
DNS and Attack Surface Management - Paul Guido

BSides SATX · 2024 · 42:47 · 56 views · Published 2024-06
Category: Technical
Style: Talk
About this talk
DNS and Attack Surface Management - Paul Guido. 2024-06-08, 14:00–14:45, Track 1 (UC Conference Rm A).

Your company has total control over your DNS records and systems exposed to the Internet. Tightly managing these resources will protect your brand and your systems. How often does your company examine your externally exposed systems and the ports in use, not just for vulnerabilities but with a critical eye to determine if the service is still needed? Do you have an old A or CNAME record in DNS pointing to resources or domains that do not exist anymore? If you say no, please look again. DMARC is no longer optional; embrace the protection it provides. This is a practical discussion of steps you should take to examine and secure the Internet-facing systems and records of your company's exposed resources. CAA, SPF, DKIM, DMARC, CNAME and TXT DNS records will be discussed, as well as how to get free vulnerability and posture assessments! Finally, do you have BIMI set up to show that your brand is protected?

Paul Guido going over DNS and attack surface management um I'd like to say thank you to one of our sponsors USAA for making all of this possible and um everyone give a great Round of Applause for Paul

Guido uh thank you all very much USAA is looking for employers uh employment out there so if you're looking for a job or you're looking to change jobs they got a big list of jobs available right now um so there you go uh yeah own your domain if not somebody else is going to do it for you uh I guarantee it um attack surface management email in 2024 a lot of people want to do email like it's 2008 uh without doing anything else and that is just like the most horrible way to do that so we're going to kind of go over the latest stuff there my name is Paul Guido uh until I

was in my early 30s I was a carpenter at construction I did all the trades I grew up in a family that had Hobbies like boating and electronics and all kinds of weird stuff I built Heathkits when I was in junior high and soldered things together um but when I got my ham radio license immediately I started doing something called packet radio uh basically I was learning how to do frame tracing at night while I was doing carpentry during the day um finally I changed jobs in 1993 I went to work for for a small value added reseller uh that sold computers and services and stuff and in uh that 1993 I became certified almost 20 I'm sorry 20

30 years ago uh in in this year uh uh it got my first Novell CNE uh back then uh I ended up finally got five CNEs Microsoft certification IBM certifications uh and U one of the things I'm most proud of is my Compaq certifications because those are very difficult to get at the time there were only about 2500 people with that particular Compaq certification that I had um I was hired in 1998 by financial institution here in San Antonio as part of a Y2K upgrade um there was a lot of concerns about that but what we did is we created a lab and we ran all our software through and we found problems problems that the people did not even

realize that they had with their software uh that was Y2K problems so that was a good thing that we did that and one of the reasons why Y2K was a nothing Burger is because a lot of people did a lot of work prior to that um so while I was there I worked with Active Directory and Novell Directory Services and tying all that stuff together the storage area network uh internet banking uh ATMs uh you know I moved the ATMs from SNA protocol to TCP/IP but I didn't just plug them into the network at the branch created another network for them created access lists for them made sure that they couldn't talk to anything they weren't supposed to

that they couldn't that nothing could talk to them except what was authorized by the way saved all kinds of headaches uh I know of people that have actually gotten ATMs infected with viruses because they didn't do any isolation or any segmentation at all so yeah shake your head but it happened Carl it really did um so weeks before the pandemic in 2020 I got hired at the local credit union here in San Antonio to uh work with the operations team uh I have uh security operations uh and I do a lot of other stuff with uh audit and responses to audit policies paperwork planning I seem to be typing a lot and I guarantee you my English teacher from high school

is rolling over in his grave uh because of all the stuff that I didn't learn then that I really have to know now to type and type type and type so oh uh always learning that's a big deal once again I was a carpenter and at night I did frame tracing so I learned like Wireshark type stuff for fun so one of those deals so initial access brokers are after you are they so do you have a website uh do you have customers or members or people that log into that website any way shape or form uh do you have MFA for those users to get into that website or you just relying on usernames passwords or heaven

forbid the deprecated uh SMS texts um you have a VPN for you to get into remotely a lot of people are doing work from home still and uh I'm blessed we do work from home still with the organization I'm working for at least 4 days a week um and it looks like that's the way it's going to be forever uh no one's even talking about changes we became more productive our least productive day is the day we go in the office that's the way it is do you have Microsoft Azure Entra ID Exchange Online if you have any of this stuff I guarantee you you're getting hacked right now people are trying to break into

