[G1-Sync] Manual knowledge update

2026-05-09 22:47:42 +09:00
parent 93ec7e9056
commit 21ac3ed255
56 changed files with 22043 additions and 43 deletions
@@ -0,0 +1,430 @@
+---
+id: security-phishing-defense
+title: Phishing Defense — DMARC / Phishing-resistant MFA / 교육
+category: Coding
+status: draft
+source_trust_level: B
+verification_status: conceptual
+created_at: 2026-05-09
+updated_at: 2026-05-09
+tags: [security, phishing, vibe-coding]
+tech_stack: { language: "Process", applicable_to: ["Security"] }
+applied_in: []
+aliases: [phishing, DMARC, SPF, DKIM, BIMI, phishing simulation, social engineering]
+---
+
+# Phishing Defense
+
+> 가장 흔한 attack vector. **Email auth (SPF/DKIM/DMARC) + Phishing-resistant MFA + 교육 + simulation**. Tech 만으로 X — 사람 + process.
+
+## 📖 핵심 개념
+- Email spoofing: from address 위조.
+- Credential phishing: fake login page.
+- Spear phishing: target 특정 person.
+- Vishing / Smishing: phone / SMS.
+
+## 💻 코드 패턴
+
+### SPF (Sender Policy Framework)
+```
+DNS TXT record:
+"v=spf1 include:_spf.google.com include:sendgrid.net ~all"
+
+→ Authorized mail server list.
+   ~all = soft fail. -all = hard fail.
+```
+
+### DKIM (DomainKeys Identified Mail)
+```
+DNS TXT (selector._domainkey.example.com):
+"v=DKIM1; k=rsa; p=MIGfMA0G..."
+
+→ Public key. Server 가 sign email.
+   Receiver 가 verify.
+```
+
+### DMARC (정책 + 보고)
+```
+DNS TXT (_dmarc.example.com):
+"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
+
+p:
+  none — monitor only
+  quarantine — spam folder
+  reject — block
+
+→ p=reject 가 강. Email server 가 spoofed email reject.
+```
+
+### DMARC report
+```xml
+<!-- 매 일 받음 -->
+<feedback>
+  <report_metadata>
+    <org_name>google.com</org_name>
+    <date_range>...</date_range>
+  </report_metadata>
+  <record>
+    <row>
+      <source_ip>1.2.3.4</source_ip>
+      <count>1</count>
+      <policy_evaluated>
+        <disposition>reject</disposition>
+        <dkim>fail</dkim>
+        <spf>fail</spf>
+      </policy_evaluated>
+    </row>
+  </record>
+</feedback>
+```
+
+→ Tools: dmarcian, Postmark, Valimail.
+
+### BIMI (logo in inbox)
+```
+DMARC p=quarantine 또는 p=reject 필수.
+Verified Mark Certificate (VMC, paid).
+
+DNS TXT (default._bimi.example.com):
+"v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem"
+
+→ Inbox 안 logo 표시. Trust signal.
+```
+
+### Phishing-resistant MFA
+```
+Phishable:
+- SMS OTP (SIM swap, MITM)
+- TOTP code (real-time MITM)
+- Push notification (fatigue attack)
+
+Phishing-resistant:
+- WebAuthn / Passkey
+- FIDO2 hardware key (YubiKey)
+- Smart card (PIV)
+
+→ Origin verification 자동.
+```
+
+→ [[Security_2FA_TOTP_WebAuthn]].
+
+### 사용자 교육
+```
+Training (정기):
+- 매 분기 module
+- 새 employee onboarding
+- Real example (회사 의 사고 + 산업)
+
+Topics:
+- Email red flags (urgent, threat, link)
+- Sender check (full email address)
+- Hover over link
+- Don't input password from email
+- Suspicious attachment
+- Verify by phone (different channel)
+```
+
+### Phishing simulation
+```
+회사 가 자체 phishing email 보냄:
+- Click rate 측정
+- 누가 click?
