Email Spoofing (Part 1): STRIDEing through Email Threats
There are numerous threats to Email security, and using a Threat Model provides a systematic and structured way both to identify these threats and to mitigate the security risks posed to Email. A Threat Model we frequently use is one developed by Microsoft called STRIDE.
What is STRIDE?
STRIDE is a Threat Model developed by Microsoft. STRIDE is an acronym for six categories of security threat, namely: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
The table below provides a high-level overview of STRIDE with the Threat, a Definition of the Threat, the Property impacted by the Threat and an Example of a Threat.
Applying STRIDE to Email
Let's take a closer look at the STRIDE Threat Model and how it can be applied to Email. The focus of this article is on Spoofing.
Spoofing (the Threat)
Spoofing is the act of posing as someone else (i.e. spoofing a user) or claiming a false identity (i.e. spoofing a process). In Email terms, Email Spoofing is the creation of email messages with a forged or false sender address.
Authentication (the Property)
Fundamentally, the core email protocols were designed without any mechanism for sender authentication, which is why spam and phishing emails use spoofing to mislead the recipient about the origin of a message.
Countermeasures - Technical Controls
"Proper" Authentication is the primary method to address Spoofing.
There are a number of technical controls that can be implemented to prevent email spoofing and validate email authenticity:
Sender Policy Framework (SPF) - is an email authentication method designed to detect forged sender addresses during delivery of the email. SPF is a mechanism that specifies which servers are allowed to send mail on behalf of your domain. SPF helps both to prevent spoofing and to improve mail delivery.
DomainKeys Identified Mail (DKIM) - is more complex than SPF and relies on digital signatures. DKIM proves the identity of the organisation that has chosen to vouch for the authenticity of the email. It can be compared to putting a letter into an envelope and stamping it with a wax seal. The person stamping has not necessarily written the letter, but is vouching for it. DKIM is more focused on ensuring legitimate emails are delivered than on blocking spoofed emails.
Domain-based Message Authentication, Reporting and Conformance (DMARC) - DMARC ties both SPF and DKIM together and builds on both. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise (BEC) attacks, phishing emails, email scams and other email threats.
A Secure Email Gateway that provides anti-spam and phishing protection will ensure that these mails are not delivered to your mailbox.
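As an added illustration (not code from the original article), the following models the decision a receiving mail server makes when it combines SPF, DKIM and the DMARC policy described above. The DNS zone, domains and IP addresses are constructed, DNS lookups are replaced by an in-memory dictionary, and DKIM signature verification itself is assumed to have been done already. One point worth noticing is that SPF is evaluated against the envelope sender (MAIL FROM), so DMARC's alignment check against the visible From domain is what ties the result to the address the recipient actually sees.

```python
import ipaddress
import re

# Constructed DNS zone standing in for the TXT lookups a receiver performs.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=s",
}

def spf_check(domain, client_ip):
    """Evaluate ip4/ip6 mechanisms and 'all' only (a subset of RFC 7208)."""
    ip = ipaddress.ip_address(client_ip)
    record = ZONE.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    verdicts = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in verdicts else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return verdicts[qualifier]
        if mech.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(mech[4:], strict=False):
            return verdicts[qualifier]
    return "neutral"  # RFC 7208: no mechanism matched and no 'all' present

def org_domain(domain):
    """Crude organisational-domain guess; real receivers consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def aligned(identifier_domain, header_from, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return identifier_domain == header_from
    return org_domain(identifier_domain) == org_domain(header_from)

def dmarc_evaluate(header_from, mail_from, client_ip, dkim_domain, dkim_valid):
    """Return (result, disposition); dkim_valid means the DKIM signature already verified."""
    tags = dict(re.findall(r"(\w+)=([^;\s]+)", ZONE.get("_dmarc." + header_from, "")))
    if tags.get("v") != "DMARC1":
        return "none", "deliver"  # no policy published: nothing to enforce
    # SPF is checked on the envelope sender, then aligned to the visible From domain.
    spf_ok = spf_check(mail_from, client_ip) == "pass" and aligned(mail_from, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_valid and aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p"), "deliver")
```

With the constructed zone, a message whose envelope sender is a subdomain passes only through relaxed DKIM alignment, because the policy sets strict SPF alignment (aspf=s).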
Countermeasures - Administrative Controls
The key to thwarting both the existing and emerging email threats is to adopt a multi-layered approach to email security. This goes beyond the technical controls that can be implemented. Technical controls should be complemented by investments in Security Awareness Training, especially to combat email threats that are "payloadless" (that is, they do not contain an attachment or link).
Whilst Security Awareness Training is, of course, not 100% effective, neither is such awareness an optional layer.
If you would like more information or would like StarSwift Information Security to support you with the implementation of Email Security or Security Awareness Training, please do not hesitate to get in touch.
Please contact us for more information.