those accounts right now every single one of those is an attack me they're trying to log into the local radio club's website website why because they can use that as a platform to spread malware or other problems um the more that they own those kind of things the more they do things with doesn't matter right so the same thing about your user base they're credential stuffing those accounts as well but here's the deal how are you mitigating credential stuffing what are you doing about it right how are you trying to make sure that that's not a problem um it it's a mess one do you have Fidelity in your logs that you can spot it that's really key importance you got

to be able to see what these things are doing and all the failures that these logins are providing even if you have the logs if you don't have the people that are checking those logs building those alerts and putting those controls in place to make sure that they're mitigating the stuff you're lost great I got a log that says it's happening but I'm not doing anything to put a control in place to make it stop so all of this stuff matters are you getting logs for everything that anyone can log into and making sure that those logs have some kind of alert to tell you when bad things are happening so cuz if you don't

know bad things are happening cuz I guarantee you the first thing out of the gate isn't them taking a list and doing a bunch of logins and doing a bunch of lockouts on your active directory that happens weeks months days days later but it doesn't happen the first day when later they'll buy that dump for your organization call out those email addresses and then try and hit something that that you used as an old password or whatever at some site that got hacked and Linkedin whatever Facebook whatever so too many people have shared too many passwords over the years once again all of that needs to be put in place grab those logs put them in

the SIEM get somebody to create rules and monitor them and do something when something happens make sure you secure what I call the big three you have to secure three things I'll be talking about them individually but just right right off the top of my head your domain registrar if you don't have good control over your domain registrar you don't own your domain your DNS provider if it's external if you don't have good control over that once again you don't own your domain the third one is your certificate authority you have to be able to make sure that your certificate authority only provides certificates on your behalf at your uh action you do it right that

nobody else can do it for you so how do we do this a lot of this stuff's going to be kind of sing songy at the end but your registrar holds the key to your company's brand lock it down um there should be a very limited number of people that have access to this uh make sure you audit the those users people leave organizations people that have these kind of Rights um when's the last time you check your domain registrar to see if anybody that's left the organization still on the list to log in a lot of these things have been around a long time and I'm talking about domain I'm sorry uh was is it U uh something

Solutions Domain Solutions no Network Solutions Network Solutions is one of the oldest domain registrars out there on the internet and you know I I know the previous place I used to work um we started using them in 1998 I wouldn't be surprised if there's somebody left there since 1998 uh I CED me up when I left I guarantee you that send that it logs or any kind of change information that you have once again to your SIEM create rules out there if some new user created or even if there's a login it should be tracked should be ided um another good reason for this uh what was it 2016 a bank in Brazil some hackers figured out that they could get

into the domain registrar of that bank so what did they do nothing for three months they built an identical website to that bank and then one day they went in and switched to their website and everybody logged into that while they were logging into their accounts with the same credentials and moving some money around so yeah once again this is really important stuff oh gosh um if you've ever had an MX record and received email for a domain you own it for life and I tried to get this across to multiple different marketing departments and other over the years the reason you own it for life is because if there was ever an account external to

that organization that was used to create an account you got an email back you can reset passwords you can do everything else you stop using that domain anything that that domain was used to register on the outside they own all of that email uh they be able to reset passwords get back into those accounts act as the organization and if it's something as bad as your domain registrar or your DNS or whatever you're in Dire Straits so don't do that um who can log in once again are they still employed it's the same kind of deal multifactor authentication um one of my favorites is to set up Federated identity so when they leave the organization it goes away with like a

MFA push and if the website had its own MFA I would add that too yeah that's like four factors of authentication but can you really be tight enough for these kind of things I really don't think so um because once again I guarantee you they're after you right now um DNS once again I mentioned this in my overview DNS same kind of um lock it down audit send those logs off make sure that if anybody was in that system that they're still with the company um if a parked domain does not have an MX record create one now this kind of goes against what I said earlier but I'm not saying create an MX record so you

can get email I'm saying create an MX record so you can set a DMARC record and that DMARC record says fail what that does is if anyone sends email on behalf of parkeddomain.com or whatever it's called uh let me think of one um just a bank.com or mortgage human.com I don't know I'll make them up um if you own that domain create an MX record and then create a DMARC record that says anything from mortgage.com goes fail what that does it's a policy that you said that when those companies let's say Yahoo Google whatever get that email from China for the Pharmaceuticals or whatever they're trying to do or sell they're going to take that email find out that your MX

