You are on page 1of 242

Cisco Email Security:

Bootcamp

Dragan Novaković, Security Consulting Systems Engineer


dnovakov@cisco.com
Agenda

• Short History of SMTP


• Email Security Architecture
• Routing Email, Bounces, MIME
• The Email Pipeline - Mail Flow Policies, Incoming vs. Outgoing Mail
• Security engines and their parameters - Configuration and Best Practice
• Encryption
• Authentication - Anti-Spoofing and Anti-phishing
Short History of SMTP
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
ARPANET in 1971

Source: Heart, F., McKenzie, A., McQuillian, J., and Walden, D., ARPANET Completion Report, Bolt, Beranek and Newman, Burlington, MA, January 4, 1978

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
The First Email System: SNDMSG & CPYNET

BBN-TENEXB BBN-TENEXA
DEC PDP-10 DEC PDP-10
216 KB memory 288 KB memory

Teletype KSR-33
The First Email Reader!

Source: http://openmap.bbn.com/~tomlinso/ray/ka10.html, retrieved 01 Dec 2014. Photograph courtesy of Dan Murphy,

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
1981: RFC788, Simple Mail Transfer Protocol

Source: http://mercury.lcs.mit.edu/~jnc/tech/arpageo.html, retrieved 01 December 2014.

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
1978: The First Spammer, Gary Thuerk!
Mail-from: DEC-MARLBORO rcvd at 3-May-78 0955-PDT
Date: 1 May 1978 1233-EDT
From: THUERK at DEC-MARLBORO
Subject: ADRIAN@SRI-KL
To: DDAY at SRI-KL, DAY at SRI-KL, DEBOER at UCLA-CCN,
To: WASHDC at SRI-KL, LOGICON at USC-ISI, SDAC at USC-ISI,
To: DELDO at USC-ISI, DELEOT at USC-ISI, DELFINO at USC-ISI,
To: DENICOFF at USC-ISI, DESPAIN at USC-ISI, DEUTSCH at SRI-KL,
To: DEUTSCH at PARC-MAXC, EMY at CCA-TENEX, DIETER at USC-ISIB,
To: DINES at AMES-67, MERADCON at SRI-KL, EPG-SPEC at SRI-KA,
To: DIVELY at SRI-KL, DODD at USC-ISI, DONCHIN at USC-ISIC,
To: JED at LLL-COMP, DORIN at CCA-TENEX, NYU at SRI-KA,
To: DOUGHERTY at USC-ISI, PACOMJ6 at USC-ISI,
To: DEBBY at UCLA-SECURITY, BELL at SRI-KL, JHANNON at SRI-KA,
To: DUBOIS at USC-ISI, DUDA at SRI-KL, POH at USC-ISI,
To: LES at SU-AI, EAST at BBN-TENEX, DEASTMAN at USC-ECL,
To: EBISU at I4-TENEX, NAC at USC-ISIE, ECONOMIDIS at I4-TENEX,
To: WALSH at SRI-KL, GEDWARDS at SRI-KL, WEDWARDS at USC-ISI,
To: NUSC at SRI-KL, RM at SU-AI, ELKIND at PARC-MAXC,
To: ELLENBY at PARC-MAXC, ELLIS at PARC-MAXC, ELLIS at USC-ISIB,
To: ENGELBART at SRI-KL, ENGELMORE at SUMEX-AIM,
To: ENGLISH at PARC-MAXC, ERNST at I4-TENEX,
To: ESTRIN at MIT-MULTICS, EYRES at USC-ISIC,
To: FAGAN at SUMEX-AIM, FALCONER at SRI-KL,
To: DUF at UCLA-SECURITY, FARBER at RAND-UNIX, PMF at SU-AI,
To: HALFF at USC-ISI, RJF at MIT-MC, FEIERBACH at I4-TENEX,
To: FEIGENBAUM at USC-ISI, FEINLER at SRI-KL,
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
1978: The First Spammer, Gary Thuerk!
To: FELDMAN at SUMEX-AIM, FELDMAN at SRI-KL, FERNBACH at LLL-COMP,
To: FERRARA at RADC-MULTICS, FERRETTI at SRI-KA,
To: FIALA at PARC-MAXC, FICKAS at USC-ISIC, AFIELD at I4-TENEX,
To: FIKES at PARC-MAXC, REF at SU-AI, FINK at MIT-MULTICS,
To: FINKEL at USC-ISIB, FINN at USC-ISIB, AFGWC at BBN-TENEX,
To: FLINT at SRI-KL, WALSH at SRI-KL, DRXAN at SRI-KA,
To: FOX at SRI-KL, FRANCESCHINI at MIT-MULTICS,
To: SAI at USC-ISIC, FREDRICKSON at RAND-RCC, ETAC at BBN-TENEXB,
To: FREYLING at BBN-TENEXE, FRIEDLAND at SUMEX-AIM,
To: FRIENDSHUH at SUMEX-AIM, FRITSCH at LLL-COMP, ME at SU-AI,
To: FURST at BBN-TENEXB, FUSS at LLL-COMP, OP-FYE at USC-ISIB,
To: SCHILL at USC-ISIC, GAGLIARDI at USC-ISIC,
To: GAINES at RAND-UNIX, GALLENSON at USC-ISIB,
To: GAMBLE at BBN-TENEXE, GAMMILL at RAND-UNIX,
To: GANAN at USC-ISI, GARCIA at SUMEX-AIM,
To: GARDNER at SUMEX-AIM, MCCUTCHEN at SRI-KL,
To: GARDNER at MIT-MULTICS, GARLICK at SRI-KL,
To: GARVEY at SRI-KL, GAUTHIER at USC-ISIB,
To: USGS-LIA at BBN-TENEX, GEMOETS at I4-TENEX,
To: GERHART at USC-ISIB, GERLA at USC-ISIE, GERLACH at I4-TENEX,
To: GERMAN at HARV-10, GERPHEIDE at SRI-KA, DANG at SRI-KL,
To: GESCHKE at PARC-MAXC, GIBBONS at CMU-10A,
To: GIFFORD.COMPSYS at MIT-MULTICS, JGILBERT at BBN-TENEXB,
To: SGILBERT at BBN-TENEXB, SDAC at USC-ISI,
To: GILLOGLY at RAND-UNIX, STEVE at RAND-UNIX,
To: GLEASON at SRI-KL, JAG;BIN(1525) at UCLA-CCN,
To: GOLD at LL-11, GOLDBERG at USC-ISIB, GOLDGERG at SRI-KL,
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
1978: The First Spammer, Gary Thuerk!
To: GROBSTEIN at SRI-KL, GOLDSTEIN at BBN-TENEXB,
To: DARPM-NW at BBN-TENEXB, GOODENOUGH at USC-ISIB,
To: GEOFF at SRI-KL, GOODRICH at I4-TENEX, GOODWIN at USC-ISI,
To: GOVINSKY at SRI-KL, DEAN at I4-TENEX, TEG at MIT-MULTICS,
To: CCG at SU-AI, EPG-SPEC at SRI-KA, GRISS at USC-ECL,
To: BJG at RAND-UNIX, MCCUTCHEN at SRI-KL, GROBSTEIN at SRI-KL,
To: MOBAH at I4-TENEX, GUSTAFSON at USC-ISIB, GUTHARY at SRI-KL,
To: GUTTAG at USC-ISIB, GUYTON at RAND-RCC,
To: ETAC-AD at BBN-TENEXB, HAGMANN at USC-ECL, HALE at I4-TENEX,
To: HALFF at USC-ISI, DEHALL at MIT-MULTICS,
To: HAMPEL at LLL-COMP, HANNAH at USC-ISI,
To: NORSAR-TIP at USC-ISIC, SCRL at USC-ISI, HAPPY at SRI-KL,
To: HARDY at SRI-KL, IMPACT at SRI-KL, KLH at SRI-KL,
To: J33PAC at USC-ISI, HARRISON at SRI-KL, WALSH at SRI-KL,
To: DRCPM-FF at BBN-TENEXB, HART at AMES-67, HART at SRI-KL,
To: HATHAWAY at AMES-67, AFWL at I4-TENEX, BHR at RAND-UNIX,
To: RICK at RAND-UNIX, DEBE at USC-ISIB, HEARN at USC-ECL,
To: HEATH at UCLA-ATS, HEITMEYER at BBN-TENEX, ADTA at SRI-KA,
To: HENDRIX at SRI-KL, CH47M at BBN-TENEXB, HILLIER at SRI-KL,
To: HISS at I4-TENEX, ASLAB at USC-ISIC, HOLG at USC-ISIB,
To: HOLLINGWORTH at USC-ISIB, HOLLOWAY at HARV-10,
To: HOLMES at SRI-KL, HOLSWORTH at SRI-KA, HOLT at LLL-COMP,
To: HOLTHAM at LL, DHOLZMAN at RAND-UNIX, HOPPER at USC-ISIC,
To: HOROWITZ at USC-ISIB, VSC at USC-ISI, HOWARD at LLL-COMP,
To: HOWARD at USC-ISI, PURDUE at USC-ISI, HUBER at RAND-RCC,
To: HUNER at RADC-MULTICS, HUTSON at AMES-67, IMUS at USC-ISI,
To: JACOBS at USC-ISIE, JACOBS at BBN-TENEXB,
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
1978: The First Spammer, Gary Thuerk!
To: JACQUES at BBN-TENEXB, JARVIS at PARC-MAXC,
To: JEFFERS at PARC-MAXC, JENKINS at PARC-MAXC,
To: JENSEN at SRI-KA, JIRAK at SUMEX-AIM, NICKIE at SRI-KL,
To: JOHNSON at SUMEX-AIM, JONES at SRI-KL, JONES at LLL-COMP,
To: JONES at I4-TENEX, RLJ at MIT-MC, JURAK at USC-ECL,
To: KAHLER at SUMEX-AIM, MWK at SU-AI, KAINE at USC-ISIB,
To: KALTGRAD at UCLA-ATS, MARK at UCLA-SECURITY, RAK at SU-AI,
To: KASTNER at USC-ISIB, KATT at USC-ISIB,
To: UCLA-MNC at USC-ISI, ALAN at PARC-MAXC, KEENAN at USC-ISI,
To: KEHL at UCLA-CCN, KELLEY at SRI-KL, BANANA at I4-TENEX,
To: KELLOGG at USC-ISI, DDI at USC-ISI, KEMERY at SRI-KL,
To: KEMMERER at UCLA-ATS, PARVIZ at UCLA-ATS, KING at SUMEX-AIM,
To: KIRSTEIN at USC-ISI, SDC at UCLA-SECURITY,
To: KLEINROCK at USC-ISI, KLEMBA at SRI-KL, CSK at USC-ISI,
To: KNIGHT at SRI-KL, KNOX at USC-ISI, KODA at USC-ISIB,
To: KODANI at AMES-67, KOOIJ at USC-ISI, KREMERS at SRI-KL,
To: BELL at SRI-KL, KUNZELMAN at SRI-KL, PROJX at SRI-KL,
To: LAMPSON at PARC-MAXC, SDL at RAND-UNIX, JOJO at SRI-KL,
To: SDC at USC-ISI, NELC3030 at USC-ISI,
To: LEDERBERG at SUMEX-AIM, LEDUC at SRI-KL, JSLEE at USC-ECL,
To: JACOBS at USC-ISIE, WREN at USC-ISIB, LEMONS at USC-ISIB,
To: LEUNG at SRI-KL, J33PAC at USC-ISI, LEVIN at USC-ISIB,
To: LEVINTHAL at SUMEX-AIM, LICHTENBERGER at I4-TENEX,
To: LICHTENSTEIN at USC-ISI, LIDDLE at PARC-MAXC,
To: LIEB at USC-ISIB, LIEBERMAN at SRI-KL, STANL at USC-ISIE,
To: LIERE at I4-TENEX, DOCB at USC-ISIC, LINDSAY at SRI-KL,
To: LINEBARGER at AMES-67, LIPKIS at USC-ECL, SLES at USC-ISI,
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
1978: The First Spammer, Gary Thuerk!
To: LIS at SRI-KL, LONDON at USC-ISIB, J33PAC at USC-ISI,
To: LOPER at SRI-KA, LOUVIGNY at SRI-KL, LOVELACE at USC-ISIB,
To: LUCANIC at SRI-KL, LUCAS at USC-ISIB, DCL at SU-AI,
To: LUDLAM at UCLA-CCN, YNGVAR at SRI-KA, LYNCH at SRI-KL,
To: LYNN at USC-ISIB, MABREY at SRI-KL, MACKAY at AMES-67,
To: MADER at USC-ISIB, MAGILL at SRI-KL, KMAHONEY at BBN-TENEX,
To: MANN at USC-ISIB, ZM at SU-AI, MANNING at USC-ISI,
To: MANTIPLY at I4-TENEX, MARIN at I4-TENEX, SCRL at USC-ISI,
To: HARALD at SRI-KA, GLORIA-JEAN at UCLA-CCN, MARTIN at USC-ISIC,
To: WMARTIN at USC-ISI, GRM at RAND-UNIX, MASINTER at USC-ISI,
To: MASON at USC-ISIB, MATHIS at SRI-KL, MAYNARD at USC-ISIC,
To: MCBREARTY at SRI-KL, MCCALL at SRI-KA, MCCARTHY at SU-AI,
To: MCCLELLAND at USC-ISI, DORIS at RAND-UNIX, MCCLURG at SRI-KL,
To: JOHN at I4-TENEX, MCCREIGHT at PARC-MAXC, MCCRUMB at USC-ISI,
To: DRXTE at SRI-KA
cc: BPM at SU-AI

