Directly Targeted Hosts (Prevented Attacks)

Description

In the main Cyber Attack View, in the Prevented Attacks section, double-click Directly Targeted Hosts.

Note - Select the desired report period in the top left corner of this view. For example, Last 7 Days, This Month, and so on.

This drill-down view shows a summary of network and host exploit attempts.

Host exploit attempts generate the majority of Threat Prevention events.

Drill-Down View

This is an obfuscated example of the drill-down view:

To see the applicable logs (the next drill-down level), double-click on the desired value.

Available Widgets

Widgets available in the drill-down view:

Widget

Type

Description

Top Hosts

Infographic

Shows:

  • The total number of attacked internal hosts.

  • The total number of detected exploit attempts.

Top 5 Attackers

Chart

Shows the top attackers sorted by the number of their exploit attempts.

Shows:

  • The source IP addresses of top attackers.

  • The number of logs for exploit attempts.

Different colors show different exploited vulnerabilities. For more information, see the Top Detected Exploit Attempts widget.

Top 5 Attacked Hosts

Chart

Shows the top attacked hosts sorted by the number of attempted exploits.

Shows:

  • The IP addresses of top attacked internal hosts.

  • The number of logs for attempted exploits.

Top Detected Exploit Attempts

Chart

Shows the top exploit attempts on internal hosts.

Shows:

  • The names of the top detected exploits.

  • The number of logs for these exploits.

Different colors show different exploited vulnerabilities.

Top Detected Attacked Hosts on the Network

Table

Shows the list of internal hosts and the exploit attempts they encountered.

Shows:

  • The IP addresses of your attacked internal hosts.

  • Names of exploited vulnerabilities.

  • CVE

  • Amount of reported events for each attacked internal host.

  • Severity.

Timeline of Exploit Attacks

Timeline

Shows the names of exploited vulnerabilities and their timeline.

The timeline is divided into different exploit attempts.

Different colors show different exploited vulnerabilities.

Widget Query

In addition to the Default Query, the widget runs the query below. The NOT clause removes IPS protections for mail, client-side content (Adobe Reader, Flash, Shockwave, web client), instant messaging, scanning and exploit-kit events, so that the view concentrates on exploits aimed directly at internal hosts (scan and reconnaissance events are counted elsewhere, for example in the Hosts Scanned by Attackers counter of the Cyber Attack View - Gateway). The original filter listed several protection names more than once; the duplicates are removed here, which does not change the result of an OR expression:

Custom Filter = blade:IPS NOT ("SMTP" OR "Adobe Reader Violation" OR "Content Protection Violation" OR "Mail Content Protection Violation" OR "SMTP Protection Violation" OR "Phishing Enforcement Protection" OR "Adobe Flash Protection Violation" OR "Instant Messenger" OR "Scanner Enforcement Violation" OR "Port Scan" OR "Novell NMAP Protocol Violation" OR "Adobe Shockwave Protection Violation" OR "Web Client Enforcement Violation" OR "Exploit Kit")
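The following script reproduces the widget query and the aggregations behind the Top Hosts, Top 5 Attackers, Top 5 Attacked Hosts, Top Detected Exploit Attempts and Top Detected Attacked Hosts on the Network widgets over exported log records, which is useful when you want to re-run the same analysis outside the SmartView GUI (for example on a log export kept for a monthly review). This is an added example, not Check Point code. The exported field names (blade, src, dst, protection_name, industry_reference, severity, resource) and the treatment of the free-text NOT clause as a case-insensitive substring match on the protection name are assumptions; the log records are constructed sample data.

```python
"""Reproduce the Directly Targeted Hosts widget query and its top-N
aggregations offline, over exported IPS log records.

Added example, not Check Point code. The exported field names (blade, src,
dst, protection_name, industry_reference, severity, resource) are
assumptions: adjust them to match your own log export. SAMPLE_LOGS is
constructed sample data.
"""
from collections import Counter, defaultdict

# Protection-name terms the widget query excludes (from the Custom Filter on
# this page, duplicates removed). Treating the free-text NOT clause as a
# case-insensitive substring match on protection_name is an assumption.
EXCLUDED_TERMS = [
    "SMTP", "Adobe Reader Violation", "Content Protection Violation",
    "Mail Content Protection Violation", "SMTP Protection Violation",
    "Phishing Enforcement Protection", "Adobe Flash Protection Violation",
    "Instant Messenger", "Scanner Enforcement Violation", "Port Scan",
    "Novell NMAP Protocol Violation", "Adobe Shockwave Protection Violation",
    "Web Client Enforcement Violation", "Exploit Kit",
]

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Constructed sample records: the CVE identifiers are real, the traffic is not.
STRUTS = "Apache Struts Jakarta Multipart Parser Remote Code Execution"
HEARTBLEED = "OpenSSL TLS Heartbeat Information Disclosure"
LOG4J = "Apache Log4j Remote Code Execution"
SAMPLE_LOGS = [
    {"blade": "IPS", "src": "198.51.100.7", "dst": "10.0.0.5", "protection_name": STRUTS,
     "industry_reference": "CVE-2017-5638", "severity": "Critical",
     "resource": "/struts2-showcase/upload.action"},
    {"blade": "IPS", "src": "198.51.100.7", "dst": "10.0.0.5", "protection_name": STRUTS,
     "industry_reference": "CVE-2017-5638", "severity": "Critical",
     "resource": "/struts2-showcase/upload.action"},
    {"blade": "IPS", "src": "198.51.100.7", "dst": "10.0.0.9", "protection_name": HEARTBLEED,
     "industry_reference": "CVE-2014-0160", "severity": "High", "resource": ""},
    {"blade": "IPS", "src": "203.0.113.22", "dst": "10.0.0.5", "protection_name": LOG4J,
     "industry_reference": "CVE-2021-44228", "severity": "Critical", "resource": "/api/login"},
    # Excluded by the NOT clause: reconnaissance, not a host exploit.
    {"blade": "IPS", "src": "203.0.113.22", "dst": "10.0.0.5", "protection_name": "Port Scan",
     "industry_reference": "", "severity": "Low", "resource": ""},
    # Excluded by the NOT clause: mail protection.
    {"blade": "IPS", "src": "192.0.2.14", "dst": "10.0.0.25",
     "protection_name": "Phishing Enforcement Protection",
     "industry_reference": "", "severity": "Medium", "resource": ""},
    # Different blade, so outside blade:IPS.
    {"blade": "Anti-Bot", "src": "10.0.0.5", "dst": "192.0.2.99",
     "protection_name": "Trojan.Generic", "industry_reference": "",
     "severity": "High", "resource": ""},
]


def matches_widget_query(rec):
    """blade:IPS NOT (<excluded protection names>)."""
    if rec.get("blade") != "IPS":
        return False
    name = rec.get("protection_name", "").lower()
    return not any(term.lower() in name for term in EXCLUDED_TERMS)


def widget_records(records=SAMPLE_LOGS):
    """The log set that all widgets in this view aggregate over."""
    return [r for r in records if matches_widget_query(r)]


def top_n(records, field, n=5):
    """Top 5 Attackers (field="src"), Top 5 Attacked Hosts ("dst") and
    Top Detected Exploit Attempts ("protection_name"): value and log
    count, sorted by count."""
    return Counter(r[field] for r in records).most_common(n)


def top_hosts_summary(records):
    """Top Hosts infographic: attacked internal hosts and exploit attempts."""
    return {"attacked_hosts": len({r["dst"] for r in records}),
            "exploit_attempts": len(records)}


def attacked_hosts_table(records):
    """Top Detected Attacked Hosts on the Network: per internal host, the
    exploited vulnerabilities with their CVEs, the event count and the
    worst severity seen, ordered by event count."""
    rows = defaultdict(lambda: {"exploits": set(), "events": 0, "severity": None})
    for r in records:
        row = rows[r["dst"]]
        row["exploits"].add((r["protection_name"], r["industry_reference"]))
        row["events"] += 1
        if SEVERITY_RANK.get(r["severity"], -1) > SEVERITY_RANK.get(row["severity"], -2):
            row["severity"] = r["severity"]
    ordered = sorted(rows.items(), key=lambda kv: -kv[1]["events"])
    return {host: {**row, "exploits": sorted(row["exploits"])} for host, row in ordered}


if __name__ == "__main__":
    recs = widget_records()
    print("Top Hosts:", top_hosts_summary(recs))
    print("Top 5 Attackers:", top_n(recs, "src"))
    print("Top 5 Attacked Hosts:", top_n(recs, "dst"))
    print("Top Detected Exploit Attempts:", top_n(recs, "protection_name"))
    for host, row in attacked_hosts_table(recs).items():
        print(host, row["events"], row["severity"], row["exploits"])
```

Note that short terms such as "SMTP" and "Port Scan" sweep broadly under substring matching: any protection whose name contains them is dropped from the view, which is why scan activity against a host does not appear here and has to be checked in the Cyber Attack View - Gateway instead.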

Best Practices

Best practices against network and host exploits:

Category

Description

General Best Practices

  • Examine the Top Detected Exploit Attempts widget to see which exploits and vulnerabilities are used most against your network. This lets you determine whether your network is under a specific massive attack, or whether a single protection is firing repeatedly on legitimate traffic (a false positive).

    The Top Detected Attacked Hosts on the Network table shows which internal hosts these exploits targeted, together with the CVE of each exploited vulnerability.

    This lets you plan a "patch procedure" for your hosts based on the current exploit attempts: a host that is repeatedly targeted with an exploit for a CVE it is not patched against should be patched first.

  • To check whether an attacker also performed reconnaissance of a specific host before the exploit attempts (scan events are excluded from this view by the widget query):

    a) In the Top 5 Attacked Hosts widget, right-click a chart bar for a host.

    b) In the context menu, click Filter: "<IP Address>".

    c) At the top, click Cyber Attack View - Gateway.

    d) Pay attention to the Hosts Scanned by Attackers counter.

  • Examine the Timeline of Exploit Attacks for trends. A sudden spike of one exploit against many hosts points to a campaign; a steady, low-level stream of the same protection against the same host is more often a false positive caused by a legitimate application.

  • Examine the Top 5 Attackers widget. Double-click each IP address to see the applicable logs. In the logs, examine the source countries and decide whether you need to block these countries with a Geo Policy. Keep in mind that the country is derived from the source IP address, and attackers commonly route through hosting or proxy infrastructure in other countries, so a Geo Policy is a coarse control that does not replace patching the targeted hosts.

  • In the logs, examine the Resource field (see Log Fields), which may contain the malicious request. This is the full path the attacker tried to access on your attacked internal host, and it tells you which application and URL the exploit was aimed at.

  • You can reproduce the detected attack yourself (for example, with an internal penetration tester). This gives a real answer to whether the internal host is actually exploitable, or whether the prevented exploit did not apply to the host's software in the first place. Test only hosts you are authorized to test, and do it from inside the network so that the Security Gateway does not block the test before it reaches the host.

Best Practices for events that the Security Gateway prevented

  • Examine the Top Detected Exploit Attempts widget to determine if the Security Gateway prevented an attack campaign against your network.

  • Once a month, review the top exploit attempts against your network. The Check Point Security CheckUp report uses the same queries and shows a full list of attacks and assets in your organization.