
Cisco dCloud

Cisco Email Security Solutions 11 Lab v1.2


Last Updated: 05-APRIL-2018

About This Demonstration


The guide for this preconfigured demonstration includes:

• Requirements

• About This Solution

• Supporting Files

• Topology

• Get Started

• Case Study

• Scenario 1: Protecting Against Malicious or Undesirable URLs Beneath Shortened URLs

• Scenario 2: Protecting Against Malicious or Undesirable URLs inside Attachments

• Scenario 3: Intelligently Handle the Unscannable Messages

• Scenario 4: Leverage AMP Cloud Intelligence via Pre-Classification Enhancement

• Scenario 5: ESA integrate into AMP Console

• Scenario 6: DomainKeys Identified Mail (DKIM)

• Scenario 7: Sender Policy Framework (SPF)

• Scenario 8: Domain-based Message Authentication, Reporting and Conformance (DMARC)

• Appendix A: Troubleshooting

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Table 1. Requirements

Required              Optional

● Laptop              ● Cisco AnyConnect®

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 98

About This Solution


Cisco Email Security, formerly Cisco IronPort Email Security, delivers industry-leading inbound and outbound email cleansing and
control, offering highly available email protection against the constant, dynamic, rapidly changing threats affecting email today, in a
variety of form factors to fit customer needs.

Read the Email Security Overview for detailed information on Cisco Email Security features and benefits, available form factors,
Cisco differentiators, and more.

Supporting Files
This lab uses supporting files in various scenarios; they are all located in the dCloud Files folder on the desktop of the
Workstation.

NOTE: In some scenarios, security warnings may be presented advising the user to exercise caution when executing certain
supporting files; these files are perfectly safe.

All files that are classified as malicious are in fact benign and present no harm to any environment.


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.

Figure 1. dCloud Topology


Logical Topology
The logical topology for all lab scenarios is based on the following:

Alan represents an internal user and uses Microsoft Outlook as his mail client. The corporate mail servers are Microsoft Exchange,
which in turn forwards to the Cisco Email Security solution for policy control and email hygiene before routing messages.

Ben represents an external user located anywhere on the internet. Ben also uses the Microsoft Outlook client for managing his
mailbox, and coincidentally adopted the Cisco Email Security solution to improve spoofing protection for outgoing emails sent from
his email domain.

Alan Alpha - alan@dcloud.cisco.com
Ben Bravo - ben@dcloud-out.cisco.com


Get Started
BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front
of a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How].

• Workstation 1: 198.18.133.36, Username: administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.


Case Study

Voyage Corp

Voyage Corp has used Cisco Email Security AsyncOS for over a year and has seen the volume of email containing spam and
malicious threats decrease significantly as a result. Cisco announced that a new version of the operating system, version 11.1, will
be generally available to all customers. The new version continues to improve the scanning engines present in the current solution
and adds industry-leading features that address common use cases. Such features include integration with Unity for Advanced
Malware Protection visibility across multiple places, support for scanning URLs that have been modified by shortener services,
scanning URLs within documents, and many improvements in the AMP engine for file analysis.

Despite their email security posture being in good working and controllable order, Voyage Corp has decided to upgrade its
messaging platform in order to take advantage of these additional security features and ensure it has best-of-breed security in
place for the present and future.

Finally, following continuous discussions with key strategic business partners over the past 18 months, Voyage Corp has also
decided to implement additional technologies, including SPF, DKIM and DMARC, to enhance its anti-spoofing defences.

Security Solution

Voyage Corp continues to invest in the Cisco Email Security Solution as the primary technology to secure its email infrastructure,
with a few enhancements deployed after the AsyncOS upgrade to version 11.1:

• URL Filtering Enhancement – Shortened URLs and URLs inside attachments

• File Unscannable Behaviour Monitoring

• AMP Reputation Enhancement – Increased number of supported file types

• AMP Pre-Classification Enhancement

• ESA integration with the AMP for Endpoints cloud console

Objective

This lab runs through a series of exercises to implement the necessary security controls to defend against today's sophisticated
attacks. Email remains a primary attack vector and, given its importance to Voyage Corp, it is vital that all avenues are sufficiently
defended.

Though not strictly required, it is advisable that all scenarios are run in sequence.


Protecting Against Malicious or Undesirable URLs Beneath Shortened URLs

Use Case
There has been a steady increase in the number of hyperlinks entering the company via emails sent to multiple users. Cisco Email
Security has done a good job of managing these URLs, either by enforcing user acceptance controls or by providing click-time URL
scanning to ensure end users are not directed to websites hosting malware that may compromise an end user's workstation.

Recently a user in the production services department received an email that contained a shortened URL; when she clicked it she
was redirected to a different site from the one initially requested and malware was downloaded to her machine. As the workstation
in question also had the AMP for Endpoints client installed, no damage was done.

Despite this multi-layer defence, the InfoSec department has instructed the Cisco Email Security administrators to implement the
necessary controls immediately to prevent this from happening again.

Security Control
The Cisco Email Security solution with AsyncOS version 11.1 now includes an additional option to query a shortened URL to
identify the destination of the HTTP request for up to ten levels.

Objective
This scenario will walk through the configuration of URL Filtering for shortened URLs that reference sites that host malware.
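As an added illustration that is not part of the lab guide or of Cisco's AsyncOS code, the Python below mirrors the control described above: it follows a shortened link's redirect chain for at most ten levels, stops on loops or unreachable hosts, and then decides from a constructed reputation table whether the link should be sent through a proxy. The response table, the reputation verdicts and the proxy URL prefix are all constructed placeholders.

```python
from urllib.parse import quote, urljoin, urlsplit

# The page states that AsyncOS 11.1 queries a shortened URL for up to ten levels of redirection.
MAX_LEVELS = 10

# Constructed stand-in for HEAD requests: url -> (HTTP status, Location header or None).
# The bit.ly entry mirrors the lab message; everything else is invented for this example.
FAKE_RESPONSES = {
    "http://bit.ly/1gCJ3bf": (301, "http://ihaveabadreputation.com"),
    "http://ihaveabadreputation.com": (200, None),
    "http://short.example/loop-a": (302, "/loop-b"),   # relative Location header ...
    "http://short.example/loop-b": (302, "/loop-a"),   # ... pointing back: a redirect loop
}
# A chain of twelve redirects, longer than the ten-level limit.
for i in range(12):
    FAKE_RESPONSES[f"http://short.example/hop{i}"] = (301, f"http://short.example/hop{i + 1}")
FAKE_RESPONSES["http://short.example/hop12"] = (200, None)


def fake_fetch(url):
    """Return (status, location) from the constructed table; unknown hosts behave as unreachable."""
    if url not in FAKE_RESPONSES:
        raise ConnectionError(f"no response for {url}")
    return FAKE_RESPONSES[url]


def resolve_shortened(url, fetch=fake_fetch, max_levels=MAX_LEVELS):
    """Follow the redirect chain behind a shortened URL and report where it ends.

    status is 'resolved', 'loop', 'limit_exceeded' or 'error'; chain lists every URL visited.
    """
    chain, seen, redirects, current = [url], {url}, 0, url
    while True:
        try:
            status, location = fetch(current)
        except ConnectionError as exc:
            return {"status": "error", "final_url": current, "chain": chain, "reason": str(exc)}
        if status not in (301, 302, 303, 307, 308) or location is None:
            return {"status": "resolved", "final_url": current, "chain": chain}
        if redirects == max_levels:
            # Ten redirects already followed and the page is still redirecting: give up.
            return {"status": "limit_exceeded", "final_url": current, "chain": chain}
        nxt = urljoin(current, location)  # relative Location headers resolve against the current URL
        if nxt in seen:
            return {"status": "loop", "final_url": nxt, "chain": chain + [nxt]}
        seen.add(nxt)
        chain.append(nxt)
        redirects += 1
        current = nxt


# Constructed reputation verdicts standing in for the cloud lookup, and a placeholder
# redirect prefix: the real Cisco Security Proxy URL format is not given on the page.
FAKE_REPUTATION = {"ihaveabadreputation.com": "malicious"}
PROXY_PREFIX = "https://security-proxy.example/redirect?url="


def apply_url_filter(url):
    """Mirror the lab's content filter: reveal the destination, then decide how to treat the link.

    Links that cannot be resolved (loop, limit, error) are treated as suspicious here; that is a
    conservative choice made for this example, not something the page specifies.
    """
    result = resolve_shortened(url)
    host = urlsplit(result["final_url"]).hostname or ""
    verdict = FAKE_REPUTATION.get(host, "unknown") if result["status"] == "resolved" else "unresolved"
    redirect = verdict in ("malicious", "unresolved")
    return {
        "verdict": verdict,
        "action": "redirect_to_proxy" if redirect else "deliver_unchanged",
        "rewritten": PROXY_PREFIX + quote(url, safe="") if redirect else url,
        **result,
    }
```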


Steps

Sending an email with shortened URL (Estimated time to complete: 5 min)

For this scenario, the external user Ben will send an email with a shortened URL to the internal user Alan, with and without the
shortened URL filtering policy configured, to see the effect on the end result.

1. Launch Microsoft Outlook from the taskbar of Workstation 1 (known henceforth as the workstation) and prepare an email with
the following parameters:
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: New plugin for cloud backup application tool

Body: Hi Alan,

Please click the link below to download the latest plug-in for your cloud backup application tool.

http://bit.ly/1gCJ3bf


3. Send the email - Force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.

4. Navigate back to Alan’s inbox and synchronize the mail client by clicking the Send/Receive Folder button or pressing the F9
key 2-3 times.

5. As there is no shortened URL filtering policy present, the email will be delivered to Alan's mailbox without any change to the
shortened hyperlink; this is expected behaviour.

6. Click the shortened hyperlink within the message once; it will launch a browser with the site accessible. If this were a site that
contained malicious content, the end user who clicked the link would be exposed and the damage could potentially spread
quickly across interconnected devices.

7. The next task configures the Cisco Email Security solution with the Shortened URL filtering feature to implement the
necessary controls to keep the end user protected from the malicious content.


Enable URL filtering for Shortened URLs (Estimated time to complete: 15 min)

This task will enable the shortened URL option in the advanced web security settings via a CLI session.

1. From the workstation launch PuTTY from the taskbar, select ESA from the Saved Sessions and click Open, acknowledging any
security warning presented.

2. Log in using the following credentials: Username: admin, password: C1sco12345


3. Once logged in, issue the command websecurityconfig and press Enter. Verify that URL Filtering is Enabled; otherwise, answer
Y to the Enable URL Filtering? prompt to activate the URL Filtering service.

4. Remaining in the same CLI session, issue the command websecurityadvancedconfig and press Enter. Press [Enter] a few more
times to keep all options at their default settings, making sure the Do you want to enable URL filtering for shortened URLs?
option is set to Y.


5. Next, issue the command outbreakconfig and press Enter. Make sure Outbreak Filters is already Enabled. All other options can
remain at their default values; answer Y to Do you wish to enable logging of URLs?. This setting provides more detail about
URL Filtering rule activity in the mail log.

6. Once the settings have been verified, ensure the changes are applied by issuing the command commit, adding optional
comments if desired.


Configuring a Content Filter (Estimated time to complete: 10 min)

This task will create a new content filter to identify potentially malicious URLs that have been rewritten as shortened hyperlinks and
take an appropriate action on the message – direct it through the Cisco Security Proxy, which in turn will determine whether the
revealed URL is in fact potentially dangerous.
1. From the workstation launch Google Chrome. Click the ESA bookmark and acknowledge the warning that the connection is
unsafe by clicking Advanced and then Proceed to esa.dcloud.cisco.com (unsafe); the default page, the Cisco Email Security
GUI, will load automatically. Log in with the following credentials: Username: admin, Passphrase: C1sco12345

2. Upon successful authentication, the Cisco Email security landing page, My Dashboard will be presented.

3. From the workstation access the GUI and navigate to Mail Policy > Incoming Content Filters and click Add Filter.

4. Using the following settings configure the Conditions and Actions.


Name: Shortened_URL_CF

Description: Redirect Bad Reputation URLs within email messages

Action 1: URL Reputation > Redirect to Cisco Security Proxy


5. Click OK.

6. Click Submit to apply the actions.

7. Once complete, ensure the changes are applied by clicking the Commit Changes button, adding optional comments if
desired.

NOTE: Learn more about how Content Filters work and how flexible they can be here: Content Filters.


Edit Incoming Mail Policy (Estimated time to complete: 3 min)

Once the necessary content filter has been configured it must be enabled in a Mail Policy to be effective.

1. From the workstation access the GUI of ESA and navigate to Mail Policy > Incoming Mail Policies and click within the
Content Filters box of the Default Policy.

2. Place a checkmark against the content filter Shortened_URL_CF created in the previous step to enable it.

3. Click Submit to create the content Filter and verify the policy.

4. Once complete, ensure the changes are applied by clicking the Commit Changes button - top right of screen, adding optional
comments if desired.

NOTE: Learn more about Mail Policies here: Mail Policies


Testing URL Filtering (Estimated time to complete: 15 min)

With the pre-requisite configuration in place, the URL Filtering feature can be tested by sending an email to Alan from external user
Ben with a potentially malicious URL within the body of the message.

1. From the workstation launch PuTTY from the taskbar, select ESA from the Saved Sessions and click Open, acknowledging any
security warning presented.

2. Log in using the credentials listed earlier in this document. Once logged in, issue the command tail mail_logs and press
Enter. Leave this running in the background and proceed to the next step.

NOTE: The tail command prints the last few lines of the mail logs on the terminal; this is especially useful for reading the most
recent error messages or events as they happen. It can be used against any of the 30+ log files available on the Cisco Email
Security solution; type tail on its own and press Enter to view the list of logs.


3. From the workstation launch Microsoft Outlook and from Ben’s inbox, prepare a new message with the following parameters.
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: New plugin for cloud backup application tool

Body: Hi Alan,

Please click the link below to download the latest plug-in for your cloud backup
application tool.

http://bit.ly/1gCJ3bf

4. Send the email - Force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.


5. Switch back to the CLI session of the ESA and notice how the Shortened_URL_CF rule handled the message: it reveals the
original URL (http://ihaveabadreputation.com) that was rewritten as a shortened hyperlink and redirects it to the Cisco Security
Proxy, which will determine, based on web reputation, whether the URL within the message is potentially dangerous.

6. Navigate back to Alan's inbox and notice how the URL has now changed: the hyperlink is much longer as it contains a
redirection to the Cisco Security Proxy.


NOTE: URL reputation and category are provided by the cloud-based Cisco Web Security Services. The Email Security solution
connects to the Cisco Web Security Services either directly or through a web proxy, using the port specified for URL filtering
services in Firewall Information. Communication is over HTTPS with mutual certificate authentication.

7. Click the Cisco proxy redirected URL once to access it within a browser and note that based on reputation access to the URL
is strictly prohibited as per the policy configured earlier.

NOTE: Learn more about Protecting Against Malicious or Undesirable URLs here: Protecting Against Malicious or Undesirable
URLs


Protecting Against Malicious or Undesirable URLs inside Attachments

Use Case
Use of email as a primary method of communication between business partners has increased and, furthermore, in an effort to
reduce the unnecessary printing of documents as part of the state-wide green initiative, the exchange of contracts is now done via
email messages. These documents often contain links to terms and conditions of business that are often hosted on external web
servers in multiple geographical locations.

Recently a legal representative received an email with a Portable Document Format (PDF) attachment that contained hyperlinks to
such sites; clicking one of the hyperlinks redirected the end user to a site that downloaded a script containing a malicious payload,
thus infecting the user's web browser.

Security Control
The Cisco Email Security solution with AsyncOS version 11.1 now includes an additional option to scan URLs within documents
and redirect them via the Cisco Web Proxy to check for malicious content.

Objective
This scenario will demonstrate how to protect against malicious URLs within email attachments by leveraging the Cisco Security
Proxy service to ensure end users are not accessing websites that are prohibited by company policy or that may be a source of
malware or viruses.

Steps

Accessing URLs within Messages (Estimated time to complete: 5 min)

The first task will demonstrate how potentially dangerous links within email attachments can be if mechanisms are not in place to
advise users of the dangers of URLs within the attachment's content.

1. From the workstation launch Microsoft Outlook and from Ben’s inbox, prepare a new message with the following parameters.
From: ben@dcloud-out.cisco.com
To: alan@dcloud.cisco.com
Subject: New supplier report
Body: Hi Alan,

Please find attached the file contain information for the new suppliers who have contacted us in
this quarter.
Attachment: URL-Inside.doc - located on the desktop under the Attachment_URL sub-folder


2. Send the email - Force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.


3. Examine the inbox to verify receipt of the message. It should arrive exactly as sent, with the potentially malicious hyperlink
present.

As there is no URL Filtering for Attachment policy present, the email with the attachment will be delivered to Alan's mailbox; this is
expected behaviour. Open the attachment to view the content of the Microsoft Word file; the content should be clearly visible and
the email message unaltered.

Though the message has been delivered to its intended recipient, it has still been processed by the multiple Cisco Email Security
solution engines, and if at any point one of these engines had deemed the message or attachment to contain something untoward,
such as a viral attachment, then the configured action would have been applied.

The next task configures the Cisco Email Security solution with the URL Filtering for Attachment feature to implement the
necessary controls to prevent internal users from reaching unauthorized websites.

Configuring a Content Filter (Estimated time to complete: 10 min)

Content Filters are used to customize the handling of messages beyond the standard handling by the other content security
features, such as anti-virus scanning.

This task will create a new content filter to identify potentially malicious or undesirable URLs within email attachments and take an
appropriate action on the message.

1. From the workstation access the GUI of ESA and navigate to Mail Policy > Incoming Content Filters and click Add Filter.
Using the following settings configure the Conditions and Actions.
Name: Attachment_URL_CF

Description: Prepend header if found prohibited URL inside file attachment

Condition 1: URL Category > Selected Categories > News | Select > Include Attachments

Action 1: Add / Edit Header > Header Name: Subject > Prepend to the Value of Existing Header: [Prohibited URL Found]


2. Click OK.


3. Click OK.

4. Click Submit to apply the actions.

5. Once complete, ensure the changes are applied by clicking the Commit Changes button, adding optional comments if
desired.


Edit Incoming Mail Policy (Estimated time to complete: 3 min)

Once the necessary content filter has been configured it must be enabled to a Mail Policy to be effective.

1. From the workstation access the GUI of ESA and navigate to Mail Policy > Incoming Mail Policies and click within the
Content Filters box of the Default Policy.

2. Place a checkmark against the content filter Attachment_URL_CF created in the previous step to enable it.

3. Click Submit to create the content Filter and verify the policy.

4. Once complete, ensure the changes are applied by clicking the Commit Changes button - top right of screen, adding optional
comments if desired.


Testing URL Filtering for Attachment (Estimated time to complete: 3 min)

With the pre-requisite configuration in place, the URL Filtering for attachment feature can be tested by sending an email to Alan
from the external user Ben with a potentially dangerous URL within the content of the message attachment.

Prior to preparing the message, initiate a connection to the ESA from the CLI in order to view, using the tail command, the mail
logs to see the message being processed and the actions being applied as it works its way through the email messaging pipeline.

1. From the workstation launch Microsoft Outlook and from Ben’s inbox, prepare a new message with the following parameters.
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: New supplier report

Body: Hi Alan,

Please find attached the file contain information for the new suppliers who have contacted us in this
quarter.

Attachment: URL-Inside.doc - located on the desktop under the Attachment_URL sub-folder

2. Send the email - Force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.


3. Switch back to the CLI of the ESA and notice how the Attachment_URL_CF content filter rule handled the email's attachment: it
adds [Prohibited URL Found] in front of the email's original subject header, based on the web categories selected in the content
filter's condition.

4. Navigate back to Alan's inbox and notice how the subject has now changed, prepended with the additional text [Prohibited URL
Found] to make the message's recipient immediately aware that something prohibited is inside the attached document(s).


Intelligently Handle the Unscannable Messages

Use Case
The IT department performs regular reviews of all logs to quickly identify potential issues that may not be flagged by the various
systems in place. A junior email administrator was tasked with performing a review of all email-related logs, starting with the
on-premises messaging servers in the form of Microsoft Exchange and going up to the Cisco Email Security solution.

During one routine review, the administrator noticed the mail logs listing a message he had not seen before; the log line read
MID 274 was marked Unscannable due to RFC violation. As this was the first time it had been seen, he immediately advised a more
experienced email administrator, who was concerned that this message might bypass the Cisco Email Security scanning engines
and compromise internal systems.

Following an internal team meeting to discuss outstanding issues, a decision was made to enable the Unscannable feature in
Cisco AsyncOS v11.1.

Security Control
An email with malformed headers, or one that claims to be a multipart message but is missing its subparts or boundary, is
considered to be in violation of the Request for Comments (RFC) standards for email messaging.

Cisco Email Security can identify such an email message as Unscannable and take an action specified by the administrator.

Objective
This scenario will demonstrate how Cisco Email Security incorporates a feature directly into the base operating system to
intelligently detect email messages that are in violation of the RFC.

Configure Scan Behaviour (Estimated time to complete: 1 min)

This task will enable the additional Unscannable settings for the Extraction Failure and RFC Violation conditions inside the Scan
Behavior global settings.

1. From the workstation access the GUI of ESA and navigate to Security Services and click Scan Behavior. Click Edit Global
Setting and using the following settings configure the Actions for unscannable message due to Extraction Failures and RFC
Violations.
Name: Action for Unscannable Messages due to Extraction Failures

Action 1: Yes > Deliver As Is

Click Prepend Message Subject > [WARNING: UNSCANNABLE EXTRACTION FAILED]


Advanced:
Name: Action for Unscannable Messages due to RFC Violations


Action 1: Yes > Deliver As Is

Click Prepend Message Subject > [WARNING: UNSCANNABLE RFC NON-COMPLIANT]


Advanced:

2. Click Submit.

3. Once complete, ensure the changes are applied by clicking the Commit Changes button - top right of screen, adding optional
comments if desired.
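As an added example that is not part of the lab guide, the Python below uses the standard library's email parser to flag the RFC violations described in this scenario (malformed headers, multipart messages with no boundary or no subparts) on constructed sample messages, and applies the same action configured above: deliver as is, with the warning tag prepended to the Subject.

```python
import email
from email import policy
from email.errors import (MultipartInvariantViolationDefect, NoBoundaryInMultipartDefect,
                          StartBoundaryNotFoundDefect)

# Subject tag configured in the Scan Behavior settings above for RFC violations.
RFC_TAG = "[WARNING: UNSCANNABLE RFC NON-COMPLIANT]"

# Parser defects matching the page's description: multipart claimed, but no boundary or no subparts.
MULTIPART_DEFECTS = (NoBoundaryInMultipartDefect, StartBoundaryNotFoundDefect,
                     MultipartInvariantViolationDefect)

# Constructed sample messages (the headers echo the lab's Ben-to-Alan message).
HEADERS = ("From: ben@dcloud-out.cisco.com\n"
           "To: alan@dcloud.cisco.com\n"
           "Subject: The Photos\n"
           "MIME-Version: 1.0\n")
WELL_FORMED = (HEADERS + 'Content-Type: multipart/mixed; boundary="b1"\n\n'
               "--b1\nContent-Type: text/plain\n\nHere are the photos.\n--b1--\n")
NO_BOUNDARY = HEADERS + "Content-Type: multipart/mixed\n\nclaims multipart but has no boundary\n"
NO_SUBPARTS = (HEADERS + 'Content-Type: multipart/mixed; boundary="b1"\n\n'
               "boundary declared but no part ever starts\n")
MALFORMED_HEADER = ("From: ben@dcloud-out.cisco.com\nSubject: The Photos\n"
                    "X-Broken-Header-Without-Colon\nTo: alan@dcloud.cisco.com\n\nbody\n")


def check_rfc_compliance(raw):
    """Parse a raw message and collect the structural defects the parser records.

    Returns (message, defect class names); an empty list means no violation was seen.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    defects = list(msg.defects)
    for part in msg.walk():          # nested parts keep their own defect lists
        if part is not msg:
            defects.extend(part.defects)
    return msg, [type(d).__name__ for d in defects]


def handle_unscannable(raw):
    """Apply the action configured in the lab: deliver as is, with the warning tag prepended."""
    msg, names = check_rfc_compliance(raw)
    subject = str(msg.get("Subject", ""))
    multipart_issue = any(isinstance(d, MULTIPART_DEFECTS) for d in msg.defects)
    if names:
        subject = f"{RFC_TAG} {subject}".strip()
    return {"unscannable": bool(names), "multipart_issue": multipart_issue,
            "defects": names, "subject": subject}
```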

Testing Unscannable Message Detection (Estimated time to complete: 5 min)

To demonstrate how Cisco Email Security handles an unscannable file or malformed message, send an email from Ben to Alan;
this simulates a message coming into the organization from an external user as per our earlier topology.

1. Prior to preparing the message, initiate a connection to the ESA from the CLI in order to view, using the tail command, the mail
logs to see the message being processed and the actions being applied as it works its way through the pipeline.


2. From the workstation launch Outlook from the desktop and from Ben’s mailbox, create an email with the following parameters:
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: The Photos

Body: Here are the photos of the new product design mentioned on our call. I have compressed them into single zip
file.

Attach: unscannable.zip - located on the desktop under the Unscannable sub folder.


3. Send the email - Force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.

4. Navigate to the CLI shell opened previously and look for the message indicating that the file is unscannable. Note that the
attachment has been marked as unscannable due to extraction failure, with the detailed reason given in the mail log.

5. Return to the workstation, synchronize the messages once more and the message will now appear in Alan’s mailbox, note the
additional text has been added to the subject header as configured in the Scan Behavior setting.


Leverage AMP Cloud Intelligence via Pre-Classification Enhancement

Use Case
As expected by the business, the volume of email has increased significantly and, as a result, the number of files entering the
organization via email has also increased. Voyage Corp has invested heavily in multiple scanning engines and is now noticing that
certain files are not being sent to Cisco ThreatGrid (TG) for analysis.

After investigating the issue, it was determined that the upload limits had been reached, and this resulted in files beyond that limit
not being analysed. One option presented by the Cisco account team was to purchase additional sample packs; however, this
would require funding from the business unit, which can take several weeks to approve.

The email administrator offers an interim solution: take advantage of the improved pre-classification engine in Cisco AsyncOS
v11.1, which will significantly reduce the number of files that need to be sent for analysis by making an early decision within the
Cisco Email Security solution as to whether the files contain any dynamic content that may compromise an end user.

Security Control
The AMP Pre-classification feature checks for properties in the metadata fields that are often present in malicious files. A common
example is scripts embedded in documents. The majority of malicious documents contain scripts or macros, while the majority of
benign documents do not. The purpose of these heuristics is to identify files that should be examined more closely (e.g. by a
sandbox) to determine if they are malicious.

Objective
This scenario demonstrates how AMP pre-classification leverages cloud intelligence to determine whether any active or dynamic content
is present in a received email attachment. This increases the number of file types supported for TG analysis while
reducing the handling time for low-risk files.

NOTE: Learn more about Advanced Malware Protection here: Advanced Malware Protection

Choose supported file types (Estimated time to complete: 1 min)

The list of supported file types has been extended to more than 380 selections, and the improved AMP pre-classification quickly
detects whether an unknown file has scripts or macros embedded in its metadata fields or is simply static content that can be
safely passed to the next layer of inspection in the pipeline.
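The following is an added Python example, not Cisco's engine or the lab's files, of the kind of metadata check the pre-classification step makes: an attachment's raw bytes are sorted into the LOWRISK and UNKNOWN dispositions seen in the lab's AMP log, with a reason. The format checks are deliberately simplified and every sample is constructed.

```python
"""Toy pre-classification of an email attachment: decide whether the bytes
carry dynamic content that warrants sandbox analysis (UNKNOWN) or are static
content that can pass to the next inspection layer (LOWRISK).
Constructed example with simplified format checks, not Cisco's engine."""
from __future__ import annotations

import io
import re
import zipfile

# Dispositions named as they appear in the lab's AMP log output.
LOWRISK = "LOWRISK"
UNKNOWN = "UNKNOWN"

# PDF name objects that introduce executable behaviour. A real engine also
# decodes #xx-escaped names (e.g. /J#61vaScript); this toy does not.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|Launch|AA)\b")


def preclassify(data: bytes) -> tuple[str, str]:
    """Return (disposition, reason) for the raw bytes of an attachment."""
    if data.startswith(b"MZ"):
        return UNKNOWN, "PE executable: dynamic content by definition"
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        # Legacy OLE2 (.doc/.xls). Enumerating VBA streams needs a
        # structured-storage parser, so stay conservative and send it on.
        return UNKNOWN, "OLE2 container: cannot rule out VBA streams"
    if data.startswith(b"%PDF"):
        match = PDF_ACTIVE.search(data)
        if match:
            return UNKNOWN, f"PDF declares active object /{match.group(1).decode()}"
        return LOWRISK, "PDF without JavaScript or launch actions"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = archive.namelist()
        except zipfile.BadZipFile:
            return UNKNOWN, "corrupt ZIP container"
        if "[Content_Types].xml" in names:
            # OOXML (docx/xlsx/pptx): a macro project is stored as vbaProject.bin.
            macros = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if macros:
                return UNKNOWN, f"OOXML document embeds macro part {macros[0]}"
            return LOWRISK, "OOXML document without a macro part"
        return UNKNOWN, "generic ZIP archive: members not classified"
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            pass
        else:
            return LOWRISK, "plain text: no dynamic content possible"
    return UNKNOWN, "unrecognised binary content"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples mirroring the lab's Low Risk and High Risk folders.
    samples = {
        "Text_File.txt": b"Hi Alan,\nAttached is the latest product brochure.\n",
        "Exe_File.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "Brochure.docx": make_ooxml(with_macro=False),
        "Brochure.docm": make_ooxml(with_macro=True),
        "Form.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >>\n",
    }
    for name, blob in samples.items():
        disposition, reason = preclassify(blob)
        print(f"{name:14s} {disposition:8s} {reason}")
```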

1. From the workstation access the GUI of ESA, navigate to Security Services and click File Reputation and Analysis.
Click Edit Global Settings and use the following settings to choose the supported file types inside the File Analysis section.
Name: File Analysis
Action 1: Choose Enable File Analysis

Action 2: Click Select All

2. Click Submit.

3. Once complete, ensure the changes are applied by clicking the Commit Changes button - top right of screen, adding optional
comments if desired.

Edit Incoming Mail Policy (Estimated time to complete: 3 min)

1. Edit the default policy to modify the action that will be applied to messages which have files that have been sent for analysis to
the Cisco AMP cloud.

2. From the workstation access the GUI of ESA and navigate to Mail Policy > Incoming Mail Policies and click within the
Advanced Malware Protection section of the Default Policy.

3. Verify that File Analysis is enabled; this allows any qualifying file which has an unknown disposition to be redirected to the
Cisco ThreatGrid sandbox for expert analysis and a verdict.

4. Scroll down towards the Message with File Analysis Pending section and modify the Action Applied to Message to Deliver
As Is.

5. Click Submit to apply the actions. Once complete, ensure you apply the change by clicking the Commit Changes button,
adding optional comments if desired.

Send a Message with a benign file (Estimated time to complete: 3 min)

Now send a message from Ben to Alan with a text file as an attachment; this is sufficient to trigger the AMP pre-classification
engine and obtain the resulting disposition.

1. Prior to preparing the message, initiate a connection to the ESA from the CLI in order to view, using the tail command, the mail
logs to see the message being processed and the actions being applied as it works its way through the pipeline.

2. From the workstation launch Microsoft Outlook and from Ben’s inbox, prepare a new message with the following parameters.
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: New Product Brochure

Body: Hi Alan,

Attached is the latest version of the product brochure, please review it and share your thoughts.

Attach: Attach the following file Text_File.txt - located on the desktop under the AMP_Preclass > Low Risk sub folder.

3. Send the message. Force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.

Monitor AMP Actions Against a Text File (Estimated time to complete: 15 min)

This task demonstrates how a plain text file is handled by the Cisco Email Security Solution and specifically by the enhanced AMP
pre-classification engine.

1. Navigate to the CLI session of ESA and wait for the logs to scroll; it may take a few moments for the screen to refresh with
fresh activity.

2. The highlighted lines below, together with the line before them, show the file reputation verdict of LOWRISK. The file will therefore
not be sent for further analysis but is immediately forwarded to the remaining inspection layers in the same inbound mail policy.

3. In the same CLI session, issue the command tail amp and press Enter. The AMP log shows the response to the query from the AMP
Cloud: no active or dynamic content exists in this text file, so it will not be uploaded for analysis.

4. Navigate back to Alan’s inbox and synchronize the mail client by clicking the Send/Receive Folder button or pressing the F9
key 2-3 times.

5. As the disposition is set to LOWRISK, the email with Text_File.txt as an attachment will be delivered to Alan’s mailbox; this is
expected behaviour. Open the attachment to view the content of the text file; the content should be clearly visible and the
email message unaltered.

6. On the GUI session of ESA, navigate to Monitor > Advanced Malware Protection report. In the summary of files
handled by AMP, a LowRisk disposition incident has been recorded.

7. Clicking on the incident under LowRisk disposition launches Message Tracking, where more information about the message flow
and the various actions applied to it can be viewed.

8. Click Show Details to view this specific message in detail.

Create an Executable File (Estimated time to complete: 1 min)

An executable file is generated to elicit a different disposition from the AMP cloud.

1. Navigate to the desktop of the workstation, locate and open the folder called dCloud Files, then open the
sub-folder named AMP_Preclass.

2. Open the sub-folder High Risk, double-click exe-generator.cmd and acknowledge the Run button when
prompted. If it runs successfully, a second file will be present named Exe_File.exe.

Send a Message with an Executable File (Estimated time to complete: 3 min)

Now send a message from Ben to Alan with an executable file as an attachment; this is sufficient to trigger the AMP pre-
classification engine and obtain the resulting disposition.

1. Prior to preparing the message, initiate a connection to the ESA from the CLI in order to view, using the tail command, the mail
logs to see the message being processed and the actions being applied as it works its way through the pipeline.

2. From the workstation launch Microsoft Outlook and from Ben’s inbox, prepare a new message with the following parameters.
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: New OS Service Patch

Body: Hi Alan,

Attached is the latest OS service patch, please double click and install immediately.

Attach: Exe_File.exe - located on the desktop under the AMP_Preclass > High Risk sub folder.

3. Send the message – Microsoft Outlook will display a warning about unsafe files, click Yes to ignore this. Force the
synchronization process by clicking Send/Receive Folder or by pressing the F9 key.

Monitor AMP Actions Against Suspicious Files (Estimated time to complete: 5 min)

This task demonstrates how a suspicious file is handled by the Cisco Email Security Solution and specifically by the enhanced AMP
pre-classification engine.

1. Navigate to the CLI session of ESA and wait for the logs to scroll; it may take a few moments for the screen to refresh with
fresh activity.

2. The highlighted lines below, together with the line before them, show the file reputation verdict of UNKNOWN. The file will
therefore be sent for further analysis; also note that a SHA256 has been assigned.

3. From the GUI session on the workstation, navigate to Monitor > Advanced Malware Protection report. In the
summary of files handled by AMP, an Unknown disposition incident has been recorded.

4. Clicking on the incident under Unknown disposition launches Message Tracking, where more information about the message flow
and the various actions applied to it can be viewed.

5. Click Show Details to view this specific message in detail.

ESA Integration into AMP Console

Use Case
Voyage Corp has a wide range of Cisco products in its production environments, including Cisco Next Generation Firewall
(NGFW), Cisco AMP for Endpoints and Cisco Email Security. The chief technical security architect has emphasised the challenges
support teams face on a daily basis in attending to possible security breaches, citing the amount of time it takes to block malicious
activity as it enters the network. Each delay exposes the production environments and one day may lead to key systems being
rendered inactive.

A company-wide project team has been set up to simplify these processes where possible and reduce the time to remediate. During
the project meeting the Email architect suggests using the AMP Unity feature to whitelist and blacklist known malicious
files in a central location, effectively reducing the time to remediate.

Security Control
The AMP Unity feature in the Cisco Email Security Solution, available starting with version 11.1, provides the ability to share
information about a file's trajectory and to override the verdict delivered by the AMP client from one central location. This is
particularly useful when a known bad file has entered the organisation and may have moved to different workstations or parts of the
network. Having visibility of that file from a central location and taking an action from that same location helps minimise the impact a
malicious file can have and provides administrators and operators a single source for these actions.

Objective
This scenario walks through the configuration of both Cisco Email Security and AMP cloud portal to configure a custom whitelist
and blacklist for known good and bad files that have entered the organization.

Learn more about the ESA unity with AMP here: Integrating the Appliance with AMP for Endpoints Console

Steps

Register with AMP for Endpoints Console (Estimated time to complete: 10 min)

Cisco Email Security must register with the AMP for Endpoints console to complete the integration. The integration allows Cisco Email
Security to receive custom whitelists and blacklists of SHAs from other AMP components within the same AMP for Endpoints account,
and vice versa.

1. From the workstation access the GUI and navigate to Security Services > File Reputation and Analysis and click Edit
Global Settings. Click the Register Appliance with AMP for Endpoints button in the Advanced Settings panel for File
Reputation.

2. A pop-up box appears. Click OK.

3. The AMP for Endpoints console login page appears. Log in to the console with the following credentials: Username:
unity+lab+session_number@cisco.com (Example: unity+lab+18@cisco.com), Password: C1sco12345!

4. Upon successful authentication, click the green Allow button in the AMP for Endpoints authorization page to register the
appliance.

5. The registration is now complete, and the AMP for Endpoints console redirects the UI back to the File Reputation and
Analysis page of the Cisco Email Security appliance, indicating the entire registration process is a SUCCESS.

6. Click Submit. No commit change is required.

7. Click the bookmark AMP Console to access the AMP for Endpoints console – https://auth.amp.cisco.com.

8. Navigate to Account > Applications to verify whether the appliance is registered appropriately. The appliance name is
displayed in the Applications section of the AMP for Endpoints console page.

Create a Simple Custom Detection List (Estimated time to complete: 5 min)

A Simple Custom Detection list is similar to a blacklist: these are files that you want to detect and quarantine. Not only will an entry in a
Simple Custom Detection list quarantine future copies of the file, but through retrospection it will quarantine instances of the file on any
endpoints in the organization on which the service has already seen it.

1. Remain on the AMP for Endpoint console. Navigate to Outbreak Control > Simple. Click Create to form a new simple
custom detection. Name it as Cisco Email Security Blacklist and click Save.

2. On the workstation's desktop, double-click the file Blacklist_SHA.txt inside the dCloud Files > AMP_Unity > Blacklist sub-
folder and copy the entire string (9a3faed145178e81d3ea45384854afbd8655ee5eda2f76a786c2648b0ea56627).

3. Return to the AMP for Endpoints console, click on Edit and add the string into the blank SHA-256 box, type Blacklist_File.txt
as the note and click Add.

Create an Application Whitelist (Estimated time to complete: 5 min)

Application whitelists allow you to list files that should not be convicted. Examples are a custom application that is
detected by a generic engine, or a standard image that you use throughout the company and is deemed safe for use.

1. To create an application whitelist, go to Outbreak Control > Whitelisting. Click Create to form a new whitelist. Name it as
Cisco Email Security Whitelist and click Save.

2. On the workstation's desktop, double-click the file Whitelist_SHA.txt inside the AMP_Unity > Whitelist sub-folder and copy the
entire string (d2f42ff780d5e2305383d410a132d83479bf1d64dac4c280ea688795249d9cde).

3. Return to the AMP for Endpoints console, click on Edit and add the string into the blank SHA-256 box, type Whitelist_File.txt
as the note and click Add.

Create a Custom Policy (Estimated time to complete: 3 min)

The custom simple list and whitelist are combined with other settings into a policy which affects the behaviour of the appliance
that has registered with the AMP for Endpoints console.

1. To create a custom policy, go to Management > Policies. Next click on the + New Policy and select Network in the drop-
down list. Click New Policy.

2. Name it as Cisco Email Security Policy and choose the custom detection simple list and application whitelist which we have
created in previous tasks from the drop-down lists. Click Save.

Create a Custom Group (Estimated time to complete: 7 min)

A custom group is required to apply the custom policy specifically to registered appliances.

1. To create a custom group, go to Management > Groups. Next click on Create Group and name it Cisco Email
Security Group. Under Network Policy, select the custom policy which was created in the previous task from the drop-down list. Click
Save.

2. Next, move the registered appliance from the default group to this custom group. Go to Management > Computers. Click the
[+] icon to expand the appliance detail and click Move to Group.

3. Choose the custom group from the Existing Group drop-down list and click Move.

4. Click the [+] icon to expand the appliance detail again to verify the move. The appliance has joined the Cisco Email Security
Group managed by Cisco Email Security Policy.

Testing AMP unity (Whitelist) (Estimated time to complete: 15 min)

With all the configuration in place, the AMP Unity feature can be tested by sending emails to Alan from external user Ben that
carry the attachments which have been whitelisted and blacklisted respectively in the AMP for Endpoints console.

1. Prior to preparing the message, initiate a connection to the ESA from the CLI in order to view, using the tail command, the mail
logs to see the message being processed and the actions being applied as it works its way through the pipeline.

2. From the workstation launch Microsoft Outlook and from Ben’s inbox, prepare a new message with the following parameters.
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: Latest File Attached

Body: Hi,

Please find attached document as per our discussion.

Attachment: Whitelist_File.txt - located on the desktop under the AMP_Unity > Whitelist sub-folder.

3. Send the email and force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.

4. Switch to the CLI session of ESA, issue the command tail amp and press Enter. The AMP log shows the response to the query
from the AMP Cloud, which quickly determined the disposition of this file to be CLEAN.

5. Notice the message makes it into Alan’s mailbox. This is expected behaviour, as the attachment Whitelist_File.txt is already
whitelisted in the AMP console. Open the attachment to view the content of the text file; the content should be clearly visible
and the email message unaltered.

6. From the GUI session of ESA, navigate to Monitor > Advanced Malware Protection report. In the summary of files
handled by AMP, a Clean disposition incident has been recorded.

7. Clicking on the incident under Clean disposition launches Message Tracking, where more information about the message flow and
the various actions applied to it can be viewed.

8. Click Show Details to view this specific message in detail.

Testing AMP unity (Custom Detection List) (Estimated time to complete: 20 min)

1. Prior to preparing the message, initiate a connection to the ESA from the CLI in order to view, using the tail command, the mail
logs to see the message being processed and the actions being applied as it works its way through the pipeline.

2. From the workstation launch Microsoft Outlook and from Ben’s inbox, prepare a new message with the following parameters.
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: Latest File Attached – Custom List

Body: Hi,

Please find attached document as per our discussion.

Attachment: Blacklist_File.txt - located on the desktop under the AMP_Unity > Blacklist sub-folder.

3. Send the email - Force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.

4. Switch to the CLI session of ESA, issue the command tail amp and press Enter. The AMP log shows the response to the query
from the AMP Cloud, which quickly determined the disposition of this file to be MALICIOUS due to Simple Custom Detection.

5. From the GUI session of ESA, navigate to Monitor > Advanced Malware Protection report. In the summary of files
handled by AMP, a Malicious disposition incident has been recorded.

6. Clicking on the incident under Malicious disposition launches Message Tracking, where more information about the message flow
and the various actions applied to it can be viewed.

7. Click Show Details to view this specific message in detail. Notice that the message has been dropped by AMP as the last event.

8. Return to Monitor > Advanced Malware Protection and scroll down towards the new section – Incoming Malware Files by
Category to view the percentage of blacklisted file SHAs received from the AMP for Endpoints console that are displayed as
Custom Detection.

9. The threat name of a blacklisted file SHA is displayed as Simple Custom Detection in the Incoming Malware Threat Files
section of the report. Click the SHA256 string in the first column.

10. In the AMP file analysis report page, scroll down toward the More Details section of the report to view the file trajectory
details of a blacklisted file SHA in the AMP for Endpoints console.

11. The AMP for Endpoints console login page appears. Log in to the console with the following credentials:
Username: unity+lab+session_number@cisco.com (Example: unity+lab+18@cisco.com), Password: C1sco12345!

12. The file trajectory details for this file are displayed. File trajectory shows the life cycle of each file from the first time it was
seen to the last, as well as all computers in the network that had it. Scroll down toward the Trajectory section and click
the Observed icon for more details.

DomainKeys Identified Mail (DKIM)

Use Case
Jacob is the Chief InfoSec Officer (CISO) for Voyage Corp, and his department conducted a thorough security assessment of the
communications infrastructure. One area of concern was the number of phishing attempts over a 3-month period targeting specific
employees. End-user awareness and training have increased and employees are in a better position to spot potentially spoofed
messages; however, a decision was made to further enhance security by deploying additional technologies, namely Sender Policy
Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance
(DMARC).

Despite SPF being the most straightforward technology to deploy, the messaging team has concerns that, given how vast the
messaging infrastructure is, they may not be fully aware of all legitimate sources of email for the company's domains.

The messaging infrastructure consists of multiple 3rd-party affiliates sending email on behalf of Voyage Corp; these messages are
typically newsletters, special promotions and even confidential email that may be encrypted. Given this widespread use, and to
prevent mail flows from breaking, a decision is made to implement DKIM, which does not require any external dependencies. Unlike
SPF, which is a path-based technology, DKIM allows messages to be signed, thus vouching for their authenticity.

Security Control
In brief, DKIM uses a cryptographic stamp to authenticate message senders. With DKIM a digital signature is inserted into the
message headers of an email message; the signature is produced with the private half of a public and private key pair.

The public key from the pair is published in a publicly accessible DNS text record. Cisco Email Security
authenticates the message by extracting the sending domain from the email, retrieving the public key from the DNS text record and
validating the signature against the message's contents. Cisco Email Security allows the administrator to take actions based on the result,
such as dropping or quarantining the message or notifying an administrator.

Objective
This scenario will demonstrate how DKIM signing can protect against spoofing of the email content (both body and headers) by
adding a cryptographic signature over a hash of the entire email. If the outgoing email passes DKIM verification, the email recipient can be
confident it has not been modified for fraudulent purposes whilst in transit.

NOTE: Learn more about DKIM here: Email Authentication

Configuring DKIM Key Pair (Sender) (Estimated time to complete: 3 min)

The first task is to generate a public and private key pair to be used for signing outgoing messages. The public key is published in
a DNS TXT record and the private key is stored and made available in Cisco Email Security to sign the outgoing messages.

1. From the workstation, access the GUI of ESA2 with the following credentials: Username: admin, Passphrase: C1sco12345

2. Navigate to Mail Policies > Signing Keys and click Add Key. Name the key as DKIM_Key. Choose Generate and select key
size – 1024 Bits.

3. Click Submit.

4. Ensure the changes are applied by clicking the Commit Changes button - top right of screen, adding optional comments if
desired.

Create DKIM Signing Profile (Sender) (Estimated time to complete: 7 min)

This task identifies which parts of the email are to be included in the signing process; this can be either the whole message body or
just specific header fields. The key pair created in the previous task will be referenced by a “selector” so DKIM
verifiers can differentiate between keys. All outgoing messages that match the domain defined in the profile will be signed and
have a DKIM signature inserted into them.

1. Remain on the GUI from previous task. Create a domain profile and associate the key with the domain profile. Navigate to
Mail Policies > Signing Profiles and click Add Profile. Enter a name for this profile as DKIM_Profile and choose Domain
Key Type as DKIM. Additional options will appear on the page.

2. Enter the Domain Name as dcloud-out.cisco.com and enter the Selector as lab. Keep both the header and body
canonicalization options as Simple and select the custom signing key DKIM_Key in the drop-down list.

3. Leave the other options at their default settings. Type dcloud-out.cisco.com in the Add Users box and click Add to join this domain to
this profile.

4. Click Submit and ensure changes are applied by clicking the Commit Changes button, adding optional comments if desired.

5. In the DNS Text Record column of the new signing profile, click the Generate link to show the DNS text record.

6. Copy the DNS Text Record. You will need it to create a new TXT record on the DNS server that belongs to the sending
domain, which is done in the following task.

7. After copying the record, click Done.

Create a DKIM Record (Sender) (Estimated time to complete: 20 min)

The DKIM record contains the public part of the cryptographic key used to sign the email. The recipient uses this record to confirm
that the signature on an incoming message from the sending domain is valid.

1. From the workstation launch RDC located on the taskbar. Type the Computer as ad-out.dcloud-out.cisco.com and click
Connect to remotely access the DNS server.

2. Log in using the following credentials, acknowledging any security warning presented: Username: DCLOUD-OUT\Administrator,
Password: C1sco12345. Once logged in, click the DNS icon to launch the DNS Manager interface.

3. Double-click Forward Lookup Zones and select dcloud-out.cisco.com. On the right column, right-click on the blank area
and choose Other New Records from the list.

4. Scroll the drop-down list to the end, select Text (TXT) and click on Create Record …

5. Enter the Record Name as lab._domainkey and paste the string v=DKIM1; p=MIGf … AQAB; which you have copied from the
ESA2 into the Text box. Click OK.

6. Click Done.

7. Once complete, click Start menu and Log Off Administrator to exit the remote desktop session.

8. On the workstation, launch Command Prompt located on the desktop and type the following command to verify the DKIM record:
nslookup -q=txt lab._domainkey.dcloud-out.cisco.com

9. Return to the GUI of ESA2. In the Test Profile column of the new signing profile, click Test to make sure the DKIM record was
created correctly.

10. You should see the message Success – Published public key matches domain profile displayed above the profile.
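The check behind that Test link, as an added Python example rather than the appliance's own code: parse the TXT record published at lab._domainkey.dcloud-out.cisco.com as an RFC 6376 tag list and compare its p= value with the key the signing profile holds. The key bytes are a labelled placeholder, and the parser also joins a record that DNS has split into several TXT strings, which nslookup shows for keys longer than 255 characters (not the case for the lab's 1024-bit key).

```python
"""Check a published DKIM TXT record against the key a signing profile expects.
Constructed stand-in for the ESA's "Test" link, not Cisco's code; the key
value below is a placeholder, not a real RSA public key."""
from __future__ import annotations

import base64
import re

# Constructed placeholder for the base64 DER public key that the signing
# profile's Generate link displays (the lab's real value is elided as "MIGf … AQAB").
PROFILE_KEY_B64 = base64.b64encode(
    b"constructed placeholder, not a real RSA public key").decode()


def dkim_record_name(selector: str, domain: str) -> str:
    """DNS owner name a verifier queries: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_record(txt_strings: list[str]) -> dict[str, str]:
    """Join the TXT character-strings (DNS splits values longer than 255
    bytes, which a 2048-bit key always needs) and parse the tag=value list."""
    raw = "".join(txt_strings)
    tags = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        key = key.strip()
        if key in tags:
            raise ValueError(f"duplicate tag {key!r}")
        # Folding whitespace is permitted inside a value (e.g. a wrapped key).
        tags[key] = re.sub(r"\s+", "", value)
    return tags


def check_published_key(txt_strings: list[str], profile_key_b64: str) -> tuple[bool, str]:
    """Return (ok, reason): does the record publish exactly the key the
    signing profile holds, and is that key usable for e-mail?"""
    try:
        tags = parse_dkim_record(txt_strings)
    except ValueError as exc:
        return False, str(exc)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, f"unsupported version {tags['v']!r}"
    if tags.get("k", "rsa") != "rsa":
        return False, f"unsupported key type {tags['k']!r}"
    if "p" not in tags:
        return False, "missing p= tag"
    if tags["p"] == "":
        return False, "key revoked: empty p= tag"
    try:
        published = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return False, "p= tag is not valid base64"
    if published != base64.b64decode(profile_key_b64, validate=True):
        return False, "published key does not match the signing profile"
    services = tags.get("s", "*").split(":")
    if "*" not in services and "email" not in services:
        return False, f"record not valid for email (s={tags['s']})"
    return True, "Success - Published public key matches domain profile"


if __name__ == "__main__":
    # Constructed answer for the lab's selector and domain, as a resolver
    # would return it: a list of TXT character-strings.
    name = dkim_record_name("lab", "dcloud-out.cisco.com")
    answer = ["v=DKIM1; p=" + PROFILE_KEY_B64]
    print(name, check_published_key(answer, PROFILE_KEY_B64))
```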

Enable DKIM Signing (Sender) (Estimated time to complete: 1 min)

At this point, the sender is ready to enable DKIM signing on an outgoing mail flow policy. This allows
email to be signed with the DKIM private key and sent out to email receivers.

1. Log into GUI of ESA2. Navigate to Mail Policies > Mail Flow Policies and choose the listener Private 198.18.133.147:2525.
Click on the RELAYED mail flow policy name.

2. Scroll the page down towards the Security Features section and enable DomainKeys/DKIM Signing by selecting On.

3. Click Submit at the bottom of this page and ensure changes are applied by clicking the Commit Changes button,
adding optional comments if desired.

Enable DKIM Verification (Recipient) (Estimated time to complete: 1 min)

Now that DKIM signing is working, it's time to enable DKIM verification. The receiving Cisco Email Security solution will
retrieve the public key from the DNS record of the domain taken from the signature and use that key to test the message's DKIM
signature and determine its validity. If the DKIM signature passes the verification test, the message continues to the next step
in the regular delivery process. This feature helps to ensure not only that a message is coming from the purported sender, but that
it hasn't been modified between the time it was signed and when it was delivered to the recipient.

1. On the workstation, access the GUI of ESA. Navigate to Mail Policies > Mail Flow Policies and choose the listener Public
198.18.133.146:25. Click on the Default Policy Parameters mail flow policy name.

2. Scroll the page down towards the Security Features section and enable DKIM Verification by selecting On. Note that
a pre-defined DKIM verification profile (DEFAULT) is already available on the Cisco Email Security appliance.

3. Click Submit at the bottom of this page and ensure changes are applied by clicking the Commit Changes button,
adding optional comments if desired.

Configuring a Content Filter (Recipient) (Estimated time to complete: 8 min)

In this task, a new content filter is created to apply an action based on the result of the DKIM signature check on the receiving
email server. For example, a DKIM-signed message might be dropped or quarantined if the signature does not validate during the
DKIM verification process.

1. Remain on the GUI from the previous task, navigate to Mail Policies > Incoming Content Filters and click Add Filter.

2. Using the following settings configure the Conditions and Actions.


Name: DKIM_Verification

Description: DKIM verification for specific sender (Optional)

Conditions: DKIM authentication > Is not > Pass

Action 1: Add / Edit Header > Header Name Subject > Prepend to the Value of Existing Header > [DKIM FAIL]

3. Click OK

4. Click OK

5. Click Submit to create the content filter. Once complete, apply the change by clicking the Commit Changes button, adding
optional comments if desired.

Edit Incoming Mail Policy (Recipient) (Estimated time to complete: 15 min)

The final task is to add an incoming mail policy for the external sender domain so that the content filter takes effect.

1. Navigate to Mail Policies > Incoming Mail Policies and click Add Policy … to create a new policy.

2. Name the Policy as DKIM_Verification_Policy and click Add User ….

3. On the left side of the box, select Following Senders and add @dcloud-out.cisco.com into the Email Address: box.

4. Click OK and click Submit

5. Click within the Content Filters box of the new policy DKIM_Verification_Policy.

6. Select Enable Content Filters (Customize settings). Place a checkmark against the content filter DKIM_Verification
created in the previous task to enable it.

7. Click Submit to save the policy.

8. Once complete, ensure the change is applied by clicking the Commit Changes button, adding optional comments if desired.

Testing DKIM (Sender and Recipient) (Estimated time to complete: 10 min)

With all the configuration in place, both DKIM signing and verification features can be tested by sending an email to Alan from an
external user with email address ending with @dcloud-out.cisco.com.

1. Before preparing the message, open a CLI session to both ESA and ESA2 and run tail mail_logs on each, so you can watch
the message being processed and the actions being applied as it works its way through the pipeline.

2. From the workstation launch Microsoft Outlook and from Ben’s inbox, prepare a new message with the following parameters.
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: DKIM Testing

Body: Hi Alan,

I am sending this email for DKIM testing only.

3. Send the email. Force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.

4. Switch to the CLI of ESA2. Notice that the DKIM signing profile matched the sender's domain and signed the message before
initiating delivery to the destination host.

5. Next, take a look at the CLI of ESA, note the message has been received with DKIM verification as Pass as the result.

6. Return to the workstation, synchronize the messages once more and the message will now appear in Alan’s mailbox, note
there is no modification to the Subject header.

Sender Policy Framework (SPF)

Use Case
Following on from the previous scenario, by the time DKIM was rolled out across all of Jacob's company gateways, the messaging
team had finished collecting data on legitimate senders from all stakeholders. Since SPF adds an additional layer of protection by
listing all IP addresses allowed to send email on behalf of his company, Jacob decides to implement SPF alongside DKIM to
further strengthen their anti-spoofing defences.

Security Control
Sender Policy Framework (SPF) remains an effective tool for detecting and blocking forged or spoofed email, because it verifies
the sending mail server's IP address before the message is accepted by the receiving mail server. When an incoming message
arrives at a gateway with SPF checking enabled, the Cisco Email Security solution looks up the SPF record published in DNS for
the sender's domain and confirms that the connecting server's IP address is on the list of hosts permitted to send for that domain.
If there is no match, the verification fails.

Objective
This scenario demonstrates how SPF protects the envelope sender address by comparing the sending mail server's IP address with
the SPF record published in DNS for the sender's email domain. If the sending server is not listed in that record, the message
fails the SPF check.

NOTE: Learn more about SPF here: Overview of SPF and SIDF Verification

Steps

Task – Create a SPF Record (Sender) (Estimated time to complete: 15 min)

An SPF record lists the servers that are allowed to send email for the sending domain. Its purpose is to let receivers detect and
reject messages that use a forged envelope sender (MAIL FROM) address in that domain. SPF on its own says nothing about the
From: header the user sees; tying the two together is what DMARC adds in the next scenario.

1. From the workstation launch RDC located on the taskbar. Type the Computer as ad-out.dcloud-out.cisco.com and click
Connect to remotely access the DNS server.

2. Log in using the following credentials, acknowledge any security warning presented. Once logged in, click the DNS icon to
launch the DNS manager interface: Username: DCLOUD-OUT\Administrator, Password: C1sco12345

3. Double-click Forward Lookup Zones and select dcloud-out.cisco.com. On the right column, right-click on the blank area
and choose Other New Records from the list.

4. Scroll the drop-down list to the end, select Text (TXT) and click on Create Record ….

5. Leave the Record Name blank and enter the string v=spf1 mx -all into the Text box. The qualifier before all must be an
ASCII hyphen-minus; a typographic dash pasted from a document makes the term unrecognizable and the record unusable. Click OK.

6. Click Done.

7. Once complete, click Start menu and Log Off Administrator to exit the remote desktop session.

8. On the workstation, launch Command Prompt located on the desktop and verify the SPF record with the following command:
nslookup -q=txt dcloud-out.cisco.com

Task – Enable SPF Verification (Recipient) (Estimated time to complete: 1 min)

Once SPF verification is enabled, the receiving Cisco Email Security solution looks up the sender's domain in public DNS to
confirm that the connecting IP address is permitted to send mail for it. SPF verifies two identities: the HELO identity (the hostname
the sending mail server announces in HELO/EHLO) and the MAIL FROM identity (the envelope sender address of the message).
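As an added example (not taken from this lab guide or from the Cisco product), the following Python implements the core of that evaluation, check_host from RFC 7208, for the mechanisms relevant to this scenario (mx, a, ip4, ip6, include, all) and runs it for both identities against a constructed DNS table. The table holds the v=spf1 mx -all record created in the previous task; the MX host name esa2.dcloud-out.cisco.com, its address 198.18.133.147, its HELO record and the example.org records are assumptions made up for the example, and all lookups are served from the table so the code runs offline.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the lab's public DNS. Only the first TXT record comes from the
# lab; every other entry is an assumption of this example. Keys are (name, record type).
DNS: Dict[Tuple[str, str], List[str]] = {
    ("dcloud-out.cisco.com", "TXT"): ["v=spf1 mx -all"],
    ("dcloud-out.cisco.com", "MX"): ["esa2.dcloud-out.cisco.com"],      # assumed MX host name
    ("esa2.dcloud-out.cisco.com", "A"): ["198.18.133.147"],              # assumed ESA2 address
    ("esa2.dcloud-out.cisco.com", "TXT"): ["v=spf1 a -all"],            # assumed HELO identity record
    ("example.org", "TXT"): ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.org ~all"],
    ("_spf.example.org", "TXT"): ["v=spf1 ip6:2001:db8::/32 -all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],       # self-include, never terminates
}

RESULT_FOR_QUALIFIER = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def check_host(ip: str, domain: str, dns=DNS, budget: Optional[List[int]] = None) -> str:
    """Evaluate the SPF record of `domain` for connecting address `ip` (RFC 7208 subset:
    all, ip4, ip6, a, mx and include; no macros, no redirect=, no CIDR suffix on a/mx)."""
    if budget is None:
        budget = [10]  # RFC 7208 4.6.4: at most 10 DNS-querying terms per evaluation
    addr = ipaddress.ip_address(ip)
    domain = domain.lower()
    records = [r for r in dns.get((domain, "TXT"), []) if r.split(None, 1)[0].lower() == "v=spf1"]
    if not records:
        return "None"
    if len(records) > 1:
        return "PermError"  # two SPF records is a hard error and a common misconfiguration
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)  # False across families
        elif mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "PermError"
            if mech == "a":
                matched = any(addr == ipaddress.ip_address(h) for h in dns.get((target, "A"), []))
            elif mech == "mx":
                matched = any(addr == ipaddress.ip_address(h)
                              for mx in dns.get((target, "MX"), [])
                              for h in dns.get((mx, "A"), []))
            else:
                sub = check_host(ip, target, dns, budget)
                if sub in ("None", "PermError"):
                    return "PermError"
                matched = sub == "Pass"
        else:
            return "PermError"  # unknown mechanism (this is what a typographic dash causes)
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "Neutral"  # record exhausted without an "all" term


def spf_for_message(client_ip: str, helo: str, mail_from: str, dns=DNS) -> Dict[str, str]:
    """The two identities the ESA checks: the HELO/EHLO hostname and the MAIL FROM domain.
    An empty MAIL FROM (bounce) is checked as postmaster@<helo> per RFC 7208 2.4."""
    if not mail_from:
        mail_from = "postmaster@" + helo
    return {"helo": check_host(client_ip, helo, dns),
            "mailfrom": check_host(client_ip, mail_from.rpartition("@")[2], dns)}


if __name__ == "__main__":
    print(spf_for_message("198.18.133.147", "esa2.dcloud-out.cisco.com", "ben@dcloud-out.cisco.com"))
    print(spf_for_message("192.0.2.10", "mail.imposter.com", "ben@dcloud-out.cisco.com"))
    print(check_host("192.0.2.10", "example.org"), check_host("2001:db8::1", "example.org"))
    print(check_host("192.0.2.10", "loop.example"))
```

The budget counter is the part most often missing from home-grown SPF checks: without the ten-lookup limit of RFC 7208 section 4.6.4, a self-including record such as loop.example recurses forever and an attacker-controlled record can turn the verifier into a DNS amplifier. The dictionary returned by spf_for_message mirrors the two results the ESA reports, one for the HELO identity and one for MAIL FROM.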

1. On the workstation, access the GUI of ESA. Navigate to Mail Policies > Mail Flow Policies and choose the listener Public
198.18.133.146:25. Click on the Default Policy Parameters mail flow policy name.

2. Scroll down to the Security Features section and enable SPF/SIDF Verification by selecting On. Set Downgrade PRA
verification result if 'Resent-Sender:' or 'Resent-From:' were used to Yes and set HELO Test to On.

3. Click Submit and ensure the changes are applied by clicking the Commit Changes button - top right of screen, adding
optional comments if desired.

Task - Configuring a Content Filter (Recipient) (Estimated time to complete: 5 min)

In this task, a new content filter is created to act on the result of the SPF verification performed by the receiving email
gateway. A message delivered from an IP address that the sender's SPF record does not authorize can be treated as illegitimate;
here the filter tags the Subject header of any message whose SPF result is SoftFail or Fail.

1. Remain on the GUI from the previous task, navigate to Mail Policies > Incoming Content Filters and click Add Filter.
Using the following settings, configure the Conditions and Actions.
Name: SPF_Verification

Description: SPF verification for selected domains

Conditions: SPF Verification > Is > SoftFail, Fail

Action 1: Add / Edit Header > Header Name Subject > Prepend to the Value of Existing Header > [SPF FAIL]

2. Click OK

3. Click OK

4. Click Submit to create the content filter. Once complete, apply the change by clicking the Commit Changes button, adding
optional comments if desired.

Task - Edit Incoming Mail Policy (Recipient) (Estimated time to complete: 3 min)

The final task is to modify the default incoming mail policy so the content filter comes into effect.

1. From the workstation, access the GUI of ESA, navigate to Mail Policies > Incoming Mail Policies and click within the
Content Filters box of the Default Policy.

2. Place a checkmark against the content filter SPF_Verification created in the previous task to enable it.

3. For lab testing purpose, please remove the DKIM_Verification_Policy in the Incoming Mail Policy section by clicking the
delete icon.

4. Click Submit. Ensure the change is applied by clicking the Commit Changes button, adding optional comments if desired.

Task - Testing SPF Verification (Estimated time to complete: 5 min)

With all the configuration in place, the SPF verification features can be tested by sending an email to Alan from an external user
with email address ending with dcloud-out.cisco.com.

Before preparing the message, open a CLI session to ESA and run tail mail_logs, so you can watch the message being processed
and the actions being applied as it works its way through the pipeline.

1. From the workstation launch Microsoft Outlook and from Ben’s inbox, prepare a new message with the following parameters.
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: SPF Testing

Body: Hi Alan,

I am sending this email for SPF testing only.

2. Send the email. Force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.

3. Switch to the CLI of ESA and note that SPF verification found the connecting IP address of ESA2 in the SPF record published
in public DNS for the MAIL FROM domain. The SPF final result is Pass.

4. Return to the workstation, synchronize the messages once more and the message will now appear in Alan's mailbox. Note that
the Subject header has not been modified.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

Use Case
As the final step in his anti-phishing strategy, Jacob plans a gradual rollout of DMARC.
DMARC ties the identifiers authenticated by SPF or DKIM (the envelope sender domain or the signing domain) to what is presented
to the end recipient in the From: header, and checks that at least one of the SPF or DKIM identifiers is aligned with the From:
header domain. It also lets Jacob explicitly instruct other systems on the Internet what to do with messages that claim to come
from domains his company controls but fail verification. DMARC has a powerful reporting component, which gives Jacob visibility
into phishing attempts or campaigns that use his corporate identity.
Additionally, he can feed DMARC reports into a dedicated analytics system to gain deeper insight into how the company's email
domains are being used and abused, and into the trustworthiness of its brand.

Security Control
The Cisco Email Security solution allows administrators to go beyond SPF and DKIM by leveraging DMARC, which helps senders
and recipients work together to create more secure email communications across the Internet.
DMARC is built on top of two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It
allows the administrative owner of a domain to publish a policy stating which mechanism (DKIM, SPF or both) is employed when
sending email from that domain and how the receiver should deal with failures.

Objective
This scenario demonstrates how DMARC verification is implemented and used. The DMARC policy tells the receiving email server
what to do when a message fails both the SPF and the DKIM alignment checks. The sending domain can also request aggregate
reports describing the messages that passed or failed DMARC verification at the receiver.

NOTE: Learn more about DMARC here: DMARC Verification

Steps

Task – Create a DMARC Record (Sender) (Estimated time to complete: 15 min)

Once the SPF and DKIM records are in place, the administrator publishes a DMARC record for the sending email domain. The
DMARC policy is published as a TXT record at _dmarc.<domain> and defines what a receiver should do with non-aligned mail
that claims to come from that domain.

1. From the workstation launch RDC located on the taskbar. Type the Computer as ad-out.dcloud-out.cisco.com and click
Connect to remotely access the DNS server.

2. Log in using the credentials below, acknowledge any security warning presented. Once logged in, click the DNS icon to
access the DNS manager interface.
Username: DCLOUD-OUT\Administrator
Password: C1sco12345

3. Double-click Forward Lookup Zones and select dcloud-out.cisco.com. On the right column, right-click on the blank area
and choose Other New Records from the list.

4. Scroll the drop-down list to the end, select Text (TXT) and click on Create Record …

5. Enter the Record Name as _dmarc and paste the string v=DMARC1; p=none; pct=100; rua=mailto:dmarc@dcloud-out.cisco.com
into the Text box. Click OK.

6. Click Done.

7. Once complete, click Start menu and Log Off Administrator to exit the remote desktop session.

8. On the workstation, launch Command Prompt located on the desktop and verify the new DMARC record with the command
nslookup -q=txt _dmarc.dcloud-out.cisco.com. Also confirm that the DKIM selector record still resolves with
nslookup -q=txt lab._domainkey.dcloud-out.cisco.com, since DMARC can only align on a DKIM signature whose public key is published.

Task – Enable DMARC Verification (Recipient) (Estimated time to complete: 1 min)

Once DMARC verification is enabled, the receiving Cisco Email Security solution checks whether the domain authenticated by SPF
(the MAIL FROM domain) or by DKIM (the d= tag of the signature) is aligned with the domain shown in the From: header. With the
default relaxed alignment the two only need to share the same organizational domain; strict alignment requires an exact match. A
message passes DMARC when at least one of the two identifiers is both authenticated and aligned.

1. On the workstation, access the GUI of ESA. Navigate to Mail Policies > Mail Flow Policies and choose the listener Public
198.18.133.146:25. Click on the Default Policy Parameters mail flow policy name.

2. Scroll down to the Security Features section and enable DMARC Verification by selecting On. Note that a pre-defined
DMARC verification profile (DEFAULT) is already available on the Cisco Email Security solution. Enable the option to send
aggregate feedback reports.

3. Click Submit. Ensure the change is applied by clicking the Commit Changes button, adding optional comments if desired.

Task - Configuring DMARC Verification Profile (Recipient) (Estimated time to complete: 2 min)

This task modifies the default DMARC verification profile on the receiving Cisco Email Security solution. Depending on the
DMARC verification result and the policy requested by the sending domain, the profile accepts, quarantines or rejects the message.
If sending of aggregate reports is enabled, Cisco Email Security gathers DMARC verification data and includes it in the daily
aggregate report sent to the address (rua=) published by the domain owner.

1. Remain on the GUI from the previous task, navigate to Mail Policies > DMARC and click the profile name DEFAULT. Using the
following settings, configure the Message Action taken for each outcome the sender's DMARC policy requests.
When Policy in DMARC record is Reject: Choose Reject

When Policy in DMARC record is Quarantine: Choose Quarantine to and select the Policy quarantine

For Temporary Failure: Remain Accept

For Permanent Failure: Choose Reject

2. Click Submit to save the profile. Once complete, apply the change by clicking the Commit Changes button, adding optional
comments if desired.
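The following added example (not part of this lab guide or of the Cisco product) shows what the DEFAULT profile configured above is deciding: it parses a DMARC record, applies identifier alignment between the From: header domain and the SPF and DKIM identifiers, and turns the policy the sender requested into a disposition and the corresponding profile action. The DNS table contains the _dmarc.dcloud-out.cisco.com record published in this scenario; the _dmarc.example.org record, the two-label organizational-domain shortcut and the sample inputs passed to evaluate are assumptions made for the example.

```python
from typing import Dict, Optional, Tuple

# Constructed stand-in for public DNS: the _dmarc record published in this task plus an
# assumed second domain with an enforcing policy, strict DKIM alignment and 50% sampling.
DNS_TXT: Dict[str, str] = {
    "_dmarc.dcloud-out.cisco.com": "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@dcloud-out.cisco.com",
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=50",
}

# Message Action chosen in the DEFAULT verification profile for each requested disposition.
ESA_ACTION = {"none": "Accept", "quarantine": "Quarantine (Policy)", "reject": "Reject"}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Tag=value list (RFC 7489 6.3); None unless the record is v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def org_domain(domain: str) -> str:
    """Organizational domain. Real verifiers use the Public Suffix List; this example assumes
    the last two labels, which is right for the lab domains but wrong for e.g. co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def discover_policy(from_domain: str, dns=DNS_TXT) -> Tuple[Optional[Dict[str, str]], bool]:
    """RFC 7489 6.6.3: look up _dmarc.<From domain>, then _dmarc.<organizational domain>.
    The flag reports whether the record is the organizational one (so sp= applies)."""
    rec = dns.get("_dmarc." + from_domain.lower())
    if rec is not None:
        return parse_dmarc(rec), False
    org = org_domain(from_domain)
    if org != from_domain.lower() and dns.get("_dmarc." + org) is not None:
        return parse_dmarc(dns["_dmarc." + org]), True
    return None, False


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r, the default)
    accepts any domain that shares the organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain: str, spf_result: str, mail_from_domain: Optional[str],
             dkim_result: str, dkim_d: Optional[str], roll: int = 0, dns=DNS_TXT) -> Dict[str, str]:
    """Combine the SPF and DKIM outcomes into a DMARC result, disposition and profile action.
    `roll` (0..99) stands in for the random draw used for pct= sampling so results are
    reproducible; an unsampled message gets the next weaker policy (RFC 7489 6.6.4)."""
    policy, from_org = discover_policy(from_domain, dns)
    if policy is None:
        return {"result": "none", "disposition": "none", "action": ESA_ACTION["none"],
                "reason": "no DMARC record"}
    spf_ok = spf_result == "Pass" and aligned(from_domain, mail_from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "Pass" and aligned(from_domain, dkim_d, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", "action": ESA_ACTION["none"],
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM") + " identifier"}
    disposition = policy.get("p", "none")
    if from_org and "sp" in policy:
        disposition = policy["sp"]
    if roll >= int(policy.get("pct", "100")):
        disposition = {"reject": "quarantine", "quarantine": "none"}.get(disposition, disposition)
    return {"result": "fail", "disposition": disposition,
            "action": ESA_ACTION.get(disposition, "Accept"), "reason": "no aligned identifier"}


if __name__ == "__main__":
    # The lab message: SPF and DKIM both pass and both identifiers are dcloud-out.cisco.com.
    print(evaluate("dcloud-out.cisco.com", "Pass", "dcloud-out.cisco.com", "Pass", "dcloud-out.cisco.com"))
    # A spoof: SPF passes for the attacker's own MAIL FROM domain and there is no DKIM. p=none only reports.
    print(evaluate("dcloud-out.cisco.com", "Pass", "imposter.com", "None", None))
    # Strict DKIM alignment fails for a subdomain signer; pct=50 downgrades half of the rejects.
    print(evaluate("example.org", "Fail", "example.org", "Pass", "mail.example.org", roll=75))
```

Feeding it the lab message gives pass, and feeding it a spoof whose SPF pass belongs to an unaligned MAIL FROM domain gives fail with disposition none, which is exactly what p=none means: the receiver still delivers, and Jacob learns about the spoof only from the aggregate reports. Moving p= to quarantine or reject is what makes the profile's Quarantine and Reject actions fire.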

Task - Testing DMARC (Estimated time to complete: 10 min)

With all the configuration in place, the DMARC verification features can be tested by sending an email to Alan from an external
user with email address ending with dcloud-out.cisco.com.

Before preparing the message, open a CLI session to ESA and run tail mail_logs, so you can watch the message being processed
and the actions being applied as it works its way through the pipeline.

1. From the workstation launch Microsoft Outlook and from Ben’s inbox, prepare a new message with the following parameters.
From: ben@dcloud-out.cisco.com

To: alan@dcloud.cisco.com

Subject: DMARC Testing

Body: Hi Alan,

I am sending this email for DMARC testing only.

2. Send the email. Force the synchronization process by clicking Send/Receive Folder or by pressing the F9 key.

3. Switch to the CLI of ESA and note that DMARC verification found both the SPF (MAIL FROM) and DKIM (d=) identifiers aligned
with the From: header domain dcloud-out.cisco.com. The DMARC final result is Pass.

4. Return to the workstation, synchronize the messages once more and the DMARC testing message will now appear in Alan’s
mailbox.

5. From the workstation, access the GUI of ESA and navigate to Monitor > DMARC Verification to view what is being
reported.

Appendix A. Troubleshooting
This section consists of a set of troubleshooting scenarios. You are presented with the preconfigured Cisco Email Security
Appliances and Microsoft application servers in the topology.

This section should take no more than 1 hour to complete.

1. DO NOT change the following configuration on the devices:

• Hostname of all devices

• User account passwords

• LDAP or AD Authentication setting

• All features inside the ESA's Network and System Administration menus

• System-level settings, including NTP, licenses, configuration backup, etc.

• Network-level settings, including IP address, subnet mask, gateway, routes, etc.

2. Do not disable a configured feature in order to resolve an incident; resolve the misconfiguration rather than removing the
pre-configured policies.

3. The resolution of one incident may depend on the resolution of previous incident(s).

4. You have full admin access to all devices using either Remote Desktop Connection, Web UI or Command Line Interface.

5. Lab proctors are available if reachability or verification of devices is required.

Background
Ben Bravo is the messaging security administrator for the dCloud-Out business unit within the Cisco Corporation. In this section
you are responsible for helping Ben identify the root cause of each incident and provide the appropriate resolution. Refer to the
Troubleshooting Guideline and to any further instructions given in the incident.

Incident – Macro Detection

Ben has configured an incoming mail policy on ESA2 to quarantine file attachments from the dCloud business unit that contain
macros; however, Ben is still receiving email messages whose attachments contain macros.

Hint: This incident contains 1 fault on ESA2. With the resolution in place, you can send an email to Ben from Alan which contains
an attachment that has a macro within.
From: alan@dcloud.cisco.com

To: ben@dcloud-out.cisco.com

Subject: Macro Detection Test

Body: This is an email for macro detection test

Attachment: Macro.safe located on the desktop under the dCloud Files > Troubleshooting > Macro sub-folder

Expectation: The message makes it into Ben’s mailbox and the subject header has been modified – prepended with [MACRO-
ENABLED-DETECTED] advising the recipient immediately. Open the message in Ben’s mailbox and confirm the attachment has
been stripped.

Incident – Virus Detection

Ben has received complaints from employees within the same business unit that virus-infected files have been delivered to
mailboxes from the external sender charlie@dcloud.cisco.com. On investigating the incident, Ben looks at ESA2 and notices that
those messages were not scanned by the Sophos anti-virus engine.

Hint: This incident contains 1 fault on ESA2. With the resolution in place, run virus-exec.bat inside the dCloud Files >
Troubleshoot > Virus sub-folder.

Expectation: The CLI session of ESA2 should indicate that the virus-infected file has been detected. The message is subsequently
dropped by the Sophos anti-virus engine.

Incident – Graymail Detection

The Marketing team have received bulk emails from Netflix about new and upcoming movie releases and special events. Ben has
verified that the Graymail Detection feature is enabled on all incoming mail policies; however, the mail logs indicate that the
Netflix messages were not classified as Bulk by the Graymail engine.

Hint: This incident contains 1 fault on ESA2. With the resolution in place, run graymail-exec.bat inside the dCloud Files
> Troubleshoot > Graymail sub-folder.

Expectation: The message makes it into Ben’s mailbox and the subject header has been modified – prepended with [BULK]
advising the recipient immediately.

Incident – Forged Email Detection

Ben has received a high-severity case originating from the HR department. One of the HR clerks has received what appears to be
a forged message purporting to come from Nicole Nelson, the HR vice president. Ben has confirmed that the Forged_Email_CF
content filter rule is enabled in the default incoming mail policy, and that Nicole Nelson is one of the names already included in
the dictionary (Upper_Management) associated with that rule. The From header of the forged email is displayed as:
NlcoIe N3Ison <nick.nelson@dcloud-out.cisco.com>.

Hint: This incident contains 1 fault on ESA2. With the resolution in place, run fed-exec.bat inside the dCloud Files >
Troubleshooting > FED sub-folder.

Expectation: The message makes it into Ben's mailbox and the subject header has been modified, prepended with [Possible
Forged Detected], to advise the recipient immediately. The From header has been replaced to reveal the envelope sender's
email address (imposter@imposter.com).

Incident – Message Splintering

Ben has received a change request (CR) from Joe John, initiated by the chief financial officer. The requirement is to redirect to
Joe's account all external email sent to Lucy Lane, who recently left the company. An hour after the change is implemented, Ben
receives a call from Joe stating that he is also receiving messages that were addressed to other recipients (such as Kathy) as well
as to Lucy. Ben requests your immediate assistance to review the change and make the correction needed to resolve the issue.

Hint: This incident contains 1 fault on ESA2. You can send an email to Lucy and Kathy from Alan’s Outlook account.
From: alan@dcloud.cisco.com

To: lucy@dcloud-out.cisco.com; kathy@dcloud-out.cisco.com

Subject: Message Splintering Test

Body: This is an email for message splintering test

Expectation: The message makes it into Joe's and Kathy's mailboxes. Use Chrome to access Kathy's mailbox via Outlook Web
Application (https://mail-out.dcloud-out.cisco.com/owa) or click the bookmark Outlook Web App.

Login using the following credentials: Username: kathy@dcloud-out.cisco.com, Password: C1sco12345

With proper resolution in place, Kathy should receive the message sent from Alan.

Incident – URL Filtering

The financial controller has received an external email containing a link to what appears to be an unauthorized website
(http://www.casino.com); company policy mandates that this is reported as soon as possible, which he does. Ben is confident that
a URL filtering rule is present, since he created it recently as part of another change request. He requires your help in identifying
the issue.

Hint: This incident contains 1 fault on ESA2. With the resolution in place, you can send an email to Ben from Alan with an
attachment that contains a prohibited URL.
From: alan@dcloud.cisco.com

To: ben@dcloud-out.cisco.com

Subject: URL Filtering Test

Body: This is an email for URL filtering test

Attachment: sample.doc located on the desktop under the dCloud Files > Troubleshooting > URL sub-folder

Expectation: The message makes it into Ben’s mailbox and the subject header has been modified – prepended with
[Unauthorized URL Found] advising the recipient immediately.

Incident – DKIM Verification

The DCLOUD business unit has issued a request to perform DKIM verification for the domain dcloud.cisco.com and to quarantine
any message whose DKIM verification does not pass. Ben receives approval from management to enforce DKIM verification in the
mail flow policy and applies the necessary content filters. Ben confirms that ESA2 can query DNS for all records associated with
dcloud.cisco.com; however, DKIM verification is not being enforced on incoming messages.

Hint: This incident contains 1 fault on ESA2. After troubleshooting the issue, verify this by sending a message to Ben from Alan’s
Outlook account.
From: alan@dcloud.cisco.com

To: ben@dcloud-out.cisco.com

Subject: DKIM Verification Test

Body: This is an email for DKIM verification test

Expectation: DKIM verification passes. Confirm this in the Web UI under Monitor > Message Tracking or with the CLI command
tail mail_logs on ESA2.
