Appendix A - Maximizing Harmony Endpoint Catch Rate in Pentests or Attack Simulations
- Enable Aggressive Behavioral Guard (BG) mode.
  - Check Point releases all new behavioral detection rules (approximately 10% of all rules) in silent mode, in which they do not trigger detections.
  - These silent rules are validated with dedicated ML models that analyze anonymized telemetry from Harmony Endpoint clients worldwide, to minimize false positives and to set the Confidence level of each rule correctly.
  - Once validated, the new BG rules are released and activated, and they start triggering detections in customer environments.
  - Aggressive BG mode lets you demonstrate the full behavioral detection potential, including rules that are still in silent mode. Because those rules have not yet completed validation, expect more false positives than in the default mode, so use Aggressive mode for testing rather than as a production baseline.
  - To enable it, follow the instructions in Appendix B – Enabling Behavioral Guard Aggressive Mode.
- Verify that Behavioral Guard is up to date.
- Increase the daily Threat Emulation (TE) file upload quota. Threat Emulation is the Check Point Software Blade that detonates files in a sandbox to determine whether they are malicious.
  - By default, a Harmony Endpoint client is allowed to submit a maximum of 250 files per day, and a maximum of 100 files of the same type (for example, .EXE or .DOCX), for cloud sandboxing.
  - These limits are enforced for fair use of the Threat Emulation cloud.
  - They are more than enough for production environments, where a protected machine normally submits only 15-20 new files per day (the rest are already known or do not require sandboxing).
  - During intense attack simulations, or when testing thousands of malicious samples, these limits are easily hit, and they may reduce the Threat Emulation catch rate because files beyond the quota are not submitted for sandboxing.
  - To increase the daily limits, follow the instructions in Appendix C – Increasing Daily Threat Emulation Upload Quota.
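The following PowerShell script is an added example and is not part of the Check Point document or product. It shows how to check a sample corpus against the default daily quotas quoted above (250 files per day, 100 files of one type) before a test run, and how to split the corpus into daily batches that respect both limits, so you know in advance whether the default quota will be hit or the Appendix C increase is needed. The sample folder path is an assumption, and file type is approximated by extension.

```powershell
# Added example (not part of the Check Point document): plan a large Threat Emulation test
# run against the default daily upload quota described above, so that samples are split
# into daily batches instead of silently exceeding the limit mid-test.
# Assumptions: the sample folder path, and that "file type" is approximated by extension.

$SamplesRoot  = 'C:\Samples'   # assumption: folder tree holding the samples to submit
$DailyTotal   = 250            # default quota quoted in the document: files per client per day
$DailyPerType = 100            # default quota quoted in the document: files of one type per day

$files = Get-ChildItem -LiteralPath $SamplesRoot -File -Recurse

# Per-type overview: any type with more than $DailyPerType samples cannot finish in one day.
$files | Group-Object { $_.Extension.ToLowerInvariant() } | Sort-Object Count -Descending |
    Select-Object @{ n = 'Type'; e = { $_.Name } }, Count,
                  @{ n = 'DaysNeeded'; e = { [math]::Ceiling($_.Count / $DailyPerType) } } |
    Format-Table -AutoSize

# Greedy packing: place each file in the emptiest day that still has room under BOTH
# limits (total files, and files of this type); open a new day when no day has room.
$days = @()
foreach ($f in ($files | Sort-Object Extension, Name)) {
    $type = $f.Extension.ToLowerInvariant()
    $target = $days |
        Where-Object { $_.Files.Count -lt $DailyTotal -and [int]$_.PerType[$type] -lt $DailyPerType } |
        Sort-Object { $_.Files.Count } |
        Select-Object -First 1
    if (-not $target) {
        $target = @{ Files = New-Object System.Collections.Generic.List[string]; PerType = @{} }
        $days += $target
    }
    $target.Files.Add($f.FullName)
    $target.PerType[$type] = 1 + [int]$target.PerType[$type]
}

$dayNo = 0
foreach ($d in $days) {
    $dayNo++
    'Day {0}: {1} file(s) across {2} type(s)' -f $dayNo, $d.Files.Count, $d.PerType.Count
    # Write each batch list to TEMP so the submission on that day can be driven from it.
    $d.Files | Set-Content -LiteralPath (Join-Path $env:TEMP "te-batch-day$dayNo.txt")
}
'Minimum duration at default quotas: {0} day(s); raise the quota (Appendix C) to compress the run.' -f $days.Count
```

The per-type limit is usually the binding one in malware-sample testing, since corpora are dominated by a single type such as .EXE; the script reports both bounds so you can decide whether a quota increase or a longer schedule is the better fix.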
- Identify and configure only the necessary exclusions for Breach and Attack Simulation (BAS) agents.
  - BAS platforms such as Picus Security, Cymulate and KnowBe4 operate via an agent that runs a series of simulated attacks on the protected machines.
  - The file/folder-based exclusions typically recommended by BAS vendors can be over-permissive and significantly decrease the Harmony Endpoint catch rate.
  - Exclude only the BAS agent infrastructure; do not exclude the attack scenarios themselves (child processes, payloads).
  - Select the predefined Detect policy profile and run several attack simulations.
  - Review the detections and forensic reports.
  - Identify the BAS agent infrastructure: agent processes signed by the BAS vendor, and the destination domains used for the agent heartbeat and management communication.
  - Exclude the BAS software by vendor certificate CN (see the executable's properties) from file and behavior detections, and exclude the BAS vendor domains from Anti-Bot (AB), the Software Blade that blocks botnet behavior and Command and Control (C&C) communication.
  - Do not exclude anything from Forensic Monitoring, so that BAS operations remain visible in forensic reports and threat hunting.
  - If the BAS agent infrastructure itself triggers Harmony Endpoint detections, exclude the specific Protection Names, scoped to the relevant BAS agent processes, rather than the processes as a whole.
  - Avoid excluding folders, because the same folders are used for running attack simulations and dropping payloads.
  - For Cymulate and Picus Security exclusion examples, see Appendix E – BAS Exclusions Examples.
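The following PowerShell script is an added example, not part of the Check Point document or of any BAS vendor's software. It supports the identification step above: it inventories every running process with its Authenticode signer CN, flags the processes signed by a BAS vendor, lists the distinct signer CNs to use in the certificate-based exclusion, and maps those processes' established connections back to hostnames via the local DNS cache, which is where the heartbeat and management domains for the Anti-Bot exclusion come from. The vendor name patterns are assumptions; adjust them to the product in use. Run it in an elevated PowerShell on the Windows host that runs the BAS agent, while the agent is connected.

```powershell
# Added example (not from the Check Point document or a BAS vendor): inventory running
# processes by Authenticode signer so BAS agent infrastructure can be identified before
# writing exclusions. Run elevated, otherwise Get-Process cannot read some process paths.
# Assumption: the BAS vendor's name appears as a substring of the signing certificate CN.
$vendorPatterns = @('Picus', 'Cymulate', 'KnowBe4')

function Get-SignerCN {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Only trust a valid signature; an unsigned or tampered binary yields no CN.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $null }
    # Subject looks like "CN=Vendor Name, O=..., C=..."; keep only the CN value.
    $cn = $sig.SignerCertificate.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if ($cn) { return $cn.Substring(3).Trim('"') }
    return $null
}

$inventory = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $proc = $_
    $cn = Get-SignerCN -Path $proc.Path
    [pscustomobject]@{
        ProcessId = $proc.Id
        Name      = $proc.ProcessName
        Path      = $proc.Path
        SignerCN  = $cn
        IsBAS     = [bool]($cn -and ($vendorPatterns | Where-Object { $cn -match $_ }))
    }
}

# 1. Candidate agent processes: everything whose signer CN matches a BAS vendor pattern.
$basProcs = $inventory | Where-Object IsBAS
$basProcs | Format-Table ProcessId, Name, SignerCN, Path -AutoSize

# 2. Distinct signer CNs: one certificate-based exclusion entry per CN, instead of a
#    folder exclusion that would also cover dropped payloads.
$basProcs | Select-Object -ExpandProperty SignerCN -Unique

# 3. Established connections of those processes: the heartbeat and management endpoints.
#    The remote IP is resolved against the local DNS cache to recover the hostname the
#    agent actually looked up, which is what goes into the Anti-Bot domain exclusion.
$dnsCache = Get-DnsClientCache | Where-Object { $_.Data }
Get-NetTCPConnection -State Established |
    Where-Object { $basProcs.ProcessId -contains $_.OwningProcess } |
    ForEach-Object {
        $conn = $_
        $entry = $dnsCache | Where-Object { $_.Data -eq $conn.RemoteAddress } | Select-Object -First 1
        [pscustomobject]@{
            ProcessId  = $conn.OwningProcess
            RemoteIP   = $conn.RemoteAddress
            RemotePort = $conn.RemotePort
            HostName   = if ($entry) { $entry.Entry } else { '(not in DNS cache)' }
        }
    } | Sort-Object RemoteIP, RemotePort -Unique | Format-Table -AutoSize
```

Anything that shows up here as unsigned, or signed by a CN that is not the BAS vendor, is not agent infrastructure and should stay visible to Harmony Endpoint; the same goes for child processes the agent spawns during a scenario, which appear in the first table only if they are themselves signed by the vendor. Leave the DNS cache and connection output in the forensic report rather than excluding it from Forensic Monitoring.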