Integrating the Email Gateway with Cisco Advanced Phishing Protection

This chapter contains the following sections:

Overview of Cisco Advanced Phishing Protection

Cisco Advanced Phishing Protection provides Business Email Compromise (BEC) and phishing detection capabilities. It detects identity deception-based threats by performing reputation checks on sender address by using advanced machine learning techniques and added intelligence. This intelligence continuously adapts to drive a real-time understanding of senders and provides enhanced protection.

The Advanced Phishing Protection engine on the email gateway checks the unique behavior of all legitimate senders, based on the historic email traffic to your organization. The cloud service interface of the Cisco Advanced Phishing Protection provides risk analysis to distinguish good messages from potentially malicious messages.

The Cisco Advanced Phishing Protection cloud service relies on the email gateway as a sensor engine to receive a copy of the message metadata sent inbound into your organization. This sensor engine collects metadata such as message headers from the email gateway and relay them to the Cisco Advanced Phishing Protection cloud service for analysis. After the analysis, potentially malicious messages are remediated from the recipient mailbox automatically, based on the pre-configured policies on the Advanced Phishing Protection cloud service.

The ability to use the email gateway as a sensor engine helps an organization to:

  • Identify, investigate, and remediate threats observed on the message headers, from the recipient mailbox.

  • View the reporting data of the metadata of the message from multiple email gateways in your organization.

Benefits of Cisco Advanced Phishing Protection

The following are the benefits of deploying Cisco Advanced Phishing Protection on the email gateway:

  • The Sensor-based solution can be rapidly deployed to ensure that your users are fully protected from damaging breaches.

  • Provides another layer of defense to more effectively secure your email environment.

  • Gain a real-time understanding of senders, learn, and authenticate email identities and behavioral relationships to protect against BEC attacks.

  • Automatically remove malicious emails from the recipient’s inbox and calls out identity deception techniques to prevent wire fraud or other advanced attacks.

  • Get detailed visibility into email attack activity, including total messages secured and attacks prevented.

  • Prevents the following:

    • Attacks that use compromised accounts and social engineering.

    • Phishing, ransomware, zero-day attacks and spoofing.

    • BEC with no malicious payload or URL.

Workflow

  1. Activate the license to access the Cisco Advanced Phishing Protection cloud service.

  2. Set up the email gateway as a sensor engine on the Cisco Advanced Phishing Protection cloud service. This deploys the email gateway as a lightweight sensor via the cloud or on-premise.

  3. Register the sensor engine on the email gateway with the Cisco Advanced Phishing Protection cloud service.

  4. The sensor engine on the email gateway forwards the metadata of messages considered clean, to the Cisco Advanced Phishing Protection cloud service.

  5. The Cisco Advanced Phishing Protection cloud service determines if the message metadata is malicious.

  6. Pre-configured policies on the Cisco Advanced Phishing Protection cloud service, when configured with an 'Enforcement' sensor, blocks or redirects the message for further incident investigation.

How to Integrate Email Gateway with the Cisco Advanced Phishing Protection Cloud Service

Perform these steps in the following order:

Procedure

  Command or Action Purpose
Step 1

Review the prerequsites.

Prerequisites

Step 2

Obtain the provisioning key from Cisco Advanced Phishing Protection cloud service.

Obtaining the Provisioning Key from the Cisco Advanced Phishing Protection Cloud Service

Step 3

Register your email gateway as a sensor engine with the Cisco Advanced Phishing Protection cloud service.

Registering the Cisco Advanced Phishing Protection Sensor on the Email Gateway

Step 4

Enable Advanced Phishing Protection on the email gateway.

Enabling Advanced Phishing Protection on the Email Gateway

Step 5

Configure incoming mail policies to enable forwarding of message metadata.

Configuring Incoming Mail Policies to Enable Forwarding of Message Metadata

Step 6

Monitor metadata of message forwarded to the Advanced Phishing Protection Cloud Service.

