Date posted: 27-Jul-2016
Why our mail system is exposed to Spoof and Phishing mail attacks | Part 5#9
Written by Eyal Doron | o365info.com | Copyright © 2012-2016
Let’s start with a statement about a strange phenomenon: Spoof mail attacks and Phishing mail attacks are well-known attacks, and they are a popular choice among the “hostile elements.”
Most existing organizations do not have effective defense mechanisms against these attacks, and there is a high chance that, at some point, your organization will experience the bitter taste of a Spoofing or Phishing attack!
In other words, most organizations are exposed to Spoof and Phishing mail attacks, and it’s only a matter of “when.”
Dealing with Spoof and Phishing mail attacks | Article Series - Table of contents
So the most obvious questions could be:
1. Is this statement correct?
2. And if it is correct, how can it be that no one pays attention to this problem and acts accordingly?
In the current article, I would like to give you some “food for thought” regarding this strange phenomenon, in which we prefer to ignore the danger of Spoof mail attacks and Phishing mail attacks, close our eyes, and continue to declare that “we are doing our best to protect our mail infrastructure!”
The Common Misconception That Causes Us To Ignore The Threat Of Spoof Mail Attack And Phishing Mail Attacks
1. It will not happen to me.
From time to time we read a story about a company that was attacked by Phishing mail, a sad story such as the one about the CEO who was lured into transferring a large amount of money to the attacker’s bank account, but we don’t really believe that it will happen to us.
My answer is that it’s not a matter of “if” but only a matter of “when.”
The chances are that your organization will experience Spoof E-mail attacks and Phishing mail attacks at some point.
2. Too much on my mind
Every average IT team member or IT manager experiences the feeling of “too much on my mind.” Every day “invites” new challenges and new crises.
“I know that the subject of Spoof mail attacks and Phishing mail attacks is important, but I have more critical issues that I need to take care of at the moment.”
The little secret is that you will probably never have the required time!
If you do not find the required time, the next Spoof mail attack or Phishing mail attack will find you unprepared, and the result can be very serious!
Only when you acknowledge the importance of this risk will you “make the time.”
3. My organization is well protected from Spoof mail and Phishing mail attacks.
All of us have a strong need to believe that someone is watching over us and will protect us when needed.
This is a very basic human need.
When it comes to the risk of Spoof E-mail attacks and Phishing mail attacks, most of the time we prefer not to be realistic.
Instead, we prefer to cling to the general thought that “they” (my IT, my mail provider and so on) are doing what they know how to do, and that “they” are doing whatever it takes to protect our organization from Spoof E-mail attacks and Phishing mail attacks.
The reality is much more complicated!
Most of the time, “IT” does not include a professional who specializes in mail security, who knows the unique threats that relate to a modern mail infrastructure, the specific characteristics of Spoof mail attacks and Phishing mail attacks, the available solutions, and so on.
Hosted mail infrastructure such as Office 365 (Exchange Online) | My mail infrastructure is automatically protected!
In a scenario in which your mail infrastructure is hosted at an “external mail provider” such as Office 365 (Exchange Online), this incorrect assumption manifests most strongly.
Most mail providers, Office 365 included, have all the required tools and infrastructure for dealing with and preventing Spoof E-mail attacks and Phishing mail attacks.
The “little thing” that we are not aware of is the simple fact that these “defense mechanisms” are not enforced by default. Instead, they are just sitting there waiting for us to use them!
The main reason that these defense mechanisms are not enforced automatically is that they can accidentally intercept legitimate E-mail (a false positive).
The important thing that most of us are not aware of is that the responsibility for using the existing defense mechanisms is ours!
For example, regarding Spoof mail attacks, Exchange Online supports three mail standards that implement sender verification (SPF, DKIM and DMARC) and, in addition, supports the option of creating an Exchange transport rule that will identify Spoof mail events.
Knowing the specific characteristics of each of these sender verification standards, the configuration settings each standard requires, and how to tune them to suit our specific organizational needs is our responsibility!
What Is The Weakness That The Hostile Element Exploits When Using Spoof Mail Attack And Phishing Mail Attacks?
The base for Spoof mail attacks and Phishing mail attacks relies on two major weaknesses:
1. The SMTP protocol weakness
2. The Human factor weakness
Spoof E-mail attack and SMTP as an innocent protocol
When we hear about or experience a Spoof E-mail attack, the first question that comes to mind could be:
Q1: Why don’t mail servers know how to protect themselves from Spoof E-mail attacks and Phishing mail attacks?
A1: The simple answer is that the “creators” of the SMTP protocol did not address the issue of “mail security” and instead concentrated on creating a mail protocol that would deliver an E-mail message from point A to point B effectively and reliably.
The issue of “mail security” was neglected because at that time the SMTP protocol was not yet popular, and its use was not so common.
In a standard mail communication that involves two parties, the SMTP protocol is based on the concept that the destination mail server (side B) “believes” the identity (E-mail address) that the sender (side A) provides, both the envelope sender announced in the MAIL FROM command and the From header inside the message.
The sender (side A) does not need to prove his identity!
Phishing mail attacks and us as human beings
Regarding Phishing mail attacks, the base for this attack is the ability to exploit the “thing” that makes us “human.”
Q1: Why is it so hard to deal with Phishing mail attacks? Or, why do so many people fall prey to Phishing mail attacks?
A1:
The standard Phishing mail attack is based on two “parts” that exploit human character:
The Phishing mail attack starts with the “trust part,” in which the hostile element uses the E-mail address of someone we trust, or an E-mail address that makes the message look as if it was sent from a respectable and trusted source.
The “sender trust part” relies on the “innocence” of the SMTP protocol, which does not include a built-in mechanism for verifying the identity of the “other side.”
The second part of the Phishing mail attack is based on the “content” that appears in the E-mail message.
As in the famous Michael Jackson song “Human Nature,” the hostile element that executes the Phishing mail attack is aware of the different “human buttons” that can be pushed and manipulated.
The Phishing mail content is designed to appeal to a common human trait such as pity, fear, greed, curiosity and so on.
The attacker addresses one of these “human failings” to manipulate the victim into “doing something,” such as opening a specific file (malware) or clicking a specific link in the Phishing mail that leads the victim to a Phishing website.
The Awakening Of Our Awareness Of The Problem Of Spoof Mail Attack And Phishing Mail Attacks | Additional Obstacles
Let’s assume that you agree that Spoof mail attacks and Phishing mail attacks constitute a great risk to your organization, and that you are willing to make the effort and take this threat seriously.
In this section, I would like to review additional obstacles that may appear along the way.
To be able to start handling the Spoof mail attack and Phishing mail attack threat, you will need to overcome these obstacles.
1. The fear of doing something that will harm the organization’s mail flow
Let’s talk about the most prominent obstacle: the fear of a scenario in which the solution we implement damages the normal mail flow.
This is the scenario of a false positive, in which a legitimate E-mail sent to our users is mistakenly identified as Spoof E-mail or Phishing mail and, for this reason, is “blocked” or deleted by the specific Spoof E-mail protection mechanism that we use.
When implementing a security mechanism that deals with Spoof E-mail, we face two problematic scenarios:
Incoming mail
In a standard mail flow, we welcome every E-mail message sent to one of our users, as long as the destination recipient exists. In other words, we don’t care about the element that originates the E-mail message (the sender); the mail server that represents our organization is only responsible for verifying the information about the destination recipient (that it hosts the mailbox of the destination recipient).
When we implement a defense mechanism that should protect us from Spoof mail attacks, we can compare it to placing a “guard” at the entrance to our base (our mail infrastructure).
Instead of a scenario in which every guest is welcome to enter our perimeter, when we enforce sender verification we implement a process in which we try to verify the identity of each entity that wants to “enter our base.”
When we use this additional layer of security, there is a reasonable chance that we will experience a false positive.
In this scenario, some of our “legitimate guests” will not be allowed to enter our base and will be rejected, because they do not have the required proof of their identity or because of a technical problem with that proof (their E-mail message will be rejected).
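To make the “innocent protocol” and the “guard” picture concrete, here is an added example (not code from the original article or from any mail product): a toy SMTP receiver in Python that enforces exactly what a plain SMTP server enforces and nothing more. The domain, the hosted mailboxes and the session transcript are constructed for the illustration. Whatever the connecting host announces in MAIL FROM is accepted without any check; the only thing the server refuses is a recipient it does not host.

```python
"""Toy SMTP receiver (added example, not from the original article).

It enforces exactly what a plain SMTP server enforces and nothing more: every
MAIL FROM is accepted unverified, and only RCPT TO is checked against the
mailboxes this server hosts. Domain names, mailboxes and the session transcript
are constructed for the illustration.
"""

# Hypothetical receiving server for the domain victim.example.
LOCAL_MAILBOXES = {"cfo@victim.example", "alice@victim.example"}


def _address(arg: str) -> str:
    """Extract the bare address from 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>'."""
    return arg.split(":", 1)[1].strip().strip("<>").lower()


def run_session(client_lines: list[str]) -> list[str]:
    """Feed a client's command lines to the receiver and return the server replies.

    The state machine follows RFC 5321 command ordering (EHLO, MAIL, RCPT, DATA,
    QUIT) but performs no sender verification: whatever follows MAIL FROM is
    accepted, and the headers inside DATA (including From:) pass through unchecked.
    """
    replies = ["220 mx.victim.example ESMTP ready"]
    state = "start"
    in_data = False
    for line in client_lines:
        if in_data:
            if line == ".":  # end of message: accept it and reset the transaction
                replies.append("250 2.0.0 queued")
                in_data = False
                state = "greeted"
            continue
        verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mx.victim.example")
            state = "greeted"
        elif verb == "MAIL" and state == "greeted":
            # The only "check" is syntactic; the claimed sender is taken on trust.
            replies.append(f"250 2.1.0 sender <{_address(line)}> ok")
            state = "mail"
        elif verb == "RCPT" and state in ("mail", "rcpt"):
            rcpt = _address(line)
            if rcpt in LOCAL_MAILBOXES:
                replies.append(f"250 2.1.5 recipient <{rcpt}> ok")
                state = "rcpt"
            else:
                replies.append(f"550 5.1.1 <{rcpt}>: user unknown")
        elif verb == "DATA" and state == "rcpt":
            replies.append("354 end data with <CR><LF>.<CR><LF>")
            in_data = True
        elif verb == "QUIT":
            replies.append("221 2.0.0 bye")
        else:
            replies.append("503 5.5.1 bad sequence of commands")
    return replies


# Constructed session: a host the attacker controls announces the victim's own CEO
# as the sender. The server accepts it; the only refusal is for a mailbox it does not host.
SPOOFED_SESSION = [
    "EHLO mail.attacker-controlled.example",
    "MAIL FROM:<ceo@victim.example>",
    "RCPT TO:<bob@victim.example>",  # not hosted here: refused
    "RCPT TO:<cfo@victim.example>",  # hosted here: accepted
    "DATA",
    'From: "CEO" <ceo@victim.example>',
    "To: cfo@victim.example",
    "Subject: Urgent wire transfer",
    "",
    "Please transfer the funds today.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for reply in run_session(SPOOFED_SESSION):
        print("S:", reply)
```

Running the constructed session shows the point of this section: the MAIL FROM of the victim’s own CEO gets a 250, the unknown recipient gets a 550, and the message is queued. A sender verification standard is the “guard” that has to be added on top of this behaviour; the protocol itself supplies none.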
Outgoing mail
The other aspect of implementing a sender verification mechanism is the ability to “stamp” the legitimate E-mail messages sent by our legitimate users, so that the “other side” will be able to verify our identity and to differentiate our legitimate senders from E-mail messages sent by hostile elements that spoof our organizational identity.
The problem of “false positives” also applies to the outgoing mail flow, meaning E-mail messages sent by our users to external recipients.
In a complex mail infrastructure, “stamping” every E-mail message sent from our mail infrastructure fully and “properly” is quite a challenging task!
If we do not manage to correctly “stamp” each E-mail message that uses our organizational identity (an E-mail message in which the sender uses our domain name), a legitimate E-mail message sent by our users may be rejected by the “other” mail infrastructure.
2. Fear of hurting business activity
Every implementation of a security mechanism will probably cause some disruption to business activity, at least in the first phase of adoption.
The fear of this anticipated disruption leads us to the attitude of “don’t rock the boat!” or, alternatively, “if no one has complained until now, I guess everything is OK!”
The false sense that because everything was fine until now, everything will be fine in the future, will eventually explode in our face.
In other words, if you can’t stand the heat, get out of the kitchen.
3. The resources issue
To be able to clearly understand the “enemy,” we will need to ask (and answer) many questions, such as:
How does the enemy think and operate?
What are the vulnerabilities of your mail infrastructure?
What are the possible solutions for these vulnerabilities?
What is the difference between the different solutions such as SPF, DKIM and DMARC?
You will need patience and the willingness to devote the time required to read and internalize the information.
4. The vanity syndrome
The fact that you are a veteran IT professional does not mean that you are a security professional, and it does not mean that you are familiar with the risks that threaten your mail environment and the possible solutions to those risks.
5. The fear of the unknown syndrome
Like any “unknown territory,” the mail security standards territory is unknown territory for most of us.
In the process of implementing a specific solution to the problem of Spoof E-mail attacks and Phishing mail attacks, you will certainly encounter many questions and problems.
It’s OK; this is expected as part of the process.
6. The need for simplicity syndrome
Most of the time, we look for a simple solution and try to avoid the need to understand and implement complex solutions.
The simple answer is that there is no simple solution for the task of dealing with Spoof E-mail attacks and Phishing mail attacks.
7. The military approach syndrome
This is one of the noticeable features of many managers.
The subtext of this approach is: I don’t care how, just make it work!
Well, we can make it work, but only if “management” is committed to the process and is willing to allocate the resources required for implementing the possible solutions.
Why Is There No Simple Solution For The Problem Of Spoof E-Mail Attacks And Phishing Mail Attacks?
The simple answer is that a Phishing mail attack is not simple!
The Phishing mail attack is a sophisticated attack that combines a couple of attacks, and we will have to deal with each of them separately.
In addition, dealing with the infrastructure of the Phishing mail attack, the Spoof mail attack, is not so simple either!
The common confusion between Spoof mail attacks and Phishing mail attacks
A very important observation that I would like to mention regarding the task of “dealing with Spoof E-mail attacks and Phishing mail attacks” is that we should distinguish Spoof mail attacks from Phishing mail attacks.
Each type of attack has different characteristics and, for this reason, needs a different type of solution.
Most Phishing mail attacks use a Spoof mail attack in the initial phase of the attack. For this reason, it’s reasonable to assume that if we identify and block Spoof E-mail, the derivative will be blocking the Phishing mail attack.
However, the important thing is that we cannot build our defense infrastructure on this assumption, for a couple of reasons:
Not all Phishing mail attacks spoof the sender identity. There is a reasonable chance that the Phishing mail attack will just use a standard E-mail address from a well-known mail provider such as Gmail, Hotmail or Yahoo.
Even when we use a protection mechanism that identifies Spoof mail attacks, it is very reasonable to assume that we will not be able to identify and block 100% of the Spoof mail attacks.
Note: another aspect of Phishing attacks is that not all Phishing attacks are “Phishing mail attacks.” It’s true that most Phishing attacks are executed via the “mail channel,” but some Phishing attacks are executed using a phone call or an SMS, via a message sent to instant messaging users, via a message sent to social-network users, and so on.
What are the challenges that we need to face when we want to fight Spoof E-mail attacks?
Regarding our ability to protect our mail infrastructure from Spoof mail attacks, there are a couple of well-known mail standards that were created to complete the SMTP protocol’s “missing part,” meaning the ability to verify the sender identity.
Along the current article series, we will review in detail the different sender verification mail standards such as SPF, DKIM and DMARC, and other optional solutions, such as solutions that we can implement in an Exchange-based environment.
If you think you can sit back, relax and drink a refreshing cocktail because you found the perfect solution to all the Spoof E-mail problems, you are wrong!
It’s true that there are standards and solutions that were created for dealing with the phenomenon of Spoof E-mail, but these solutions are very far from being perfect.
1. The implementation of the sender identification mechanism is not so simple.
Each of the different standards has advantages, disadvantages and “blind spots.”
Implementing these standards is not so simple, and requires a preliminary assessment, planning and constant follow-up.
For example, at the current time we can mention three mail standards that were created for dealing with the need to verify the sender identity.
Each of these standards uses a different method for verifying the sender identity, and each of them requires different preparations and configuration settings.
The implementation of these sender verification standards becomes quite complicated and challenging in a complex mail environment that includes many mail servers, many sites, etc.
A standard such as SPF is considered easy to adopt, but it has a built-in “blind spot” that a hostile element can exploit to bypass the existing “SPF wall”: SPF verifies only the envelope sender (the MAIL FROM domain, which ends up in the Return-Path header), not the From header that the recipient actually sees, so an attacker can pass SPF for a domain he controls while displaying our domain in the From header. DMARC was created to close this gap by requiring the two domains to align.
The DKIM standard can provide good protection, but because the solution is based on public-key cryptography (a private signing key on the sending server, with the matching public key published in DNS for verifying the digital signature), it’s not so easy to implement this standard in a compound mail environment that includes many different entities that send mail on behalf of the organization.
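As an added example (not code from the original article, from Exchange Online or from any SPF library), the following Python shows the SPF blind spot described above, and the outgoing “stamping” gap from the previous section, in working form: a small SPF evaluator covering only the ip4, include and all mechanisms, plus the DMARC-style alignment check between the envelope sender domain and the header From domain. All domains, IP addresses and SPF records are constructed; only SPF-based DMARC is modelled, not DKIM.

```python
"""Added example (not from the original article): a small SPF evaluator plus the
DMARC-style identifier alignment check that closes the SPF blind spot.
All domains, IP addresses and DNS records are constructed for the illustration;
only SPF-based DMARC is modelled (a DKIM pass could also satisfy DMARC).
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups of SPF records.
SPF_RECORDS = {
    "victim.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "attacker-controlled.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, client_ip: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record for the connecting IP (RFC 7208, subset).

    Supports the ip4, include and all mechanisms; the first matching mechanism
    decides the result through its qualifier. Returns 'none' when the domain
    publishes no record.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], client_ip, depth + 1) == "pass"
        else:
            matched = term == "all"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels).
    Real receivers use the public suffix list; this is enough for the example."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_alignment(raw_message: str, mail_from: str, client_ip: str) -> dict:
    """Authenticate a received message the way a DMARC-aware receiver does.

    SPF authenticates the envelope sender (RFC5321.MailFrom, later visible as
    Return-Path). DMARC additionally requires that domain to align with the
    header From domain (RFC5322.From), which is what the user actually sees.
    Relaxed alignment is used: the organizational domains must match.
    """
    msg = message_from_string(raw_message)
    header_from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    mail_from_domain = mail_from.rsplit("@", 1)[-1].lower()
    spf = spf_check(mail_from_domain, client_ip)
    aligned = org_domain(mail_from_domain) == org_domain(header_from_domain)
    return {
        "header_from": header_from_domain,
        "mail_from": mail_from_domain,
        "spf": spf,
        "aligned": aligned,
        "dmarc": "pass" if spf == "pass" and aligned else "fail",
    }


# Constructed messages. The spoof passes SPF for the attacker's own domain while
# showing the victim's domain in From; only the alignment check catches it.
SPOOF_MESSAGE = (
    'From: "CEO" <ceo@victim.example>\r\n'
    "Reply-To: ceo.victim@freemail.example\r\n"
    "To: cfo@victim.example\r\n"
    "Subject: Urgent wire transfer\r\n\r\n"
    "Please transfer the funds today.\r\n"
)
LEGIT_MESSAGE = (
    "From: ceo@victim.example\r\n"
    "To: cfo@victim.example\r\n"
    "Subject: Q3 budget\r\n\r\n"
    "Attached is the draft.\r\n"
)

if __name__ == "__main__":
    print("spoof:", dmarc_alignment(SPOOF_MESSAGE, "bounce@attacker-controlled.example", "203.0.113.7"))
    print("legit:", dmarc_alignment(LEGIT_MESSAGE, "ceo@victim.example", "198.51.100.10"))
    # Outgoing-side gap: a legitimate bulk sender whose IP was never added to our
    # SPF record hits "-all" and is rejected by a strict receiver (a false positive).
    print("unlisted sender:", spf_check("victim.example", "198.18.0.9"))
```

The spoofed message comes back with SPF “pass” (the attacker’s own domain authorizes the attacker’s own IP) and DMARC “fail”, because the authenticated domain does not align with the one in the From header. The third call shows the other side of the coin from the “Outgoing mail” section: our own legitimate sender, omitted from our SPF record, matches “-all” and is refused by any receiver that enforces the record.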
2. Not all organizations use a sender identification mechanism.
Another major issue that we should not forget is that a complete solution for the problem of “Spoof E-mail” depends on a “logical circuit” that includes two sides: the sending mail infrastructure and the receiving (destination) mail infrastructure.
If “our side” implements all the required solutions for dealing with the Spoof E-mail phenomenon, but the “other side” does not implement any Spoof E-mail protection, the outcome is that any hostile element can still use our identity to attack the “other side” under our organizational name.
What Are The Challenges That We Need To Face When We Want To Fight Phishing E-Mail Attacks?
Regarding existing solutions for the problem of Phishing mail attacks, the situation is much poorer compared to the status of Spoof E-mail solutions.
The Phishing mail attack is considered a sophisticated attack. Identifying and blocking Phishing mail attacks is much more complicated than dealing with Spoof mail attacks.
The “interesting news” is that at the current time, there is no formal standard or well-known protection mechanism that can directly deal with and prevent all types of Phishing mail attacks.
If you perform a simple search using a query such as “solution for Phishing email attacks,” most of the results deal with tips and tricks, guidelines and best practices that instruct users how to recognize or avoid Phishing mail.
The “missing part” is that these answers and solutions relate to the “end point,” meaning the users, and not to the “server side,” meaning our mail infrastructure. The information does not relate to a specific technology or standard that can be implemented on the “server side.”
Some links will lead you to a company that provides services for testing your mail infrastructure (by simulating a Phishing mail attack) and the reaction of your users to it, but the painful truth is that there is no “tangible” standard that promises to protect your mail infrastructure from all Phishing mail attacks.
My answer to the question “Why is there no formal solution to the threat of Phishing mail attacks?” is that the Phishing mail attack is made of “different parts.”
We cannot relate to the Phishing mail attack as “one problem” but instead as a “collection of problems.”
For example:
One of the building blocks of a Phishing mail attack is a Spoof mail attack. To deal successfully with Phishing mail attacks, we will need a good solution for the problem of Spoof mail attacks, such as implementing the sender verification standards SPF, DKIM, DMARC and so on.
One of the building blocks of a Phishing mail attack is infecting the user’s desktop with malware (most of the time “smart malware” that is injected into legitimate files). To deal successfully with Phishing mail attacks, we will need a good solution for the problem of malware, such as “sandbox” solutions.
One of the building blocks of a Phishing mail attack is social engineering. To deal successfully with Phishing mail attacks, we will need a good solution for the problem of social engineering, such as guiding and instructing our users about the characteristics of Phishing mail attacks.
Q1: Should I despair because there is no formal solution to the threat of Phishing mail attacks?
A1: No! Although there is no “magic button” that we can use for dealing with Phishing mail attacks, there are a couple of solutions that we can use, and the combination of these “solutions” can provide good and effective protection for most Phishing mail attack scenarios.
In the article Using sender verification for identifying Spoof mail | SPF, DKIM, DMARC, Exchange and Exchange Online | Part 8#9, we will review the list of the solutions that we can use.
The next article in the current article series is: Dealing with the threat of Spoof and Phishing mail attacks | Part 6#9