DEF CON 29 Blue Team Village - Karl Lovink, - Use DNS to detect domains abused for phishing

As a high-profile public-sector organization, the Dutch Tax and Customs Administration deals with criminals claiming to be representatives of the organization and contacting the public with phishing e-mails every day. By using Splunk and RFC’s like, RFC7208 – Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, we have developed a technique to identify phishing attacks that are carried out under the disguise of the Dutch Tax and Customs Administration.

We start with a short introduction to protocols available to secure e-mail. Securing e-mail means making it more difficult to intercept e-mails in transport and perform phishing attacks. After that, we present some real-life phishing examples pointing to how finding the phishers would have been much easier. The same applies to the Notice and Take Downs for the phishing sites. We continue by introducing the secure e-mail standards like STARTTLS, Sender Policy Framework (SPF), Domain Identified Keys (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE), SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) on which the technique detecting phishing attacks is based on. Here we present how all secure e-mail protocols work together to be able to monitor e-mail traffic for potential phishing attacks. You can get information about the senders' e-mail address, sender’s MTA and the recipient’s MTA. Both the receiving and the sending MTAs are not located within your infrastructure. Passive DNS intelligence and Shodan are used for the enrichment of the IP addresses. We have implemented these techniques in Splunk, including various dashboards, searches, and lookups. But the implementation can be done in either which log management system, for instance, ElasticSearch. Also, a wizard has been created to facilitate the generation of the TXT records for your DNS zone file. The implementation we have created in Splunk is downloadable from GitHub for free. The Splunk App contains all necessary dashboards, searches, lookups to get a quick start. Also, a wizard is included to create the DNS TXT records, which can be complicated. In principle, an e-mail track-and-trace system has been built using Splunk and DNS logs.