| id | title | category | status | source_trust_level | verification_status | created_at | updated_at | tags | tech_stack | applied_in | aliases |
|---|---|---|---|---|---|---|---|---|---|---|---|
| security-phishing-defense | Phishing Defense — DMARC / Phishing-resistant MFA / Training | Coding | draft | B | conceptual | 2026-05-09 | 2026-05-09 | | | | |
Phishing Defense
The most common attack vector. Email auth (SPF/DKIM/DMARC) + phishing-resistant MFA + training + simulation. Tech alone is not enough: people + process.
📖 Core concepts
- Email spoofing: forged From address.
- Credential phishing: fake login page.
- Spear phishing: targets a specific person.
- Vishing / Smishing: phone / SMS.
💻 Code patterns
SPF (Sender Policy Framework)
DNS TXT record:
"v=spf1 include:_spf.google.com include:sendgrid.net ~all"
→ List of authorized mail servers.
~all = soft fail. -all = hard fail.
DKIM (DomainKeys Identified Mail)
DNS TXT (selector._domainkey.example.com):
"v=DKIM1; k=rsa; p=MIGfMA0G..."
→ Public key. The sending server signs the email; the receiver verifies the signature.
DMARC (policy + reporting)
DNS TXT (_dmarc.example.com):
"v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
p:
none — monitor only
quarantine — spam folder
reject — block
→ p=reject is the strongest. Receiving mail servers reject spoofed email.
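Added example (not from the original note): a small Python checker that parses SPF and DMARC TXT strings in the syntax shown above and flags the weak settings discussed in both sections (~all, p=none/quarantine, pct<100, missing rua). The records are the ones quoted above, embedded as constants rather than fetched from DNS.

```python
# Constructed sample records mirroring the page's examples (not fetched from DNS).
SPF_RECORD = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Return findings for a weak or over-sized SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last in ("~all", "?all"):
        findings.append("SPF: soft-fail/neutral 'all'; move to -all once DMARC is enforced")
    elif last in ("+all", "all"):
        findings.append("SPF: +all authorizes every sender")
    elif last != "-all":
        findings.append("SPF: no terminal 'all' mechanism")
    # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation.
    names = [t.lower().lstrip("+-~?").split(":")[0].split("=")[0] for t in terms[1:]]
    lookups = sum(1 for n in names if n in ("include", "a", "mx", "exists", "ptr", "redirect"))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10")
    return findings


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record that is not yet enforcing."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy}; only p=reject blocks spoofed mail")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct<100 enforces the policy on only a sample of mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings
```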
DMARC report
```xml
<!-- received daily -->
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <date_range>...</date_range>
  </report_metadata>
  <record>
    <row>
      <source_ip>1.2.3.4</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
  </record>
</feedback>
```
→ Tools: dmarcian, Postmark, Valimail.
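Added example, not part of the original note: a standard-library parser for the aggregate (rua) report format shown above, rolling up each source IP's message count and authentication failures. The report XML is constructed here, with a second record added so the summary contrasts a sender that passed with one that failed; the date_range values are made up.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the rua format shown above; a second record is
# added so the summary has a passing sender to contrast with the failing one.
REPORT_XML = """<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <date_range><begin>1778284800</begin><end>1778371199</end></date_range>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>1.2.3.4</source_ip><count>1</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
  </record>
</feedback>"""


def summarize_report(xml_text: str) -> dict:
    """Roll up an aggregate report by source IP: messages seen, messages failing
    both SPF and DKIM, and the dispositions the receiver applied."""
    root = ET.fromstring(xml_text)
    summary = {
        "org": root.findtext("report_metadata/org_name"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        entry = summary["sources"].setdefault(
            ip, {"messages": 0, "auth_failed": 0, "dispositions": set()})
        entry["messages"] += count
        if pe.findtext("dkim") == "fail" and pe.findtext("spf") == "fail":
            entry["auth_failed"] += count
        entry["dispositions"].add(pe.findtext("disposition"))
    return summary


def unauthenticated_sources(summary: dict) -> list:
    """IPs that sent as the domain and failed both checks: spoofing, or a forgotten legitimate sender."""
    return sorted(ip for ip, e in summary["sources"].items() if e["auth_failed"] > 0)
```

In practice the report arrives as a zipped attachment at the rua address; unzip it and pass the XML text to summarize_report.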
BIMI (logo in inbox)
Requires DMARC p=quarantine or p=reject.
Verified Mark Certificate (VMC, paid).
DNS TXT (default._bimi.example.com):
"v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/cert.pem"
→ Logo shown in the inbox. Trust signal.
Phishing-resistant MFA
Phishable:
- SMS OTP (SIM swap, MITM)
- TOTP code (real-time MITM)
- Push notification (fatigue attack)
Phishing-resistant:
- WebAuthn / Passkey
- FIDO2 hardware key (YubiKey)
- Smart card (PIV)
→ Origin verification happens automatically.
User training
Training (recurring):
- Quarterly module
- New-employee onboarding
- Real examples (the company's own incidents + the industry's)
Topics:
- Email red flags (urgent, threat, link)
- Sender check (full email address)
- Hover over link
- Don't enter a password from an email link
- Suspicious attachment
- Verify by phone (different channel)
Phishing simulation
The company sends its own phishing emails:
- Measure click rate
- Who clicked?
- Additional training
Tools:
- KnowBe4
- Microsoft Attack Simulator
- Gophish (open source)
Email examples:
- "Urgent: Your password expires"
- "HR: Updated benefits — review attached"
- "CEO: Quick question, please reply"
- "Your package delivery"
- "Bank account suspended"
Click rate metric
Initial: 30-50% click (untrained)
After training: 5-10%
Goal: < 2%
Repeat offender → mandatory training → notify manager.
Email warning banner
External email = banner:
"⚠️ This email originated outside your organization. Be cautious of links and attachments."
→ Microsoft 365 / Google Workspace built-in.
Anti-phishing toolbar
Browser extensions:
- 1Password detects fake login pages (URL match)
- Password manager does not fill the password (different domain)
→ Password manager = phishing defense.
Look-alike domains (typosquatting)
example.com → exarnple.com (rn = m)
example.com → examp1e.com (1 = l)
example.com → example.co (TLD)
example.com → example-secure.com
→ Monitor these yourself:
- dnstwist tool
- Watch for new registrations
- Register them yourself (defensive registration)
URL shorteners
bit.ly / tinyurl are frequently used in phishing.
Fix:
- Shortener only for internal company URLs
- Link expansion (preview)
- Block external shorteners
Cloud (Microsoft Defender / Google)
- Inbound email scan (link, attachment)
- Sandbox (safe link click)
- Anomaly detect
- Email tracking
Sender authentication check (recipient side)
Sender domain in the email:
- example@example-billing.com (fake)
- example@example.com (real)
→ Hover + read carefully.
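Added example, not part of the note: a sender-domain classifier that implements the look-alike patterns from the typosquatting section (rn/1 homoglyphs, TLD swap, brand keyword joined with a hyphen) and the billing-domain check above, so a mail gateway or "Report Phish" add-in can flag the sender before the user has to squint at it. CORP_DOMAIN and the homoglyph table are assumptions, and it handles only single-label TLDs (example.com, not example.co.uk).

```python
# Assumed corporate domain (the note's placeholder) and a small homoglyph table.
CORP_DOMAIN = "example.com"
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "1": "l", "0": "o"}


def fold_homoglyphs(label: str) -> str:
    """Replace look-alike sequences so 'exarnple' and 'examp1e' both fold to 'example'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify_sender_domain(sender: str, corp: str = CORP_DOMAIN) -> str:
    """Classify an address's domain relative to the corporate domain.
    Assumes a single-label TLD (example.com, not example.co.uk)."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    corp = corp.lower()
    if domain == corp:
        return "exact"
    if domain.endswith("." + corp):
        return "subdomain"
    if "." not in domain:
        return "unrelated"
    corp_label, corp_tld = corp.rsplit(".", 1)
    host, tld = domain.rsplit(".", 1)
    label = host.rsplit(".", 1)[-1]  # registrable label, ignoring any subdomain prefix
    if label == corp_label and tld != corp_tld:
        return "tld-variant"        # example.co
    if label != corp_label and fold_homoglyphs(label) == corp_label:
        return "homoglyph"          # exarnple.com, examp1e.com
    if label != corp_label and corp_label in label.split("-"):
        return "brand-keyword"      # example-secure.com, example-billing.com
    return "unrelated"


def flag_sender(sender: str, corp: str = CORP_DOMAIN) -> bool:
    """True when the sender domain imitates the corporate domain and should be surfaced or blocked."""
    return classify_sender_domain(sender, corp) in ("tld-variant", "homoglyph", "brand-keyword")
```

A free-mail sender such as ceo.example@gmail.com classifies as "unrelated" here; that case is caught by the external-email banner, not by look-alike matching.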
Internal communication norms
- "We will never ask for your password by email"
- "We will never request gift cards"
- "Always verify wire transfers by phone (separate channel)"
→ Make the default norms explicit.
Incident response (phishing found)
1. User reports → security team (1-click "Report Phish")
2. Email pull (remove the same email from every mailbox)
3. Sender block (domain block)
4. URL block (proxy block)
5. Notification (all users)
6. Investigation (who clicked? entered credentials?)
7. Password reset (compromised accounts)
8. Enforce 2FA
9. Forensics (access from other devices?)
Tools
Email: Microsoft Defender, Google Advanced Protection, Proofpoint, Mimecast
Simulation: KnowBe4, Microsoft Attack Sim, Gophish
DMARC: dmarcian, Valimail, Postmark
Domain monitor: DNSTwist, dnstwist.it, BrandShield
Vishing / Smishing
Vishing (voice phishing):
- Caller ID spoofing
- Bank impersonation
- IT support impersonation
Defense:
- The company never asks for passwords
- Suspicious call → hang up + call back (verified number)
- Internal directory
Smishing (SMS):
- Bank, package delivery
- Click link → fake site
Defense:
- Consistent company SMS gateway
- "Verify URL" rule
Business Email Compromise (BEC)
Attacker sends a fake CEO email:
"Quick task: send wire transfer to ..."
Most expensive phishing.
Defense:
- Large transfers = phone verification
- Dual control (2 people approve)
- Vendor change verification (out-of-band)
CEO fraud / impersonation
"From: CEO <ceo.example@gmail.com>"
(real domain != gmail.com)
→ DMARC + banner.
Spear phishing (precisely targeted)
Target research (LinkedIn, public sources):
- Name, role
- Project
- Coworkers
- Vacation plan
The email is highly personal:
"Hi John, about the Project X meeting tomorrow..."
→ More dangerous than generic phishing; generic training does not catch it.
Consumer-facing phishing (company brand)
Attacker impersonates the company → phishes its users:
- Fake login site
- Credentials entered
- Account takeover
Defense:
- DMARC reject (email)
- Domain monitor
- BIMI (logo in inbox)
- Brand monitoring
- Customer education
Customer education
Official channel:
"We will never ask for your password.
Verify URL is exactly example.com.
Report suspicious emails to phishing@example.com."
Banner at the bottom of the email signature.
Reporting (user → company)
```typescript
// "Report phishing" button handler (Outlook / Gmail extension)
interface PhishReportDeps {
  db: { phishingReports: { create(r: { raw: string; reporterId: string; reportedAt: Date }): Promise<void> } };
  isObviouslyPhishing(raw: string): boolean;
  blockSender(raw: string): Promise<void>;
  pullFromAllInboxes(raw: string): Promise<void>;
  notifySecurityTeam(raw: string): Promise<void>;
}

async function reportPhish(emailRaw: string, reporterId: string, deps: PhishReportDeps): Promise<void> {
  // Store the raw message first so the evidence survives even if a later step fails
  await deps.db.phishingReports.create({
    raw: emailRaw,
    reporterId,
    reportedAt: new Date(),
  });
  // Auto-process: obvious cases are contained without waiting for an analyst
  if (deps.isObviouslyPhishing(emailRaw)) {
    await deps.blockSender(emailRaw);
    await deps.pullFromAllInboxes(emailRaw);
  }
  // Every report reaches the security team, auto-handled or not
  await deps.notifySecurityTeam(emailRaw);
}
```
Education content
Quarterly:
- 5 min video
- 3 quiz questions
- Real example (anonymized)
Topics:
- Recognize phishing
- Password manager use
- Passkey adoption
- Social engineering
- Reporting
Risk-based authentication
Login from a new device / location:
- Email confirmation
- Strong 2FA (Passkey)
- Limited session
- Notify user
→ Phishing captures only the credential; the device is different.
Industry intel (Threat Intelligence)
New phishing campaigns:
- VirusTotal
- AlienVault OTX
- IBM X-Force
- ThreatFox
→ Update block lists.
Domain reputation
Your company domain's reputation:
- MXToolbox
- Senderbase
- Talos
→ Keep mail out of the spam folder.
Continuous monitoring
- DMARC reports daily
- Phishing simulation quarterly
- Click rate monthly trend
- Reported phishing weekly
- New similar domain detected
🤔 Decision criteria
| Area | Priority |
|---|---|
| Email auth | DMARC reject ASAP |
| MFA | Enforce Passkeys |
| Education | Quarterly |
| Simulation | Quarterly |
| Customer | DMARC + warning + report |
| Incident | Explicit process |
❌ Anti-patterns
- DMARC p=none forever: never enforced.
- SMS-only MFA: phishable.
- One-time training, then nothing: forgotten.
- No click-rate metric: no improvement.
- No action on repeat offenders: the same people keep clicking.
- No external warning banner: users get no signal.
- Reporting is hard: users don't report.
🤖 LLM usage hints
- DMARC reject + Passkey + quarterly simulation = baseline.
- 1-click reporting keeps friction low.
- Educate customers too.
- Make the incident response process explicit.