mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
cb8d79e068
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct techniques), verified against MITRE ATT&CK v19.1 via the official mitreattack-python library: 0 revoked, deprecated, or invalid IDs - Curate precise per-skill technique IDs for forensics, malware-analysis, threat-intel, and red-team skills (e.g. DCSync -> T1003.006, Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003) - Reconcile v19.1 tactic restructuring: Defense Evasion split into Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.* family and T1070.001/.002 remapped to active equivalents (T1685.*) - Normalize word-split tags across 35 skills (remove filename-derived stopword tags, add semantic cybersecurity tags) - Add api-reference.md for 3 skills that were missing it - Update README ATT&CK section with accurate v19.1 tactic distribution
4.2 KiB
4.2 KiB
name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
| name | description | domain | subdomain | tags | version | author | license | nist_csf | mitre_attack | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| implementing-email-sandboxing-with-proofpoint | Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry | cybersecurity | phishing-defense |
|
1.0 | mahipal | Apache-2.0 |
|
|
Implementing Email Sandboxing with Proofpoint
Overview
Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware and evasive phishing payloads. Proofpoint Targeted Attack Protection (TAP) is an industry-leading solution that uses multi-stage sandboxing, URL rewriting, and predictive analysis. This skill covers configuring Proofpoint TAP, integrating with email flow, analyzing sandbox reports, and tuning detection policies.
When to Use
- When deploying or configuring implementing email sandboxing with proofpoint capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Proofpoint Email Protection license with TAP add-on
- Admin access to Proofpoint admin console
- Understanding of email delivery architecture (MX records, mail flow rules)
- SIEM integration capability
Key Concepts
Proofpoint TAP Capabilities
- Attachment sandboxing: Detonates files in virtual machines (Windows, macOS, Android)
- URL Defense: Rewrites URLs, detonates at time-of-click
- Threat Intelligence: Proofpoint's NexusAI threat intelligence integration
- TAP Dashboard: Real-time visibility into threats targeting the organization
- Campaign correlation: Groups related attacks into campaigns
- Very Attacked People (VAP): Identifies most-targeted individuals
Sandbox Evasion Techniques Detected
- Delayed execution (time-bomb malware)
- VM detection bypass
- User interaction requirements (click-to-enable macros)
- Sandbox-aware malware that checks for analysis environment
- Encrypted/password-protected attachments
- Multi-stage payloads with delayed C2 retrieval
Workflow
Step 1: Configure TAP in Proofpoint
- Enable TAP for inbound email policy
- Configure sandbox profiles (attachment types to detonate)
- Set URL Defense rewriting policy
- Configure quarantine actions for malicious verdicts
Step 2: Tune Attachment Policies
Recommended attachment policy:
- Detonate: .exe, .dll, .scr, .doc(m), .xls(m), .ppt(m), .pdf, .zip, .rar, .7z, .iso
- Block without detonation: .bat, .cmd, .ps1, .vbs, .js, .wsf, .hta
- Password-protected archives: Attempt common passwords, then quarantine
- Dynamic delivery: Deliver email body, hold attachment until verdict
Step 3: Configure URL Defense
- Enable URL rewriting for all inbound email
- Set time-of-click detonation
- Block access to malicious URLs
- Show warning page for suspicious (not confirmed malicious) URLs
- Configure allowed domains bypass list
Step 4: Set Up TAP Dashboard Monitoring
- Configure daily threat digest emails to security team
- Set up real-time alerts for targeted attacks
- Monitor VAP report for high-risk users
- Review campaign clusters for coordinated attacks
Step 5: Integrate with SIEM
- Configure syslog/API export to SIEM
- Create correlation rules for TAP alerts
- Set up automated response workflows
Tools & Resources
- Proofpoint TAP: https://www.proofpoint.com/us/products/advanced-threat-protection
- Proofpoint TAP Dashboard: https://threatinsight.proofpoint.com/
- Proofpoint API: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation
- Proofpoint Community: https://community.proofpoint.com/
Validation
- Attachment detonation catches EICAR test file and macro-enabled document
- URL Defense rewrites and blocks known phishing URLs
- TAP Dashboard displays threat summary
- SIEM receives and alerts on TAP events