The Anti-Bot Component
Behavioral protection includes Anti-Bot, Behavioral Guard and Anti-Ransomware protections.
There are two emerging trends in today's threat landscape:
- A profit-driven cybercrime industry that uses different tools to meet its goals. This industry includes cyber-criminals, malware operators, tool providers, coders, and affiliate programs. Their "products" can be easily ordered online from numerous sites (for example, do-it-yourself malware kits, spam sending, data theft, and denial of service attacks) and organizations are finding it difficult to fight off these attacks.
- Ideological and state-driven attacks that target people or organizations to promote a political cause or carry out a cyber-warfare campaign.
Both trends are driven by bot attacks.
A bot is malicious software that can invade your computer. There are many infection methods. These include opening attachments that exploit a vulnerability and accessing a website that results in a malicious download.
When a bot infects a computer, it:
- Takes control over the computer and neutralizes its Anti-Virus defenses. Bots are difficult to detect because they hide within your computer and change the way they appear to the Anti-Virus software.
- Connects to a Command and Control (C&C) center for instructions from cyber criminals. The cyber criminals, or bot herders, can remotely control it and instruct it to execute illegal activities without your knowledge. These activities include:
  - Data theft (personal, financial, intellectual property, organizational)
  - Sending SPAM
  - Attacking resources (Denial of Service Attacks)
  - Bandwidth consumption that affects productivity
In many cases, a single bot can create multiple threats. Bots are often used as tools in attacks known as Advanced Persistent Threats (APTs), where cyber criminals pinpoint individuals or organizations for attack. A botnet is a collection of compromised computers.
The Check Point Anti-Bot component detects and prevents these bot threats.
The Anti-Bot component:
- Uses the ThreatCloud repository to receive updates, and queries the repository for classification of unidentified IP, URL, and DNS resources.
- Prevents damage by blocking bot communication to C&C sites and makes sure that no sensitive information is stolen or sent out of the organization.
The Endpoint Anti-Bot component uses these procedures to identify bot-infected computers:
- Identify the C&C addresses used by criminals to control bots. These web sites are constantly changing and new sites are added on an hourly basis. Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not.
The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.
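The two ideas above, classifying a destination by its address or name against a reputation repository and recognising a botnet communication pattern even when the destination is not yet listed, can be illustrated with a small detector over outbound connection logs. The following is an added example written for this page; it is not Check Point code and does not use ThreatCloud. The indicator sets, the log format, and the sample log lines are all constructed for the example (reserved documentation addresses and domains), and the beaconing heuristic (near-constant intervals between connections) is one simple stand-in for the "communication pattern" idea.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed stand-in for a reputation repository. The indicator values are invented
# for this example (RFC 5737 / RFC 2606 reserved ranges) and are not ThreatCloud data.
KNOWN_CC_DOMAINS = {"cc-panel.example", "update-sync.invalid"}
KNOWN_CC_IPS = {"203.0.113.45"}


@dataclass
class Connection:
    ts: datetime
    host: str       # internal endpoint that opened the connection
    dst_ip: str     # destination address
    dns_name: str   # name the endpoint resolved before connecting, "" if none


def parse_line(line: str) -> Connection:
    """Parse one constructed log line of the form 'ISO-TIME host=... dst=... [dns=...]'."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Connection(datetime.fromisoformat(ts_str), fields["host"],
                      fields["dst"], fields.get("dns", ""))


def reputation_verdict(conn: Connection) -> str:
    """Address-based check: exact match of the destination IP or resolved name
    against the indicator sets. Returns 'block' or 'allow'."""
    if conn.dst_ip in KNOWN_CC_IPS or conn.dns_name in KNOWN_CC_DOMAINS:
        return "block"
    return "allow"


def beaconing_pairs(conns, min_connections=4, max_cv=0.1):
    """Pattern-based check: flag (host, dst_ip) pairs whose connection intervals are
    nearly constant (coefficient of variation <= max_cv). A fixed check-in cadence is
    a communication pattern that does not depend on the destination already being listed."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.host, c.dst_ip)].append(c.ts)
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append(pair)
    return sorted(flagged)


def analyze(lines):
    """Run both checks over the log and summarise which endpoints look bot-infected."""
    conns = [parse_line(line) for line in lines]
    blocked = [c for c in conns if reputation_verdict(c) == "block"]
    beacons = beaconing_pairs(conns)
    suspected = {c.host for c in blocked} | {host for host, _ in beacons}
    return {
        "blocked_connections": len(blocked),
        "beaconing": beacons,
        "suspected_hosts": sorted(suspected),
    }


# Constructed sample log: ws-17 checks in with a listed C&C name every 5 minutes,
# ws-22 beacons to an unlisted address every 60 seconds, ws-30 browses irregularly.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 host=ws-17 dst=203.0.113.45 dns=cc-panel.example",
    "2024-05-01T10:05:00 host=ws-17 dst=203.0.113.45 dns=cc-panel.example",
    "2024-05-01T10:10:00 host=ws-17 dst=203.0.113.45 dns=cc-panel.example",
    "2024-05-01T10:15:00 host=ws-17 dst=203.0.113.45 dns=cc-panel.example",
    "2024-05-01T10:00:00 host=ws-22 dst=198.51.100.7",
    "2024-05-01T10:01:00 host=ws-22 dst=198.51.100.7",
    "2024-05-01T10:02:00 host=ws-22 dst=198.51.100.7",
    "2024-05-01T10:03:00 host=ws-22 dst=198.51.100.7",
    "2024-05-01T10:04:00 host=ws-22 dst=198.51.100.7",
    "2024-05-01T10:00:00 host=ws-30 dst=198.51.100.20 dns=news.example",
    "2024-05-01T10:07:30 host=ws-30 dst=198.51.100.20 dns=news.example",
    "2024-05-01T10:31:00 host=ws-30 dst=198.51.100.20 dns=news.example",
    "2024-05-01T10:33:10 host=ws-30 dst=198.51.100.20 dns=news.example",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Matching on the resolved name as well as the IP matters because, as the text notes, C&C sites change constantly: the name an infected host looks up can stay on a list after its address has moved. The pattern check is what catches ws-22, whose destination is not listed anywhere; in practice the cadence thresholds would be tuned against legitimate periodic traffic (update checks, telemetry) to keep false positives down.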