brksec-3770
DESCRIPTION
Mail FishingTRANSCRIPT
-
5/21/2018 BRKSEC-3770
1/83
-
5/21/2018 BRKSEC-3770
2/83
Dont Be A Phish Deep Dive Into E-maAuthentication TechniquesBRKSEC-3770
Hrvoje Dogan, Security Solutions Architect
-
5/21/2018 BRKSEC-3770
3/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Agenda
Introduction to Phishing
Hardening Your E-mail Infrastructure With Message Authentication
Sender Policy Framework (SPF)
Domain Keys Identified Mail (DKIM)
Domain-based Message Authentication, Reporting & Conformance (DMA
Q&A
-
5/21/2018 BRKSEC-3770
4/83 2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Content Aids
Anything in blueRelates to
Sender / Signer
Anything in magentaRelates to
Recipient / Verifier
Note: Some of the concepts laid out will be abstracted/simplified for easier delivery. I will make the best effo
point out when there is more happening behind the scenes but is not practical to deliver in this session.
The curious fish that wants to know moreAdorns the slides that are For Your Reference
The caught fish is our Progress Indicator
-
5/21/2018 BRKSEC-3770
5/83
Introduction to Phishing
-
5/21/2018 BRKSEC-3770
6/83
phishing noun \fi-shi\
a scam by which an e-mail user is duped into revpersonal or confidential information which the scacan use illicitly
Merriam-Webster On
What Is Phishing?
-
5/21/2018 BRKSEC-3770
7/83 2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
A Short History of Phishing
First use: 1996, alt.online-service.america-online
2001 Moved to wider Internet, targeting payment systems Easy to spot messages, spelling errors
2003 Legitimate site opens in the background, phisher runs a fake login windo Gartner reports global cost of phishing in 2003 at 2.4 billion US$.
2004 Implemented data validation with real sites Creating completely fake Websites of imaginary banks and financial firm
-
5/21/2018 BRKSEC-3770
8/83 2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Phishing Today
Source: APWG Phishing Attack Trends Report 2Q2013, http://docs.apwg.org/reports/apwg_trends_report_q2_2013.pdf
Country hosting mossites: USA
Top 5 countries by abrands: USA, UK, In
Australia, France
Most phishing attacklaunched on Fridays
Worldwide cost of P2012: >1.5 billion U
Source: RSA Online Fraud Report,http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-0
-
5/21/2018 BRKSEC-3770
9/83 2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Who Is Attacked?
Energy sector target An oil and gas explor
operations in Africa, MBrazil;
A company that ownselectric plants througRepublic and Bulgari
A natural gas power A gas distributor loca
An industrial suppliernuclear and aerospac Various investment a
that specialize in the
Source: Cisco TRAC Q1 2014 Quarterly Threat Briefing
-
5/21/2018 BRKSEC-3770
10/83
Hardening Your E-mail Infrastructure: SPF
-
5/21/2018 BRKSEC-3770
11/83 2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Sender Policy Framework
Specified in RFC4408(bis)
In a nutshell: Allows recipients to verify sender IP addresses by loorecords listing authorized Mail Gateways for a particular domain
Uses DNS TXT(16) or SPF (Type 99) Resource Records SPF RR will be obsoleted due to low use
Can verify HELO and MAIL FROM identity (FQDN)
A Short Introduction
-
5/21/2018 BRKSEC-3770
12/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
SPF Operation
DNS TXTand/or
SPF RR
Work out whichmachines send
Outgoing msg Just forward it
G
Par
Deli
CheHM
-
5/21/2018 BRKSEC-3770
13/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
SPF Record Semantics
acmilan.com IN TXT v=spf1 ip4:77.92.66.4 -a
SPF version
Verification mech
-
5/21/2018 BRKSEC-3770
14/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
SPF Record SemanticsMechanisms and Qualifiers
IP4
IP6
A
MX
INCLUDE
PTR
EXISTS
ALL
PASS (+)
NE
SOFTFAIL (~)
-
5/21/2018 BRKSEC-3770
15/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
SPF Record Examples
cisco.com IN TXT v=spf1 ip4:173.37.147.224/27ip4:173.37.142.64/26 ip4:173.38.212.128/27 ip4:173.38.2ip4:64.100.0.0/14 ip4:72.163.7.160/27 ip4:72.163.197.0/ip4:144.254.0.0/16 ip4:66.187.208.0/20 ip4:173.37.86.0/ip4:64.104.206.0/24 ip4:64.104.15.96/27 ip4:64.102.19.1ip4:144.254.15.96/27 ip4:173.36.137.128/26 ip4:173.36.1mx:res.cisco.com ~all
amazon.com IN TXT v=spf1 include:spf1.amazon.com
include:spf2.amazon.com include:amazonses.com allamazon.ses.com IN TXT v=spf1 ip4:199.255.192.0/22ip4:199.127.232.0/22 ip4:54.240.0.0/18 ~all
openspf.org IN TXT v=spf1 all
-
5/21/2018 BRKSEC-3770
16/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
SPF Record Nesting
google.com IN TXT v=spf1 include:_spf.google.com ip4:216.73.93.70/31ip4:216.73.93.72/31 ~all
_spf.google.com IN TXT v=spf1 include:_netblocks.google.cominclude:_netblocks2.google.com include:_netblocks3.google.com ~all
_netblocks.google.com IN TXT v=spf1 ip4:216.239.32.0/19 ip4:64.233.16ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.