MCKINLEY@USC-ISIB
MMCM@SRI-KL
OT-ITS@SRI-KA
BELL@SRI-KL
MEADE@SRI-KL
MARTIN@USC-ISI
MERRILL@BBN-TENEX
METCALFE@PARC-MAXC
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
1978: The First Spammer, Gary Thuerk!
JMETZGER@USC-ISIB
MICHAEL@USC-ISIC
CMILLER@SUMEX-AIM
MILLER@USC-ISI
SCI@USC-ISI
MILLER@USC-ISIC
MITCHELL@PARC-MAXC
MITCHELL@USC-ISI
MITCHELL@SUMEX-AIM
MLM@SU-AI
JPDG@TENEXB
MOORE@USC-ISIB
WMORE@USC-ISIB
JAM@SU-AI
MORAN@PARC-MAXC
ROZ@SU-AI
MORGAN@USC-ISIB
MORRIS@PARC-MAXC
MORRIS@I4-TENEX
OT-ITS@SRI-KA
LISA@USC-ISIB
MOSHER@SRI-KL
MULHERN@USC-ISI
MUNTZ;BIN(1529)@UCLA-CCN
MYERS@USC-ISIC
MYERS@RAND-RCC
DRCPM-FF-FO@BBN-TENEXB
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
1978: The First Spammer, Gary Thuerk!
NAGEL@USC-ISIB
NAPKE@SRI-KL
NARDI@SRI-KL
NAYLOR@USC-ISIE
LOU@USC-ISIE
NESBIT@RAND-RCC
NEUMANN@SRI-KA
NEVATIA@USC-ECL
NEWBY@USC-ISI
NEWEKK@SRI-KA
NIELSON@SRI-KL
NLL@SUMEX-AIM
NILSSON@SRI-KL
NITZAN@SRI-KL
NOEL@USC-ISIC
NORMAN@PARC-MAXC
NORTON@SRI-KL
JOAN@USC-ISIB
NOURSE@SUMEX-AIM
PDG@SRI-KL
OMALLEY@SRI-KA
OCKEN@USC-ISIC
OESTREICHER@USC-ISIB
OGDEN@SRI-KA
OKINAKA@USC-ISIE
OLSON@I4-TENEX
ORNSTEIN@PARC-MAXC
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
1978: The First Spammer, Gary Thuerk!
PANKO@SRI-KL RANDALL@USC-ISIB ROTHENBERG@USC-ISIB
TED@SU-AI RANDALL@SRI-KA RUBIN@SRI-KL
PARK@SRI-KL RAPHAEL@SRI-KL JBR@SU-AI
PBARAN@USC-ISI RAPP@RAND-RCC RUBINSTEIN@BBN-TENEXD
PARKER@USC-ISIB RASMUSSEN@USC-ISIC RUDY@USC-ECL
PEARCE@USC-ISI RATTNER@SRI-KL RUGGERI@SRI-KA
PEPIN@USC-ECL RAY@ILL-NTX RULIFSON@PARC-MAXC
PERKINS@USC-ISIB FNWC@I4-TENEX DALE@USC-ISIB
PETERS@SRI-KL BRL@SRI-KL SACERDOTI@SRI-KL
AMPETERSON@USC-ISI RETZ@SRI-KL SAGALOWICZ@SRI-KL
ASLAB@USC-ISIC SKIP@USC-ISIB ALS@SU-AI
EPG-SPEC@SRI-KA RICHARDSON@USC-ISIB SANTONI@USC-ISIC
PEZDIRTZ@LLL-COMP RICHES@USC-ECL SATTERTHWAITE@PARC-MAXC
CHARLIE@I4-TENEX GWEN@USC-ECL SAWCHUK@USC-ECL
UCLA-DOC@USC-ISI OP-RIEDEL@USC-ISIB CPF-CC@USC-ISI
WPHILLIPS@USC-ISI RIES@LLL-COMP SCHELONKA@USC-ISI
PIERCY@MOFFETT-ARC RINDFLEISCH@SUMEX-AIM SCHILL@USC-ISIC
PINE@SRI-KL OP-ROBBINS@USC-ISIB SCHILLING@USC-ISI
PIPES@I4-TENEX ROBINSON@SRI-KL SCHULZ@SUMEX-AIM
PIRTLE@SRI-KL JROBINSON@SRI-KL SCOTT@SUMEX-AIM
POGGIO@USC-ISIC RODRIQUEZ@SRI-KL CPF-CC@USC-ISI
POH@USC-ISI MARTIN@USC-ISI OP-SEATON@USC-ISIB
POOL@BBN-TENEX ROM@USC-ISIC SENNE@LL
POPEK@USC-ISI ROMIEZ@I4-TENEX NORM@RAND-UNIX
POSTEL@USC-ISIB ROSE@USC-ISI AFWL@14-TENEX
POWER@SRI-KL ROSEN@SRI-KL SHEPPARD@LL-ASG
PRICE@USC-ECL BARBARA@I4-TENEX SHERWIN@USC-ISI
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
1978: The First Spammer, Gary Thuerk!
SHERWOOD@SRI-KL STEPHENS@SRI-KA TIPPIT@USC-ISIE
SHORT@SRI-KL CFD@I4-TENEX TOBAGI@USC-ISIE
SHORTLIFE@SUMEX-AIM STOCKHAM@SRI-KA TOGNETTI@SUMEX-AIM
SHOSHANI@BBN-TENEX STOTZ@USC-ISIB TORRES@SRI-KL
MARTIN@USC-ISI ALLEN@UCLA-SECURITY TOWNLEY@HARV-10
UCLA-NMC@USC-ISIE STOUTE@MIT-ML ELINA@UCLA-ATS
SDL@USC-ISIC STRADLING@SRI-KL TUCKER@SUMEX-AIM
SKOCYPEC@USC-ISI STROLLO@PARC-MAXC TUGENDER@USC-ISIB
SLES@USC-ISI UCLA-0638@UCLA-CCN LLLSRG@MIT-MC
SLOTTOW@UCLA-CCN CRT@SRI-KA UNCAPHER@USC-ISIB
NOAA@14-TENEX SUNSHINE@RAND-UNIX NOSC@SRI-KL
SMALL@USC-ISI SUTHERLAND@SRI-KL UNTULIS@SRI-KL
DAVESMITH@PARC-MAXC SUTHERLAND@RAND-UNIX MIKE@UCLA-SECURITY
DSMITH@RAND-UNIX SUTHERLAND@PARC-MAXC AARDVARK@UCLA-ATS
SMITH@SUMEX-AIM SUTTON@USC-ISIC UZGALIS;BIN(0836)@UCLA-CCN
SMITH@USC-ECL SWEER@SUMEX-AIM VANGOETHEM@UCLA-CCN
MARCIE@I4-TENEX TAFT@PARC-MAXC VANMIEROP@USC-ISIB
USARSGEUR@USC-ISI TAYLOR@USC-ISIB VANNOUHUYS@SRI-KL
LOGICON@USC-ISI TAYLOR@PARC-MAXC VEIZADES@SUMEX-AIM
EPA@SRI-KL TAYNAI@SUMEX-AIM VESECKY@USC-ISI
SONDEREGGER@USC-ISIB TEITELMAN@PARC-MAXC AV@MIT-DMS
SPEER@LL TENENBAUM@SRI-KL VICTOR@USC-ISIC
AMICON-RN@USC-ISI GREEP@RAND-UNIX VIDAL@UCLA-SECURITY
SPROULL@PARC-MAXC TERRY@SUMEX-AIM OP-VILAIN@USC-ISIB
PROJX@SRI-KL TESLER@PARC-MAXC RV@RAND-UNIX
STEF@SRI-KA THACKER@PARC-MAXC SDL@USC-ISIC
STEFIK@SUMEX-AIM PWT@RAND-UNIX VOLPE@SRI-KL
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
1978: The First Spammer, Gary Thuerk!
VONNEGUT@I4-TENEX WHITE@SUMEX-AIM
VU@SRI-KL WIEDERHOLD@SUMEX-AIM
WACTLAR@CMU-10A WILBER@SRI-KL
WAGNER@USC-ISI EPG-SPEC@SRI-KA
WAHRMAN@RAND-UNIX WILCOX@SUMEX-AIM
WALDINGER@SRI-KL WILCZYNSKI@USC-ISIB
WALKER@UCLA-SECURITY WILE@USC-ISIB
WALKER@SRI-KL OP-WILLIAMS@USC-ISIB
WALLACE@PARC-MAXC WILSON@USC-ISIB
EVE@UCLA-SECURITY TW@SU-AI
LOGICON@USC-ISI SCI@USC-ISI
DON@RAND-UNIX WISNIEWSKI@RAND-UNIX
WATSON@USC-ISIC WOLF@SRI-KL
WEIDEL@USC-ECL PAT@SU-AI
WEINBERG@SRI-KL NELC3030@USC-ISI
JLW@MIT-AI WYATT@HARV-10
LAUREN@UCLA-SECURITY LEO@USC-ISIB
WEISSMAN@I4-TENEX YEH@LLL-COMP
WELLS@USC-ISIC YONKE@USC-ISIB
GERSH@USC-ISI YOUNGBERG@SRI-KA
WETHEREL@LLL-COMP ZEGERS@SRI-KL
RWW@SU-AI ZOLOTOW@SRI-KL
SCRL@USC-ISI ZOSEL@LLL-COMP
TWHELLER@SRI-KA
MABREY@SRI-KL
WHITE@PARC-MAXC

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
1978: The First Spammer, Gary Thuerk!
DIGITAL WILL BE GIVING A PRODUCT PRESENTATION OF THE NEWEST MEMBERS OF THE
DECSYSTEM-20 FAMILY; THE DECSYSTEM-2020, 2020T, 2060, AND 2060T. THE
DECSYSTEM-20 FAMILY OF COMPUTERS HAS EVOLVED FROM THE TENEX OPERATING SYSTEM
AND THE DECSYSTEM-10 <PDP-10> COMPUTER ARCHITECTURE. BOTH THE DECSYSTEM-2060T
AND 2020T OFFER FULL ARPANET SUPPORT UNDER THE TOPS-20 OPERATING SYSTEM.
THE DECSYSTEM-2060 IS AN UPWARD EXTENSION OF THE CURRENT DECSYSTEM 2040
AND 2050 FAMILY. THE DECSYSTEM-2020 IS A NEW LOW END MEMBER OF THE
DECSYSTEM-20 FAMILY AND FULLY SOFTWARE COMPATIBLE WITH ALL OF THE OTHER
DECSYSTEM-20 MODELS.

WE INVITE YOU TO COME SEE THE 2020 AND HEAR ABOUT THE DECSYSTEM-20 FAMILY
AT THE TWO PRODUCT PRESENTATIONS WE WILL BE GIVING IN CALIFORNIA THIS
MONTH. THE LOCATIONS WILL BE:

TUESDAY, MAY 9, 1978 - 2 PM


HYATT HOUSE (NEAR THE L.A. AIRPORT)
LOS ANGELES, CA

THURSDAY, MAY 11, 1978 - 2 PM


DUNFEY'S ROYAL COACH
SAN MATEO, CA
(4 MILES SOUTH OF S.F. AIRPORT AT BAYSHORE, RT 101 AND RT 92)

A 2020 WILL BE THERE FOR YOU TO VIEW. ALSO TERMINALS ON-LINE TO OTHER
DECSYSTEM-20 SYSTEMS THROUGH THE ARPANET. IF YOU ARE UNABLE TO ATTEND,
PLEASE FEEL FREE TO CONTACT THE NEAREST DEC OFFICE
FOR MORE INFORMATION ABOUT THE EXCITING DECSYSTEM-20 FAMILY.
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
The First Anti-Spam
ON 2 MAY 78 DIGITAL EQUIPMENT CORPORATION (DEC) SENT OUT AN ARPANET
MESSAGE ADVERTISING THEIR NEW COMPUTER SYSTEMS. THIS WAS A FLAGRANT
VIOLATION OF THE USE OF ARPANET AS THE NETWORK IS TO BE USED FOR
OFFICIAL U.S. GOVERNMENT BUSINESS ONLY. APPROPRIATE ACTION IS BEING
TAKEN TO PRECLUDE ITS OCCURRENCE AGAIN.
IN ENFORCEMENT OF THIS POLICY DCA IS DEPENDENT ON THE ARPANET
SPONSORS, AND HOST AND TIP LIAISONS. IT IS IMPERATIVE YOU INFORM YOUR
USERS AND CONTRACTORS WHO ARE PROVIDED ARPANET ACCESS THE MEANING
OF THIS POLICY.
THANK YOU FOR YOUR COOPERATION.
MAJOR RAYMOND CZAHOR
CHIEF, ARPANET MANAGEMENT BRANCH, DCA

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
SMTP Design Specifics

Hop-by-hop

Store-and-forward

Always try to deliver!

7-bit ASCII

Implicit authentication

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
A Simple SMTP conversation
Connected to alln-mx-01.cisco.com.
Escape character is '^]’.
220 alln-inbound-a.cisco.com ESMTP
HELO rcub.bg.ac.rs
250 alln-inbound-a.cisco.com
MAIL FROM:<cupavi@rcub.bg.ac.rs>
250 sender <cupavi@rcub.bg.ac.rs> ok Envelope
{
RCPT TO:<dnovakov@cisco.com>
250 recipient <dnovakov@cisco.com> ok
DATA
354 go ahead {
Subject: The simplest email message
From: Dragan <cupavi@rcub.bg.ac.rs> Headers
To: Dragan Novakovic (dnovakov) <dnovakov@cisco.com>
Body
Just basic headers and a short body.
{
.
250 ok: Message 5395042 accepted
QUIT
221 alln-inbound-a.cisco.com
Connection closed by foreign host.

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Routing Email: DNS MX Records
What Are MX Records?
• DNS RR defined in RFC5321
• Defines a mailhost – an SMTP gateway – for a zone (domain or FQDN)
• Also defines a preference value (“priority”)
– Lowest-numbered mail exchangers will be contacted first
– Mail exchangers with same preference values will be contacted round-robin
• Usually, spammers will contact the highest preference mail exchanger first
• DNS MX records provide
– Failover (different preference)
– (Good enough) load balancing (same preference)

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
MX Examples
$ host -t mx cisco.com
cisco.com mail is handled by 10 alln-mx-01.cisco.com.
cisco.com mail is handled by 20 rcdn-mx-01.cisco.com.
cisco.com mail is handled by 30 aer-mx-01.cisco.com.
$ host -t mx yahoo.com
yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
$ host -t mx mtv.com
mtv.com mail is handled by 10 mail.viacom.com.
mtv.com mail is handled by 50 mailw.viacom.com.
mtv.com mail is handled by 10 mail1.viacom.com.

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Bounces: The Control Protocol of Email
What Are Bounces?
• Sender notifies recipient about different error conditions using bounces
• In essence, numeric error codes transmitted to the sender (and optionally some
text to accompany the error code)
• It is up to the recipient to take action on bounce
• Spambots usually lack capabilities to understand bounces
– Simple way for spammer detection
– Greylisting
• Bounce spam: rare but deadly
• Although it sounds compelling, bounces should never be
rejected/dropped/ignored

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Bounces By Severity
Soft Bounces Hard Bounces

421 Please Try Again Later 500 No Such User

• Temporary errors • Permanent errors


• Sender will requeue • Sender will drop the
messages and try again later message and notify sending
• Default retry period: 4 hours person via email
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Bounces By Origin
Inline (In-Conversation) Out-of-band (Delayed)
Bounces Bounces
MAIL FROM: <>
From: Mail Delivery Subsystem <MAILER-DAEMON@cisco.com>
To: <dnovakov@cisco.com>
220 alln-inbound-i.cisco.com ESMTP Subject: Returned mail: see transcript for details
EHLO rcub.bg.ac.rs
The original message was received at Wed, 19 Nov 2014
250-alln-inbound-i.cisco.com
08:42:04 -0600
250-8BITMIME from localhost.localdomain [127.0.0.1]
250-SIZE 33554432
250 STARTTLS ----The following addresses had permanent fatal errors ----
MAIL FROM: provocateur@internet.org -
<asdfg@cisco.com>
250 sender <provocateur@internet.org> ok
(reason: 550 5.1.1 <asdfg@cisco.com>... User unknown)
RCPT TO: ren.zhengfei@huawei.com
550 #5.1.0 Address rejected. ----- Transcript of session follows -----
... while talking to outbound.cisco.com.:
DATA
<<< 550 5.1.1 <asdfg@cisco.com>... User unknown
550 5.1.1 <asdfg@cisco.com>... User unknown

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Examples of Bounces

To: <dnovakov@cisco.com>
From: Mail Delivery System <MAILER-DAEMON@rcdn-
iport-2.cisco.com> 220 mx1.hc4-93.c3s2.smtpi.com ESMTP
Subject: Delivery Status Notification (Failure) EHLO rcub.rs
250-mx1.hc4-93.c3s2.smtpi.com
The following message to <mshademan@hr- 250-8BITMIME
communication.com> was undeliverable. 250-SIZE 10485760
250 STARTTLS
The reason for the problem: MAIL FROM: cupavi@rcub.bg.ac.rs
250 sender <cupavi@rcub.bg.ac.rs> ok
5.4.7 - Delivery expired (message too old) RCPT TO: dnovakov@cisco.com
'timeout’ 452 Too many recipients received this hour

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Examples of Bounces

220 mx1.hc4-93.c3s2.smtpi.com ESMTP To: <dnovakov@cisco.com>


ehlo bla From: Mail Delivery System <MAILER-DAEMON@rcdn-iport-
6.cisco.com>
250-mx1.hc4-93.c3s2.smtpi.com
Subject: Delivery Status Notification (Failure)
250-8BITMIME
250-SIZE 10485760 The following message to
250 STARTTLS <Basheer/Bahrain/GBM/NBR@d06ml300.ports.uk.ibm.com> was
mail from: spammer@spamspam.spam undeliverable.
The reason for the problem:
250 sender <spammer@spamspam.spam> ok
5.1.2 - Bad destination host 'DNS Hard Error looking up
RCPT TO: cupavi@ibm.com d06ml300.portsmouth.uk.ibm.com (MX): NXDomain'
550 #5.7.1 Your access to submit messages to
this e-mail system has been rejected.

