IoC Feeds

Introduction

An Indicator of Compromise (IoC) identifies malicious activity in a cyber environment, and consists of:

Together, these elements turn raw data into actionable threat intelligence.

An Observable is an event or a stateful property that can be observed in an operational cyber environment, such as:

Observables are raw data points. They become actionable threat indicators with added behavior descriptions and context.

Threat indicators demonstrate attacks through:

Observable patterns

Example: Repeated communication with known command-and-control (C2) servers or the presence of malicious files.
Behavioral characteristics

Example: Lateral movement, process injection, data exfiltration attempts, unusual login activity, and other attacker techniques.
Contextual and descriptive metadata

Context gives meaning to the indicator and enables automated and human-driven response. Contextual information may include:
- Indicator type
- Source
- Severity
- Confidence level
- Recommended action (prevent, detect, log)
- Timestamps
- Descriptions
- References
- Associated security products such as Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT., Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., or IPS.

Indicators are derived from multiple sources, including:

The IoC Feeds feature fetches feeds from a third-party server directly to the Security Gateway A dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.. The Security Gateway enforces the feeds through the Anti-Bot, Anti-Virus and IPS engines, in addition to the feeds included in the Check Point packages and ThreatCloud feeds. The IoC Feeds feature manages and monitors indicators with minimum operational overhead.

To configure an IoC Feed for Locally Managed Spark Firewall Appliances:

In the WebUI, go to Threat Prevention view > Threat Prevention section > IoC Feeds page.
Select IoC Feeds enabled.
Click New.

The Add Feed configuration window opens.
Select Active.
In the Feed Name field, enter a unique name for the feed.
In the Resource field, enter the full URL that starts with http:// or https://

The supported feed formats are:
- Check Point format
- Custom CSV format
These are the supported types of observables:
- IP
- IP range
- Domain
- URL
- Hashes (MD5, SHA1, SHA256)
- Email attributes (Subject, From, To, CC, Reply to)
See sk132193 for more information on the feed settings.
Click Test.

The Security Gateway checks if it can fetch the feed.
In the Action field, select the applicable action:
- Prevent - Threat Prevention Software Blades block the detected observable.
- Detect - Threat Prevention Software Blades logs and allows the detected observable to pass.
Click Save.

The new IoC Feed appears in the IoC Feeds page.
By default, the Security Gateway fetches the feed every 30 minutes and enforces them immediately. To change the interval:
1. Click Settings in the top toolbar of the WebUI.
  
  The IoC Feeds Settings window opens.
2. In the Fetch Interval (sec) field, change the value (in seconds) as necessary.
3. Click Save.
You can edit, delete or enable/disable a feed using the top toolbar of the WebUI.

IoC Feeds do not support:

Snort and STIX formats
User authentication for a feed
Use of Gateway proxy for connection to the external feed
These commands in Expert mode: add, push, export, show_interval, set_interval, set_scanning_mode, yes, no_proxy, self_sign_certificate, format, delimeter, comment, feed_file_type, severity, confidence, performance_impact.
Fetching feeds from an HTTPS server with a self signed certificate.