TRANSCRIPT
1 © 2018 Proofpoint, Inc.
Thinking Differently: Protecting the Public, Employees, Educators and the Supply Chain Through DMARC Enforcement
Denis Ryan
Sr. Dir., Field Sales – Email Fraud
Highly Targeted
Payload Free
Socially Manipulative
Prey upon basic human emotion: fear (of being incompetent)
“Email is vulnerable to identity deception”
▪ Anyone can pretend to be anyone
▪ Think of the “from” field being entirely editable
▪ Even the SMTP protocol itself states that email is inherently vulnerable to identity deception
▪ “There is nothing to stop me sending an email to anyone pretending to be Donald Trump at the White House dot gov.”
▪ https://www.globalcyberalliance.org/white-house-e-mail-domains-lack-basic-phishing-spoofing-security.html
Email Fraud Affects The Great…
And The Lowly
Border Control: Identity & Security Screening
DMARC Secures Legitimate Domains
“We’re rapidly moving toward a world where all email is authenticated... If your domain doesn’t protect itself with DMARC, you will be increasingly likely to see your messages sent directly to a spam folder or even rejected.”
John Rae-Grant, Product Manager
“Setting a DMARC policy of “reject” provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery. Additionally, DMARC reports provide a mechanism for an agency to be made aware of the source of an apparent forgery, information that they wouldn’t normally receive otherwise.”
Department of Homeland Security, Binding Operational Directive 18-01
Definitions
▪ Email fraud:
  ▪ Criminal use of identity deception and…
  ▪ Social engineering tactics over email to…
  ▪ Dupe a target into giving up money, data, information or access
▪ Email fraud targets:
  ▪ Employees/Educators
  ▪ Supply Chain
  ▪ Public
▪ Business Email Compromise (aka CEO impersonation, whaling, etc.):
  ▪ B2B flavor of email fraud
  ▪ Originally synonymous with “wire transfer fraud”
Independent survey of 2,250 businesses
75 percent of organizations experienced at least one targeted email fraud attack
> 77 percent of businesses expect they will fall victim to email fraud in next 12 months
How Are Businesses Affected By Email Fraud?
Who Is Most At Risk?
How Are Companies Protecting Themselves?
Under Attack, Vertical Analysis
Email fraud: STOP ATTACKERS’ KEY TACTICS
Domain spoofing
Look alike domain
Display name spoofing
Other brand impersonation
Domain Monitoring
Email Authentication
Email Gateway: Policy and ML Classifier
Brand impersonation email threat data
yourcompany.com
y0urc0rnpany.com
John Smith <[email protected]>
Internal Threats
External Threats
Email Authentication
Domain Monitoring
Multiple Stakeholders Targeted
EMPLOYEES: Business email compromise or BEC
CONSUMERS: Consumer phishing
PARTNERS: Supply chain spoofing
92% OF COMPANIES WERE TARGETED BY AT LEAST 1 ATTACK IN Q1 2018
DOMAIN SPOOFING: yourcompany.com
DISPLAY NAME SPOOFING: <John Smith>
LOOK-ALIKE DOMAIN: y0urc0rnpany.com
[Bar chart: % of customers targeted by BEC tactic; bar values 92%, 15%, 63%]
“We need to retrofit security to email”
▪ Solution must address the 360-degree nature of the problem
▪ Multiple targets (your employees, business partners and public)
▪ Multiple tactics
▪ Government increasingly determined that all companies must do this
▪ DHS Binding Operational Directive 18-01 mandates it for all civilian agencies
▪ The average wire transfer fraud loss is $130,000
▪ Given that companies of all sizes across all verticals are targeted, we’d like to help you understand and ultimately reduce your exposure
Controls Against All Tactics
Domain Spoofing, Look Alike Domain, Display Name Spoofing
Domain Monitoring
Email Authentication
Machine Learning Classifier, Policy
yourcompany.com, y0urc0rnpany.com, <John Smith>
DMARC
Domain Discovery
Impostor Classifier & EBD
EFD360
“We authenticate everything…”
Access point Authenticated?
Network Access
Applications
Endpoints
Financial Transactions
Physical Access
…Except Email
We Make it Easy
MANAGED SERVICE
Deployment Methodology
IDENTIFY: Detect use and abuse of identities (domains, brands & people)
POLICY: Build policies and eliminate risk of false positives (blocking good)
ENFORCE: Enforce policies across public and private channels
MANAGE: Continue to curate policies for on-going efficacy
Policy Enforcement: Eliminate Fraudsters in Weeks
Summary
▪ Email Fraud is a big, growing and costly problem
▪ Email Fraud is multi-faceted:
  ▪ Multiple assets at stake
  ▪ Multiple stakeholders targeted
  ▪ Multiple tactics employed
▪ Proofpoint’s EFD360 is the only solution that addresses the whole problem
Appendix
EFD can protect your employees from trusted-domain spoofing through DMARC policy enforcement
Domains w/ DMARC blocking policies were used that you could be enforcing
Domains w/ DMARC ‘monitor’ policies were used that will eventually graduate to blocking policies
Example of inbound domains sent to your employees…
Why Automation Fails: Partner Limitations
Third Party Authentication Challenges
Tenant ID configuration, SPF include management, reporting
False positives from calendar invites (SPF misalignment)
Cannot sign DKIM, cannot report
Bounce management reporting Mfrom issue
Laborious process to get authentication correct
Double signing leading to intermittent DKIM failure, Mfrom issues
Deliberate SPF misconfiguration, do not understand authentication
30-40% DKIM failure rate
Double DKIM signing leading to intermittent DKIM pass rate
How DMARC Works
▪ Email received by recipients’ ISP/SEG
▪ Has DMARC been implemented for the “header from” domain?
  ▪ NO: ISP/SEG filters & delivers appropriately
  ▪ YES: Does email pass DMARC authentication?
    ▪ YES: Deliver
    ▪ NO: Apply policy (NONE: Deliver, Report; QUARANTINE: Send to Junk; REJECT: Delete)
▪ ISP/SEG then send regular reports to the DMARC recipient detailing what email authenticated, what email did not, and why.
DMARC Control & Visibility
DMARC Policy Settings:
▪ NONE: Entire email ecosystem is monitored to map out legitimate traffic.
▪ QUARANTINE: Messages that fail DMARC move to the spam folder.
▪ REJECT: Messages that fail DMARC do not get delivered at all.
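The decision flow on the “How DMARC Works” slide, written out as an added example (not code from the slides or from Proofpoint). The function names, the sample records and the sample messages are constructed for illustration; the sketch ignores the `pct` and `sp` tags and approximates the organizational domain with the last two labels.

```python
def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in parts if "=" in p)}

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain;
    # production code derives it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact domain match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def dmarc_disposition(from_domain, record, spf, dkim):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain)."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "no-policy"  # ISP/SEG filters and delivers as it normally would
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return "deliver"
    actions = {"none": "deliver-and-report", "quarantine": "junk", "reject": "reject"}
    return actions.get(tags.get("p", "none").lower(), "deliver-and-report")

# Constructed sample data (not taken from the slides).
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com"
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com"
CASES = {
    # Header From spoofed; SPF passes only for the sender's own bounce domain.
    "spoofed_from": ("yourcompany.com", REJECT, ("pass", "mail.other.example"), []),
    # Third-party sender: SPF misaligned, but DKIM signs as yourcompany.com.
    "vendor_dkim": ("yourcompany.com", REJECT, ("pass", "bounce.vendor.example"),
                    [("pass", "yourcompany.com")]),
    # Same vendor with a failing DKIM signature while the policy is still NONE.
    "vendor_broken": ("yourcompany.com", MONITOR, ("pass", "bounce.vendor.example"),
                      [("fail", "yourcompany.com")]),
    # Look-alike domain with no DMARC record: DMARC has nothing to enforce.
    "look_alike": ("y0urc0rnpany.com", None, ("pass", "y0urc0rnpany.com"), []),
}

def run_cases():
    return {name: dmarc_disposition(*args) for name, args in CASES.items()}
```

The `look_alike` case returns `no-policy`, which is why the deck pairs email authentication with domain monitoring rather than relying on DMARC alone.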