejecting any that fail.

Lastly, blocking top-level domains (TLDs) with which you do not do business can significantly improve your security by short-circuiting many ransomware, command-and-control, and malware URLs that will be unable to resolve through your DNS.  Get the latest list from IANA

Great Background Reading from Australian Signals Directorate Link