So, to catch such attacks, we quarantine all incoming emails that carry protected archives in a dedicated IronPort quarantine. This quarantine is configured to release its contents automatically after a chosen number of hours, e.g. 3 hours. That 3-hour window gives the SOC analyst the chance to stop a campaign of 200+ malicious emails before they reach the victims' inboxes.
1) We create a new quarantine and call it "Protected_Archives_Q", setting the "Retention Period" to 3 hours and the "Default Action" to "Release".
Monitor => "Policy, Virus and Outbreak Quarantines" => click "Add Policy Quarantine"
2) We create a new "Content Filter" and call it "Protected_Archives".
"Mail Policies" => "Incoming Content Filters" ==> "Add Filter"
3) We add a new condition for compressed file types.
"Add Condition" => "Attachment File Info" => "File Type" => "Is" => "Compressed"
4) We add another condition for protected files.
"Attachment Protection" => "One or more attachments are protected."
5) In the "Apply Rule" drop-down, we select "Only if all conditions match", and then add the quarantine action:
"Add Action" => "Quarantine" => "Send message to quarantine:" => "Protected_Archives_Q"
The content filter is now complete. Finally, we enable it in the incoming mail policy:
"Mail Policies" => "Incoming Mail Policies" => "Content Filters" => Select "Enable" on "Protected_Archives"
This is not the end of it. In practice, the SOC team has a lot to do when it comes to cases like protected archives. For example, with each false positive, e.g. a legitimate sender such as bank@veryimportantbank.com that happens to send protected archives to your users, the SOC analyst has to update the filter to exempt "bank@veryimportantbank.com" by adding an exemption for that sender.
Even exempting certain senders (envelope senders) from your filter is not enough. For example, there has to be another content filter that verifies the "SPF" result for e.g. veryimportantbank.com, and this SPF filter must have a lower order number than "Protected_Archives", i.e. it must be processed first. Don't worry, we will cover this later.
It is also worth noting that the SOC team should make users aware that banks, for example, never send their customers the password for a statement in the same email as the attachment.
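As an added illustration (not the post's own code and nothing from Cisco), the following Python models the filter logic described above: the two conditions combined with "Only if all conditions match", the quarantine action, and a sender exemption that is honoured only when an SPF filter ordered before this one has passed. Attachment "protection" is detected from the ZIP encryption flag; the sample archives, the sender list and the SPF verdict are constructed here.

```python
import io
import zipfile
from dataclasses import dataclass

# Constructed stand-ins for the post's quarantine name and sender exemption.
QUARANTINE = "Protected_Archives_Q"
EXEMPT_SENDERS = {"bank@veryimportantbank.com"}


@dataclass
class Message:
    envelope_sender: str
    attachments: list          # list of (filename, raw bytes)
    spf_pass: bool = False     # verdict of an SPF filter assumed to run earlier


def is_compressed(blob: bytes) -> bool:
    """'File Type is Compressed' condition, approximated by the ZIP magic."""
    return blob.startswith(b"PK\x03\x04")


def is_protected_archive(blob: bytes) -> bool:
    """'One or more attachments are protected': bit 0 of the general-purpose
    flag in a ZIP central-directory entry marks that entry as encrypted."""
    if not is_compressed(blob):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def filter_action(msg: Message) -> str:
    """'Only if all conditions match'; an exempt sender is honoured only when
    the SPF filter ordered before this one passed, as the post requires."""
    hit = any(is_compressed(b) and is_protected_archive(b)
              for _, b in msg.attachments)
    exempt = msg.envelope_sender in EXEMPT_SENDERS and msg.spf_pass
    return f"quarantine:{QUARANTINE}" if hit and not exempt else "deliver"


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed one-entry ZIP. zipfile cannot write encrypted archives, so
    the 'encrypted' variant sets the flag bit by hand in the local header
    (offset 6) and the central-directory entry (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)
```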