_netblocks2.google.com IN TXT v=spf1 ip6:2001:4860:4000::/36ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36
ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all_netblocks3.google.com IN TXT v=spf1 ~all
Maximum of 10 mechanisms querying DNS (any other than IP4, IP
-
5/21/2018 BRKSEC-3770
17/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
What SPF Does NOT Address
Primary purpose of SPF is to validate whether a message sender ca legitimate host
Only checks Envelope Fromheaders can still be faked Complementary technology, SenderID, checks purported sender (Purpo
Responsible Address) in the headers, but has many shortcomings
Does not ensure message integrity
Does not prevent intra-domain forgery
-
5/21/2018 BRKSEC-3770
18/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
SPF Best Practices
Plan to include -all in your SPF records
Consider all legitimate servers sending e-mail on your behalf
Make it part of security policy for roaming users to use authenticated SMgateways for sending outgoing mail
Add your relay hosts HELO/EHLO identity to SPF records
Create SPF records for all of your subdomains too
Publish null SPF records for domains/hosts that dont send mail!
nomail.domain.com. IN TXT "v=spf1 -all" Only include MX mechanism if your incomingmail servers also send out
(for now) Publish both TXT and SPF DNS Resource Records with your SP
-
5/21/2018 BRKSEC-3770
19/83
Setting up SPF DNS Records andConfiguring SPF Verification on Cisc
-
5/21/2018 BRKSEC-3770
20/83
Hardening Your E-mail Infrastructure: DKIM
-
5/21/2018 BRKSEC-3770
21/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Domain Keys Identified Mail
Specified in RFC5585
Additional RFCs: RFC6376 (DKIM Signatures), RFC5863 (DKIM DeveloDeployment and Operation), RFC5617 (Author Domain Signing Practice
In a nutshell: Specifies methods for gateway-based cryptographic outgoing messages, embedding verification data in an e-mail headfor recipients to verify integrity of the messages
Uses DNS TXT records to publish public keys
A Short Introduction
-
5/21/2018 BRKSEC-3770
22/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Operation
DNS TXT RR
Generatekeypair
Outgoing msgCanonicalize
+Sign
InsertDKIM-Signature
Re
PaS
Dela
-
5/21/2018 BRKSEC-3770
23/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM SignatureExample DKIM-Signature Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;d=gmail.com; s=20120113;h=mime-version:date:message-id:subject:from:to:
type;bh=pMD4ZYid1vn/f7RZAy6LEON+d+W+ADlVSR6I0zrYofA=b=n3EBxT5DwNbeISSYpKT6zOKHEb8ju51F4X8H2BKhDWk9Y
h
srfeFCvf+/2XEPnQaIVtKmE0h7ZTI8yvV6lDEQtJQQWqQ/RJAXPR+yF6xwLLcQqMwzsgLxC3pQAPw3Lp7py9C62nauei3nUvq6IS+qfJBOKeMby9WUsqRecg0AWX8Dfb8gxXHQH8wKFJ9ufIOTaZWMhiFnL+NHR06v0PwsCQhsSccuk0eTDu9Uqyf8bDSyGhUFeuqwxJoCJcghGf7edZ0OIgZtEcuxLMcgl+mpSje2Y
Algorithms used
Signing Domain ID
Signed Headers
Header Hash
Body Hash
-
5/21/2018 BRKSEC-3770
24/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM SignatureAlgorithms
RSA-SHA1 or RSA-SHA256
Signers MUST Signers SHOULD
Verifiers MUST Verifiers MUST
512 bits 1024 bits 2048 bits
Verifiers MUST Verifiers MUSTSigners MUST(for long-lived keys)
Verifie
Max. practicalkey length
-
5/21/2018 BRKSEC-3770
25/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Signature
Process of adapting the message content for signing to compensa
changes by MTAs in transit
MUST NOT change the transmitted data in any way; just its presen
Two canonicalization schemes are supported for both headers and Simple (almost no modification tolerated) Relaxed (some modification, like header name case changes, line wrapp
whitespace replacement allowed)
Canonicalization
-
5/21/2018 BRKSEC-3770
26/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Signature
Simple Header Canonicalization No changes to headers Retains order, case and whitespacing
Relaxed Header Canonicalization Header names -> lowercase Unfolds all multiline headers
Replaces sequences of WSP characters with a single WSP Deletes WSP characters at EOL Deletes WSP before and after the colon separating the field name from t
Header Canonicalization
-
5/21/2018 BRKSEC-3770
27/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Signature
Return-Path: v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.comX-Original-To: [email protected]
Delivered-To: [email protected]: from mx1.hc4-93.c3s2.smtpi.com (esa1.hc4-93.c3s2.smtpi.com [68.232.136.98])by rotkvica.dir.hr (Postfix) with ESMTP id B08562ABC01Efor ; Thu, 26 Dec 2013 12:03:32 +0100 (CET) Received-SPF: Pass (mx