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
The Danger of Bounces
• Bounce messages may be used to deliver spam
• Don’t fall for bounce phishing messages – bounces are a notification mechanism,
never asking for action!
• Spambots cause bounce spam with misdirected bounces
• Backscatter attack – the most profitable Email DDoS
1. Hire a botnet
2. Spoof millions of messages to non-existent recipients claiming to come from DDoS target
3. Watch their Email systems go down under the flood of bounce messages from all over the
Internet
• Effective countermeasures from all bounce-based dangers: SPF, DMARC and
BATV (all supported by Cisco Email Security Appliance and Cloud Email Security!)

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
MIME: Sending Rich Content using 7-bit
ASCII
What Is MIME?
• Multipurpose Internet Mail Extensions, defined in RFC2045-2049
• Methods to encode rich content to be transferred over 7-bit protocol (SMTP)
• Further development added support for specific content type encoding for
encrypted and signed data
• Later on, widely used in other Internet technologies: HTTP, FTP, generic data
encoding (“mime types”)

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Anatomy of An Email Message

Curt@hotmail.com

Craig Johnson

Some
Some Craig Johnson

headers
headers
Craig Johnson <Craig@mailbox.com>

Curt Von <Curt@hotmail.com>


AAtext
text
message
message
(in
(inHTML)
HTML)

AAbinary
binary
attachment
attachment
(displayed
(displayed Craig
CraigJohnson cvc
Johnson.vcf

inline)
inline) AAcouple
coupleof
of
attachments
attachments
36
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Anatomy of An Email Message (2)
From: Craig Johnson<Craig@mailbox.com>
Subject: Here is that jpeg
To: Curt Von <curt@hotmail.com>
MIME-version: 1.0 MIME multipart/mixed + Boundary_11111
Content-type: multipart/mixed; boundary="Boundary_11111"

This is a multi-part message in MIME format.


Preamble

--Boundary_11111
Content-type: multipart/alternative; MIME multipart/alternative + Boundary_22222
boundary="Boundary_22222"

--Boundary_22222
Content-type: text/plain; format=flowed; charset=us-ascii
Content-transfer-encoding: 7bit

Please let me know when you get this!


Alternative Text Part

--Boundary_22222
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html> Alternative HTML Part
...
</html>
Closing multipart/alternative (Boundary_22222)
--Boundary_22222--
Next container boundary
--Boundary_11111
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Anatomy of An Email Message
Content-type: image/jpeg; name=AV-Options.jpg
Content-transfer-encoding: base64
Content-disposition: inline;
Inline displayed image
filename=Antivirus-Options.jpg

/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRof
KACiiigAooooAKKKKACiiigAooooAKKKKACiiigD/9k=

--Boundary_11111
Content-type: text/plain; CHARSET=us-ascii; name="Craig Johnson.vcf"
Content-transfer-encoding: 7bit Text/plain vcard attachment
Content-disposition: inline; filename="Craig Johnson.vcf"

BEGIN:VCARD
VERSION:3.0
N:Johnson;Craig;;;
...
END:VCARD

--Boundary_11111-- Closing Boundary_11111

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Email Security Architecture
Flexible Deployment and Software subscription Options
On Premises Cloud

Deployment
Options
Appliance Virtual Hybrid Hybrid Cloud Managed

1, 3, 5 years – starting at 100 mailboxes monthly, quarterly, annual – starting at 100 mailboxes

Software Subscription Bundles


INBOUND OUTBOUND

Antivirus/Anti-spam Outbreak Filter DLP Encryption

PREMIUM = INBOUND + OUTBOUND

A La Carte Software
AMP, Graymail Safe-Unsubscribe, Image Analyzer, McAfee AV, Intelligent
Multi-Scan, ZIX
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Email Terms and Flow
• You send an email to a customer… how does it get there?

MTA Relay
DNS sends it to
Type and the server
send email
Internet
Groupware
LDAP Server
Groupware Processes it
Server
Processes it
• Groupware? SMTP? Customer
Relay if
MTA Relay • Relay? LDAP? receives it
sends it to
external
the customer
• MTA? DNS?

Where does all of this live?


© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Email Architecture Overview

LDAP
Server
Groupware
Server

Internet
ASA
Firewall

IPS
Cisco SMA – Ironport M Series

MTA Relay
Cisco WSA – IronPort S Series Cisco ESA - IronPort C Series

Internal Network DMZ


© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Traffic Flow Considerations
Email is simple. We want to be the:
§ First Hop In
§ Last Hop Out

Traffic flow and installation connectivity will depend on the customer’s


security policy needs.

Create an A record that maps the appliance’s hostname to its IP address, and
MX record that maps your public domain to the appliance’s hostname.

Specify a priority for the MX record to advertise the Email Security appliance
as either a primary or backup MTA for your domain.

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Appliance Design
Protected Public Interface

§ Public interface protected by firewall


Internet
§ Can filter inbound and outbound ESA traffic
§ No inside interface filtering
§ Works well in smaller accounts
Outside
interface § Unprotected inside interface can cause heartburn
Inside
interface
with security teams

Mail Server
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Appliance Design
Dual DMZ Interfaces Best
Practice

§ Both interfaces are protected by the firewall


Internet §Traffic can be buffered during an interface failure or NIC
pairing can be applied

Outside
§ Can filter and control traffic to/from the internet and
interface
to/from the internal network
Inside
interface
§ Offers protection of all resources
§ Firewall represents a possible single point of failure or
bottleneck

Mail Server
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Appliance Design
Single Interface Best
Practice

§ System protected by firewall


Internet
§ Simplifies firewall configuration for passing traffic
§ Single interface represents a “possible” traffic
bottleneck
§ Preferred and THE most common method of
installation for customers

Mail Server
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Appliance Design
Large DMZ with Dual Firewalls Best
Practice

§ System is well protected


Internet
§ Traffic can be buffered during an interface failure
§ Configure redundant firewalls for maximum uptime
Outside
interface and to reduce single points of failure

Inside
interface

Mail Server
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Separate Management Network Best
Practice

§ Meets the most stringent customer connectivity needs


Internet § Requires a larger appliance with 3 interfaces
§ Can be done in multi-firewall DMZ or with a single
Outside interface installation
interface
§ Use the route command on CLI to configure traffic
Inside
interface
flows for the 3rd interface
Management
Network Link

Mail Server
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Multiple MX Records
• The easiest and most common way to do redundancy
• Relies on the robust nature of communications on the internet.
• If one server cannot be contacted, fail over to the next on the list.
company.com MX preference = 10, mail exchanger = west.mail.company.com
company.com MX preference = 10, mail exchanger = east.mail.company.com

Internet

west.mail.company.com east.mail.company.com

West Coast
East Coast
Mail Server
Mail Server

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
High Availability
§ Use larger appliances with RAID Arrays and redundant
Internet
power supplies
§ Configure NIC teaming to help protect against network
failures
§ Use multiple appliances and MX records
L4-7 Switch
§ Appliances can be load balanced with VIPs on a L4-7 switch

Mail Server
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Clustering Appliances (Centralized Management)
• Manage a group of ESAs by making changes to one
• No Extra servers or software
• Configuration changes on one machine pushed to the other
• Can cluster up to 20 machines
• Centralized reports, message tracking and quarantining on M-Series

Internet

Cluster

West Coast East Coast


Mail Server Mail Server
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Email Pipeline
Mapping Features to Protection
Sender Connection CASE Anti-Virus File File Graymail Content Outbreak
Reputation Control (AS,GM,OF) (Sophos, McAfee) Reputation Analysis Detection Filtering Filtering

Throttling, Over 300 Control 9-12 hr lead


80-90% Multi-Verdict Block 100% of SHA based file Business and
DHAP, SPF, Behavioral marketing, time on
Block Rate scanning known viruses blocking Security Rules
DKIM, DMARC Indicators social and bulk Outbreaks

Connection Filters Spam Filter Anti-Malware Defense Marketing Filter Rules 0-day Malware

Spoof Detection URL Analysis Advanced Malware Protection (AMP) Anti-Phishing and URL Analysis

Post-Delivery Analysis & Interaction

File Data Loss Envelope Safe Web AMP Mailbox Auto


CASE Anti-Virus
Reputation Unsubscribe Remediation
(AS,GM,OF) (Sophos, McAfee) Prevention Encryption Interaction Retrospection
& Analysis

Over 300 Delete or


Outbound Block 100% of Over 140 pre- Push Based Perform unsub Track User Alerts on File
Behavioral Forward from
Spam Filters known viruses built filters Encryption for users clicks Disposition
Indicators O365

Outbound Threat Filters Outbound Data Protection Marketing URL Analysis Advanced Malware Protection (AMP)

Anti-Malware Defense

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Filtering In The Email Pipeline
SMTP SERVER WORKQUEUE SMTP CLIENT

Host Access Table (HAT) LDAP RCPT Accept (WQ) Encryption

Received Header Masquerading (Table / LDAP) Virtual Gateways

Default Domain LDAP Routing Delivery Limits

Domain Map Message Filters Received: Header

Recipient Access Table (RAT) Anti-Spam Domain-Based Limits

Alias Table Anti-Virus Domain-Based Routing

Per-Policy Scanning
LDAP RCPT Accept Advanced Malware (AMP) Global Unsubscribe

SMTP Call-Ahead Graymail, Safe Unsubscribe S/MIME Encryption

DKIM / SPF Verification Content Filtering DKIM Signing

DMARC Verification Outbreak Filtering Bounce Profiles

S/MIME Verification DLP Filtering (Outbound) Message Delivery

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
SMTP Server SMTP SERVER

Host Access Table (HAT)


• Handling the SMTP Conversation and queuing
of messages Received Header

Default Domain
• First line of defense against attacks
Domain Map

• Focus on HAT, RAT, LDAP, DKIM, SPF and Recipient Access Table (RAT)
DMARC
Alias Table

LDAP RCPT Accept

SMTP Call-Ahead

DKIM / SPF Verification

DMARC Verification

S/MIME Verification

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Workqueue WORKQUEUE

LDAP RCPT Accept (WQ)


• The workqueue is where the security inspection Masquerading (Table / LDAP)
happens on the ESA
LDAP Routing
• Each of the steps here are important to determine the
Message Filters
threat and who gets a message
Anti-Spam
• Message Splintering, filtering and threat protection are
Anti-Virus
detailed next

Per-Policy Scanning
Advanced Malware (AMP)

Graymail, Safe Unsubscribe

Content Filtering

Outbreak Filtering

DLP Filtering (Outbound)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Processing Incoming Mail (Work Queue)
REPUTATION MESSAGE
FILTERS ANTI-SPAM ANTI-VIRUS
FILTERS CONTENT
FILTERS OUTBREAK
FILTERS

ASYNCOS EMAIL PLATFORM

Filtering of
External Threats

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Processing Outgoing Mail (Work Queue)

REPUTATION
FILTERS MESSAGE
OFF FILTERS ANTI-SPAM
ANTI-VIRUS
OFF CONTENT
FILTERS OUTBREAK
FILTERS DLP
OFF Engine

ASYNCOS EMAIL PLATFORM

Enforcing Corporate
Compliance

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Per Policy Scanning

• Use policies to leverage message splintering to apply rule and scanning as required
• Top down / first match wins, order is very important

62

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
63

SMTP Client flow SMTP CLIENT

Encryption

• SMTP Client is responsible for message Virtual Gateways

stamping and delivery Delivery Limits

• Controlling delivery is important to ensure Received: Header

reputation on internet is maintained Domain-Based Limits

• Queueing and bounce controls are handled Domain-Based Routing


during the client phase Global Unsubscribe

S/MIME Encryption

DKIM Signing

Bounce Profiles

Message Delivery

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Email Security Integration with Threat Intelligence
Built on Outstanding Collective Security Analytics from Cisco Talos

Cisco
100I II0I III00II 0II00II I0I000 0II0 00
I00I III0I III00II 0II00II I0I000 0110 00
Sourcefire, Cognitve,
Cisco10I000
®
101000 0II0 00 0III000 III0I00II II II0000I II0
0II0 00 0III000 II1010011 101 1100001 110
110000III000III0 I00I II0I III0011 0110011 Talos
101000 0110 00 OpenDNS, ThreatGrid
1100001110001III0 I00I II0I III00II 0II00II 101000 0110 00

WWW
§ 180,000+ File Samples per
Email Endpoints Web Networks IPS Devices
Day
1.6 million 35% § Cisco® AMP Community
global sensors worldwide email § Advanced Microsoft
traffic
and Industry Disclosures
100 TB § Snort and ClamAV Open
of data received per 13 billion
day web requests Source Communities
§ Honeypots
150 million+ § Sourcefire AEGIS™
24x7x365 Cisco ESA
deployed endpoints
operations
Program
§ Private and Public Threat
600+ Feeds
engineers, technicians,
40+
and researchers languages § Dynamic Analysis

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Understanding Email Reputation
• Breadth and quality of
Complaint IP Blacklists Geo-Location data makes the
Spam Traps
Reports and Whitelists data difference

• Real-time insight into


Message Website this data that allows us
Compromised
Composition Composition Host Data to see threats before
Host Lists
Data Data anyone else in the
industry to protect our
customers
Domain
Global Volume
Blacklist and Other Data DNS Data
Data
Safelists

IP Reputation Score

-10 0 +10

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Email Reputation Efficiency
Threat Intelligence
§ Over 1.6 million global devices
§ Historical library of 40,000 threats
§ 35% of global email traffic seen per day
§ 13 billion+ worldwide web requests seen per
day
§ 200+ parameters tracked
§ Multivector visibility

Benefits
§ Automated updates delivered to Cisco security
devices every 3–5 minutes
§ 8M+ Rules per day

§ Understanding of vulnerabilities and exploit


technologies IP Reputation Score

-10 0 +10
§ Visibility into highest threat vehicles
§ Latest attack trends and techniques © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why is Telemetry important
• Provides Talos insight on targeted attacks
• Hidden CLI command to give more details to Talos - "fullsenderbaseconfig"

