1

How to Guide Revision 1.1

McAfee Advanced Threat Defense Email Connector for Cisco

Email Security Appliance

Overview: This “How to Guide” provides instructions for setting up McAfee® Advanced Threat Defense (ATD) Email Connector with Cisco© Email Security Appliance (ESA). The McAfee Email Connector, when interoperating with ESA, will function as a mail transfer agent (MTA) to scan messages that contain attachments. Through the interoperation of ESA and the Email Connector, ESA scans messages using its varying security engines and if it determines the message to be delivered/clean but still needs to be scanned by ATD the message will be relayed to the ATD Email Connector for further inspection. The Email Connector receives the message from ESA via SMTP, and will begin to scan the attachment using its advanced detection capability.

Once a verdict is determined for the attachment it will be placed in an X-header of the message and relayed back to ESA, which at that point the header will be scanned by ESA. If the verdict is determined to be clean, the message can be sent forward to the intended recipient. If the verdict is determined to be malicious, then ESA can determine further action based on the policy configuration set forth on the appliance.

1 Configuring the Email Connector on ATD Advanced Threat Detection Version Compatibility:

• Version 4.0

Email Security Appliance Version Compatibility:

• Version – Any currently supported release

For the purposes of this document we shall assume that a single secure email gateway (SEG) will be used to handle both the inbound messages and the messages returned from McAfee’s Advanced Threat Defense (ATD). The assumption that administrator has base knowledge of ATD and Cisco’s Email Security Appliance (ESA) SEG. You will be required to make some configuration changes on your Cisco ESA and your McAfee ATD Email Connector.

2

ATD Email Connector settings Before ATD will accept SMTP connections from the ESA you must enable the Email Connector and provide suitable values for the following configuration

• Permitted Hosts – Add the IP address, hostname or subnet from which the ATD Email Connector is allowed to receive email (the inbound Cisco ESA).

• Smart Host – Set the IP address/hostname and port for the Cisco ESA that will receive the returned email messages, process the headers, and enforce the threat policy.

Access your ATD Appliance

a. Begin the configuration process.

Under the Manage tab, navigate to Email Connector > Configuration.

Under “Receiving Email”, check the “Enable Email Connector” box.

The Listen Port will be set to 25.

Pull down the menu for “Use TLS Connection” and choose If Available.

b. A Permitted Host will need to be configured – In this case, it will be ESA.

With the Host Type field selected with the IP Address option, and the designated IP Address of ESA in the required fields, then click Add.

3

2 Configuring the Cisco Email Security Appliance

Messages sent to ATD could take a considerable amount of time to scan if the attachments require a full sandbox scan. The operation of the ATD Email Connector is such that it does not ‘accept’ the email from the sending to ESA until its scan is complete and the message is delivered to the configured smart host.

To preserve ATD resources, the inbound ESA should perform all anti-spam, anti-virus and any other filtering that may ultimately result in the message being blocked. Redirection of the message to the ATD Email Connector should only occur when the message would be delivered or further processed if the ATD verdict is ‘clean’.

This portion will cover the configuration process on ESA to relay messages to ATD, in addition to accepting messages being sent back from ATD that have been further analyzed. This guide will walk thru how to configure the routing on the default incoming mail policy. Administrators can leverage this connectivity on custom policies, but that is out of scope for this document.

4

The goal of the inbound message handling configuration is to:

• Leverage all the security elements licensed for the Cisco Email Security Appliance: Anti-Spam, Anti-Virus, Outbreak Filters, etc.

• Perform built-in threat detection, attachment filtering and other threat compliance policy actions to filter messages that violate policy and would not be delivered regardless of the result of the advanced threat scan.

• Identify inbound messages that should be scanned by ATD

• Redirect the message to ATD for advanced threat scanning.

a. Cisco Email Security Scanning/Delivering to ATD via Content Filter

Login to your ESA appliance to configure the Incoming Content Filters.

Under the Mail Policies tab, navigate to Incoming Content Filters.

Click on the “Add Filter” button, at which point you will be taken to the Add Incoming Content Filter page. Choose a name for the filter name, and once complete, click on the “Add Condition” button.

5

Under the condition parameters, choose Attachment File Info and add a file filter based on the file type. Based on the supported file types of ATD, include file type conditions for file types that you wish to be forwarded to the Email Connector.

