creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-16 07:53:18 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-email-sandboxing-with-proofpoint/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

4.1 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf
name description domain subdomain tags version author license nist_csf
implementing-email-sandboxing-with-proofpoint Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry cybersecurity phishing-defense
phishing
email-security
social-engineering
dmarc
awareness
sandboxing
proofpoint
1.0 mahipal Apache-2.0
PR.AT-01
DE.CM-09
RS.CO-02
DE.AE-02

Implementing Email Sandboxing with Proofpoint

Overview

Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry-leading solution that uses multi-stage sandboxing, URL rewriting, and predictive analysis. This skill covers configuring Proofpoint TAP, integrating with email flow, analyzing sandbox reports, and tuning detection policies.

When to Use

  • When deploying or configuring implementing email sandboxing with proofpoint capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Proofpoint Email Protection license with TAP add-on
  • Admin access to Proofpoint admin console
  • Understanding of email delivery architecture (MX records, mail flow rules)
  • SIEM integration capability

Key Concepts

Proofpoint TAP Capabilities

  1. Attachment sandboxing: Detonates files in virtual machines (Windows, macOS, Android)
  2. URL Defense: Rewrites URLs, detonates at time-of-click
  3. Threat Intelligence: Proofpoint's NexusAI threat intelligence integration
  4. TAP Dashboard: Real-time visibility into threats targeting the organization
  5. Campaign correlation: Groups related attacks into campaigns
  6. Very Attacked People (VAP): Identifies most-targeted individuals

Sandbox Evasion Techniques Detected

  • Delayed execution (time-bomb malware)
  • VM detection bypass
  • User interaction requirements (click-to-enable macros)
  • Sandbox-aware malware that checks for analysis environment
  • Encrypted/password-protected attachments
  • Multi-stage payloads with delayed C2 retrieval

Workflow

Step 1: Configure TAP in Proofpoint

  • Enable TAP for inbound email policy
  • Configure sandbox profiles (attachment types to detonate)
  • Set URL Defense rewriting policy
  • Configure quarantine actions for malicious verdicts

Step 2: Tune Attachment Policies

Recommended attachment policy:
- Detonate: .exe, .dll, .scr, .doc(m), .xls(m), .ppt(m), .pdf, .zip, .rar, .7z, .iso
- Block without detonation: .bat, .cmd, .ps1, .vbs, .js, .wsf, .hta
- Password-protected archives: Attempt common passwords, then quarantine
- Dynamic delivery: Deliver email body, hold attachment until verdict

Step 3: Configure URL Defense

  • Enable URL rewriting for all inbound email
  • Set time-of-click detonation
  • Block access to malicious URLs
  • Show warning page for suspicious (not confirmed malicious) URLs
  • Configure allowed domains bypass list

Step 4: Set Up TAP Dashboard Monitoring

  • Configure daily threat digest emails to security team
  • Set up real-time alerts for targeted attacks
  • Monitor VAP report for high-risk users
  • Review campaign clusters for coordinated attacks

Step 5: Integrate with SIEM

  • Configure syslog/API export to SIEM
  • Create correlation rules for TAP alerts
  • Set up automated response workflows

Tools & Resources

Validation

  • Attachment detonation catches EICAR test file and macro-enabled document
  • URL Defense rewrites and blocks known phishing URLs
  • TAP Dashboard displays threat summary
  • SIEM receives and alerts on TAP events
Reference in New Issue View Git Blame Copy Permalink