record I'm sorry your DMARC record says fail and drop that email they'll reject it um actually it's not oh yeah it's reject reject means fail sorry one second they have started pouring the beer if anybody wants one the kegs back there they only had a table for it uh if they only had a table for it so so once again any domain that's parked gets an MX record to fail I can't stress that enough when you do that you're going to set the U um there you go configure DMARC to go to your aggregator anybody here use an aggregator and know what an aggregator is for for DMARC records cool you can set in your DNS records a

couple of parameters for DMARC you can set your ruf and rua parameters in DMARC to go to someone that takes all of that information Aggregates it puts it in a nice readable format because the forensic records are gzipped I believe the a records are just uh the audit bare Header information but the rufs are really handy because they'll tell you everything about the email that you sent um so those go to the aggregator the aggregator can go ahead and display it to you in a nice consumable format aggregators have names like Agari Mimecast Proofpoint uh I think theirs is called Email Fraud Defense they vary in amount of what they provide you and how much they cost by

far the Cadillac Mercedes-Benz of it is Agari but they want crazy money okay I found this on the web for cat check it out I really appreciate that have a good day so uh that it's it's it's crazy I've asked for quotes from them a number of times and I've heard the same insane number for an annual cost regardless of the size the organization I work for or asked the question by the way yeah they're owned by Fortra and Fortra is out there and I have talk to Fortra about this problem so um and I love Fortra uh they have a group called PhishLabs awesome they do takedowns like you would not believe big time love their takedowns they do the

PhishLabs group but Agari oh awful crazy money so once again look at Mimecast look at Proofpoint look at somebody else audit all your CNAME records a CNAME record inside of DNS says fred.justabank.com points to something at uh marketing company selling campaign 29.com well if that domain that it's pointed to ever gets sold dropped Whatever by that marketing company a bad actor can pick it up what will they own they will own fred.justanotherbank.com they'll own that entire section at that point can get certificates for it from Let's Encrypt they can do all kinds of other craziness if you don't have other things locked down so getting back to that audit your

CNAME records are you still using those CNAMEs um it's difficult to do but you have to do it any questions about that cuz that's really important to audit your CNAME records in DNS that's what you're talking about there is dangling DNS DL dangling the RIS oh that yeah yeah dangling DNS yeah uh so somebody will once again if your CNAME points to a marketing company and the marketing company either goes out of business or quits paying for whatever that domain name is that it points to then that actor buys that domain and then they own everything that happens of all the places that the CNAMEs point from so so if you have something bad

your organization that points at a CNAME that could be the issue and I hope that help clears it up some so last but not least is your certificate authority and uh thank you very much Carl for the uh push this morning uh the the bump the the certificate authority uh is also one of the big things that you need to be careful with because once again they own your domain your DNS and everything else they can own your certificate authority um lock it down uh audit the users access certificates once again if they're not employed with the company kill them off um now this is the part that Carl was talking about earlier today the CAA record CAA record is

a DNS record that you need to publish you must publish please go out and publish write it down right now if you don't have one and you'll if you want to find out if you have one I'll show you in a minute how to find that what you say in your CAA record is what certificate authority is authorized to provide certificates for your company so if it's DigiCert or what or or Let's Encrypt or whatever you publish that information in your CAA record no other certificate authority can provide certificates if you publish that in there only what you state if they happen to uh issue a certificate for uh from what is it Comodo or one of these other certificate

authorities and they weren't in the CAA record they could be in a lot of trouble they could be actually kicked out of the browsers which is basically the death knell that kills their Cash Cow and if you are wondering what that looks like look up the history of verisign.com anyone Carl's laughing you know what I'm talking about VeriSign used to print money they printed money and it was easy and they broke the rules when it came to being a certificate authority and they were basically kicked out they were repeatedly told not to do it and they ignored the the being told and they were basically all the browser manufacturers said we can't trust you anymore and kill

them off so create a CAA record for your DNS say who is authorized to do that TLS posture this is one way we can find out unfortunately I didn't have it where that graphic didn't show up I'm not that great with PowerPoint I'm I'm I'm pretty good with security though so this is a report that you get from a place called SSL Labs what's your external security posture look like for let's say your website go to ssllabs.com and do a test your server um uh I I'll I'll be happy to call people out go test USAA I guarantee you they're spot on um not only that I use them as a reference for

