Security Hands-On Lab

Size: px

Start display at page:

Download "Security Hands-On Lab"

Melvin Simpson
5 years ago
Views:

2 Security Hands-On Lab Ehsan A. Moghaddam Consulting Systems Engineer Nicole Wajer Consulting Systems Engineer LTRSEC-2009

3 Ehsan & Nicole Ehsan Moghaddam Consulting Systems EMEAR (ME) Joined Cisco Aug 2015 Content Security Nicole Wajer Consulting Systems EMEAR (North) Joined Cisco Dec 2007 Now Content Security & IPv6 LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 3

6 Agenda SMTP Overview Cisco Security Pipeline Lab Exercise 0: Introduction & Installation (Mandatory) Lab Exercise 1: End User Message Flow, ISQ Notifications and Graymail Management Lab Exercise 2: Preventing Phishing Attacks with Anti-Spam and Outbreak Filters Lab Exercise 3: Preventing Advanced Persistent Attacks with AMP Lab Exercise 4: Using URL Categorization and URL Reputation

7 Agenda - Continued Lab Exercise 5: Envelope Encryption Lab Exercise 6: Preventing External Domain Spoofing with DMARC Lab Exercise 7: Preventing Internal Domain Spoofing Lab Exercise 8: High Volume Mail Flow Management

8 For Your Reference There are (many...) slides in your print-outs that will not be presented. They are there For your Reference For Your Reference LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 SMTP Overview

10 SMTP Conversation Overview DNS MX Records presidentclinton.com IN MX mx.presidentclinton.com mx.presidentclinton.com IN A mail.trump.com MTA Internet mx. presidentclinton.com MTA Envelope Header Body Cisco IronPort C-Series To: hillary@presidentclinton.com exchange.presidentclinton.com donald@trump.com LTRSEC-2009 hillary@exchange.presidentclinton.com 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Sample: SMTP Conversation mail.trump.com Envelope Headers Body SYN ACK SYN/ACK << 220 mx.presidentclinton.com ESMTP >> HELO mail.trump.com << 250 mx.presidentclinton.com >> MAIL FROM: << 250 sender ok >> RCPT TO: << 250 recipient ok >> DATA << 354 go ahead >> From: Donald >> To: Hillary >> Subject: Banned From Traveling! :-( >> Date: Tue, 21 February :57: >> >> >> Hillary!! >> I have signed a new executive order >> That bans you from traveling to Germany! >> -Trump >>. << 250 ok >> QUIT << 221 mx.presidentclinton.com mx.presidantclinton.com Cisco and/or its affiliates. All rights reserved. Cisco Public

12 Why DNS is important? MX records tell us the next hop. A and PTR gives us the real hostname and we can compare with the greeting. SPF, DKIM and DMARC records. RBL and Reputation LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Cisco Security Pipeline

Cisco Talos (Centralized Threat Intelligence) Update: URL Intelligence FirePower Appliance AMP for EndPoint SBRS Updates Update: Outbreak Filters Rules Update: Sophos & McAfee Update: DLP File

Servers Update: IPAS, IMS, Graymail Known File Reputation Retrospection data (downloaded) Unknown files are uploaded to VRT sandboxing Incoming Email Flow SBRS DNS Query/Response Clean emails

5 Sophos, Webroot, McAfee (With URL Intelligence) Graymail & Graymail Safe UnSubscribe Advanced Malware Protection Content Filters Outbreak Filters URL Category On-board Phishing DB URL WBRS