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
What is sent to Talos?
Item Sample Data
Message count at various stages within the appliance Seen by Anti-Virus engine: 100
Seen by Anti-Spam engine: 80
Sum of Anti-Spam and Anti-Virus scores and verdicts 2,000 (sum of anti-spam scores for all messages seen)
Number of messages hitting different Anti-Spam and Anti-Virus rule 100 messages hit rules A and B

When enabled, the Context


combinations 50 messages hit rule A only
• Number of Connections 20 SMTP Connections

Adaptive Scanning Engine (CASE) Number of Total and Invalid Recipients 50 total recipients
10 invalid recipients

is used to collect and report the


Hashed Filename(s): (a) A file <one-way-hash>.pif was found
inside an archive attachment called
<one-way-hash>.zip.

data (regardless of whether or not Obfuscated Filename(s): (b)


URL Hostname (c)
A file aaaaaaa0.aaa.pif was found inside a file aaaaaaa.zip.
There was a link found inside a message to www.domain.com

Cisco anti-spam scanning is Obfuscated URL Path (d) There was a link found inside a message to hostname www.domain.com, and
had path aaa000aa/aa00aaa.

enabled) Number of Messages by Spam and Virus Scanning Results 10 Spam Positive
10 Spam Negative
5 Spam Suspect
4 Virus Positive
16 Virus Negative

• The data is summarized information Number of messages by different Anti-Spam and Anti-Virus verdicts
5 Virus Unscannable

500 spam, 300 ham

on message attributes and Count of Messages in Size Ranges 125 in 30K-35K range

information on how different types Count of different extension types


Correlation of attachment types, true file type, and container type
300 “.exe” attachments
100 attachments that have a “.doc” extension but are actually “.exe”

of messages were handled by Correlation of extension and true file type with attachment size
50 attachments are “.exe” extensions within a zip
30 attachments were “.exe” within the 50-55K range

Cisco appliances. We do not collect Number of attached files uploaded to the file reputation service (AMP
cloud)
1110 files were uploaded to the file reputation service

the full body of the message Verdicts on files uploaded to the file reputation service (AMP cloud) 10 files were found to be malicious
100 files were found to be clean
1000 files were unknown to the reputation service
Reputation score of files uploaded to the file reputation service (AMP 50 files had a reputation score of 37
cloud) 50 files had a reputation score of 57
1 file had a reputation score of 61
9 files had a reputation score of 99
Names of files uploaded to the file reputation service (AMP cloud) example.pdf
testfile.doc
Names of malware threats detected by the file reputation service (AMP Trojan-Test
cloud)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
What is Reputation Security?
• Reputation Security delivers a numeric score about an object, which allows a
security device to take a policy-based action.
• Reputation is built on three things:
• Our own assessment (e.g., using TALOS data)
• Assessment by trusted 3rd parties
• Sophisticated models that produce a score in real-time

Cisco Talos
IP Address Reputation
23.24.19.29 -3
-10 -5 0 +5 +10

Black List Suspect Unknown

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Host Access Table Structure
• HATs are associated per listener, defined as being Public or Private. Once a listener is defined they
cannot be changed.
• IPs and Hosts are evaluated in the HAT Top Down, First Match
• SenderGroups are containers that define the policy based on match
• Inclusion into a SenderGroup is defined by Reputation Score, DNS, or explicit match

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
SenderGroup Options
• SenderBase score can be attached to the
SenderGroups, ensure that the neutral
and no score ranges are addressed
• Within the settings you define the Name,
Mail Flow Policy
• Nomenclature is important as it will be
displayed in logs and reports
• SBRS scores can be assigned to the
group
• RBLs can be leveraged if required.

Thu Jun 9 13:40:34 2016 Info: New SMTP ICID 8 interface Management (10.10.10.90) address 94.46.249.12
Thu Jun 9 13:40:34 2016 Info: ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1
Thu Jun 9 13:40:34 2016 Info: Start MID 410 ICID 8

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Customizing Reputation on the ESA
Default Settings: Moderate Blocking

• Reputation Score determined


when connection initiated
Custom Settings: Aggressive Throttling
• Sender Groups and actions are
defined by the administrator
• Reputation can block 80-90%
connections on the ESA

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Separating Non-Business Critical Mail

11.0
New in

• By explicitly adding hosts, IPs and Countries to a SenderGroup we can force desired
connection behavior
• Idea here is to limit the attack surface by throttling or blocking non critical emails

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
MailFlow policies: Host vs Sender Throttling
• By default the only MFP that
has any Host limiting is the
throttle policy
• By default, there are no
Envelope Sender Limits set on
the ESA
• It is recommended to use
Sender Limits in suspect
ranges

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
MailFlow policies: Security Settings
• DHAP is set high on the ESA, recommend to tune it to be lower on suspect
ranges
• SMTP Call-Ahead and LDAP enhances DHAP by performing rejection in
conservation

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
MailFlow policies: Security Settings
• TLS Settings are not by default for incoming or outgoing mail
• Three levels of checking, preferred can be set on the default mail flow policy
• Mandatory can be setup as a list or as it’s own SenderGroup

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Reputation + Sender Groups + Mail Flow Policies
Check Access Mail Flow
Concurrent Connection Reputation Query SBRS to HAT Mapping
START TCP_REFUSE -> REJECT Policy
Limit Check
Host Access

RAT
HELO \ Concurrent Connection Check Access
Reputation Query SBRS to HAT Mapping TCP_REFUSE -> REJECT
EHLO Limit Check

MAIL Max Messages per Envelope Sender


FROM TLS / SMTPAUTH
connection verification

RCPT Rate Limiting


TO Delayed Reject RAT Check (max recipients per hr, etc)

Accept and
DMARC mark values for
DATA SPF Check DKIM Data Size, Subject size
AS, AV,
S/MIME

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Sample HAT Worksheet
• Sample Host Access
Table and Mail Flow
policy sheet to help
create a layout /
strategy for connection
control
• Pre-populated with
sample values, modify
as you see fit

https://cisco.box.com/s/vd7d2p7i8k61v9zzc6k3gv7v7e8vj0zn

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Per Policy Scanning
• Top down / first match wins, order is very important

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
Policy Match Conditions
• Complex conditions inside a policy using
AND/OR/NOT
• Multiple conditions can be used inside the
same policy
• Move your logic from the filter into the policy
and reduce resource consumption
• After upgrading to 10.0 , when you match a
message to a mail policy, the envelope sender
and the envelope recipient have a higher
priority over the sender header.

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Policy Engine And Splintering
• If a single message matches multiple policies, it will be splintered
• Splintering only occurs if multiple policies are matched
MAIL FROM: bob@domain.com
RCPT TO: joe@remote.org MAIL FROM: bob@domain.com
RCPT TO: joe@remote.org
WORKQUEUE
SMTP CLIENT
Anti-Spam
Encryption
MAIL FROM: bob@domain.com
Anti-Virus Virtual Gateways
RCPT TO: joe@remote.org

Per-Policy Scanning
MAIL FROM: bob@domain.com RCPT TO: jane@remote.org Advanced Malware (AMP) Delivery Limits
RCPT TO: joe@remote.org
Graymail, Safe Unsubscribe Received: Header
RCPT TO: jane@remote.org
WORKQUEUE Content Filtering Domain-Based Limits

SMTP SERVER Outbreak Filtering


Domain-Based Routing


LDAP RCPT Accept (WQ) DLP Filtering (Outbound)

Host Access Table (HAT)


Masquerading (Table / LDAP) MAIL FROM: bob@domain.com
Recipient Access Table (RAT) RCPT TO: jane@remote.org MAIL FROM: bob@domain.com
RCPT TO: jane@remote.org
LDAP Routing WORKQUEUE
SMTP CLIENT

… Anti-Spam Encryption
Anti-Virus
Message Filters Virtual Gateways

Per-Policy Scanning
Advanced Malware (AMP) Delivery Limits

Graymail, Safe Unsubscribe Received: Header

Content Filtering Domain-Based Limits

Domain-Based Routing
Outbreak Filtering

DLP Filtering (Outbound)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Using Policies vs Dictionaries
• Customers often use
Dictionaries to match senders /
recipients for BlockLists / Allow
Lists
• By applying a block via content
filter + dictionary causes all
messages to be scanned, thus
using more resources
• Using Policies to splinter and
apply actions quickly

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
Cisco ESA Antispam
Understanding CASE
• CASE stands for Context Adaptive Scanning
Engine
• CASE is the combination of the Anti-Spam, IPAS Interim Verdict Final Verdict
Graymail and Outbreak engines
• Each engine can provide a verdict and
depending on the action of the engine will

CASE
either pass or drop the message GrayMail Interim Verdict

• A non-final action (i.e Quarantine) will allow a


message to continue to process down the
workqueue. Threat
Outbreak Interim Verdict
• A final action such as drop will cause an Filtering
“early exit” condition
• Other scanning blades may take precedence
if another engine determines a positive
condition

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Antispam Processing
Defense in Depth
Cisco
Intelligent multiscan (IMS) Anti-
spam
Engine

Cisco
Anti-
What spam
Anti-
spam
Engine B
Engine

Anti-
spam
When
SBRS Who
Cisco
Engine
(Future)

Anti-Spam
Powered by Mail Policies
Cisco® § Normal mail is
Where How
spam filtered
Incoming mail § Suspicious emails
good, bad, and are rate limited and
unknown email spam filtered

Whitelist is spam filtered

Known bad email is § URL reputation and context


blocked before used in scoring
entering the network § > 99% catch rate
§ < 1 in 1 million false positives

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Spam Analysis by CASE
HOW?
•Message leaves trace of
spamware tool WHO?

WHAT?
• IP address recently
started sending email
• All text inside an image • Message originated
• Random dots appear from dial-up IP address
within the message • Sending IP address
• Nearly identical color located in regions known
scheme in 100,000s for attack.
spamtrap msgs

WHERE?
WWW.FASTMONEY.COM
Verdict

Positive Spam >90


Suspect Spam >50
Clean Message < = 49

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Anti-Spam Scanning
• You can adjust the thresholds
for Suspect / Positive spam to
increase or decrease sensitivity
• Don’t do it, unless you really
have to
• As we tune spam rules, we use
the default thresholds as a
baseline, so this may result in
undesired results

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Enable and Tune CASE engines

Enable Antispam – and if possible (based on


hardware) increase scanning thresholds to 1M for
always scan, 2M for never to scan more

Enable Graymail – it’s a free engine which helps


with Anti-Spam efficacy. Introduced in 9.5 so
upgrade!

Enable Threat Outbreak Filters – and if possible


(based on hardware) increase scan size to 1M

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
Why scan size matters
• Chart from Talos shows the volume
of spam in large message sizes is
small compared to spam overall
• Most spam is actually quite small
• However, by not increasing scan
size you could be giving larger
spam a free pass
• Majority of spam captured in the
512KB and 896KB region, capture
plateaus around 1.3MB

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
Graymail - Marketing Message Detection
EDITOR'S CORNER
Securing The Web Anticipation

Gateway In The World Of


Big changes are happening at
Websense, and as a loyal subscriber

Web 2.0
to our newsletter,
WebsenseConnect, I want to share
Does Web 2.0 have legitimate business applications? If so, how can business the news with you first. Think you
take advantage of its unique capabilities? In this Q&A, Gene Hodges, CEO of know Websense? If you've been a
Websense, shares his insights on the risks, rewards, and future of Web 2.0 and Websense (or SurfControl) customer
the secure Web gateway. for years, be prepared for a big
MOREsurprise—we are way more than
BUSINESS FOCUS APPLICATION FOCUS
Web security.
Business Blogs, Vapid Web 2.0 Ready for MORE
or Vital? Prime Time? QUICK LINKS
PRODUCT TIP OF THE MONTH
With 40,000 new blogs cropping up Web 2.0 makes many promises, but
CUSTOMER TRAINING
every day, it begs the question—is there managers are stumped about how to use EVENTS
a business benefit to blogging? And with it to drive growth and profits. With SUPPORT
the blogosphere already inconceivably companies like Google, IBM, and Adobe WEBSENSE NEWS
immense, how can one company stand creating software for commercial use ofSUCCESS STORY
out? Learn how enterprises such as Furniture Seller
Web 2.0, businesses are poised to make
General Motors have made their mark, the leap. Learn more about the new Tables Threats
and how you can too, in this applications and how your business can
Furniture retailer WS Badcock
BusinessWeek story about social media get up to speed in this ChannelWeb Corporation is taking aggressive
and business. review. measures against emerging Internet
MORE MORE
threats. Awarethat current attacks
LATEST NEWS
are focused on secretly stealing
OLYMPIANS CONNECT WI TH FANS THROUGH BLOGS
information rather than the highly
visible and public "bring down the
ACQUISITION HELPS READY INTERNET SECURI TY SOFTWARE FIRM FOR WEB 2.0 network" attacks, the company
selected Websense Email Security
THE 2008 SUMMER OLYMPICS: THE MOST DIGITAL OF ALL because of its ability to stop spam
and viruses and prevent confidential
information from leaving the
MANAGING ACCESS TO FACEBOOK: A GOOD IDEA?
organization through email.

Privacy Policy
At Buy.com, your
privacy is a top priority.
Please read our privacy
policy details.

X All information collected
from you will be shared
with Buy.com and its
affiliate companies.

§ Not Spam, because of tacit opt-in and working opt-out

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Graymail management

Quarantine
Threat Defense Security Graymail Detection • Whitelist – Allow Sender
• Blacklist – Block Sender
• Release – Safe unsubscribe

Add Safe Unsubscribe Link


Verdict

Reputation Anti-virus Social


Filter Bulk Marketing Request
Network
Advanced
Anti-spam Malware
Block
Protection

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enable Graymail Scanning

• Graymail has 2 components:


Detection and Unsubscribe
• Graymail Detection is included
• It comes as part of the base email
subscription license
• The graymail engine will provide
verdicts to IPAS (final decision),
which leads to a better overall email
efficacy

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Graymail monitoring

• Separate categories for:


• Marketing
• Social Networking
• Bulk messages

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
Using Graymail and Outlook Junk Folders
• 2 steps: Mark x-header in Graymail, Filter in Exchange to set the SCL value

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Graymail Unsubscribe
• Graymail Unsubscribe is an additional
license
• It provides protection against malicious
threats masquerading as unsubscribe
links
• A uniform interface for all subscription
management to end-users
• Better visibility to the email
administrators and end-users into such
emails

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
Graymail Unsubscribe
• Malware agents using
Unsubscribe to deliver
payload

• Add-on license to ESA


provides unsubscribe
detection and validation

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
End User Experience

Click-time check
End-user clicks of the rewritten Cisco executes
on the rewritten link. If found un-subscription
unsubscription safe redirect to on behalf of the
link in the banner Un-Subscribe end-user
service

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco ESA Anti-Virus
Anti-Virus Overview
§ IronPort supports multiple anti-virus engines
§ Choose to enable Sophos and/or McAfee anti-virus engines to scan for virus in
the work queue
§ Sophos and McAfee Anti-Virus provide a virus detection engine that scans files
for viruses, Trojan horses, and worms.