93.c3s2.smtpi.com: domain ofv-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.comdesignates 208.95.132.58 as permitted sender)identity=mailfrom; client-ip=208.95.132.58;receiver=mx1.hc4-93.c3s2.smtpi.com;envelope-from=v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.com;[email protected];
x-conformance=sidf_compatible; x-record-type="v=spf1Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain of
[email protected] designates208.95.132.58 as permitted sender) identity=helo;client-ip=208.95.132.58; receiver=mx1.hc4-93.c3s2.smtpi.com;envelope-from=v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.com;x-sender="[email protected]";x-conformance=sidf_compatible; x-record-type="v=spf1
Authentication-Results: mx1.hc4-93.c3s2.smtpi.com; dkim=pass (signature verified)[email protected]
X-IronPort-Anti-Spam-Filtered: true
Header Canonicalization in Action
-
5/21/2018 BRKSEC-3770
28/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Signature
return-path:v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.comx-original-to:[email protected]
delivered-to:[email protected]:from mx1.hc4-93.c3s2.smtpi.com (esa1.hc4-93.c3s2.smtpi.com [68.232.136.98]) by rotkvwith ESMTP id B08562ABC01E for ; Thu, 26 Dec 2013 12:03:32 +0100 (CET)received-spf:Pass (mx1.hc4-93.c3s2.smtpi.com: domain of v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@designates 208.95.132.58 as permitted sender) identity=mailfrom; client-ip=208.95.132.58; rec93.c3s2.smtpi.com; envelope-from=v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.com; [email protected]; x-conformance=sidf_compatible; x-recorreceived-spf:Pass (mx1.hc4-93.c3s2.smtpi.com: domain of [email protected] as permitted sender) identity=helo; client-ip=208.95.132.58; receiver=mx1.hc4-9envelope-from=v-hcjblh_lhnfmmhee_lcnjocf_lcnjocf_a@bounce.mkt1970.com; [email protected]; x-conformance=sidf_compatible; x-record-type="
authentication-results:mx1.hc4-93.c3s2.smtpi.com; dkim=pass (signature verified)header.i=email@ecklers.messages1.comx-ironport-anti-spam-filtered:true
Header Canonicalization in Action
-
5/21/2018 BRKSEC-3770
29/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Signature
Simple Body Canonicalization
No changes to the message, except: removes any empty lines at the end of the message body adds CRLF at the end of the message body, if not already there
Relaxed Body Canonicalization Simple Canonicalization, plus:
Ignores all WSP characters at EOL
Replaces sequences of WSP characters in a line into a single WSP
Body Canonicalization
-
5/21/2018 BRKSEC-3770
30/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM SignatureExample DKIM-Signature Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;d=gmail.com; s=20120113;h=mime-version:date:message-id:subject:from:to:
type;bh=pMD4ZYid1vn/f7RZAy6LEON+d+W+ADlVSR6I0zrYofA=b=n3EBxT5DwNbeISSYpKT6zOKHEb8ju51F4X8H2BKhDWk9Y
h
srfeFCvf+/2XEPnQaIVtKmE0h7ZTI8yvV6lDEQtJQQWqQ/RJAXPR+yF6xwLLcQqMwzsgLxC3pQAPw3Lp7py9C62nauei3nUvq6IS+qfJBOKeMby9WUsqRecg0AWX8Dfb8gxXHQH8wKFJ9ufIOTaZWMhiFnL+NHR06v0PwsCQhsSccuk0eTDu9Uqyf8bDSyGhUFeuqwxJoCJcghGf7edZ0OIgZtEcuxLMcgl+mpSje2Y
Algorithms used
Signing Domain ID
Signed Headers
Header Hash
Body Hash
-
5/21/2018 BRKSEC-3770
31/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Signature
Signing Domain ID (SDID)
Identifies the entity claiming responsibility for the signed message Must correspond to a valid DNS name under which a DKIM key is publis
Selector Enables publishing of multiple keys per signing domain Use cases:
Periodic key rotations Delegating/splitting signing authority for different OUs Delegating signing authority to 3rdparties Allowing roaming users to sign their own messages
Signing Domain ID and Selector
-
5/21/2018 BRKSEC-3770
32/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM SignatureExample DKIM-Signature Header
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;d=gmail.com; s=20120113;h=mime-version:date:message-id:subject:from:to:
type;bh=pMD4ZYid1vn/f7RZAy6LEON+d+W+ADlVSR6I0zrYofA=b=n3EBxT5DwNbeISSYpKT6zOKHEb8ju51F4X8H2BKhDWk9Y
h
srfeFCvf+/2XEPnQaIVtKmE0h7ZTI8yvV6lDEQtJQQWqQ/RJAXPR+yF6xwLLcQqMwzsgLxC3pQAPw3Lp7py9C62nauei3nUvq6IS+qfJBOKeMby9WUsqRecg0AWX8Dfb8gxXHQH8wKFJ9ufIOTaZWMhiFnL+NHR06v0PwsCQhsSccuk0eTDu9Uqyf8bDSyGhUFeuqwxJoCJcghGf7edZ0OIgZtEcuxLMcgl+mpSje2Y
Algorithms used
Signing Domain ID
Signed Headers
Header Hash
Body Hash
-
5/21/2018 BRKSEC-3770
33/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Public Key Retrieval
DNS query:
._domainkey.
