
Getting Started with Threat Emulation

In This Section:

Threat Emulation Analysis Locations

Threat Emulation Deployments

Preparing for Local or Remote Emulation

Running the First Time Configuration Wizard

Using an MTA

Sample Workflow - Creating a Threat Emulation Profile

Threat Emulation Analysis Locations

You can choose a location for the emulation analysis that best meets the requirements of your company. Run the file emulation in the ThreatCloud or on a Threat Emulation Private Cloud Appliance (Emulation appliance) in the internal network.

  • ThreatCloud - You can send all files to the Check Point ThreatCloud for emulation. Network bandwidth is used to send the files and there is a minimal performance impact on the Security Gateway.
  • Internal network - You can use an Emulation appliance to run emulation on the files.

ThreatCloud Emulation

You can securely send files to the Check Point ThreatCloud for emulation. The ThreatCloud is always up-to-date with the latest Threat Emulation releases.

Sample ThreatCloud Emulation Workflow

  1. The Security Gateway gets a file from the Internet or an external network.
  2. The Security Gateway compares the cryptographic hash of the file with the database.
    • If the file is already in the database, no additional emulation is necessary
    • If the file is not in the database, it is necessary to run full emulation on the file
  3. The file is sent over an SSL connection to the ThreatCloud.
  4. The virtual computers in the ThreatCloud run emulation on the file.
  5. The emulation results are sent securely to the Security Gateway for the applicable action.

Sample ThreatCloud Deployment

Item  Description
1     Internet and external networks
2     Perimeter Security Gateway
3     Computers and servers in the internal network
4     Check Point ThreatCloud servers

Local or Remote Emulation

You can install an Emulation appliance in the internal network.

Sample Workflow for Emulation Appliance in a Local Deployment

  1. The Emulation appliance receives the traffic, and aggregates the files.
  2. The Emulation appliance compares the cryptographic hash of the file with the database.
    • If the file is already in the database, no more emulation is necessary.
    • If the file is not in the database, the virtual computers in the Emulation appliance run full emulation on the file.

Item  Description
1     Internet and external networks
2     Perimeter Security Gateway
3     Computers and servers in the internal network
4     TE1000 Threat Emulation Private Cloud Appliance

Sample Workflow for Emulation Appliance in a Remote Deployment

  1. The Security Gateway aggregates the files, and the files are sent to the Emulation appliance.
  2. The Emulation appliance compares the cryptographic hash of the file with the database.
    • If the file is already in the database, no more emulation is necessary.
    • If the file is not in the database, the virtual computers in the Emulation appliance run full emulation on the file.

Item  Description
1     Internet and external networks
2     Perimeter Security Gateway
3     Computers and servers in the internal network
4     TE250 Threat Emulation Private Cloud Appliance

Optimizing File Emulation

Each file has a unique cryptographic hash. After emulation of a file is complete, its hash is stored in a database. Before emulation is run on a file, the appliance compares the file hash to the database:

  • If the hash is not in the database, the file is sent for full emulation
  • If the hash is in the database, then it is not necessary to run additional emulation on the file

This database helps to optimize emulation and gives better network performance.
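An added illustration of the hash database described above (example code, not part of Check Point's product): VerdictCache, fake_emulate and demo are assumed names, and the emulation backend is a constructed stand-in. It shows that identical bytes hit the cache whatever the file is called, while a one-byte change goes to full emulation again.

```python
import hashlib
from typing import Callable, Dict

SAFE, MALICIOUS = "safe", "malicious"


class VerdictCache:
    """Hash database that is consulted before a file goes to full emulation."""

    def __init__(self, emulate: Callable[[bytes], str]) -> None:
        self._emulate = emulate        # full emulation, run only on a cache miss
        self._db: Dict[str, str] = {}  # SHA-256 hex digest -> stored verdict
        self.hits = 0
        self.emulations = 0

    @staticmethod
    def file_hash(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def verdict(self, data: bytes) -> str:
        digest = self.file_hash(data)
        if digest in self._db:         # hash known: no additional emulation
            self.hits += 1
            return self._db[digest]
        self.emulations += 1           # hash unknown: send for full emulation
        result = self._emulate(data)
        self._db[digest] = result      # store the verdict for later files
        return result


def fake_emulate(data: bytes) -> str:
    """Stand-in for the sandbox (constructed): flags a marker string."""
    return MALICIOUS if b"EVIL" in data else SAFE


def demo() -> dict:
    """Same bytes hit the cache regardless of file name; a one-byte change misses."""
    cache = VerdictCache(fake_emulate)
    report = b"%PDF-1.4 quarterly report"
    dropper = b"%PDF-1.4 EVIL macro dropper"
    results = [cache.verdict(report),          # miss -> emulated
               cache.verdict(report),          # hit
               cache.verdict(dropper),         # miss -> emulated
               cache.verdict(dropper),         # hit
               cache.verdict(report + b" ")]   # one byte differs -> miss
    return {"results": results, "hits": cache.hits, "emulations": cache.emulations}
```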

Threat Emulation Deployments

You can use inline or monitor deployments for file emulation.

Inline - Use Prevent and Ask actions to block traffic before it goes to the internal computer. You can configure how Threat Emulation handles connections while it finishes the emulation of a file:

  • Background - The traffic is allowed to enter the internal network
  • Hold - The traffic is blocked and does not enter the internal network until after emulation is finished

Monitor - Use a SPAN or TAP configuration to duplicate network traffic. The files are then sent directly to Threat Emulation and the computer in the internal network. If Threat Emulation discovers that a file contains malware, the applicable log action is done. Monitor deployments support only the Detect action.

Inline Deployments (Prevent and Ask)

Use the Prevent or Ask UserCheck action to quarantine a malicious file.

Sample Inline Emulation Workflow (Prevent Action)

  1. The ThreatCloud or Emulation appliance gets a file from the Security Gateway.
  2. Emulation is run on the file.
    • If the file is safe, it is sent to the computer in the internal network.
    • If the file contains malware, it is quarantined and logged.

Monitor Deployments

Sample Monitor Emulation Workflow

  1. The ThreatCloud or Emulation appliance gets a copy of a file from the Security Gateway. The original file goes to the computer in the internal network.
  2. Emulation is run on the file.
    • If the file is safe, no other action is done
    • If the file is identified as malware, it is logged according to the Track action of the Threat Prevention rule

Deployments with a Mail Transfer Agent

If you use the Prevent action to block traffic, we recommend that you enable the Security Gateway as an MTA (Mail Transfer Agent) for SMTP traffic. You can use the MTA to help manage the emulation of emails and attachments.

Preparing for Local or Remote Emulation

Prepare the network and Emulation appliance for a Local or Remote deployment in the internal network.

  1. Open SmartDashboard.
  2. Create the network object for the Emulation appliance.
  3. If you are running emulation on HTTPS traffic, configure the settings for HTTPS Inspection.
  4. Make sure that the traffic is sent to the appliance according to the deployment:
    • Local Emulation - The Emulation appliance receives the traffic. The appliance is configured for traffic in the same way as a Security Gateway.
    • Remote Emulation - The traffic is routed to the Emulation appliance.

Running the First Time Configuration Wizard

Use the First Time Configuration Wizard in SmartDashboard to enable Threat Emulation in the network. Configure the Security Gateway or Emulation appliance for your deployment.

Using Cloud Emulation

Files are sent to the Check Point ThreatCloud over a secure SSL connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway. The ThreatCloud is always up-to-date with all available operating system environments.

Note - For ThreatCloud emulation, it is necessary that the Security Gateway can connect to the Internet. We recommend that you make sure that the DNS and proxy settings are configured correctly in Global Properties.

To enable ThreatCloud emulation:

  1. Double-click the perimeter Security Gateway.

    The Gateway Properties window opens.

  2. From the Network Security tab, select Threat Emulation.

    The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

  3. Select ThreatCloud Emulation Service.
  4. Click Next.

    The Summary page opens.

  5. Click Finish to enable Threat Emulation and close the First Time Configuration Wizard.
  6. Click OK.

    The Gateway Properties window closes.

  7. Install the policy on the Security Gateway.

Using Local or Remote Emulation

This section is for deployments that use an Emulation appliance and run emulation in the internal network.

Note - Make sure that you prepare the network for the Emulation appliance before you run the First Time Configuration Wizard.

To enable an Emulation appliance for Local and Remote emulation:

  1. Double-click the Emulation appliance.

    The Gateway Properties window opens.

  2. From the Network Security tab, select Threat Emulation.

    The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

  3. Select Locally on a Threat Prevention device.
  4. Click Next.

    The Summary page opens.

  5. Click Finish to enable Threat Emulation on the Emulation appliance and close the First Time Configuration Wizard.
  6. Click OK.

    The Gateway Properties window closes.

  7. For Local emulation, install the policy on the Emulation appliance.

To enable Threat Emulation on the Security Gateway for Remote emulation:

  1. Double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the Network Security tab, select Threat Emulation.

    The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page.

  3. Configure the Security Gateway for Remote Emulation:
    1. Select Other Emulation appliance.
    2. From the drop-down menu, select the Emulation appliance.
  4. Click Next.

    The Summary page opens.

  5. Click Finish to enable Threat Emulation on the Security Gateway and close the First Time Configuration Wizard.
  6. Click OK.

    The Gateway Properties window closes.

  7. Install the policy on the Security Gateway and the Emulation appliance.

Using an MTA

You can enable the Security Gateway as an MTA (Mail Transfer Agent) to manage the emulation of SMTP traffic. During file emulation, the email server might not be able to keep the connection open for the time that full emulation needs, and the email then times out. A Threat Emulation deployment with an MTA avoids this problem: the MTA completes and closes the connection with the source email server and then sends the file for emulation. After the emulation is complete, the MTA sends the email to the mail server in the internal network.

  • For topologies that use TLS between the Security Gateway and the mail server, Threat Emulation must use an MTA to decrypt emails for emulation.
  • When Threat Emulation identifies that an email attachment is malicious, the MTA removes the attachment and sends the safe email.
  • We recommend that you use an MTA for Threat Emulation profile settings that block SMTP traffic. Without an MTA, it is possible that safe emails are dropped and do not reach the computers in the internal network.
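The attachment handling described above, as an added Python example that is not Check Point's code: the inbound SMTP session is assumed to be closed already, fake_emulate is a constructed stand-in for full emulation, and the sample message and the X-Attachment-Removed header are assumptions.

```python
from email import message_from_bytes, policy
from typing import Callable

# Constructed sample message with two attachments (not from the original page).
SAMPLE_MAIL = b"""From: sender@example.test
To: user@internal.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please see the attached files.
--B
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4 harmless invoice
--B
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"

MZ EVIL payload
--B--
"""

def fake_emulate(data: bytes) -> str:
    """Stand-in for full emulation (constructed): flags a marker string."""
    return "malicious" if b"EVIL" in data else "safe"

def process_for_delivery(raw: bytes, emulate: Callable[[bytes], str],
                         signature: str = "Scanned by Threat Emulation"):
    """Run after the MTA has accepted the mail and closed the inbound SMTP
    session: emulate each attachment, strip malicious ones, append the
    'Sign scanned emails' text and return (message, removed_filenames)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in list(msg.iter_attachments()):
        if emulate(part.get_payload(decode=True)) == "malicious":
            removed.append(part.get_filename())
            msg.get_payload().remove(part)   # strip only the bad attachment
    if removed:                              # header name is an assumption
        msg["X-Attachment-Removed"] = ", ".join(removed)
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(body.get_content().rstrip() + "\n\n" + signature)
    return msg, removed
```

The returned message is what the MTA would hand to the next hop configured in the Mail Forwarding rule.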

To use the Security Gateway as an MTA:

  1. Enable the Security Gateway as an MTA.
  2. Configure the network to forward emails to the MTA.

Enabling MTA on the Security Gateway

For a topology that uses TLS between the Security Gateway and the mail server, you must import the mail server certificate to the Security Gateway.

To enable the Security Gateway as an MTA:

  1. Double-click the Security Gateway and from the navigation tree select Mail Transfer Agent.

    The Mail Transfer Agent page opens.

  2. Select Enable as a Mail Transfer Agent.
  3. In the Mail Forwarding section, add one or more rules.
    1. Click the add rule button.
    2. Right-click the Domain cell and select Edit.
    3. Enter the domain for the SMTP traffic for this rule. The default setting is to use the wildcard * to send all traffic.
    4. Click OK.
    5. Click the Next Hop cell and select the node object that is the mail server for this rule.

      You can also configure the MTA to only run emulation and not forward emails to the mail server.

  4. Optional: Select Sign scanned emails and enter the message to add to emails when emulation is finished.
  5. If the mail server uses TLS inspection, do these steps to enable the MTA to support it:
    1. Click Import.

      The Import Outbound Certificate window opens.

    2. Click Browse and select the certificate file.
    3. Enter the Private key password for the certificate.
    4. Click OK.
    5. Select Enable SMTP/TLS.
  6. Optional: In the Advanced Settings section, click Configure Settings and configure the MTA interface and email settings.
  7. Click OK and then install the policy.

Configuring the Network to Use an MTA

After you configure the Security Gateway as an MTA, change the settings to send SMTP traffic from external networks to the Security Gateway. Each organization has an MX record that points to the internal mail server, or a different MTA. The MX record defines the next hop for SMTP traffic that is sent to the organization. These procedures explain how to change the network settings to send SMTP to the Check Point MTA.

Important - If it is necessary to disable the MTA on the Security Gateway, change the SMTP settings or MX records first. Failure to do so can result in lost emails.

To configure an MTA for email that is sent to the internal mail server:

  1. Connect to the DNS settings for the network.
  2. Change the MX records, and define the Security Gateway as the next hop.

To configure an MTA for email that is sent to a different MTA:

  1. Connect to the SMTP settings on the MTA that sends email to the internal mail server.
  2. Change the SMTP settings and define the Security Gateway as the next hop.

Deploying MTA in BCC Mode

You can use the Check Point MTA to only monitor SMTP traffic. Configure the MTA to send emails only for emulation, but not to forward them to the mail server.

Note - Make sure that the mail relay in the network can send a copy of the emails to the Check Point MTA.

To configure the MTA not to forward emails:

  1. Double-click the Security Gateway and from the navigation tree select Mail Transfer Agent.

    The Mail Transfer Agent page opens.

  2. Make sure that all the Mail Forwarding rules are deleted.
  3. Click the add rule button.
  4. Click the Next Hop cell and click New.

    The Host Node window opens.

  5. Configure these settings:
    • Name - For example, No_Forward
    • IPv4 Address - Enter 0.0.0.0
  6. Click OK.

    The Host Node window closes, and the server object is added to the Next Hop cell.

  7. Click OK and then install the policy.

Sample Workflow - Creating a Threat Emulation Profile

This is a sample workflow to create a Threat Prevention profile that includes Threat Emulation. To run emulation on HTTPS traffic, enable and configure HTTPS inspection.

To create a Threat Prevention profile for Threat Emulation:

  1. From Threat Prevention > Profiles, click New.
  2. Select the Threat Prevention Software Blades for the profile.
  3. Configure the Protection Activation settings for the traffic.
  4. From the Threat Emulation Settings page, set the Prevent and Ask UserCheck settings.
  5. Configure the Threat Emulation Protected Scope for this profile, and define how traffic from external and internal networks is sent for emulation.
  6. Select one or more protocols for this profile.

    The Software Blade runs emulation only for files and traffic that match the selected protocols.

  7. Configure the file types for this profile.

    The Software Blade runs emulation only for files that match the selected file types.

  8. Save the profile.
 
©2015 Check Point Software Technologies Ltd. All rights reserved.