
Email Security Hands-On Lab

Ehsan A. Moghaddam, Consulting Systems Engineer
Nicole Wajer, Consulting Systems Engineer
LTRSEC-2009

Ehsan Moghaddam
Consulting Systems Engineer
@MoghaddamE
EMEAR (ME)
Joined Cisco Aug 2015
Content Security

Nicole Wajer
Consulting Systems Engineer
@vlinder_nl
EMEAR (North)
Joined Cisco Dec 2007
Now Content Security & IPv6

LTRSEC-2009 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda

SMTP Overview
Cisco Email Security Pipeline
Lab Exercise 0: Introduction & Installation (Mandatory)
Lab Exercise 1: End User Message Flow, ISQ Notifications and Graymail Management
Lab Exercise 2: Preventing Phishing Attacks with Anti-Spam and Outbreak Filters
Lab Exercise 3: Preventing Advanced Persistent Attacks with AMP
Lab Exercise 4: Using URL Categorization and URL Reputation
Lab Exercise 5: Envelope Encryption
Lab Exercise 6: Preventing External Domain Spoofing with DMARC
Lab Exercise 7: Preventing Internal Domain Spoofing
Lab Exercise 8: High Volume Mail Flow Management
For Your Reference

There are (many...) slides in your print-outs that will not be presented. They are there for your reference.

SMTP Overview

SMTP Conversation Overview: MX Records

DNS records for the destination domain:

  presidentclinton.com     IN MX  mx.presidentclinton.com
  mx.presidentclinton.com  IN A   209.165.202.159

Diagram (image not preserved): the sending MTA mail.trump.com (209.165.200.225) resolves the MX record for presidentclinton.com and connects across the Internet to the receiving MTA mx.presidentclinton.com (209.165.202.159), a Cisco IronPort C-Series, which hands the message to the internal mail server exchange.presidentclinton.com. The message from donald@trump.com to hillary@presidentclinton.com (delivered as hillary@exchange.presidentclinton.com) has three parts: the Envelope, the Header (e.g. To: hillary@presidentclinton.com) and the Body.
Sample: SMTP Conversation

mail.trump.com (209.165.200.225) connects to mx.presidentclinton.com (209.165.202.159):

  1. SYN
  2. SYN/ACK
  3. ACK
  4. SMTP session (>> client, << server)

Envelope
  << 220 mx.presidentclinton.com ESMTP
  >> HELO mail.trump.com
  << 250 mx.presidentclinton.com
  >> MAIL FROM: <donald@trump.com>
  << 250 sender <donald@trump.com> ok
  >> RCPT TO: <hillary@presidentclinton.com>
  << 250 recipient <hillary@presidentclinton.com> ok
  >> DATA
  << 354 go ahead
Headers
  >> From: Donald <donald@trump.com>
  >> To: Hillary <hillary@presidentclinton.com>
  >> Subject: Banned From Traveling! :-(
  >> Date: Tue, 21 February 2017 06:57:13 -0700
  >>
Body
  >> Hillary!!
  >> I have signed a new executive order
  >> That bans you from traveling to Germany!
  >> -Trump
  >> .
  << 250 ok
  >> QUIT
  << 221 mx.presidentclinton.com
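To make the envelope/header split concrete, here is an added Python example (not part of the lab materials) that parses the client side of the session above into the SMTP envelope and the RFC 5322 message, then checks whether MAIL FROM and the header From agree. The transcript is reconstructed from the slide (shortened, with the Date header omitted).

```python
import email
from email.utils import parseaddr

# Constructed client-side capture of the slide's session (">>" = client, "<<" = server).
SESSION = """\
<< 220 mx.presidentclinton.com ESMTP
>> HELO mail.trump.com
<< 250 mx.presidentclinton.com
>> MAIL FROM: <donald@trump.com>
<< 250 sender <donald@trump.com> ok
>> RCPT TO: <hillary@presidentclinton.com>
<< 250 recipient <hillary@presidentclinton.com> ok
>> DATA
<< 354 go ahead
>> From: Donald <donald@trump.com>
>> To: Hillary <hillary@presidentclinton.com>
>> Subject: Banned From Traveling! :-(
>>
>> Hillary!!
>> -Trump
>> .
<< 250 ok
>> QUIT
<< 221 mx.presidentclinton.com
"""

def parse_session(transcript):
    """Split a captured session into the envelope (what the MTA routes on) and the DATA message."""
    env = {"helo": None, "mail_from": None, "rcpt_to": []}
    data_lines, in_data = [], False
    for line in transcript.splitlines():
        if not line.startswith(">>"):
            continue                      # server replies carry no envelope data
        cmd = line[2:].strip()
        if in_data:
            in_data = cmd != "."          # a lone dot terminates DATA
            if in_data:
                data_lines.append(cmd)
            continue
        upper = cmd.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            env["helo"] = cmd.split(None, 1)[1]
        elif upper.startswith("MAIL FROM:"):
            env["mail_from"] = parseaddr(cmd.split(":", 1)[1])[1]
        elif upper.startswith("RCPT TO:"):
            env["rcpt_to"].append(parseaddr(cmd.split(":", 1)[1])[1])
        elif upper == "DATA":
            in_data = True
    return env, email.message_from_string("\n".join(data_lines))

def sender_mismatch(env, msg):
    """Envelope MAIL FROM and header From are set independently and only the header is shown to
    the recipient; return the pair when they differ, None when they agree."""
    header_from = parseaddr(msg["From"] or "")[1].lower()
    return None if header_from == env["mail_from"].lower() else (env["mail_from"], header_from)
```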
Why is DNS important?

MX records tell us the next hop.
A and PTR records give us the real hostname, which we can compare with the HELO greeting.
SPF, DKIM and DMARC records are published in DNS.
RBL and reputation lookups are DNS queries as well.

Cisco Email Security Pipeline

Diagram (image not preserved): Cisco Talos (centralized threat intelligence) feeds the ESA with updates for URL intelligence, Outbreak Filter rules, Sophos & McAfee signatures, DLP, file reputation, and IPAS/IMS/Graymail. SBRS servers answer sender-reputation queries. Known file reputation and retrospection data are downloaded; unknown files are uploaded to ThreatGrid (VRT) sandboxing for behavioral analysis, and retrospection results come back. AMP for Endpoint and the FirePower appliance use the same file reputation, sandbox and retrospection services.

Incoming Email Flow (each stage can drop, quarantine, etc.):

  SBRS (reputation, DNS query/response) -> Deny: bad reputation senders (88-93% of all attempted email)
  Dual spam engines (new CASE 3.5 with URL intelligence), Graymail & Graymail Safe Unsubscribe, SPF/DKIM/DMARC -> Drop: spam and marketing
  Signature-based malware scanners (Sophos, Webroot, McAfee) -> Drop: signature-based malware
  Advanced Malware Protection -> Drop: emails with known bad file reputation
  Content Filters (URL category, URL WBRS reputation) -> Replace URL with text, defang URL, rewrite URL to redirect to CWS (Web Interaction Tracking)
  Outbreak Filters (on-board phishing DB, URL intelligence, outbreak rules from Talos & contextual data from CASE) -> Outbreak quarantine, rewrite URL to redirect to CWS (Web Interaction Tracking)
  Clean emails delivered

Cisco Email Security is backed by unrivaled global threat intelligence

  100 TB of data received daily (with SenderBase)
  1.5 million daily malware samples
  600 billion daily email messages
  16 billion daily web requests
  250+ full-time threat intel researchers
  Millions of telemetry agents
  4 global data centers
  Over 100 threat intelligence partners
  24x7x365 operations

Deploy the world's largest email traffic monitoring network; leverage industry-leading threat analytics.

Block fraudulent senders: DMARC, DKIM and SPF

SPF: checks if mail from a domain is being sent from an authorized host.
DKIM: matches the public key published in DNS to the sender domain's private-key signature.
DMARC: ties the SPF and DKIM results to the 'From' header.

Diagram (image not preserved): signed and verified mail from TrustedPartner.com is delivered; a fraudulent send claiming TrustedPartner.com is quarantined or deleted by Cisco Email Security.

Determine whether a sender is reputable; inspect sender details on inbound messages; block invalid senders and identify next steps.
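An added example (not Cisco's or the ESA's own code) of the DMARC logic this slide describes: parse a published record, apply SPF/DKIM identifier alignment against the header From domain, and derive the disposition. The DMARC records, domains and the two-label organizational-domain rule are constructed assumptions.

```python
# Constructed DMARC records, as a DNS TXT query for _dmarc.<domain> would return them
# (sample values for this example, not real published records).
DNS = {
    "_dmarc.trump.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@trump.com",
    "_dmarc.presidentclinton.com": "v=DMARC1; p=quarantine; sp=none",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; adkim=s; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Organizational domain. Assumption: the last two labels; real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def find_record(from_domain):
    """Record discovery: _dmarc.<From domain> first, then _dmarc.<organizational domain>."""
    for dom in (from_domain.lower(), org_domain(from_domain)):
        txt = DNS.get("_dmarc." + dom)
        if txt:
            return dom, parse_dmarc(txt)
    return None, None

def evaluate(from_domain, spf=None, dkim=None):
    """DMARC disposition for one message, given the header From domain, the SPF result
    ('pass'|'fail', MAIL FROM domain) and the DKIM result ('pass'|'fail', d= domain).
    Returns (result, action) with action in {'none', 'quarantine', 'reject'}."""
    rec_domain, tags = find_record(from_domain)
    if tags is None:
        return "none", "none"             # no policy published: DMARC cannot protect this domain
    spf_ok = spf is not None and spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    if rec_domain != from_domain.lower() and "sp" in tags:
        return "fail", tags["sp"]         # the subdomain policy applies to a From subdomain
    return "fail", tags["p"]
```

The last case in the test (a look-alike domain with no record at all) is the limitation Lab 6 asks you to recognize: DMARC only protects the exact domain that publishes a policy.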

It's built with industry-leading spam protection: anti-spam processing / Context Adaptive Scanning Engine (CASE)

Cisco Anti-Spam asks four questions of every message:
  Who sent the message?
  What is the content?
  How was the message constructed?
  Where does the call to action take you?

Outcomes: Block, Quarantine, or Forward to the mail server (e.g. O365).

Review sender reputation, URL reputation, and message content. Block spam with 99% accuracy with fewer than 1:1M false positives. Quarantine suspicious messages for additional review.

Separate what matters from what doesn't: Graymail detection and safe unsubscribe

Graymail detection identifies messages that aren't spam and categorizes them as bulk, marketing, or social networking. Actions: mark up messages (modify subject, add x-header), add a safe unsubscribe link ("unsubscribe here") handled by the safe unsubscribe engine, add a graymail warning to the banner of the email, or quarantine/block.

Identify messages that aren't spam; categorize incoming bulk, marketing, and social networking emails; provide users a method to safely unsubscribe.

Block known and zero-day viruses: anti-virus processing and Outbreak Filters

Multiple detection methods: advanced heuristic techniques, pattern matching, emulation technology, and zero-hour virus and malware detection. Real-time security updates prevent new malware; AV signature updates are also received regularly, every 12 hours. Attachment types scanned include .DOC, .EXE, .LNK and .PDF. Outcomes: Block, Quarantine, or Forward.

Scan attachments for known viruses; determine what actions to take on viral messages; forward clean emails to additional security checks; determine whether anomalies are zero-day threats; defend against zero-day malware.

Detect and contain advanced threats quickly: Advanced Malware Protection (AMP)

File Reputation: known signatures and fuzzy fingerprinting classify files (.SYS, .DOC, .EXE, .LNK, .PDF, .SCR, ...) as Unknown, Clean or Malicious.
File Sandboxing: dynamic analysis with advanced analytics against 560+ indicators.
File Retrospection: indications of compromise, with auto-remediation of threats in O365.

Block known malware; investigate files safely; gain visibility into messages trying to enter the network.

Control which emails cross the network: Content Filters

URL reputation and categorization drive three URL actions in content filters:
  Rewrite URL: redirect through the Cisco Cloud Web Proxy
  Defang / Block: e.g. BLOCKEDwww.proxy.orgBLOCKED
  Replace with text: "This URL is blocked by policy"

Admins can customize filters in three different ways for additional security and easily enforce business and compliance policies.
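The three URL actions above, as an added Python example (not ESA code) driven by constructed reputation and category tables. The proxy redirect format and the WBRS thresholds are placeholders and assumptions, not Cisco's real values; the defang form follows the slide.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed lookups standing in for the URL reputation (WBRS, -10..+10) and URL category services.
WBRS = {"secure-login.example": -8.5, "deals.example": -4.0, "news.example": 6.0}
CATEGORY = {"casino.example": "Gambling", "news.example": "News"}
BLOCKED_CATEGORIES = {"Gambling"}
# Assumption: the slide gives no redirect format for the Cisco Cloud Web Proxy; this is a placeholder.
PROXY_PREFIX = "https://proxy.example.invalid/redirect?u="
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")

def decide(url):
    """Pick the content-filter action for one URL: 'replace' for a blocked category, 'defang'
    for a malicious reputation, 'proxy' for a neutral one, None to leave it untouched.
    The score thresholds are assumptions for this example."""
    host = urlsplit(url).hostname or ""
    if CATEGORY.get(host) in BLOCKED_CATEGORIES:
        return "replace"
    score = WBRS.get(host)
    if score is None:
        return None                       # unknown to WBRS: left alone here
    if score <= -6.0:
        return "defang"
    if score <= -3.0:
        return "proxy"
    return None

def apply_action(url, action):
    """Rewrite one URL the way the slide shows each action."""
    if action == "defang":                # BLOCKEDwww.proxy.orgBLOCKED: scheme dropped, rest wrapped
        return "BLOCKED" + url.split("://", 1)[1] + "BLOCKED"
    if action == "replace":
        return "This URL is blocked by policy"
    if action == "proxy":
        return PROXY_PREFIX + quote(url, safe="")
    return url

def filter_body(body):
    """Apply decide() to every URL in a text body; returns (new_body, [(url, action), ...])."""
    taken = []
    def sub(match):
        url = match.group(0)
        action = decide(url)
        if action:
            taken.append((url, action))
        return apply_action(url, action)
    return URL_RE.sub(sub, body), taken
```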

Protect against spoofing attacks: Forged Email Detection

Pre-processing inspects the SMTP envelope address and compares it against the company directory (Allison Johnson, Barry Smith, Chuck Robbins, Dave Tucker):

  $ telnet mail-smtp-in.l.mail.com 25
  Trying 74.125.206.26...
  Connected to mail-smtp-in.l.mail.com.
  Escape character is '^]'.
  220 mx.mail.com ESMTP i11si22058766wmh.67 - gsmtp
  HELO mail.outside.com                 (sending domain)
  250 mx.mail.com at your service
  MAIL FROM:<adam@outside.com>          (actual sender)
  250 2.1.0 OK i11si22058766wmh.67 - gsmtp
  RCPT TO:<alan@mail.com>               (recipient domain)
  250 2.1.5 OK i11si22058766wmh.67 gsmtp
  DATA

What the recipient sees: From: Chuck <chuck.robbins@mail.com>, Subject: [URGENT] Need help transferring funds, while the actual sender is adam@outside.com.
Post-processing: Subject: {Possibly Forged} [URGENT] Need help transferring funds

Inspect the SMTP envelope for the sender address; match the sender address against the company directory; send the appended mail to warn users of potential forgery; record a log of attempts and actions taken.
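An added example (not the ESA's Forged Email Detection implementation) of the check this slide describes: compare the From display name against a directory of protected names and flag the message when the header address or the envelope MAIL FROM is external. The directory and the {Possibly Forged} subject tag follow the slide; the internal domain list and the name-normalisation rule are assumptions.

```python
import re
from email.utils import parseaddr

# Constructed company directory, as on the slide: the names most likely to be impersonated.
DIRECTORY = ["Allison Johnson", "Barry Smith", "Chuck Robbins", "Dave Tucker"]
# Assumption: the domains a genuine message from these people would come from.
INTERNAL_DOMAINS = {"mail.com"}

def _norm(name):
    """Normalise a display name: lowercase, letters only, and 'Last, First' becomes 'first last'."""
    if "," in name:
        last, first = name.split(",", 1)
        name = first + " " + last
    return " ".join(re.findall(r"[a-z]+", name.lower()))

def forged_sender(from_header, mail_from=None):
    """Return the directory name being impersonated when the From display name matches an entry
    while the header address or the envelope MAIL FROM is external; None means the check passes."""
    display, addr = parseaddr(from_header)
    identities = [i for i in (addr, mail_from) if i]
    domains = {i.rsplit("@", 1)[-1].lower() for i in identities}
    if domains and domains <= INTERNAL_DOMAINS:
        return None                       # fully internal: sender authentication (Lab 6) covers it
    wanted = _norm(display)
    if not wanted:
        return None
    for name in DIRECTORY:
        if _norm(name) == wanted:
            return name
    return None

def tag_subject(subject, from_header, mail_from=None):
    """Post-processing as on the slide: prepend {Possibly Forged} when the check fires."""
    if forged_sender(from_header, mail_from):
        return "{Possibly Forged} " + subject
    return subject
```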

Detect targeted or blended attacks automatically: Outbreak Filters

Diagram (image not preserved): a message (From: Bank.com, To: Bob Smith, "Hello John, Access your account here.") is rewritten: "Suspicious mail" is prepended to the subject line, a threat warning ("Warning! This email contains suspicious content") is added, and URLs are rewritten to go through the Cisco Cloud Web Proxy, which either validates the site or blocks it. Outcomes: Block, Dynamic quarantine, or Forward.

Block all known threats with Talos; quarantine emails with suspicious URLs; modify emails to protect the end user; redirect traffic to protect from malicious links.

Lab Exercise 0: Introduction & Installation (Mandatory)

Gold Lab Access
https://labops-out.cisco.com/labops/ilt
Class Name: niwajer_v20652

Lab Exercise 0: Introduction & Installation (Mandatory)

Background: Your lab pod topology is composed of resources both inside and outside of the enterprise domain alpha.com. The email gateway, the Email Security Appliance (ESA), controls the mail flow between the outside and inside mailboxes. In Lab 0 you will familiarize yourself with these resources and perform an installation via the System Setup Wizard and the LDAP configuration wizard.

You will access the following devices:
o XP Management Client (via RDP)
o ESA (via PuTTY telnet and web-based login)
o Outside Mail Client
o Exchange Mail Client
o Notes Mail Client

Note: Following the completion of Lab 0, you can perform any of the other labs (1-9) independently or in series without interference.

Lab Topology (diagram not preserved)

Lab Exercise 1: End User Message Flow, ISQ Notifications and Graymail Management

Lab 1 goals are:
o Drop positive spam
o Quarantine suspect spam
o Detect and classify graymail
o Provide a safe method for users to unsubscribe from graymail
o Use LDAP groups to define which recipients will receive Spam Quarantine Notifications, and which will not
o Create a mail policy for messages from a trusted sender to bypass the anti-spam engine when destined to a specific recipient

Lab Exercise 2: Preventing Phishing Attacks with Anti-Spam and Outbreak Filters

Lab 2 goals are:
o Demonstrate remediation of messages with suspicious URLs by the anti-spam engine
o Demonstrate remediation of phishing attacks by Outbreak Filters
o Using WBRS, identify messages with URLs that must be rewritten for redirection through the web proxy
o Identify messages with URL categories that must be blocked
o Use drill-down reporting to identify remediation of phishing attacks
o Enable Web Interaction Tracking to track malicious URLs in emails, and the recipients who clicked on them

Lab Exercise 3: Preventing Advanced Persistent Attacks with AMP

Lab 3 goals are:
o Verify licensing and operation of Advanced Malware Protection
o Verify connectivity to the reputation service
o Use scripts to deliver both known and unknown viral attacks
o Deliver both well-known and unknown viral files (APTs) through the ESA
o Observe remediation of APTs

Lab Exercise 4: Using URL Categorization and URL Reputation

Lab 4 goals are:
o Import a text record that details the corporate anti-gambling policy so that recipients can be warned
o Use URL Categorization and Web Interaction Tracking to track recipient click activity on gambling sites

Lab Exercise 5: Envelope Encryption

Lab 5 goals are:
o Auto-registration of the CRES administrator
o Create a No Auth envelope and enable Secure Reply
o Create a content filter using an attachment filename dictionary match
o Demonstrate the Undo Commit feature

Lab Exercise 6: Preventing External Domain Spoofing with DMARC

Lab 6 goals are:
o Identify which domains have DMARC records published and how to interpret them
o Configure DMARC verification for incoming messages
o Send legitimate and illegitimate messages through the ESA and see how they are remediated by DMARC
o Recognize the limitations of DMARC

Lab Exercise 7: Preventing Internal Domain Spoofing

Lab 7 goals are:
o Remediate MAIL FROM argument abuse
o Remediate From header abuse
o Remediate cousin domain abuse
o Remediate free email account abuse

Lab Exercise 8: High Volume Mail Flow Management

Lab 8 goals are:
o Use scripts to deliver a flood of messages inbound from multiple mail domains to simulate a DoS attack
o Use scripts to deliver a flood of messages outbound from multiple internal mail servers
o Selectively rate limit both inbound and outbound mail flows
o Create reports on domains being rate limited
o Use message tracking to determine if a message was dropped due to a rate limiting policy

Complete Your Online Session Evaluation

Please complete your Online Session Evaluations after each session.
Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education

Demos in the World of Solutions Security Area
Meet the Expert 1:1 meetings: meet Nicole Wajer / Ehsan A. Moghaddam
Tweet/Follow @vlinder_nl & @moghaddame #CLEUR
All recordings can be watched at www.ciscolive365.com

BRKSEC-2325 - How to make spam your best friend on your e-mail appliance - Tuesday 11:15
BRKSEC-3540 - I wonder where that Phish has gone - Tuesday at 16:45
LALSEC-2005 - Lunch and Learn - Cisco Email Security - Wednesday 22 February 13:00 - 14:30
BRKSEC-2890 - AMP Threat Grid integrations with Web, Email and Endpoint Security - Thursday 11:30

Cisco Spark
Ask Questions, Get Answers, Continue the Experience

Use Cisco Spark to communicate with the Speaker and fellow participants after the session.
Download the Cisco Spark app from iTunes or Google Play.

1. Go to the Cisco Live Berlin 2017 Mobile app
2. Find this session
3. Click the Spark button under Speakers in the session description
4. Enter the room, room name = LTRSEC-2009
5. Join the conversation!

The Spark Room will be open for 2 weeks after Cisco Live

Thank You