For our example:
20120113._domainkey.gmail.com IN TXT k=rsa\;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD0" "7y2+08svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+Yqd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiLUTD21MycBX5jYchHjPY/wIDAQAB
-
5/21/2018 BRKSEC-3770
34/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM SignatureAnatomy of the DKIM-Signature Header
Mandatory tags
V A D S H B BH
Optional tags
C I L Z
Recommended tags
T X
-
5/21/2018 BRKSEC-3770
35/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Public KeyAnatomy of the DKIM DNS Record
Mandatory tags
P
Recommended tags
V=DKIM1
Optional tags
H=SHA1 K=RSA NS=EMAIL GT=Y T=S
-
5/21/2018 BRKSEC-3770
36/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Public Key Examples
iport._domainkey.cisco.com IN TXT v=DKIM1\; s=email\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCctxGhJnvNpdcQL
pzFIJuo73OYFuw6/8bXcf8/p5JG/iME1r9fUlrNZs3kMn9ZdPYvTyRbUyMrsM3ZN2JAIop3M7sitqHgp8pbORFgQyZxq+L23I2cELq+qwtbanjvrvbuz9QL8CUtS+V5N5ldq8L/lwIDAQAB\;
lufthansa3._domainkey.lufthansa.com IN TXT g=*\; k=rsan="Contact [email protected] with any questions this signing"\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg
WF9kW/HY6ppS6g3U6Be0JRfu59Iv3oYgW+ztDJK1HsLf/hmah4buPBtCagDNN7wK12uhs6ko6f4SulZpwqVdtp1R6jujvW56hcNhx4RJ0E17meDhQmE8lkUzJR4BXWuKsPSSSy/pT3rM+LusuTAbFWKsMQIDAQAB\;
Ch i Y DKIM P
-
5/21/2018 BRKSEC-3770
37/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Choosing Your DKIM Parameters
Make the best use of selectors Periodic key rotation
Delegation of signing authority
Sacrificing security for performance If you must, consider weakening your signatures in the following order:
Reduce the signing key size (and combine with selector rotation) Use simple for body canonicalization Use simple for headers canonicalization
Change signing algorithm to sha-1However, RFC6376 says: Signers MUST implement and SHOULD sign usin
-
5/21/2018 BRKSEC-3770
38/83
Configuring DKIM Signing and VerifiUsing Cisco ESA
DKIM Ad ti t P bl d ADSP
-
5/21/2018 BRKSEC-3770
39/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM Advertisement Problem and ADSP
The biggest problem of DKIM is that there is no straightforward adv Unsigned messages can come in unverified
ADSP (Author Domain Signing Practices, RFC5617) is an extensio A DNS-based method for sender domains to advertise that they are sign A simple TXT record at _adsp._domainkey., containing just:
dkim=unknown|all|discardable
ADSP is obsoleted as of November 2013 due to lack of deployme
_adsp._domainkey.yahoo.com IN TXT dkim=unknown
-
5/21/2018 BRKSEC-3770
40/83
Hardening Your E-mail Infrastructure: DMA
-
5/21/2018 BRKSEC-3770
41/83
DMARC is designed to prevent bad actors fromsending mail which claims to come from legitimasenders, particularly senders of transactional emOne of the primary uses of this kind of spoofed mphishing
draft-kucherawy-
IETF Network W
Moving Towards DMARC
-
5/21/2018 BRKSEC-3770
42/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Moving Towards DMARC
Both DKIM and SPF have shortcomings, not because of bad desigbecause of different nature of each technology
DKIM policy advertising was addressed by ADSP, but: There was no visibility by spoofed parties into offending traffic Even though a receiver implemented both SPF and DKIM verification, th
requirement of the two technologies being in sync A smart attacker might make use of this to push illegitimate messages through
SPF checks HELO/MAILFROM identity, but no verification or align
Header From is ensured
Thus, DMARC was born: Leveraging great existing technologies, providing a glue to keep them in
allowing sendersto mandate rejection policies and have visibility of offen
DMARC Operation
-
5/21/2018 BRKSEC-3770
43/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC Operation
SPF (or TXT)DNS RR
Publish SPF
Outgoing msg
Publish DMARC
InsertDKIM-Signature
Check SPF
Check SPF onHeader From
Fetch DMARCPolicy
Publish DKIM Check DKIMDKIM (TXT)
DNS RR
DMARC (TXT)DNS RR
DMARC Policy
-
5/21/2018 BRKSEC-3770
44/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC PolicyExample of a DMARC DNS Record
_dmarc.amazon.com IN TXT v=DMARC1\; p=quarantpct=100\; rua=mailto:[email protected]=mailto:[email protected]
Version
Sampling rate
Failure Reports URI Aggre
Failure polic
