Email Spoofing
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity. This behavior may succeed when the spoofed entity either does not enable or enforce identity authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance (DMARC).(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC) Even if SPF and DKIM are configured properly, spoofing may still succeed when a domain sets a weak DMARC policy such as `v=DMARC1; p=none; fo=1;`. This means that while DMARC is technically present, email servers are not instructed to take any filtering action when emails fail authentication checks.(Citation: Proofpoint TA427 April 2024)(Citation: ic3-dprk) Adversaries may abuse absent or weakly configured SPF, SKIM, and/or DMARC policies to conceal social engineering attempts(Citation: ic3-dprk) such as Phishing. They may also leverage email spoofing for Impersonation of legitimate external individuals and organizations, such as journalists and academics.(Citation: ic3-dprk)
Контрмеры |
|
Контрмера | Описание |
---|---|
Software Configuration |
Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures: Conduct a Security Review of Application Settings: - Review the software documentation to identify recommended security configurations. - Compare default settings against organizational policies and compliance requirements. Implement Access Controls and Permissions: - Restrict access to sensitive features or data within the software. - Enforce least privilege principles for all roles and accounts interacting with the software. Enable Logging and Monitoring: - Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity. - Integrate logs with a centralized monitoring solution, such as a SIEM. Update and Patch Software Regularly: - Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities. - Use automated patch management tools to streamline the update process. Disable Unnecessary Features or Services: - Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs. Test Configuration Changes: - Perform configuration changes in a staging environment before applying them in production. - Conduct regular audits to ensure that settings remain aligned with security policies. *Tools for Implementation* Configuration Management Tools: - Ansible: Automates configuration changes across multiple applications and environments. - Chef: Ensures consistent application settings through code-based configuration management. - Puppet: Automates software configurations and audits changes for compliance. Security Benchmarking Tools: - CIS-CAT: Provides benchmarks and audits for secure software configurations. - Aqua Security Trivy: Scans containerized applications for configuration issues. Vulnerability Management Solutions: - Nessus: Identifies misconfigurations and suggests corrective actions. Logging and Monitoring Tools: - Splunk: Aggregates and analyzes application logs to detect suspicious activity. |
Ссылки
- Proofpoint. (n.d.). Retrieved March 24, 2025.
- Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.
- FBI, State Department, NSA. (2024, May 2). North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts. Retrieved April 2, 2025.
- DMARC. (n.d.). Retrieved March 24, 2025.
- Cloudflare. (n.d.). What are DMARC, DKIM, and SPF?. Retrieved April 8, 2025.
- Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
- Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.