Monitoring Message Metadata on the Cisco Advanced Phishing Protection Cloud Service

Prerequisites

Activating the Account for Cisco Advanced Phishing Protection Cloud Service

Make sure that you have:

  • Obtained a license to access the Cisco Advanced Phishing Protection cloud service from the following URL - https://www.cisco.com/c/en/us/buy.html.

  • Activated your account using the activation link that you receive through an email notification to get provisioned with the Cisco Advanced Phishing Protection cloud service.

Installing Sensors on the Cisco Advanced Phishing Protection Cloud Service

Make sure that you have setup your email gateway as sensor engine as per your organizational requirements. For more information, see User Guide for Cisco Advanced Phishing Protection.

Obtaining the Provisioning Key from the Cisco Advanced Phishing Protection Cloud Service

Before you begin

Make sure that you have access to Cisco Advanced Phishing Protection cloud service with admin access rights. For more information, see Prerequisites. If you are unable to access the Cisco Advanced Phishing Protection cloud service, contact Cisco TAC for assistance.

Procedure


Step 1

Log in to the Cisco Advanced Phishing Protection cloud service.

Step 2

Choose Manage > Sensors.

Step 3

Select Installation > Download Sensor Installer.

Step 4

From the drop-down, select the sensor installation script configured as per your organizational requirements. For example: Cisco SEG.

For more information, see Installing Sensors on the Cisco Advanced Phishing Protection Cloud Service.

Step 5

Copy the 6-word provisioning key.

Use this provisioning key to configure the Cisco Email Security Gateway as a sensor.

Note 

To register the email gateway as a sensor, you must use the provisioning key within 7 days of generation.


What to do next

Register your email gateway with the Cisco Advanced Phishing Protection cloud service. For more information, see Registering the Cisco Advanced Phishing Protection Sensor on the Email Gateway.

Registering the Cisco Advanced Phishing Protection Sensor on the Email Gateway

Before you begin

Make sure that you have:

Procedure


Step 1

Log in to the email gateway.

Step 2

Go to Security Services > Advanced Phishing Protection.

Step 3

Click Register.

Step 4

From the URL drop-down, select the region of the Cisco Advanced Phishing Protection cloud service.

Step 5

Enter the 6-word provisioning key obtained from the Advanced Phishing Protection cloud service.

Step 6

Click Register to submit your changes.

The Cisco Advanced Phishing Protection cloud service generates a Universally Unique ID (UUID) after you register your email gateway with the sensor.

Note 

After successful registration, the Cisco Advanced Phishing Protection cloud service identifies the email gateway's hostname in the cloud service.


What to do next

Enable Cisco Advanced Phishing Protection engine on the email gateway. For more information, see Enabling Advanced Phishing Protection on the Email Gateway.

Enabling Advanced Phishing Protection on the Email Gateway

Before you begin

Make sure that you have registered your email gateway as a sensor on the Cisco Advanced Phishing Protection cloud service. For more information, see Registering the Cisco Advanced Phishing Protection Sensor on the Email Gateway.

Procedure


Step 1

Log in to the email gateway.

Step 2

Go to Security Services > Advanced Phishing Protection.

Step 3

Click Enable.

Step 4

Commit your changes.


What to do next

Enable forwarding of message metadata to the Cisco Advanced Phishing Protection cloud service. For more information, see Configuring Incoming Mail Policies to Enable Forwarding of Message Metadata.

Configuring Incoming Mail Policies to Enable Forwarding of Message Metadata

You can configure mail policies to enable forwarding of message metadata to the Cisco Advanced Phishing Protection cloud service.

When you enable the Cisco Advanced Phishing Protection cloud service on your email gateway, the following message headers are shared with the Cisco Advanced Phishing Protection Cloud service :
  • dkim_selector

  • last_hop_ip_address

  • helo_domain

  • dkim_result

  • dkim_domain

  • dmarc_result

  • dkim_signatures

  • to_header

  • header_subject

  • header_from

  • message_id

  • spf_result

  • rcpt_to

  • full_header_from

  • mail_from

  • Received-SPF

  • Received-Header

  • Authentication-Results

  • reply_to

  • original_sender

  • received-timestamps

  • Authentication-Results-original

  • X-originating-ip

Before you begin

Make sure that you have:

Procedure


Step 1

Log in to the email security gateway.