how to do things generally um their TLS 1.3 and 1.2 parameters they pretty much always rate as an A+ um they have almost everything where this comes up completely green across the board um so check not just your primary website check your APIs check your whatever check any site that you publish that that's a 443 and it's secured by a TLS certificate send that over there and have them take a look at it and if any of them look bad do something about it try and make it better um so one of the things that this is going to tell you is if you have a CAA record um it's going to tell you if you're running a deprecated

protocol it's going to tell you if you're running TLS 1.0 or SSL 2.0 or you're running uh Diffie-Hellman or uh SHA-1 or anything else that's deprecated out there it's going to tattle on you but here's the deal the bad guys already do this stuff and if you're not taking care of business on your website what you're doing is you're telling all of them hey come hack me I don't pay attention to detail cuz this is all easy stuff to do so get out there and do it would you like a free security scan by the way it's an Old Chestnut you get them all the time you just don't get a report they've been saying that for

years and it is so God true I mean uh I can't tell you how many times I have to you know endure that we're we're get another scan and they won't stop and the we talked to the uh the hosting company that's hosting the stuff they're not bringing it down um so what do we do block them but yeah we're getting scans all the time but we're not getting reports for whoever's scanning us so if you'd like a scan that you do get a report from I got to talk to him unfortunately he's not here right now he had to take off to go uh take his kid to a u soccer game the U Darren from C dis

CISA and the Department of Homeland Security was here CISA will do a scan of your external name space or IP address space and provide you a report on it on a weekly basis um free they do this for free they use all the standard tools like Nessus and everything else they put this report together and they'll say you have X number of sites that are in your class C that are exposed to the internet um we're seeing this many types of protocols that are out there we're seeing that you have something that's deprecated either it's TLS or you have something that's vulnerable or has a problem if you see if they see a medium or a high I believe it is they will

contact you by email every 4 hours until you get that cleaned up um they want you to be strong CISA wants you to have a good place to uh be on the internet so I truly recommend start using their services they will come in with a red team and hack your internal Network for you as well that is another service they provide they will do social engineering tests and they will do them the same way for every single organization that they work so they can kind of rate you in your industry and overall on how well you're doing use their services they're free so that's what I'm sing about they will contact you until uh everything's

resolved especially if it's high get control of your email I I can't tell you how many times I'm on a phone call with a vendor um and they just don't seem to be able to take care of business one for when it comes to email frankly I'm happy uh that Google and Yahoo and everybody else got together and said no more unless you follow DMARC um protocols and you have your um uh SPF records and you have your DKIM signatures done then we'll accept your email but if you send over 5,000 email a month to us I'm sorry a day 5,000 emails a day to us um we'll we'll just stop receiving your emails at Gmail or Yahoo that's it we're

not going to we're not going to play around anymore you're going to have to follow these protocols so [Music] that's the deal with that why should you set all these particular things up you should set them up because it's brand protection do you care about your brand on the internet um I'll pick up my buddies over at USAA um so USAA is usaa.com I don't even have to look it up I don't got to Google it or nothing else it I just know they have a pen over there for jobs usaajobs.com why dilute your brand why isn't it jobs.usaa.com I don't know marketing try and talk to marketing people about it it's like talking to the wall sometimes and I

would imagine these conversations happen but you know somebody gets it in their head that they have to spin up a whole another domain for something just because so um and I'm sure these conversations happen I know I had them at my old job they just wouldn't listen they wanted to spin up new domains for everything instead of using a subzone so brand protection if your brand is usaa.com you're going to do your best to protect it uh I know I protect the brand at my organization and why do you do or how do you do that with the files of this DMARC stuff man I really could use a table there we go about nine years ago I found evidence

by these rua and ruf records somebody was using at the company I was at our brand to sell Pharmaceuticals from China they were using it for spam campaigns and the only way to stop them is to make sure that this stuff that I'm going to tell you about is set up you have DMARC and DMARC is set to fail marketing should be demanding they should be coming to you and demanding that you set up DMARC records why because it is the best way to assure that the emails they want people's eyeballs on is actually being seen by the people they want to send it to it's the most reliable way to get the emails out there is if you had DMARC set up

and DMARC set up to fail I can guarantee that the organization I work for receives the email that I send out that our organization sends out and that they're not getting it from a pharmaceutical spam campaign on our our brand out of China so that's what I was talking about Google and and Yahoo and others have basically said you do DMARC if you send more than 5,000 emails a day and if you don't we're going to just say no and they have the ability to do so so how do we set this up in review or or in preview there are three things you have to have you have to have the source of the email you have