DMARC Policy
-
5/21/2018 BRKSEC-3770
45/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC Policy
Policies requested by senders:
None Quarantine Reject
Receivers MAY deviate from requested policies, but SHOULD infosender why (through Aggregate Report)
Sampling rate (p tag) instructs the receiver to only apply policy tomessages
Policy Specification and Slow Start
DMARC Policy
-
5/21/2018 BRKSEC-3770
46/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC Policy
mailto: and http:// URIs supported
Two distinct report types: Aggregate report
Sent on an interval Summary of all incidents from a particular sender domain
Failure report Sent on (every) failure
Detailed report on individual failures
Reporting URIs
DMARC Policy
-
5/21/2018 BRKSEC-3770
47/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC PolicyAnatomy of the DMARC DNS Record
Mandatory tags
V=DMARC1
Optional tags
PCT FOSP RIADKIM RF
P
ASPF RUFRUA
DMARC Policy
-
5/21/2018 BRKSEC-3770
48/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC Policy
Sender can request Strict (s) or Relaxed (r, default) adherence
SPF DKIM (adkim):
Relaxed: Header From FQDN can be a subdomain of d tag of DKIM sig Strict: Header From FQDN must completely match the d tag of DKIM
SPF (aspf):
Relaxed: Header From domain can be a subdomain of SPF-AuthenticateFROM) domain Strict: Header From domain must match MAIL FROM domain
Adherence to SPF/DKIM
DMARC Policy
-
5/21/2018 BRKSEC-3770
49/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC Policy
Two supported Report Formats (rf):
afrf Authentication Failure Reporting Format, defined in RFC6591, and extended by d
dmarc-base (default)
iodef Incident Object Description Exchange Format, defined in RFC5070
Failure reporting options (fo), separated by colons in the Policy R
0: generate a report if allunderlying mechanisms fail to align and pass ( 1: generate a report if anyunderlying mechanisms fail to align and pass d: generate a DKIM failure report if DKIM verification fails, regardless of s: generate an SPF failure report for failed SPF verification, regardless o
Failure Reporting
DMARC Reporting
-
5/21/2018 BRKSEC-3770
50/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC Reporting
_dmarc.facebook.com IN TXT "v=DMARC1\; p=reject\; pct=1rua=mailto:[email protected],mailto:[email protected]=mailto:[email protected]\;
Delegating Reporting Authority
DMARC Reporting
-
5/21/2018 BRKSEC-3770
51/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC Reporting
_dmarc.facebook.com IN TXT "v=DMARC1\; p=reject\; pct=1rua=mailto:[email protected],mailto:[email protected]=mailto:[email protected]\;"
Delegating Reporting Authority
facebook.com._report._dmarc.ruf.agari.com
DMARC Reporting
-
5/21/2018 BRKSEC-3770
52/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
_dmarc.facebook.comIN TXT "v=DMARC1\; p=reject\; pct=1rua=mailto:[email protected],mailto:[email protected]=mailto:[email protected]\;"
facebook.com._report._dmarc.ruf.agari.comfacebook.com._report._dmarc.ruf.agari.com
DMARC ReportingDelegating Reporting Authority
DMARC Reporting
-
5/21/2018 BRKSEC-3770
53/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC Reporting
_dmarc.facebook.comIN TXT "v=DMARC1\; p=reject\; pct=1rua=mailto:[email protected],mailto:[email protected]=mailto:[email protected]\;"
Delegating Reporting Authority
facebook.com._report._dmarc.ruf.agari.com
DMARC Reporting
-
5/21/2018 BRKSEC-3770
54/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC Reporting
_dmarc.facebook.comIN TXT "v=DMARC1\; p=reject\; pct=1rua=mailto:[email protected],mailto:[email protected]=mailto:[email protected]\;"
Delegating Reporting Authority
facebook.com._report._dmarc.ruf.agari.com IN TXT v=DMARC1
DMARC Record Examples
-
5/21/2018 BRKSEC-3770
55/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
p
_dmarc.google.com IN TXT v=DMARC1\; p=quarantine\;
rua=mailto:[email protected]
_dmarc.cs.helsinki.fi IN TXT v=DMARC1\; p=reject\; sp=
pct=100\; aspf=r\; rua=mailto:[email protected]
_dmarc.microsoft.com IN TXT v=DMARC1\; p=none\; pct=10
rua=mailto:[email protected]\; ruf=mailto:[email protected]
_dmarc.dk-hostmaster.dk IN TXT v=DMARC1\; p=none\;rua=mailto:[email protected]\; ruf=mailto:d
[email protected]\; adkim=r\; aspf=r\; rf=afrf
DMARC Identifier Alignment
-
5/21/2018 BRKSEC-3770
56/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
