Combat phishing and malicious Web links in email

    As many people probably know, I run the “Business without danger” blog, where I publish various notes on information security. As an active blogger, I keep track of all the comments users leave on my pages and, as far as possible, try to respond to them. I do not pre-moderate comments; you only need a Google account, so that comments are not anonymous (at one time anonymous users spammed the blog and I had to introduce some security measures).

    Yesterday I received a notification that a comment had been published on the blog by the user “ruslan ivanov”, a name very similar to that of my colleague in Cisco's Russian office. The comment itself, however, was rather strange and contained links to sites with malicious content, hacker tools and hacking instructions. If I worked in an ordinary company with the usual approach of protecting mail only against spam and viruses, then by clicking on the link I would have picked up a lot of “interesting” things on my computer. But Cisco is Cisco, and in our network we have deployed our own e-mail protection solution, the Cisco E-mail Security Appliance (ESA). It did its job and fully demonstrated the functionality that appeared in the latest ESA versions, namely control of Web links in e-mail.

    So, the notification I received looked like this:



    Why such non-standard links? They have simply been rewritten according to a specific policy. If I click on any of the links, the following page opens in my browser:



    After a short timeout, the page changes its contents to:



    Clicking on the links included in the comment results in access to them being blocked, protecting my computer from infection and compromise (depending on the policy settings, I may not even see the link itself, so I cannot remember or copy it). Clicking on the link to the blog post that contained the comment which triggered the ESA leads the security system to ask me whether I am confident in my decision and whether I trust this page (the page, not the whole site, which allows flexible access scenarios for large sites containing a lot of different material, both “clean” and malicious).



    How does this functionality work? It is quite simple. A bit of history first. This functionality first appeared for e-mails that the ESA anti-spam engine identified as suspicious but did not detect as spam; they nevertheless had certain signs that allowed the conclusion that the message was phishing. The Outbreak Filters engine performed the rewriting (substitution) of the URL: the URL was modified so that when it was opened, the user was automatically redirected to our cloud-based security service, which displays the verdict. Such modified links started with secure-web.cisco.com <...>.

    In the next version of the E-mail Security Appliance, we integrated our URL reputation and categorization engine directly into the ESA device itself, which allowed us to classify links in e-mail messages on the fly and rewrite URLs according to the policies defined in the organization (deleting/stripping URLs, redirecting to the cloud, leaving the original link, replacing it with some text, etc.).



    And finally, the last step was the ability to track the URLs users click on, using the URL Click Tracking mechanism, differentiated by policy and by message. Tracking is possible across different slices: by malicious/suspicious domains and by the users who click on the wrong links. The latter can be used to assess the quality of the security-awareness process (if one is implemented in the organization).
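    To make the mechanism described in the last three paragraphs concrete (on-the-fly URL classification, policy-driven rewriting, redirect through a security service, and click tracking), here is an added example that is not Cisco's code and not taken from the post. The reputation table, the policy mapping, the `secure-web.example` redirect endpoint, the signing key and the sample notification are all constructed assumptions; the real ESA does this on the appliance and in Cisco's cloud service.

```python
import hashlib
import hmac
import re
from email import message_from_string
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed reputation table standing in for the on-box URL reputation /
# categorization engine described in the post (hypothetical domains).
REPUTATION = {
    "evil-downloads.example": "malicious",
    "login-update.example": "suspicious",
    "blogspot.example": "clean",
}

# Constructed policy: verdict -> action, mirroring the options the post lists
# (delete the URL, redirect through the cloud service, keep the original link,
# replace it with text).
POLICY = {"malicious": "text", "suspicious": "redirect",
          "unknown": "redirect", "clean": "keep"}

REDIRECT_ENDPOINT = "https://secure-web.example/redirect"  # hypothetical service
TRACKING_KEY = b"constructed-demo-key"  # signs the click-tracking parameters
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def verdict_for(url):
    """Look up the most specific registered suffix of the URL's host."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    for i in range(len(labels) - 1):
        verdict = REPUTATION.get(".".join(labels[i:]))
        if verdict:
            return verdict
    return "unknown"


def sign(params):
    return hmac.new(TRACKING_KEY, params.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_url(url, msg_id, recipient):
    """Apply the policy action for one URL and return its replacement text."""
    action = POLICY[verdict_for(url)]
    if action == "keep":
        return url
    if action == "remove":
        return ""
    if action == "text":
        # The reader never sees the original URL, so cannot copy or retype it.
        return "[link removed by mail security policy]"
    # "redirect": wrap the original URL so the click passes through the security
    # service first. Message id and recipient ride along for click tracking; the
    # HMAC stops anyone forging those fields or swapping the wrapped URL.
    params = urlencode({"u": url, "m": msg_id, "r": recipient})
    return f"{REDIRECT_ENDPOINT}?{params}&s={sign(params)}"


def rewrite_message(raw):
    """Rewrite every URL in the plain-text body of an RFC 822 message."""
    msg = message_from_string(raw)
    msg_id, recipient = msg.get("Message-ID", "<none>"), msg.get("To", "")

    def repl(m):
        url = m.group(0).rstrip(".,;:!?)")  # trailing punctuation is prose, not URL
        return rewrite_url(url, msg_id, recipient) + m.group(0)[len(url):]

    return URL_RE.sub(repl, msg.get_payload())


def decode_click(redirect_url):
    """Click-tracking side: recover who clicked what, refusing tampered links."""
    q = parse_qs(urlparse(redirect_url).query)
    params = urlencode({"u": q["u"][0], "m": q["m"][0], "r": q["r"][0]})
    if not hmac.compare_digest(sign(params), q["s"][0]):
        raise ValueError("tracking signature mismatch")
    return {"url": q["u"][0], "msg_id": q["m"][0], "recipient": q["r"][0],
            "verdict": verdict_for(q["u"][0])}


# Constructed sample notification; not the author's real message.
SAMPLE = """\
From: noreply@blogspot.example
To: alice@example.org
Message-ID: <demo-001@blogspot.example>
Subject: New comment on your post

ruslan ivanov left a comment on http://security.blogspot.example/post-42.
Free tools here: http://evil-downloads.example/pack.zip and
verify your account at https://login-update.example/verify?id=7.
"""

if __name__ == "__main__":
    print(rewrite_message(SAMPLE))
```

    Running the block prints the rewritten body: the clean blog link is left alone, the malicious link is replaced by text, and the suspicious link becomes a signed redirect through the service. Feeding such a redirect link to `decode_click` yields the record a click-tracking report would aggregate (recipient, message, original URL, verdict), which is what lets the awareness-training slice described above be measured per user.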



    Using the Message Tracking function, you can track specific messages not only by parameters such as the presence of viruses, spam, malicious or suspicious links, etc., but also by the fact that these links were clicked.



    And of course, in the reports you can see summary statistics on URL links in incoming messages, including the categories to which these links belong:



    For the described functionality to work, only the Cisco E-mail Security Appliance is needed. Neither the Cisco Web Security Appliance nor a subscription to the Cisco Cloud Web Security cloud service is required to implement link monitoring in mail messages.
