Without letup, the cyberattacks keep coming but they are not necessarily aimed at your network’s protocols or software vulnerabilities — at least, not at first. Instead, they maneuver themselves into part of your corporation’s most vulnerable infrastructure and manipulate your employees to fall for some email message that is not what it appears to be.
Knowledge workers encounter these hazards during every working day when they are reading and responding to emails. A decade ago, the network’s email industry developed ways to provide greater assurance of the identity of an email sender. These technologies gradually came into more widespread usage, but the opt-in nature of email technology on the internet means that adoption is far from universal; it remains so today. In addition, the lack of universal implementation of the technologies, plus some built-in vulnerabilities, make these approaches useful but hardly a silver bullet for phishing and business email compromise (BEC) attacks.
It started with great promise early during the past decade. Domain-based Message Authentication, Reporting & Conformance (DMARC) brought together such heavyweights as Google, Comcast, Yahoo! Mail, and LinkedIn to implement Domain Keys Identified Mail (DKIM), which uses an asynchronous key pair to verify that a message was sent from a legitimate user of an email address to prevent email forgery.
Sender Policy Framework (SPF), which like DKIM was codified into a standard by the Internet Engineering Task Force (IETF), detects email spoofing by evaluating the path it took and comparing a message’s originating IP address against Domain Name Service (DNS) records.
Where DMARC enforcement falls short is that it only authenticates at the time each email gets inspected. DMARC cannot make any assurances that future emails will always be authentic, says CISO John Masserini of Millicom International Services LLC, a Coral Gables, Florida, operator of the Tigo brand of cable TV and cell phone services in 14 countries in Latin America and Africa.