g
DMARC authenticates the domain from Header From
DKIM authenticates the domain from DKIM-Signature (d tag)
SPF authenticates domains from MAIL FROM or HELO identities
Identifier Alignment is a concept of alignment between Header Fidentifiers checked by DKIM and SPF
Message passesDMARC check if one or more of the authenticatmechanisms (DKIM and/orSPF) pass with proper alignment
When Does A Message Pass?
DMARC Policy
-
5/21/2018 BRKSEC-3770
57/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
yAnatomy of the DMARC DNS Record
Mandatory tags
V=DMARC1
Optional tags
PCT FOSP RIADKIM RF
P
ASPF RUFRUA
DMARC Policy
-
5/21/2018 BRKSEC-3770
58/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
y
Sender can request Strict (s) or Relaxed (r, default) adherence
SPF DKIM (adkim):
Relaxed: Header From FQDN can be a subdomain of d tag of DKIM sig Strict: Header From FQDN must completely match the d tag of DKIM
SPF (aspf):
Relaxed: Header From domain can be a subdomain of SPF-AuthenticateFROM) domain Strict: Header From domain must match MAIL FROM domain
Adherence to SPF/DKIM
DMARC Identifier Alignment: SPF
-
5/21/2018 BRKSEC-3770
59/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
g
MAIL FROM:
From: Hrvoje Dogan (hrdogan)
To: Hrvoje Dogan Subject: DMARC test
DMARC Identifier Alignment: SPF
-
5/21/2018 BRKSEC-3770
60/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
g
MAIL FROM:
From: Hrvoje Dogan (hrdogan)
To: Hrvoje Dogan Subject: DMARC test
DMARC Identifier Alignment: SPF
-
5/21/2018 BRKSEC-3770
61/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
MAIL FROM:
From: Hrvoje Dogan (hrdogan)
To: Hrvoje Dogan Subject: DMARC test
DMARC Identifier Alignment: SPF
-
5/21/2018 BRKSEC-3770
62/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
MAIL FROM:
From: Hrvoje Dogan (hrdogan)
To: Hrvoje Dogan Subject: DMARC test
MAIL FROM:
From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
DMARC Identifier Alignment: SPF
-
5/21/2018 BRKSEC-3770
63/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
MAIL FROM:
From: Hrvoje Dogan (hrdogan)
To: Hrvoje Dogan Subject: DMARC test
MAIL FROM:
From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
DMARC Identifier Alignment: SPF
-
5/21/2018 BRKSEC-3770
64/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
MAIL FROM:
From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
MAIL FROM:
From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
MAIL FROM:
From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
DMARC Identifier Alignment: SPF
-
5/21/2018 BRKSEC-3770
65/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
MAIL FROM:
From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
MAIL FROM:
From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
MAIL FROM:
From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
DMARC Identifier Alignment: DKIM
-
5/21/2018 BRKSEC-3770
66/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan
Subject: DMARC test
DMARC Identifier Alignment: DKIM
-
5/21/2018 BRKSEC-3770
67/83
2014 Cisco and/or its affiliates All rights reservedBRKSEC-3770 Cisco Public
DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan
Subject: DMARC test
adk
DMARC Identifier Alignment: DKIM
-
5/21/2018 BRKSEC-3770
68/83
2014 Cisco and/or its affiliates All rights reservedBRKSEC-3770 Cisco Public
DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan
Subject: DMARC test
DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
adk
DMARC Identifier Alignment: DKIM
-
5/21/2018 BRKSEC-3770
69/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan
Subject: DMARC test
DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
adk
DMARC Identifier Alignment: DKIM
-
5/21/2018 BRKSEC-3770
70/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan
Subject: DMARC test
DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
DKIM-Signature: v=1; [] d=linux.hr;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
adk
DMARC Identifier Alignment: DKIM
-
5/21/2018 BRKSEC-3770
71/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan
Subject: DMARC test
DKIM-Signature: v=1; [] d=cisco.com;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
DKIM-Signature: v=1; [] d=linux.hr;[]From: Hrvoje Dogan (hrdogan) To: Hrvoje Dogan Subject: DMARC test
adk
Multiple DKIM signatures? Anymust validate and align.
