Email is a top communication tool used by the government and is a primary threat vector utilized by attackers. Forged emails are one of the top cybersecurity threats of this time. According to CSO, phishing attacks account for more than 80% of reported security incidents and $17,700 is lost every minute! To address the risk imposed by this channel, the Department of Defense (DoD) has implemented the Cybersecurity Maturity Model Certification (CMMC), a five-level framework that covers the gap in email protections not previously covered by the NIST 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations).
CMMC has included a new security practice that addresses the risks of email forgery, SI.3.219 (“Implement email forgery protections”). SI.3.218 is a CMMC level 3 system and information integrity practice that focuses on the application of spam filters on both inbound and outbound email paths.
SI.3.219 builds upon spam protection mechanisms implemented in SI.3.218 by integrating more advanced measures, ones that usually use DNS and/or cryptography. To understand how an email can be compromised, or forged, one should understand what can be forged.
There are typically five different ways emails can be forged:
- Compromised Email Account: This attack leverages a hacked email account to send spam or a phishing message.
- Forged “Envelope From”: This attack spoofs the envelope sender (or hidden header) by using the domain of a known company in an attempt to bypass a mail server’s filters. This can also be used to gain the trust of the recipient, but they may not be able to view the address if it is only utilized by the mail server.
- Forged “Message From”: This method is similar to a forged “Envelope From” attack, except the display name (or visible header) of the sender is spoofed. This can allow the attacker to appear more credible than in a forged “envelope from” attack since the recipient is consistently able to view this field.
- Cousin Domain Abuse: Also known as a similar domain attack, this method tries to trick the recipient by using a domain that looks like it uses the official and correct spelling of another verified or trusted domain. However, the attacker’s domain typically has added, subtracted, or substituted characters. Substitution can make identifying a domain incredibly difficult as there are characters that are identical down to the pixel but have a different Unicode value (ex. English “o” versus Russian “o”).
Free Email Account Abuse: This attack utilizes a free email service (i.e., Gmail) to create an account. This valid email address is more easily able to bypass filters and authentication protocols, and thus may allow an attacker pretending to be an employee to gain access to the company’s network.
Even though only one type of email forgery protection mechanism is required by S.I.3.219, there are three different email authentication protocols and protections recommended and they can be very effective when implemented collectively. It is also recommended that a forgery mailbox be implemented where users can send emails that they suspect are forged. In addition to utilization of a forgery mailbox, there should be a policy in place that requires periodic review of this mailbox. It is also a best practice to have a process in place for determining if one’s organization has been inappropriately blacklisted by others due to email forgeries. To lessen the likelihood of falling victim to email forgery schemes, various proactive steps can be taken.
Email Authentication Protocols
To mitigate risk of receiving forged emails, a variety of email authentication protocols can be put into place.
- SPF: Sender Policy Framework, allows an organization to specify who is allowed to send emails from their name through a record published within the DNS. This can improve the reputation and deliverability of an organization’s emails, as it discourages attackers from spoofing their domain. As a result, spam filters may be less likely to blacklist it. However, it is not enough to protect an organization from sophisticated phishing attacks.
- DKIM: DomainKeys Identified Mail, allows an organization to take responsibility for transmitting a message by signing it via cryptographic authentication. This prevents spoofing by preserving the integrity of a message and proving whether or not the data in the signature has changed in transit, thus allowing it to be verified by email providers. Like SPF, DKIM on its own cannot properly protect an organization from sophisticated phishing attacks.
- DMARC: Domain-based Message Authentication, Reporting, and Conformance, combines both SPF and DKIM to validate whether any messages using a company’s header from domain are legitimate, protecting the domain-level of emails and preventing forging. For a message to be authenticated by DMARC, it must pass SPF authentication and/or DKIM authentication. If a message fails DMARC, senders instruct receivers on what to do with it through a DMARC policy.
With these supplemental measures and the various forms of mail authentication and spam filtering, you will not only align with two CMMC controls but will also be able to properly protect your organization from one of the most vulnerable points of your network. Be sure to implement these measures properly to provide the most coverage for your organization. To get started on your CMMC compliance, talk with one of our experts.
by: Hayley Froio
Information Assurance Team Member at NuHarbor Security