REPUTATION MESSAGE
FILTERS ANTI-SPAM ANTI-VIRUS
FILTERS CONTENT
FILTERS OUTBREAK
FILTERS

ASYNCOS™ MTA PLATFORM

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Block known viruses

• Sophos comes bundled with the licenses, enable and


block known viruses
• Encrypted => Password Protected, Signed
• Unscannable => Too large to scan, malformed
• Do you still repair? Most customers today do not have
the repair option enabled for virus infected messages.
• 10.0.1 introduces new Sophos CxMail engine

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
Configuring Anti-Virus Behavior on a Mail Policy
• Mail Policies > Incoming Mail Policies > AV link in Mail Policy

Click link to edit policy

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Configuring Anti-Virus Settings Page
Mail Policies > Incoming Mail Policies > AV link in Mail Policy

Enable AV for Mail Policy


Choose scan
behavior when a
virus is found –
Scan, or
Scan and Repair

When attachments are


dropped, the rest is delivered –
usually producing spam of
another sort

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Configuring Anti-Virus Settings Page (cont’d)

For both Encrypted


and Unscannable,
you can’t be sure
the message is
clean

Advanced
settings let you
provide custom
headers for mail
agents to sort on,
or redirect a
message

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Advanced Malware Protection (AMP)
Enabling AMP

• AMP is an additional license on the ESA and CES


• 4 components to AMP:
• File Reputation
• File Analysis
• File Retrospection
• Mailbox Auto Remediation (v10+)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
How AMP works
File Reputation

File Reputation Query


AMP Connector AMP Cloud Retrospective
Retrospective Heartbeat
pull of
Local Cache
malicious
SBRS emails via API
Disposition Query
CASE Update the Cache with
call to O365
AV Pre-Classification disposition value
AMP feedback
loop only for
Sandbox connector Qualified File, upload Malicious
for Sandboxing Files
O365
Email Security Appliance / VM / Cloud
Local AV Scanners
Mailbox Auto
TG Pre-
Class
Cisco TG Remediation
Sandboxing

File Analysis

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
AMP File Analysis – Check your file types and settings!

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
AMP File Analysis – 11.1 increases file types

• 11.1 provides parity with


ThreatGrid file support
• New Pre-Classification
engine allows for additional
file types to be supported for
Analysis
• Pre-classification in the cloud
allows for greater intelligence
on files to be gathered
• Must be enabled after
upgrade

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
AMP Dynamic Quarantine

• Use the quarantine to delay files and wait for


analysis results
• Typically file results are returned in under 10
minutes, default setting is to wait up to 1 hr
before releasing

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
AMP Retrospection Alerts
2 styles of alerts now generated by AMP for retrospective events:
Change in disposition, message not delivered Change in disposition and message delivered
The Info message is: The Info message is:

Retrospective verdict received. Retrospective verdict received for NEW SAMPLE ORDER 1.doc.
SHA256: 7c48eb3b1fea5705fc70539f2a0539a3be794d6b70408a31c9ea461855657cd0
SHA256: ce49d65659304dcb7ae63182e17aa4b6f09740caaf77f1565a682bd2bb4e2bf4
Timestamp: 2016-09-19T19:39:13Z
Verdict: MALICIOUS Timestamp: 2016-09-19T19:39:12Z
Reputation Score: 0 Verdict: MALICIOUS
Spyname: W32.Auto:7c48eb3b1f.in05.Talos Reputation Score: 0
Spyname: RTF.CE49D65659.agent.tht.Talos
Version: 10.0.0-124
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Total users affected: 1
Timestamp: 19 Sep 2016 14:39:13 -0500
----------- Affected Messages ---------------

Message 1
MID : 20045
Subject : Sample Pictures and Letter of Intent as shown on attached files (3)
From : alfredo@comerquim.com.ec
Bcc : LAURA.LEWIS@somecustomername.com
Suppress non- File name : NEW SAMPLE ORDER 1.doc
delivered retro Parent SHA256 : ,
alerts in 11.1 Parent File name : ,
Date : 2016-09-19T05:35:48Z

---------------------------------------------------

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 112
Mailbox Auto Remediation

PIF PIF
1. Attachments are analyzed for
2
Malicious content
2. An attachment disposition is
XLS XLS

DOC EXE DOC EXE DOC

SCR Cisco Email Security SCR


unknown and released to the end
PDF PDF user
1 3 4 x
DOC
3. A retrospective event occurs and
the file is now deemed malicious
4. An automated API call is made to
Azure and the message can be
forwarded or deleted from the end
users inbox
Cisco ThreatGrid

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 113
Configuration of Mailbox Remediation
Step 1: Create Azure Web Application in your tenant Step 2: Link Application to ESAs / CES

Step 3: Set Policy for Remediation

https://www.cisco.com/c/dam/en/us/products/collateral/security/email-security-appliance/guide-c07-738370.pdf

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 114
AMP on ESA in action

• Real Life example:


• 9500 users organization
• ESA for Email Security
• AMP license activated for eval
• AMP Threat Grid appliance for
sandboxing
• On ESA AMP works after
Reputation Filtering, AS and AV

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Message and Content Filters
Filtering In The Email Pipeline
SMTP SERVER WORKQUEUE SMTP CLIENT

Host Access Table (HAT) LDAP RCPT Accept (WQ) Encryption

Received Header Masquerading (Table / LDAP) Virtual Gateways

Default Domain LDAP Routing Delivery Limits

Domain Map Message Filters Received: Header

Recipient Access Table (RAT) Anti-Spam Domain-Based Limits

Alias Table Anti-Virus Domain-Based Routing

Per-Policy Scanning
LDAP RCPT Accept Advanced Malware (AMP) Global Unsubscribe

SMTP Call-Ahead Graymail, Safe Unsubscribe S/MIME Encryption

DKIM / SPF Verification Content Filtering DKIM Signing

DMARC Verification Outbreak Filtering Bounce Profiles

S/MIME Verification DLP Filtering (Outbound) Message Delivery

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Filtering In The Email Pipeline
WORKQUEUE

LDAP RCPT Accept (WQ)

Masquerading (Table / LDAP)

LDAP Routing

Message Filters Message Filters

Anti-Spam

Anti-Virus

Per-Policy Scanning
Advanced Malware (AMP)

Graymail, Safe Unsubscribe

Content Filtering Content Filtering

Outbreak Filtering

DLP Filtering (Outbound)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
119
Message Filters

myFilter:
if (body-contains('word',1)) AND \
(attachment-filetype == 'Document') {
quarantine('Policy');
}

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Content Filters … Are Just Glorified Message Filters!

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Content Filters

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Message Filter Basics
Message Filter Syntax
Condition(s) Logical Operator(s)

Name myFilter:
if (body-contains('word',1)) AND \
(attachment-filetype == 'Document') {
quarantine('Policy');
}

Action(s)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 123
Filter Conditions
• Can be combined using AND, OR, NOT
• != equals NOT if condition result can be evaluated
• (not (attachment-filetype == 'Document’)) equals (attachment-filetype != 'Document’)
• Mostly support regular expressions
• Least expensive conditions evaluated first
• Unneeded tests are not evaluated
• Inactive filters are evaluated!

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Filter Actions
• Executed in order specified
• Final actions: skip-filters, drop, bounce, encrypt, smime-gateway
• Just exit message filters and continue down the pipeline (except drop)
• All filter actions across all matching filters are cumulative
• If a message matches multiple filters which execute the same action, only the last
specified actions is executed WORKQUEUE

LDAP RCPT Accept (WQ)


Masquerading (Table / LDAP)
LDAP Routing
Message Filters
Anti-Spam
Anti-Virus

Per-Policy Scanning
Advanced Malware (AMP)
Graymail, Safe Unsubscribe
Content Filtering
Outbreak Filtering
DLP Filtering (Outbound)
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Action Variables
$RemoteIP $MID $filenames $Date

$remotehost $EnvelopeFrom $filesizes $Timestamp

$Reputation $EnvelopeRecipients $filetypes $Time

$RecvInt $Subject $FilterName $GMTTimeStamp

$RecvListener $BodySize $MatchedContent $Hostname

$Group $AllHeaders $dropped_filename

$Policy $Header['string'] $dropped_filenames

$CertificateSigners $dropped_filetypes

Can be used in bcc(), bcc-scan(), notify(), notify-copy(), add-footer(), add-heading(),


log-entry(), insert-header() and edit-header-text().

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Dangers
of Message Filtering
128

Perils of Message Filtering


• Message Filters apply to entire mail flow (incoming AND outgoing)
• All Message Filters are evaluated for all messages
MAIL FROM: bob@domain.com
RCPT TO: joe@remote.org MAIL FROM: bob@domain.com

Message Filters occur before Splintering!


RCPT TO: joe@remote.org
• WORKQUEUE
SMTP CLIENT
Anti-Spam
Encryption
MAIL FROM: bob@domain.com
Anti-Virus Virtual Gateways
RCPT TO: joe@remote.org

Per-Policy Scanning
MAIL FROM: bob@domain.com RCPT TO: jane@remote.org Advanced Malware (AMP) Delivery Limits
RCPT TO: joe@remote.org
Graymail, Safe Unsubscribe Received: Header
RCPT TO: jane@remote.org
WORKQUEUE Content Filtering Domain-Based Limits

SMTP SERVER Outbreak Filtering


Domain-Based Routing


LDAP RCPT Accept (WQ) DLP Filtering (Outbound)

Host Access Table (HAT)


Masquerading (Table / LDAP) MAIL FROM: bob@domain.com
Recipient Access Table (RAT) RCPT TO: jane@remote.org MAIL FROM: bob@domain.com
RCPT TO: jane@remote.org
LDAP Routing WORKQUEUE
SMTP CLIENT

… Anti-Spam Encryption
Anti-Virus
Message Filters Virtual Gateways

Per-Policy Scanning
Advanced Malware (AMP) Delivery Limits

Graymail, Safe Unsubscribe Received: Header

Content Filtering Domain-Based Limits

Domain-Based Routing
Outbreak Filtering

DLP Filtering (Outbound)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
129
Perils of Message Filtering
devNoExe:
if (rcpt-to-group==“Development”) {
drop-attachments-by-filetype(“Executable”);
};
salesNoHTML:
if (rcpt-to-group==“Sales”) {
html-convert();
};

• What happens if a message is sent to two people:


One in Sales group, and one in Development?
• What happens if they are in Development and Management?
• What happens if LDAP server is unavailable?

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
130

Stuff You Can’t Look For With Content Filters


sendergroup() attachment-binary-contains()
recv-int() workqueue-count()
random() dnslist()
rcpt-count() smtp-auth-id-matches()
addr-count() valid()
attachment_size() signed()
every-attachment-contains() header-repeats()

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
131

Stuff You Can Look For Better With Message Filters


• spf-status() with Message Filters allows to check separate posture for
• HELO SPF identity - spf-status(“helo”)
• MAIL FROM identity - spf-status(“mailfrom”)
• PRA identity - spf-status(“pra”)

• spf-passed() - faster than spf-status, but less granular


• Naturally, multiple “and” and “or” conditions make rule creation much more
flexible

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
132

Stuff Exclusive to Content Filters


• Check DKIM verification results

• Workaround: Match contents of Authentication-Result header!

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
133

Stuff Exclusive to Content Filters (2)


• Match attachment filename
from a dictionary

• Workaround: Insert a header with $Filenames, use header-dictionary-


match()

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
134

Stuff Exclusive to Content Filters (3)


• Skip DKIM Signing

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
135

Actions You Can’t Take With Content Filters


no-op() skip-spamcheck()
archive() skip-marketingcheck()
bcc() skip-socialcheck()
edit-body-text() skip-bulkcheck()
html-convert() skip-viruscheck()
bounce-profile() skip-ampcheck()
skip-vofcheck()

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Content Filters
REPUTATION
FILTERS MESSAGE
OFF FILTERS ANTI-SPAM
ANTI-VIRUS CONTENT
OFF
FILTERS RSA
OUTBREAK
FILTERS
DLP
OFF Engine

Actions You Can Take


•Quarantine message (or a copy)
Things You Can Look for
•Send copy to (bcc)
•Message Body or Attachments
•Notify someone
•Message Body
•Strip attachments by type
•Message Size
•Redirect message
•Attachment Content
•Insert or Strip a header
•Attachment File Info
•Add footer
•Attachment Protected
•Skip Outbreak Filter processing
•Subject Header
AND •Other Header
•Bounce message, or •Envelope Sender
•Drop message, or •Envelope Recipient
•Skip remaining content filters •Receiving Listener
•Encrypt and Deliver •Remote IP
•Reputation Score
•DKIM Authentication
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Start By Creating a Content Filter

Remember - you get another set of


policies and content filters for incoming
mail

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
2. Select the Conditions and Actions Conditions:
Message Body
-- Subject Header
-- Other Header
Attachment
Attachment File Type
(fingerprint)
Attachment Name
Attachment MIME Type
Envelope Sender
Envelope Recipient

Text comparisons:
Contains
Does not contain
Equals
Does not equal
Begins with
Does not begin with
Ends with
Does not end with
… plus a whole lot of
Multiple conditions can be combined Exists
Attachment matching
- either AND or OR choices… and more!

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
3. Apply the Content Filter to a Mail Policy
1

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
4. Test with the Trace Tool

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Block the unwanted file types
• Within either a content or message filter
an organization can define how to handle
attachments on a per policy basis.
• Commonly customers will create a content
filter to block unwanted file types
• Using the predefined libraries simplifies
the process
• The system will detect changed
extensions or attempts to hide files within
multiple zip levels in order to evade file
blocking

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 141
Blocking early in the pipeline
• If files are being outright dropped (i.e Executables) then doing it WORKQUEUE
earlier in the pipeline would save on AV, AMP and OF cycles
LDAP RCPT Accept (WQ)

strip_all_exes: if (true) { Masquerading (Table / LDAP)


drop-attachments-by-filetype ('Executable', “Removed attachment:
$dropped_filename”);} LDAP Routing

Message Filters
• A non-final action such as quarantine will allow the file to continue
processing the file and any other verdict will apply Anti-Spam

Anti-Virus

Per-Policy Scanning
Advanced Malware (AMP)

Graymail, Safe Unsubscribe

Content Filtering

Outbreak Filtering

DLP Filtering (Outbound)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 142
Macro Detection (Version 10.0.2+)
Macro enabled document detection allows the
Email Administrator set Message or Content Filters
policies for email attachments containing macros or
scripts and take the actions of:
• Quarantine the message
• Strip the attachment
• Strip the attachment and add notification text to
the message body
• Modify the subject
• Add header
• Forward to another address

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 143
Combine factors for effective blocking
• X-headers that were stamped
• Verdicts from other engines
• Reputation Score of the Sender
• Reputation score of the URL
• Geo-location
• Etc..