DMARCHow to start
-
5/21/2018 BRKSEC-3770
72/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
1. Correctly deploy DKIM and SPF
2. Make sure that your identifiers will align
3. Publish a DMARC record with p=none, gather ruaand rufrepowhile
4. Analyze the data and modify your mail streams (or DKIM/SPF pa
5. Apply reject or quarantine policy
How to start
DMARCHow to Delegate
-
5/21/2018 BRKSEC-3770
73/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Create a subdomain for your 3rdparty mailers
Provide them with your DKIM signing key Make sure adkimis set to strict, and aspfset to relaxedif needed
How to Delegate
Received: from mta3.e.tripadvisor.com ([66.231.81.9]) by mx1.hc4-93.c3s2.smtpi.comJan 2014 21:16:36 +0100
Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain ofbounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvisor.com designaas permitted sender) identity=mailfrom; client-ip=66.231.81.9; receiver=mx1.hc4-envelope-from="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvi
x-sender="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvisor.cx-conformance=sidf_compatible; x-record-type="v=spf1
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=e.tripadvisor.com;h=From:To:Subject:Date:List-Unsubscribe:MIME-Version:Reply-To:Message-ID:[email protected]; bh=ZNcj7Ir0D/Hc0M9uybYZydUdcZQ=; b=afqcdGZ2Vg8z38JB+c8vp3q89JcMLPtRfO1OtRV21UjsQgW1fKCFBZglZxnyQuE8TLGQJy2AkaCaV2YiiZPogw6PhNmmDMmxQ/gNPFkJeUFSHRpJriV0017gsGVmV3t72fv25kS0kKbtvvhjZCyQ=
From: "TripAdvisor"
DMARCHow to Delegate
-
5/21/2018 BRKSEC-3770
74/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Create a subdomain for your 3rdparty mailers
Provide them with your DKIM signing key Make sure adkimis set to strict, and aspfset to relaxedif needed
How to Delegate
Received: from mta3.e.tripadvisor.com ([66.231.81.9]) by mx1.hc4-93.c3s2.smtpi.comJan 2014 21:16:36 +0100
Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain ofbounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvisor.com designaas permitted sender) identity=mailfrom; client-ip=66.231.81.9; receiver=mx1.hc4-envelope-from="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvi
x-sender="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvisor.cx-conformance=sidf_compatible; x-record-type="v=spf1
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=e.tripadvisor.com;h=From:To:Subject:Date:List-Unsubscribe:MIME-Version:Reply-To:Message-ID:[email protected]; bh=ZNcj7Ir0D/Hc0M9uybYZydUdcZQ=; b=afqcdGZ2Vg8z38JB+c8vp3q89JcMLPtRfO1OtRV21UjsQgW1fKCFBZglZxnyQuE8TLGQJy2AkaCaV2YiiZPogw6PhNmmDMmxQ/gNPFkJeUFSHRpJriV0017gsGVmV3t72fv25kS0kKbtvvhjZCyQ=
From: "TripAdvisor"
DMARCHow to Delegate
-
5/21/2018 BRKSEC-3770
75/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Create a subdomain for your 3rdparty mailers
Provide them with your DKIM signing key Make sure adkimis set to strict, and aspfset to relaxedif needed
How to Delegate
Received: from mta3.e.tripadvisor.com ([66.231.81.9]) by mx1.hc4-93.c3s2.smtpi.comJan 2014 21:16:36 +0100
Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain ofbounce-891195_HTML-783170676-35558060-77825-258@ bounce.e.tripadvisor.comdesignaas permitted sender) identity=mailfrom; client-ip=66.231.81.9; receiver=mx1.hc4-envelope-from="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvi
x-sender="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvisor.cx-conformance=sidf_compatible; x-record-type="v=spf1
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=e.tripadvisor.com;h=From:To:Subject:Date:List-Unsubscribe:MIME-Version:Reply-To:Message-ID:[email protected]; bh=ZNcj7Ir0D/Hc0M9uybYZydUdcZQ=; b=afqcdGZ2Vg8z38JB+c8vp3q89JcMLPtRfO1OtRV21UjsQgW1fKCFBZglZxnyQuE8TLGQJy2AkaCaV2YiiZPogw6PhNmmDMmxQ/gNPFkJeUFSHRpJriV0017gsGVmV3t72fv25kS0kKbtvvhjZCyQ=
From: "TripAdvisor"
DMARCHow to Delegate
-
5/21/2018 BRKSEC-3770
76/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Create a subdomain for your 3rdparty mailers
Provide them with your DKIM signing key Make sure adkimis set to strict, and aspfset to relaxedif needed
