How have anti-phishing technologies evolved in the last 2-3 years?
The biggest development in anti-phishing solutions is the standardization of DMARC and its enforcement capabilities.
Domain-based Message Authentication, Reporting, and Conformance is a policy that adds to SPF and DKIM and gives a receiver a set of instructions on what they should do when an email they received fails other authentication checks.
DMARC is a powerful tool to help ensure that a bad actor can’t spoof your domain, and from the standpoint of an enterprise that may have numerous partners and platforms mailing on their behalf, it affords them control because they can create a set of policies that conform to their security and brand needs.
What’s crucial to keep in mind about phishing is that it is a social engineering attack that targets an individual and hopes to pass muster because the message looks like a legitimate sender. Making it harder for bad actors to impersonate or spoof legitimate brands is how the legitimate mailing world will make the inbox a healthier environment.
Can we think of criminals as being a step ahead in using Blockchain and dark data intelligence to break into systems? What other technologies can you name here?
The idea that hackers are deploying sophisticated tools and cracking code like Neo stopping bullets is the stuff of Hollywood fiction. The truth of the matter is that the simplest way is often the best—and the simplest, in this case, is the most insecure link in the chain: people. Hackers target people and gain access through account takeovers and phishing emails. That’s the most effective form of hacking currently. There’s some work that’s happening on using quantum computers to crack encryption but that’s further away because of the cost of the hardware needed. Again, the simplest form of attack, impersonation, is still the most effective.
Based on research from the Verizon Data Breach Investigations Report, the number one vector in data breaches remains phishing! This has been constant year over year, so although the idea that there are bad actors hiding in a bunker banging away at firewalls enthralls our imaginations, the reality is a bit more mundane and sadly, far too prevalent.
What makes DMARC a global security barrier against phishing?
It’s important to understand that DMARC isn’t a panacea and it’s part of a set of email authentication standards that began development as open source projects in the early 2000s. DMARC is the latest standard that ties together SPF and DKIM as the basis for a policy that helps a receiving mailbox provider such as Gmail understand if they should accept a message that failed the previous checks or reject it. In this case the message is one that is spoofing a legitimate domain or perhaps simply not authenticating correctly or not authorized to send on behalf of a domain, as is the case with large companies that leverage partners to message their workforce on their behalf. Like all things, the devil is in the details and it’s critical to understand how DMARC works:
– DMARC provides visibility into the platforms and services using your domain to send email. This visibility isn’t just necessary to mitigate bad senders, it also helps bring legitimate services and senders into authentication compliance and allows domain owners to take stock of their total mailing footprint. In addition to visibility across your entire mailing program, you’ll know exactly where SPF and DKIM are failing, along with alignment of your “from domain”.
– Domain alignment is when the from domain (RFC 5322) matches the SPF and DKIM domains. For DKIM, the message’s from domain and “d=” domain must match. Similarly for SPF, the from domain and the “return-path” domain must match. This is a very important concept to understand because it’s where the value of DMARC really shines. Cyber criminals can simply configure SPF and DKIM in an attempt to look legitimate, but aligning authentication with the from domain they’re spoofing is nearly impossible because you, the legitimate sender, are in control of that domain. Once this alignment has been achieved, a domain owner can publish a reject policy knowing with confidence that messages not authorized to send as his or her domain will not be delivered to unsuspecting recipients, given that 80% of email inboxes around the world are validating DMARC.
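The alignment check described in the answer above, shown as an added example that is not part of the interview and is not any mailbox provider's code. It assumes strict (exact-match) alignment as the answer describes it; DMARC's relaxed mode, which compares organizational domains, is not modelled, and all domains and the record are constructed samples.

```python
from dataclasses import dataclass


@dataclass
class Message:
    from_domain: str         # RFC 5322 From: domain the recipient sees
    spf_pass: bool           # SPF result for the return-path domain
    return_path_domain: str
    dkim_pass: bool          # DKIM signature verified
    dkim_d: str              # d= domain from the DKIM signature


def parse_policy(record: str) -> str:
    """Return the p= tag of a DMARC TXT record, or 'none' if unusable."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return "none"
    policy = tags.get("p", "none").lower()
    return policy if policy in ("none", "quarantine", "reject") else "none"


def same_domain(a: str, b: str) -> bool:
    return a.lower().rstrip(".") == b.lower().rstrip(".")


def dmarc_pass(msg: Message) -> bool:
    # A pass needs an authentication pass AND alignment with the From domain.
    spf_ok = msg.spf_pass and same_domain(msg.from_domain, msg.return_path_domain)
    dkim_ok = msg.dkim_pass and same_domain(msg.from_domain, msg.dkim_d)
    return spf_ok or dkim_ok


def disposition(msg: Message, record: str) -> str:
    # p=none only monitors, so a failing message is still delivered.
    return "deliver" if dmarc_pass(msg) else {"none": "deliver"}.get(
        parse_policy(record), parse_policy(record))


# Constructed samples: the domain owner publishes a reject policy.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
# SPF and DKIM both pass, but for the sender's own domain, not the From domain.
SPOOF = Message("example.com", True, "mail.lookalike.example", True, "lookalike.example")
# Authorized partner: its own return-path, but it signs DKIM with d=example.com.
PARTNER = Message("example.com", True, "bounce.partner.example", True, "example.com")
```

The spoofed sample passes both SPF and DKIM yet fails DMARC, while the partner sample passes on DKIM alignment alone.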
Thank you, Len! That was fun and hope to see you back on MarTech Series soon.
Len Shneyder is a 15+ year email and digital messaging veteran and the VP of Industry Relations at Twilio SendGrid. Len serves as an evangelist and proponent of best practices and he drives thought leadership and data-driven insights on industry trends based on the massive volume of email SendGrid delivers on behalf of their customers.
Len is a longtime member of M3AAWG (the Messaging, Malware, Mobile Anti-Abuse Working Group) and served on its board in addition to Co-Chairing the Program Committee. He’s also part of the MAC (Member Advisory Committee) of the EEC (Email Experience Council) where he serves as the organization’s MAC Chair. The EEC is a professional trade organization focused on promoting email marketing best practices. The EEC is owned by the ANA (Association of National Advertisers), a nearly 100-year-old organization where he also sits on the Ethics Committee. Also, Len has worked closely with the ESPC (Email Sender & Provider Coalition) on issues surrounding data privacy and email deliverability.
Millions of developers around the world have used Twilio to unlock the magic of communications to improve any human experience. Twilio has democratized communications channels like voice, text, chat, video, and email by virtualizing the world’s communications infrastructure through APIs that are simple enough for any developer to use, yet robust enough to power the world’s most demanding applications. By making communications a part of every software developer’s toolkit, Twilio is enabling innovators across every industry — from emerging leaders to the world’s largest organizations — to reinvent how companies engage with their customers.