+- 추가 training
+
+Tools:
+- KnowBe4
+- Microsoft Attack Simulator
+- Gophish (open source)
+```
+
+```
+Email examples:
+- "Urgent: Your password expires"
+- "HR: Updated benefits — review attached"
+- "CEO: Quick question, please reply"
+- "Your package delivery"
+- "Bank account suspended"
+```
+
+### Click rate metric
+```
+Initial: 30-50% click (untrained)
+After training: 5-10%
+Goal: < 2%
+
+Repeat offender → mandatory training → manager 알림.
+```
+
+### Email warning banner
+```
+External email = banner:
+"⚠️ This email originated outside your organization. Be cautious of links and attachments."
+```
+
+→ Microsoft 365 / Google Workspace built-in.
+
+### Anti-phishing toolbar
+```
+Browser extensions:
+- 1Password 가 fake login detect (URL match)
+- Password manager 가 password 안 fill (다른 도메인)
+
+→ Password manager = phishing 방어.
+```
+
+### Domain similar (typosquatting)
+```
+example.com → exarnple.com (rn = m)
+example.com → examp1e.com (1 = l)
+example.com → example.co (TLD)
+example.com → example-secure.com
+
+→ 자체 monitoring:
+   - DNS Twist tool
+   - 등록 watch
+   - 자체 register (defensive)
+```
+
+### Url shortener
+```
+bit.ly / tinyurl — phishing 자주.
+
+해결:
+- 회사 내부 URL 만 shortener
+- Link expansion (preview)
+- 외부 shortener block
+```
+
+### Cloud (Microsoft Defender / Google)
+```
+- Inbound email scan (link, attachment)
+- Sandbox (safe link click)
+- Anomaly detect
+- Email tracking
+```
+
+### Sender Authentication 체크 (받는 사람)
+```
+Email body 안 sender domain:
+- example@example-billing.com (가짜)
+- example@example.com (진짜)
+
+→ Hover + read carefully.
+```
+
+### Internal communication norms
+```
+- "We will never ask for your password by email"
+- "We will never request gift cards"
+- "Always verify wire transfers by phone (separate channel)"
+
+→ Default norm 가 explicit.
+```
+
+### Incident response (phishing 발견)
+```
+1. User reports → security team (1-click "Report Phish")
+2. Email pull (모든 mailbox 에서 같은 email 제거)
+3. Sender block (domain block)
+4. URL block (proxy block)
+5. Notification (모든 user)
+6. Investigation (누가 click? credential 입력?)
+7. Password reset (compromised)
+8. 2FA 강제
+9. Forensic (다른 device 로 access?)
+```
+
+### Tools
+```
+Email: Microsoft Defender, Google Advanced Protection, Proofpoint, Mimecast
+Simulation: KnowBe4, Microsoft Attack Sim, Gophish
+DMARC: dmarcian, Valimail, Postmark
+Domain monitor: DNSTwist, dnstwist.it, BrandShield
+```
+
+### Vishing / Smishing
+```
+Vishing (voice phishing):
+- Caller ID spoof
+- 은행 사칭
+- IT support 사칭
+
+Defense:
+- 회사 가 절대 password 묻지 X
+- Suspicious call → hang up + call back (verified number)
+- Internal directory
+
+Smishing (SMS):
+- Bank, package delivery
+- Click link → fake site
+
+Defense:
+- 회사 SMS gateway 일관
+- "Verify URL" rule
+```
+
+### Business Email Compromise (BEC)
+```
+Attacker 가 CEO 가짜 email:
+"Quick task: send wire transfer to ..."
+
+Most expensive phishing.
+
+Defense:
+- 큰 transfer = phone verify
+- Dual control (2 명 approve)
+- Vendor change verify (out-of-band)
+```
+
+### CEO fraud / impersonation
+```
+"From: CEO <ceo.example@gmail.com>"
+(real domain != gmail.com)
+
+→ DMARC + banner.