How to Delegate
Received: from mta3.e.tripadvisor.com ([66.231.81.9]) by mx1.hc4-93.c3s2.smtpi.comJan 2014 21:16:36 +0100
Received-SPF: Pass (mx1.hc4-93.c3s2.smtpi.com: domain ofbounce-891195_HTML-783170676-35558060-77825-258@ bounce.e.tripadvisor.comdesignaas permitted sender) identity=mailfrom; client-ip=66.231.81.9; receiver=mx1.hc4-envelope-from="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvi
x-sender="bounce-891195_HTML-783170676-35558060-77825-258@bounce.e.tripadvisor.cx-conformance=sidf_compatible; x-record-type="v=spf1
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=e.tripadvisor.com;h=From:To:Subject:Date:List-Unsubscribe:MIME-Version:Reply-To:Message-ID:[email protected]; bh=ZNcj7Ir0D/Hc0M9uybYZydUdcZQ=; b=afqcdGZ2Vg8z38JB+c8vp3q89JcMLPtRfO1OtRV21UjsQgW1fKCFBZglZxnyQuE8TLGQJy2AkaCaV2YiiZPogw6PhNmmDMmxQ/gNPFkJeUFSHRpJriV0017gsGVmV3t72fv25kS0kKbtvvhjZCyQ=
From: "TripAdvisor"
-
5/21/2018 BRKSEC-3770
77/83
DMARC deployment using Cisco ES
Dont Be A PhishDeploy DMARC!
-
5/21/2018 BRKSEC-3770
78/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
DMARC provides Easy, simple and powerful existing-standards-based message authentic Flexibility and gradual deployment A chance to clean up your mail flows and tighten up messaging security Easy protection from most phishing attacksboth as phish and as bait!
and endless opportunities for corny fish jokes.
Deploy DMARC!
DONT BE A PHISH.ITS SIMPLE.
For More Information
-
5/21/2018 BRKSEC-3770
79/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
http://www.openspf.org
http://www.dkim.org
http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishcloud/
https://support.google.com/mail/answer/3070163?hl=en
http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02
http://dmarc.org
http://dmarcian.com
Presentation videos: http://bitly.com/bundles/hrvojedogan/1
Image credits
http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/https://support.google.com/mail/answer/3070163?hl=enhttp://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://dmarc.org/http://dmarcian.com/http://bitly.com/bundles/hrvojedogan/1http://bitly.com/bundles/hrvojedogan/1http://dmarcian.com/http://dmarc.org/http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02http://tools.ietf.org/html/draft-kucherawy-dmarc-base-02https://support.google.com/mail/answer/3070163?hl=enhttps://support.google.com/mail/answer/3070163?hl=enhttp://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/http://blogs.cisco.com/security/big-data-in-security-part-v-anti-phishing-in-the-cloud/ -
5/21/2018 BRKSEC-3770
80/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Most photography on title slides courtesy of Novi List, http://www.novilist.hrpermission of the Editor of Photography. Authors of photography: Sergej DFabijan, Marko Gracin, Roni Brmalj, Damir komrlj, Silvano Jeina, Livio
Original artwork for icons and progress indicator done in ink on paper by Ivhttp://www.medri.uniri.hr/~imatic/
Special credits go to Helenka, for her relentless work on producing these sl
Call to Action
Visit the World of Solutions:
-
5/21/2018 BRKSEC-3770
81/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Visit the World of Solutions:-
Cisco CampusCisco E-mail Security
Walk-in Labs Technical Solutions Clinics
Hrvoje Dogan, Dan Griffin, Tom Foucha, Scott Bower
Meet the Engineer
Lunch Time Table Topics, held in the main Catering Hall
Recommended Reading: For reading material and further resourcsession, please visit www.pearson-books.com/CLMilan2014
Complete Your Online Session Evaluation
http://www.pearson-books.com/CLMilan2014http://www.pearson-books.com/CLMilan2014http://www.pearson-books.com/CLMilan2014http://www.pearson-books.com/CLMilan2014 -
5/21/2018 BRKSEC-3770
82/83
2014 Cisco and/or its affiliates. All rights reserved.BRKSEC-3770 Cisco Public
Complete your online sessionevaluation
Complete four session evaluationsand the overall conference evaluationto receive your Cisco Live T-shirt
-
5/21/2018 BRKSEC-3770
83/83