14 Cisco Talos (Centralized Threat Intelligence) Update: URL Intelligence FirePower Appliance AMP for EndPoint SBRS Updates Update: Outbreak Filters Rules Update: Sophos & McAfee Update: DLP File Reputation Check Retrospection File Reputation File Reputation Check Retrospection Update: File Reputation ThreatGrid Sandbox Unknown files uploaded to VRT Sand Behavioral analysis uploaded SBRS Servers Update: IPAS, IMS, Graymail Known File Reputation Retrospection data (downloaded) Unknown files are uploaded to VRT sandboxing Incoming Flow SBRS DNS Query/Response Clean s delivered SBRS Reputation Deny:: 88-93% of All Attempted SPF, DKIM, DMARC Dual Spam Engines Signature-Based Malware Scanners New CASE 3.5 Sophos, Webroot, McAfee (With URL Intelligence) Graymail & Graymail Safe UnSubscribe Advanced Malware Protection Content Filters Outbreak Filters URL Category On-board Phishing DB URL WBRS Reputation URL Intelligence Outbreak Rules from Talos & Contextual Data from CASE Drop or Quarantine, etc Outbreak Quarantine Replace URL with Text Rewrite URL to redirect to CWS Defang URL ***Web InteractionTracking Rewrite URL to redirect to CWS ***Web Interaction Tracking Deny: Bad Reputation Senders Drop: Spam and Marketing Drop: Signature-based malware Drop: s with known bad file reputation LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Cisco Security is backed by unrivaled global threat intelligence 100 TB Of Data Received Daily 1.5 MILLION Daily Malware Samples 600 BILLION Daily Messages with SenderBase III00II 0II00II 0I0I0I0I 0I I0 I00 000II0 I0I0 0II0 00 III00II 0II00II I0I0II0II0 I0 I0 I00 00I0 I000 0II0 00 III00II 0II00II I0I000 0II0 00I0I00 I0 I000I0I 0II 0I0I0I 00I00 I00I0I II0I0I 0II0I I0I00I0I0 0II0I0II 0I00I0I I0 00 II0III0I 0II0II0I II00I0I0 0I00I0I00 I0I0 I0I0 I00I0I00 II0II0I0I0I I0I0I0I 0I0I0I0I 0I0I00I0 I0I0I0I 0II0I0I0I III00II I000I0I I000I0I I000I0I II 0I00 I0I000 0II I I0I0I0 I0I0III000 I0I00I0I 0II0I0 I00I0I0I0I 000 0II00 I00I0I0 0I00I0I I00I0I0 I0I0I0I 0I0I0I 0I0I0I0 00I0I0 0I0I0I0 I0I0I00I 0I0I 0I0I 0I0I I0I0I 0I00I0I 250+ Full Time Threat Intel Researchers MILLIONS Of Telemetry Agents 4 Global Data Centers 16 BILLION Daily Web Requests Operations Over 100 Threat Intelligence Partners Deploy the world's largest traffic monitoring network Leverage industry-leading threat analytics LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Block fraudulent senders DMARC, DKIM and SPF Cisco Security TrustedPartner.com Signed Delete TrustedPartner.com Fraudulent SPF Checks if mail from a domain is being sent from an authorized host DNS DMARC Ties SPF and DKIM results to 'From' header Send Verified DKIM Matches public key to sender domain s private key records Quarantine Determine whether a sender is reputable Inspect sender details on inbound messages Block invalid senders and identify next steps LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 It s built with industry-leading spam protection Anti-spam processing / Context Adaptive Scanning Engine (CASE) Cisco Anti-Spam Block Cisco Security Who sent the message? What Is the content? How was the message constructed? Where does the call to action take you? Forward O365 Mail Server Quarantine Review sender reputation, URL reputation, and message content Block spam with 99% accuracy with fewer than 1:1M false positives Quarantine suspicious messages for additional review LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Separate what matters from what doesn t Graymail detection and safe unsubscribe Mark Up Messages Graymail Detection Modify subject Add x-header Add Safe Unsubscribe Link Safe unsubscribe unsubscribe here Bulk Social Network Marketing Unsubscribe engine Quarantine / Block Graymail warning added to banner of Identify messages that aren t spam Categorize incoming bulk, marketing, and social networking s Provide users a method to safely unsubscribe LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Block known and zero-day viruses Anti-virus processing Outbreak Filters Block Block Multiple detection methods: Pattern matching Emulation technology Advanced heuristic techniques Forward Zero-Hour Virus and Malware Detection.DOC.EXE.LNK Updates every 12 hours.pdf Quarantine Determine what actions to take on viral messages Real time security updates that prevent new malware Also receive AV Signature updates regularly Quarantine Determine whether anomalies are zero-day threats Scan attachments for known viruses Forward clean s to additional security checks Defend against zeroday malware LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 Detect and contain advanced threats quickly Advanced Malware Protection (AMP) File Reputation File Sandboxing File Retrospection? Advanced Analytics Dynamic analysis 560+ indicators.sys.doc.exe.lnk.pdf.scr Unknown Clean Malicious Known Signatures Fuzzy Fingerprinting Indications of compromise Block known malware Investigate files safely Auto-remediate threats in O365 Gain visibility into messages trying to enter the network LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

Control which emails cross the network Content Filters Content Filters Rewrite URL Cisco Cloud Web Proxy Defang / Block BLOCKEDwww.proxy.