Next, under the conditions area, locate the Actions area. Here you will add an action to Send to Alternative Destination Host.

6

This host will be the IP (#.#.#.#) of the ATD appliance. Once you have filled the appropriate IP into the Mail Host field, click “OK”, then submit your changes. Ensure you click the “Commit Changes” button to publish the changes in configuration. Once the content filter for incoming mail has been established, head to Incoming Mail Policies and ensure that the content filter that was created for ATD is applied under the policies for Content Filters.

Submit and commit the changes.

b. Content Filter for Receiving Scanned email from McAfee ATD and Smart Host back to ESA

First, there should be a defined “Listener” on ESA dedicated to accept email from ATD. The documented process in ATD will be receiving email on port 25 from ESA that was described in the previous section. For delivery acceptance from ATD to ESA, this “Listener” should be customized on an existing “Listener” on port 4444 (or match what is configured in ATD). Network – Adding Listeners

7

Setting up the listeners on ESA is necessary to ensure that the ATD appliance will accept messages being forwarded from ESA.

• Head to the Network tab, and from the pulldown menu, select Listeners.

• Click the “Add Listener” button in the Listeners field Add the name of the listener. From the Interface pulldown menu, select mgmt. (or the existing IP interface used for email processing). Set TCP Port is set to 4444.

All other settings are left as default. Submit the changes.

8

This dedicated listener should have the security engines disabled to remove the risk of double counting or skewing the reports. Define in the HAT overview how the inbound email from ATD should be processed. Add the sending IP Address of ATD to the “WHITELIST” in the HAT for the new listener defined in the previous step (for example it is Accept From ATD).

Next, you will need to set a filter for accepting the mail as well to define how ESA will route the email.

Under the Mail Policies tab, navigate to Incoming Content Filters.

Click the “Add Filter” button, at which point you will be taken to the Add Outgoing Content Filter page. Choose a name for the filter name, and once complete, click on the “Add Condition” button.

At this point, two conditions will be implemented which allow scanning of the X-header of the returning message from ATD. Define two cases with an “and” clause to look for the X-Header added as well as being received on the newly defined listener. Enabling scanning of the “X-ATD”-#, will ensure that ESA will scan the X-header for the verdict and determine next steps based on the policy configuration. The recommended values to quarantine or drop for X-ATD are 4 or 5. The value of 3 should be marked up with a warning to the end user of potential malicious content and to open with care. Please see the appendix A for the other values of X-ATD.

This example below processes the inbound email by

• This is a filter that checks to make sure it is coming in on the custom/dedicated listener for email from ATD and looking for an ATD score of 5.

• We then will notify the administrator that this has occurred

• We will add a specific log entry to make sure we can track this in the logs

9

• Drops the message and does no further processing

After Submitted the filter should be seen at the top of the list

The same way that was done for the processing of emails to be sent to ATD, the administrator needs to add the defined filter to the default policy. Go to Mail Policies – Incoming Mail Policies and edit the content filters as before. Note: be careful of the order of the filters enabled as they are processed in the order defined in the list. Be sure to commit and save your changes.

10

Appendix A: Headers summary

In-line with convention the ATD Email Connector will always add a ‘Received’ header to a message. Additionally, since the ATD Email Connector uses Email headers to communicate the results of the ATD scans to the Smart Host/Secure Email Gateway which is responsible for enforcing the organizational policy, it may also add a number of headers with the prefix X-ATD. All of the X-ATD headers discussed below will be removed from a message when it is received by ATD to prevent interference from outside sources. No other headers will modified. In this section we describe the headers, their values, and the conditions under which they will be added to a message being returned from ATD Basic headers

The basic headers have a very simple format which is intended to be evaluated by a Secure Email Gateway. X-ATD-VERDICT - This header is added to all messages that have passed through ATD. Its value indicates the overall threat verdict for the Email. Possible values for this header are shown in the table below

5 Malicious

-1 Clean 4 Malicious -2 Failure to scan 3 Likely malicious -3 Scan timeout 2 Low activities -6 No attachments to scan 1 Very low activity -7 Scanning is disabled (see X-

ATDSILENTMODE) 0 Informational -8 ATD is too busy to service new scanning

requests. At least one attachment has not been scanned and does not have a cached result (see X-ATD-TOOBUSY)

The value of the X-ATD-VERDICT value indicates the most severe verdict for all of the attachments of the email. The most severe verdict in relation to other verdicts is calculated by ATD. To ensure ATD is offering the best protection, inability to scan (due to timeout, failure, or resource shortage) will take priority over all but ‘Malicious’ and ‘likely malicious’ verdicts. X-ATD-SILENTMODE - This informational header is added to all messages that have passed through ATD when the email scanning capability is disabled from with the ATD UI by enabling ‘Profiling Mode’. The value of this header will always be ‘1’.