+```
+
+### Spear phishing (정밀 target)
+```
+Target research (LinkedIn, public):
+- Name, role
+- Project
+- Coworkers
+- Vacation plan
+
+Email 가 매우 personal:
+"Hi John, about the Project X meeting tomorrow..."
+
+→ Generic phishing 보다 위험 — 일반 training 못 잡음.
+```
+
+### Consumer-facing phishing (회사 brand)
+```
+Attacker 가 회사 사칭 → 사용자 phish:
+- Fake login site
+- Credential 입력
+- Account takeover
+
+Defense:
+- DMARC reject (email)
+- Domain monitor
+- BIMI (logo in inbox)
+- Brand monitoring
+- Customer education
+```
+
+### Customer education
+```
+공식 channel:
+"We will never ask for your password.
+Verify URL is exactly example.com.
+Report suspicious emails to phishing@example.com."
+
+Email signature 안 하단 banner.
+```
+
+### Reporting (사용자 → 회사)
+```ts
+// "Report phishing" button (Outlook / Gmail extension)
+async function reportPhish(emailRaw: string) {
+  await db.phishingReports.create({
+    raw: emailRaw,
+    reporterId: user.id,
+    reportedAt: new Date(),
+  });
+  
+  // Auto-process
+  if (isObviouslyPhishing(emailRaw)) {
+    await blockSender(emailRaw);
+    await pullFromAllInboxes(emailRaw);
+  }
+  
+  await notifySecurityTeam(emailRaw);
+}
+```
+
+### Education content
+```
+Quarterly:
+- 5 min video
+- 3 quiz questions
+- Real example (anonymized)
+
+Topics:
+- Recognize phishing
+- Password manager use
+- Passkey adoption
+- Social engineering
+- Reporting
+```
+
+### Risk-based authentication
+```
+Login from new device / location:
+- Email confirm
+- 2FA strong (Passkey)
+- Session limited
+- Notify user
+
+→ Phishing 가 credential 만 — device 다름.
+```
+
+### Industry intel (Threat Intelligence)
+```
+새 phishing campaign:
+- VirusTotal
+- AlienVault OTX
+- IBM X-Force
+- ThreatFox
+
+→ Block lists update.
+```
+
+### Domain reputation
+```
+회사 domain 의 reputation:
+- MXToolbox
+- Senderbase
+- Talos
+
+→ Spam folder 안 됨.
+```
+
+### Continuous monitoring
+```
+- DMARC reports daily
+- Phishing simulation quarterly
+- Click rate monthly trend
+- Reported phishing weekly
+- New similar domain detected
+```
+
+## 🤔 의사결정 기준
+| 영역 | 우선 |
+|---|---|
+| Email auth | DMARC reject ASAP |
+| MFA | Passkey 강제 |
+| Education | 분기마다 |
+| Simulation | 분기마다 |
+| Customer | DMARC + warning + report |
+| Incident | 명시 process |
+
+## ❌ 안티패턴
+- **DMARC p=none 영원**: enforce 안 함.
+- **SMS 만 MFA**: phishable.
+- **Education 한 번 + 영원**: 잊혀짐.
+- **Click rate 무 metric**: 발전 X.
+- **Repeat offender 무 action**: 같은 사람 반복.
+- **External warning 무**: 사용자 안 신호.
+- **Reporting 어려움**: 사용자 안 report.
+
+## 🤖 LLM 활용 힌트
+- DMARC reject + Passkey + 분기 simulation = baseline.
+- 1-click report 가 friction 작음.
+- Customer 도 educate.
+- Incident response process 명시.
+
+## 🔗 관련 문서
+- [[Security_2FA_TOTP_WebAuthn]]
+- [[Security_OWASP_Top_10_Practical]]
+- [[Security_Login_Flows]]