to sign the email you have to have a policy associated with the email so how do we do those three things those just three things sign a source sign policy SPF that's your Source basically it says where does this email originate from what is the outside relay where's it coming from right how do you do that you create an SPF record that SPF record could have includes that say uh a particular domain but you have to be careful with those and I'll tell you why in a moment or it could have a bunch of IP addresses that have or IPv6 addresses nonetheless it specifically states where that email is coming from um see what else do I need to talk

about here I think that's about it for that really so nonetheless you create on your DNS these SPF records let's talk about be on the lookout for SPF has a limit of 10 lookups if you have more than 10 includes you have broken What's called the RFC the rules of how these SPF records are designed to be used so how does that happen let's say I'm in an organization that has six lookups some organization it's a uh thoughtless will give me an include that has six more lookups this Thoughtless and people will break that 10 rule right they add up they additive how can I fix that problem use subzones so w5sc.org is the San Antonio radio club's website if I

wanted to send events out I could actually send that in the Sub Zone I could say noreply@events.w5sc.org why would I want to do that because every single Sub Zone that resets the counter I can have 10 lookups and what that does is takes pressure off my root domain of w5sc.org where I don't have more than 10 lookups so uh you can go to Radio Fiesta at event.w5sc.org oh by the way I am a ham radio operator and uh we have our Big Field Day event coming up on the uh 23rd and 24th uh and uh it's at the city shavo park come on out uh and then in July

19th we're going to be doing our big radio Fiesta come on out we're going to have CPS's trailer there where they're going to be demonstrating why you don't want to touch 6,000 volts uh and they do that with a hot dog and it doesn't take long um so every vendor if every vendor has a subdomain it'd be easy to track um when there's a problem I almost said when you're stupid um because that's basically what you find out if somebody makes a mistake and it's a DNS record to break what you have set up and you have it set up for fail you're DDoSing your email if the people that are sending the email on your

behalf send it from someplace that's not in your SPF record or they don't sign it anymore with the same DKIM key and they changed it or they don't sign it at all they break DMARC and they're and those emails will not be received that's why you need some kind of alert from your aggregator when they see excessive failures so um just FYI this is very exacting stuff it's got to line up perfectly or it doesn't go out so be on the lookout that SPF 10 lookup limit is really something to bite you in the butt put everybody in their own Sub Zone that sends on your behalf and your life is going to be so much

simpler oh so let's we'll talk about that in a minute oh God plus place my beer thank you so DKIM is the signing part of it we talked about the source let's talk about the sign so the message is signed cryptographically so if the header is modified it will say this header has been modified and I will not accept it um that happens sometimes when emails get automatically forwarded I'm so sorry don't automatically forward them just send them where they need to go people um yeah I don't have a way to fix that problem but what we can do is say cryptographically sign that email to show that that person is in control of that private key that signed that

email um so what have we done we've said where the source comes from we've also published the DKIM key of our public key that's being signed with the private key the email is so we can validate that that is our email that's being sent out for the longest time those are the only two things people cared about then they came up with [Music] DMARC DMARC is the policy what does the receiving organization do when they receive an email that does not follow the Pol the the the DMARC uh um what it said so if your SPF is off you don't say the source correctly if the DKIM's not signed it's not signed correctly what does the

policy state you need to [Music] do there are three things you can set it to none which basically I recommend to do that at first for any domain while you're creating all your aggregator information that says don't do anything don't reject it but don't throw it into quarantine next you can say throw it oh I went too far uh you can throw it in the quarantine which throw it in your spam folder last you can say reject if you say reject it's going to throw that email away at the relay so that email goes out to somebody at google.com and it doesn't match and you have it to reject the relay is going to throw it away that's just the way it is

so you want to make sure all this stuff works before you cut it Loose um once again aggregator so um if you have a problem you can flip it back to none the email out try and work out whatever the problem is um I recommend that absolutely but you don't leave it at none this is something that CISA I believe and the FBI recently put out a warning about people were creating DMARC policies thinking they were done but they were set to none and what that does it lets you monitor things but it doesn't let you do anything what you need to do is finish the job set it to reject all right discovery if you know everything that sends email

on behalf of your company you are so lucky I mean really lucky the organization I work for is big but it's not that big but even we had problems finding everything that was sending email on our behalf so you use these ruf and rua DMARC parameters they say go to Mimecast go to Proofpoint go to Agari to say aggregate that information put it in something that we can digest and pull that information back out once again aggregator aggregators turn data into actions what do we need to fix to continue moving forward what do we need to take out of the root domain put in their subdomain and keep moving forward level one clean up what you can control your

