This week I hopped on a Zoom call with several of my co-workers in the Customer Success department. They had diligently collected 14 samples of various phishing and malicious spam attacks recently reported by our customers. These messages got through Paubox Inbound Security and our customers weren't happy about it. Upon closer inspection, they had one thing in common:
In addition, the headlines tell the same story. From the New York Times: White House Weighs New Cybersecurity Approach After Failure to Detect Hacks
"Both hacks exploited the same gaping vulnerability in the existing system: They were launched from inside the United States — on servers run by Amazon, GoDaddy and smaller domestic providers — putting them out of reach of the early warning system run by the National Security Agency. The agency, like the C.I.A. and other American intelligence agencies, is prohibited by law from conducting surveillance inside the United States, to protect the privacy of American citizens."
In a nutshell, we can no longer assume an email is trustworthy just because it was sent from American hosting and infrastructure companies. We need to devise a new system, and quickly. This post explains what we at Paubox are doing about it.
Zero Trust Security

As context, we'll first cover the concept of zero trust security. Zero trust security is an IT security framework that requires strict identity verification for every person and device trying to access resources on a private network. The philosophy behind zero trust assumes there are attackers both inside and outside the network, so no one and nothing is trusted automatically. No single technology constitutes a zero trust architecture. Instead, it's a comprehensive approach to network security that combines several principles and technologies. Here are the guiding principles behind zero trust security:
- Nothing is automatically trusted. Assume attackers are both within and outside of the network.
- Least-privilege access. Users get only as much access as they need, which limits each user's exposure to sensitive parts of the network and limits what a compromised account can reach.
- Microsegmentation. This is the practice of breaking up security perimeters into small zones to maintain separate access for separate parts of the network.
- Multi-factor authentication (MFA). A core value of zero trust security, MFA simply means more than one independent piece of evidence (for example, a password plus a hardware token) is required to authenticate a user.
- Strict controls on device access. Zero trust systems track which devices are trying to access the network and ensure each one is authorized before it connects.
Zero Trust Security for Email

Now that we've covered an overview of zero trust security, let's circle back to how American tech companies are being abused by nation state attackers to send sophisticated phishing campaigns and malicious email. As a recap, these campaigns are successfully passing:
- Real-time Blackhole Lists (RBLs). This frontline check tests whether the sending IP address appears on a list of IP addresses reputed to send malicious email.
- Sender Policy Framework (SPF). An email authentication method in which a domain publishes, in a DNS TXT record, which mail servers are authorized to send email for that domain.
- DomainKeys Identified Mail (DKIM). Another email authentication method: the sending domain signs the message, and the receiver verifies the signature against a public key published in that domain's DNS, confirming the message was authorized by the domain's owner and not altered in transit.
- Domain-based Message Authentication, Reporting and Conformance (DMARC). Builds on SPF and DKIM: it requires the domain they authenticated to align with the domain in the From: header the recipient sees, and lets the domain owner publish a policy (none, quarantine, or reject) for messages that fail.
- DomainAge. A custom tool we built to check the age of a domain name. Email from a newly registered domain is a red flag, so we quarantine it.
They pass these checks, of course, because the bad actors hide behind American companies like AWS, Mailgun, and Sendinblue that took the time to configure and maintain SPF, DKIM, and DMARC correctly. Those checks confirm that a message really came from the infrastructure it claims to have come from; they say nothing about whether the sender is honest.

In short, what's now needed in the United States is a zero trust security stance for email. If email servers were people, here's how I see them talking: "It's great that you sent me this email that passes all known authentication checks like RBL, SPF, DKIM, DMARC, and DomainAge, but I still don't trust you. I need more proof."

That proof is precisely what we're working on now. We believe our dataset, domain expertise, and new approach will yield a unique form of MFA: an additional piece of evidence required to authenticate an email. We've done it before with ExecProtect, whereby we shut down Display Name Spoofing attacks. I think we can do it again.
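To make the checks in the list above and the argument in this paragraph concrete, here is an added example (written for this post, not Paubox code) that runs the same five checks over three constructed messages. The RBL, the domain registration dates, the ESP hostname and IP addresses, and the messages themselves are all invented for illustration; a real implementation would query a DNS-based RBL and WHOIS instead of the dictionaries below. The look-alike domain is caught by DomainAge, the IP on the RBL is caught by the RBL check, but the attacker who registered a domain years ago and sends through a correctly configured ESP passes everything.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins for live lookups (an RBL query and a WHOIS creation date).
RBL_LISTED_IPS = {"198.51.100.7"}
DOMAIN_REGISTERED = {                        # hypothetical registration dates
    "example-bank.com": date(2009, 3, 14),
    "examp1e-bank.com": date(2021, 2, 27),   # look-alike registered days ago
    "oldlure.net": date(2014, 6, 2),         # aged domain controlled by an attacker
}
TODAY = date(2021, 3, 1)
MIN_DOMAIN_AGE_DAYS = 30


def org_domain(domain):
    """Crude organizational domain (last two labels); enough for these inputs."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header):
    """Parse an RFC 8601 Authentication-Results header into
    {method: (result, {property: value})}, e.g. {"spf": ("pass", {"smtp.mailfrom": "a@b"})}."""
    results = {}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*([\w-]+)=(\w+)(.*)", clause, re.S)
        if m:
            method, result, rest = m.groups()
            results[method] = (result, dict(re.findall(r"([\w.]+)=(\S+)", rest)))
    return results


def sending_ip(msg):
    """Take the connecting IP from the topmost Received header."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return m.group(1) if m else None


def evaluate(raw_message):
    """Run the five checks; return {"checks": {...}, "verdict": "deliver" | "quarantine"}."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = org_domain(parseaddr(msg["From"])[1].split("@")[-1])

    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    spf_pass = spf_result == "pass"
    dkim_pass = dkim_result == "pass"

    # DMARC with relaxed alignment: an authenticated identifier must share the
    # From: organizational domain.
    mailfrom_domain = spf_props.get("smtp.mailfrom", "@").split("@")[-1]
    spf_aligned = spf_pass and org_domain(mailfrom_domain) == from_domain
    dkim_aligned = dkim_pass and org_domain(dkim_props.get("header.d", "")) == from_domain

    registered = DOMAIN_REGISTERED.get(from_domain)
    age_ok = registered is not None and (TODAY - registered).days >= MIN_DOMAIN_AGE_DAYS

    checks = {
        "rbl": sending_ip(msg) not in RBL_LISTED_IPS,
        "spf": spf_pass,
        "dkim": dkim_pass,
        "dmarc": spf_aligned or dkim_aligned,
        "domainage": age_ok,
    }
    return {"checks": checks, "verdict": "deliver" if all(checks.values()) else "quarantine"}


def _msg(from_hdr, ip, mailfrom, dkim_d):
    """Build a constructed inbound message relayed through a hypothetical ESP."""
    return "\n".join([
        f"Received: from mail.esp.example (mail.esp.example [{ip}]) by mx.receiver.example",
        f"Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom={mailfrom};"
        f" dkim=pass header.d={dkim_d} header.s=mg",
        f"From: {from_hdr}",
        "To: ceo@customer.example",
        "Subject: Action required: verify your account",
        "",
        "Please review the attached invoice.",
    ])


LOOKALIKE = _msg('"Example Bank" <alerts@examp1e-bank.com>', "203.0.113.25",
                 "bounce@examp1e-bank.com", "examp1e-bank.com")
AGED_LURE = _msg('"Example Bank" <alerts@oldlure.net>', "203.0.113.25",
                 "bounce@oldlure.net", "oldlure.net")
LISTED_IP = _msg('"Example Bank" <alerts@example-bank.com>', "198.51.100.7",
                 "bounce@example-bank.com", "example-bank.com")

if __name__ == "__main__":
    for name, raw in [("look-alike, new domain", LOOKALIKE),
                      ("aged attacker domain", AGED_LURE),
                      ("sender IP on RBL", LISTED_IP)]:
        r = evaluate(raw)
        print(f"{name:24} {r['verdict']:10} {r['checks']}")
```

Running it shows the first and third messages quarantined and the second delivered with every check green. That second case is the one the paragraph describes: each check answers "is this infrastructure configured and authorized as claimed?", and an attacker renting correctly configured infrastructure answers yes to all of them, which is why a zero trust stance has to demand evidence beyond these checks.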
See Related: Zero Trust Email added to Paubox Email Suite