mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-15 15:34:56 +03:00
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
127 lines
6.2 KiB
Markdown
---
name: implementing-proofpoint-email-security-gateway
description: Deploy and configure Proofpoint Email Protection as a secure email gateway to detect and block phishing, malware, BEC, and spam before messages reach user inboxes.
domain: cybersecurity
subdomain: phishing-defense
tags:
- email-security
- proofpoint
- secure-email-gateway
- phishing
- anti-spam
- anti-malware
- bec
- email-filtering
version: '1.0'
author: mahipal
license: Apache-2.0
nist_csf:
- PR.AT-01
- DE.CM-09
- RS.CO-02
- DE.AE-02
---

# Implementing Proofpoint Email Security Gateway

## Overview

Proofpoint Email Protection is a secure email gateway (SEG), delivered either as the on-premises Proofpoint Protection Server (PPS) or as the Proofpoint on Demand (PoD) cloud service. It sits in the mail path so that inbound and outbound messages are inspected before they reach user inboxes or leave the organization. It combines signature-based detection for known malware, machine-learning classifiers for emerging threats, real-time threat intelligence feeds, URL rewriting with time-of-click sandboxing, and behavioral analysis for business email compromise (BEC). Proofpoint's own figures put the platform at over 2.8 billion emails processed daily and over 1 million extortion attempts blocked per day.

## When to Use

- When deploying or configuring Proofpoint Email Protection as a secure email gateway in your environment
- When establishing email security controls aligned to compliance requirements
- When building or improving the phishing-defense architecture of your organization
- When conducting security assessments that require a secure email gateway to be in place

## Prerequisites

- Proofpoint Email Protection license (PPS on-premises or Proofpoint on Demand cloud)
- Administrative access to DNS management for MX, SPF, DKIM and DMARC record changes
- Microsoft 365 or Google Workspace mail environment (the downstream service Proofpoint delivers to)
- Understanding of mail flow architecture and SPF/DKIM/DMARC
- Network firewall rules permitting Proofpoint IP ranges to reach your mail infrastructure, and your outbound relays to reach Proofpoint

## Key Concepts

### Deployment Models

1. **MX-Based Gateway (Traditional SEG)**: All mail routes through Proofpoint via MX record changes; threats are intercepted before delivery
2. **API-Based Integration**: Connects directly to Microsoft 365 or Google Workspace via API; no MX changes required; can be operational within 48 hours
3. **Hybrid Deployment**: Combines gateway and API for layered protection

### Core Detection Technologies

- **Impostor Classifier**: ML model that detects BEC and impersonation messages carrying no malicious URLs or attachments
- **URL Defense**: Rewrites URLs and performs real-time sandboxing at time of click
- **Attachment Defense**: Detonates suspicious attachments in sandboxed virtual environments
- **Nexus Threat Graph**: Cross-customer threat intelligence correlation engine
- **Supplier Threat Protection**: Identifies compromised vendor email accounts

### Protection Layers

| Layer | Technology | Threat Type |
|---|---|---|
| Connection | IP reputation, rate limiting | Spam botnets |
| Authentication | SPF, DKIM, DMARC enforcement | Spoofing |
| Content | ML classifiers, NLP analysis | BEC, phishing |
| URL | Rewriting + time-of-click sandbox | Credential theft |
| Attachment | Static + dynamic sandboxing | Malware, ransomware |
| Post-delivery | TRAP (auto-retraction) | Messages weaponized after delivery |

## Workflow

### Step 1: Plan Mail Flow Architecture

- Document current MX records and the mail flow path
- Identify all legitimate sending sources (marketing platforms, CRM, ticketing systems) so they can be authorized rather than blocked after cutover
- Map inbound connectors and transport rules in Microsoft 365 or Google Workspace
- Plan IP allowlisting for Proofpoint egress IPs on receiving infrastructure
- Update the SPF record to include Proofpoint, since recipients of outbound mail relayed through the gateway see Proofpoint's IPs, for example `v=spf1 include:spf.protection.outlook.com include:spf-a.proofpoint.com -all`; take the exact include hostname from your Proofpoint admin console and keep the whole record within the 10 DNS-lookup limit of RFC 7208

### Step 2: Configure Proofpoint Policies

- Create organizational units matching the business structure
- Define inbound mail policies: anti-spam, anti-virus, impostor detection
- Configure quarantine folders and the End User Digest so users are notified of, and can release, their own low-risk quarantined mail (Smart Search is the message-tracing tool, not the quarantine)
- Set up Proofpoint Encryption for sensitive outbound messages
- Enable Targeted Attack Protection (TAP) for URL and attachment sandboxing

### Step 3: Deploy Email Authentication

- Configure DKIM signing through Proofpoint for outbound messages and publish the corresponding selector records in DNS
- Set the DMARC policy to monitor mode initially: `v=DMARC1; p=none; rua=mailto:dmarc@company.com`; move to `p=quarantine` and then `p=reject` once aggregate reports show every legitimate sender passing
- Enable inbound DMARC enforcement so messages that fail the sending domain's published policy are rejected or quarantined
- Configure anti-spoofing (impostor) rules for executive impersonation protection, for example display-name matches against executive names on messages from external senders

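A static check of the SPF and DMARC records published in Steps 1 and 3, as an added example that is not part of the original skill or of Proofpoint's tooling. It runs offline with the standard library only: it counts the SPF terms that each cost a DNS lookup against the RFC 7208 limit of 10, flags an open `all` qualifier, checks that the gateway include is present, and reports which stage of the `none` to `quarantine` to `reject` DMARC rollout a record is at. The include hostname `spf-a.proofpoint.com` is the one the page uses and is treated here as an assumption; substitute the name from your admin console. Nested includes are not followed, because that needs live DNS.

```python
import re

# Each of these SPF terms costs one DNS lookup; RFC 7208 section 4.6.4 caps
# a full evaluation at 10, beyond which receivers return permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10
# The include name the page uses; your tenant's real one is an assumption here.
GATEWAY_INCLUDE = "spf-a.proofpoint.com"


def lint_spf(record: str, gateway_include: str = GATEWAY_INCLUDE) -> dict:
    """Statically check one SPF record. Only this record's own lookup terms
    are counted; what the included records pull in needs live DNS."""
    out = {"valid": True, "lookups": 0, "all": None, "errors": [], "warnings": []}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        out["valid"] = False
        out["errors"].append("record must begin with v=spf1")
        return out
    includes = []
    for term in terms[1:]:
        mod = re.fullmatch(r"(redirect|exp)=(\S+)", term, re.I)
        if mod:                          # modifiers, not mechanisms
            if mod.group(1).lower() == "redirect":
                out["lookups"] += 1
            continue
        qualifier = "+"                  # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()   # drop a CIDR suffix such as a/24
        if mech in SPF_LOOKUP_TERMS:
            out["lookups"] += 1
        if mech == "include":
            includes.append(arg.lower())
        elif mech == "all":
            out["all"] = qualifier
        elif mech == "ptr":
            out["warnings"].append("ptr is deprecated and still costs a lookup")
        elif mech not in {"ip4", "ip6", "a", "mx", "exists"}:
            out["valid"] = False
            out["errors"].append(f"unknown mechanism: {mech}")
    if out["lookups"] > SPF_LOOKUP_LIMIT:
        out["valid"] = False
        out["errors"].append(f"{out['lookups']} lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}")
    if gateway_include.lower() not in includes:
        out["valid"] = False
        out["errors"].append(f"missing include:{gateway_include}; mail relayed by the gateway fails SPF")
    if out["all"] in (None, "+", "?"):
        out["valid"] = False
        out["errors"].append("record is open (no -all or ~all), so spoofed mail passes SPF")
    elif out["all"] == "~":
        out["warnings"].append("~all is softfail; switch to -all once every sender routes via the gateway")
    return out


def lint_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record and report which stage of the
    none -> quarantine -> reject rollout it represents."""
    out = {"valid": True, "policy": None, "errors": [], "warnings": []}
    tags = [(k.strip().lower(), v.strip())
            for k, _, v in (p.partition("=") for p in record.split(";") if p.strip())]
    if not tags or tags[0] != ("v", "DMARC1"):   # v=DMARC1 must come first
        out["valid"] = False
        out["errors"].append("record must begin with v=DMARC1")
        return out
    t = dict(tags)
    out["policy"] = t.get("p")
    if out["policy"] not in {"none", "quarantine", "reject"}:
        out["valid"] = False
        out["errors"].append("p= must be none, quarantine or reject")
        return out
    if not any(a.strip().startswith("mailto:") for a in t.get("rua", "").split(",")):
        out["warnings"].append("no rua= address: you get no aggregate reports showing who sends as your domain")
    if out["policy"] == "none":
        out["warnings"].append("p=none only monitors; spoofed mail is still delivered, move to quarantine then reject")
    elif t.get("pct", "100") != "100":
        out["warnings"].append(f"pct={t['pct']} applies the policy to a sample of failing mail only")
    if out["policy"] != "none" and t.get("sp", out["policy"]) == "none":
        out["warnings"].append("sp=none leaves subdomains unprotected")
    return out


if __name__ == "__main__":
    # Records from the workflow above, plus a record that misses the gateway include.
    for rec in ("v=spf1 include:spf.protection.outlook.com include:spf-a.proofpoint.com -all",
                "v=spf1 a mx include:_spf.google.com ptr ~all"):
        print(rec, "->", lint_spf(rec))
    print(lint_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@company.com"))
```

Run it against the records before you publish them; a record that fails `lint_spf` will produce SPF permerror or open-ended results at every receiver, and a DMARC record stuck at `p=none` gives you reporting but no enforcement.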
### Step 4: Enable Advanced Threat Protection

- Activate URL Defense with rewriting enabled for all inbound messages
- Configure Attachment Defense sandbox policies (safe attachment mode)
- Enable Threat Response Auto-Pull (TRAP) for post-delivery remediation
- Set up TAP Dashboard alerts for targeted attack campaigns
- Configure Supplier Risk monitoring for vendor email compromise

### Step 5: Migrate MX Records
|
|
- Lower MX record TTL to 300 seconds 48 hours before cutover
|
|
- Update MX records to point to Proofpoint: `company-com.mail.protection.proofpoint.com`
|
|
- Configure connector restrictions in Microsoft 365 to accept mail only from Proofpoint IPs
|
|
- Monitor mail flow through Proofpoint Message Trace for 48-72 hours
|
|
- Verify no legitimate mail is being blocked or delayed
|
|
|
|
### Step 6: Tune and Optimize
|
|
- Review quarantine and false positive/negative rates weekly for first month
|
|
- Adjust spam thresholds based on organizational tolerance
|
|
- Add approved senders and safe lists for legitimate bulk mail
|
|
- Configure data loss prevention (DLP) rules for outbound sensitive content
|
|
- Enable email warning banners for external sender identification
|
|
|
|
## Tools & Resources
|
|
- **Proofpoint TAP Dashboard**: Real-time threat visibility and campaign tracking
|
|
- **Proofpoint TRAP**: Automated post-delivery email retraction
|
|
- **Proofpoint SER (Spam/End-user Release)**: Self-service quarantine management
|
|
- **Proofpoint Closed-Loop Email Analysis (CLEAR)**: Phishing report button integration
|
|
- **MX Toolbox**: DNS record verification and mail flow testing
|
|
|
|
## Validation
|
|
- All inbound email routes through Proofpoint (verify MX records and message headers)
|
|
- TAP Dashboard shows threat detections and blocked campaigns
|
|
- URL Defense rewrites links in test messages and sandboxes at click time
|
|
- Attachment Defense detonates test malware samples in sandbox
|
|
- TRAP successfully retracts test phishing message from inboxes post-delivery
|
|
- False positive rate below 0.1% after initial tuning period
|
|
- DMARC/SPF/DKIM authentication passes for all legitimate outbound mail
|
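To confirm the first validation item from a delivered message rather than from DNS alone, the added example below (written for this page, not Proofpoint's or the skill author's code) walks the `Received:` chain and finds the hop at which the Microsoft 365 edge accepted the message from outside the tenant. If that hop names a Proofpoint relay, the connector restriction from Step 5 is holding; if it names an arbitrary Internet host, the gateway was bypassed. It also pulls the SPF/DKIM/DMARC verdicts from `Authentication-Results` (RFC 8601). The host-name patterns for the gateway (`*.pphosted.com`, `*.proofpoint.com`) and for the tenant (`*.outlook.com`, `*.office365.com`), and the two sample messages, are constructed assumptions; replace the patterns with your tenant's real relay names.

```python
import email
import re

# Assumed host-name patterns; the real relay names come from your Proofpoint
# tenant and Microsoft 365 tenant, so treat these as placeholders to adjust.
GATEWAY_HOST_RE = re.compile(r"\.pphosted\.com$|\.proofpoint\.com$", re.I)
TENANT_HOST_RE = re.compile(r"\.outlook\.com$|\.office365\.com$", re.I)
# Received: values read "from <host> ... by <host> ..."; re.S tolerates header folding.
RECEIVED_RE = re.compile(r"from\s+(?P<from>[\w.-]+).*?\bby\s+(?P<by>[\w.-]+)", re.S | re.I)


def parse_received(raw: str) -> list:
    """Received: hops in header order, i.e. newest (last relay) first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"from": m.group("from").lower(), "by": m.group("by").lower()})
    return hops


def entry_hop(hops: list):
    """Oldest-first, the first hop where a tenant host accepted mail from outside
    the tenant. That is the hop the Step 5 connector restriction controls."""
    for hop in reversed(hops):
        if TENANT_HOST_RE.search(hop["by"]) and not TENANT_HOST_RE.search(hop["from"]):
            return hop
    return None


def via_gateway(raw: str) -> bool:
    """True only if the tenant accepted the message from a gateway host."""
    hop = entry_hop(parse_received(raw))
    return bool(hop and GATEWAY_HOST_RE.search(hop["from"]))


def auth_results(raw: str) -> dict:
    """spf/dkim/dmarc verdicts from Authentication-Results; first occurrence wins."""
    msg = email.message_from_string(raw)
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            out.setdefault(m.group(1).lower(), m.group(2).lower())
    return out


def audit(raw: str) -> dict:
    """One-line verdict per message for a validation report."""
    hop = entry_hop(parse_received(raw))
    return {"entry_from": hop["from"] if hop else None,
            "via_gateway": via_gateway(raw),
            "auth": auth_results(raw)}


# Constructed sample headers (not real traffic). The first message came in
# through the gateway; the second was delivered straight to the tenant's
# Microsoft 365 endpoint, the bypass a connector restriction should block.
SAMPLE_VIA_GATEWAY = """\
Received: from AB1PR01MB1234.prod.outlook.com (2603:10a6::1) by AB1PR01MB5678.prod.outlook.com
 with HTTPS; Mon, 2 Jun 2025 09:15:00 +0000
Received: from mx0a-0012345.pphosted.com (205.220.0.1) by AB1.mail.protection.outlook.com (10.0.0.1)
 with Microsoft SMTP Server (TLS); Mon, 2 Jun 2025 09:14:58 +0000
Received: from mail.partner.example (198.51.100.9) by mx0a-0012345.pphosted.com with ESMTP;
 Mon, 2 Jun 2025 09:14:55 +0000
Authentication-Results: spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example;
 dmarc=pass action=none header.from=partner.example
From: Alice <alice@partner.example>
To: bob@company.com
Subject: Q3 invoice

Please find the invoice attached.
"""

SAMPLE_BYPASS = """\
Received: from AB1PR01MB1234.prod.outlook.com (2603:10a6::1) by AB1PR01MB5678.prod.outlook.com
 with HTTPS; Mon, 2 Jun 2025 09:20:00 +0000
Received: from mail.attacker.example (203.0.113.7) by AB1.mail.protection.outlook.com (10.0.0.1)
 with Microsoft SMTP Server (TLS); Mon, 2 Jun 2025 09:19:58 +0000
Authentication-Results: spf=fail smtp.mailfrom=company.com; dkim=none; dmarc=fail action=none
 header.from=company.com
From: CEO <ceo@company.com>
To: bob@company.com
Subject: Urgent wire transfer

Process this today.
"""

if __name__ == "__main__":
    for name, raw in (("via gateway", SAMPLE_VIA_GATEWAY), ("bypass", SAMPLE_BYPASS)):
        print(name, audit(raw))
```

Feed it exported `.eml` files from a sample of delivered mail after cutover; any message whose `entry_from` is not a gateway host is evidence that the connector restriction is missing or that another path into the tenant exists. Note that `Received:` headers added before the tenant's edge are attacker-controlled, which is why the check anchors on the hop the tenant itself wrote.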