• Use a combination of source and content to create security rules that fit your organizations security
posture
• Can be done inside a message or content filter
• Combine actions to quarantine and notify or send the message without the attachment to user

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 144
Outbreak Filters
Outbreak Filters Overview
• Outbreak Filters Use the three points of defending against phishing attacks:
• Targeted attack Heuristics
• Dynamic Quarantine Capability
• URL filtering with Cloud web redirection

• The Traditional method of comparing incoming messages to published Outbreak


Filter rules to detect new virus outbreaks.
REPUTATION MESSAGE
FILTERS ANTI-SPAM ANTI-VIRUS:
FILTERS CONTENT
McAfee FILTERS
Sophos OUTBREAK
AMP FILTERS

ASYNCOS™ Email PLATFORM

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Outbreak Filtering

• Think of Outbreak Filters as your safety net – the catch all


• 2 levels of scanning
• By default the ESA has only viral threat detection enabled

147

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enabling Virus Outbreak Filters

• VOF is enabled by default


and provides a dynamic
quarantine (also called
DELAY quarantine) and
based on rules can continue
to hold or release back
though AV and AMP for
additional scans

http://www.senderbase.org/static/malware/#tab=0

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 148
LDAP Recipient Acceptance
(Work Queue time)

Taking Action with Virus Outbreak Filter Masquerading or


LDAP Masquerading

LDAP Routing

Talos Message Filters

Anti-Spam

Per-Policy Scanning
Anti-Virus

Content Filters

VirusVirus
Outbreak Filter
Outbreak Filters

“I normally see Outbreak Filters


Work Queue

10 .pif files per hour” apply SenderBase


Got threat level 1 Low
“I see 90% increase
it information to
in .pif files” 2 Low / Med
incoming mail
3 Med

Watch 4 High
out for
.pif files” 5 Extreme

Threat =
3
Calculate
change in threat
level SenderBase data collection allows statistical
analysis to spot virus outbreak trends - on average
13 hours before the signature is released!

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Working with Virus Outbreak Filter Updates

Outbreak Filter
V3R
: Zu
R
RIP
le
uu(.le Quarantine
le
V
E1X
V
V:E42Q
),::5ID
uZ0aIP
<E
rsa(iz
n
#
.E
e1
ti<1
n57eE5)r,n
X Z,>
eIP
ale
3m(a6.E
esK=eX
*spEri)ce*
B
Sophos McAfee Virus Outbreak
AMP Filters

Anti-Virus 7
t t er n #11
Pa

Message passes through Anti-Virus because it did not match a signature.

Talos releases RULE-V1 raising threat level for all ZIP files containing .EXE parts. Message
hits Outbreak Filters and is quarantined.
Talos releases RULE-V2, matching only ZIP files with .EXE parts that are larger than 36KB.
Any message quarantined by RULE-V1 but not by RULE-V2 is released and delivered.

Talos releases RULE-V3, matching ZIP files with .EXE parts that are between 50 & 55KB with
“price” in the filename match. Any message quarantined by RULE-V2 but not by RULE-V3 is
released and delivered.
Sophos & McAfee release patterns matching virus. Talos releases RULE-V4, directing all files
to be released (and rescanned) after rule updates are loaded.

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Benefits of Virus Outbreak Filters
• Provides a significant catch
rate for outbreaks over
traditional scanning engines
as it provides the “human”
element after signature,
heuristics and hash based
scanning
• On average it provides a 9+
hr lead time over AV
engines for 0-day Outbreaks

https://www.talosintelligence.com/reputation_center/malware_rep#mal-outbreaks

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 151
Threat Outbreak Filters

• Enable Threat Outbreak Filters


(not enabled by default) by
enabling Message Modification
• URL Rewriting allows for
suspicious urls to be analyzed
by Cisco Cloud Web Security
(Reputation, AV/AM, AMP)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 152
Understanding where URLs are scanned
• As of version 8.5.6 the ESA can evaluate URLs inside a WORKQUEUE
message – both for Reputation and Categorization LDAP RCPT Accept
(WQ deferred)

• URL filtering is not enabled by default, you must enable the Masquerading
service and have a valid Outbreak Filter license to perform
(TABLE / LDAP)

LDAP Routing
URL inspection
Message Filters
• Once enabled, URLs are evaluated in three scanning blades: CASE (Anti-Spam)
1. During IPAS Scan, a URL is used to factor into SPAM scores Anti-Virus
Inside a Content Filter for Reputation Score and Category

Per-Policy Scanning
2. Advanced Malware (AMP)
3. As part of the Threat Outbreak Filter URL Rewrite function
Graymail Detection
Content Filtering
• 9.7 introduced Web Interaction Tracking for Clicked URLs, DLP filtering (Outbound)
which must be enabled after upgrade
Outbreak Filtering

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 153
URL Evaluation and options

• As of version 8.5.6 the ESA can evaluate URLs inside a message – both for Reputation
and Categorization
• URL filtering is not enabled by default, you must enable the service and have a valid
Outbreak Filter license to perform URL inspection
• 9.7 introduced Web Interaction Tracking for Clicked URLs, which must be enabled after
upgrade

154

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
URL Evaluation and options

• The Web Reputation Score (WBRS) uses the same -10 to +10 score,
however it means something very different than SBRS
• Based on you organizations security posture you can determine how
aggressive you wish to be with URL entering your organization

-10 -6 0 +6 +10

Malicious Neutral Good

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 155
URL evaluation and options in the message body

• URL Reputation is assessed inside of the CASE engine and used


as part of the decision for Anti-Spam
• If not stopped as Spam the URL can be evaluated inside a content
filter for both Category and Reputation

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 156
URL Evaluation and options
• Recommendations:
• Block URL: -10 to -6
• URL Remove: -5.9 to -5.8
• Leave the rest for Outbreak
Filters
• Use in condition when you want
to take an action on the whole
message
• Use in action to act on URL only

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 157
Understanding URL Modification
• URL modification can happen in two places depending on policy settings, inside a filter
(Message or Content) and as part of an Outbreak Filter verdict
• URLs modified by a Filter with a Re-Direct action will only do a reputation check at click time
• URLs modified by Outbreak Filters will go through deeper inspection, including Malware
scanning and AMP in the cloud

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 158
Clean URL Re-writes
• In version 9.7 we introduced an option to do “clean” URL rewrites where only the
HREF tag would be re-written leaving the email looking unmodified
• Option is enabled only through the CLI – All URLs refer to both href and text, by
saying N, it only targets HREF tag
websecurityadvancedconfig > Do you want to rewrite all URLs with secure proxy URLs? [Y]> n

Before Clean URL Rewrites: After Clean URL Rewrites:

Hi, Hi,

Click on the link below for your special offer! Click on the link below for your special offer!
https://secure-web.cisco.com/1adjW1InNsH83UFDjLDFTjer5nJId9J- http://randomofferurl.com
HjqKlbAcaLQ74EH5ViYEStC5jPZqvg_weQJeocAQeEryL5b1JR6T0JgzXkjk1P
UMCBb_eQApCXS6ZsoujzgNvwt9UqN27SN1zcMVjmIpWQN__lTmALmHdG https://secure-web.cisco.com/1adjW1InNsH83UFDjLDFTjer5nJId9J-
MZ_PaFf9FTUvmMc7UjRZBhvHzDvGJ0Lm5uh9evj_C_OemBAy44xbXwmYu HjqKlbAcaLQ74EH5ViYEStC5jPZqvg_weQJeocAQeEryL5b1JR6T0J
gzXkjk1PUMCBb_eQApCXS6ZsoujzgNvwt9UqN27SN1zcMVjmIpW
A3uRPqKrf7T6ZNepA0MlcszDFPwufWUB7bbmS8Ziqh_- QN__lTmALmHdGMZ_PaFf9FTUvmMc7UjRZBhvHzDvGJ0Lm5uh9e
CyjG8KI6fJU33qjnInxHsjOBq98VxQUT- vj_C_OemBAy44xbXwmYuA3uRPqKrf7T6ZNepA0MlcszDFPwufWU
B7bbmS8Ziqh_-CyjG8KI6fJU33qjnInxHsjOBq98VxQUT-
vMf_2U_OlpguXStzGTlj3U__yBZlLZsS9W1xLZpcGUKpdUp8Q_SBBq9HknQ/h vMf_2U_OlpguXStzGTlj3U__yBZlLZsS9W1xLZpcGUKpdUp8Q_SBB
ttp%3A%2F%randomofferurl.com q9HknQ/http%3A%2F%randomofferurl.com
Click or tap to follow

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 159
URL Categorization
• URL Categorization on the
ESA leverages the same
data as the Web Security
Appliance (WSA) and
Cloud Web Security
(CWS)
• Use this to compliment
Acceptable Use Policies to
prevent inappropriate
URLs in email

160

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
URLs in Attachments (11.1)
• Enable lookups in attachments via a Content or Multiple URLS in a document

Message Filter to perform URL reputation of http://website.com


https://newssite.com
links in documents http://malicioussite.com
http://sportsnews.com
• Office / OLE objects can be analyzed (i.e doc,
docx, xls, ppt, pdf)
• If a malicious URL is found, action is taken on
the message, not just the attachment
• Default limit of URLs scanned is 25, can be
configured via CLI
• URLs in attachment will not be re-written

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 161
Enabling Shortened URL Expansion (11.1)
• This feature will allow for URLs that are using a Malicious URL behind a shortener service

shortening service will be pre-expanded to get http://bit.ly/xyz123s34


base the URLs
• The ESA will query the service directly to get the http://www.badsite.com
base URL
Services supported (23):
• Up to 10 redirections / queries will be supported • post.ly
• bit.ly • tl.gd
before the URL is marked as malicious • tiny.cc
• tinyurl.com • plurk.com
• ustre.am
• Must be enabled via the CLI • ow.ly • url4.eu
• tumblr.com • j.mp • tr.im
websecurityadvancedconfig > Do you want to enable URL filtering for shortened URLs? [Y]> Y • formspring.me • goo.gl • ur.ly
• ff.im • yfrog.com • fb.me
• youtu.be • su.pr • alturl.com
• chatter.com • wp.me

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 162
Structuring effective rules for URLs in Attachments
• Reputation lookups are low on
resources, however care should
still be taken when crafting rules
• Target attachments from untrusted
/ unknown sources for further
analysis
• Use message filters to eliminate
globally unwanted / restricted file
types to reduce the number of files
being analyzed

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 163
Web Interaction Tracking & Reporting
• On box reporting (batch) can provide
valuable insight into who clicked on
certain URLs
• More valuable as a training tool and
understanding who is being targeted
inside your environment
• Reporting and Tracking pages will
show the URLs (Tracking in 10.0 for
URL details)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 164
Quarantines
• Quarantines are places to hold emails that violate policies: Anti-Spam, Anti-Virus, AMP,
email policy, and that contain outbreaks
• Spam Quarantine, Outbreak, Policy, and Virus quarantines are enabled by default
• Can create other quarantines as needed or desired to fit company policy
• The system has finite space for quarantines on box. For more Spam Quarantine space,
use an M-series appliance. Policy quarantines are not yet able to be centralized on the M
Series

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Encryption
TLS Setup

§ TLS is not enabled by default on the ESA for inbound or outbound


§ TLS / SSH uses weak ciphers by default on the ESA
§ Change ciphers: http://www.cisco.com/c/en/us/support/docs/security/email-security-
appliance/117855-technote-esa-00.html
§ Destination Controls can enforce TLS on outbound messages and Mail Flow Policies

167

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Enforce TLS on outbound messages - Destination controls
• TLS Settings for outgoing connections for specific domains/partners
• Bounce verification and profile settings

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 168
End-to-End Email Encryption
Cisco Registered Envelope Service turnkey email encryption
§ The only cloud-based encryption key server flexible enough to meet the evolving
secure-communications requirements of businesses today

§ Hosted key service Encryption key is


§ Uses federated identity gateway stored in the cloud
Integrated MTA to
§ Push technology with intuitive MTA TLS enforced
policy management security with
§ We make encryption easy for end advanced end to
users – a key adoption barrier end encryption to
§ Supports SAML for federated meet evolving
identity customer
requirements
§ Technology independent – use
your inbox or mail server of choice

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
End user experience

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 170
Guaranteed Secure Delivery
Secure Envelope when you must, TLS when you can

PUBLIC RECIPIENT

SUE
TO:SUE
Internet
TO: SUE and BOB TLS C
ON NECT
ION
TLS
CON
NECT
ION
BOB

PARTNER RECIPIENT
TO: BOB

Destination-Sensitive Email Encryption


§ Use TLS if available
§ Otherwise, encrypt using PXE Secure Envelope

§ Enable in Message and Content Filters, and DLP Policies

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Setting Up Email Encryption
1. Enable Email Encryption
2. Configure Encryption Profile (multiple profiles may be configured)
3. Provision with Cisco Registered Envelope Service
4. Define policy via Content Filter(s)
5. Reference the Content Filter in a Mail Policy

6. Test using the trace and sample outbound emails


Encryption
Profile Provision

CRES

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
CRES Setup

§ CRES requires that the serial and


admin account be added to the back
end systems before enabling CRES
§ If new appliances (including VMs) or
net new service is being set up there
is one additional step before
provisioning will
§ Email stg-cres-
provisioning@cisco.com to have
serial # provisioned

173

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
1. Enable Email Encryption

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
2. Configure the Encryption Profile
Key Server Settings

Key Server Type


§ Hosted Key Service: Use Cisco Registered Envelope
Service *, a managed service by Cisco/IronPort
§ Local (IronPort Encryption Appliance):use a key server
managed by customer and running locally on an IEA

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
2. Configuring the Encryption Profile
Envelope Settings Security Services > IronPort Email Encryption > Add Encryption Profile

§ Message Security
§ Control if Recipient can
cache credentials in
browser
§ Or Remove the need for
Recipients to register

§ Read Receipts
§ If enabled, sender gets
read receipt when msg is
opened
§ Guaranteed—can’t be
blocked by recipient

§ Encryption Algorithm
§ ARC4: industry standard, secure algorithm. Appropriate
for most applications.
§ AES: ultra-secure, used mainly by governments and
banks. Results in slower envelope opening for recipients.

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
2. Configure the Encryption Profile
Message & Notification

§ Message Settings
Enable Secure
Reply All and Forward
buttons for recipients

§ Notification Settings
(Optional) Define custom notifications using Text
Resources.
§ Mail Policies > Text Resources > Add Text
Resource
Select them here, using drop downs.

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Commit Your Changes!

• Must Commit before you can provision!

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Provision the Profile With
Cisco Registered Envelope Service
Security Services > IronPort Email Encryption

• Registers the appliance with the Cisco Registered Envelope Service


•Authenticates the appliance and associates with an existing account
•Allows keys to be registered when messages sent

• Must happen before encrypted messages can be sent


• Does not apply to local key server
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Initiate Encryption with Content Filters

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Define the Encrypt Condition
Message Policies > Outgoing Content Filters > Add Content Filter > Add Condition

The "\" is an escape for regex Meta characters


Remember to put a
"\" in front of Meta characters in the GUI
"\\" in front of Meta characters in the CLI

Meta characters include: ^ $ * \ . ? | + [ and ]


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Define The Encrypt Action
Message Policies > Outgoing Content Filters > Add Content Filter>Add Action

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Email Encryption
Zix Gateway with Cisco Technology

Automate encryption Automate delivery to Exchange encrypted Provide the optimal


for employees the most secure, most email transparently mobile experience
convenient method

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Zix Gateway with Cisco Encryption
• BMOD enables automatic External Recipients
transparent secure delivery Secure
Pull
• Send-to-Any Email Address (HTTPS)
via push or pull Zix ZCT Transparent Secure Delivery
• Encryption triggered via ESA Zix Cloud Directory Secure hosted portal
by keywords | policies | To |
Other Zix
From | etc. Customer Premises Users
• Automated Key Management
• No Desktop Software
Required Cisco ZCT TLS users
• ZixPort allows message Mail Server ESA
attachments up to 50MB
PU
SH
PXE
Senders Push
(employees)

External DB
(PXE keys)
Regular
Outbound Email

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
ZixPort Secure Portal Delivery
• Very user-friendly and customizable.
Click ‘Open Message’ …Enter password … that’s it!

