As many people probably know, I run the “Business without Danger” blog, which publishes various information security notes. As an active blogger, I track all the comments that users leave on my pages and, where possible, try to respond to them. I do not premoderate comments; you only need a Google account, so that comments are not anonymous (at one time anonymous users started spamming the blog and I had to add some protection measures).
And yesterday I received a notification about the publication of a blog comment from the user “ruslan ivanov”, whose name is remarkably similar to the name of my colleague in the Russian office of Cisco. However, the comment itself was rather strange and contained links to sites with malicious content, hacker programs, and hacking instructions. If I worked in an ordinary company with the usual approach of protecting mail only from spam and viruses, clicking on such a link would have brought a lot of “interesting” things onto my computer. But Cisco is Cisco, and we have our own Cisco Email Security Appliance (ESA) email protection solution deployed, which did its job and in the process fully demonstrated the new functionality that appeared in recent versions of ESA: control of web links in email.
So, the notification I received looked like this:

Why such non-standard links? Simply because they have been rewritten in accordance with certain policies. If you click on any of the links shown, the following page opens in my browser:

After a short timeout, the page changes its contents to:

Clicking on the links included in the comment on the blog post results in access to them being blocked, to protect my computer from infection and compromise (depending on the policy settings, I may not even see the link itself and so cannot remember or copy it). Clicking on the link to the blog post itself, which contained the comment that triggered the ESA, causes the security system to ask me whether I am sure of my decision and whether I trust this page (it is the page, not the whole site, that is evaluated, which allows building flexible access scenarios for large sites containing a variety of different materials, both “clean” and malicious).

How does this functionality work? Everything is quite simple. A bit of history first. This functionality first appeared for messages that the ESA engine detected as suspicious but not as spam; they nevertheless had certain signs that allowed the conclusion that the message was phishing. The actual rewriting (replacement) of the URL was done by the Outbreak Filters engine, and the URL was modified so that, when opened, the user was automatically redirected to our cloud-based security service, which displays the verdict. Such modified links begin with secure-web.cisco.com <...>.
In the next version of the E-mail Security Appliance, we integrated our reputation analysis and URL categorization mechanism directly into the ESA device itself, which allowed links in emails to be classified on the fly and URLs to be rewritten depending on the policies defined in the organization (deleting / cutting out URLs, redirecting to the cloud, leaving the original link, replacing the link with some text, etc.).

And finally, the last step is the ability to track which URLs users actually click on, using the URL Click Tracking mechanism, differentiated by policy and by message. Tracking is possible along different dimensions: both by malicious / suspicious domains and by the users who click on bad links. The latter can be used to assess the quality of the organization's information security awareness program (if one is in place).
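To make the rewriting policies and the click tracking described in the two paragraphs above concrete, here is an added example in Python. It is not Cisco's code and does not reproduce how the ESA or secure-web.cisco.com actually work; it assumes a hypothetical gateway host `redirect.example.invalid`, a constructed reputation table in place of a real URL reputation/category feed, and a constructed comment-notification mail. The gateway signs each rewritten link with an HMAC over recipient and target, so a click can be attributed to a user without the token being forgeable, and the verdict is re-evaluated at click time, which is why the verdict page can change after a moment.

```python
import hashlib
import hmac
import re
from email import message_from_string
from urllib.parse import parse_qs, quote, urlparse

# Constructed reputation table standing in for a real URL reputation/category feed.
REPUTATION = {
    "bad.example.invalid": "malicious",
    "odd.example.invalid": "suspicious",
    "blog.example.invalid": "unknown",
    "docs.example.invalid": "clean",
}

# Per-verdict policy: keep the original link, defang it (replace with text),
# or redirect it through the gateway's verdict page.
POLICY = {"malicious": "defang", "suspicious": "redirect", "unknown": "redirect", "clean": "keep"}

REDIRECT_BASE = "https://redirect.example.invalid/verdict"  # hypothetical gateway host
SECRET = b"constructed-demo-key"                             # per-deployment signing key
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed notification mail, similar in shape to a blog-comment notification.
RAW_MAIL = """From: notifier@blog.example.invalid
To: alice@example.invalid
Subject: New comment on your post
Content-Type: text/plain; charset=utf-8

New comment from "ruslan ivanov":
  Great tools here: https://bad.example.invalid/tools and https://odd.example.invalid/p
Reply on the post: https://blog.example.invalid/notes/1234
Docs: https://docs.example.invalid/esa
"""


def verdict_for(url):
    """Look the host up in the (constructed) reputation table; unlisted hosts are 'unknown'."""
    host = urlparse(url).hostname or ""
    return REPUTATION.get(host, "unknown")


def sign(recipient, url):
    """Bind the rewritten link to recipient and target so clicks are attributable and not forgeable."""
    return hmac.new(SECRET, f"{recipient}|{url}".encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_url(url, recipient):
    """Apply the policy for the URL's verdict at delivery time."""
    action = POLICY[verdict_for(url)]
    if action == "keep":
        return url
    if action == "defang":
        return "[URL removed by mail security policy]"
    return f"{REDIRECT_BASE}?u={quote(url, safe='')}&r={quote(recipient)}&t={sign(recipient, url)}"


def rewrite_message(raw):
    """Rewrite every URL in the plain-text body of a single-part message."""
    msg = message_from_string(raw)
    recipient = msg["To"]
    return URL_RE.sub(lambda m: rewrite_url(m.group(0), recipient), msg.get_payload())


CLICK_LOG = []  # what the gateway records for reporting: who clicked what, with which verdict


def query_of(rewritten_url):
    """Parse the query string of a rewritten link into a flat dict (what the gateway receives)."""
    return {k: v[0] for k, v in parse_qs(urlparse(rewritten_url).query).items()}


def handle_click(query):
    """Gateway side: verify the token, log the click, and decide what the user sees."""
    url, recipient, token = query["u"], query["r"], query["t"]
    if not hmac.compare_digest(token, sign(recipient, url)):
        return "reject", None              # tampered or forged link
    verdict = verdict_for(url)             # re-evaluated now: reputation may have changed since delivery
    CLICK_LOG.append({"recipient": recipient, "url": url, "verdict": verdict})
    if verdict in ("malicious", "suspicious"):
        return "block", verdict
    if verdict == "unknown":
        return "confirm", verdict          # ask the user whether they trust this page
    return "allow", verdict


def click_report():
    """Summary by (recipient, verdict), the kind of slice an awareness program would look at."""
    report = {}
    for entry in CLICK_LOG:
        key = (entry["recipient"], entry["verdict"])
        report[key] = report.get(key, 0) + 1
    return report


if __name__ == "__main__":
    body = rewrite_message(RAW_MAIL)
    print(body)
    for link in URL_RE.findall(body):
        if link.startswith(REDIRECT_BASE):
            print(handle_click(query_of(link)))
    print(click_report())
```

Run as a script, it prints the rewritten body (the malicious link replaced by text, the suspicious and unknown links wrapped in signed gateway links, the clean link untouched), then the gateway's decision for each wrapped link, then the per-recipient click summary.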

Using the Message Tracking feature, you can search for specific messages not only by attributes such as the presence of viruses, spam, malicious or suspicious links, etc., but also by whether those links were clicked.

And of course, in reports you can see summary statistics on URL links in incoming messages, including the categories to which these links belong:

For the functionality described, only a Cisco E-mail Security Appliance is needed. To implement link monitoring in email messages, neither a Cisco Web Security Appliance nor a subscription to the Cisco Cloud Web Security cloud service is required.