A Maginot Line in Cyberspace: The Binding Operational Directive BOD-18-01 DMARC Mandate
Robert Zager
On 16 October 2017 the Department of Homeland Security issued Binding Operational Directive BOD-18-01.[1] Among the measures mandated in BOD-18-01 is a requirement that federal agencies adopt Domain-based Message Authentication, Reporting & Conformance (DMARC) to defend the federal government against phishing. The DMARC mandate has been positively received by the cybersecurity community.[2]
Although DMARC is a good step to enhance some aspects of email security, DMARC does not solve the phishing problem. Adversaries routinely overcome the protections afforded by DMARC.
DMARC is an email authentication standard.[3] The purpose of email authentication standards is to vest the owner of a domain name with exclusive control over emails that are sent in association with that domain name. The domain name owner exercises this control through the Domain Name System (DNS) infrastructure using the email management fields in the DNS record. One of email authentication’s features is the ability to publish authentication-based delivery instructions to email recipients. These instructions include telling the recipient that when emails fail email authentication, such emails should not be delivered to recipients. Before the advent of DMARC senders were reluctant to give definitive delivery instructions to recipients because email authentication standards, at that time, lacked efficient reporting mechanisms to track email authentication errors and delivery results. DMARC remedied the fear of publishing definitive delivery instructions by adding reporting mechanisms as part of the DMARC standard.
DMARC also addresses another problem with the control of the domain name that exists in prior email standards. Every email has four groups of sender elements. These are:
- The Display Name - free-form text entered by the sender for display to the recipient.
- The angle_addr - the email address entered by the sender for display to the recipient.
- The Sending Domain - the domain name of the sending server, entered by the sender, which is displayed to the user in some email systems.
- The IP Addresses - the IP addresses of the sending server and the other servers involved in the transmission of the email. This information is not displayed to the user, but is available to the user in some email systems.
This email image shows how Gmail displays the Display Name, the angle_addr and the Sending Domain.
Before DMARC, authentication standards only associated the Sending Domain with the DNS control mechanisms. This meant that the domain name owner did not have exclusive use of the domain name in the angle_addr. In other words, unauthorized senders could display the owner’s domain name in the angle_addr without permission. DMARC’s alignment feature requires that the angle_addr use the same domain name as the Sending Domain, thereby extending the domain owner’s control of the domain name beyond the Sending Domain to include the angle_addr.[4]
With DMARC putting the domain name owner firmly in control of the domain name in the angle_addr and the Sending Domain, why is DMARC a cyber Maginot Line? Because sending email from unauthorized servers under the owner's domain name is not the only phishing method available to adversaries. There are three forms of phishing. These are:
- Unauthorized use of the domain name, termed exact-domain spoofing;
- Attacks that do not use the domain name, termed deception; and
- Unauthorized use of a real email account, termed multi-stage.
DMARC only protects the real domain name against emails sent from unauthorized servers, leaving the adversaries with two forms of phishing at their disposal.
Deception attacks human cognition, not email domain names. People apply three factors when deciding how to react to an email’s call to action.[5] These factors are:
- Perceived Relevance
- Urgency Clues
- Habit
Before the advent of DMARC, other systems had effectively eliminated most exact-domain spoofing. Thus, for many years attackers have overwhelmingly relied on attacks that fool people using deceptive Display Names and deceptive angle_addrs.[6] The recent Gizmodo white hat attack used deceptive Display Names to trick government officials, including the FBI Director.[7] A deceptive angle_addr is termed a “cousin domain.” An example of a cousin domain is “we11point.com”, the deceptive domain used to compromise the Anthem insurance affiliate Wellpoint (which used the domain “wellpoint.com”).[8] FireEye/Mandiant discussed how the Chinese use deceptive Gmail accounts in the APT1 report.[9] Attackers targeting Russian banks used the domain “fincert.net” to pose as FinCERT, the Russian regulator; unknown to the victims, FinCERT’s real domain is “cbr.ru”.[10] Because DMARC only protects the real domain name, DMARC does not impact attacks which use deceptive Display Names and cousin domains. The DMARC specification acknowledges these shortcomings in Section 2.4:[11]
… DMARC can only be used to combat specific forms of exact-domain spoofing directly… DMARC does not attempt to solve all problems with spoofed or otherwise fraudulent email. In particular, it does not address the use of visually similar domain names ("cousin domains") or abuse of the RFC5322.From human-readable <display-name>.
Today’s primary phishing problem is the abuse of Display Names and cousin domains, the very problems that DMARC does not address. As the author discussed in Improving Cybersecurity Through Human Systems Integration, it is possible to fight the human deception problems that DMARC does not address.[12]
The third form of phishing is multi-stage. In a multi-stage event, the adversary uses phishing to steal the credentials from an email user who is inside of the targeted domain name. The attacker then uses the stolen credentials to send phishing emails from the targeted domain name.[13] Currently the only defense against a multi-stage attack is to protect against the initial compromise of credentials by defending against the other forms of phishing.
It is critical to note some technical details about email authentication. Email authentication is controlled by the owner of the domain name through the DNS infrastructure. In order to control the authentication of an email domain name, one must possess the DNS administrator credentials for the domain name of interest. Moreover, a domain owner’s DNS control does not extend to the Top-Level Domain (TLD), but only to the second-level domain and below. For example, “.gov” and “.com” are TLDs. “whitehouse.gov” and “intel.com” are second-level domains. DMARC can protect “whitehouse.gov”, because the DNS administrators of “whitehouse.gov” can publish DNS records respecting “whitehouse.gov”. However, controlling “whitehouse.gov” does not prevent a phisher from displaying “thewhitehouse.gov” in the angle_addr, because “thewhitehouse.gov” is a different domain and is not aligned with the protected domain. Although phishers cannot register “.gov” domains (because the U.S. Government maintains control over the registration of “.gov” domains), phishers can choose from over fifteen hundred TLDs.[14] DMARC does not prevent the registration of confusingly similar domains, nor the DMARC authentication of those domains by their respective owners.[15] Additionally, email authentication imposes no restrictions on what a sender can display in the Display Name; just as everyone is free to use the Display Name “Customer Service,” everyone can use the Display Name “IRS.”
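The following script is an added illustration (not part of the original article or any product) of the alignment rule described earlier and of the gap just discussed: it runs a DMARC-style alignment check on the RFC5322.From domain and, beside it, the cousin-domain and Display Name checks that DMARC itself does not perform. The protected-domain list, the homoglyph table and the brand-matching heuristic are constructed assumptions; the second-level reduction ignores the public suffix list.

```python
import re
from email.utils import parseaddr

# Domains the organisation protects with DMARC (constructed sample list).
PROTECTED = {"whitehouse.gov", "wellpoint.com", "govdelivery.com"}
# Digit-for-letter swaps typical of cousin domains ("we11point.com").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def org_domain(domain):
    """Reduce a host name to its second-level domain. Assumption: no public
    suffix list, so two-label suffixes such as co.uk are not handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_aligned(from_domain, auth_domain, strict=False):
    """RFC 7489 alignment: the RFC5322.From domain must match the domain
    SPF or DKIM authenticated, exactly (strict) or by second-level domain
    (relaxed). It passes for any domain the sender really controls, an
    attacker-registered look-alike included."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def cousin_of(domain):
    """Return the protected domain that `domain` imitates, or None.
    Heuristic: undo digit homoglyphs, then look for a protected brand label
    inside the candidate's label (we11point.com, thewhitehouse.gov,
    usgovdelivery.com, and TLD swaps such as wellpoint.net)."""
    actual = org_domain(domain)
    if actual in PROTECTED:
        return None
    label = actual.split(".")[0].translate(HOMOGLYPHS)
    for real in PROTECTED:
        if real.split(".")[0] in label:
            return real
    return None

def assess(from_header, auth_domain):
    """Run the DMARC check beside the deception checks DMARC cannot make."""
    display, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2]
    # Display Name deception: the name claims a protected brand while the
    # angle_addr belongs to some other domain.
    shown = re.sub(r"\s+", "", display.lower())
    claimed = {p for p in PROTECTED if p.split(".")[0] in shown}
    return {
        "dmarc_aligned": dmarc_aligned(from_domain, auth_domain),
        "cousin_of": cousin_of(from_domain),
        "display_name_mismatch": bool(claimed) and org_domain(from_domain) not in claimed,
    }
```

Run against a From header of "Wellpoint Support" at we11point.com that the look-alike domain's own DMARC record authenticates, the alignment check passes while the cousin-domain and Display Name checks both flag the message, which is exactly the gap the article describes.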
While DMARC offers substantial technical advantages over prior email authentication standards, its focus on defending the exact domain name is ineffective against the methods actually being used in phishing compromises.
The views expressed herein are the views of the author and do not reflect the views of Iconix, Inc.
References and End Notes
[1] Duke, Elaine C. Binding Operational Directive BOD-18-01. Washington, D.C.: U.S. Department of Homeland Security, 2017. Homeland Security. DHS, 16 Oct. 2017. Web. 17 Oct. 2017. <https://cyber.dhs.gov/assets/report/bod-18-01.pdf>.
[2] Lohrmann, Dan. "DMARC: States Should Follow Federal Directive to Enhance Email and Web Security." Government Technology. e.Republic, 20 Oct. 2017. Web. 26 Oct. 2017. <http://www.govtech.com/blogs/lohrmann-on-cybersecurity/dmarc-states-should-follow-federal-mandate-to-enhance-email-and-web-security.html>.
[3] "DMARC." Dmarc.org – Domain Message Authentication Reporting & Conformance. DMARC.org, n.d. Web. 26 Oct. 2017. <https://dmarc.org/>.
[4] RFC 7489, Section 3.1.
[5] Vishwanath, Arun, Tejaswini Herath, Rui Chen, Jinggou Wang, and Raghav Rao. "Why Do People Get Phished? Testing Individual Differences in Phishing Vulnerability Within an Integrated, Information Processing Model." Decision Support Systems 51.3 (2011): 576-86. Print.
[6] Rasmussen, Rod, and Greg Aaron. Global Phishing Survey: Trends and Domain Name Use in 1H2011. Lexington, MA: Anti-Phishing Working Group, 2011. APWG. Anti-Phishing Working Group, Inc., Nov. 2011. Web. 26 Oct. 2017. <http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2011.pdf>.
[7] Feinberg, Ashley, Kashmir Hill, and Surya Muttu. "Here's How Easy It Is to Get Trump Officials to Click on a Fake Link in Email." GIZMODO. Gizmodo Media Group, 9 May 2017. Web. 26 Oct. 2017. <https://gizmodo.com/heres-how-easy-it-is-to-get-trump-officials-to-click-on-1794963635>.
[8] Krebs, Brian. "Carefirst Blue Cross Breach Hits 1.1M." Krebs on Security. Brian Krebs, 21 May 2015. Web. 26 Oct. 2017. <https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/#more-31043>.
[9] Mandiant. APT1 Exposing One of China’s Cyber Espionage Units. Milpitas, CA: FireEye, 2013. Mandiant APT1 Report. FireEye, 19 Feb. 2013. Web. 26 Oct. 2017. <https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>.
[10] Ragan, Steve. "Dozens of Russian Banks Phished by Crooks Pretending to Be FinCERT." CSO Online. CSO, 17 Mar. 2016. Web. 26 Oct. 2017. <https://www.csoonline.com/article/3045437/security/dozens-of-russian-banks-phished-by-crooks-pretending-to-be-fincert.html>.
[11] Fn. 4, Section 2.4.
[12] Zager, John, and Robert Zager. "Improving Cybersecurity Through Human Systems Integration." Small Wars Journal. Small Wars Foundation, 22 Aug. 2016. Web. 18 Sept. 2017. <http://smallwarsjournal.com/jrnl/art/improving-cybersecurity-through-human-systems-integration>.
[13] CERT Insider Threat Team. Unintentional Insider Threats: A Review of Phishing and Malware Incidents by Economic Sector. Pittsburgh, PA: Carnegie Mellon University, 2014. Software Engineering Institute. Carnegie Mellon University, July 2014. Web. 26 Oct. 2017. <https://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_297777.pdf>.
[14] "TLD DNSSEC Report (2017-10-27 00:02:56)." TLD DNSSEC Report. ICANN Research, 27 Oct. 2017. Web. 27 Oct. 2017. <http://stats.research.icann.org/dns/tld_report/>.
[15] For example, many U.S. Government agencies use “govdelivery.com” to send email. “govdelivery.com” is protected with DMARC. The author has registered and controls the domain name “usgovdelivery.com”, a domain name which could easily be confused for the real domain name being used by many agencies of the U.S. Government.