Step 2

Go to Mail Policies > Incoming Mail Policies.

Step 3

Click the link below APP Filter.

Step 4

Select Enable Advanced Phishing Protection (Customize Settings) from the drop-down list.

Step 5

Select the check box for Enable Forwarding.

Step 6

Click Submit and commit your changes.


Monitoring Message Metadata on the Cisco Advanced Phishing Protection Cloud Service

You can monitor metadata of the message that your email security gateway forwards to the Cisco Advanced Phishing Protection cloud service. The Analyze > Messages page of the cloud service provides insights on the source of the message and the risk associated with the message and the senders.

The metadata of the message on the Cisco Advanced Phishing Protection cloud service receives a trust score based on the following:

  • Message Authenticity

  • Domain Reputation

  • Sender Legitimacy

Advanced Phishing Protection and Clusters

If you use centralized management, you can enable the Advanced Phishing Protection at the cluster, group, and machine level. If you have registered your email gateway with the Cisco Advanced Phishing Protection cloud service in standalone mode, you can choose to join a cluster registered with the Cisco Advanced Phishing Protection cloud service.


Note

When you disable the Advanced Phishing Protection at the machine level, the same is disabled on the group and cluster levels.


Advanced Phishing Protection Report Page

The Monitor > Advanced Phishing Protection report page displays the following:

  • Total number of messages successfully forwarded to the Cisco Advanced Phishing Protection cloud service.

  • Total number of messages that are not forwarded to the Cisco Advanced Phishing Protection cloud service.


    Note

    If the forwarding of message metadata has failed, you must validate the configurations of the Advanced Phishing Protection feature. For more information, see How to Integrate Email Gateway with the Cisco Advanced Phishing Protection Cloud Service.


You can use the Advanced Phishing Protection report page to view:

  • Total number of messages attempted to be forwarded to the Cisco Advanced Phishing Protection cloud service, in a graphical format.

  • Summary of messages forwarded to the Cisco Advanced Phishing Protection cloud service in a graphical format.

To view the detailed information on the metadata of the message that is forwarded to the Cisco Advanced Phishing Protection cloud service, click on the link and login to the Cisco Advanced Phishing Protection cloud service. For more information, see Monitoring Message Metadata on the Cisco Advanced Phishing Protection Cloud Service.

Monitoring Message Metadata on the Cisco Advanced Phishing Protection Cloud Service

You can monitor metadata of the message that your email security gateway forwards to the Cisco Advanced Phishing Protection cloud service. The Analyze > Messages page of the cloud service provides insights on the source of the message and the risk associated with the message and the senders.

The metadata of the message on the Cisco Advanced Phishing Protection cloud service receives a trust score based on the following:

  • Message Authenticity

  • Domain Reputation

  • Sender Legitimacy

Displaying Messages Submitted to the Cisco Advanced Phishing Protection Cloud Service

You can view the metadata of the message that you forward to the Cisco Advanced Phishing Protection cloud service corresponding to the success and failure.

Before you begin

Make sure that you enable the Message Tracking feature on the email gateway. To enable Message Tracking, go to Security Services > Centralized Services > Message Tracking page in the web interface.

Procedure


Step 1

Log in to the email security gateway.

Step 2

Go to Monitor > Message Tracking.

Step 3

Click Advanced.

Step 4

Check Advanced Phishing Protection Forwarding under Message Event.

Step 5

(Optional) Select Select Successful to view messages that are forwarded successfully to the Cisco Advanced Phishing Protection cloud service.

Step 6

(Optional) Select Failed to view messages that are not forwarded to the Cisco Advanced Phishing Protection cloud service.

Step 7

Click Search.