• Many useful features and configuration options:


• Custom branding
• Very simple two-step registration
• Multi-language interface
• Fully customizable feature set
• Reply/Reply All/Forward
• Compose feature
• Password rules
• Message expiry … and more

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Anti-Spoofing and Anti-phishing
Impact of Social Engineering
• Social Engineering has added to the
success rate for spoofing attacks.
Attackers will follow targets for months, on
social media, news, etc.
• Will craft messages with “history” to add
legitimacy to the request being made
• They will look for an event – i.e travel
abroad, large deals, vendor agreements
and use it to express urgency
• Along with technical controls, user
education is key to prevent financial lost,
brand damage, or legal ramifications.

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 187
Think Before You Click

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Think Before You Click

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Addressing the Simple Spoof
Mon Jun 26 16:48:31 2018 Info: New SMTP ICID 238970 interface Data 1 (216.71.129.13) address
72.142.13.157 reverse dns host unallocated-static.rogers.com verified no
Mon Jun 26 16:48:31 2018 Info: ICID 238970 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None country
Canada
Mon Jun 26 16:48:54 2018 Info: Start MID 137251 ICID 238970
Mon Jun 26 16:48:54 2018 Info: MID 137251 ICID 238970 From: <ceo@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 SMTP Call-Ahead bypass applied to
<bob@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 RID 0 To: <bob@dinconsulting.com>
Mon Jun 26 16:49:40 2018 Info: MID 137251 Subject 'Re: Please pay this...'
Mon Jun 26 16:49:40 2018 Info: MID 137251 ready 202 bytes from <ceo@dinconsulting.com>
Mon Jun 26 16:49:40 2018 Info: MID 137251 matched all recipients for per-recipient policy
DINCONSULTING in the inbound table
<scan results> …

• Typically will be a compromised host, on a hosting service or dynamic IP


• In this example, an obvious spoof of a domain that owned by the target
• Without any connection level verification, little info to use to help convict the message

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 190
How it works: SPF
• Allows recipients to verify sender IP addresses by looking up DNS records listing
authorized Mail Gateways for a particular domain
• Uses DNS TXT Resource Records
• Can verify HELO/EHLO and MAIL FROM identity (FQDN)
• Upon evaluation of SPF records, the following can these results:
Result Explanation Intended action
Pass The SPF record designates the host to be allowed to send accept
Fail The SPF record has designated the host as NOT being allowed to send reject
SoftFail The SPF record has designated the host as NOT being allowed to send but is in transition accept but mark
Neutral The SPF record specifies explicitly that nothing can be said about validity accept
None The domain does not have an SPF record or the SPF record does not evaluate to a result accept
PermError A permanent error has occurred (eg. badly formatted SPF record) unspecified
TempError A transient error has occurred accept or reject

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 191
SPF Operation
Work out which Get incoming
machines send connection

DNS TXT
Parse SPF record
RR

Check remote IP,


Outgoing msg Just forward it HELO/EHLO,
MAIL FROM

Deliver/Drop/
Quarantine…

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 192
Enable SPF Verification
• Configured in Mail Flow Policy

• When SPF is enabled, the ESA will


stamp headers in the message

• Use the results inside message or


content filters to determine the action

• PRA identities are evaluated in the


message filters only

• SPF vs SIDF, an interesting read:


http://www.openspf.org/SPF_vs_Send
er_ID

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 193
After enabling SPF
Mon Jun 26 16:48:31 2018 Info: New SMTP ICID 238970 interface Data 1 (216.71.129.13) address 72.142.13.157
reverse dns host unallocated-static.rogers.com verified no
Mon Jun 26 16:48:31 2018 Info: ICID 238970 ACCEPT SG SUSPECTLIST match sbrs[none] SBRS None country Canada
Mon Jun 26 16:48:54 2018 Info: Start MID 137251 ICID 238970
Mon Jun 26 16:48:54 2018 Info: MID 137251 ICID 238970 From: <ceo@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 SMTP Call-Ahead bypass applied to
<bob@dinconsulting.com>
Mon Jun 26 16:49:09 2018 Info: MID 137251 ICID 238970 RID 0 To: <bob@dinconsulting.com>
Mon Jun 26 16:49:18 2018 Info: MID 137251 SPF: helo identity postmaster@dinconsulting.com Fail (v=spf1)
Mon Jun 26 16:49:18 2018 Info: MID 137251 SPF: mailfrom identity ceo@dinconsulting.com Fail (v=spf1)
Mon Jun 26 16:49:40 2018 Info: MID 137251 SPF: pra identity None headers None
Mon Jun 26 16:49:40 2018 Info: MID 137251 Subject 'Re: Please pay this...'
Mon Jun 26 16:49:40 2018 Info: MID 137251 ready 202 bytes from <ceo@dinconsulting.com>
Mon Jun 26 16:49:40 2018 Info: MID 137251 matched all recipients for per-recipient policy DINCONSULTING in
the inbound table
<scan results> …

SPF Record: TXT="v=spf1 include:spf.protection.outlook.com -all"

• By enabling SPF, you gain additional intelligence on the sender


• We still accepted the message, but can use the verdict later to make a decision to convict the message
• Effectiveness is bound by participation – you need to invest time to ensure SPF records are up to date
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 194
How it works: DKIM
• Domain Keys Identified Mail, Specified in RFC5585
• In a nutshell: Specifies methods for gateway-based cryptographic signing of outgoing
messages, embedding verification data in an e-mail header, and ways for recipients to
verify integrity of the messages
• Additional RFCRFC6376 (DKIM Signatures), RFC5863 (DKIM Development, Deployment
and Operation), RFC5617 (Author Domain Signing Practices (ADSP))
• Uses DNS TXT records to publish public keys
20120113._domainkey.gmail.com IN TXT “k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabg
bFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD
0""7y2+07wlNWwIt8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz
8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/
wIDAQAB”

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 195
DKIM Operation
Generate
Receive msg
keypair

DNS TXT RR
Parse DKIM-
Canonicalize Signature
Outgoing msg +
Sign
Verify
b and bh

Insert
DKIM-Signature Deliver/Drop/
Quarantine…

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 196
DKIM Signature
Example DKIM-Signature Header

Algorithms used Canonicalization scheme


DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
Signing Domain ID Selector
d=ietf.org; s=ietf1;
Signed Headers
h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive:
List-Post:List-Help:List-Subscribe;
Header Hash bh=+ImqGr4kx/dtZpQKjmcWyVJtHFzo8kD6dIgqvZvk2gY=;
Body Hash b=DmDxUUN1XBQTWb99003VdnQn5ntUmK6kvuF6Iu/ZFmIHjoo/r5B85Cu8u4
xHlZF2gh664WyOb2ffYJ9bcfwb3JvT6d3bndL8/bvYtOXUR7g1MqMc32Zn/d
60pXWbQOa16+ZW6KwwWF+mDlhpztNwFsG6oRprrLUUzBSupVx7s74=

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 197
Enable DKIM Verification

1 2

1. Create profile for action on DKIM (Default is


Monitor)
2. Enable DKIM Verification in Mail Flow Polices
3. Act on failures via a content filter. Use an action
to Policy quarantine to be able to review spoofs

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 198
Logging additional headers

Sat Jun 17 05:29:54 2018 Info: MID 94398 ICID 188033 From: <bob@gmail.com>
Sat Jun 17 05:29:54 2018 Info: Message done DCID 1496 MID 94399 to RID [0] [('from', 'Uncle Bob <bob@gmail.com>')]

• Under Log Subscriptions Settings or the logconfig command in the CLI, you can
configure additional headers to be logged
• These will be displayed in the mail_logs and message tracking output upon
creation of a DCID (Delivery Connection ID)

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 199
Disclaimers and Action Variables

• You can create a wide variety of text resources that can be used in filters as actions for
suspected messages
• Action Variables can be used inside the text resource as well as content / message filters

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 200
Detecting a Reply-To Mismatch

Reply-To Header

From Header

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 201
Cousin Domains and Typo-Squatting

• Typically targeted to a specific well known brand Example: cisco.com


• Uses various techniques in the attempt to fool the end Addition: ciscoo.com
user into trusting the sender
Bitsquatting: cicco.com
• Will register the domain and create SPF, DKIM and
DMARC records Homoglyph: c1sco.com
• Will legitimize the sending host with proper DNS and Insertion: ciseco.com
rDNS records Omission: cico.com
Repetition: cissco.com
Replacement: cizco.com
Subdomain: c.isco.com
Transposition: csico.com

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 202
Using DNS Twist
Main page: https://github.com/elceef/dnstwist

__| |_ __ ___| |___ _(_)___| |_


/ _` | '_ \/ __| __\ \ /\ / / / __| __|
| (_| | | | \__ \ |_ \ V V /| \__ \ |_
\__,_|_| |_|___/\__| \_/\_/ |_|___/\__| {1.03}

Processing 140 domain variants


....................................22%......................44%
.......65%...........85%.... 85 hits (60%)

Original* cisco.com 72.163.4.161 2001:420:1101:1::a


Addition ciscoa.com 52.7.234.86
Addition ciscob.com -
Addition ciscoc.com 103.224.182.238
Addition ciscod.com 184.168.221.45
Bitsquatting cmsco.com 50.204.65.37
Bitsquatting casco.com 208.73.210.202
Bitsquatting cysco.com 121.254.178.253
Bitsquatting circo.com 208.73.210.202
Bitsquatting cicco.com 146.112.61.107
Homoglyph cisc0.com 66.45.246.141
Homoglyph c1sco.com -
Homoglyph clsco.com 64.254.28.227
Repetition cissco.com 146.112.61.107
Replacement cisci.com 185.65.56.178
Subdomain cisc.o.com -
Transposition icsco.com 205.178.189.131
Transposition csico.com 23.236.62.147

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 203
How it works: DMARC
• Domain-based Message Authentication, Reporting And Conformance
• Defined in RFC 7489
• Provides:
• DKIM verification
• SPF authentication
• Synchronization between all sender identities (Envelope From, Header From)
• Reporting back to the spoofed entity

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 204
How it works: DMARC
• Both DKIM and SPF have shortcomings, not because of bad design, but
because of different nature of each technology
• DKIM policy advertising was addressed by ADSP, but:
• There was no visibility by spoofed parties into offending traffic
• Even though a receiver implemented both SPF and DKIM verification, there was no
requirement of the two technologies being in sync
• A smart attacker might make use of this to push illegitimate messages through

• SPF checks HELO/MAILFROM identity, but no verification or alignment of


Header From is ensured
• Thus, DMARC was born:
• Leveraging great existing technologies, providing a glue to keep them in sync, and
allowing senders to mandate rejection policies and have visibility of offending traffic

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 205
How it works: DMARC record structure

TXT Record for Domain amazon.com Version of DMARC Action on Auth Failure % of messages to apply policy

_dmarc.amazon.com IN TXT “v=DMARC1\; p=quarantine\; pct=100\;


rua=mailto:dmarc-reports@bounces.amazon.com\; ruf=mailto:dmarc-
reports@bounces.amazon.com
Aggregate Feedback report URI Forensic Feedback report URI

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 206
DMARC Operation
SPF (or TXT) Apply DMARC
Publish SPF Check SPF
DNS RR Policy

DKIM (TXT) Send DMARC


Publish DKIM Check DKIM
DNS RR Report(s)

DMARC (TXT) Fetch DMARC


Publish DMARC
DNS RR Policy

Insert Align
Outgoing msg
DKIM-Signature Identifiers
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
How to enable DMARC
1 • DMARC is configured via by
creating a profile and then
applying the profile to a Mail
Flow Policy
• By default the profile is set to
Monitor for DMARC violations,
however it needs to be applied
2 to a policy for it to evaluate
DMARC records
• Monitor and Tune settings and
SenderGroups and move to
blocking when ready

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 208
Honor thy tag

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@yahoo.com


Tue Jun 27 00:09:24 2018 Info: MID 140370 ICID 242100 From: root@cannon.teamnorthwind.com
Tue Jun 27 00:09:24 2018 Info: MID 140370 ICID 242100 RID 0 To: usman@dinconsulting.com
Tue Jun 27 00:09:24 2018 Info: MID 140370 SPF: helo identity postmaster@cannon-master None
Tue Jun 27 00:09:24 2018 Info: MID 140370 SPF: mailfrom identity root@cannon.teamnorthwind.com None
Tue Jun 27 00:09:25 2018 Info: MID 140370 SPF: pra identity gguy@yahoo.com None headers from
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Message from domain yahoo.com, DMARC fail, (SPF
aligned False, DKIM aligned False) DMARC policy is reject, applied policy is reject
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Verification failed.
Tue Jun 27 00:09:25 2018 Info: MID 140370 DMARC: Message rejected by DMARC policy.
Tue Jun 27 00:09:25 2018 Info: MID 140370 rejected by DMARC policy
Tue Jun 27 00:09:25 2018 Info: Message aborted MID 140370 Receiving aborted

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 209
Use DMARC pass/fail as a factor in filters
• DMARC results are stored in the x-authentication-results header
• This can be leveraged inside a Content or Message Filter if DMARC is not
being used to block during the connection phase
• Use the header results along with other factors such as Geo-Location, Forged
Email Detection, etc. to increase accuracy of a possible threat

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 210
Tools to help get you started
DMARC Lookup Tools:
https://www.agari.com/project/dmarc/, https://www.valimail.com/dmarc/domain-
checker#/
DMARC Wizard:
https://dmarc.globalcyberalliance.org/
DMARC Aggregation Reporting Tool (FREE!)
http://dmarc.postmarkapp.com/

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 211
Forged Email Detection – Header Fuzzy Matching

1 2

MID 143464 Forged Email Detection on the From: header with score of 100
Info: Message done DCID 1570 MID 143464 to RID [0] [('From', ‘Angry Bossman <angryboss@gmail.com>']

• The idea behind Forged Email Detection is to provide a method to match the Display
Name in the From Message header to Executives or High Value Personnel
• This feature can help narrow down targeted spoofs, that can leverage any action inside a
content or message filter and can also strip the From header to expose the envelope
from.
• Using it alone is prone to false positives! Use in conjunction with other conditions

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 212
What are we matching?
• Forged Email Detection focuses on matching the Header From (RFC5322) and
specifically the Display Name (i.e First Last <user@domain.com>)
• Fuzzy Matching samples:

Amgry Bossman -> Forged Email Detection on the From: header with score of 93
Angerry Bossman -> Forged Email Detection on the From: header with score of 92
Angry Bosman -> Forged Email Detection on the From: header with score of 96
Angry B0ssman -> Forged Email Detection on the From: header with score of 93
Angry Bossm4n -> Forged Email Detection on the From: header with score of 92
Andry Bossman -> Forged Email Detection on the From: header with score of 92

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 213
Example Forged Email Detection Filter
Before fed() After fed()

Strip From header


Insert Disclaimer

• In this example we added the


reputation score of the
sender to focus the matches
on untrusted senders

• By leveraging Forged Email


Detection we can take an
action to strip the headers
and any additional actions
that may be required

• Use in combination with a


User Training program

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 215
Advanced Phishing Protection
Domain Protection
95% of All Successful Cyber Attacks are Caused by Phishing
Business Email Compromise
Breach-focused Attacks Customer Phishing
“BEC”

From: Bertolini, Mark (Chairman & CEO) From: cyndikane@company-a.net From: Amazon Web Services <noreply-
To: Guertin, Shawn To: jmcnamara@company-b.com aws@amazon.com>
Subject: Outgoing payment Subject: Fwd: Proforma Invoice To: srobson@informatica.com
Subject: Confirm your AWS Account

$100M 96% $9.1B


lost by Google and of breaches in global losses
Facebook communicated via email
in Sources:
partner invoicing scam
RSA Global Fraud and Cybercrime Forecast 2017, Verizon Data Breach Digest 2018.

