E-mail security protection experience summary

I. Mail is the primary breach of cyber attacks

E-mail security protection experience summary. As the main communication tool of the enterprise (especially the traditional and large enterprises), the mail is increasingly critical. At the same time, security issues are increasingly prominent. Due to the lack of authentication and security authentication mechanisms, e-mail protocols are inherently anti-tracing and cost-effective. Mail has become the main approach to telecom fraud and ransomware attacks. At present, the public generally believes that email security is phishing. In fact, the field of email security is very wide. This article is based on the knowledge of work and shares with you in many dimensions.

First introduce four kinds of mail counterfeit technology

a. Counterfeit Sender Alias ​​- Difficulty Index *

By using the alias field attribute of the email account, the public account (such as Gmail) is used to fake another's account. Such fake email accounts for the highest proportion, and because the actual sender's address exists, interactive fraud can be performed.

Example

From: Steve Jobs <sjobs@banana.com> (not sjobs@apple.com)

b. Counterfeit Senders - Difficulty Index **

Authentication defects using the mail protocol (the actual enhanced security protocol already exists, but penetration is not high), sending the victim an e-mail using the real sender address and alias. Advantage is that the victim has no resistance, all genuine, genuine, genuine; flaw is the attacker can not receive the victim's e-mail response, the need to combine malicious links or attachments to achieve the purpose of attack.

Example

From: Steve Jobs <sjobs@apple.com> (Build or rent a malicious mail server)

c. Similar Domain Name Counterfeit - Difficulty Index **

Cybersquatting similar domain names, such as app1e (not L, is the number 1), and then you can follow the routine operation.

The disadvantage is that registering a domain name, configuring a mail service and so on is too much of a hassle, and can easily leave traces of crime; and large companies have a brand monitoring service. Similar domains have been registered or monitored (domain name registrars have this service).

Example

From: Steve Jobs <sjobs@app1e.com>

d. Counterfeit respondents - degree of difficulty ****

Using the Reply to field in the header of the email, combined with the counterfeit real sender attack, the real sender address is maliciously sent from the Internet, and the victim email reply arrives at the Gmail mailbox.

Example

From: Steve Jobs <sjobs@apple.com> (Build or rent a malicious mail server)

Reply To: hacker@gmail.com (This field is hidden from the mail client, but can be modified via text or custom software)

Based on the type of attack can be summarized into three categories

1. Ransomware attack

Seventy-one percent of the world's businesses are attacked by ransomware, of which 70% choose to pay ransom. E-mail is the most common form of delivery, accounting for 59% of all attacks, followed by websites, social media and infected storage, either for webcasting or targeted attacks. Common commercial fraud topics include invoicing, shipping information, overdue accounts and more.

RAAS (Ransomware as a Service) is already very mature, you can wait to receive money by registering a bitcoin account (refer to the popular pay Q & A platform: as long as the script is good enough, the user base is positioned accurately, not lose money).

2016 was the first year of ransomware, with 3.8 million + malicious samples found in the third quarter. Chinese companies have also become victims of ransomware, while RAAS has become another weapon in the malicious competition in the industry (well known as DDoS) - the wretchedness of ransomware moves, and the consequences can be imagined!

Business Mail Fraud (BEC) BEC - Business Email Compromise.

Business Mail Scam, also known as the boss scam, is exactly the same as 'I am your leader' phone scam (there are QQ group, vest leader in WeChat group).

a. overseas business rules based on the signature of the contract, e-transfer (such as corporate credit cards, checks), so the e-mail fraud is the most pure routines, the process will not repeat them.

b. China's business rules are based on stamped contracts and paper invoices. It is deduced from the rules of the game that China is immune to mail scams. However, China's mail scams are very Chinese-style: the habit of leading is the result of case frequency Hair, the leadership requires financial employees to operate irregularities on the transfer (ignore authentication and process approval).

This type of email attack is usually exempt from security team, not a narrow category of information security!

3. Counterfeit enterprise mail

In the name of the enterprise to send phishing emails, especially counterfeit e-commerce businesses (Taobao, Jingdong, Amazon, etc.), public utilities (Gongxufa, 12306, etc.) to send phishing email is extremely harmful. Such attacks do not have a direct impact on the business, but indirectly affect the company's reputation.

II. Email Security Policy

The protective measures in this section are tactical passive response, in fact, IETF has released the e-mail security protocol, enterprises can start from the architecture design to protect e-mail.

Allow me to routine -NIST framework: identification, protection, monitoring, response, recovery.

1. Identify the risk

Asset Identification - At the core of email security is account and email content, and strategies can be used to reduce the exposure of assets.

A tip is the alias (alias, equivalent to multiple mail addresses for an inbox instance), Gmail mailboxes by default support alias settings, and commercial mailbox schemes and ISP's mailbox policies also allow aliases. E-mail address as a business contact belongs to the public information, business alias can effectively protect the mail account, increase access to the complexity of the account and password.

Exposed mail content can implement the enterprise document encryption scheme (MS RMS, Adobe RM, etc.), to ensure that the confidential documents will not be unauthorized access to the mail account after the leak.

2. Protection of mail

a. Mail Gateway - Spam, virus attachment

Very mature protective measures, commercial coverage of the general coverage will not go into details, only lists the key reference point

Anti-virus engine - there will be additional features between different vendors (some manufacturers built more than one anti-virus engine), how many enabled?

Protection Policy Level - The gateway configuration includes multiple levels of protection. Administrators usually enable only medium- or low-level protection policies for rapid deployment, resulting in the inefficiencies of mail gateways.

In-line or by-pass - As the threat of mail increases, some organizations begin to deploy multi-tiered mail gateways. How to balance latency and efficiency?

b. Account protection

Dynamic verification code - Refer to 12306 god the same picture verification code, the difficulty of cracking the password rocket increase (personally recognized google robot recognition technology)

MFA two factors - the foreign Google authenticator, Duo is a good program; drawer bank Udon, password card, business allotments OTP token, are all sweeping the door before the snow solution; very much looking forward to The popularity of the domestic MFA two-factor authentication platform (sorry onion died).

c. Terminal Computer - Mail is the attack channel, the target is the terminal computer or account.

Phishing emails, whether the malware successfully infected the computer after being delivered by mail, and successfully executed.

Antivirus software coverage determines the short-term protection of the terminal computer (installation rate, exposure rates need to manage and technology two-way force).

Whether there is a software lock-in system loophole similar to host IDS (ransomware calls operating system encryption interface, restricting interface calls can effectively reduce ransomware execution)

d. Network Protection - Agent or Firewall

Through the feature library automatically block phishing email link or script download, at the same time in the response phase manually block the URL;

At the same time need to pay attention to the network layer malware outside the chain of alarms, you can usually find some clues;

3. Monitor attacks

a. Good daily operation and maintenance is the best monitoring

Whether the number of anomalies in the number of incoming and outgoing mail is detected or not, whether or not the reason is investigated;

How many clicks on phishing emails are you submitting? Are these usernames resetting your password?

b. borrowing tools to arm yourself

Mail header analysis: mail header analyzer (reference search engine, advertisement free)

Monitor company mail transmitted over the Internet: DMARC Data Platform (Refer to Ⅲ E-mail Security Protocol)

4. Respond to the incident

a. Have the ability to monitor is a precondition, domestic enterprises still stay in the user reporting stage;

b. Passive will be beaten, it is recommended to monitor the Exchange Log from the beginning, set the subject keyword filtering, matching intelligence malicious IP, sender real-time alarm

c. Test the safety team's equipment operating authority and emergency proficiency (high-frequency mail security attacks, the need for semi-automated and process-oriented)

Mail header analysis, analysis of the success rate of fishing (combined with network layer URL access log)

Network layer blocking URL, update antivirus software signature library

5. Resume business

Depends on the enterprise mail infrastructure and file backup strategy

III. Email Security Protocol

Driven by commercial interests, major vendors are recommending mail gateway devices; the optimization of email security protocol configurations is rarely mentioned, and the real world is always upside down.

In view of the lack of security of SMTP traditional mail, Brick House has developed five prescriptions: SPF, DKIM, rDNS, DMARC, Sender ID.

Talking about DMARC today (for more information refer to https://dmarc.org/)

What is DMARC?

DMARC "Domain-based Message Authentication, Reporting & Conformance," mail authentication protocols, federated SPF and DKIM protocols with feedback and step-by-step mechanisms.

The DMARC protocol requires the mail recipient server to send a mail header (with the PII information removed) back to the sender's company so that you can view your domain's mailings over the Internet, from the perspective of God, including corporate mail, shadow mail, Fake mail.

What does it mean for security personnel?

a. A few lines of txt scripts configured on the DNS server.

b. Set up a log server to receive recipient server feedback data (or purchase cloud services) over the Internet.

How does DMARC?

a. Enterprise email management perspective

Publish corporate DMARC policies through a DNS server, such as whether you tell third-party mail servers whether to isolate or discard messages that are not in line with SPF, DKIM configuration;

Publish the mailbox address of the third-party enterprise email feedback email status through the DNS server;

Based on DMARC status feedback from third-party enterprise mailboxes, get information for all domain emails

The DMARC feedback email status includes: email services you manage, shadow emails (such as marketing email campaigns purchased by marketing) and emails that are fraudulently fraudulent on the company's behalf.

b. Recipient perspective

Based on DMARC policies (SPF, DKIM, DMARC) released by third-party senders' domain DNS servers externally, it determines whether the received emails are secure and adopts isolation, discarding and the like.

At the same time, regardless of the final judgment of the security status of the third-party mail, you need to send the header information of the mail (except PII information) to the email address specified by the recipient.