Are SPF, DKIM and DMARC enough?
I have been dealing with secure email delivery for most of my career, and I frequently find organizations not properly setting up Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). These configurations are essential, but they only offer partial protection from phishing attacks. If you want to operationalize phishing detection and response effectively, you need to rely on your employees and build a reporting culture.
Depending on whose report you read, over 96% of data breaches start with a phishing email. SPF, DKIM and DMARC help mitigate the impact of someone abusing your domain name or damaging your reputation with a partner or customer, and they can help improve your email deliverability to outside recipients.
Innovative and creative threat actors attempt to compromise your organization using more subtle and dangerous techniques, disguised not as a Nigerian prince but as something more akin to an overdue invoice or urgent CEO request.
Take the example of a business email compromise (BEC). It’s pure social engineering, and it’s very easy to slip past your automated email security pipeline. Here is actual text from a BEC in which the threat actor is posing as the CEO.
“Hi, Susan. Send me your personal number. I need you to get something done for me real quick.”
As unbelievable as it sounds, smart, trusting employees respond to emails like this all the time. They get tricked into sending large sums of money to a threat actor, installing malicious software or sharing user credentials, providing the threat actor with a toehold to start compromising another part of your organization.
Easy-to-implement phishing detection and response strategies you can use today.
1. Secure your email infrastructure with SPF, DKIM and DMARC, using the strictest settings your organization can tolerate. At a minimum, it can help your email reputation when communicating with business partners and customers. However, not everyone you do business with has good email security configurations. You deal with all sorts of “trusted” business vendors and third-party mailers who may or may not have the best email security and hygiene. The last thing the security or email teams want to hear is the CEO complaining about some million-dollar deal that your security infrastructure ate. Do the best you can without creating undue friction in your organization.
2. Monitor and review your DMARC reports. You need to know your deliverability rate for outbound emails as well as verify who is sending email on behalf of your organization. Too often, security is set aside to help improve email delivery issues encountered with third-party mailers, potentially giving a threat actor an avenue to send spoofed emails to your organization. Nontechnical teams often onboard new services that send email on behalf of your organization without consulting the email security team. If the email security team is not involved in setting up proper security controls, the fantastic drip campaign generating million-dollar emails gets dripped into a junk folder, is outright rejected by the receiving email gateway or, worse yet, leads to an internal ransomware incident.
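The two items above amount to a checklist: is the published DMARC policy actually strict, and does the aggregate (RUA) reporting show unexpected sources sending as your domain? The script below is an added example, not code from the article or its author. It parses a DMARC TXT record and lints it for the weak settings the first item warns about, then reads a DMARC aggregate report in the RFC 7489 XML shape and lists every source IP that failed authentication. The records, the report and the IP addresses (taken from the documentation ranges) are all constructed for the example; `example.com` and `receiver.example` are placeholders.

```python
"""Added example (not from the article): lint a DMARC policy record and
summarize a DMARC aggregate (RUA) report. All inputs are constructed."""
import xml.etree.ElementTree as ET

# Constructed DMARC TXT records for the placeholder domain example.com.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc@example.com")


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into a tag dictionary (tag names lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt):
    """Return a list of weaknesses in a DMARC record; an empty list means strict."""
    t = parse_dmarc_record(txt)
    findings = []
    if t.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag")
    policy = t.get("p", "none")
    if policy == "none":
        findings.append("p=none: receivers take no action on failures")
    elif policy == "quarantine":
        findings.append("p=quarantine: failures are junked, not rejected")
    if t.get("sp", policy) == "none":          # subdomain policy defaults to p
        findings.append("subdomains unprotected (sp=none)")
    if t.get("adkim", "r") == "r":             # alignment defaults to relaxed
        findings.append("relaxed DKIM alignment (adkim=r)")
    if t.get("aspf", "r") == "r":
        findings.append("relaxed SPF alignment (aspf=r)")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"policy applied to only {t['pct']}% of mail")
    if "rua" not in t:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


# Constructed aggregate report in the RFC 7489 XML shape, trimmed to the
# elements this example reads. 203.0.113.10 is the legitimate mail server,
# 198.51.100.7 is a spoofer, 192.0.2.44 is a vendor onboarded without DKIM/SPF.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarize_rua(xml_text):
    """Group report rows by source IP: total messages, messages that failed
    DMARC (neither DKIM nor SPF aligned) and the dispositions applied."""
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        entry = sources.setdefault(ip, {"messages": 0, "failed": 0, "dispositions": set()})
        entry["messages"] += count
        if not passed:
            entry["failed"] += count
        entry["dispositions"].add(ev.findtext("disposition"))
    return sources


def unauthorized_senders(xml_text):
    """Source IPs with DMARC failures: spoofers, or legitimate mailers that were
    onboarded without SPF/DKIM. Both need the email security team's attention."""
    return sorted(ip for ip, s in summarize_rua(xml_text).items() if s["failed"] > 0)


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_DMARC), ("strict", STRICT_DMARC)):
        print(f"{label}: {dmarc_findings(rec) or ['no findings']}")
    for ip, s in summarize_rua(SAMPLE_RUA).items():
        print(f"{ip}: {s['messages']} messages, {s['failed']} failed, {sorted(s['dispositions'])}")
    print("needs review:", unauthorized_senders(SAMPLE_RUA))
```

In a real deployment the report XML arrives gzip- or zip-compressed at the `rua=` mailbox and usually covers a day of traffic from one receiver; the review step is deciding, per failing IP, whether it is an attacker to block or a legitimate vendor whose SPF include and DKIM selector still need to be published.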
3. Do not rely on a secure email gateway, artificial intelligence or machine learning to fully protect your organization from malicious emails. While they admittedly react faster than humans, they have been programmed by humans, and threat actors are adept at finding loopholes in their logic. Secure email gateways have their place in email protection, but they have a very hard (impossible) time catching business compromise emails like the example above. In this regard, every employee in your organization can lend a hand in spotting counterfeit email communications and notifying the team responsible for email security.
In my experience, the first two points are relatively easy to accomplish but need frequent auditing, similar to periodic firewall rule and vulnerability scan audits. The third point is, in my opinion, the most important and the most effective. Your employees are your best defense to identify counterfeit emails, not your weakest link.
Look at banks as an example. Tellers train to identify counterfeit bills by examining real bills. When they know what real money looks like, the counterfeits stand out like a sore thumb.
The same is true with emails. The majority of emails your employees look at are real. When you leverage a phishing simulation program to reinforce the identification of counterfeit emails, your organization starts to build up its phishing resilience. Employee reporting of suspicious emails, combined with consistent feedback to those reporters, keeps spam and nonmalicious reports low and suspicious-email reports high.
Building a reporting and response culture is essential because email and security teams are stretched thin. They need actionable information at their fingertips to be highly effective. Phishing-resilient employees are an extension of your email and security teams and compensate for the novel techniques threat actors use to bypass email security controls like secure email gateways, SPF, DKIM and DMARC. When phish reporting is encouraged and reporters receive real-time feedback, phishing resilience rates increase, and your security teams can become more effective at protecting your organization.
Email gateways, artificial intelligence, machine learning, SPF, DKIM and DMARC are all good tools to have on hand, but they don’t provide adequate security without human guidance. Your employees are the most important and cost-effective part of an in-depth phishing detection and response strategy. Invest in your people, and you shouldn’t go wrong.