21 Control which s cross the network Content Filters Content Filters Rewrite URL Cisco Cloud Web Proxy Defang / Block BLOCKEDwww.proxy.org BLOCKED URL reputation and categorization Replace with Text This URL is blocked by policy Admin Customize filters in three different ways for additional security Easily enforce business and compliance policies LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 SMTP Envelope Protect against spoofing attacks Forged Detection Pre-processing Inspects the SMTP envelope address: $ telnet mail-smtp-in.l.mail.com 25 Trying Connected to mail-smtp-in.l.mail.com. Escape character is '^]'. Recipient Domain Compare against Company directory 220 mx.mail.com ESMTP i11si wmh.67 - gsmtp From: Chuck <chuck.robbins@mail.com> Subject: [URGENT] Need help transferring funds HELO mail.outside.com Sending Domain 250 mx.mail.com at your service MAIL FROM:<adam@outside.com> Actual Sender OK i11si wmh.67 - gsmtp RCPT TO:<alan@mail.com> Allison Johnson Barry Smith Chuck Robbins Dave Tucker From: adam@outside.com Subject: {Possibly Forged} [URGENT] Need help transferring funds OK i11si wmh.67 gsmtp Data Post-processing Inspect SMTP envelope for sender address Match sender address against company directory Send appended mail to warn users of potential forgery Record a log of attempts and actions taken LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Detect targeted or blended attacks automatically Outbreak Filters Outbreak Filters Rewritten message From: Bank.com To: Bob Smith Subject: Suspicious mail Cisco Cloud Web Proxy Site validated Forward Warning! This contains suspicious content Prepend subject line Hello John, Access your account here. Add threat warning Site blocked Rewrite URLs Block Dynamic quarantine Block Block all known threats with Talos Quarantine s with suspicious URLs Modify s to protect end-user Redirect traffic to protect from malicious links LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Lab Exercise 0: Introduction & Installation (Mandatory)

26 Lab Exercise 0: Introduction & Installation (Mandatory) Background: Your lab pod topology is composed of resources both inside and outside of the enterprise domain alpha.com. The gateway, Security Appliance or ESA, controls the mail flow between the outside and inside mailboxes. In this Lab 0 you will be familiarizing yourself with these resources and performing an installation via the System Setup Wizard and LDAP configuration wizard. You will access the following devices : o XP Management Client (via RDP) o ESA (via PuTTY telnet and web based login) o Outside Mail Client o Exchange Mail Client o Notes Mail Client Note: Following the completion of Lab 0, you can perform any of the other labs 1 9 independently or in series without interference. LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 26

28 Lab Exercise 1: End User Message Flow, ISQ Notifications and Graymail Management

Lab Exercise 1: End User Message Flow, ISQ Notifications and Graymail Management Lab 1 goals are: o Drop positive spam o Quarantine suspect spam o Detect and Classify Graymail o Provide a safe method

29 Lab Exercise 1: End User Message Flow, ISQ Notifications and Graymail Management Lab 1 goals are: o Drop positive spam o Quarantine suspect spam o Detect and Classify Graymail o Provide a safe method for users to Unsubscribe from Graymail o Use LDAP groups to define which recipients will receive Spam Quarantine Notifications, and those that do not. o Create a mail policy for messages from a trusted sender to bypass the Anti-spam engine when destined to a specific recipient LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 Lab Exercise 2: Preventing Phishing Attacks with Anti-Spam and Outbreak Filters

31 Lab Exercise 2: Preventing Phishing Attacks with Anti-Spam and Outbreak Filters Lab 2 goals are: o Demonstrate remediation of messages with suspicious URLs by anti-spam engine o Demonstrate remediation of phish attacks by outbreak filters. o Using WBRS, Identify messages with URLs that must be rewritten for redirection through the web proxy. o Identify messages with URL categories that must be blocked. o Use Drill-Down reporting to identify remediation of phishing attacks. o Enable Web Interaction Tracking to track malicious URLs in s, and the recipients who clicked on them LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Lab Exercise 3: Preventing Advanced Persistent Attacks with AMP

