Bootcamp Wrap Up - DMARC
Shehzad Mirza, Director of Operations (NYC)
smirza@globalcyberalliance.org · gca-dmarc@globalcyberalliance.org
Additional Benefits of DMARC
• Inbox protection on the consumer side: consumer mailbox providers verify DMARC on inbound mail, so the protection comes from their verification of your published policy, not from any policy of their own
• Those receivers cover about 80 percent of the current total number of worldwide email accounts (source: Valimail)
• Deliverability
• Visibility: provides insight into attempts to spam, phish, or even spear-phish using your organization's brand/name
DMARC (cont'd)
• Protects against domain spoofing ([email protected])
• Create a policy for all public domains, including the ones that never send mail
Overview
(Diagram on the original slide: the numbered steps 1 to 7 of the DMARC message flow are not recoverable from this text extraction.)
DMARC DNS TXT Record
• Basic:
  Host: _dmarc
  Value: v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:<email address>;
• Complex:
  Host: _dmarc
  Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:<email address>; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=reject;
What do each of the tags mean?
Required:
• v=DMARC1 - version; must be the first tag in the record
• p= - policy for the domain: none, quarantine or reject
• rua= - address(es) for aggregate reports; RFC 7489 does not make it mandatory, but without it you receive no reports
Recommended:
• ruf= - forensic/failure reports
Consider using:
• sp= - sub-domain policy (defaults to the value of p=)
Optional tags:
• fo= - failure reporting options: when a failure report is generated (0 = only if both SPF and DKIM fail, 1 = if either fails, d = on a DKIM failure, s = on an SPF failure)
• adkim= - alignment mode for DKIM (r = relaxed, s = strict)
• aspf= - alignment mode for SPF (r = relaxed, s = strict)
• pct= - percentage of failing messages the policy is applied to
• rf= - report format (afrf)
• ri= - requested aggregate reporting interval in seconds (86400 = daily)
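The tag list above is easy to get wrong by hand (a typo in p=, a duplicate tag, a pct= over 100, an rua= that is not a mailto: URI). The following checker is an added example written for this page, not code from the slides or from GCA; the example.org addresses it is tested with are placeholders for the redacted ones on the slide.

```python
"""Parse and sanity-check a DMARC TXT record (added example, not from the slides)."""
import re

# Tags defined by RFC 7489 and the values each accepts (None = checked separately).
REQUIRED = ("v", "p")
ALLOWED = {
    "v": {"DMARC1"},
    "p": {"none", "quarantine", "reject"},
    "sp": {"none", "quarantine", "reject"},
    "adkim": {"r", "s"},
    "aspf": {"r", "s"},
    "fo": None,   # colon-separated list drawn from 0, 1, d, s
    "rf": {"afrf"},
    "pct": None,  # integer 0..100
    "ri": None,   # integer seconds
    "rua": None,  # comma-separated mailto: URIs
    "ruf": None,
}

def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; raises ValueError on malformed input."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = (s.strip() for s in part.split("=", 1))
        if k in tags:
            raise ValueError(f"duplicate tag: {k}")
        tags[k] = v
    return tags

def check_dmarc(txt: str) -> list[str]:
    """Return a list of problems and warnings; an empty list means the record looks sane."""
    problems = []
    try:
        tags = parse_dmarc(txt)
    except ValueError as e:
        return [str(e)]
    if not txt.lstrip().startswith("v=DMARC1"):
        problems.append("record must begin with v=DMARC1")
    for k in REQUIRED:
        if k not in tags:
            problems.append(f"missing required tag {k}=")
    for k, v in tags.items():
        if k not in ALLOWED:
            problems.append(f"unknown tag {k}=")
        elif ALLOWED[k] is not None and v not in ALLOWED[k]:
            problems.append(f"invalid value {k}={v}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append("pct must be an integer 0..100")
    if "ri" in tags and not tags["ri"].isdigit():
        problems.append("ri must be an integer number of seconds")
    if "fo" in tags and not set(tags["fo"].split(":")) <= {"0", "1", "d", "s"}:
        problems.append("fo accepts only 0, 1, d, s separated by ':'")
    for k in ("rua", "ruf"):
        for uri in tags.get(k, "").split(","):
            # Optional "!10m" style size limit after the address is allowed by the RFC.
            if uri and not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+(!\d+[kmg]?)?", uri):
                problems.append(f"{k} entry is not a mailto: URI: {uri}")
    # Operational warnings: the record may be valid yet still do nothing useful.
    if tags.get("p") == "none":
        problems.append("warning: p=none monitors only; move to quarantine/reject once reports are clean")
    if "rua" not in tags:
        problems.append("warning: no rua= address, you will receive no aggregate reports")
    return problems
```

Run `check_dmarc()` against the Basic and Complex records from the slide (with a real mailbox in place of the placeholder): the Basic one comes back clean, the Complex one only carries the p=none warning, which is exactly the "monitor first, then enforce" state the slides recommend starting in.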
Proper Implementation
DMARC builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM): a message passes DMARC when at least one of the two passes and aligns with the From: domain, so deploy both
• SPF is used to define which mail servers are authorized to send mail for the domain
• DKIM adds a digital signature as an additional layer to authenticate the sender and detect modification in transit
SPF
• End the record with -all (hard fail) or ~all (soft fail)
• A domain can only have one SPF record (two TXT records starting with v=spf1 produce a permerror)
• Flattening vs dynamic (instant) SPF: both are ways to stay under the lookup limit
• 10 DNS lookup limit (RFC 7208): include, a, mx, ptr, exists and redirect each cost one lookup, counted recursively through every include
• Alignment vs verification: SPF is verified against the envelope MAIL FROM domain; DMARC additionally needs that domain to align with From:
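The 10-lookup limit is the SPF problem most often found in DMARC reports (permerror on mail from a domain that has added one SaaS sender too many). The counter below walks a record the way a receiver does and is an added example for this page, not code from the slides or from GCA. It resolves against a constructed dictionary of records (example.org and the saas-*.example names are invented) instead of real DNS so that it runs offline; point it at a resolver callback of your own to use it against live zones.

```python
"""Count the DNS lookups an SPF record triggers (added example, not from the slides).

RFC 7208 caps the mechanisms that cause DNS queries (include, a, mx, ptr, exists)
plus the redirect modifier at 10 per evaluation; beyond that receivers return
permerror and SPF cannot help DMARC at all. The records below are constructed for
this example; the nesting mimics a typical 'too many SaaS senders' record.
"""

# Constructed TXT records keyed by name (stands in for a real DNS resolver).
FAKE_DNS = {
    "example.org":         "v=spf1 mx include:_spf.saas-a.example include:_spf.saas-b.example -all",
    "_spf.saas-a.example": "v=spf1 include:a1.saas-a.example include:a2.saas-a.example ~all",
    "a1.saas-a.example":   "v=spf1 ip4:192.0.2.0/24 -all",
    "a2.saas-a.example":   "v=spf1 a mx -all",
    "_spf.saas-b.example": "v=spf1 include:b1.saas-b.example include:b2.saas-b.example include:b3.saas-b.example ~all",
    "b1.saas-b.example":   "v=spf1 ip4:198.51.100.0/24 -all",
    "b2.saas-b.example":   "v=spf1 exists:%{i}.rbl.saas-b.example -all",
    "b3.saas-b.example":   "v=spf1 redirect=b4.saas-b.example",
    "b4.saas-b.example":   "v=spf1 ptr -all",
}

LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

def spf_lookups(domain: str, resolver=FAKE_DNS, _path=()) -> tuple[int, list[str]]:
    """Return (lookup count, ordered trail of the terms that caused each lookup)."""
    if domain in _path:                      # include/redirect loop: stop, as a receiver would
        return 0, [f"loop at {domain}"]
    record = resolver.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0, [f"no SPF record at {domain}"]
    count, trail = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")           # qualifiers do not change the lookup cost
        name, _, arg = term.partition(":")
        name = name.split("/")[0]            # a/24 or mx/24 still cost one lookup each
        if name == "include" or term.startswith("redirect="):
            target = arg if name == "include" else term.split("=", 1)[1]
            count += 1
            trail.append(term)
            sub_count, sub_trail = spf_lookups(target, resolver, _path + (domain,))
            count += sub_count               # the referenced record's lookups count too
            trail.extend(sub_trail)
        elif name in LOOKUP_MECHANISMS:
            count += 1
            trail.append(term)
        # ip4:, ip6:, all and modifiers such as exp= cost no lookups
    return count, trail

def spf_over_limit(domain: str, resolver=FAKE_DNS) -> bool:
    """True when evaluating the record would exceed RFC 7208's 10-lookup limit."""
    return spf_lookups(domain, resolver)[0] > 10
```

For the constructed example.org record the count is 13, with most of the cost hidden inside the two vendor includes. Flattening replaces those includes with their resolved ip4:/ip6: networks (zero lookups, but the list goes stale when the vendor changes addresses); dynamic SPF services rebuild the record per query instead. Either way, measure first: the trail returned by `spf_lookups()` shows which include is the expensive one.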
SPF Alignment
Good:
From: [email protected]
Return-Path: <[email protected]>
Received-SPF: pass (google.com: domain of [email protected] designates 2607:f8b0:4864:20::d34 as permitted sender) client-ip=2607:f8b0:4864:20::d34;

Fail:
From: [email protected]
Return-Path: <[email protected]>
Received-SPF: pass (google.com: domain of [email protected] designates 205.201.133.58 as permitted sender) client-ip=205.201.133.58;

To achieve SPF alignment, the From: header domain must match the domain used to authenticate SPF (the envelope MAIL FROM / Return-Path domain). Note that SPF itself passes in both cases; in the Fail case it passes for the sending service's Return-Path domain rather than for the From: domain, so the pass contributes nothing to DMARC.
DKIM
• Protect the private key: it belongs only on the signing hosts
• Publish the public key in DNS
• Can have more than one record (one per selector)
• Published as a CNAME or a TXT record; use a CNAME when a cloud service provider manages the key, so it can rotate the key without you editing DNS
• Alignment vs verification: the signature must verify and its d= domain must align with the From: domain
DKIM Alignment
Message header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalcyberalliance.org; s=gca; h=mime-version:references:in-reply-to:from:date:message-id:subject:to:cc;
The d= tag names the signing domain, and that is the value DMARC compares with the From: header domain. The s= tag is the selector, so receivers fetch the public key from gca._domainkey.globalcyberalliance.org.
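Both the SPF alignment slide and the DKIM alignment slide come down to the same check: does an authenticated identifier share the From: domain (strictly, or at the organizational-domain level in relaxed mode)? The evaluator below is an added example written for this page, not code from the slides or from GCA. The organizational-domain helper is an assumption made to keep the example self-contained: it keeps the last two labels plus a tiny hard-coded list of multi-label suffixes, where real receivers consult the full Public Suffix List. The bounce.esp.example domain in the usage is invented.

```python
"""Evaluate DMARC identifier alignment (added example, not from the slides).

DMARC passes when at least one authenticated identifier aligns with the
RFC5322.From domain: the SPF-checked MAIL FROM / Return-Path domain, or the d=
domain of a DKIM signature that verified. Relaxed alignment (adkim=r / aspf=r)
accepts any subdomain of the same organizational domain; strict (s) needs an
exact match.
"""
from dataclasses import dataclass, field

# Assumed short stand-in for the Public Suffix List (example only).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

def org_domain(domain: str) -> str:
    """Organizational domain: the registrable part just below the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)

@dataclass
class AuthResults:
    header_from: str                  # domain of the RFC5322.From header
    spf_result: str = "none"          # 'pass' or anything else
    spf_domain: str = ""              # MAIL FROM / Return-Path domain SPF was checked against
    dkim_sigs: list = field(default_factory=list)  # [(d= domain, verification result), ...]

def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """Return which identifiers aligned and the resulting DMARC verdict."""
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, aspf)
    # A message may carry several DKIM signatures (the sender's plus a forwarder's,
    # for instance); any one that verified and aligns is enough.
    dkim_ok = any(res == "pass" and aligned(r.header_from, d, adkim) for d, res in r.dkim_sigs)
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }

# Usage mirroring the slides: the "Fail" SPF case becomes a DMARC pass only
# because an aligned DKIM signature (d=globalcyberalliance.org) is present.
esp_mail = AuthResults("globalcyberalliance.org", "pass", "bounce.esp.example",
                       [("globalcyberalliance.org", "pass")])
print(dmarc_evaluate(esp_mail))
```

This is why the DKIM slide insists on alignment as well as verification: a third-party service that signs with its own d= domain and uses its own bounce domain verifies cleanly on both counts and still fails DMARC for your domain. Switching aspf or adkim to strict is the right call only after the reports show that every legitimate sender uses the exact From: domain.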
DNS Implementation
DMARC
• One record per domain, at the _dmarc hostname
SPF
• One record per domain
• Hostname set to @, null or blank (the zone apex)
DKIM
• Multiple records per domain
• Hostname must start with <selector>._domainkey.
Zone files on Linux (BIND style)
• Check for $ORIGIN <domain>
• TXT values require quotation marks
All DNS
• May not need the FQDN
• May not need quotation marks (depends on the provider's interface)
DMARC Reports
• DMARC generates two types of reports:
  • Aggregate (rua)
  • Forensic/failure (ruf)
• Aggregate reports are XML documents (usually zip- or gzip-compressed attachments) sent to the address of choice; several addresses can be listed. Failure reports use the ARF message format (RFC 6591), and many large receivers do not send them at all
• Number and length of reports depend on the amount of email sent
• Reports show which sending sources passed or failed authentication, i.e. which messages receivers marked as suspicious
• Allows IT staff to correct any issues with valid messages being dropped by the policy
Sample Aggregate Report
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>6156901232184779430</report_id>
    <date_range>
      <begin>1466121600</begin>
      <end>1466207999</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>globalcyberalliance.org</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2607:f8b0:4001:c0b::22f</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>globalcyberalliance.org</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>globalcyberalliance.org</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>globalcyberalliance.org</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
Aggregate Reports
What to look for
(Annotated screenshot on the original slide; its three call-outs were:)
• DKIM issues: a sender you recognize passes aligned SPF but its DKIM result fails, typically a missing or wrong selector/key for that service
• Possible spoofing: source IPs you do not recognize where neither SPF nor DKIM passes and aligns
• DKIM and SPF issues: a legitimate service whose mail fails both, usually a sender not yet added to SPF and not yet signing with your domain
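The sample report and the three call-outs above are what a practitioner has to pull out of hundreds of XML attachments. The parser below does that for one report and is an added example written for this page, not code from the slides, from GCA or from any of the tools listed later. It embeds the slide's sample report with a placeholder for the redacted reporter address, plus two constructed extra <record> elements (the 203.0.113.10 and 198.51.100.77 sources and the bogus-sender.example domain are invented) so that each call-out category appears once; the classification rules are this example's own.

```python
"""Parse a DMARC aggregate (rua) report and classify each source (added example).

The XML is the slide's sample report plus two constructed records: an ESP-style
source that passes SPF but whose DKIM fails, and an unknown source that fails
both (the pattern to treat as possible spoofing).
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>dmarc-reports@example.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>6156901232184779430</report_id>
    <date_range><begin>1466121600</begin><end>1466207999</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>globalcyberalliance.org</domain>
    <adkim>r</adkim><aspf>r</aspf><p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>2607:f8b0:4001:c0b::22f</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>globalcyberalliance.org</header_from></identifiers>
    <auth_results><dkim><domain>globalcyberalliance.org</domain><result>pass</result></dkim>
      <spf><domain>globalcyberalliance.org</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- constructed: newsletter service, SPF aligned, DKIM signed with a key not in DNS -->
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>globalcyberalliance.org</header_from></identifiers>
    <auth_results><dkim><domain>globalcyberalliance.org</domain><result>fail</result></dkim>
      <spf><domain>globalcyberalliance.org</domain><result>pass</result></spf></auth_results>
  </record>
  <!-- constructed: unknown host, nothing aligns; quarantined by the published policy -->
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>13</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>globalcyberalliance.org</header_from></identifiers>
    <auth_results><spf><domain>bogus-sender.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

def classify(dkim: str, spf: str) -> str:
    """Map the DMARC-evaluated (aligned) DKIM/SPF results to a triage category."""
    if dkim == "pass" and spf == "pass":
        return "ok"
    if dkim == "pass" or spf == "pass":
        return "dkim issue" if dkim != "pass" else "spf issue"   # still a DMARC pass, but fragile
    return "possible spoofing"

def parse_report(xml_text: str) -> list[dict]:
    """One dict per <record>: source, volume, disposition and triage category."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    out = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        out.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": pe.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "category": classify(pe.findtext("dkim"), pe.findtext("spf")),
        })
    return out

def summarize(xml_text: str) -> dict:
    """Message volume per category: the first thing to look at in a pile of reports."""
    totals = Counter()
    for r in parse_report(xml_text):
        totals[r["category"]] += r["count"]
    return dict(totals)
```

Two things the summary makes visible that the raw XML hides: the `<policy_evaluated>` results are the aligned ones (they already account for adkim/aspf), so a `<dkim>fail</dkim>` there next to a `<result>pass</result>` under `<auth_results>` means the signature verified for some other d= domain; and the `<disposition>` tells you what the receiver actually did, so a run of quarantine dispositions for a source you own is the "valid messages being dropped" case the reports exist to catch.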
DMARC Service Providers
"Free" options
• UK National Cyber Security Centre Mail Check - https://github.com/ukncsc/mail-check
• St. Louis County ElasticMARC - https://github.com/wwalker0307/ElasticMARC
• Valimail Monitor
• GitHub DMARC parsers (search "dmarc parse")
XML to human-readable converters (best if a small number of reports is received)
• Dmarcian - XML uploader
DMARC analyzers (limited capabilities)
• Postmark - https://dmarc.postmarkapp.com/
• MXToolbox - https://mxtoolbox.com/dmarcsetup
Third-party tools
• LinkedIn Lafayette - https://github.com/linkedin/lafayette/
• SendGrid DMARC Parser - https://github.com/thinkingserious/sendgrid-python-dmarc-parser
• Yahoo's DMARC Report Processor - https://github.com/prbinu/dmarc-report-processor
• Additional resources are available on DMARC.org's Code and Libraries page
What Next?
• Review reports
• Adjust SPF and DKIM as needed
• Apply p=reject to all public domains not used for email
• Move to quarantine/reject
• Continue to review reports
• Adjust SPF and DKIM as needed when new mail services are added
• Consider using additional email authentication mechanisms
• GCA domain take down project - [email protected]
(Slide image; source: https://medium.com/@ykhan30/an-easy-win-for-email-security-2b84ac2a22da)
ARC
• Authenticated Received Chain (RFC 8617)
• "preserves email authentication results across subsequent intermediaries ("hops") that may modify the message" - http://arc-spec.org
• Used on mail forwarders or mailing list servers, which otherwise break SPF (new envelope sender) and often DKIM (modified subject or body)
• Tools: OpenARC (https://github.com/trusteddomainproject/OpenARC/releases)
BIMI
• Brand Indicators for Message Identification
• Requires a DMARC policy of reject or quarantine (an enforcing policy, not p=none)
• DNS TXT record
  hostname: default._bimi
  value: "v=BIMI1; l=<location of image file>;"
• Image file must be an SVG file
• Reference:
  • http://bimigroup.org/
  • https://bimi.agari.com/
Other Email Authentication
• DANE (RFC 6698) - DNS-Based Authentication of Named Entities; requires DNSSEC
• MTA-STS (RFC 8461) - requires a valid TLS certificate on the MX hosts and a policy file served over HTTPS
• TLS-RPT (RFC 8460) - reports on failed TLS connections to your MX, the transport-security counterpart of DMARC's rua reports
Final Items
• Survey
• Certification of Completion
Resources
• DMARC.org (http://www.dmarc.org) - great source for DMARC information
• GCA DMARC - https://dmarc.globalcyberalliance.org (the webinar is available on this site)
• GCA YouTube channel: the webinar and videos for the GCA DMARC Setup Guide
• Community Forum - https://community.globalcyberalliance.org
• Bootcamp resource page - https://dmarc.globalcyberalliance.org/dmarc-bootcamp/
GCA Projects
• Cyber Security Toolkit (gcatoolkit.org)
• AIDE (gcaaide.org)
Q & A