mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
886658219f
- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing, account takeover, banking malware, BEC, identity/KYC, payment/card fraud, money-mule/cash-out, ransomware extortion, DFIR, threat intel) - Map each skill to F3 v1.1 tactics + precise technique IDs, including the two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and Monetization (FA0002) - All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle (github.com/center-for-threat-informed-defense/fight-fraud-framework): 0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs - mitre_f3 kept as a separate block from mitre_attack (F3 redefines several ATT&CK tactics for the fraud context) - Add docs/mitre-f3-mapping.md schema reference - Update README: F3 as the 6th framework, dedicated F3 section + badge
166 lines
6.9 KiB
Markdown
166 lines
6.9 KiB
Markdown
---
|
|
name: implementing-proofpoint-email-security-gateway
|
|
description: Deploy and configure Proofpoint Email Protection as a secure email gateway
|
|
to detect and block phishing, malware, BEC, and spam before messages reach user
|
|
inboxes.
|
|
domain: cybersecurity
|
|
subdomain: phishing-defense
|
|
tags:
|
|
- email-security
|
|
- proofpoint
|
|
- secure-email-gateway
|
|
- phishing
|
|
- anti-spam
|
|
- anti-malware
|
|
- bec
|
|
- email-filtering
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
nist_csf:
|
|
- PR.AT-01
|
|
- DE.CM-09
|
|
- RS.CO-02
|
|
- DE.AE-02
|
|
mitre_attack:
|
|
- T1566
|
|
- T1598
|
|
- T1534
|
|
- T1036
|
|
- T1027
|
|
mitre_f3:
|
|
version: '1.1'
|
|
tactics:
|
|
- reconnaissance
|
|
- initial-access
|
|
- stealth
|
|
- positioning
|
|
techniques:
|
|
- id: T1598
|
|
name: Phishing for Information
|
|
tactic: reconnaissance
|
|
source: attack
|
|
- id: T1660
|
|
name: Phishing
|
|
tactic: initial-access
|
|
source: attack
|
|
- id: T1672
|
|
name: Email Spoofing
|
|
tactic: stealth
|
|
source: attack
|
|
- id: F1032
|
|
name: Impersonate Official
|
|
tactic: initial-access
|
|
source: f3
|
|
- id: F1029
|
|
name: Gather Customer Information
|
|
tactic: reconnaissance
|
|
source: f3
|
|
- id: F1005.006
|
|
name: 'Account Manipulation: Change of Payment Details'
|
|
tactic: positioning
|
|
source: f3
|
|
---
|
|
# Implementing Proofpoint Email Security Gateway
|
|
|
|
## Overview
|
|
Proofpoint Email Protection is a cloud-native secure email gateway (SEG) that acts as a security checkpoint where all inbound and outbound mail traffic routes through the gateway before reaching user inboxes. It combines signature-based detection for known malware, machine learning algorithms for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for BEC detection. Proofpoint processes over 2.8 billion emails daily and blocks over 1 million extortion attempts per day.
|
|
|
|
|
|
## When to Use
|
|
|
|
- When deploying or configuring implementing proofpoint email security gateway capabilities in your environment
|
|
- When establishing security controls aligned to compliance requirements
|
|
- When building or improving security architecture for this domain
|
|
- When conducting security assessments that require this implementation
|
|
|
|
## Prerequisites
|
|
- Proofpoint Email Protection license (PPS on-premises or Proofpoint on Demand cloud)
|
|
- Administrative access to DNS management for MX record changes
|
|
- Microsoft 365 or Google Workspace email environment
|
|
- Understanding of mail flow architecture and SPF/DKIM/DMARC
|
|
- Network firewall rules permitting Proofpoint IP ranges
|
|
|
|
## Key Concepts
|
|
|
|
### Deployment Models
|
|
1. **MX-Based Gateway (Traditional SEG)**: All mail routes through Proofpoint via MX record changes; intercepts threats before delivery
|
|
2. **API-Based Integration**: Connects directly to Microsoft 365 or Google Workspace via API; no MX changes required; can be operational within 48 hours
|
|
3. **Hybrid Deployment**: Combines gateway and API for layered protection
|
|
|
|
### Core Detection Technologies
|
|
- **Impostor Classifier**: ML model detecting BEC/impersonation with no malicious URLs or attachments
|
|
- **URL Defense**: Rewrites URLs and performs real-time sandboxing at time of click
|
|
