Cisco Email Security Flashcards

Learn primary technologies.

1
Q

SenderBase Reputation Filters

A

SenderBase scores are assigned to IP addresses based on a combination of factors, including email volume and reputation.

Reputation scores in SenderBase may range from -10 to +10, reflecting the likelihood that a sending IP address is trying to send spam. Highly negative scores indicate senders who are very likely to be sending spam; highly positive scores indicate senders who are unlikely to be sending spam.

SenderBase is designed to help email administrators better manage incoming email streams by providing objective data about the identity of senders. SenderBase is akin to a credit reporting service for email, providing data that ISPs and companies can use to differentiate legitimate senders from spam sources. SenderBase provides objective data that allows email administrators to reliably identify and block IP addresses originating unsolicited commercial email (UCE) or to verify the authenticity of legitimate incoming email from business partners, customers or any other important source. What makes SenderBase unique is that it provides a global view of email message volume and organizes the data in a way that makes it easy to identify and group related sources of email. SenderBase combines multiple sources of information to determine a “reputation score” for any IP address. This information includes:

Email volume information provided by tens of thousands of organizations that regularly receive Internet email
Spam complaints received by the SpamCop service
Information on other DNS-based blacklists

2
Q

ESA

A

Email Security Appliance

3
Q

CSM

A

Cisco Security Manager.

4
Q

Anti-Spam

A
  1. False Positive rate of less than 1 in 1,000,000.
  2. Uses CASE.
  3. Industry Leading Accuracy.
5
Q

CASE

A

Context Adaptive Scanning Engine.
Uses Complete Context of the Message.
1. Message content.
2. Message construction.
3. Sender
4. Where the call to action takes you.
This adds up to industry-leading accuracy.

6
Q

Forged Email Detection

A

Protects against BEC attacks focused on executives. Provides detailed logs of all attempts and actions taken.

7
Q

BEC

A

Business Email Compromise

8
Q

Benefits of Global Threat Intelligence (TALOS)

A

Uses TALOS, which combines data from the sources below and updates the rules in CES every 3 to 5 minutes.

  1. 600 billion emails per day.
  2. 16 billion web requests per day.
  3. 1.5 million malware samples.
9
Q

CDP

A

Cisco Domain Protection

1. Automates the process of implementing DMARC.

10
Q

Graymail Detection and Safe Unsubscribe

A
  1. Precisely classifies and monitors graymail coming in.
  2. Safe Unsubscribe protects from threats masquerading as unsubscribe links.
  3. Uniform interface for managing all subscriptions.
11
Q

Graymail

A

Marketing
Social Networking
Bulk Messages

12
Q

AMP

A

Advanced Malware Protection.

13
Q

AMP and Cisco Threat Grid

A
  1. File reputation scoring and blocking.
  2. Sandboxing
  3. File Retrospection
  4. Mailbox auto-remediation
  5. Integrates with AMP for endpoints to correlate files, telemetry data, behavior and activity to proactively defend against advanced threats from all possible vectors.
14
Q

File retrospection

A

Being able to see what has happened with a file and

15
Q

SPF

A

Sender Policy Framework

16
Q

DKIM

A

DomainKeys Identified Mail

17
Q

How does DKIM publish keys?

A

Through DNS

18
Q

What is DKIM in a nutshell for sender?

A
  1. You generate a keypair.
  2. Public key is published in DNS as a TXT record.
  3. Private key is stored on all outgoing mail gateways.
  4. As the message is sent out, it is canonicalized and then signed.
  5. Signature is inserted in a header called DKIM-Signature.
  6. Message is sent out.
19
Q

Canonicalized

A

Modified for easier signing.

20
Q

What is DKIM in a nutshell for receiver?

A
  1. Receive message.
  2. Parse DKIM signature header.
  3. Fetch public key.
  4. Verify hash for body and hash for header.
  5. Determine what to do with message if it fails.
21
Q

What are the 9 parts of the DKIM-Signature Header

A
  1. DKIM-Signature: Header field name.
  2. v=1: Version, DKIM version.
  3. a=rsa-sha256: Algorithm used for signing and hashing.
  4. c=relaxed/simple: Canonicalization scheme.
  5. d=ietf.org: Who is signing the message; doesn’t have to match the sending domain, anyone can sign a message.
  6. s=ietf1: Selector, for multiple versions of a key.
  7. h=To:From:Date:Subject:List-ID:List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: LIST OF HEADERS THAT ARE SIGNED
  8. bh=+Imgidla2peicjdls5jfi?jfiJDi:9fis: HEADER HASH
  9. b=DmDxUUN1XBQDUFb930490VjkdQjfolij9d09f0s…: BODY HASH
22
Q

Sender Group

A

Contains a list of sender IP addresses or domains.

23
Q

Mail Flow Policy

A

Tells the sender group what to do with the connection.

24
Q

CASE non-final action

A

Allows the message to continue processing down the workqueue.

25
Q

CASE “early exit”

A

A final action of “drop” exits immediately and does not continue down the workqueue.

26
Q

What are the 3 types of spoofing attacks?

A
  1. Simple Spoof
  2. Cousin Domain / Typo Squatting
  3. Display Name Modification
27
Q

Simple Spoof

A

Who are they spoofing?: External Parties
Target: Your Users
Description: Attacker attempts to change or manipulate the Envelope From in the headers of an email, or change the Reply-To to redirect email.

28
Q

Cousin Domain / Typo Squatting

A

Who are they spoofing?: Your Brand
Target: Your Customers
Description: Relies on minor changes to the suffix and/or prefix of your domain. They register a domain that is very close to yours and then use various techniques to get past controls.

29
Q

Display Name Modification

A

AKA (Business Email Compromise or BEC):

  1. Using legitimate domains that are either hijacked or created.
  2. Manipulate message headers to show:
    a. An accurate display name.
    b. Cousin Domain / Typo in the email address
  3. Most common attack with a high success rate.
30
Q

CES Disclaimers and Action Variables

A

We can display a message that says WARNING: Replies to this message will go to $EnvelopeFrom. If you are unsure this is correct please contact the helpdesk.

We can set this policy to not apply to messages from trusted senders that we do want to spoof.

31
Q

Define the 6 parts of a DMARC record.

A
  1. _dmarc.cinbell.com: TXT Record for cinbell.com
  2. v=DMARC1: DMARC version
  3. p=quarantine: p tag, Action to take on auth failure.
  4. pct=100: Percentage of messages to apply policy to.
  5. rua=mailto:dmarc-rua@cinbell.com: Aggregate Feedback report URI
  6. ruf=mailto:dmarc-ruf@cinbell.com: Forensic Feedback report URI.
32
Q

What 3 technologies does CASE use?

A
  1. IronPort Anti-Spam
  2. Graymail Detection
  3. Threat Outbreak Filter