Unlocking the Power of Online Signature Legitimateness for Business Transaction Management in Mexico
- Quick to start
- Easy-to-use
- 24/7 support
Simplified document journeys for small teams and individuals

We spread the word about digital transformation
Why choose airSlate SignNow
- Free 7-day trial. Choose the plan you need and try it risk-free.
- Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
- Enterprise-grade security. airSlate SignNow helps you comply with global security standards.
Your complete how-to guide: online signature legitimateness for business transaction management in Mexico
How to Ensure Online Signature Legitimateness for Business Transaction Management in Mexico
In this guide, we will walk you through the steps to ensure the online signature legitimateness for business transaction management in Mexico using airSlate SignNow. By following these steps, you can securely and legally manage your business transactions with eSignatures.
Steps to Ensure Online Signature Legitimateness:
- Launch the airSlate SignNow web page in your browser.
- Sign up for a free trial or log in.
- Upload a document you want to sign or send for signing.
- If you're going to reuse your document later, turn it into a template.
- Open your file and make edits: add fillable fields or insert information.
- Sign your document and add signature fields for the recipients.
- Click Continue to set up and send an eSignature invite.
airSlate SignNow empowers businesses to send and eSign documents with an easy-to-use, cost-effective solution. It provides great ROI, is easy to use and scale, is tailored for SMBs and mid-market companies, offers transparent pricing with no hidden support fees or add-on costs, and includes superior 24/7 support for all paid plans.
Experience the benefits of airSlate SignNow and streamline your business transactions today!
- Best ROI. Our customers achieve an average 7x ROI within the first six months.
- Scales with your use cases. From SMBs to mid-market, airSlate SignNow delivers results for businesses of all sizes.
- Intuitive UI and API. Sign and send documents from your apps in minutes.
FAQs
- What is the online signature legitimateness for business transaction management in Mexico?
  In Mexico, the online signature is recognized as legally valid for business transactions, provided that it meets specific requirements outlined in the Federal Civil Code. This legitimateness ensures that businesses can securely sign and manage documents electronically, enhancing efficiency and reducing paper usage.
- How does airSlate SignNow ensure online signature legitimateness for business transactions?
  airSlate SignNow complies with Mexico's legal framework for electronic signatures. It uses advanced security features and audit trails that help ensure that the online signature legitimateness for business transaction management in Mexico is maintained, providing users with confidence.
- Are there any costs associated with using airSlate SignNow for online signatures?
  Yes, airSlate SignNow offers various pricing plans that cater to different business needs. Each plan includes access to features that support online signature legitimateness for business transaction management in Mexico, ensuring that you have the tools necessary for effective document handling.
- What features does airSlate SignNow offer to support online signature legitimateness?
  airSlate SignNow includes robust features such as customizable templates, document sharing, and real-time tracking of document status. These features contribute to maintaining the online signature legitimateness for business transaction management in Mexico, streamlining the signing process for all parties.
- Can I integrate airSlate SignNow with other business tools?
  Yes, airSlate SignNow integrates smoothly with a variety of business applications such as CRM systems and project management tools. This ensures that the online signature legitimateness for business transaction management in Mexico is seamlessly integrated into your existing workflows.
- What are the benefits of using airSlate SignNow for online signatures?
  Using airSlate SignNow provides numerous benefits, including time savings, reduced operational costs, and improved document management. By ensuring online signature legitimateness for business transaction management in Mexico, it allows companies to operate efficiently while remaining compliant with legal standards.
- How secure is the process of obtaining online signatures with airSlate SignNow?
  airSlate SignNow prioritizes security by employing encryption and secure access protocols to protect sensitive information. This high level of security supports the online signature legitimateness for business transaction management in Mexico and assures users that their documents remain confidential.
Join over 28 million airSlate SignNow users
How to eSign a document: online signature legitimateness for Business Transaction Management in Mexico
thank you for coming to my presentation I hope you find it informative and helpful you can take notes if you'd like but I try and build my slides so that when you go back later and you get the slides off of the website you can look through them and all of the most useful information will already be there so feel free to take notes but you'll find that my slides are meant to be informative and useful after this activity so again thank you all for coming we're talk about business email compromise or executive fraud goes by a lot of names it's basically using and using an email to acquire funds illegitimately directly from a company so the way it works basically is very simple concept the attacker pretends to be someone that the company an individual at the company would expect to trust it could be a business partner could be your customer could be an executive that they would expect to be able to trust when they get an email so they want to try and help out when they get these requests and the emails are intended to convince the victim that they meet by helping to what they need to do to help is to send money and this makes business email compromise unique from other types of IT attacks so normally when we think about my companies under attack from a I can say a hacking group right what they're after typically is personally identifiable information credit cards medical records perhaps intellectual property all of those things are things that may financially impact you at some point in the future if you fall victim to business email compromised you are impacted right now it's not about you're going to lose money a year from now three years from now five years and now because your intellectual property got lost you're going to lose money today because someone in your company just sent money to the attacker and it's gone when people talk about business email compromised normally what they're thinking about is what happens when my company is attacked right so when I get 
one of these violent emails in and it's requesting money be transferred how do I defend against it the other thing that you need to be thinking about is what happens if I'm the impersonated party right what if it's your business partner who got the email and your company was the one they were pretending to be right so when that happens your business partner is going to call you up potentially depending on their level of maturity in their own security program or if they have one and say we wired the money to you why did you send us another bill right you need to be able to respond to that so as part of that one of the things I'm going to talk to you about or I'm going to mention is engage both your legal department and also your marketing group or whoever it is that is the primary contact for your business partners and make sure they're aware of this situation so that when that call comes if it comes your you're ready to respond to it right so I've had that happen to me already I work in the aviation industry there was a large targeted attack against aviation industry last year and we had over a hundred of our business partners contact us in a three week period saying hey we've already paid money why are you reinforcing us follow-up so we had a response after response I mean it was just ongoing four weeks of this so be prepared for that so how do what are the ways that people are going to come after you with a business email compromised in all the ones I've been looking at I've been looking at a lot of these I would sum them up differently than some government agencies or other groups have published works on business email compromised I sum them up based on what I've really seen in and it comes down to these four things right your supplier will contact you and say we've changed banks we don't like our bank anymore for whatever reason or we got a better deal we're changing banks and so here's our new banking information for all future payments send it over here right 
so that sounds pretty simple and you think companies would have a check for that right but it's amazing how many companies have not had a check for that fraudulent invoicing so this is where they simply send you and invoice that pretends like hey you owe us money and it might not be a business partner in some cases we've seen this be government agency impersonation whereas a tax department or a government auditing department or whatever where they send you a note saying hey you're behind or your last payment was not correct please send us this additional money executive transaction fraud or request that can come from an executive or corporate attorney and typically what they're doing is they're going to say we're in the middle of a business transaction that requires immediate and and private transactions funds to be transferred right so we're in the middle of acquiring another company you can't tell anybody because this could affect stock prices if it was known so keep it to yourself and we need the money today because we're tanley in the transaction today and I'm going to show you an example of this where this happened with our company and and it was a it was a really good example because they were very diligent it wasn't just emails it wasn't just a single person it was an entire process they went through to try and get money out of us and the other is executive data requests this is becoming more common this is a way of it's not a direct funds request but this is becoming more and more common where rather than take the time to find a vulnerability and hack into your system or try and get into your end-user device and compromised their system and get to the PII why not just send an email to somebody who has all that information and say I'm the president of the company and I need this because I'm responding to a corporate audit send it to me now right and of course they're going to want to help and they're going to send it to the corporate they're going to send it 
to the executive whether it's a chief financial officer or the CEO because who wants told CEO no and then all that information is gone in one email right and lock them off the company's hundreds of companies fall victim to this every year so why is this important again with its direct financial loss this is not just a small piece of that of the I hate the word hacking but of the cybercrime industry this is a huge piece of cybercrime why because it's effective and it is a business how many businesses in here are grossing over a billion dollars a year right that's a fairly significant sized company right these guys are doing that in 18 months a billion and a half dollars of reported losses right so that's only the losses that were reported to government agencies or central cyber crime gathering groups that gather statistics on this so how many of your companies if you fell victim to this would actually report you don't have to raise your hand but I'm just saying a lot of companies would not refuse to report that they lost a million dollars because someone sent them a bogus email right so if we're talking about 1.5 billion dollars in 18 months and 3 billion dollars in 3 years I suspect that that's a small fraction of what companies have actually lost in the last three years right so this is a huge industry and it's much simpler if you can just send someone an email and get them to just send you money that's way easier then okay I got a compromise there endpoint I've got to escalate my privileges I've got to get domain credentials I've got to find the database break into the database extract the PII get on to the black market find someone who will buy it for pennies on the dollar and be done and then make my money right if I can just send you one email and you'll say oh sure here's the money that's so much easier why wouldn't you do that so what happens most of the time you know attacking in business email compromised very significantly from people who basically do 
nothing to do reconnaissance they just send an email with very little information hoping you'll fall for it two people who've done significant reconnaissance reconnaissance in the tournament business email compromised is different than a pen test so or penetration activity if someone's trying to penetrate your network they're going to be looking at what type of operating systems you run what type of software custom software commercial software are you patching what is your footprint on the internet look like where your potential weaknesses who your partners those are the kind of things you're going to look like when you're doing a technical compromised but this is not this is a business process compromised so what an attacker is looking at during a reconnaissance activity is different right they want to understand what your company does what are its business processes who are your partners who are your customers who are people you pay and who are people that pay you right how are those financial things conducted they want to collect information about your organizational structure who's the CFO who's a CEO who's the head of your legal department because those are people that I can get you to believe the emails from them you're going to trust or fear one of the two and send what they asked for they're going to look for particularly interesting targets like they're not going to send an email saying wire money to me because I'm conducting this significant venture acquisition of this company they're not going to send that to a guy in your IT department right because he's going to get that email going what I can't do anything with this right they're going to send it to your finance department and not only that they're going to try and find out exactly who would be the person to process that and if you published something on your website that says oh we just hired someone in our new finance department they're joining the team but they're going to target that person why 
because they don't know your business processes and policies but they might already have the authority and how do they find out about your company so from this perspective it's not a lot different than a technical attack right if I'm going to come in and try and breach your systems or breach your endpoints I'm going to gather information about your business but it is a little bit different again because this is not meant to gather information to support that technical attacks really about your business process so they're going to look at your website they know your Facebook account now it you do see instances where malware is used as part of one of these attacks but I would say that's not the most common mechanism mostly because it's not necessary and it also stands a chance of being detected which could throw the whole attack process off right so there are other ways of going about this and don't require that but we do see it it's just not as common so I'm going to talk about it a little bit how they'll target your end-users with malware usually email based Moeller they're going to go to your linkedin they we've seen several cases where they will call the company as a business partner they'll make a phone call not just be email they're part of their reconnaissance will be they'll get on the call and if they don't know who to call they'll just call the front desk the call reception like hey I need to talk to someone in your finance department we had a problem with billing who would I need to talk to I've got all the email addresses I just need the name so I can get the right person right so of course you're going to help and I'm going to get information that way they're going to look in the news the news talk about any of the people who are involved with these or who your business partners are interesting transactions that they could leverage as part of this con because that's what it is and they also use why I use the term dragnet phishing which has never shown up 
anywhere so you guys can either use that or say that was a stupidest thing I saw at the conference but what dragnet phishing is it's when you're fishing for stuff that is not the end target right I'm going to send emails to people to gather information that I can use later right so I'm sending a lot of information I'm sending it maybe information to the HR department I maybe send information to an IT department on seeing information just not because I'm trying to compromise them at that point all I'm trying to do is get a response from them and some of the information I'm trying to gather it may be just to validate for instance what's the naming convention of your email accounts is it first letter last name is it first name dot last name what how do you structure that how do your signature blocks look are they standardized is there a logo right so you get somebody to interact with you so you can start seeing what the email from the company looks like and how people at the company communicate right next so now they've got information and they're going to want to do something with that information so what do you want to do they want to come after you they've got to figure out a where where do they launch their attack from okay so they could create an email spoofing app or use a user service we'll talk about that in just a minute that services are out there now you can rent a spoof to send emails very handy and if you're going to do that they're going to set up if they're going to do their own email spoofing they're going to set up a domain somewhere and there's some reasons why they would do it in certain locations and I'm going to talk about that a little later because it makes it harder to block them if they do it in certain places they also might acquire a look-alike domain and I'm going show you some examples of that that's actually very very common if somebody is taking the time to really target your company they've put together an entire process right they've 
they've kind of come up with a business plan for how they're going to extract money from your company they'll usually acquire a look-alike domain because if they can at some point they're hoping to interact with you it's not just a one-shot deal they're not just going to send you an email and it's done they're typically going to send you an email with the hope that you're going to respond and what happens is you get a conversation going and that conversation make turn into an email back and forth oh yeah here's the information please send I'll verify once I've gotten the money and it may turn into phone calls hey I want to call you make sure that you've got the right information anyway so they'll start a conversation well if they're going to are going to reply to them in their email and their spoofing your CEO obviously you can't reply to your CEO with email right they're going to change that up so that you're replying to them but it looks enough like you're replying to your CEO that you don't catch on finally there is there is the possibility and occasionally we do see it happen where we see an actual compromise of an endpoint and in those cases the email isn't spoofed it's really coming from the place that that says it's coming from it's just not coming from the people you think it's coming from so in one case we've had a two or three of our business partners who were breached and their email system was used to send email to us to try and extract money well because it was a legitimate partner that we do business with on a regular basis it went right past our filters right because we had that we had their domain whitelisted as an approved email sender for us so they got in they made a request and the problem was they were in control of the email account so we caught it before it turned into anything but it was a lot harder because it got through a lot of our defenses and so when you get an actual breach involved it does make detection harder that's something to 
keep in mind and one of the things we did is once we realized we'd take a look at the email headers this is where if you if you haven't done a lot of email header analysis and unless you're a forensic investigator or a government agency someone involved in investigations you might not do a lot of email analysis there was a webinar I did last week on forensic analysis of email headers talks about what you need to look for what information you can gather by looking at email headers because it's useful it helps you understand if hey my partner might have been breached I probably need to call them and say hey it looks like somebody's really fraudulently sending email from your domain so what happens if they get a lookalike domain so lookalike domains are very common and some of these are hard to spot the longer your domain name is that easier it is for me to put something in there that is going to get missed alright so here's a great here's a great example abacus property in Australia fairly large company right if I take out the are how many people would notice that right are you that paying that much attention to the address on the email that you would catch that or what about this this is a common one this is probably in Singapore this is this is probably of one that people should pay attention to substituting a queue for a G is the most hard to detect substitution you can have in it in a URL or an email address it looks so close that almost nobody will catch that I'm actually going to show you this Singapore an example of Singapore domain ownership in just a second using dashes this shows up a lot right where they actually use the correct words in the correct name they just put a dash in there all right see it depends on how well your users are paying attention to who they're sending the email to and the other is they'll do stuff like with the end of the domain right instead of com bill use Co which is Columbia's national domain registry right so they'll see oh now 
this is a you'd think that this is something people would catch a lot of time they do but it's close enough and if you've gone out and talked to a lot of your users you are all IT people like that you're probably most you're probably IT security savvy most of your end users know how to do what they have to do for their job on their computer and that's probably about as far as it goes unless they're in their 20s and then they know a lot about social activities they know a lot about Twitter and Facebook and how to get on there and they know nothing about security because their entire life on their social media okay so let's take a look at Singapore dot air we take a look at Singapore air this is the actual Singapore dot air registry so if you go out to who is and you look up their registry you can see who owns that you can see how long they've owned it they've owned it for a long time 1995 germane register and the organization's Singapore Airlines Limited if you go out to Singapore air with the queue instead of the G you can see that this is registered through two cows and that the registrant name is this two prints technologies right this to print I would go as far as to call vistaprint notorious for hosting scamming domains if I see somebody who's put a lot of effort into setting up a fraudulent domain mr. 
prince is a Canadian company they allow a free 30-day domain any domain you want and get three you can get for free for thirty days and have low low cost hosting and so I see I see Vistaprint show up on a lot of very targeted email compromised schemes so just come something keep aware of so the other thing that's interesting is this particular domain Singapore air comm is offline so if it weren't I would I would make note of that here I don't know if anyone from Singapore air happens to be in the room but that domains offline the REIT the fact that it is offline makes me suspect that at some point there may have been an incident related to this domain and Singapore air took action to get that domain taken down just guessing sharp mail this is an example of spoofing as a service right so you don't want to go to all that trouble of scripting up your own solution to modify email headers and create a custom email or you don't want to have to get into building your own package you know you want to stay simple well sharp metal offers that to you you can go to sharp mail you can register with them you can spoof most of the header fields I'm trying to figure that there's legitimate business purposes or legitimate individual purposes for this and I'm sure that that's probably okay mostly not true it's mostly a lie but I think they're probably cases anyway so you see this come up a lot and with tools like that you can legitimately send an email pretending to be anybody oh my gosh who is that oh look at that the Prime Minister of India thought I wished me good luck on this talk how nice is that I didn't even know he knew me and if you look at the email headers oh my gosh look it's right it's from India guys from Diane it's actually from Hamlin that's awesome right so that's convenient because there's a difference between what what a user see oh sorry a little wild there his wrong button there's a difference between what a user sees in the from field and in this particular 
case the header fields are all actually if I replied to the CMS email message it went back to him and he would have it what is this guy how did he get this email who sent this right but so that probably wouldn't have gone over very well because then I would have gotten a phone call and it would have been Pleasant but a lot of case cases what happens they change out some of the values and I'll talk about why that happens so in the email header structure there are there's a field for to like who's this email going to there's a there's like who is this email coming from there's a from field but there's also a field called reply to and reply to will override the from field if it's in the header so that's why you can have an email that looks like it's from one person it looked it may legitimately have your CEOs email address in the from field that the user sees and then as soon as they click reply to the reply to will go to a different place and the reason is because the reply to header over writes a from header it overrules it right so if those values are different it'll go to the reply to address and in this case this is a good example we've seen several cases of this where what they did is like here's blue gem at sender right this is the real address they sent it there in the email message that's what the person saw as soon as they hit reply this is the email address that showed up right and mail calm another very common place to see these go-to people register these domains mail calm and they set up a recipient email address it's very easy to do I wouldn't say that their intent is to be bad I just think they facilitate it through the way they've established their business so and what they'll do is they'll change the naming convention so in this particular case it's bread at Cogswell cogs calm they'll put bread Cogswell cogs at mail so they're hoping that when someone hits reply to you because it looked like a trusted sender in the original message that they don't 
they don't pay attention or don't pay close attention to who that reply went to SMTP relays if you have an open relay the challenge with open relays is it obvious gates at least for the last hop where an email came from right and that can allow people to do things like bypass certain types of email security controls you might have in place it can make it look like it was an internally generated email when it wasn't because the email came through your email system or it came from your email servers and trusted senders this this doesn't happen that often but if you want to stop it from happening at the back of this presentation I provide links to several different tools that will allow you to test your domain for open e mail relays it's very easy to do if you don't have your own tools there's web-based tools that will allow you to do that and if you'd if you download the presentation off of off of The Blackout website you can go to the last page and it's got links to those tools that's not actually the most common mechanism though trusted senders is the most common mechanism I see trusted senders are ISPs Internet service providers hosting providers like a Let Go Daddy for instance right where you can go register domain the problem with you registering a domain on GoDaddy if you're if that's where your domain lives and a bad guy wants to leverage it is all of the emails that come out of the various GoDaddy domain domains go through their consolidated group or their consolidated set cluster farm however you won't look at it of email servers so no matter what domain within their space generated the message it gets stamped by their email servers going outbound and so it all looks the same if you want to demand a new owner domain you own a domain you send emails that first hop out of the email system all looks the same to the recipient right so what happens is they'll get and the other thing is is it's generally accepted practice within most email security tools to have 
what's called trusted senders because lots of groups use them lots of legitimate businesses use them and so places like and again I keep saying GoDaddy there's nothing wrong with GoDaddy I've actually found them very responsive when there's been security incidents but I'm just saying they're a common place where we see attackers will set up a domain or or like Vista prints they'll set up a domain and there there's some reasons which we'll cover why they use that how they optics gate things but this becomes a problem because you can't block everybody on GoDaddy you can't block everybody at Microsoft comm you can't stop everyone who's on office 365 is using the same set of email server IP ranges right you can't just block all of office 365 and that's the problem that you run into in these shared hosting environments all right so here's an example this is a legitimate example they went to a lot of trouble to try and get money out of our company so one of the things they did is they want to sound very ha bad bad email they went to the trouble saying this is a this is being supervised by the security Exchange Commission so it's must be legitimate a government agency is watching this so trust it don't leak any information don't share with anybody because then somebody might ask questions and that would be bad and I need this today so we don't have time to discuss this and talk about it what's interesting in this particular account is they then follow up with a second email saying here's the money we need and the bank information is going to be provided by a third party now this is really clever for an attacker because this sets up the opportunity for a completely different set of email transactions with different email addresses that no longer have to try and spoof your internal email communications these works were spoofs of an internal email they were using they were using in this case I think it was a chief financial officer they were spoofing them to start the 
communication process, but they hand off. They're going to hand off to Mr. Gordon from Deloitte, right? So now you can start an entirely separate email chain, an entirely separate conversation, and you don't have to keep trying to impersonate the domain and get caught at it, right? And what happened is Mr. Gordon called our finance office and said hey, did you get the email, here's the information I want to talk to you about. Well, the finance person in our organization had some questions that we run through when people are asking for transactions, and he stumbled on those questions, and so they immediately said okay, I need to put you on hold for a minute while I investigate this. Because of that, and because of our business process, it stopped right there, right? But this was very interesting, the way that they did this, because they did a handoff of the email names and who was being involved, so it makes it harder: one, it makes it sound more legitimate, and two, because you can hand off, you quit spoofing, you're less likely to be detected by people identifying a mismatched domain.

So this is another good example, of data extraction, right, where someone contacts, in this case they contacted our HR department, and they said this was the CEO. He said we're under audit from the government, and basically the basic body of the message was right here, which was send me all the W-2s for all of our current employees. And leading into that was another paragraph talking about the fact that we were under a government audit and it was necessary to gather this information, we had to provide it to the auditors, it needed to come from the board of directors rather than from HR, that's why it was being requested by the CEO. So they had an explanation, right, there's a story. And you can see in cases like this, it ended up in Bloomberg News: Seagate Technology, our favorite hard drive company, in March of last year sent all their employees' information based on a request just like this, right? So you might think that people would catch that or be suspicious, but it happens all the time.

All right, another thing we see is, when we talk about email compromise, if we're going to talk about breach-related compromise, right, how does something get into your system? Endpoint protection is getting better now. There's lots, I came out of pen testing, I'm probably more technical than the average CSO, I grew up in software analysis and pen testing, and there are very few systems that, given the right time and effort, you can't get into. But it's getting better, it's getting a little harder, right? So some of the ways they're trying to get past things like email defenses are, you know, they know if you just put the link in the email that's typically going to get caught as a malicious link. If you embed a malicious document, a lot of standard document formats are getting scanned or outright blocked, right? So most companies won't allow an exe to be sent to their employees, most companies will scan Word documents for active macros, those kinds of things, and block them. But what we've seen of interest lately is this idea of link embedding, and in some cases they made the embedded link an image file, and then the image file had an embedded link, but they made it look like an attached document, right? So we had a case like this come in. It set off all the alarms; it got through our email system at one point, and all of our red flags went off when a user clicked on this, and we went back, we're doing the forensic analysis, we're like, how did a zip file get through our system, we don't even allow zip files? Well, so then we figured out one thing: this isn't a zip file, this is a picture of a zip file with the URL link in it, right? So it took us a little bit, because when we first saw this I was like, that's not possible, right? So this is what people are doing, because it's getting harder. Most email
security gateways and other tools are not good at embedded link analysis. So they're good at analyzing a link that's directly in the email, they're pretty good at identifying active content, scripting or executables, they're not so good at digging down into the embedded URLs. And another vulnerability, I guess I would call it, in some of the tools that do do analysis of embedded links is they have link limits, right? So if you make your URL long enough they quit trying to analyze it. It sounds stupid, but they do; they actually have limits on some of the tools that conduct link analysis. So, you know, talk to your vendor, ask them about it.

So how do you stop this, right, or at least make it harder to be successful? So, like a lot of attacks, this relies on three different things: it relies on your people, your business process and your technology. If you can stop this attack with any one of those three things, the whole thing will fall apart, right? You don't have to do all of these, right, just do one of these, right, all the time, or do a combination of these things at different times, and you can stop this attack. So we'll take a look at each one.

So your people. People are the weak link, right, because you can't get them to respond consistently, you can't get them to pay attention during your training, they ignore the emails from your security department. And I know that never happens, I know your employees are different, I'm sure that that's true. One of the things I tell people is, if it doesn't feel right, contact someone. Contact your security department, contact your manager, say hey, I got this email, I don't know what it is, but this doesn't feel right, it doesn't seem like our normal transaction requests that we get from this business partner, right? Get them comfortable with asking and saying, I don't know why, but this doesn't feel right. Or normally they would have some other type of hello, hi, how are you doing, because we interact with them all the time; this was very dry, didn't seem right. Right, so if it doesn't seem right, ask.

Carefully review the From and the To field when replying. So a lot of times, depending on how technical or how dedicated the attacker is, sometimes they don't even try. They'll say in the email body, I'm the CEO, please send me money now, right? Maybe a little more complicated than that, but if they look at the To field, it's clearly someone at gmail.com, right? That's not even trying. So if they pay attention, you can catch some of them that way. The other thing you can do is, when you hit reply, it may look legitimate in the To field, or the From field that you got it from, but when you hit reply, before they send, especially if it's related to disclosing information or handling financial transactions, carefully look at who the email is going to, because it may be different.

Also, here are the three things that your employees should have red flags for: anything that involves them in funds transfers, asking for sensitive information, or if they're told it's urgent and needs to be done outside of our normal business process, right? So if you typically have a business process for handling how you're going to transfer funds, how you're going to disclose information, and you get an email and it says this is urgent and we have to skip our normal processes, that's warning, warning, danger, danger, right? That's normally a pretty good warning sign. So the other thing, and this is more going back to the compromising of endpoints, never tell your users... you know, maybe little electrodes that shock them if they try and open up a document and enable the macros: no, bad employee, don't do that. Also, unusual fund transfers, information requests, previously established contacts: if you get a request and it doesn't feel right, don't use the phone number in the email, don't use the email in the email you've got. If it's a company you do business with,
an organization that you do business with, or a government agency, find their phone number, the contact information, outside of that email chain and verify the transaction, right? Verify that this is really something that they're requesting.

And finally, hovering over links. This is if you don't have link rewriting. So certain tools, like Proofpoint, Microsoft's Advanced Exchange Online Protection, will allow you to set up link rewriting. They will rewrite a link, and if the user clicks on it, it will go through a sanitization process to verify that the site is accurate, assuming there are not too many hops in the site. But if you don't have that, you can teach users to hover, not click, that is, hover over a link to see where that link is sending them. So the link might say hey, click me, I'm harmless, but it really goes to evilsite.com, come here for bad stuff, right, your PC is my PC.

Okay, processes and policies. Make sure that you've got a good policy in place for how you're going to handle financial transactions, information disclosures outside the company, and that your business processes, how you go about doing these things, align to your policy. So having a policy and then not building a business process which reflects that policy is not very helpful, because when people go to do their jobs they're not typically going to go, what did the policy say about doing that, was it step 14, I should go look that up. Nobody ever does that, right? But if your day-to-day business process is an incorporation of your policy, so that the process that they do every day reflects that, then when it's outside of the process they'll understand, they'll see right away, this isn't normal, right?

So the other thing is, you can test your users, right? I'm sure that we can find a vendor. I listed a few here; I don't actually have any one I'm trying to promote, as in, you know, these guys are awesome. I know that there are vendors here that provide the service, but testing your users to ensure that they understand, right? You can give them passing grades; if they open up two or three of these emails you can send them back to the training, they get the slap on the hand, or you get the reward, whatever incentive, however you want to work it. But it will help, one, it will help provide data back to your executives: how bad is our company employee base at identifying fraudulent emails versus realistic emails? Because if you can show them that wow, we're really bad at this, 95 percent of people click the email that says whatever you do don't click this, that may help you get some funding for additional user training, right? So this is not just to use it as a way of identifying all the bad users you need to retrain, but you can also use this to help establish where do you need to be funding to get improved performance from the security control of your users. Because people are probably the weakest link; they're also the strongest link we have if they're well informed, and I'll talk about that later.

Another thing, a lot of companies I've worked with have the idea that to tell users that we have a problem is to acknowledge something's wrong with the company, right? So what these companies will do is, every time they get a breach, every time they have an email compromise, every time something happens, they're like no, no, don't tell anybody, it didn't happen, right, our users need to feel comfortable and safe. Okay, that's wrong, that's a misunderstanding, it's a bad idea, because when your users feel safe and they get a fraudulent email they don't question it. Because why? Because the IT security department is protecting us, they wouldn't let anything bad through, so this must be okay, right? So communicate out to them when emails get through a system, like maybe you get hey, 5,000 users got this email, we know this email is problematic, let them know, right? We communicate very actively with our users so that they know hey, things get
through. We will do everything we can to protect you as a community and as a user base, and protect our company, but this is complicated and things get through, right? And you can also use your own free phishing tools; here's an example of one you can use.

Email security gateways. Email security gateways would be something like Proofpoint; Symantec has one, FireEye has one, there's a whole collection of companies that offer email security gateways. They do two things. One is they do generic spam prevention, right? So they're checking for known senders, known bad IPs or URLs that generate spam on a regular basis, and they'll just block those, right? So normally you would get twenty million emails a month and 19 million of those are "would you like to buy Viagra", right? So they will sort those out, so that the ones that get through are less likely to be fraudulent scam emails. Not preventive, but less likely. So that will filter out the spam-type stuff, the very generic stuff. And then the second thing they do, depending on the email security gateway you have, is they'll implement additional things. They'll make comparisons within the headers; they'll say hey, does the From and the Reply-To actually match, do the various aspects of the domain... so I'll talk a little bit about SPF, DKIM, DMARC, which is probably the most misunderstood set of email technologies on the planet, and I would say that 65 or 70 percent of the articles I've read about these on the Internet are actually incorrect. So we'll talk a little bit about that, and I'll give you some resources to go find out more information from good resources that talk about these. But implementing these is challenging, and making them effective as a protection mechanism can be even more challenging. But if all the stars align and you and your partners all agree to do the same thing, could this technology help you? Sure. Is it really, truly implemented at a level that makes it helpful today? Yeah, not so much.

Okay, some providers also offer additional zero-day protection, like Microsoft Advanced Exchange Online Protection. That's different than their standard; like, if you get Office 365 you get Microsoft online protection as part of your package, that's their baseline email security gateway. However, for a little extra money depending on the size of your company, or a lot of extra money depending on the size of your company, you can sign up for their Advanced Exchange Online Protection, and that offers a couple of important features. Those features compete with Proofpoint's Targeted Attack Protection; I think they were kind of the leader in this space, where they would sandbox emails. So they might deliver the email, and about the same time they'll sandbox it and they'll execute the payload and see what happens. The other thing they do is they'll do URL rewriting, and the URL rewrite will put the Proofpoint or the Microsoft box in the middle of any link that's embedded in an email. So if you click the link it'll go to the security gateway system, the security gateway system will follow that link to see where it goes: does it land on a site that looks to be malicious, does it try and execute a payload, is it a known bad site? And if it is, they'll immediately block the email, similar to what a web security gateway would do if you had a Forcepoint web security gateway. They have some similar characteristics to that, but specifically for email-embedded links, and they'll block those for you. So an email security gateway is a very valuable tool. The other thing I would suggest, if your company has the budget for it, is to have more than one security gateway in line, because, like a lot of security tools, while they do a similar task, the mechanisms or the details of how they execute that task are different. And so while this tool might block 85% of the stuff, and
they're blocking this range, and the next tool blocks 85%, but they're blocking this stuff. So now you've just picked up... like, they overlap in some places but they don't overlap in others. So it's very similar to if you look at vulnerability analysis tools; a lot of vulnerability analysis tools are similar to that.

Okay, so SPF. SPF, if you go out and read articles, there are lots of articles on the Internet, which is our friend, nothing on the Internet is ever false, we all know that, and lots of things on the Internet will tell you that SPF will prevent domain spoofing. Wow, great, I'm going to implement SPF and nobody will be able to spoof my domain ever again. Like that, exactly, that's a good reaction, because that's not true. What SPF does is SPF checks the Return-Path, which is a header field that basically says, if this email cannot be delivered for some reason, right, so I delivered it and the email box no longer exists, the Return-Path is where your email server will send notification that says this wasn't deliverable, right? That's all it does. It doesn't prevent them from modifying the From field and faking that, it doesn't modify that, it doesn't keep them from putting a different Reply-To email address. None of the things that are the most commonly manipulated fields that make business email compromise successful, SPF doesn't stop any of those. However, attackers are aware that SPF is in play, and so it's probably one of the most frequently spoofed values outside of what the user sees. Once you get into the email header itself, SPF, the Reply-To, which is what SPF uses, gets spoofed a lot. And the reason, this goes back to earlier, I talked about how attackers will host in shared hosting environments like GoDaddy or on Microsoft or like Vistaprint or like Google, right? They'll set up an email address there and they'll communicate from that location. The reason that they do that is because, let's say GoDaddy is victimized by this a lot, right? What'll happen is they set up a domain; their domain is going to go through the same Exchange server as somebody else's. So what they'll do is they'll go out on GoDaddy and they'll find a parked domain. Does anyone know what a parked domain is? A parked domain is a domain that's been set up by somebody, maybe they set it up a few years ago, you can go on here and you can see how long the domain's been alive, and they either took their site down or they never set it up or whatever, but it's still there, it's registered, it's live, it's active on GoDaddy, but if you go to the site there's really nothing there, right, nothing going on, obvious anyway. So what they'll do is they'll find these inactive sites, and then in the Return-Path they'll list the inactive site. So if they send an email out and they do an SPF check, they sent it from somewhere else within GoDaddy, but the SPF check will say, well, did this come from GoDaddy, and it'll say yes. And if you decide you want to investigate further later, you can't really tell, because GoDaddy obfuscates what happens behind the scenes. You can't tell what domain actually generated that email, right? All you can see is that it hit the GoDaddy email servers, and that's as far as a forensic analysis of an email header can take you, right? After that you're on the phone with GoDaddy saying hey, this looked like a problem, I need your help in figuring out what happened, and they will be responsive, they've got a responsive security team. But because of the fact that all the domains share... and this is true, I keep saying GoDaddy, but there are lots of other hosting providers, I just try to stick with not having to have fifty-seven names in my head; all of them will use a single set of email servers to send out emails from the thousands of domains that they have. And so one of the ways the attackers will try and throw people off is they'll change the Return-Path to another domain that's in that same co-hosted environment
so that throws off your forensic investigation later, if you want to figure out what really went on.

DKIM is a little different. DKIM is a digital signing of an email message. It verifies the originating source of the domain, but again, what it's verifying is the sending domain based on what the email server sees, not what the end user sees. So there's a set of headers; I mean, if you look at a set of headers within an email, they're very long, and you can see every server that handed it off to every other server, what their IP was, what the domain was, what the process they went through. So what happens is, in that set of stuff they do a verification, and they basically do a signature, that's a hash, an encrypted hash signature, that says here, I'm digitally signing this, this email's coming from my domain. They have a public/private key set up. But what it doesn't do is it doesn't protect what the user sees, right? So you can still spoof the From address, you can still spoof the Reply-To. This just... and it depends, I guess I should say it depends; they can digitally sign different aspects of the message, right? And DKIM, I would say it's probably one of the most complicated email technologies to implement, and when people do implement it, a lot of times they do it in a very soft way. So even though you could do some things with DKIM that might help with fraud prevention, most places don't implement it that way, and very few places have implemented it at all, which is another problem, right? So if you're trying to set up a hard check that says hey, if somebody fails the DKIM check I'm going to reject the email, well, that would be like 90% of the Internet does not have DKIM set up, right? So you're blocking everybody's email because they fail, because they don't have one. And what you could do is you could set up some other rules, you know, like if they don't have one, let it through, but if they do have one and it fails... anyway, so it gets complicated.

DMARC. If you implement DMARC, which requires SPF and DKIM, DMARC actually by default does a verification of the From address. It matches the From address to the DKIM record, it matches the From address and the Return-Path, so it covers all the bases, and it legitimately can stop spoofing of your company. Again, it requires all of these other steps, and one of the other problems that we ran into in implementing this is a lot of your business partners will either not have this implemented or will have it implemented incorrectly, right? So once you create these, these are all DNS records basically, or based on DNS records. What that means is you've got to keep them up to date, right? So you stood up a new server, they allocated a new IP for it, and it's going to be joined to your server farm for sending email. You didn't update your DNS record for your SPF or your DKIM, and now it's getting blocked, because it's an IP-based check and the IPs don't line up, and so now you're blocking your legitimate customers' email. And that's when you get a call from the CEO that says hey, my buddy over at this other company just called me and says he's been trying to reach me for a week and I don't have any emails from him, what's going on? That's not a call you want to have, trust me. I mean, I'm not saying I got that call. Okay, maybe I got that call. So it's just not a call you want to have. So when you're doing this you have to be very careful. So one of the things you can do is, instead of setting up a failure to go to just block, period, you might have failures go to a security box where you have somebody who's monitoring, checking, looking for anything that looks like hey, maybe we should make sure we forward this on before somebody calls us.

All right, another thing you can do, and it's very simple within most email security gateways or even within the Exchange system, is to add a label to the subject line that identifies emails that came from outside your company. Right now, this is just kind of a heads up
for your users. You didn't block the email; this will not completely idiot-proof your email, there are still people who will see "external" and pretend it doesn't exist and just respond to the email, right? But this makes it a little easier to help them try and see that this is an email that, even though it says it came from CEO at ourcompany.com, well, if it did, it probably wouldn't have that on there, right? So you teach them that. It's not that hard to do. One of the things you will have to do is you'll have to set up some rules within your Exchange system or within your security gateway that strip it out, so you don't end up with external, external, external because you replied back and forth with somebody like three or four times. So you want to be able to strip those things out outgoing so that it doesn't keep showing up over and over. I've seen that happen with people trying to implement this and they don't put the stripping rule in, so every time your email comes back it adds an additional one, and pretty soon the only thing you see in the subject line is a bunch of externals; I don't even know what those emails are about, right?

So, okay, email security gateways. Another thing you can do is you can blacklist, and this is something you can do in Exchange, and if you download this presentation, in the backup slides I walk you through how in the current versions of Exchange, if Exchange is your edge server, right, if that's what's on the edge delivering email for you, or you might have a security gateway that's your edge system, whichever it is, I walk you through both. For Office 365 and Exchange 2013 and 2016, I'll walk you through what the rules are that allow you to blacklist a domain. So if somebody's coming from the Internet and they're pretending to spoof your users, in the From field it says CEO at yourcompany.com, you can set up rules that say hey, I'm blacklisting my own domain: if you came from the Internet and the From field says it's coming from my internal domain, I'm just going to refuse to deliver it, right? Now the caution when doing this is, communicate to all of the business departments in your company and find out who they've authorized to send on their behalf, because lots of benefits providers, insurance companies, health programs, employee benefits, a lot of those groups have been delegated authority; they'll send as if they're your HR department or your finance department, but the email's being generated from out on the Internet. So what you have to do is you want to ask all those questions about okay, who has email sending for us, right? You also have to look for things like print services, like you've got a remote office and they've got a print server, and that print server can send email, and so it generates its own little email service and goes out; have you whitelisted that? The other thing is, once you've done asking your questions and kind of built what you think your whitelist is, then you implement it with no fail, but an alert, for like a month or more, so that you can see all the stuff you missed, because there'll be a bunch, right? There'll be a bunch of emails coming in from your domain, and you'll have to weed through them and start saying okay, is this legitimate, is this not legitimate? It'll take you a while to get down to a list of truly authorized senders for your domain, but once you do, you can implement a blacklist that says we're going to blacklist all of these people that come from the Internet. It's kind of a whitelist/blacklist combination: you blacklist them, if it's stuff that is generated inside your network... you blacklist it if it's stuff that's outside your network, you whitelist it, saying it's okay, we know that these are allowed to come in impersonating our domain, you whitelist it. So it's kind of a combination, and you create the exceptions, right?

Okay, deleting. Exchange Management Shell. Exchange Management Shell is a very powerful tool,
so let's assume bad emails are going to get through, right? I'm pretty sure they will. So when they do get through, do you have a process? Is your security team and your Exchange team well integrated, so that, let's say 5,000 emails got through to your users, you know that these emails are not just spam, they're malicious, they're carrying a malicious link or a malicious payload, and for whatever reason it got past your defenses, right? Well, you can call or email every user saying please delete that, right, which is going to be hard to do, and the problem is they don't pay attention anyway, if they answer the phone or if they read your email. So what we do is we do notify users, we send them a follow-on email, but the other thing we immediately do is we immediately engage our Exchange incident response team, and we've established the processes for how we identify that email in the system. And it's not like a simple query, because you think okay, I'm going to look for the subject line; well, what if they used a subject line that commonly occurs in your business? Okay, well, I'm going to use the sender; what if they impersonated a sender? It's not as easy as you think it is. You typically have to do a set of queries that get you to the right list, but then you can mass delete them. A lot of times they're gone out of people's email boxes before they ever had a chance to be exposed. In the back of this presentation slide I walk you through how to do this.

Okay, last: report it. If you have an event, report it. It's important for a couple of reasons. One, it gives you a chance to potentially get your money back, right? So contact your financial institution, have them contact the financial institution where the money went. If you can do it fast enough, before the money's withdrawn, you might get it back. So that's one thing. Two, if you report the loss to whatever government agency in whichever country you're operating in, they'll keep track of this. So maybe your loss isn't big enough to make a case, or they don't have enough information, but maybe your loss, your loss, your loss and your loss, which all have indicators back to the same perpetrator, do make a case, and then they can go after somebody. Maybe they can get your money back, and maybe it's just the person ends up in jail, right? So it's important to report it if you want, one, to have a chance to get your money back, and two, if you want to keep other people from being a victim.

And that's it. So thank you very much, and I'm running pretty long on time, but I will be around afterwards, I'm happy to answer questions for anybody. And also, if you're interested in email header analysis, which I don't cover here but gives you a lot of other information, I've got a whole other presentation I'm happy to share with you; you tell me you want it, I'll send it to you, I'll send you a link to where you can get it. Hopefully, it's a Black Hat presentation, I think they posted it, so I guess I should verify, but I think I can share it with you.

Right, yeah, yes. So if you did that, that's a problem for email security gateways, right, because the email security gateways have to do a certain number of hops. Like, that basically creates an extra hop in the process, so it really depends on the security gateway you're using: how far does it go, does it just go to that URL, or will it follow forwards, right? So that becomes a problem. Like, what happens is an attacker will compromise a domain somewhere and they'll set up a forwarder, so you'll get a link to a somewhat innocuous domain which isn't hosting anything malicious, but they've compromised that domain, at least compromised the web server enough to set up a forwarder, and the forwarder will send them on to the malicious domain. So some email security gateways will account for that and will follow a certain number of hops; they all have a limit, though, on how far they'll go. But we've seen several cases of that particular thing, where basically they used either a URL shortener or they used a compromised website with a forwarder to try and get past this. So those are things to be aware of, and really you need to have a conversation with your tool provider and say okay, if we have this situation, how do you guys account for this?
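The header checks the talk keeps coming back to (From versus Reply-To when the user hits reply, From versus Return-Path in the parked-domain trick, a message that claims an internal From address but arrives from the internet with a whitelist of authorised external senders, and an external subject tag that must not pile up across replies) can be expressed as a small triage routine. The block below is an added example written for this transcript; it is not the speaker's code and not any Exchange or gateway product's rule syntax. The internal domain, relay ranges, tag text and the two sample messages are constructed values chosen for illustration.

```python
"""Header-mismatch triage for business email compromise lures.

Added example, not code from the talk or from any product it names.
It implements the checks the speaker describes in plain Python:
  * From vs Reply-To domain mismatch (what the user reads vs where a reply goes),
  * From vs Return-Path domain mismatch (the parked-domain trick),
  * a From address in our own domain arriving from the internet, unless the
    relay is on the list of senders authorised to send as us,
  * an [EXTERNAL] subject tag that is applied once and stripped on the way out.
Every domain, IP range and message below is a constructed sample value.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumed organisation settings (constructed for this example).
INTERNAL_DOMAIN = "example.com"
INTERNAL_RELAYS = [ip_network("10.0.0.0/8")]                 # our own mail servers
AUTHORISED_EXTERNAL_RELAYS = [ip_network("203.0.113.0/24")]  # e.g. a benefits provider
EXTERNAL_TAG = "[EXTERNAL]"


def _domain(header_value: str) -> str:
    """Lower-cased domain part of an address header, '' if absent."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def _in_any(ip: str, networks) -> bool:
    """True if ip falls inside any of the networks; unparsable input counts as no."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def triage(raw_message: str, edge_ip: str) -> list:
    """Return the red flags raised by one message.

    raw_message: headers and body as received (RFC 5322 text)
    edge_ip:     address of the host that handed the message to our edge server
    """
    msg = message_from_string(raw_message)
    from_d = _domain(msg.get("From", ""))
    reply_d = _domain(msg.get("Reply-To", ""))
    return_d = _domain(msg.get("Return-Path", ""))
    flags = []

    if reply_d and reply_d != from_d:
        flags.append(f"reply-to domain {reply_d} != from domain {from_d}")
    if return_d and return_d != from_d:
        flags.append(f"return-path domain {return_d} != from domain {from_d}")
    if (from_d == INTERNAL_DOMAIN
            and not _in_any(edge_ip, INTERNAL_RELAYS)
            and not _in_any(edge_ip, AUTHORISED_EXTERNAL_RELAYS)):
        flags.append(f"internal from-domain spoof via external relay {edge_ip}")
    return flags


def tag_external(subject: str) -> str:
    """Inbound rule: prefix the tag once; a reply that already carries it is left alone."""
    if EXTERNAL_TAG.lower() in subject.lower():
        return subject
    return f"{EXTERNAL_TAG} {subject}".strip()


def strip_external(subject: str) -> str:
    """Outbound rule: remove every copy of the tag so replies do not pile them up."""
    cleaned = re.sub(re.escape(EXTERNAL_TAG), "", subject, flags=re.IGNORECASE)
    return " ".join(cleaned.split())


# Constructed sample messages (no real addresses).
SPOOFED_CEO = (
    "Return-Path: <bounce@parked-domain.invalid>\n"
    'From: "CEO" <ceo@example.com>\n'
    "Reply-To: ceo.example@mailbox.invalid\n"
    "Subject: Urgent wire, do not discuss\n"
    "\n"
    "Need the funds sent today.\n"
)
BENEFITS_PROVIDER = (
    "Return-Path: <bounce@example.com>\n"
    'From: "HR" <hr@example.com>\n'
    "Subject: Open enrollment reminder\n"
    "\n"
    "Enrollment closes Friday.\n"
)

if __name__ == "__main__":
    for flag in triage(SPOOFED_CEO, "198.51.100.7"):
        print("FLAG:", flag)
    print("authorised sender flags:", triage(BENEFITS_PROVIDER, "203.0.113.5"))
    print(tag_external("Re: " + tag_external("Invoice")))
    print(strip_external("Re: [EXTERNAL] [EXTERNAL] Invoice"))
```

Run this as is and the spoofed message raises all three flags, while the same HR message is clean when it comes from the authorised range and flagged when it comes from anywhere else. The whitelist-then-blacklist order mirrors the talk's advice: run in alert-only mode first, fill `AUTHORISED_EXTERNAL_RELAYS` from what you find, and only then treat the last check as a block.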