DMARC Update–Agencies Seeing ‘Jaw-Dropping’ Email Impersonation Stats

(Image: Shutterstock)

Agencies have 68 days remaining to achieve compliance with the Department of Homeland Security’s (DHS) binding operation directive (BOD) 18-01, which requires the active enforcement of the Domain Message Authentication, Reporting, and Conformance (DMARC) protocol.

MeriTalk has reported on agency progress in implementing the protocol to comply with the DHS mandate. DMARC works to prevent unauthorized senders from impersonating Federal .gov domains through fraudulent email and using it as an attack vector to launch phishing and spoofing campaigns. Recent research found that just over half of Federal domains are now at active enforcement, but that leaves many agencies struggling to get on board as time draws closer to the BOD deadline.

At today’s FCW Cybersecurity Summit, a former Federal agency CIO and the CEO of an email authentication cloud provider discussed agency progress on DMARC, and why DHS is requiring agencies to take control of email security.

“Criminals, state actors, hackers take advantage of the fact that email’s not authenticated,” said Alexander Garcia-Tobar, CEO of Valimail, who today announced a FedRAMP Tailored authorization for its DMARC solution.

“As a merchant, you would never accept a credit card without swiping it first. You wouldn’t just say, ‘It looks good, I’ll just take my chances.’ That’s for a $12 purchase. But yet we seem to be okay with just accepting an email on its face value,” he said.

Jonathan Alboum, chief technology officer, U.S. Public Sector, Veritas, drew upon his experience as the former USDA CIO and said that he’d often train employees on email skepticism. But the warning signs at the time–which included domain misspellings and other fraudulent tells–have mostly eroded.

“Email spearfishing attacks have become much more sophisticated. Misspellings have largely gone away, the targeting is much better,” he said. “I don’t even know how to train people to be suspicious of that, because it’s pretty much every email that comes in you need to question.”

That’s compounded by a new issue that the BOD seeks to curtail, what Garcia-Tobar described as “exact domain attacks.”

“If someone can send email exactly as your agency, then why wouldn’t they?” he said. “That’s why it’s so important as a foundational protection to start with BOD 18-01 and actually protecting your own exact domain.”

Getting there–as previously described–is a multi-step process. The first involves discovery and monitoring, which requires the initial implementation of a DMARC record in a Domain Name System (DNS). DHS recently said adoption here has risen to around 90 percent.

“The first phase is just discover who’s sending as you. We just had an agency whose jaw just dropped when we showed them that there are 38 services–legitimate ones–that were sending as them globally. They had no idea,” Garcia-Tobar said.

Garcia-Tobar commended DHS’ efforts–through the BOD–to up the use of DMARC in the Federal government, citing how Federal implementation outpaces any vertical in the commercial sector. The second step–with the looming October deadline–presents more challenges. Actively enforcing a DMARC record to remove those illegitimate senders requires a little more legwork.

While agencies can attempt to go it alone, Alboum noted that “if you don’t understand the foundational landscape,” those efforts could be a poor use of agency resources. Garcia-Tobar said that only around 20 percent of agencies that try to implement active enforcement in the DNS actually succeed after 12 months.

The other side of the coin, Alboum noted, is that the BOD doesn’t come with any funding, just a mandate. “You have to make choices inside your agency about how you spend your resources,” he said. “Email is still, and will remain the most important application we run in our agencies,” and with cloud email migrations on the mind of many Federal agencies and the administration itself, he called this a time when decisions about proper authentication need to take place.

As for the future outlook, Garcia-Tobar noted that “look-alike” impersonation attacks still persist, alongside newer “friendly from” attacks. This emerging attack vector preys on a mobile email client’s tendency to scrape contact information–when an email is addressed from a colleague–and place that colleague’s image next to the sender line.

Many impersonation attempts exploit this convenience function to pose as legitimate senders, Garcia-Tobar said. As authentication tools make their way into the FedRAMP-approved market, agencies may increasingly turn to automation to aid in enforcement before the October 16 deadline.

Recent