33 Lab Exercise 3: Preventing Advanced Persistent Attacks with AMP Lab 3 goals are: o o o o o Verify licensing and operation of Advanced Malware Protection Verify connectivity to the reputation service Use scripts to deliver both known and unknown viral attacks Deliver both well known and unknown viral files (APTs) through the ESA Observe remediation of (APTs) LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 Lab Exercise 4: Using URL Categorization and URL Reputation

35 Lab Exercise 4: Using URL Categorization and URL Reputation Lab 4 goals are: o o Import a Text Record that details the corporate Anti-Gambling Policy so that recipients can be warned. Use URL Categorization and Web Interaction Tracking to track recipient click activity on gambling sites. LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 Lab Exercise 5: Envelope Encryption

Lab Exercise 5: Envelope Encryption Lab 5 goals are: o o o o Auto Registration of CRES administrator Create No Auth Envelope and enable Secure Reply Create Content

37 Lab Exercise 5: Envelope Encryption Lab 5 goals are: o o o o Auto Registration of CRES administrator Create No Auth Envelope and enable Secure Reply Create Content Filter using Attachment Filename dictionary match Demonstrate the Undo Commit feature LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 Lab Exercise 6: Preventing External Domain Spoofing with DMARC

39 Lab Exercise 6: Preventing External Domain Spoofing with DMARC Lab 6 goals are: o o o o Identify what domains have DMARC records published and how to interpret them Configure DMARC verification for incoming messages. Send legitimate and illegitimate messages through the ESA and see how they are remediated by DMARC Recognize the limitations of DMARC LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 Lab Exercise 7: Preventing Internal Domain Spoofing

41 Lab Exercise 7: Preventing Internal Domain Spoofing Lab 7 goals are: o Remediate mail from Argument Abuse o Remediate From Header Abuse o Remediate Cousin Domain Abuse o Remediate Free Account Abuse LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Lab Exercise 8: High Volume Mail Flow Management

43 Lab Exercise 8: High Volume Mail Flow Management Lab 8 goals are: o o o o o Use scripts to deliver a flood of messages inbound from multiple mail domains to simulate a DOS attack. Use scripts to deliver a flood of messages outbound from multiple internal mail servers. Selectively rate limit both inbound and outbound mail flows Create reports on domains being rate limited. Use message tracking to determine if a message was dropped due a rate limiting policy. LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 43

Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday)

44 Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 44

Continue Your Education Demos in the World of Solutions Security Area Meet the Expert 1:1 meetings Meet Nicole Wajer / Ehsan A. Moghaddam Tweet/Follow @vlinder_nl & @moghaddame #CLEUR www.

45 Continue Your Education Demos in the World of Solutions Security Area Meet the Expert 1:1 meetings Meet Nicole Wajer / Ehsan A. Moghaddam #CLEUR you can watch all recordings BRKSEC How to make spam your best friend on your appliance Tuesday 11:15 BRKSEC I wonder where that Phish has gone Tuesday at 16:45 LALSEC Lunch and Learn - Cisco Security - Wednesday 22 February 13:00-14:30 BRKSEC AMP Threat Grid integrations with Web, and Endpoint Security - Thursday 11:30 LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark Ask Questions, Get Answers, Continue the Experience Use Cisco Spark to

Spark app from itunes or Google Play 1. Go to the Cisco Live Berlin 2017 Mobile app 2.

Enter the room, room name = LTRSEC-2009 5. Join the conversation!

46 Cisco Spark Ask Questions, Get Answers, Continue the Experience Use Cisco Spark to communicate with the Speaker and fellow participants after the session Download the Cisco Spark app from itunes or Google Play 1. Go to the Cisco Live Berlin 2017 Mobile app 2. Find this session 3. Click the Spark button under Speakers in the session description 4. Enter the room, room name = LTRSEC Join the conversation! The Spark Room will be open for 2 weeks after Cisco Live LTRSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 Thank You

Secure solutions for advanced threats

Secure solutions for advanced email threats Threat-centric email security Cosmina Calin Virtual System Engineer November 2016 Get ahead of attackers with threat-centric security solutions In our live Security