Cisco Esa Deep Dive

Uploaded by Cyril Mbede

Cisco Email Security

Deep Dive & Best Practices

Usman Din, Product Manager Email Security


BRKSEC-2131
Agenda

• Introduction
• Terminology and understanding the Email Pipeline
• Configuration and Best Practices for Anti-Spam Tuning
• Configuration and Best Practices for Spoofing and Phishing detection
• Attachment Control and Defense
• Summary
Introduction – About Me
Trust Me – I’ve been around forever!
• Joined Cisco through IronPort acquisition in 2007.
• On-site SE for Research in Motion, then CSE for Content
Security
• Global Lead for the Email Security Advisory Group
• Cisco Live Speaker in US, LATAM and EU
• Distinguished Speaker, Cisco Live Berlin (2016)
• Now part of the Product Management team for Email Security
• Based out of Toronto, Canada

BRKSEC-2131 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
The Email Pipeline
The Email Pipeline

Stages in order, grouped by pipeline phase (the slide shows them as three columns):

SMTP SERVER
• Host Access Table (HAT)
• Received Header
• Default Domain
• Domain Map
• Recipient Access Table (RAT)
• Alias Table
• LDAP RCPT Accept
• SMTP Call-Ahead
• DKIM / SPF Verification
• DMARC Verification
• S/MIME Verification

WORKQUEUE
• LDAP RCPT Accept (WQ)
• Masquerading (Table / LDAP)
• LDAP Routing
• Message Filters
• Per-Policy Scanning: Anti-Spam, Anti-Virus, Advanced Malware (AMP), Graymail, Safe Unsubscribe, Content Filtering, Outbreak Filtering, DLP Filtering (Outbound)

SMTP CLIENT
• Encryption
• Virtual Gateways
• Delivery Limits
• Received: Header
• Domain-Based Limits
• Domain-Based Routing
• Global Unsubscribe
• S/MIME Encryption
• DKIM Signing
• Bounce Profiles
• Message Delivery
Anti-Spam Tuning : HAT, Mail Flow
Policies and Workqueue settings
A note about Best Practices…
• Throughout the material we will present
options for tuning your environment
• These are meant to be general guidelines,
and as each environment is unique, it is
recommended that settings be set in monitor
mode first
• After a determined time, perform analysis
and tuning of rules and settings to achieve
the desired result

Host Access Table (HAT) Structure
• HATs are associated per listener, defined as being Public or Private. Once a listener is defined, its type cannot be changed.
• Private listeners have no Recipient Access Table - best used for outbound facing mail traffic. No restrictions for domains.
• The structure of the HAT is defined by the listener type; once created, a default configuration is loaded.
• Mail Flow Policies (MFP) are also created based on the listener type, thus a MFP such as Relayed would not be created until a Private Listener is defined, or created manually.
(Figure: the SMTP SERVER stages of the pipeline, Host Access Table (HAT) through S/MIME Verification, as listed on the Email Pipeline slide.)

Host Access Table Structure

• IPs and Hosts are evaluated in the HAT Top Down, First Match
• SenderGroups are containers that define the policy based on match
• Inclusion into a SenderGroup is defined by Reputation Score, DNS, or explicit match

SenderGroup Options
• SenderBase score can be attached to the SenderGroups; ensure that the neutral and no score ranges are addressed
• Within the settings you define the Name and Mail Flow Policy
• Nomenclature is important as it will be displayed in logs and reports
• SBRS scores can be assigned to the group
• RBLs can be leveraged if required.
Thu Jun 9 13:40:34 2016 Info: New SMTP ICID 8 interface Management (10.10.10.90) address 94.46.249.12
Thu Jun 9 13:40:34 2016 Info: ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1
Thu Jun 9 13:40:34 2016 Info: Start MID 410 ICID 8

Note that SBRS uses multiple sources including honeypots and DNSBLs
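As an added illustration of how a HAT is walked (top down, first match wins) and of the advice above to cover the neutral and no-score ranges, here is a small evaluator written for this page. It is example code, not the appliance's implementation: the group names, score ranges, mail flow policies and the second sample log line are constructed assumptions; only the first sample line mirrors the log format shown above. Besides matching a connection, it reports score intervals that no group covers and parses the HAT decision line from mail_logs so the logged SenderGroup can be checked against what the table should produce.

```python
import ipaddress
import re

# Constructed sender-group table in HAT order (top down, first match wins).
# Names, ranges and mail flow policies are illustrative assumptions, not a
# copy of any appliance's configuration. "sbrs" is an inclusive score range;
# "noscore" marks the group meant to catch connections with no SBRS at all.
SENDER_GROUPS = [
    {"name": "RELAYLIST",   "hosts": ["10.10.10.0/24"], "sbrs": None,          "noscore": False, "policy": "RELAYED"},
    {"name": "WHITELIST",   "hosts": [],                "sbrs": (7.0, 10.0),   "noscore": False, "policy": "TRUSTED"},
    {"name": "BLACKLIST",   "hosts": [],                "sbrs": (-10.0, -3.0), "noscore": False, "policy": "BLOCKED"},
    {"name": "SUSPECTLIST", "hosts": [],                "sbrs": (-3.0, -1.0),  "noscore": False, "policy": "THROTTLED"},
    {"name": "UNKNOWNLIST", "hosts": [],                "sbrs": (-1.0, 10.0),  "noscore": True,  "policy": "ACCEPTED"},
]
DEFAULT_GROUP = ("ALL", "ACCEPTED")   # catch-all when nothing above matches


def match_sender_group(ip, sbrs, groups=SENDER_GROUPS):
    """Return (sender group, mail flow policy) for one connecting host.

    sbrs is the reputation score as a float, or None when no score came back
    (for example after a DNS timeout). Explicit host entries are checked before
    score ranges inside each group; groups are walked top down and the first
    match wins, so a boundary score such as -3.0 lands in whichever group is
    listed first.
    """
    addr = ipaddress.ip_address(ip)
    for g in groups:
        if any(addr in ipaddress.ip_network(h, strict=False) for h in g["hosts"]):
            return g["name"], g["policy"]
        if sbrs is None:
            if g["noscore"]:
                return g["name"], g["policy"]
        elif g["sbrs"] is not None and g["sbrs"][0] <= sbrs <= g["sbrs"][1]:
            return g["name"], g["policy"]
    return DEFAULT_GROUP


def coverage_gaps(groups=SENDER_GROUPS, lo=-10.0, hi=10.0):
    """Return score intervals (lo, hi) that no group's SBRS range covers.

    Anything listed here falls through to the catch-all group, which is
    usually not what the tuning intended.
    """
    gaps, cursor = [], lo
    for a, b in sorted(g["sbrs"] for g in groups if g["sbrs"] is not None):
        if a > cursor:
            gaps.append((cursor, a))
        cursor = max(cursor, b)
    if cursor < hi:
        gaps.append((cursor, hi))
    return gaps


def handles_no_score(groups=SENDER_GROUPS):
    """True when some group explicitly catches connections without an SBRS."""
    return any(g["noscore"] for g in groups)


# Parser for the HAT decision line in mail_logs, in the shape of
#   "ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1"
HAT_LINE = re.compile(
    r"ICID (?P<icid>\d+) (?P<verdict>[A-Z]+) SG (?P<sg>\S+) match (?P<reason>\S+) SBRS (?P<sbrs>\S+)"
)


def parse_hat_decision(line):
    """Extract ICID, verdict, sender group, match reason and score (None if absent)."""
    m = HAT_LINE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["icid"] = int(d["icid"])
    d["sbrs"] = None if d["sbrs"].lower() in ("none", "n/a") else float(d["sbrs"])
    return d


# Constructed sample log lines: the first copies the format shown above, the
# second is an assumed no-score decision in the same shape.
SAMPLE_LOG = [
    "Thu Jun 9 13:40:34 2016 Info: ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1",
    "Thu Jun 9 13:41:02 2016 Info: ICID 9 ACCEPT SG UNKNOWNLIST match nx.domain SBRS None",
]


def sender_group_counts(lines):
    """Count HAT decisions per sender group over a batch of log lines."""
    counts = {}
    for line in lines:
        d = parse_hat_decision(line)
        if d:
            counts[d["sg"]] = counts.get(d["sg"], 0) + 1
    return counts


if __name__ == "__main__":
    print(match_sender_group("94.46.249.12", -2.1))
    print("gaps:", coverage_gaps(), "no-score handled:", handles_no_score())
    print(sender_group_counts(SAMPLE_LOG))
```

Running `coverage_gaps()` against a table that omits the SUSPECTLIST entry returns `[(-3.0, -1.0)]`, which is exactly the kind of hole the slide warns about: connections scoring in that band would silently take the catch-all policy.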

SenderGroup Options

Connecting host DNS verification conditions that can place a host in a SenderGroup:
• Connecting host PTR record does not exist in DNS.
• Connecting host PTR record lookup fails due to temporary DNS failure.
• Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A).

Understanding Email Reputation

(Figure: data sources feeding the IP Reputation Score: Complaint Reports, Spam Traps, IP Blacklists and Whitelists, Geo-Location Data, Message Composition Data, Website Composition Data, Compromised Host Lists, Host Data, Domain Blacklist and Safelists, Global Volume Data, Other Data and DNS Data. The resulting IP Reputation Score runs from -10 to +10.)

• Breadth and quality of data makes the difference
• Real-time insight into this data allows us to see threats before anyone else in the industry to protect our customers
Customizing Reputation on the ESA

• Reputation Score is determined when the connection is initiated
• Sender Groups and actions are defined by the administrator
• Reputation can block 80-90% of connections on the ESA
(Figure: Default Settings: Moderate Blocking, compared with Custom Settings: Aggressive Throttling)
OK, that's nice. How do I figure out what to set?

• Before tuning, it is recommended to use the default (moderate) settings to understand the mail flow for your environment.
• The objective of tuning is to block or throttle more messages at the connection level, saving resources for processing legitimate mail.
• The first step is to create content filters to flag messages that are being passed through the default reputation filters, recording the SBRS and any scanning verdict info
• Evaluate the reporting of those Content Filters and adjust HAT settings as required
Reputation: DNS and caching
• DNS is the most critical external service for the ESA
• By default there are 4 DNS lookups per connection: Reverse DNS, 2 SBRS lookups and ASN Number (informational)
• With SPF, DKIM and DMARC – 3 or more DNS TXT record lookups
• At least 7 possible DNS lookups per connection (excluding any caching)
• Now factor in outbound destination DNS resolution, LDAP, internal hosts, etc.
• Use more resolvers in high connection environments
• Look in the logs for “SBRS Not Available” to identify possible issues with DNS timeouts

Reputation: Delayed HAT Rejection

• Delayed HAT Rejection allows for additional logs for Reputation based blocks
• 2 additional log lines are added to each connection with details of from and to addresses
esa.teamnorthwind.com> listenerconfig

Currently configured listeners:

1. SMTP-AGRESSIVE (on Management, 10.10.10.20) SMTP TCP Port 25 Public

[]> setup

By default connections with a HAT REJECT policy will be closed with a banner message at the start of the SMTP conversation. Would you like to do the rejection at the message recipient level instead for more detailed logging of rejected mail? [Y]>

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117960-qa-esa-00.html
Understanding Connections

• Global limits: Total IPv4 and IPv6 entire appliance, maximum should
not exceed 400 concurrent connections (default is 300)
• Per listener limits: Each listener on the appliance should be configured
to match your maximum global limit
• Mail Flow Policy limits: Per policy limits are used to rate limit senders,
use concurrent connections in conjunction with host and sender rate
limits

Understanding Connections

• Limit guidance per model – Model type makes no difference in the number of connections per appliance. Connection limits are based on OS; throughputs between appliances do vary
• In environments that require a high number of concurrent connections, the recommendation is to increase the number of appliances
Enter the global limit for concurrent connections to be allowed across all listeners.

[300]>

Listener SMTP-POV Policy $RELAYED max concurrency value of 600 will be limited to 300 by this concurrency setting.
MailFlow policies: Host vs Sender Throttling
• By default the only MFP
that has any Host limiting is
the throttle policy
• By default, there are no
Envelope Sender Limits set
on the ESA
• It is recommended to use
Sender Limits in suspect
ranges

MailFlow policies: Security Settings
• DHAP is set high on the ESA; we recommend tuning it lower on suspect ranges
• LDAP enhances DHAP by performing the rejection during the SMTP conversation
MailFlow policies: Security Settings
• TLS settings are not enabled by default for incoming or outgoing mail
• Three levels of checking; Preferred can be set on the default mail flow policy
• Mandatory can be set up as a list or as its own SenderGroup
Per Policy Scanning

• Per domain policies take place after message filtering and LDAP
rewrites
• Triggering Inbound and Outbound policies via Mail Flow policies
• A message is determined to be outbound because of relay mail flow
policies (think of the HAT)
• SMTP authentication also triggers outbound regardless of accept
policy set.

Policy Engine And Splintering
• If a single message matches multiple policies, it will be splintered
• Splintering only occurs if multiple policies are matched
(Figure: one message arrives at the SMTP SERVER with a single MAIL FROM and several RCPT TO recipients. In the WORKQUEUE, at Per-Policy Scanning, recipients that matched different policies are separated into distinct copies of the message, each carrying the same MAIL FROM and only the recipients that matched that policy; each copy then continues through the rest of the pipeline to the SMTP CLIENT independently.)
Per Policy Scanning

• Use policies to leverage message splintering to apply rules and scanning as required
• Top down / first match wins, order is very important
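The two bullets above, as an added worked example written for this page (not the appliance's policy engine): an ordered policy table is evaluated top down per recipient, the first match wins, and recipients that land on different policies are split into separate copies of the message. The policy names and the sender/recipient patterns are constructed assumptions; matching on LDAP group membership, which real tables also allow, is not modelled. Reversing the table order in the last call shows why order matters: the broad partner policy then swallows every recipient and no splintering happens.

```python
import fnmatch
from collections import OrderedDict

# Constructed incoming mail policy table in evaluation order (top down, first
# match wins). Policy names and match patterns are illustrative assumptions.
POLICIES = [
    {"name": "Executives",      "recipients": ["ceo@example.com", "cfo@example.com"], "senders": ["*"]},
    {"name": "Finance",         "recipients": ["*@finance.example.com"],              "senders": ["*"]},
    {"name": "Partner_Traffic", "recipients": ["*"],                                  "senders": ["*@partner.example"]},
]
DEFAULT_POLICY = "Default Policy"   # applied when no row matches


def _matches(address, patterns):
    """Case-insensitive glob match of one address against a pattern list."""
    return any(fnmatch.fnmatchcase(address.lower(), p.lower()) for p in patterns)


def match_policy(sender, recipient, policies=POLICIES):
    """Return the first policy whose sender AND recipient patterns both match."""
    for p in policies:
        if _matches(recipient, p["recipients"]) and _matches(sender, p["senders"]):
            return p["name"]
    return DEFAULT_POLICY


def splinter(sender, recipients, policies=POLICIES):
    """Split one message into per-policy copies.

    Each recipient is matched on its own; recipients that land on the same
    policy stay together in one copy. Returns [(policy, [recipients]), ...]
    in the order the policies were first hit. A one-element result means the
    message was not splintered at all.
    """
    copies = OrderedDict()
    for rcpt in recipients:
        copies.setdefault(match_policy(sender, rcpt, policies), []).append(rcpt)
    return list(copies.items())


if __name__ == "__main__":
    # Constructed envelope: one MAIL FROM, four RCPT TO
    envelope_from = "bob@partner.example"
    rcpts = ["ceo@example.com", "alice@finance.example.com", "dave@example.com", "cfo@example.com"]
    for policy, group in splinter(envelope_from, rcpts):
        print(policy, group)
    # Same envelope, table reversed: the broad partner policy now matches first
    print(splinter(envelope_from, rcpts, policies=list(reversed(POLICIES))))
```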

• Complex conditions
inside a policy using
AND/OR/NOT
• Multiple conditions
can be used inside the
same policy
• Move your logic from
the filter into the policy
and reduce resource
consumption

Understanding CASE

• CASE stands for Context Adaptive Scanning Engine
• CASE is the combination of the Anti-Spam, Graymail and Outbreak engines
• Each engine can provide a verdict and, depending on the action of the engine, will either pass or drop the message
• A non-final action (e.g. Quarantine) will allow a message to continue to process down the workqueue. A final action such as drop will cause an “early exit” condition
• Other scanning blades may take precedence if another engine determines a positive condition
Upgrade, Enable, and Tune!

1. Enable Antispam – and if possible (based on hardware) increase scanning thresholds to 1M for always scan, 2M for never scan more
2. Enable Graymail – it’s a free engine which helps with Anti-Spam efficacy. Introduced in 9.5 so upgrade!
3. Enable Outbreak Filters – and if possible (based on hardware) increase scan size to 1M
Adjusting Thresholds

• You can adjust the thresholds for Suspect / Positive spam to increase or decrease sensitivity
• Don’t do it, unless you really have to
• As we tune spam rules, we use the default thresholds as a baseline, so changing them may lead to undesired results
Enable Graymail Scanning

• Graymail has 2 components: Detection and Unsubscribe
• Detection is free. It comes as part of the base email subscription license
• The graymail engine will provide verdicts to IPAS (final decision), which leads to a better overall email efficacy
Enabling Outbreak Filters
• By default, only Virus Outbreak
is enabled
• Enabling Threat Outbreak
(Message Modification) you get
additional intelligence being fed
into CASE
• In order to use URL functionality
(covered later) Outbreak Filters
must be turned on and
configured

Anti-Spam Tuning Checklist
• Assess your Host Access Table – still using the defaults? Time to adjust the scores
• Create more SenderGroups and get gradually more aggressive in your settings
• Check your WhiteLists - entries could be years old, IP changed, etc. Use the comments to keep track and prune regularly
• Check your Mail Flow Policies and turn on Sender limits, Sender Verification, etc.
• Use the new granular policies to create better Incoming Mail Policies
• Move the logic from the filter to the policy to create more efficient settings
• Turn on Graymail, Threat Outbreak Filtering to get more insight and better efficacy
• Upgrade, Upgrade, Upgrade!
Anti-Phishing : Content Filters and
Outbreak Filtering
Understanding where URLs are evaluated
• As of version 8.5.6 the ESA can evaluate URLs inside a message – both for Reputation and Categorization
• URL filtering is not enabled by default, you must enable the service and have a valid Outbreak Filter license to perform URL inspection
• Once enabled, URLs are evaluated in three scanning blades:
1. During IPAS Scan, a URL is used to factor into SPAM scores
2. Inside a Content Filter for Reputation Score and Category
3. As part of the Threat Outbreak Filter URL Rewrite function
• 9.7 introduced Web Interaction Tracking for Clicked URLs, which must be enabled after upgrade
(Figure: the WORKQUEUE stages of the pipeline, LDAP RCPT Accept (WQ) through DLP Filtering (Outbound), as listed on the Email Pipeline slide.)
URL Evaluation and options

• Enable URL Filtering globally under security settings
• The Web Reputation Score (WBRS) uses the same -10 to +10 score, however it means something very different than SBRS
(WBRS scale: -10 to -6 Malicious, -6 to +6 Neutral, +6 to +10 Good)
• Based on your organization's security posture you can determine how aggressive you wish to be with URLs entering your organization
URL Evaluation and options

• URL Reputation is assessed inside of the CASE engine and used as part of the decision for Anti-Spam
• If not stopped as Spam the URL can be evaluated inside a content filter for both Category and Reputation
URL Evaluation and options
Recommendations:
• Block URL: -10 to -6
• URL Remove: -5.9 to -5.8
• Leave the rest for Outbreak
Filters
• Use in condition when you want
to take an action on the whole
message
• Use in action to act on URL only

URL Categorization
• URL Categorization on the ESA leverages the same data as the Web Security Appliance (WSA) and Cloud Web Security (CWS)
• Use this to complement Acceptable Use Policies to prevent inappropriate URLs in email
URL Logging & Tracking

• Logging of URLs can be seen in the mail logs, and only if the outbreakconfig command is run
URL Evaluation and options

• With the 10.0 release, URL information can be shown in message tracking if enabled by role
Graymail Unsubscribe

• Graymail Unsubscribe is an additional license
• It provides protection against malicious threats masquerading as unsubscribe links
• A uniform interface for all subscription management to end-users
• Better visibility to the email administrators and end-users into such emails
Graymail Unsubscribe

1. End-user clicks on the rewritten un-subscription link in the banner
2. Click-time check of the rewritten link
3. If found safe, redirect to the Un-Subscribe service
4. Cisco executes un-subscription on behalf of the end-user
Web Interaction Tracking & Reporting

• On box reporting (batch) can provide valuable insight into who clicked on certain URLs
• More valuable as a training tool and for understanding who is being targeted inside your environment
• Reporting and Tracking pages will show the URLs (Tracking in 10.0 for URL details)
Phishing is not just URLs

• Other scams such as Banking, Money Mules, Dating, 419, etc. are also used to get information from targets
• Blended threats combine spoofing and phishing in an attempt to look more legitimate to the target
• Threat Outbreak Filters must be enabled in order to help detect and stop these threats
Threat Outbreak Filters

• Enable Threat Outbreak Filters (not enabled by default) by enabling Message Modification
• URL Rewriting allows for suspicious URLs to be analyzed by Cisco Cloud Web Security (Reputation, AV/AM, AMP)
Anti-Spoofing: HAT, Filters and
Forged Email Detection
Anti-Spoofing Overview
Simple Spoof: Simple spoof is where the attacker attempts to change or manipulate the envelope from in the headers of an email. This spoof is relatively easy to detect using SPF or DMARC as well as other header validation checks.

Reply-To Spoof: Reply-To spoof is where the sending address does not match the reply-to address. This is a low spoof indicator and can lead to high false positives.

Cousin Domain / Typo Squatting: Attacks become more sophisticated by relying on minor changes to the suffix and / or prefix of the email addresses to trick users. High probability of success and hard to detect due to the large number of variations.

Display Name Modification: Also called Business Email Compromise (BEC), this is the most complex attack. It involves the use of legitimate domains (either hijacked or created) with manipulated message headers to show an accurate Display Name and a cousin domain/typo in the email address to trick targets into releasing information. This is the most common attack today with a high success rate.
Impact of Social Engineering
• Social Engineering has added to the success rate for spoofing attacks. Attackers will follow targets for months, on social media, news, etc.
• Will craft messages with “history” to add legitimacy to the request being made
• They will look for an event – e.g. travel abroad, large deals, vendor agreements – and use it to express urgency
• Along with technical controls, user education is key to prevent financial loss, brand damage, or legal ramifications.
MailFlow policies: DKIM/SPF/DMARC
• During connection, the HAT can be configured to validate SPF, DKIM
and DMARC records
• No checks are enabled by default in the Mail Flow Policies
• DMARC has the ability to stop / block mail via policy settings, SPF
and DKIM mark headers for further action via Content Filters or
Message Filters

How it works: SPF
• Sender Policy Framework, specified in RFC4408
• Allows recipients to verify sender IP addresses by looking up DNS records listing authorized Mail Gateways for a particular domain
• Uses DNS TXT Resource Records
• Can verify HELO/EHLO and MAIL FROM identity (FQDN)
• Upon evaluation of SPF records, the following results are possible:

Result      Explanation                                                                                    Intended action
Pass        The SPF record designates the host to be allowed to send                                       accept
Fail        The SPF record has designated the host as NOT being allowed to send                            reject
SoftFail    The SPF record has designated the host as NOT being allowed to send but is in transition       accept but mark
Neutral     The SPF record specifies explicitly that nothing can be said about validity                    accept
None        The domain does not have an SPF record or the SPF record does not evaluate to a result         accept
PermError   A permanent error has occurred (e.g. badly formatted SPF record)                               unspecified
TempError   A transient error has occurred                                                                 accept or reject
SPF Record Semantics

acmilan.com IN TXT v=spf1 ip4:77.92.66.4 -all

(v=spf1 is the SPF version; ip4:77.92.66.4 -all are the verification mechanisms)
How it works: SPF
• Mechanisms: all, ip4, ip6, a, mx, ptr, exists, include
• Qualifiers: "+" Pass, "-" Fail, "~" SoftFail, "?" Neutral
• Modifiers: redirect, modifier
• Examples:
• "v=spf1 mx -all" allows the domain's MX hosts to send mail, but no other host
• "v=spf1 +all" nullifies any usefulness of SPF
• "v=spf1 ip4:192.168.0.1/16 -all" allows any IP address between 192.168.0.1 and 192.168.255.255
• "v=spf1 mx/24 mx:offsite.domain.com/24 -all" Domain's MX servers receive mail on one IP address, but send mail on a different
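The mechanism, qualifier and result semantics above, as an added worked example written for this page (not the ESA's SPF implementation or any published library): a miniature check_host() that evaluates an SPF record for a connecting IP. The records, hosts and addresses live in a constructed in-memory "DNS" dictionary, which is an assumption standing in for real lookups; ptr and exists are not modelled and return PermError. It also counts the DNS-querying terms an evaluation touches (and enforces the 10-lookup limit), which is the per-connection cost the earlier "Reputation: DNS and caching" slide warns about.

```python
import ipaddress

# Constructed in-memory "DNS" standing in for real lookups (an assumption of
# this example). TXT holds SPF records; A and MX hold the answers that the
# a/mx mechanisms would otherwise have to resolve.
FAKE_DNS = {
    "txt": {
        "acmilan.com":       "v=spf1 ip4:77.92.66.4 -all",
        "nomail.domain.com": "v=spf1 -all",
        "open.example":      "v=spf1 +all",
        "bulk.example":      "v=spf1 ip4:192.168.0.1/16 -all",
        "corp.example":      "v=spf1 mx include:bulk.example ~all",
        "loop.example":      "v=spf1 include:loop.example -all",   # pathological self-include
    },
    "a":  {"mail.corp.example": ["203.0.113.10"]},
    "mx": {"corp.example": ["mail.corp.example"]},
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
MAX_DNS_LOOKUPS = 10   # RFC limit on DNS-querying terms per evaluation


def _networks(mech, target, prefix, domain, dns, lookups):
    """Networks designated by one mechanism; DNS-querying ones bump the counter."""
    if mech in ("ip4", "ip6"):
        return [ipaddress.ip_network(f"{target}/{prefix}" if prefix else target, strict=False)]
    lookups[0] += 1                       # a, mx, ptr, exists each cost a DNS query
    target = target or domain             # "mx" alone means the current domain
    if mech == "a":
        ips = dns["a"].get(target, [])
    elif mech == "mx":
        ips = [ip for host in dns["mx"].get(target, []) for ip in dns["a"].get(host, [])]
    else:
        raise ValueError(f"mechanism {mech} not modelled")   # ptr, exists, unknown names
    return [ipaddress.ip_network(f"{ip}/{prefix}" if prefix else ip, strict=False) for ip in ips]


def evaluate_spf(domain, client_ip, dns=FAKE_DNS, lookups=None):
    """Evaluate the SPF record of `domain` for the connecting `client_ip` and
    return one of the result names from the table above."""
    lookups = [0] if lookups is None else lookups
    record = dns["txt"].get(domain)
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                                   # default qualifier is Pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.partition(":")[0]:                 # modifier: redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                lookups[0] += 1
                if lookups[0] > MAX_DNS_LOOKUPS:
                    return "PermError"
                return evaluate_spf(value, client_ip, dns, lookups)
            continue                                      # exp= never changes the result
        head, _, value = term.partition(":")
        mech, _, head_prefix = head.lower().partition("/")   # handles "mx/24"
        target, _, prefix = value.partition("/")              # handles "mx:host/24", "ip4:x/16"
        prefix = prefix or head_prefix
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "PermError"
            sub = evaluate_spf(target, client_ip, dns, lookups)
            if sub == "Pass":
                return QUALIFIERS[qualifier]
            if sub in ("None", "PermError", "TempError"):  # errors propagate; missing record is an error
                return "PermError" if sub == "None" else sub
            continue
        try:
            nets = _networks(mech, target, prefix, domain, dns, lookups)
        except ValueError:
            return "PermError"
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "PermError"
        if any(ip in n for n in nets):
            return QUALIFIERS[qualifier]
    return "Neutral"   # nothing matched and no 'all' term: the RFC default


def dns_lookup_count(domain, client_ip, dns=FAKE_DNS):
    """How many DNS-querying terms one evaluation touches."""
    lookups = [0]
    evaluate_spf(domain, client_ip, dns, lookups)
    return lookups[0]


if __name__ == "__main__":
    for dom, ip in [("acmilan.com", "77.92.66.4"), ("corp.example", "192.168.200.5"), ("loop.example", "198.51.100.1")]:
        print(dom, ip, evaluate_spf(dom, ip), "lookups:", dns_lookup_count(dom, ip))
```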

SPF on the ESA
• When SPF is enabled, the ESA will stamp headers in the message
• Use the results inside message or content filters to determine the action
• PRA identities are evaluated in the message filters only
• SPF vs SIDF, an interesting read: http://www.openspf.org/SPF_vs_Sender_ID
SPF Best Practices (Sending)
• Plan to include “-all” in your SPF records
• Consider all legitimate servers sending e-mail on your behalf
• Make it part of security policy for roaming users to use authenticated SMTP on your
gateways for sending outgoing mail
• Add your relay hosts’ HELO/EHLO identity to SPF records
• Create SPF records for all of your subdomains too
• Publish null SPF records for domains/hosts that don’t send mail!
nomail.domain.com. IN TXT "v=spf1 -all"

• Only include “MX” mechanism if your incoming mail servers also send outgoing mail
• (for now) Publish both TXT and SPF DNS Resource Records with your SPF record data.

How it works: DKIM
• Domain Keys Identified Mail, specified in RFC5585
• Additional RFCs: RFC6376 (DKIM Signatures), RFC5863 (DKIM Development, Deployment and Operation), RFC5617 (Author Domain Signing Practices (ADSP))
• In a nutshell: specifies methods for gateway-based cryptographic signing of outgoing messages, embedding verification data in an e-mail header, and ways for recipients to verify the integrity of the messages
• Uses DNS TXT records to publish public keys
20120113._domainkey.gmail.com IN TXT “k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabg
bFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD
0""7y2+07wlNWwIt8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIhkx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz
8BZeTWbf41fbNhte7Y+YqZOwq1Sd0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04BLUTD21MycBX5jYchHjPY/
wIDAQAB”

DKIM Operation
Signing side:
• Generate keypair
• Publish the public key in a DNS TXT RR
• Outgoing msg: Canonicalize + Sign
• Insert DKIM-Signature header
Verifying side:
• Receive msg
• Parse DKIM-Signature
• Fetch the public key from the DNS TXT RR
• Verify b and bh
• Deliver / Drop / Quarantine…
How it works: DKIM Signature
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;   (algorithm used, canonicalization scheme)
  d=gmail.com; s=20120113;   (domain ID and selector)
  h=mime-version:date:message-id:subject:from:to:content-type;   (signed headers)
  bh=pMD4ZYid1vn/f7RZAy6LEON+d+W+ADlVSR6I0zrYofA=;   (body hash)
  b=n3EBxT5DwNbeISSYpKT6zOKHEb8ju51F4X8H2BKhDWk9YpOk8DuU4zgLh   (signature over the signed headers)
  srfeFCvf+/2XEPnQaIVtKmE0h7ZTI8yvV6lDEQtJQQWqQ/RA7WsN4Tjg4B
  JAXPR+yF6xwLLcQqMwzsgLxC3pQAPw3Lp7py9C62nauei3nLEm0gLnXYsh
  Uvq6IS+qfJBOKeMby9WUsqRecg0AWX8Dfb8gxXHQH8wKFJ96KitB6iPFq
  ufIOTaZWMhiFnL+NHR06v0PwsCQhsSccuk0eTDu9Uqyf8bDn4opkhg7tZ
  SyGhUFeuqwxJoCJcghGf7edZ0OIgZtEcuxLMcgl+mpSje2YIfeXgFRg==
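What the verifier actually recomputes when it "verifies b and bh", as an added worked example written for this page (not the ESA's DKIM code or any published library): the relaxed body and header canonicalization of RFC 6376, the bh= body hash, and the exact byte string that the b= RSA signature covers, which is the listed h= headers followed by the DKIM-Signature field itself with its b= value emptied. The RSA step is left out deliberately, since the canonicalization is where most verification failures come from (a footer added in transit changes bh=, a rewritten Subject changes the signed input). The headers, body and signature tags are constructed samples; repeated header names in h= are handled only in the simplified "last instance" form.

```python
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization (CRLF line endings): collapse
    runs of whitespace to one space, drop trailing whitespace on each line,
    drop empty lines at the end of the body, end a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def relaxed_header(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase the field name,
    unfold continuation lines, collapse whitespace, strip, 'name:value' CRLF."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.lower()}:{value}\r\n"


def body_hash(body):
    """The bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(sig_value):
    """Split a DKIM-Signature field value into tag=value pairs; whitespace
    left inside values by header folding is removed."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def bh_matches(body, sig_value):
    """Verifier step one: recompute bh= over the body we received and compare."""
    return parse_tags(sig_value).get("bh") == body_hash(body)


def signing_input(headers, sig_value):
    """Bytes covered by b= under relaxed/relaxed: each header named in h=, in
    that order (last instance of a name, in this simplified treatment), then
    the DKIM-Signature field with its b= value emptied and no trailing CRLF.
    The signer's RSA signature over exactly these bytes is what b= carries."""
    data = ""
    for name in parse_tags(sig_value)["h"].split(":"):
        for hname, hval in reversed(headers):
            if hname.lower() == name.lower():
                data += relaxed_header(hname, hval)
                break
    # empty only the b= tag (anchored at the start or after ';' so bh= is untouched)
    sig_no_b = re.sub(r"(^|;)(\s*b=)[^;]*", r"\1\2", sig_value)
    data += relaxed_header("DKIM-Signature", sig_no_b).rstrip("\r\n")
    return data.encode("utf-8")


# Constructed sample message, not a real captured one.
SAMPLE_HEADERS = [("From", "alice@example.com"), ("To", "bob@example.net"), ("Subject", "Hello")]
SAMPLE_BODY = "Hello   world \r\n\r\n\r\n"

if __name__ == "__main__":
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
           " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=")
    print("bh matches:", bh_matches(SAMPLE_BODY, sig))
    print("bh after a footer is appended:", bh_matches(SAMPLE_BODY + "-- scanned by gateway\r\n", sig))
    print(signing_input(SAMPLE_HEADERS, sig).decode())
```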

DKIM Public Key Retrieval
• DNS query:
<selector>._domainkey.<SDID>
• For our example:
20120113._domainkey.gmail.com IN TXT “k=rsa\;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Kd87/UeJjenpabg
bFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyo
xcTUGCQs8g3FgD2Ap3ZB5DekAo5wMmk4wimDO+U8QzI3SD0" "7y2+07wlNWwIt
8svnxgdxGkVbbhzY8i+RQ9DpSVpPbF7ykQxtKXkv/ahW3KjViiAH+ghvvIh
kx4xYSIc9oSwVmAl5OctMEeWUwg8Istjqz8BZeTWbf41fbNhte7Y+YqZOwq1S
d0DbvYAD9NOZK9vlfuac0598HY+vtSBczUiKERHv1yRbcaQtZFh5wtiRrN04B
LUTD21MycBX5jYchHjPY/wIDAQAB”

DKIM on the ESA

• DKIM Settings in the HAT can be set to verify signatures
• Use a content filter to enforce policy based on DKIM auth result
• Use an action to Policy quarantine to be able to review spoofs
How it works: DMARC
• Both DKIM and SPF have shortcomings, not because of bad design, but because of the different nature of each technology
• Thus, DMARC was born:
• Leveraging great existing technologies, providing a glue to keep them in sync, and
allowing senders to mandate rejection policies and have visibility of offending traffic
• Domain-based Message Authentication, Reporting And Conformance
• Defined in RFC 7489
• Provides:
• DKIM verification
• SPF authentication
• Synchronization between the two and all sender identities (Envelope From, Header From)
• Reporting back to the spoofed entity

DMARC Operation
Sender side (publish and sign):
• Publish SPF DNS RR (SPF or TXT)
• Publish DKIM DNS RR (TXT)
• Publish DMARC DNS RR (TXT)
• Outgoing msg: insert DKIM-Signature
Receiver side (check and report):
• Check SPF
• Check DKIM
• Fetch DMARC Policy
• Check SPF on Header From
• Align Identifiers
• Apply DMARC Policy
• Send DMARC Report(s)
How it works: DMARC Record Structure

TXT Record for Domain amazon.com:

_dmarc.amazon.com IN TXT "v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:[email protected]\; ruf=mailto:dmarc-[email protected]"

v=DMARC1 is the version of DMARC; p= is the action on auth failure; pct= is the % of messages to apply the policy to; rua= is the Aggregate Feedback report URI; ruf= is the Forensic Feedback report URI.
DMARC Policy Specification

_dmarc.amazon.com IN TXT "v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:[email protected]\; ruf=mailto:[email protected]"

v= Version; p= Failure policy; pct= Sampling rate; rua= Aggregate Reports URI; ruf= Forensic Reports URI.
How to enable DMARC (inbound)

• DMARC is configured by creating a profile and then applying the profile to a Mail Flow Policy
• By default the profile is set to Monitor for DMARC violations, however it needs to be applied to a policy for it to evaluate DMARC records
• Monitor and tune settings and SenderGroups, and move to blocking when ready
DMARC Policy
• Policies requested by senders:
• None
• Quarantine
• Reject

• Receivers MAY deviate from requested policies, but SHOULD inform the sender why (through Aggregate Report)
• Sampling rate (“pct” tag) instructs the receiver to only apply policy to a fraction of messages
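The receiver-side DMARC logic described across the last few slides (record structure, identifier alignment, requested policy and pct sampling), as an added worked example written for this page and not the ESA's DMARC implementation. The record, addresses and domains are constructed; the "\;" shown in the zone-file style listings above is escaping, the TXT string itself carries plain ";". Two assumptions are labelled in the code: the organizational domain is taken as the last two labels (a Public Suffix List lookup is the real rule), and the record passed in is taken to be the one found at _dmarc under the header From's organizational domain.

```python
# Constructed DMARC record for the examples below (not a real domain's record).
DMARC_RECORD = ("v=DMARC1; p=quarantine; pct=100; "
                "rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com")

# RFC 7489 section 6.6.4: a failing message outside the pct sample gets the
# next less strict policy instead of the requested one.
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt):
    """Parse a _dmarc TXT record into its tags and fill in the RFC defaults.
    Returns None when the text is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in NEXT_LESS_STRICT:
        return None
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless told otherwise
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless told otherwise
    tags.setdefault("pct", "100")   # apply the policy to every message
    return tags


def org_domain(domain):
    """Organizational domain. Assumption: last two labels; real receivers
    consult the Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return header_from_domain.lower() == auth_domain.lower()
    return org_domain(header_from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record_txt, header_from, spf_result, spf_domain,
                   dkim_result, dkim_domain, sample_point=0):
    """Return {'result', 'disposition', 'spf_aligned', 'dkim_aligned'}.

    spf_domain is the MAIL FROM domain that SPF was checked against and
    dkim_domain the d= of a verified signature (None if none verified).
    sample_point is an integer 0-99 drawn per message for pct sampling.
    Assumption: record_txt is the record at _dmarc.<org domain of header From>.
    """
    tags = parse_dmarc(record_txt)
    if tags is None:
        return {"result": "none", "disposition": "none", "spf_aligned": False, "dkim_aligned": False}
    from_domain = header_from.rsplit("@", 1)[-1]
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        # one aligned, passing mechanism is enough for DMARC to pass
        return {"result": "pass", "disposition": "none", "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    disposition = tags["p"]
    if sample_point >= int(tags["pct"]):
        disposition = NEXT_LESS_STRICT[disposition]
    return {"result": "fail", "disposition": disposition, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    # Constructed cases: a bounce subdomain that passes SPF, and a plain spoof
    print(dmarc_evaluate(DMARC_RECORD, "ceo@example.com", "pass", "bounce.example.com", "fail", None))
    print(dmarc_evaluate(DMARC_RECORD, "ceo@example.com", "pass", "other.example", "none", None))
```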

How to Start With DMARC (Sending)
1. Correctly deploy DKIM and SPF
2. Make sure that your identifiers will align
3. Publish a DMARC record with “p=none”, gather rua and ruf reports for a while
4. Analyze the data and modify your mail streams (or DKIM/SPF parameters)
5. Eventually apply “reject” or “quarantine” policy after running in Monitor
mode

Allowed Spoofing & Sender Verification Table
• Before you begin to block any messages, determine who is allowed to spoof: external marketing firms, vendors, SaaS tools and notifications
• Use a filter to mark and track addresses that match your domains, or copy messages into a quarantine for review
• In your HAT create a SPOOF_ALLOW (or similar) SenderGroup to add the host addresses for vendors that are allowed. Use the SPOOF_ALLOW as part of the filter to ensure that those messages are not flagged or stopped
• The Sender Verification Table is enabled within the Mail Flow Policy and can be used to verify that the MAIL FROM domain exists and is resolvable
• Use the SVT table to set your domains to block and apply to the policies
Quick Review: Message Filters
• High-performance scriptable filtering capability
• Accessible from the CLI only (filters command)
• Allows complex logical operators between conditions
• All Message Filters are evaluated for all messages
• Executed serially
• Apply to the entire mail flow, incoming and outgoing!
• Message Filters run before the Policy Engine! A filter matches if any recipient matches, and all actions are executed for all recipients!
Message Filters

myFilter:
if (body-contains('word',1)) AND \
(attachment-filetype == 'Document') {
quarantine('Policy');
}

Anatomy of the filter above: the name (myFilter), the conditions (body-contains and attachment-filetype) joined by a logical operator (AND), and the action(s) inside the braces (quarantine).
Filter Conditions
• Can be combined using AND, OR, NOT
• != equals NOT if condition result can be evaluated:
(not (attachment-filetype == 'Document')) equals (attachment-filetype != 'Document')
• Mostly support regular expressions
• Least expensive conditions evaluated first
• Unneeded tests are not evaluated
• Inactive filters are evaluated!
Message Filter Actions
• Actions are executed in the order specified
• Final actions: skip-filters, drop, bounce, encrypt, smime-gateway
  • Just exit message filters and continue down the pipeline (except drop)
• All filter actions across all matching filters are cumulative
• If a message matches multiple filters which execute the same action, only the last specified action is executed
Filtering & Quarantine Spoofs
quarantine_spoof_copy:
if sendergroup != "RELAYLIST" AND (
mail-from-dictionary-match("No_Spoof_Domains", 1) OR
header-dictionary-match("No_Spoof_Domains","From", 1) OR
header-dictionary-match("Execs","From", 1))
{
duplicate-quarantine("All_Spoofs");
notify-copy ("[email protected]");}

• Above is an example of a message filter that checks whether the connecting IP is not in the RELAYLIST and is trying to send a message whose envelope sender or From header matches a dictionary of protected domains or names
• It will duplicate the message and place the copy in quarantine for review
• Modify it to include the SPOOF_ALLOW list and the domains in the From header
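A model of the quarantine_spoof_copy filter above, extended the way the last bullet and the Allowed Spoofing slide suggest (a SPOOF_ALLOW sender group that is exempt, plus the From: header domain), as an added Python example rather than the ESA's filter engine. The dictionaries, sender-group names and the REVIEW_MAILBOX address are constructed stand-ins (the slide's notify-copy address is redacted), and the model tests domains for equality where the ESA dictionary conditions match patterns, so it is slightly stricter than the real filter.

```python
"""Model of the quarantine_spoof_copy message filter (added example)."""
from email.utils import parseaddr

# Constructed stand-ins for the ESA dictionaries and sender groups the filter references.
NO_SPOOF_DOMAINS = {"example.com", "example.net"}     # dictionary No_Spoof_Domains
EXECS = {"han solo", "leia organa"}                    # dictionary Execs (display names)
TRUSTED_SENDERGROUPS = {"RELAYLIST", "SPOOF_ALLOW"}    # connections allowed to use our domains
# Assumed placeholder for the notify-copy recipient; the slide's address is redacted.
REVIEW_MAILBOX = "spoof-review@example.com"


def domain_of(address):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def evaluate_spoof_filter(sendergroup, mail_from, from_header):
    """Return the matched conditions and the actions the filter would run.

    sendergroup: HAT sender group the connecting IP landed in.
    mail_from:   envelope sender (SMTP MAIL FROM).
    from_header: raw RFC5322 From: header value.
    An empty action list means the filter did not fire.
    """
    # Internal relays and explicitly allowed spoofers never match.
    if sendergroup in TRUSTED_SENDERGROUPS:
        return {"matched": [], "actions": []}
    display, addr = parseaddr(from_header)
    matched = []
    if domain_of(mail_from) in NO_SPOOF_DOMAINS:
        matched.append("mail-from-dictionary-match(No_Spoof_Domains)")
    if domain_of(addr) in NO_SPOOF_DOMAINS:
        matched.append("header-dictionary-match(No_Spoof_Domains, From)")
    if display.strip().lower() in EXECS:
        matched.append("header-dictionary-match(Execs, From)")
    if not matched:
        return {"matched": [], "actions": []}
    return {
        "matched": matched,
        # Non-final actions: the original is still delivered, a copy goes to review.
        "actions": ['duplicate-quarantine("All_Spoofs")',
                    f'notify-copy("{REVIEW_MAILBOX}")'],
    }


if __name__ == "__main__":
    # Constructed sample: an outside host using an executive's name and our domain.
    print(evaluate_spoof_filter("SUSPECTLIST", "bounce@attacker.example",
                                "Han Solo <ceo@example.com>"))
```

Because both actions are non-final, the message keeps flowing through anti-spam, anti-virus and the policy engine; the quarantined copy is what you review while tuning, before switching the action to quarantine or drop. The Execs check here is an exact display-name match, so look-alike spellings need a fuzzy comparison in addition.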
Forged Email Detection (New for 10.0)
• Forged Header Detection will look for permutations in the Display Name and the prefix of the email address in the From header
• Use this rule to look for matches against a dictionary of names that are exact or some form of typo squatting
• e.g.: Han S0lo, Han Slo, Han So1o
Forged Email Filters
• In this example, we took the From header and stripped it from the message if the match score was 70 or above
• Combined with a warning disclaimer this would expose the bad sender while warning the end user
• The idea here is that for names that are low-threshold matches, you can use the strip header action to expose the envelope sender – if it is legitimate, it won’t disrupt mail flow
• If all else fails, warn the user of a potential issue by using a disclaimer text on top of the message

Info: MID 2089 Forged Email Detection on the From: header with score of 100, against the dictionary entry Han Solo
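The two Forged Email slides describe scoring the From: display name and address prefix against a dictionary of protected names and, at a threshold of 70, stripping the From: header and adding a disclaimer. The following is an added Python illustration of that idea, not Cisco's scoring algorithm: it undoes common digit-for-letter substitutions, then uses difflib similarity as the 0-100 score. The look-alike character table, the PROTECTED list in the usage, the warning text and all function names are assumptions for this example.

```python
"""Fuzzy matching of From: display names against protected names (added example)."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Digits and symbols commonly swapped for look-alike letters (assumed set for the example).
_LOOKALIKES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(name):
    """Lower-case, undo digit/symbol substitutions and collapse separators,
    so 'Han S0lo', 'han.solo' and 'HAN  SOLO' all become 'han solo'."""
    name = name.lower().translate(_LOOKALIKES)
    name = re.sub(r"[._\-]+", " ", name)   # address prefixes use dots/underscores
    name = re.sub(r"[^a-z ]", "", name)
    return re.sub(r"\s+", " ", name).strip()


def similarity(candidate, entry):
    """Similarity score 0-100 between a candidate string and a dictionary entry."""
    return round(100 * SequenceMatcher(None, normalize(candidate), normalize(entry)).ratio())


def best_match(from_header, dictionary):
    """Highest-scoring dictionary entry against the From: display name and the
    local part (prefix) of the From: address. Returns (entry, score)."""
    display, addr = parseaddr(from_header)
    local_part = addr.split("@", 1)[0]
    best_entry, best_score = "", 0
    for entry in dictionary:
        for field in (display, local_part):
            if field:
                score = similarity(field, entry)
                if score > best_score:
                    best_entry, best_score = entry, score
    return best_entry, best_score


def apply_forged_email_policy(headers, body, dictionary, threshold=70):
    """At or above the threshold, strip the From: header (so the envelope sender
    shows through) and put a warning on top of the body; otherwise leave both as-is.
    Returns (headers, body, score)."""
    entry, score = best_match(headers.get("From", ""), dictionary)
    if score < threshold:
        return dict(headers), body, score
    stripped = {k: v for k, v in headers.items() if k.lower() != "from"}
    warning = (f"WARNING: the sender's display name resembles '{entry}' "
               f"(score {score}); verify the sender before acting.\n\n")
    return stripped, warning + body, score


if __name__ == "__main__":
    PROTECTED = ["Han Solo", "Leia Organa"]   # constructed dictionary
    for hdr in ("Han S0lo <hs@attacker.example>", "Han Slo <x@attacker.example>",
                "Han So1o <x@attacker.example>", "Chewbacca <chewie@attacker.example>"):
        print(hdr, "->", best_match(hdr, PROTECTED))
```

The three permutations from the slide all score at or near 100 after normalisation, while an unrelated name stays well under the threshold; lowering the threshold catches more variants at the cost of legitimate names that happen to be close, which is why the slides pair the stripped header with a disclaimer instead of dropping the message outright.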
Phish & Spoofing Checklist
• Enable URL Filtering on the ESA
• Enable Web Interaction Tracking (if permitted by policy)
• Enable URL visibility in Message Tracking for certain admin users (if permitted by policy)
• Enable Threat Outbreak Filtering and message modification – warn your users!
• Whitelist your partner URLs, use the scores to create filters for others
• Combine the reputation rules and leverage language detection as part of the logic
• Use the policies to define the level of aggression for rule sets
• Make a plan to enable SPF, DKIM and DMARC
• Know who your allowed external spoofs are by tracking them via filters and policies
• Build the list as the exception, trap all others
• With 10.0 use the Forged Email Detection feature to look for matches on the display name; if too close to call, drop the From header
• Send a copy of suspected spoofs to a quarantine for review and then tune your rules to start blocking messages
Attachment Handling
Block the unwanted file types
• Within either a content or message filter an organization can define how to handle attachments on a per-policy basis
• Commonly customers will create a content filter to block unwanted file types
• Using the predefined libraries simplifies the process
• The system will detect changed extensions or attempts to hide files within multiple zip levels in order to evade file blocking
Blocking early in the pipeline
• If files are being outright dropped (e.g. executables) then doing it earlier in the pipeline would save on AV, AMP and OF cycles:

strip_all_exes: if (true) {
drop-attachments-by-filetype ('Executable', "Removed attachment: $dropped_filename");}

• A non-final action such as quarantine lets the message continue through the pipeline, so any later verdict still applies

(Figure: Work Queue order shown beside the slide: LDAP RCPT Accept (WQ), Masquerading (Table / LDAP), LDAP Routing, Message Filters, Anti-Spam, Anti-Virus, Per-Policy Scanning: Advanced Malware (AMP), Graymail, Safe Unsubscribe, Content Filtering, Outbreak Filtering, DLP Filtering (Outbound))
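The Attachment Handling slide says the system detects changed extensions and files hidden in nested zip levels, and the filter above drops by file type before AV/AMP run. The following added Python example shows what such a content-based check involves; it is not the ESA's file-type library. It classifies by magic bytes rather than extension, descends into nested zips up to a fixed depth, and reports encrypted, oversized, too-deep or corrupt archives as unscannable rather than silently passing them. The magic-byte table, the depth and size limits, the wrap_in_zip/build_sample helpers and the sample attachment (a PE stub named invoice.pdf inside two zips) are all constructed for this example.

```python
"""Content-based attachment inspection with nested-zip recursion (added example)."""
import io
import zipfile

MAX_ZIP_DEPTH = 3                      # assumed limit: deeper nesting is reported, not opened
MAX_MEMBER_BYTES = 10 * 1024 * 1024    # assumed limit: refuse to inflate oversized members

# Leading bytes of common executable formats (properties of the formats themselves).
_EXECUTABLE_MAGIC = (
    (b"MZ", "Windows PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit executable"),
)


def classify_bytes(data):
    """Identify the content by its leading bytes, ignoring the file name entirely."""
    for magic, label in _EXECUTABLE_MAGIC:
        if data.startswith(magic):
            return label
    if data.startswith(b"PK\x03\x04"):
        return "zip archive"
    return "other"


def scan_attachment(name, data, depth=0):
    """Return a list of (path, verdict) findings for one attachment blob.

    Verdicts: 'executable' for executable content under any name, and
    'unscannable' for archives that are encrypted, oversized, nested too
    deeply or corrupt (the cases a filter should treat as a block, not a pass).
    """
    findings = []
    kind = classify_bytes(data)
    if kind.endswith("executable"):
        findings.append((name, "executable"))
        return findings
    if kind != "zip archive":
        return findings
    if depth >= MAX_ZIP_DEPTH:
        findings.append((name, "unscannable"))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:                  # encrypted member
                    findings.append((path, "unscannable"))
                    continue
                if info.file_size > MAX_MEMBER_BYTES:     # zip-bomb guard
                    findings.append((path, "unscannable"))
                    continue
                findings.extend(scan_attachment(path, zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        findings.append((name, "unscannable"))
    return findings


def should_drop(name, data):
    """Decision a strip-executables filter would take on this attachment."""
    return any(verdict == "executable" for _, verdict in scan_attachment(name, data))


def wrap_in_zip(member_name, member_data):
    """Helper for constructing samples: a zip archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_data)
    return buf.getvalue()


def build_sample():
    """Constructed test input: an 'invoice.pdf' that is really a PE stub (not a
    real program), hidden inside inner.zip inside outer.zip next to a text file."""
    exe_stub = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf", exe_stub)
        zf.writestr("readme.txt", b"plain text")
    return wrap_in_zip("inner.zip", inner.getvalue())


if __name__ == "__main__":
    print(scan_attachment("outer.zip", build_sample()))
```

Running it on the constructed sample reports only outer.zip/inner.zip/invoice.pdf as executable, which is the point: the misleading .pdf extension and the two zip layers do not change the verdict. Whether the whole message is dropped or only the attachment stripped is then a policy choice, as on the slide.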
Block the known viruses
• Sophos comes bundled with the licenses; enable it and block known viruses
• Encrypted => Password Protected, Signed
• Unscannable => Too large to scan, malformed
• Do you still repair? Most customers today do not have the repair option enabled for virus-infected messages.
Enabling AMP
• AMP is an additional license on the ESA and CES
• 4 components to AMP:
  • File Reputation
  • File Analysis
  • File Retrospection
  • Mailbox Auto Remediation (New)
How AMP works
(Figure: AMP Connector on the ESA and the AMP Cloud. Labels on the diagram: File Reputation Query; Disposition Query; Update the Cache with disposition value (Local Cache); Retrospective Heartbeat; SBRS; CASE; AV Pre-Classification; Local AV Scanners; Sandbox connector: Qualified File, upload for Sandboxing; Cisco TG Sandboxing; AMP feedback loop only for Malicious Files)
Mailbox Auto Remediation
• API integration with Office 365 / Azure for Malware Remediation
• When a retrospective alert is received, the ESA can remove the email from the mailbox automatically

(Figure: flow between TALOS, CES and O365)
1. Original message delivered with non-malicious verdict
2. Retrospective alert of file that is now deemed malicious received by CES
3. API call to O365 to remove message from the mailbox, or forward to a specific mailbox
Enable Virus Outbreak Filters
• VOF is enabled by default
• Provides a significant catch rate for outbreaks over traditional scanning engines
• It’s the human element, after signature, heuristics and hash-based scanning

http://www.senderbase.org/static/malware/#tab=0
File Handling Checklist
• Create a filter to block, quarantine or strip attachments that are deemed risky for the organization
• Use AV to block the known viruses. Cleaning / Repairing viruses from files may be something you want to turn off…
• Ensure Virus Outbreak is turned on in all your policies; it provides an average 10+ hr lead time on 0-day attacks
• Evaluate AMP if you don’t have it already
• AMP will hash all files and ask for file reputation
• Macro inspection is performed by File Analysis on AMP along with other file types
• Retrospection alerts can now do remediation with Office 365
In Summary
• The days of set it and forget it are long gone – continuous monitoring and tuning are required to keep up with today’s threats
• Understand what your organization’s security posture is and apply it to your appliances
• Keep your appliances updated – we are constantly introducing new features that require upgrades / updates
• We are publishing guides to help with tuning and setting up new features on Cisco Email Security
Security Joins the Customer Connection Program
Customer User Group Program
19,000+ Members Strong
• Who can join: Cisco customers, service providers, solution partners and training partners
• Private online community to connect with peers & Cisco’s Security product teams
• Monthly technical & roadmap briefings via WebEx
• Opportunities to influence product direction
• Local in-person meet ups starting Fall 2016
• New member thank you gift* & badge ribbon when you join in the Cisco Security booth
• Other CCP tracks: Collaboration & Enterprise Networks

Join in World of Solutions
Security zone -> Customer Connection stand
• Learn about CCP and Join
• New member thank-you gift*
• Customer Connection Member badge ribbon

Join Online
www.cisco.com/go/ccp
Come to Security zone to get your new member gift* and ribbon
* While supplies last
Resources
• URL Best Practices:
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html?referring_site=RE&pos=2&page=http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white_paper_c11-684611.html
• Anti-Spam Tuning Guide:
http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white-paper-c11-732910.html
• Other Guides:
http://www.cisco.com/c/en/us/products/security/email-security-appliance/white-paper-listing.html
• Knowledge base:
http://www.cisco.com/c/en/us/products/security/email-security-appliance/q-and-a-listing.html
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Security Cisco Education Offerings

Course | Description | Cisco Certification
CCIE Security | Expert Level certification in Security, for comprehensive understanding of security architectures, technologies, controls, systems, and risks. | CCIE® Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls | CCNP® Security
Implementing Cisco Threat Control Solutions (SITCS) | Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security | CCNP® Security
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco’s Identity Services Engine and 802.1X secure network access | CCNP® Security
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions | CCNP® Security
Implementing Cisco Network Security (IINS 3.0) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA® Security
Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including event monitoring, security event/alarm/traffic analysis (detection), and incident response | Cisco Cybersecurity Specialist
Network Security Product Training | For official product training on Cisco’s latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances. |

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact [email protected]