11

X-ATD-TOOBUSY - This informational header is added to all messages that have passed through ATD while it is too busy to process new attachments for scanning, and ATD is configured in Email pass-through mode. Its value will always be ‘1’. Since ATD includes a results cache, the X-ATD-VERDICT should be referenced to determine whether the attachments were scanned in a previous submission. Advanced headers

Advanced headers are formatted as comma separated lists. They are made available for interpretation by custom parsers, for logging and data analytics. They are human readable and may also be useful for troubleshooting. X-ATD-FILENAMES - This header is added to all messages that have passed through ATD that have attachments. It contains a comma separated list the names of all the attachments in a message. X-ATD-ALTFILENAMES - This header is added to all messages that have passed through ATD that have attachments. It contains a comma separated list whose entries correspond with those of the X-ATD- FILENAMES. If the result of scan was retrieved from the cache, filenames in this list represent the filename under which the attachment was originally scanned. X-ATD-FILEHASHES - This header is added to all messages that have passed through ATD that have attachments. It contains a comma separated list of the hashes corresponding with the filenames present in XATD-FILENAMES. X-ATD-FILEVERDICTS - This header is added to all messages that have passed through ATD that have attachments. It contains a comma separated list of the verdicts for each attachment, corresponding with the filenames and hashes present in X-ATD-FILENAMES. Possible values for this header are shown in the table below.

5 Malicious

-1 Clean 4 Malicious -2 Failure to scan 3 Likely malicious -3 Scan timeout 2 Low activities -4 Attachment filtered by global

file-type rules 1 Very low activity -5 Attachment filtered by file

filtering rules 0 Informational -8 Attachment not scanned. ATD

Too Busy Sample message

Example of the headers returned by ATD: Received: from seg.company.com ([10.173.232.95] helo=seg.company.com) by mailboxes.company.com with esmtp (Exim 4.86_2) (envelope-from <joe@othercompany.com>) id 1ctAaW-0002aE-GO for joe@company.com; Wed, 29 Mar 2017 11:12:24 +0100 Received: from vatd2-ec.company.com (unknown [10.173.232.131]) by seg.company.com with smtp (TLS: TLSv1/SSLv3,256bits,DHE-RSA-AES256-GCM-SHA384)

12

id 6e81_1f77_9725a691_26ca_4250_8b8d_7151c1875908; Wed, 29 Mar 2017 10:12:23 +0000 Received: from seg.company.com (unknown [10.173.232.95]) by vatd2-ec.company.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-GCM-SHA384) id 507f_6949_28a3ec56_2d34_4ed3_ae1e_6d29a2e45700; Wed, 29 Mar 2017 15:41:42 +0530 Received: from [10.252.60.50] (unknown [10.252.60.50]) by seg.company.com with smtp id 6e81_1f66_cfa5dfe7_7322_4656_a65c_517885309124; Wed, 29 Mar 2017 10:11:42 +0000 To: joe@exchange.company.com From: Bill <bill@othercompany.com> Subject: Test ATD Email Date: Wed, 29 Mar 2017 11:11:41 +0100 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------68F516BFEF9F32D5955D50AF" X-ATD-FILENAMES: OCS-Tree.pdf,OCS-Leaf.pdf X-ATD-ALTFILENAMES: OCS-Tree.pdf,OCS-Leaf.pdf X-ATD-FILEHASHES: 5718e9d6cc4d870bd750159d7e70b518,9e51ba2ab334a1e0d8df70697a9ccf0c X-ATD-FILEVERDICTS: -1,0 X-ATD-VERDICT: 0 Advanced Content Filter Example using the above values

McAfee LLC McAfee, the McAfee logo are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. 2821 Mission College Blvd. and/or other countries. Copyright © 2017 McAfee LLC. www.mcafee.com Santa Clara, CA 95054 Cisco and Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and USA other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks