By Dr. Edward Amoroso
Chief Executive Officer, TAG Cyber
Research Professor, NYU
The protection of email has risen gradually to the top priority for many enterprise security teams – and this should come as no big surprise. Every offensive threat actor knows that entry to a targeted network via email is always the point of least resistance. In fact, even the most advanced hackers will recommend email as a first step in any campaign, simply because it works so reliably and requires minimal offensive effort.
The types of early controls used to address email security began with the filtering of attachments for evidence of viral content, and this remains a useful and recommended safeguard. Such filtering evolved into full-featured secure email gateway (SEG) platforms that would serve as man-in-the-middle intermediaries to determine if an email should be allowed to proceed.
In these early filtering and SEG solutions, however, little was done to address the challenge of validating the reported source of an email. It has been both a strength and a weakness of email from its inception that its connectionless design allowed for any sender from any domain to send email to any recipient. Yes – there were filters, but these relied on weak metadata to make determinations as to the integrity of the originating party.
To address this weakness, a standard known as DMARC (domain-based message authentication, reporting, and conformance) was created to solidify certain aspects of the email handshake between senders and recipients. Constructed from earlier component standards known as SPF (Security Policy Framework) and DKIM (DomainKeys Identified Mail), the DMARC standard addresses the authentication shortcoming in email.
The way it works is that email sending organizations such as banks, government agencies, and other enterprise teams publish a DMARC record to the Domain Name System (DNS) that identifies the specific IP address from which valid email will originate from them. Since cryptography is involved, recipients can review the record and decide about what to do if something suspicious emerges.
Many commercial vendors including HelpSystems provide expert services that can assist enterprise customers in this regard. Our analyst team at TAG Cyber advises business and government customers to take advantage of such offers. The risk reduction is significant, and the value proposition for such offers is usually excellent. The only challenge involves making policy decisions about what to do when an inbound email looks suspicious.
In fact, to date, many organizations have drawn the incorrect conclusion that DMARC can lead to email outages. While it is true that inconsistencies emerge with some inbound email and their missing or incorrect source markings, the time and effort to clean this up, especially with a regular email partner would be well-worth reviewing carefully. In the most conservative case, DMARC can be deployed and used in an advisory mode to minimize any type of risk.
Take some time to review the HelpSystems email source authentication offering (which is, by the way, the world-class Agari solution acquired by HelpSystems recently) and we are certain that you’ll find it to be a valuable enhancement to your email security portfolio.