21
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
7
Advanced Phishing Attacks Use Identity Impersonation

Content Deception Identity Impersonation

Zero Day
Attacks $
Email
Malware Spear Business
Social Email Account
Spam Eng Attacks Phishing Takeover
Compromise

2000s 2015 2017 2018

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Cloud Security Solutions

Next Generation ATP Email Authentication/DMARC

Advanced Phishing Protection Domain Protection

Protects employees from BEC, ATO and other advanced


Email attacks

Trust Protect partners and customers from phishing using your


brand
Platform Identity Intelligence (AI2) model trusted behavior

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Advanced Intelligence
• Learns and authenticates
identities and behavioral
relationships for enhanced
protection

Advanced Phishing
Protection Reduces Business
Email Compromise
• Better understand which
emails carry targeted phishing
attacks so only legitimate
emails are in inboxes

22
0 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Advanced Phishing Protection

SEGs Use IP and From: Tony Nicely <trnicely@geico.com>


Looks Beyond
Content Blacklists Received: from nmail2.netsuite.com (167.216.129.208)
Sent: 10-Oct-2017 2:25:44 UTC
to Understand Identity
To: Mike Campbell <mcampbell@geico.com>
Reply-To: Tony Nicely <ceo.exec@gmail.com>
✓ IP Reputation Subject: Urgent Wire Transfer ✕ Organizational Behavior
✓ Spam & Outbreak Filters Hi Mike, ✕ Infrastructure Behavior
✓ Forged Email Detection As you know, I’m on the road today. I’d like you to set up and initiate a wire ✕ Individual Behavior
transfer with the attached details. I’ll follow up with details when I get back in
✓ Payload Analysis the office later this week. ✕ Relational Model
Cheers,
Tony

Verdict: Clean Verdict: Deceptive

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 221
BEC is an Identity Deception Problem
7% From: GIECO <support@G1ECO.com>
Look-alike Domain
Domain Received: from: mail.other.com [121.32.54.124]
12% From: Tom Nicely <ceo@GIECO.com>
Spoofing

BEC attacks
up 2370%
Over $9B in
exposed $
Display Name 81% From: Tom Nicely <ceogieco@GMAIL.com>
loss
Deception

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 222
Advanced Phishing Protect Flexible Architecture

Office 365/G-Suite
SEG

Identity IntelligenceTM

BEC APT ATO MS Exchange

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 223
224

Identity Intelligence™ (AI2) Components


Identity Mapping Behavioral Analytics Trust Modeling
Which Identity is perceived Does this message match How is the perceived
to be sending this the expected behavior for Identity related to the
message? that identity? recipient?

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
225

Example of a Blocked ATO-based Attack

Agari Identity Intelligence now blocks this new attack vector

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Rapid DMARC Authenticates Inbound Own Domain Email
Inbound DMARC Authentication & Enforcement
Automatically Discovers & Builds a Sender Inventory
Immediate Protection with minimal Operational Impact

Own-Domain Inbound Email

HR
System

Payroll
Employee
System Inbox

Exec
Spoof

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 226
Protect Your Brand
• Easily analyze, update and take
action against those misusing
your domain to send malicious
email
• Validate those who use your
domain appropriately
Domain Protection
DMARC Authentication
Stopping Phishing and Brand Abuse
• Compliant with new US
Department of Homeland
Security Regulations
• Drive to DMARC Enforcement
with proven tools and services

22
7 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Email’s Fundamental Flaw – Unknown Sender Identity
SENDERS RECEIVERS
1 Unknown identity of senders
2 Infinite attacks possibilities
3 Volume – 200B emails/day

FROM: ?

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 228
Why Is There Still Phishing?
Cisco Secures 90% of DMARC email volume globally
SENDERS RECEIVERS

DMARC ENABLED DMARC ENABLED


MAILBOXES IN THE US MAILBOXES GLOBALLY

85% 70%
Source: Facebook via DMARC.org Source: DMARC.org

229 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 229
Adoption is Limited and Few Companies are at Reject
Fortune 5 0 0 D M A R C a d o p tio n rate a n d

33%
e n f o rc e m e n t status by industry
of Fortune 5 0 0 C o m p a n ie s
have a D M A R C policy. 60%
"Reject" Policy "Quarantine" Policy "None" Policy
50%

33%
40%
of FTSE 1 0 0 H a v e a
D M A R C P o l i c y. 30%

20%

10%

27% of ASX 1 0 0 have


a D M A R C policy. 0%

23 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Understanding Your Email Ecosystem

DATA ANALYTICS

THREAT &
INFRASTRUCTRE
ALERTS

209 3,908 1.2B 1.3M 194M 1.25M


Chase Chase Legitimate Spoofing Malicious Malicious
Domains Servers Emails Servers Emails URLs

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 231
Automated Prevention of Phishing
• Automates getting to DMARC enforcement (P=Reject)
• Maintains enforcement as ecosystem evolves

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 232
233

Automating Email Authentication


1. Email Cloud Intelligence – Automated
discovery and intelligence on 3rd party email
senders
2. Automation of SPF creation - streamline
implementation of SPF, DKIM, and DMARC
to protect customers and supply chain
3. Hosted SPF - Option to have Agari host
DMARC and SPF records or use Agari tools
to build self-hosted records

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Before Domain Protection

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 234
Day 1 With DP – Visibility Into Your Brand Abuse

Your Sender Locations

Protected

Malicious Senders

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 235
After DP – Stop Phishing Message From Being Delivered

Your Sender Locations

Protected

Malicious Senders

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 236
Protecting the Email Channel

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 237
Summary
In Summary
• The days of set it and forget it are long gone – continuous monitoring and tuning are required to keep
up with todays threats
• Understand what your organizations security posture is and apply it to your appliances
• Keep your appliances updated – we are constantly introducing new features that require upgrades /
updates
• Check out our Chalktalks on Youtube and Guides on Cisco.com to help with tuning and setup new
features on Cisco Email Security

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Anti-Spam Tuning Checklist
q Assess your Host Access Table – still q Use the new granular policies to create
using the defaults? Time to adjust the better Incoming Mail Policies
scores
q Move the logic from the filter to the policy
q Create more SenderGroups and get to create more efficient settings
gradually more aggressive in your
settings q Turn on Graymail and Threat Outbreak
Filtering to get more insight and better
q Check your WhiteLists - entries could be efficacy
years old, ip changed, etc. Use the
comments to keep track and prune q Check your file size limits: Defaults are
regularly low and could potentially allow threat
messages through
q Check your Mail Flow Policies and turn
on Sender limits, Sender Verification, etc. q Upgrade, Upgrade, Upgrade!

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 240
File Handling Checklist
q Create a filter to block, quarantine or q Evaluate AMP if you don’t have it
strip attachment that are deemed risky already
for the organization
q AMP will hash all files and ask for file
q Use AV to block the known viruses. reputation
Cleaning / Repairing viruses from files
may be something you want to turn off q Set the File Analysis Pending action to
Quarantine to hold the message until a
q Ensure Virus Outbreak is turned on all verdict is available
your policies, it provides an average
10+ hr lead time on 0-day attacks q Macro inspection is performed by File
Analysis on AMP along with other file
q Upgrade to 10.0.1 and use the Macro types
Filter to detect and take an action on
unwanted files q Remediation is now available with
Office 365 with the Azure API

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 241
Phish & Spoofing Checklist
q Enable URL Filtering on the ESA q Make a plan to enable SPF, DKIM and
DMARC
q Enable Web Interaction Tracking (if permitted
by policy) q Know who your allowed external spoofs are
by tracking them via filters and policies
q Enable certain admin users URL visibility in
Message Tracking if permitted by policy) q Build the list as the exception, trap all others
q Enable Threat Outbreak Filtering and message q With 10.0 use the Forged Email Detection
modification – warn your users! Feature to look for matches on the display
name, if too close to call, drop the From
q Whitelist your partner URLS, use the scores to header
create filter for others
q Send a copy of suspected spoofs to a
q Combine the reputation rules and leverage quarantine for review and then tune your
language detection as part of the logic rules to start blocking messages
q Use the policies to define the level of
aggression for rule sets

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 242
Summary of Recommendations
Security Services CLI Level Changes
q IronPort Anti-Spam q Web Security SDS URL Filtering
q Always scan 1MB and Never scan 2MB • websecurityadvancedconfig >
q URL Filtering • disable_dns=1 , max_urls_to_scan=20 , num_handles=5 , default_ttl=600
q Enable URL Categorization and Reputation q URL Logging
q Enable Web Interaction Tracking • outbreakconfig> Do you wish to enable logging of URL's? [N]> y
q Graymail Detection • http://www.cisco.com/c/en/us/support/docs/security/email-security-
appliance/118775-technote-esa-00.html
q Enable and Maximum Messages size 1 MB
q Clean URL Rewrites
q Outbreak Filters
• websecurityadvancedconfig > Do you want to rewrite all URLs with secure proxy
q Enable Adaptive Rules, Max Scan size1 MB URLs? [Y]> n
q Enable Web Interaction Tracking
q Anti-Spoof Filter
q Advanced Malware Protection • https://supportforums.cisco.com/sites/default/files/attachments/discussion/forged
q Enable additional file types after enabling feature _email_detection_with_cisco_email_security.pdf
q Message Tracking q Header Stamping Filter
q Enable Rejected Connection Logging (if required) addHeaders: if (sendergroup != "RELAYLIST")
{
System Administration insert-header("X-IronPort-RemoteIP", "$RemoteIP");
insert-header("X-IronPort-MID", "$MID");
q Users insert-header("X-IronPort-Reputation", "$Reputation");
q Set password policies insert-header("X-IronPort-Listener", "$RecvListener");
q If possible leverage LDAP for authentication insert-header("X-IronPort-SenderGroup", "$Group");
q Log Subscriptions insert-header("X-IronPort-MailFlowPolicy", "$Policy");
}
q Enable Configuration History Logs
q Enable URL Filtering Logs
q Log Additional Header ‘From’

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 243
Summary of Recommendations
Host Access Table Incoming Mail Policies
q Additional SenderGroups q Anti-Spam thresholds
q SKIP_SBRS – Place higher for sources that skip reputation q Positive = 90, Suspect = 39
q SPOOF_ALLOW – Part of Spoofing Filter
q Anti-Virus
q PARTNER – For TLS Forced connections
q Don't repair, Disable Archive Message
q In SUSPECTLIST q AMP
q Include SBRS Scores on None
q Add "AMP" to Subject Prepend for Unscannable, Disable Archive Message
q Optionally, include failed PTR checks
q Graymail
q Aggressive HAT Sample q Scanning enabled for each Verdict, Prepend Subject and Deliver
q BLACKLIST [-10 to -2] POLICY: BLOCKED q Add x-header for Bulk email header = X-BulkMail, value = True
q SUSPECTLIST [-2 to -1] POLICY: HEAVYTHROTTLE
q GRAYLIST[-1 to 2 and NONE] POLICY: LIGHTTHROTTLE q Outbreak Filters
q ACCEPTLIST [2 to 10] POLICY: ACCEPTED q Enable message modification. Rewrite URL for unsigned message.
q Change Subject prepend to: [Possible $threat_category Fraud]

Mail Flow Policy (default)


q Security Settings
Outgoing Mail Policies
q Set TLS to preferred q Anti-Virus
q Enable SPF q Anti-Virus Virus Infected: Prepend Subject: Outbound Malware Detected:
q Enable DKIM $Subject.
q Enable DMARC and Send Aggregate Feedback Reports q Other Notification to Others: Order form admin contact
q Anti-virus Unscannable don't Prepend the Subject
q Uncheck Include an X-header with the AV scanning results in Message

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 244
Summary of Recommendations
Policy Quarantines Content Filters
q Pre-Create the following Quarantines q Inappropriate language Content Filter
q Inappropriate Inbound q Conditions Profanity OR Sexual dictionary match, send a copy to the
q Inappropriate Outbound Inappropriate quarantine.
q URL Malicious Inbound q URL Malicious Reputation Content Filter
q URL Malicious Outbound q Send a copy to the URL Malicious (-10 to -6) to quarantine.
q Suspect Spoof
q URL Category Content Filter with these selected
q Malware
q Adult, Pornography, Child Abuse, Gambling.
q Send a copy to the Inappropriate quarantine.
Other Settings q Forged Email Detection
q Dictionaries q Dictionary named "Executives_FED"
q Enable / Review Profanity and Sexual Terms Dictionary q FED() threshold 90 Quarantine a copy.
q Create Forged Email Dictionary with Executive Names q Macro Enabled Documents content filter
q Create Dictionary for restricted or other keywords
q if one or more attachments contain a Macro
q Destination Controls q Optional condition -> From Untrusted SBRS range
q Enable TLS for default destination q Send a copy to quarantine
q Set lower thresholds for webmail domains
q http://www.cisco.com/c/en/us/support/docs/security/email-security-
appliance/118573-technote-esa-00.html
q Attachment Protection
q if one or more attachments are protected
q Optional condition -> From Untrusted SBRS range
q Send a copy to quarantine

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 245
Resources
• ESA ChalkTalks: https://www.youtube.com/playlist?list=PLFT-9JpKjRTANXKBmLbQ611TPYLXbUL_0
• URL Best Practices:
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-
00.html?referring_site=RE&pos=2&page=http://www.cisco.com/c/en/us/products/collateral/security/ema
il-security-appliance/white_paper_c11-684611.html
• Anti-Spam Tuning Guide:
http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white-paper-c11-
732910.html
• Other Guides:
http://www.cisco.com/c/en/us/products/security/email-security-appliance/white-paper-listing.html
• Knowledge base:
http://www.cisco.com/c/en/us/products/security/email-security-appliance/q-and-a-listing.html

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 246
Email Security Appliance – Cisco on Cisco

Emails delivered Emails / mo Emails / day Emails / employee / day %


Attempted 124 M 5.6 M 73
Blocked 77 M 3.5 M 46 63%
Delivered 37 M 1.7 M 22 30%

Delivered, marked “Marketing” 9M 0.4 M 5 7%


ESA Blocked Emails Emails* / mo Emails / day Emails / employee / day %

By reputation 73 M 3.3 M 43 94%


Malware
Spam By spam content 4.3 M 0.2 M 3 5%
By invalid receipts 0.4 M 0.02 M 0.25 1%

3.5M Emails blocked each day


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Thank you