URL Rewriting and Analysis (using Outbreak Filters)

URL Defense Guide using Cisco Secure Email

Outbreak Filters

Outbreak Filters protect your network from large-scale virus outbreaks and smaller, non-viral attacks, such as phishing scams and malware distribution, as they occur.

Level | Risk       | Meaning
0     | None       | There is no risk that the message is a threat.
1     | Low        | The risk that the message is a threat is low.
2     | Low/Medium | The risk that the message is a threat is low to medium. It is a “suspected” threat.
3     | Medium     | Either the message is part of a confirmed outbreak or there is a medium to large risk of its content being a threat.
4     | High       | Either the message is confirmed to be part of a large-scale outbreak or its content is very dangerous.
5     | Extreme    | The message’s content is confirmed to be part of an outbreak that is either extremely large scale or large scale and extremely dangerous.

Cisco Secure Email provides URL defense using Outbreak Filters in the following ways:

  • URL Rewriting
  • Cloud URL Analysis
  • Web Interaction Tracking

URL Rewriting

Outbreak Filters can rewrite URLs to redirect traffic to potentially harmful websites through a web security proxy, which either warns users that the website they are attempting to access may be malicious or blocks the website completely.

Cloud URL Analysis

What is Cloud URL Analysis?
Starting with AsyncOS 13.5, Cisco Talos Intelligence Cloud Services analyzes URLs. This cloud service integrates existing WBRS information with a variety of different analysis techniques. By actively analyzing many facets of a URL, from the structure of the URL itself to information about the domain and even page contents, Cisco Talos Intelligence Cloud Services provides the ability to detect and deliver intelligence on a variety of URL-based attacks.

Items to keep in mind about Cisco Talos Intelligence Cloud Services:

  • Cisco Talos Intelligence Cloud Services is transparent to the email administrator and the end user
  • No updates or upgrades are required
  • No configuration is needed to enable Cisco Talos Intelligence Cloud Services
  • Cisco Talos Intelligence Cloud Services is a process used by Outbreak Filters

Cloud URL Analysis Prerequisites

  1. Service Logs must be enabled (Security Services > Service Logs)
  2. It is recommended to enable the Outbreak Filters feature both globally and on each applicable mail policy. URL Category and URL Reputation conditions and actions in Message and Content Filters, and URL Rewriting (an option within Outbreak Filters), only work when the feature is enabled.
  3. Within URL Filtering and Outbreak Filters, enable Web Interaction Tracking
  4. Depending on the version of AsyncOS deployed, a Message Filter may be needed for URLs included in attachments
     • The Message Filter dependency is removed as of AsyncOS 14.0

How Cisco Talos Intelligence Cloud Services is triggered

  1. An email with URL(s) looks suspicious
  2. With Outbreak Filters enabled, Cisco Talos Intelligence Cloud Services is triggered by Threat Level 1 to 5
    • Even if the email gateway is configured to NOT quarantine

Not all URLs are crawled by Cisco Talos Intelligence Cloud Services

  • Limited crawling capacity compared to ALL URLs received
  • Decisions are made as to what to crawl and what not to
  • URL redirects are consumed, up to 19 redirects

What happens to URLs received by Cisco Talos Intelligence Cloud Services?

  • Machine learning analysis
  • Heuristics (discover, learn, and report)
  • WBRS feeds (URLs are analyzed against these feeds and the results contribute back to them); this is also known as URL Filtering
    Together, these determine which URLs require crawling
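The two behaviours just described, limited crawl capacity with a selection step, and redirect chains consumed up to 19 redirects, are modelled in the following added example. It is illustrative code written for this guide, not Cisco code: the priority weights, the reading of the cap as "at most 19 hops", the reputation scale, and all sample URLs and redirect entries are assumptions constructed for the example.

```python
"""Added example (not Cisco code): crawl selection under limited capacity and
redirect resolution with a hard cap, as the guide describes for Cisco Talos
Intelligence Cloud Services. All weights, thresholds and data are assumed."""
from dataclasses import dataclass
from typing import Optional

MAX_REDIRECTS = 19  # count quoted in the guide; treating it as "at most 19 hops" is an assumption


@dataclass(frozen=True)
class Candidate:
    url: str
    wbrs_score: Optional[float]   # WBRS reputation on the -10..10 scale; None = no reputation yet
    in_attachment: bool = False   # URL was found in an attachment rather than the body


def crawl_priority(c: Candidate) -> float:
    """Higher means crawl sooner (assumed heuristic): URLs with no reputation first,
    then the most negative scores; attachment URLs get a small boost."""
    base = 25.0 if c.wbrs_score is None else 10.0 - c.wbrs_score  # score 10 -> 0, score -10 -> 20
    return base + (1.0 if c.in_attachment else 0.0)


def select_for_crawl(candidates, capacity):
    """Pick at most `capacity` URLs, highest priority first; the rest are not crawled."""
    ranked = sorted(candidates, key=crawl_priority, reverse=True)
    return [c.url for c in ranked[:capacity]]


def resolve_redirects(url, redirect_map, max_redirects=MAX_REDIRECTS):
    """Follow redirects using an in-memory map (stand-in for HTTP 3xx responses).
    Returns (last_url, chain, status); status is 'ok', 'loop' or 'too_many_redirects'."""
    chain, seen, current, hops = [url], {url}, url, 0
    while current in redirect_map:
        if hops >= max_redirects:
            return current, chain, "too_many_redirects"
        nxt = redirect_map[current]
        chain.append(nxt)
        hops += 1
        if nxt in seen:                      # A -> B -> A: stop instead of spinning
            return nxt, chain, "loop"
        seen.add(nxt)
        current = nxt
    return current, chain, "ok"


# Constructed sample data (not real URLs or scores)
SAMPLE_CANDIDATES = [
    Candidate("https://docs.example.invalid/manual", 7.5),
    Candidate("http://login-verify.example.invalid/", -8.0),
    Candidate("http://new-host.example.invalid/x", None),
    Candidate("http://promo.example.invalid/offer", -2.0, in_attachment=True),
]
# hop0 -> hop1 -> ... -> hop20 is a 20-hop chain; starting at hop1 gives exactly 19 hops
SAMPLE_REDIRECTS = {f"http://hop{i}.example.invalid/": f"http://hop{i + 1}.example.invalid/" for i in range(20)}
SAMPLE_REDIRECTS.update({
    "http://a.example.invalid/": "http://b.example.invalid/",
    "http://b.example.invalid/": "http://a.example.invalid/",
})


def demo():
    """Run the selection and redirect cases on the sample data."""
    return {
        "crawl": select_for_crawl(SAMPLE_CANDIDATES, capacity=2),
        "long_chain": resolve_redirects("http://hop0.example.invalid/", SAMPLE_REDIRECTS)[2],
        "short_chain": resolve_redirects("http://hop1.example.invalid/", SAMPLE_REDIRECTS)[2],
        "loop": resolve_redirects("http://a.example.invalid/", SAMPLE_REDIRECTS)[2],
    }


if __name__ == "__main__":
    print(demo())
```

With capacity for two crawls, the unknown-reputation URL and the strongly negative one are selected while the well-reputed documentation link is skipped; the 20-hop chain is abandoned at the cap and reported as such, so an analyst can treat "redirect budget exhausted" as a finding in its own right rather than a silent success.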

My Gateway/Cloud Gateway is running AsyncOS 13.5/13.7, what is the Message Filter needed?

  • Initially, Cisco Talos Intelligence Cloud Services runs against URLs within the email body alone. In order to consume URLs in attachments, a Message Filter is needed to expose those for analysis. Message Filters are administrable only from the command line on Cisco Secure Email. The following is our best practice Message Filter for Cisco Talos Intelligence Cloud Services; the url-reputation condition takes the score range (the full -10 to 10 range here), an allowlist (empty), and two flags that include URLs found in attachments and in the message body and subject, and url-no-reputation takes the same allowlist and flags:

    expose_attachment_urls: if (url-reputation(-10.00, 10.00, "", 1, 1)) OR (url-no-reputation("", 1, 1)) {
        log-entry("<<<=== THIS MESSAGE CONTAINED A URL, EXPOSING URL FOR CUA ===>>>");
        no-op();
    }

  • Note: The Message Filter dependency is removed as of AsyncOS 14.0

Note: Cloud Gateway customers that do not have command line access may request this to be enabled for their instance: Command Line Interface (CLI) Access

Web Interaction Tracking

The web interaction tracking feature provides information about the end users who clicked on rewritten URLs and the action (allowed, blocked, or unknown) associated with each user's click. Once you enable this feature, you can use the Web Interaction Tracking report to view information such as the top malicious URLs clicked, top users who clicked on malicious URLs, and so on.
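The URL Rewriting and Web Interaction Tracking sections above describe one mechanism end to end: the gateway rewrites each URL so the click passes through a proxy, the proxy decides to allow or block, and each click is recorded per user so a report of top malicious URLs and top users can be built. The following added example models that flow in Python; it is illustrative code for this guide, not Cisco code, and its proxy endpoint, signed-parameter rewrite format, reputation thresholds and sample message are constructed assumptions rather than the format Cisco Secure Email actually emits.

```python
"""Added example (not Cisco code): rewrite URLs through a click-time proxy and
build a web-interaction-tracking style report. Endpoint, signing scheme,
thresholds and sample data are assumptions constructed for the example."""
import base64
import hashlib
import hmac
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

PROXY_ENDPOINT = "https://click-proxy.example.invalid/r"  # assumed placeholder, not Cisco's proxy
SIGNING_KEY = b"constructed-demo-key"                     # assumed; a gateway would manage this key
URL_RE = re.compile(r"https?://[^\s<>\"']+")
BLOCK_AT_OR_BELOW = -6.0  # assumed threshold on the -10..10 reputation scale


def _sign(url: str) -> str:
    """HMAC tag over the original URL so the proxy only unwraps links it rewrote
    (otherwise the proxy becomes an open redirector)."""
    mac = hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).digest()[:12]
    return base64.urlsafe_b64encode(mac).decode()


def rewrite_url(url: str) -> str:
    """Gateway side: wrap a URL so the click goes to the proxy first."""
    if urlsplit(url).netloc == urlsplit(PROXY_ENDPOINT).netloc:
        return url  # already rewritten; never double-wrap
    return f"{PROXY_ENDPOINT}?u={quote(url, safe='')}&s={_sign(url)}"


def rewrite_body(body: str) -> str:
    """Rewrite every URL found in a plain-text message body."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def unwrap(rewritten: str) -> str:
    """Proxy side: recover the original URL; raise if the tag does not verify."""
    qs = parse_qs(urlsplit(rewritten).query)   # parse_qs already percent-decodes
    original, sig = qs["u"][0], qs["s"][0]
    if not hmac.compare_digest(sig, _sign(original)):
        raise ValueError("signature mismatch: not a URL this gateway rewrote")
    return original


def click_action(reputation: Optional[float]) -> str:
    """Proxy verdict at click time: blocked, allowed, or unknown (no reputation)."""
    if reputation is None:
        return "unknown"
    return "blocked" if reputation <= BLOCK_AT_OR_BELOW else "allowed"


def record_click(log, user, rewritten, reputation_lookup):
    """Append one tracking entry {user, url, action} and return the action."""
    try:
        original = unwrap(rewritten)
    except (KeyError, ValueError):
        log.append({"user": user, "url": rewritten, "action": "unknown"})
        return "unknown"
    action = click_action(reputation_lookup.get(original))
    log.append({"user": user, "url": original, "action": action})
    return action


def tracking_report(log, top_n=3):
    """Summaries the Web Interaction Tracking report shows: top malicious URLs
    clicked, top users who clicked them, and the action breakdown."""
    malicious = [e for e in log if e["action"] == "blocked"]
    return {
        "top_malicious_urls": Counter(e["url"] for e in malicious).most_common(top_n),
        "top_users_clicking_malicious": Counter(e["user"] for e in malicious).most_common(top_n),
        "actions": dict(Counter(e["action"] for e in log)),
    }


# Constructed sample message and reputation data (not real URLs or scores)
SAMPLE_BODY = ("Invoice ready: http://billing-update.example.invalid/pay?id=77 "
               "and docs at https://docs.example.invalid/help")
SAMPLE_REPUTATION = {
    "http://billing-update.example.invalid/pay?id=77": -8.5,
    "https://docs.example.invalid/help": 6.2,
}


def demo():
    """Rewrite the sample body, replay four constructed clicks, return the report."""
    links = URL_RE.findall(rewrite_body(SAMPLE_BODY))   # two rewritten links
    log = []
    clicks = [("alice", links[0]), ("bob", links[0]),
              ("alice", links[1]), ("carol", links[0] + "x")]   # last one has a tampered tag
    for user, link in clicks:
        record_click(log, user, link, SAMPLE_REPUTATION)
    return tracking_report(log)


if __name__ == "__main__":
    print(demo())
```

Two points the code makes explicit: the rewritten link carries a keyed tag so the proxy refuses to forward to a destination the gateway never saw (the tampered fourth click lands in the "unknown" bucket instead of being followed), and the verdict is computed at click time from the current reputation, which is what lets a URL that was clean at delivery be blocked later.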