Ehsan Moghaddam
Consulting Systems Engineer
@MoghaddamE
EMEAR (ME)
Joined Cisco Aug 2015
Content Security
Nicole Wajer
Consulting Systems Engineer
@vlinder_nl
EMEAR (North)
Joined Cisco Dec 2007
Now Content Security & IPv6
LTRSEC-2009 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
SMTP Overview
Cisco Email Security Pipeline
Lab Exercise 0: Introduction & Installation (Mandatory)
Lab Exercise 1: End User Message Flow, ISQ Notifications and Graymail Management
Lab Exercise 2: Preventing Phishing Attacks with Anti-Spam and Outbreak Filters
Lab Exercise 3: Preventing Advanced Persistent Attacks with AMP
Lab Exercise 4: Using URL Categorization and URL Reputation
Agenda - Continued (For Your Reference)
SMTP Overview
SMTP Conversation Overview
MX Records
presidentclinton.com IN MX mx.presidentclinton.com
mx.presidentclinton.com IN A 209.165.202.159
Diagram: donald@trump.com hands the message to the MTA mail.trump.com (209.165.200.225); the MTA looks up the MX record in DNS and delivers across the Internet to the MTA mx.presidentclinton.com (209.165.202.159), a Cisco IronPort C-Series, which forwards it to hillary@presidentclinton.com on exchange.presidentclinton.com (hillary@exchange.presidentclinton.com). The message is made up of an Envelope, a Header and a Body.
Sample: SMTP Conversation
mail.trump.com (209.165.200.225) connects to mx.presidentclinton.com (209.165.202.159):
1. SYN
2. SYN/ACK
3. ACK
4. SMTP dialogue (<< server, >> client):
<< 220 mx.presidentclinton.com ESMTP
>> HELO mail.trump.com
<< 250 mx.presidentclinton.com
Envelope:
>> MAIL FROM: <donald@trump.com>
<< 250 sender <donald@trump.com> ok
>> RCPT TO: <hillary@presidentclinton.com>
<< 250 recipient <hillary@presidentclinton.com> ok
>> DATA
<< 354 go ahead
Headers:
>> From: Donald <donald@trump.com>
>> To: Hillary <hillary@presidentclinton.com>
>> Subject: Banned From Traveling! :-(
>> Date: Tue, 21 February 2017 06:57:13 -0700
>>
Body:
>> Hillary!!
>> I have signed a new executive order
>> That bans you from traveling to Germany!
>> -Trump
>> .
<< 250 ok
>> QUIT
<< 221 mx.presidentclinton.com
Why is DNS important?
MX records tell us the next hop.
A and PTR records give us the real hostname, which we can compare with the HELO greeting.
SPF, DKIM and DMARC records.
RBL and reputation.
Cisco Email Security Pipeline
Diagram: Cisco Talos (centralized threat intelligence) feeds AMP for Endpoints, the Firepower appliance and URL intelligence updates.
Cisco Email Security is backed by unrivaled global threat intelligence
250+ full-time threat intelligence researchers
100 TB of data received daily (with SenderBase)
1.5 million daily malware samples
Millions of telemetry agents
600 billion daily email messages
4 global data centers
Block fraudulent senders
DMARC, DKIM and SPF
SPF: checks if mail from a domain is being sent from an authorized host.
DKIM: matches the public key to the sender domain's private key records.
DMARC: ties the SPF and DKIM DNS results to the 'From' header.
Diagram: a signed message from TrustedPartner.com is Verified and delivered; a fraudulent send claiming TrustedPartner.com is Quarantined or Deleted.
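The DMARC logic on this slide, as an added example (not Cisco ESA code): SPF and DKIM results are accepted only when their domain aligns with the 'From' header domain, otherwise the published policy decides. The policy records, domains and pass/fail results are constructed, and the organizational-domain helper is a simplification (last two labels, no public suffix list).

```python
"""Added example: how DMARC ties SPF and DKIM results to the 'From' header.
Not Cisco ESA code; all records, domains and results are constructed."""

def org_domain(domain: str) -> str:
    # Simplified organizational domain: the last two labels.
    # Real DMARC uses the public suffix list (assumption: no multi-label TLDs here).
    return ".".join(domain.lower().strip().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # strict ('s'): exact match; relaxed ('r', the default): same organizational domain.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record: str) -> dict:
    # "v=DMARC1; p=quarantine; adkim=r; aspf=s" -> tag dict with DMARC defaults.
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def dmarc_disposition(record: str, from_domain: str,
                      spf_domain: str = None, spf_pass: bool = False,
                      dkim_domain: str = None, dkim_pass: bool = False) -> str:
    """Return 'pass' (Verified on the slide) or the policy action: none, quarantine, reject.

    spf_domain is the MAIL FROM domain SPF was evaluated for; dkim_domain is the d=
    tag of a DKIM signature that verified. One aligned pass is enough for DMARC."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain is not None and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]
```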
It's built with industry-leading spam protection
Review sender reputation, URL reputation, and message content.
Block spam with 99% accuracy with fewer than 1:1M false positives.
Quarantine suspicious messages for additional review.
Separate what matters from what doesn't
Graymail detection and safe unsubscribe
Mark up messages by category (Social, Bulk, Marketing).
Add a safe unsubscribe link ("unsubscribe here"); unsubscribe requests are handled by the network Unsubscribe engine.
Block known and zero-day viruses
Anti-virus processing: scan attachments for known viruses, block them, and forward clean emails to additional security checks.
Outbreak Filters: defend against and block zero-day malware.
Detect and contain advanced threats quickly
Advanced Malware Protection (AMP)
File Reputation, File Sandboxing (dynamic analysis with 560+ indicators) and File Retrospection, backed by Advanced Analytics.
Control which emails cross the network
Content Filters
Admin-defined filters defang or block content (for example, a link to www.proxy.org is rewritten as BLOCKEDwww.proxy.org).
Protect against spoofing attacks
Forged Email Detection
Pre-processing inspects the SMTP envelope address:
$ telnet mail-smtp-in.l.mail.com 25
Trying 74.125.206.26...
Connected to mail-smtp-in.l.mail.com.
Escape character is '^]'.
220 mx.mail.com ESMTP i11si22058766wmh.67 - gsmtp
HELO mail.outside.com
250 mx.mail.com at your service
MAIL FROM:<adam@outside.com>
250 2.1.0 OK i11si22058766wmh.67 - gsmtp
RCPT TO:<alan@mail.com>
250 2.1.5 OK i11si22058766wmh.67 gsmtp
DATA
Sending domain: outside.com (actual sender adam@outside.com). Recipient domain: mail.com.
Message headers as received:
From: Chuck <chuck.robbins@mail.com>
Subject: [URGENT] Need help transferring funds
The sender is compared against the company directory (Allison Johnson, Barry Smith, Chuck Robbins, Dave Tucker).
Message as delivered:
From: adam@outside.com
Subject: {Possibly Forged} [URGENT] Need help transferring funds
Post-processing:
Inspect the SMTP envelope for the sender address.
Match the sender address against the company directory.
Send the appended mail to warn users of potential forgery.
Record a log of attempts and actions taken.
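The detection steps above (and the envelope/header split from the SMTP conversation sample earlier) as an added example, not Cisco ESA code: it parses the client side of a constructed session, matches the 'From' display name against the directory, and flags the message when the envelope or header address is outside the company domain. The company domain, directory and session are taken from the slide; the display-name matching rule is an assumption.

```python
import re

# Added example, not Cisco ESA code; company domain, directory and session are constructed from the slide.
COMPANY_DOMAIN = "mail.com"
DIRECTORY = ["Allison Johnson", "Barry Smith", "Chuck Robbins", "Dave Tucker"]

# Constructed client side of the SMTP session (envelope, DATA, headers, body).
SESSION = """HELO mail.outside.com
MAIL FROM:<adam@outside.com>
RCPT TO:<alan@mail.com>
DATA
From: Chuck <chuck.robbins@mail.com>
Subject: [URGENT] Need help transferring funds

Please wire the money today.
."""

def parse_session(session):
    """Split a client-side SMTP transcript into envelope and header dicts."""
    env, headers, in_data = {}, {}, False
    for line in session.splitlines():
        if not in_data:
            m = re.match(r"(MAIL FROM|RCPT TO):\s*<([^>]*)>", line, re.I)
            if m:
                env[m.group(1).upper()] = m.group(2).lower()
            in_data = line.strip().upper() == "DATA"
        elif line in ("", "."):            # blank line ends the headers; '.' ends DATA
            break
        else:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return env, headers

def forged_email_check(session):
    """Return (forged, subject, log_line): the slide's match, warn and log steps."""
    env, headers = parse_session(session)
    raw_from = headers.get("from", "")
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', raw_from)
    display, hdr_addr = (m.group(1).strip(), m.group(2).lower()) if m else ("", raw_from.lower())
    env_from = env.get("MAIL FROM", "")
    words = set(display.lower().split())   # assumption: "Chuck" matches directory entry "Chuck Robbins"
    match = next((n for n in DIRECTORY if words and words <= set(n.lower().split())), None)
    domains = {a.rpartition("@")[2] for a in (env_from, hdr_addr) if a}
    forged = match is not None and any(d != COMPANY_DOMAIN for d in domains)
    subject = headers.get("subject", "")
    if forged:                              # warn the recipient in the delivered mail
        subject = "{Possibly Forged} " + subject
    log = f"FED: header_from={hdr_addr} envelope_from={env_from} match={match} forged={forged}"
    return forged, subject, log
```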
Detect targeted or blended attacks automatically
Outbreak Filters
Diagram: a rewritten message (From: Bank.com, To: Bob Smith, Subject: Suspicious mail) whose URLs point through the Cisco Cloud Web Proxy, which validates the site before the user reaches it.
Block: block all known threats with Talos.
Dynamic quarantine: quarantine emails with suspicious URLs.
Rewrite URLs: modify emails to protect the end user.
Block: redirect traffic to protect from malicious links.
Gold Lab Access
https://labops-out.cisco.com/labops/ilt
Class Name: niwajer_v20652
Lab Exercise 0: Introduction & Installation (Mandatory)
Background: Your lab pod topology is composed of resources both inside and outside of the enterprise domain alpha.com. The email gateway, the Email Security Appliance or ESA, controls the mail flow between the outside and inside mailboxes. In Lab 0 you will familiarize yourself with these resources and perform an installation via the System Setup Wizard and the LDAP configuration wizard.
You will access the following devices:
o XP Management Client (via RDP)
o ESA (via PuTTY telnet and web-based login)
o Outside Mail Client
o Exchange Mail Client
o Notes Mail Client
Note: After completing Lab 0, you can perform any of the other labs (1-9) independently or in series without interference.
Lab Topology
Lab Exercise 1: End User Message Flow, ISQ Notifications and Graymail Management
Lab 1 goals are:
Lab Exercise 2: Preventing Phishing Attacks with Anti-Spam and Outbreak Filters
Lab 2 goals are:
Lab Exercise 3: Preventing Advanced Persistent Attacks with AMP
Lab 3 goals are:
Lab Exercise 4: Using URL Categorization and URL Reputation
Lab 4 goals are:
o Import a Text Record that details the corporate Anti-Gambling Policy so that recipients can be warned.
o Use URL Categorization and Web Interaction Tracking to track recipient click activity on gambling sites.
Lab Exercise 5: Envelope Encryption
Lab 5 goals are:
Lab Exercise 6: Preventing External Domain Spoofing with DMARC
Lab 6 goals are:
o Identify which domains have DMARC records published and how to interpret them.
o Configure DMARC verification for incoming messages.
o Send legitimate and illegitimate messages through the ESA and see how they are remediated by DMARC.
o Recognize the limitations of DMARC.
Lab Exercise 7: Preventing Internal Domain Spoofing
Lab 7 goals are:
Lab Exercise 8: High Volume Mail Flow Management
Lab 8 goals are:
o Use scripts to deliver a flood of messages inbound from multiple mail domains to simulate a DoS attack.
o Use scripts to deliver a flood of messages outbound from multiple internal mail servers.
o Selectively rate limit both inbound and outbound mail flows.
o Create reports on domains being rate limited.
o Use message tracking to determine if a message was dropped due to a rate-limiting policy.
Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session.
Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
Demos in the World of Solutions Security Area
Meet the Expert 1:1 meetings
Meet Nicole Wajer / Ehsan A. Moghaddam
Tweet/Follow @vlinder_nl & @moghaddame #CLEUR
Cisco Spark
Ask Questions, Get Answers, Continue the Experience
The Spark Room will be open for 2 weeks after Cisco Live
Thank You