- **Attachment Defense**: Sandboxes suspicious attachments in virtual environments
|
|
- **Nexus Threat Graph**: Cross-customer threat intelligence correlation engine
|
|
- **Supplier Threat Detection**: Identifies compromised vendor email accounts
|
|
|
|
### Protection Layers
|
|
| Layer | Technology | Threat Type |
|
|
|---|---|---|
|
|
| Connection | IP reputation, rate limiting | Spam botnets |
|
|
| Authentication | SPF, DKIM, DMARC enforcement | Spoofing |
|
|
| Content | ML classifiers, NLP analysis | BEC, phishing |
|
|
| URL | Rewriting + time-of-click sandbox | Credential theft |
|
|
| Attachment | Static + dynamic sandboxing | Malware, ransomware |
|
|
| Post-delivery | TRAP (auto-retraction) | Weaponized after delivery |
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Plan Mail Flow Architecture
|
|
- Document current MX records and mail flow path
|
|
- Identify all legitimate sending sources (marketing platforms, CRM, ticketing systems)
|
|
- Map inbound connectors and transport rules in Microsoft 365 or Google Workspace
|
|
- Plan IP allowlisting for Proofpoint egress IPs on receiving infrastructure
|
|
- Configure SPF record to include Proofpoint: `v=spf1 include:spf.protection.outlook.com include:spf-a.proofpoint.com -all`
|
|
|
|
### Step 2: Configure Proofpoint Policies
|
|
- Create organizational units matching business structure
|
|
- Define inbound mail policies: anti-spam, anti-virus, impostor detection
|
|
- Configure Smart Search quarantine with end-user digest notifications
|
|
- Set up Proofpoint Encryption for sensitive outbound messages
|
|
- Enable Targeted Attack Protection (TAP) for URL and attachment sandboxing
|
|
|
|
### Step 3: Deploy Email Authentication
|
|
- Configure DKIM signing through Proofpoint for outbound messages
|
|
- Set DMARC policy to monitor mode initially: `v=DMARC1; p=none; rua=mailto:dmarc@company.com`
|
|
- Enable inbound DMARC enforcement to reject spoofed messages
|
|
- Configure anti-spoofing rules for executive impersonation protection
|
|
|
|
### Step 4: Enable Advanced Threat Protection
|
|
- Activate URL Defense with rewriting enabled for all inbound messages
|
|
- Configure Attachment Defense sandbox policies (safe attachment mode)
|
|
- Enable Threat Response Auto-Pull (TRAP) for post-delivery remediation
|
|
- Set up TAP Dashboard alerts for targeted attack campaigns
|
|
- Configure Supplier Risk monitoring for vendor email compromise
|
|
|
|
### Step 5: Migrate MX Records
|
|
- Lower MX record TTL to 300 seconds 48 hours before cutover
|
|
- Update MX records to point to Proofpoint: `company-com.mail.protection.proofpoint.com`
|
|
- Configure connector restrictions in Microsoft 365 to accept mail only from Proofpoint IPs
|
|
- Monitor mail flow through Proofpoint Message Trace for 48-72 hours
|
|
- Verify no legitimate mail is being blocked or delayed
|
|
|
|
### Step 6: Tune and Optimize
|
|
- Review quarantine and false positive/negative rates weekly for first month
|
|
- Adjust spam thresholds based on organizational tolerance
|
|
- Add approved senders and safe lists for legitimate bulk mail
|
|
- Configure data loss prevention (DLP) rules for outbound sensitive content
|
|
- Enable email warning banners for external sender identification
|
|
|
|
## Tools & Resources
|
|
- **Proofpoint TAP Dashboard**: Real-time threat visibility and campaign tracking
|
|
- **Proofpoint TRAP**: Automated post-delivery email retraction
|
|
- **Proofpoint SER (Spam/End-user Release)**: Self-service quarantine management
|
|
- **Proofpoint Closed-Loop Email Analysis (CLEAR)**: Phishing report button integration
|
|
- **MX Toolbox**: DNS record verification and mail flow testing
|
|
|
|
## Validation
|
|
- All inbound email routes through Proofpoint (verify MX records and message headers)
|
|
- TAP Dashboard shows threat detections and blocked campaigns
|
|
- URL Defense rewrites links in test messages and sandboxes at click time
|
|
- Attachment Defense detonates test malware samples in sandbox
|
|
- TRAP successfully retracts test phishing message from inboxes post-delivery
|
|
- False positive rate below 0.1% after initial tuning period
|
|
- DMARC/SPF/DKIM authentication passes for all legitimate outbound mail
|