mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 04:35:18 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,37 @@
|
||||
# Standards & References: Implementing Proofpoint Email Security Gateway
|
||||
|
||||
## Industry Standards
|
||||
- **NIST SP 800-177 Rev.1**: Trustworthy Email - guidelines for email security deployment
|
||||
- **RFC 7208**: Sender Policy Framework (SPF) for authorizing use of domains in email
|
||||
- **RFC 6376**: DomainKeys Identified Mail (DKIM) Signatures
|
||||
- **RFC 7489**: Domain-based Message Authentication, Reporting & Conformance (DMARC)
|
||||
- **CIS Controls v8 Control 9**: Email and Web Browser Protections
|
||||
|
||||
## MITRE ATT&CK References
|
||||
- **T1566.001**: Phishing: Spearphishing Attachment
|
||||
- **T1566.002**: Phishing: Spearphishing Link
|
||||
- **T1566.003**: Phishing: Spearphishing via Service
|
||||
- **T1534**: Internal Spearphishing
|
||||
- **T1598**: Phishing for Information
|
||||
- **T1114.003**: Email Collection: Email Forwarding Rule
|
||||
|
||||
## Proofpoint-Specific References
|
||||
- **Proofpoint Email Protection (PPS)**: On-premises protection platform
|
||||
- **Proofpoint on Demand (PoD)**: Cloud-hosted email security service
|
||||
- **Proofpoint TAP (Targeted Attack Protection)**: Advanced threat detection
|
||||
- **Proofpoint TRAP (Threat Response Auto-Pull)**: Post-delivery remediation
|
||||
- **Proofpoint Nexus Threat Graph**: Cross-customer threat intelligence
|
||||
|
||||
## Compliance Alignment
|
||||
| Framework | Control | Description |
|
||||
|---|---|---|
|
||||
| SOC 2 | CC6.1 | Logical and physical access controls |
|
||||
| HIPAA | 164.312(a)(1) | Access control for ePHI |
|
||||
| PCI DSS 4.0 | 5.2 | Anti-malware solutions |
|
||||
| NIST CSF 2.0 | PR.DS-1 | Data-at-rest and data-in-transit protection |
|
||||
| ISO 27001 | A.8.23 | Web filtering |
|
||||
|
||||
## Email Security Gateway Market
|
||||
- Proofpoint processes 2.8+ billion messages daily (2024)
|
||||
- Gartner Magic Quadrant Leader for Email Security (2019-2024)
|
||||
- Over 50% of Fortune 100 companies use Proofpoint
|
||||
@@ -0,0 +1,107 @@
|
||||
# Workflows: Implementing Proofpoint Email Security Gateway
|
||||
|
||||
## Workflow 1: Inbound Mail Processing Pipeline
|
||||
|
||||
```
|
||||
External sender sends email
|
||||
|
|
||||
v
|
||||
[DNS MX lookup resolves to Proofpoint]
|
||||
|
|
||||
v
|
||||
[Connection-level filtering]
|
||||
+-- IP reputation check (Proofpoint Nexus)
|
||||
+-- Rate limiting and connection throttling
|
||||
+-- REJECT if known-bad IP
|
||||
|
|
||||
v
|
||||
[Authentication checks]
|
||||
+-- SPF validation
|
||||
+-- DKIM signature verification
|
||||
+-- DMARC policy evaluation
|
||||
+-- FAIL actions: quarantine or reject per policy
|
||||
|
|
||||
v
|
||||
[Content analysis]
|
||||
+-- Anti-spam scoring (ML classifier)
|
||||
+-- Anti-virus scanning (multi-engine)
|
||||
+-- Impostor classifier (BEC detection)
|
||||
+-- NLP analysis for social engineering language
|
||||
|
|
||||
v
|
||||
[URL Defense]
|
||||
+-- Extract all URLs from body and attachments
|
||||
+-- Rewrite URLs through Proofpoint proxy
|
||||
+-- Pre-delivery URL reputation check
|
||||
+-- BLOCK if known malicious
|
||||
|
|
||||
v
|
||||
[Attachment Defense]
|
||||
+-- Static analysis (signatures, heuristics)
|
||||
+-- Dynamic sandbox detonation (if suspicious)
|
||||
+-- Wait for sandbox verdict (up to 7 minutes)
|
||||
+-- QUARANTINE if malicious
|
||||
|
|
||||
v
|
||||
[Policy action]
|
||||
+-- DELIVER: Clean email to mailbox
|
||||
+-- TAG: Add warning banner for external/suspicious
|
||||
+-- QUARANTINE: Hold for admin/user review
|
||||
+-- REJECT: Block with NDR to sender
|
||||
```
|
||||
|
||||
## Workflow 2: Post-Delivery Threat Response (TRAP)
|
||||
|
||||
```
|
||||
Threat intelligence update received
|
||||
|
|
||||
v
|
||||
[TRAP scans delivered messages retroactively]
|
||||
+-- URL becomes malicious after delivery
|
||||
+-- New malware signature matches delivered attachment
|
||||
|
|
||||
v
|
||||
[Auto-Pull action triggered]
|
||||
+-- Move message from user inbox to quarantine
|
||||
+-- Log retraction in TRAP dashboard
|
||||
+-- Notify SOC team of post-delivery threat
|
||||
|
|
||||
v
|
||||
[SOC investigation]
|
||||
+-- Review TRAP alert and threat details
|
||||
+-- Check if user clicked URL before retraction
|
||||
+-- If clicked: initiate incident response
|
||||
+-- If not clicked: close as contained
|
||||
|
|
||||
v
|
||||
[Update policies]
|
||||
+-- Add sender/domain to block list if needed
|
||||
+-- Create detection rule for similar campaigns
|
||||
+-- Update TAP Dashboard threat tracking
|
||||
```
|
||||
|
||||
## Workflow 3: Phishing Report and CLEAR Integration
|
||||
|
||||
```
|
||||
User receives suspicious email
|
||||
|
|
||||
v
|
||||
[User clicks "Report Phishing" button (Proofpoint CLEAR)]
|
||||
|
|
||||
v
|
||||
[Email forwarded to Proofpoint analysis pipeline]
|
||||
+-- Automated classification (phishing/spam/clean)
|
||||
+-- URL and attachment analysis
|
||||
|
|
||||
v
|
||||
[CLEAR verdict]
|
||||
+-- MALICIOUS: Auto-retract from all inboxes that received it
|
||||
+-- SPAM: Move to junk for all recipients
|
||||
+-- CLEAN: Return to inbox, thank reporter
|
||||
|
|
||||
v
|
||||
[Metrics and feedback]
|
||||
+-- Track reporter accuracy rate
|
||||
+-- Update user risk score
|
||||
+-- Feed into security awareness metrics
|
||||
```
|
||||
Reference in New Issue
Block a user