SPF is not an acronym for "Spoof"! Let's utilize the most out of the next layer in Email Security! Robert Sherwin, Cisco Email Security TME BRKSEC-2327 Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Events Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Email Security specific sessions this week 250 not OK: Going on the From Zero to DMARC Hero API Integrations for Cisco Email defensive with Cisco Email • TECSEC-2310 Security Security • Monday, January 27 | 02:30 PM - 06:45 • DEVNET-2326 • TECSEC-2345 PM • Tuesday, January 28 | 10:00 AM - 10:45 • Monday, January 27 | 08:45 AM - 01:00 • Hall 8.0, Session Room D138 AM PM • Hall 6 - The Hub, DevNet Classroom 2 • Hall 8.1, CC8, Room 8.29/8.30 AsyncOS Release 13.0 - What's SPF is not an acronym for Fixing Email! - Cisco Email new in Email Security "Spoof"! Let's utilize the most Security Advanced • LTRSEC-2319 out of the next layer in Email Troubleshooting • Thursday, January 30 | 09:00 AM - Security! • BRKSEC-3265 01:00 PM • BRKSEC-2327 • Friday, January 31 | 09:00 AM - 10:30 • Hall 8.0, Session Room B110 • Thursday, January 30 | 02:45 PM - AM 04:15 PM • Hall 8.0, Session Room A104 • Hall 8.0, Session Room B115 BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Agenda Our session has 90 minutes! We have a lots to cover... • Review (or Intro) to Cisco Email Security • Email Pipeline • Acronyms • A typical message • Utilizing SPF, DKIM, DMARC on Cisco Email Security • Next-level utilization of SPF, DKIM, DMARC • Cisco Advanced Phishing • Cisco Domain Protection • Phishing Efficacy • Cisco Security Awareness Let’s get started! BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Agenda • What this session will not cover: • In-depth SPF, DKIM, DMARC record creation and understanding. (Please see TECSEC-2310, From Zero to DMARC Hero) • SPF, DKIM, DMARC troubleshooting. (Please attend BRKSEC-3265, Fixing Email! - Cisco Email Security Advanced Troubleshooting) BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 7 The Speaker • Technical Marketing Engineer, Email Security • Joined Cisco December 2011 • Cisco Live Speaker in US, EMEA, APJC • 18 years of combined Network, Data Center, and Security experience • 6 years in Cisco TAC, joined TME team in 2018 • Based out of Morrisville, NC (US) Robert Sherwin ([email protected]) BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 January 28, 2020 “... sent phishing emails that gave them access to the companies’ email systems — giving the fraudsters an even bigger trove of information about the victim companies.” “The two companies wired several payments to the fraudulent accounts, adding up to more than $120 million.” - US FBI News: Leader of Fraud Ring Sentenced “6.4 billion – the number of fake emails sent worldwide – every day.” - EY Global Information Security Survey 2018-19 Let’s take a different look in context at 6.4 billion and compare to something more quantifying, like, time... 6,000 minutes = 4.166667 days 6,000,000 minutes = 4166.667777 days (or 11.41 years) 6,000,000,000 minutes = 4166666.667777 days (or 11407.71 years) That is a LOT of emails! Everyday... Review of Cisco Email Security As we discuss layers of email security, our ‘layers’ are provided from the mail flow pipeline... Cisco Email Security Mail Flow Pipeline INCOMING Connection level protection Sender Reputation Filtering (SBRS) Anti-spoof, throttling & verification Connection Filtering Sending domain verdict analysis Sender Domain Reputation (SDR) * Message Filtering Spam protection, URL analysis Content Scanning (CASE) Virus protection Anti-virus Scanning (AV) Per Malware protection Advanced Malware Protection (AMP) - policy Marketing/Social/Bulk email detection Graymail Detection Content protection Content Filtering Malware, Phishing, URL threat protection Outbreak Filtering (VOF) Phishing behavioral analytics & protection Advanced Phishing Protection (APP) BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 13 Cisco Email Security Mail Flow Pipeline OUTBOUND Connection level protection Sender Reputation Filtering (SBRS) Encryption & authentication enforcement Connection Filtering * Message Filtering Spam protection, URL analysis Content Scanning (CASE) Virus protection Anti-virus Scanning (AV) Malware protection Advanced Malware Protection (AMP) Per - Marketing/Social/Bulk email detection Graymail Detection policy Content protection Content Filtering Malware, Phishing, URL threat protection Outbreak Filtering (VOF) Sensitive data protection & encryption Data Loss Prevention (DLP) Brand protection, SPF/DKIM/DMARC administration Domain Protection (DP) BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 14 Within these layers of email security, Cisco Email Security features and services that always come with acronyms... Typical acronyms used in email security Who loves acronyms? Cisco loves to utilize acronyms a lot... ADFS : Active Directory Federation Services HAT : Host Access Table TA : Threat Analyzer AMP : Advanced Malware Protection ICID : Incoming Connection ID TLS : Transport Layer Security API : Application Programming Interface IETF : Internet Engineering Task Force TME : Technical Marketing Engineer APPC : Advanced Phishing Protection Console IMS : Intelligent Multi-Scan TOC : Threat Operations Center AS (A/S) : Anti-spam IPAS : IronPort Anti-Spam UI : User Interface AV (A/V) : Anti-virus ISQ : IronPort Spam Quarantine vESA (ESAv/ESAV) : Virtual Email Security BATV : Bounce Address Tag Validation LDAP : Lightweight Directory Access Protocol Appliance BEC : Business Email Compromise MAR : Mailbox Auto Remediation vSMA (SMAv/SMAV) : Virtual Security BIMI : Brand Indicator Message Identification MFP: Mail Flow Policy Management Appliance CASE : Context Adaptive Scanning Engine MID : Message ID VOF : Virus Outbreak Filtering CDP (DMP) : Cisco Domain Protection MX : Mail Exchange (DNS record) WBRS : Web Base Reputation Service CES : Cloud Email Security NTP : Network Time Protocol WSA : Web Security Appliance CLI : Command Line Interface PoC : Proof of Concept XML : Extensible Markup Language CRES (see RES) PoV : Proof of Value 2FA : (2) Two Factor Authentication CTR : Cisco Threat Response PXE : PostX Encryption DCID : Delivery Connection ID RAT : Recipient Access Table DHAP : Directory Harvest Attack Prevention REPENG : Reputation Engine DKIM : DomainKeys Identified Mail RID : Recipient ID DLP : Data Loss Prevention RES : Registered Envelope Service DMARC : Domain-based Message SAML : Security Assertion Markup Language Authentication, Reporting and Conformance SBG : Security Business Group DNS : Domain Name System SBRS : Sender Base Reputation Service ESA : Email Security Appliance SDR : Sender Domain Reputation ESMTP : Extended (or Enhanced) Simple Mail SLBL : Safe List Block List Transfer Protocol SMA: Security Management Appliance ETF : External Threat Feed S/MIME : Secure/Multipurpose Internet Mail EUQ : End-user Quarantine (aka Spam Extensions Quarantine) SMTP : Simple Mail Transfer Protocol FA : File Analysis (Threat Grid) SNMP : Simple Network Management Protocol FED : Forged Email Detection SOC : Security Operations Center FR : File Reputation (AMP) SPF : Sender Policy Framework GUI : Graphical User Interface SSL : Secure Sockets Layer BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 Email pipeline (what happens and where) SMTP Server Workqueue SMTP Client • Host Access Table (HAT) • LDAP RCPT Accept (WQ • Encryption • IP Reputation deferred) • Virtual Gateways System System gateway virtual or • External Threat Feeds • Masquerading • Delivery Limits (Table/LDAP) (IoC) • Received Header • LDAP Routing • Connection Throttling • Domain Based Limits • Message Filters • Sender Verification • Domain Based Routing • (Per-policy scanning) • SPF, DKIM, DMARC • Global Unsubscribe • CASE (Anti-Spam) • Sender Domain • S/MIME Encryption Reputation • Anti-Virus • DKIM Signing • Received Header • AMP listener settings • Bounce Profiles - • Default Domain • File Reputation • Message Delivery Per • Domain Map • File Analysis • Encryption • Recipient Access Table • Graymail Detection • Virtual Gateways • Alias Table • Content Filtering • LDAP RCPT Accept • DLP filtering • SMTP Call-Ahead (Outbound) • Outbreak Filtering BRKSEC-2327 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 A typical SMTP conversation $ telnet alln-mx-01.cisco.com 25 Trying 173.37.147.230... Connected to alln-mx-01.cisco.com. Escape character is '^]'. 220 alln-inbound-e.cisco.com ESMTP helo pipershark.com 250 alln-inbound-e.cisco.com Envelope From, Mail From, Envelope Sender, … MAIL FROM:<[email protected]> 250 sender <[email protected]> ok Envelope Envelope To, Envelope Recipient RCPT TO:<[email protected]> 250 recipient <[email protected]> ok DATA { Header From, 354 go ahead Subject: SMTP CONVERSATION TEST MESSAGE RFC5322.From, “Friendly B From”, … Headers From: Email Admin <[email protected]> o {To: Robert Sherwin (robsherw) <[email protected]> d Here is the email, hope you receive it. Recipient, Header To, Body { . RFC5322.To, … y 250 ok: Message 143004492 accepted { quit 221
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages138 Page
-
File Size-