primary relay everybody knows where the email comes out of that thing um and other things that you can figure out or find out or things that you know that marketing is doing today it's hard to figure out what they did 10 years ago that's still in place because those people don't work here anymore but you have that's where the aggregator comes in aggregator rua and ruf now you can see how deep the rabbit hole goes and you'll find that one little thing that sends a few hundred emails a month that nobody that the organization knows exists anymore and by the way you might not even need all right once again subzones every time you move something to a sub Zone

you get another reset on your 10 SPF record lookups so move them as many as you can plus it's easier to manage them that way as well clean up what's not in use including your CNAME data once again uh getting back to CNAMEs they can bite you in the rear and with things going to Amazon those CNAMEs are just a part of doing business right level five billion some strategies for working with vendors that send email on your behalf thanks to Google and Yahoo and everybody forcing the organizations to move forward this is less of a problem it's still a problem but it's less of a problem because you can throw that at them and say this is not an option for

you to support DKIM and SPF anymore let's try and work together that's a good strategy I like that strategy I love that strategy to start off with but I do like the one where I just grind them down like a you know the oyster and the sand to make a pearl call them three times a week until they get the right people on the phone or the right programmers to build the right code in their email that they're sending on your behalf or go to your organization and say we need to find people less stupid to send our email work around the problem there is a way for using wild cards and some craziness that you can have Proofpoint

and others host your SPF records and work around the problem I don't like that because it's not a positive control um it's kind of random find fixing your out of control SPF records yeah subdomains again you got more than 10 lookups you got it move them how many here heard of BIMI fantastic wow it's getting more out there that is fantastic BIMI is Brand Indicators for Message Identification you've probably seen this but you don't know exactly what you saw if you use Gmail in a browser you would have seen a little bubble that might have an M for MasterCard let's say or V for Visa or whatever uh maybe a U for USAA maybe not

maybe you see USAA's logo instead huh why is that logo there that logo will only show up if you have the proper DMARC information set up if you're and you have some extra sauce you buy a certificate from somebody like DigiCert that is designed Verified Mark Certificate you cryptographically sign that image you put that image in a public place and you define where that image is in your uh DNS so what happens um it's being adopted by large brands that place a high value on email security and customer trust so and when I look through my email and Gmail what brand do you think I see there that has a BIMI

icon banjo B's General Store yep banjo B has figured out how to do this why can't you so right they've done it so look at BIMI and see what you can do to try and reinsure the trust of your brand with your customers with your members to show them that you're doing everything you can to do it right for email to do it right for DNS to do it right for your domain so you can control what's going on keep up with your logs create controls create roles whatever you need to do to keep things going forward keep your domain your domain and the company's domain that you deal with and manage so anybody have any

questions yes what happens so if you use a a primary like a CSP or you go through them domain registration and they switch that on the back end like that's happened before so how does that like when they're messing around with that and they're changing way just wow so you're saying like a domain registrar got purchased yeah and then they like move it around and things like that you I've never really had that problem I don't know um the domain registrars that I mainly worked with was like uh once again uh domain Solutions um and um the other one I love is Hover Hover is cheap and and they provide privacy right off the bat

um that's where I have all my personal stuff in there they're cheap I used to use GoDaddy GoDaddy was costing me three to four times the amount of money that I'm paying for a domain it's like 16 17 bucks at Hover and and it's all inclusive including privacy one place oh the more G you own the better discount you get anyway so that's why I own uh you know mortgage.com and just another bank.com just to show people you know it's just another bank um any other questions um all of this stuff is easy enough to set up the hard part is who does it really um some people throw it over the wall and say hey security team

this sounds like security you do it this is the way email is built in 2024 if you're Exchange and your email guys don't know how to do this you need to find other people to do those roles I'm sorry you know they need to learn they need to learn new things this is not something new DMARC has been around since 2008 it's just time it's just time okay any other questions about any of this stuff yes sir yeah what made you pregame the AI human mortgage like that's like a total AI well no no uh I actually I got it I did I I knew the CISO over at uh Credit Human and so I bought mortgage human.com

as a troll sorry so so yeah I own a couple things like that just for fun I I own cyber dumb.com cuz too many things for cyber smart it's just parked someday I'll do something with it who knows well nonetheless thank you all very much enjoy BSides grab a beer have some fun