I’m always searching to find facts and figures on the effectiveness of security measures on phishing attacks, which is harder that it would first seem. This is all is in aid of framing a picture to the boss on why to spend money, energy and resources on this most insidious and highly successful type of attack. That makes it very important to understand what happens towards your company, then you’re industry sector and, finally, how other non-related sectors are doing to create an impact that is meaningful to management. There’s already a number of great human awareness training to turn people in to phishing sensors [1], but let's stick to technical controls for alerting on phishing attacks. 

 

One of my favourites to providing that global view is the Anti-Phishing Working Group (APWG), which does a marvellous job of providing quarterly reports [2] as part of its goal to blunt the damage phishing attacks inflict. So now you’ve got some data points to wow management with how bad phishing globally and it covers different sectors, so how you go about getting some data on phishers targeting your company? 

 

Having an understanding of the phishing problem you face can be hard to fully comprehend. Looking to your own inbox or even that of your company’s mail abuse tracking system is probably missing out on the bigger picture, due lack of visibility: it may have already been blocked up stream, be targeted at your customers, or a number of other reasons and you never get to see the full scope of the phishing attacks. This means you may have to work with external vendors or third parties to tell you what they’re seeing, but that could be a waste of money. So what other option do you have? Glad you asked. 

 

One neat option is DMARC [3], which stands for "Domain-based Message Authentication, Reporting & Conformance", and it has raised debates in bars, meeting rooms and forums on its value and effectiveness, but is worth discussing. In a nutshell "DMARC makes it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn't." Let’s jump the “Well, it has to be configured properly first” argument that normally ignites impassioned ranting [4] and move to the utopia where it's working properly and suddenly you've got reporting that provides decent visibility on one channel of attack the phishers use against your DMARC protected domains. As an added bonus the reporting includes the IP addresses of the botnets/remailer/specific attacker send the email from which allows possible attribution or it to be added to your known bad IP lists.

 

The DMARC guide [5] makes this is pretty easy to get the results back and I've have great reporting for the personal domains I own, but then wondered how this stacks up for the big players and how it does actually reduce the impact of real phishing; then I stumbled over a report by Agari [6]. From reading between the lines and pleasantly coloured graphics, it paints DMARC as a solid defense and reporting mechanism to filter out one line of attack and provides some actionable information on a certain format of phishing attack. 

 

Most of us have come to the realization that despite the technical controls we put in place, a well-crafted phishing email is likely to be opened by the nice person sitting in front of the keyboard. Who doesn’t want to see the salaries for the entire department or a piano-playing kitten? Here’s the but…but if technical controls can drop a percentage of emails bearing the aforementioned kitties getting to the nice people then why the heck not implement it?

 

DMARC isn’t a silver bullet to phishing, can be circumvented by smarter attackers and may have technical factors that means it doesn’t work for your company, but it can provide insight in to attacks you never had before. Anything that makes it harder for a phisher to target your company, friends or family and gives you more visibility in to attacks is worth putting in place or at least reading the specification and making the decision for yourself.

 

As always, if you have any suggestions, insights or tips please feel free to comment.

 

 

[1] http://www.securingthehuman.org/

[2] http://www.apwg.org/resources/apwg-reports/ 

[3] http://www.dmarc.org/

[4] http://www.merriam-webster.com/dictionary/rant 

[5] http://www.dmarc.org/faq.html#s_6 

[6] http://agari.com/2013/07/31/agari-releases-its-2013-email-trustindex-second-quarter-edition/ 

 

 

Chris Mohan --- Internet Storm Center Handler on Duty