mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-05 23:38:57 +03:00
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
107 lines
4.1 KiB
Markdown
---
name: implementing-email-sandboxing-with-proofpoint
description: Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware
  and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry
domain: cybersecurity
subdomain: phishing-defense
tags:
- phishing
- email-security
- social-engineering
- dmarc
- awareness
- sandboxing
- proofpoint
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.AT-01
- DE.CM-09
- RS.CO-02
- DE.AE-02
---

# Implementing Email Sandboxing with Proofpoint

## Overview

Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry-leading solution that uses multi-stage sandboxing, URL rewriting, and predictive analysis. This skill covers configuring Proofpoint TAP, integrating with email flow, analyzing sandbox reports, and tuning detection policies.

## When to Use

- When deploying or configuring email sandboxing with Proofpoint TAP in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation

## Prerequisites

- Proofpoint Email Protection license with TAP add-on
- Admin access to Proofpoint admin console
- Understanding of email delivery architecture (MX records, mail flow rules)
- SIEM integration capability

## Key Concepts

### Proofpoint TAP Capabilities

1. **Attachment sandboxing**: Detonates files in virtual machines (Windows, macOS, Android)
2. **URL Defense**: Rewrites URLs, detonates at time-of-click
3. **Threat Intelligence**: Proofpoint's NexusAI threat intelligence integration
4. **TAP Dashboard**: Real-time visibility into threats targeting the organization
5. **Campaign correlation**: Groups related attacks into campaigns
6. **Very Attacked People (VAP)**: Identifies most-targeted individuals

### Sandbox Evasion Techniques Detected

- Delayed execution (time-bomb malware)
- VM detection bypass
- User interaction requirements (click-to-enable macros)
- Sandbox-aware malware that checks for analysis environment
- Encrypted/password-protected attachments
- Multi-stage payloads with delayed C2 retrieval

## Workflow

### Step 1: Configure TAP in Proofpoint

- Enable TAP for inbound email policy
- Configure sandbox profiles (attachment types to detonate)
- Set URL Defense rewriting policy
- Configure quarantine actions for malicious verdicts

### Step 2: Tune Attachment Policies

```
Recommended attachment policy:
- Detonate: .exe, .dll, .scr, .doc(m), .xls(m), .ppt(m), .pdf, .zip, .rar, .7z, .iso
- Block without detonation: .bat, .cmd, .ps1, .vbs, .js, .wsf, .hta
- Password-protected archives: Attempt common passwords, then quarantine
- Dynamic delivery: Deliver email body, hold attachment until verdict
```

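The policy above is evaluated inside TAP, so there is nothing to run locally; the following added example (not Proofpoint code, not part of the original skill) reimplements the same four decisions so they can be checked against sample files. It judges by the final extension (so `invoice.pdf.exe` is an `.exe`), recognises archives by magic bytes even when the name says otherwise, and reads the encryption bit from a ZIP local file header to route password-protected archives to a hold. The `sample_zip` helper is constructed test data; RAR and 7z encryption flags sit deeper in their headers and are not parsed here.

```python
"""Attachment triage that applies the recommended policy above.

Added example, not Proofpoint's code: TAP evaluates its policy server-side.
This reimplements the same decisions locally so the categories (detonate,
block, password-protected hold, deliver) can be tested against sample files.
"""
import io
import struct
import zipfile
from dataclasses import dataclass
from typing import Optional

# Extensions from the policy table; "(m)" expands to plain and macro-enabled.
DETONATE = {"exe", "dll", "scr", "doc", "docm", "xls", "xlsm", "ppt", "pptm",
            "pdf", "zip", "rar", "7z", "iso"}
BLOCK = {"bat", "cmd", "ps1", "vbs", "js", "wsf", "hta"}

# Magic bytes used to recognise archives whatever their extension says.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",          # prefix shared by RAR4 and RAR5
    b"7z\xbc\xaf\x27\x1c": "7z",
}
ZIP_FLAG_ENCRYPTED = 0x0001  # bit 0 of the ZIP general-purpose flag word


@dataclass
class Verdict:
    action: str  # "detonate", "block", "hold" or "deliver"
    reason: str


def extension(filename: str) -> str:
    """Final extension only, so 'invoice.pdf.exe' is judged as .exe."""
    name = filename.rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[-1] if "." in name else ""


def archive_type(data: bytes) -> Optional[str]:
    return next((kind for magic, kind in ARCHIVE_MAGIC.items()
                 if data.startswith(magic)), None)


def zip_is_encrypted(data: bytes) -> bool:
    """Read the first local file header; the flag word sits at offset 6."""
    if len(data) < 30 or archive_type(data) != "zip":
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & ZIP_FLAG_ENCRYPTED)


def triage(filename: str, data: bytes) -> Verdict:
    ext = extension(filename)
    kind = archive_type(data)
    if ext in BLOCK:
        return Verdict("block", f".{ext} is blocked without detonation")
    if kind == "zip" and zip_is_encrypted(data):
        # Policy: attempt common passwords, then quarantine. The password
        # step belongs to the sandbox pipeline; here the file is held.
        return Verdict("hold", "password-protected archive, quarantine pending verdict")
    if kind and ext not in DETONATE:
        # Content says archive, name says otherwise: detonate anyway.
        return Verdict("detonate", f"{kind} archive disguised as .{ext or 'none'}")
    if ext in DETONATE:
        # RAR/7z encryption is not parsed here; the sandbox handles those.
        return Verdict("detonate", f".{ext} is in the detonation list")
    return Verdict("deliver", "not covered by the policy")


def sample_zip(encrypted: bool) -> bytes:
    """Constructed test archive. The stdlib cannot write encrypted zips,
    so the encryption bit is set by hand in the local header (offset 6)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ZIP_FLAG_ENCRYPTED
    return bytes(data)
```

The order of the checks matters: the block list wins over everything, the encryption check runs before the detonation list so a `.zip` never goes to the sandbox with a password it cannot open, and the magic-byte check catches archives renamed to an unlisted extension.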
### Step 3: Configure URL Defense

- Enable URL rewriting for all inbound email
- Set time-of-click detonation
- Block access to malicious URLs
- Show warning page for suspicious (not confirmed malicious) URLs
- Configure allowed domains bypass list

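To make the rewriting and bypass-list behaviour concrete, here is an added example (not Proofpoint's URL Defense, which uses its own rewrite format and infrastructure) of the mechanism: every `http(s)` link in an inbound message body is replaced with a link to a click-time gateway, carrying the original URL and an HMAC so the gateway can refuse tampered links; domains on the bypass list are left untouched. The gateway host, signing key and query parameter names are assumptions made up for this example.

```python
"""Click-time URL rewriting with an allowed-domains bypass.

Added example, not Proofpoint code. GATEWAY, SIGNING_KEY and the "u"/"sig"
parameters are assumptions for the demo; TAP's real rewrite format differs.
"""
import base64
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://urlgateway.example.com/click"          # assumed gateway
SIGNING_KEY = b"constructed-demo-key-not-for-production"  # constructed
ALLOWED_DOMAINS = {"example.com", "intranet.example.net"}  # bypass list
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(token: str) -> str:
    # 128-bit truncation keeps the link short; compare with compare_digest.
    return hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).hexdigest()[:32]


def host_allowed(url: str) -> bool:
    """Exact or subdomain match only: 'example.com.evil.net' must not pass."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def rewrite(url: str) -> str:
    """Rewrite one URL; allowed domains (and the gateway itself) pass through."""
    if host_allowed(url):
        return url
    token = _b64(url.encode())
    return f"{GATEWAY}?{urlencode({'u': token, 'sig': _sign(token)})}"


def rewrite_body(body: str) -> str:
    """Rewrite every http(s) link in a plain-text message body."""
    return URL_RE.sub(lambda m: rewrite(m.group(0)), body)


def resolve(rewritten: str) -> Optional[str]:
    """Gateway side: verify the signature and return the original URL,
    or None when the link does not belong to the gateway or was tampered with.
    The time-of-click verdict lookup would run on the returned URL."""
    parts = urlsplit(rewritten)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != GATEWAY:
        return None
    query = parse_qs(parts.query)
    token = query.get("u", [""])[0]
    sig = query.get("sig", [""])[0]
    if not hmac.compare_digest(sig, _sign(token)):
        return None
    return _unb64(token).decode()
```

Because the gateway host is itself a subdomain of an allowed domain, a message that already contains rewritten links is not rewritten twice. The signature is what lets the gateway reject a link whose encoded target was edited after the fact.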
### Step 4: Set Up TAP Dashboard Monitoring

- Configure daily threat digest emails to security team
- Set up real-time alerts for targeted attacks
- Monitor VAP report for high-risk users
- Review campaign clusters for coordinated attacks

### Step 5: Integrate with SIEM

- Configure syslog/API export to SIEM
- Create correlation rules for TAP alerts
- Set up automated response workflows

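The correlation rules in this step, and the VAP and campaign views from Step 4, can be expressed over the event feed the TAP API exposes. The following added example (not a Proofpoint tool, not part of the original skill) pulls events with a service principal and turns them into prioritised alerts: a permitted click on a condemned URL outranks a malicious message that was delivered before its verdict, and blocked messages and clicks are kept as informational context. The event shape (`messagesDelivered`, `messagesBlocked`, `clicksPermitted`, `clicksBlocked`, each carrying `threatsInfoMap` or click fields) follows the TAP SIEM API described in the API documentation linked under Tools & Resources; the endpoint constant, parameter names and the embedded sample payload are assumptions and constructed data and should be checked against that documentation before use.

```python
"""Correlation rules over Proofpoint TAP SIEM API events.

Added example, not a Proofpoint tool. SIEM_URL, the query parameters and
SAMPLE are assumptions/constructed data modelled on the TAP SIEM API docs.
"""
import base64
import json
import urllib.request
from collections import Counter, defaultdict

SIEM_URL = "https://tp-api.proofpoint.com/v2/siem/all"  # assumed endpoint
SEVERITY_ORDER = {"critical": 0, "high": 1, "info": 2}


def fetch_siem(principal: str, secret: str, since_seconds: int = 3600) -> dict:
    """Pull recent events with a TAP service principal (HTTP Basic auth)."""
    req = urllib.request.Request(
        f"{SIEM_URL}?format=json&sinceSeconds={since_seconds}")
    cred = base64.b64encode(f"{principal}:{secret}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def correlate(payload: dict) -> list:
    """Turn raw events into alerts, most urgent first."""
    alerts = []
    for msg in payload.get("messagesDelivered", []):
        # Verdict arrived after delivery: the message sits in a mailbox now.
        active = [t for t in msg.get("threatsInfoMap", [])
                  if t.get("threatStatus") == "active"]
        if active:
            alerts.append({"severity": "high",
                           "rule": "malicious message delivered, retract and investigate",
                           "recipients": msg.get("recipient", []),
                           "subject": msg.get("subject"),
                           "classifications": sorted({t["classification"] for t in active})})
    for click in payload.get("clicksPermitted", []):
        # The user reached the URL before it was condemned: treat the
        # endpoint as suspect until checked.
        alerts.append({"severity": "critical",
                       "rule": "click on malicious URL was permitted",
                       "recipients": [click.get("recipient")],
                       "url": click.get("url"),
                       "classifications": [click.get("classification")]})
    for msg in payload.get("messagesBlocked", []):
        alerts.append({"severity": "info", "rule": "message blocked",
                       "recipients": msg.get("recipient", []),
                       "subject": msg.get("subject")})
    for click in payload.get("clicksBlocked", []):
        alerts.append({"severity": "info", "rule": "click blocked",
                       "recipients": [click.get("recipient")], "url": click.get("url")})
    alerts.sort(key=lambda a: SEVERITY_ORDER[a["severity"]])
    return alerts


def most_targeted(payload: dict, top: int = 3) -> list:
    """Threat count per recipient, the view the VAP report gives."""
    counts: Counter = Counter()
    for key in ("messagesDelivered", "messagesBlocked"):
        for msg in payload.get(key, []):
            for rcpt in msg.get("recipient", []):
                counts[rcpt] += len(msg.get("threatsInfoMap", []))
    return counts.most_common(top)


def campaigns(payload: dict) -> dict:
    """Group recipients by campaignID to surface coordinated attacks."""
    groups = defaultdict(set)
    for key in ("messagesDelivered", "messagesBlocked"):
        for msg in payload.get(key, []):
            for threat in msg.get("threatsInfoMap", []):
                if threat.get("campaignID"):
                    groups[threat["campaignID"]].update(msg.get("recipient", []))
    return {cid: sorted(rcpts) for cid, rcpts in groups.items()}


# Constructed sample payload in the SIEM API shape (not real TAP output).
SAMPLE = {
    "queryEndTime": "2024-01-01T00:00:00Z",
    "messagesDelivered": [{
        "messageID": "<msg-1@mail.example>", "sender": "billing@vendor.invalid",
        "recipient": ["alice@corp.example"], "subject": "Invoice 4471",
        "threatsInfoMap": [{"threatType": "attachment", "classification": "malware",
                            "threatStatus": "active", "campaignID": "camp-1"}]}],
    "messagesBlocked": [{
        "messageID": "<msg-2@mail.example>", "sender": "it-desk@vendor.invalid",
        "recipient": ["alice@corp.example", "bob@corp.example"],
        "subject": "Password reset required",
        "threatsInfoMap": [{"threatType": "url", "classification": "phish",
                            "threatStatus": "active", "campaignID": "camp-1"}]}],
    "clicksPermitted": [{"recipient": "bob@corp.example",
                         "url": "https://phish.invalid/login",
                         "classification": "phish",
                         "clickTime": "2023-12-31T23:40:00Z"}],
    "clicksBlocked": [],
}
```

Run `correlate(fetch_siem(principal, secret))` on a schedule and forward the result to the SIEM; the `high` and `critical` rules are the ones that should trigger the automated response workflows (mailbox retraction, endpoint isolation ticket), while `most_targeted` and `campaigns` feed the recurring VAP and campaign reviews.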
## Tools & Resources

- **Proofpoint TAP**: https://www.proofpoint.com/us/products/advanced-threat-protection
- **Proofpoint TAP Dashboard**: https://threatinsight.proofpoint.com/
- **Proofpoint API**: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation
- **Proofpoint Community**: https://community.proofpoint.com/

## Validation

- Attachment detonation catches EICAR test file and macro-enabled document
- URL Defense rewrites and blocks known phishing URLs
- TAP Dashboard displays threat summary
- SIEM receives and alerts on TAP events