Introduction to Threat Prevention Software Blades
The Need for Threat Emulation
Cyber-threats continue to multiply, and it is now easier than ever for criminals to create new malware that bypasses existing protections. These criminals can change a malware signature daily, which makes it virtually impossible for signature-based products to protect networks against infection. Threat Emulation can protect your network against new malware, zero-day vulnerabilities and targeted attacks.
Threat Emulation gives networks the necessary protection against unknown threats in files that are downloaded from the Internet or attached to emails. When emulation is done on a file:
- The file is opened on more than one virtual computer with different operating system environments
- The virtual computers are closely monitored for unusual and malicious behavior, such as an attempt to change registry keys or run an unauthorized process
- Any malicious behavior is immediately logged and you can use Prevent mode to block the file from the internal network
- The cryptographic hash of a new malicious file is saved to a database and the internal network is protected from that malware
- Information about malicious files and malware is shared with Check Point ThreatCloud and helps to protect all ThreatCloud users
Selecting the Correct Location
Where is the file emulation run?
What are the available emulation actions that I can use with a Threat Emulation profile?
- Prevent - Files do not go to the destination computer until emulation is completed. If Threat Emulation discovers that a file contains malware, the malicious file does not enter the internal network. Users may notice a delay when downloading a file, because they cannot download and open the file until the emulation is complete.
- Detect - The file is sent to the destination and to Threat Emulation. If Threat Emulation discovers that a file contains malware, the appropriate log action is done. Users receive all files without delay.
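The emulation flow described above (open the file for analysis, record the verdict under the file's cryptographic hash, and apply the Prevent or Detect action) as an added example. This is not Check Point code: the gateway class, the `toy_sandbox` stand-in for behavioural emulation and the sample files are all constructed for this illustration.

```python
"""Added example, not Check Point code: a minimal model of an emulation
gateway that keeps a hash verdict database and applies the Prevent or Detect
action. The sandbox itself is replaced by a constructed stand-in function."""
import hashlib


def toy_sandbox(data: bytes) -> str:
    """Stand-in for behavioural emulation (assumption for this example).
    A real sandbox opens the file in several OS images and watches for
    registry changes, spawned processes and similar behaviour."""
    return "malicious" if b"CONSTRUCTED-MALICIOUS-MARKER" in data else "benign"


class EmulationGateway:
    def __init__(self, emulate=toy_sandbox, mode="Prevent"):
        if mode not in ("Prevent", "Detect"):
            raise ValueError("mode must be 'Prevent' or 'Detect'")
        self.emulate = emulate
        self.mode = mode
        self.verdicts = {}        # sha256 hex -> verdict: the local hash database
        self.log = []             # (name, sha256, verdict, delivered)
        self.emulation_calls = 0  # how many files actually went to emulation

    def _verdict(self, digest, data):
        """Look the hash up first; only unknown files are emulated."""
        if digest in self.verdicts:
            return self.verdicts[digest], True
        self.emulation_calls += 1
        self.verdicts[digest] = self.emulate(data)
        return self.verdicts[digest], False

    def handle_file(self, name, data):
        digest = hashlib.sha256(data).hexdigest()
        if self.mode == "Detect":
            # Detect: the user receives the file at once; the verdict is only logged
            delivered = True
            verdict, cached = self._verdict(digest, data)
        else:
            # Prevent: delivery waits for the verdict; malicious files never enter
            verdict, cached = self._verdict(digest, data)
            delivered = verdict == "benign"
        self.log.append((name, digest, verdict, delivered))
        return {"name": name, "sha256": digest, "verdict": verdict,
                "delivered": delivered, "from_cache": cached}


# constructed sample files
CLEAN_DOC = b"%PDF-1.4 constructed harmless document"
BAD_DOC = b"%PDF-1.4 CONSTRUCTED-MALICIOUS-MARKER dropper"

if __name__ == "__main__":
    gw = EmulationGateway(mode="Prevent")
    print(gw.handle_file("report.pdf", CLEAN_DOC))
    print(gw.handle_file("invoice.pdf", BAD_DOC))
    print(gw.handle_file("invoice-copy.pdf", BAD_DOC))  # same hash: served from the database
```

The third call shows why the hash database matters: an identical file is blocked immediately without a second emulation run, which is the behaviour the hash-sharing step above is meant to give the whole network.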
Emulation location options (emulation is run in one of these places):
- Check Point ThreatCloud
- Emulation appliance in the internal network
Note - For more about how to estimate the system requirements and amount of file emulations for a network, see sk93598.
Selecting the Threat Emulation Deployment
What are my options to send traffic for emulation?
- Inline - Traffic is sent for emulation before it is allowed to enter the internal network. You can use the Threat Prevention policy to block malware.
- SPAN/TAP - You can use a mirror or TAP port to duplicate network traffic. Files are sent to the computer in the internal network. If Threat Emulation discovers that a file contains malware, the appropriate log action is done.
- MTA (Mail Transfer Agent) - SMTP traffic goes to the Security Gateway, and is sent for emulation. The MTA acts as a mail proxy, and manages the SMTP connection with the source. The MTA sends email files to emulation after it closes the SMTP connection. When the file emulation is completed, the emails are sent to the mail server in the internal network. We recommend that you enable the MTA on the Security Gateway for Threat Emulation profiles that use the Prevent action for SMTP traffic.
- A Threat Emulation deployment that uses an MTA optimizes emulation for profiles that use the Prevent action.
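The MTA deployment described above, as an added example that is not Check Point code: the SMTP session with the source is completed first, each attachment is hashed and submitted for a verdict, and the message is forwarded to the internal mail server only once every attachment has a clean verdict. The `HoldingMta` class, the sample message, the addresses and the verdict values are all constructed for this illustration.

```python
"""Added example, not Check Point code: an MTA-style hold queue that releases
mail to the internal server only after emulation of all attachments."""
import email
import hashlib
from email import policy
from email.message import EmailMessage


def sample_mail(attachments):
    """Build a constructed RFC 5322 message with binary attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    for filename, blob in attachments:
        msg.add_attachment(blob, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def attachment_hashes(raw: bytes):
    """Return {sha256: filename} for every attachment part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {hashlib.sha256(p.get_payload(decode=True)).hexdigest(): p.get_filename()
            for p in msg.iter_attachments()}


class HoldingMta:
    def __init__(self):
        self.held = {}          # msg_id -> state while emulation is pending
        self.forwarded = []     # msg_ids released to the internal mail server
        self.quarantined = []   # msg_ids with at least one malicious attachment

    def accept(self, msg_id, raw):
        """Called at the end of DATA. The connection with the source is
        closed here with 250 OK, so the sender never waits on emulation."""
        pending = attachment_hashes(raw)
        self.held[msg_id] = {"raw": raw, "pending": set(pending), "bad": False}
        if not pending:                 # nothing to emulate: forward at once
            self._finish(msg_id)
        return "250 OK", sorted(pending)

    def verdict(self, digest, result):
        """Called when emulation of one file (identified by hash) completes."""
        for msg_id, state in list(self.held.items()):
            if digest in state["pending"]:
                state["pending"].discard(digest)
                if result == "malicious":
                    state["bad"] = True
                if not state["pending"]:
                    self._finish(msg_id)

    def _finish(self, msg_id):
        state = self.held.pop(msg_id)
        (self.quarantined if state["bad"] else self.forwarded).append(msg_id)


if __name__ == "__main__":
    mta = HoldingMta()
    code, hashes = mta.accept("m1", sample_mail([("a.bin", b"constructed clean")]))
    print(code, hashes, "held:", list(mta.held))
    mta.verdict(hashes[0], "benign")
    print("forwarded:", mta.forwarded)
```

Because verdicts are keyed by hash, one emulation result releases every held message that carries the same attachment, and a message with no attachments is forwarded without waiting at all.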
I want to use the Prevent action and be able to block malicious files, what are my deployment options?
- ThreatCloud - Files are sent to the ThreatCloud for emulation. When the emulation is complete, ThreatCloud sends a notification to the Security Gateway that the files are safe. Then they go to computers in the internal network.
- Threat Emulation Private Cloud Appliance with inline deployment - The files are kept in the Emulation appliance and after emulation, safe files go to the computer in the internal network.
This table summarizes how Threat Emulation sends traffic for emulation:
Recommended with Prevent action for emails
Check Point ThreatCloud Network
Check Point ThreatCloud is a dynamically updated service that is based on an innovative global network of threat sensors and organizations that share threat data and collaborate to fight against modern malware. Customers can send their own threat data to the ThreatCloud and receive protection updates with enriched threat intelligence.
Customers that participate in the ThreatCloud network can use the collected malware data to benefit from increased security and protection. The ThreatCloud can then distribute attack information, and turn zero-day attacks into known signatures that the Anti-Virus Software Blade can block.
When you send files to the ThreatCloud service for emulation, your network gets up-to-date threat information and operating system environments.
You can always change this default behavior by altering a setting in SmartDashboard.
- Open .
- In the area, clear this setting: .
- Restart SmartDashboard.
- Install the Policy
For full details and instructions, see sk94509.
These are the specifications for the Threat Emulation deployments:
- ThreatCloud - R77 (or higher) Security Gateways with Gaia or SecurePlatform (64 or 32-bit), and R77.20 (or higher) VSX Gateways
- Local or Remote emulation - Check Point Threat Emulation Private Cloud Appliance with R77 or higher on the Gaia operating system (64-bit only), and R77.20 or higher VSX Gateways (Remote emulation only)
- Maximum size of file to send to emulation: 100,000 KB
Make sure that:
- Each Virtual System has access to the Remote gateway or to the cloud.
- Each Virtual System Gateway has access to the Internet for updates from the Check Point Download Center.
Note - This release does not support:
- Active/Standby Bridge Mode
- Virtual System Load Sharing Security Clusters with more than two members.
Threat Emulation License Requirements
There are separate licenses for ThreatCloud and local emulation. Make sure that you have the correct Threat Emulation licenses for your network.
ThreatCloud Emulation Quota
If you configure Threat Emulation to send files to the Check Point ThreatCloud for emulation, the license is the ThreatCloud Emulation Quota. This quota is the maximum number of files that a company or organization can send for emulation. It is reset at the start of each month.
Emulation Appliance License and Contract
If you configure Threat Emulation to run emulation on an Emulation appliance, there is a license and a contract for the Software Blade.
- License for the emulation.
- Annual contract for the Emulation appliance updates (separate from the ThreatCloud Emulation Quota). Emulation is not done if this contract expires.
For Emulation appliance configurations, you only need a license and contract for the appliance. Even though Threat Emulation is enabled on the Security Gateway, the gateway itself does not require a Threat Emulation license or contract. If you also want to send files to the ThreatCloud, you need a ThreatCloud Emulation Quota.
The Need for Anti-Bot
There are two emerging trends in today's threat landscape:
- A profit-driven cybercrime industry that uses different tools to meet its goals. This industry includes cyber-criminals, malware operators, tool providers, coders, and affiliate programs. Their "products" can be easily ordered online from numerous sites (for example, do-it-yourself malware kits, spam sending, data theft, and denial of service attacks) and organizations are finding it difficult to fight off these attacks.
- Ideological and state driven attacks that target people or organizations to promote a political cause or carry out a cyber-warfare campaign.
Both of these trends are driven by bot attacks.
A bot is malicious software that can invade your computer. There are many infection methods. These include opening attachments that exploit a vulnerability and accessing a web site that results in a malicious download.
When a bot infects a computer, it:
- Takes control of the computer and neutralizes its Anti-Virus defenses. Bots are difficult to detect because they hide within your computer and change the way they appear to Anti-Virus software.
- Connects to a Command and Control (C&C) center for instructions from cyber criminals. The cyber criminals, or bot herders, can remotely control it and instruct it to execute illegal activities without your knowledge. These activities include:
  - Data theft (personal, financial, intellectual property, organizational)
  - Sending SPAM
  - Attacking resources (Denial of Service Attacks)
  - Bandwidth consumption that affects productivity
In many cases, a single bot can create multiple threats. Bots are often used as tools in attacks known as Advanced Persistent Threats (APTs) where cyber criminals pinpoint individuals or organizations for attack. A botnet is a collection of compromised computers.
Check Point's Anti-Bot Software Blade detects and prevents these bot threats.
The Check Point Anti-Bot Solution
The Anti-Bot Software Blade:
- Identifies bot infected machines in the organization by analyzing network traffic using the multi-layered ThreatSpect engine.
- Uses the ThreatCloud repository to receive updates and queries it for classification of unidentified IP, URL, and DNS resources.
- Prevents damage by blocking bot communication to C&C sites and makes sure that no sensitive information is stolen or sent out of the organization.
- Gives the organization threat visibility using different views and reports that help assess damages and decide on next steps.
Identifying Bot Infected Computers
The Anti-Bot Software Blade uses these procedures to identify bot infected computers:
- Identify the C&C addresses used by criminals to control bots
These web sites are constantly changing and new sites are added on an hourly basis. Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not.
- Identify the communication patterns used by each botnet family
These communication fingerprints are different for each family and can be used to identify a botnet family. Research is done for each botnet family to identify the unique language that it uses. There are thousands of existing different botnet families and new ones are constantly emerging.
- Identify bot behavior
Identify specific bot actions, such as when the computer sends spam or participates in DoS attacks.
Check Point uses the ThreatSpect engine and ThreatCloud repository to find bots based on these procedures.
ThreatSpect engine and ThreatCloud repository
The ThreatSpect engine is a unique multi-tiered engine that analyzes network traffic and correlates information across multiple layers to find bots and other malware. It combines information on remote operator hideouts, unique botnet traffic patterns and behavior to identify thousands of different botnet families and outbreak types.
The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.
The Security Gateway gets automatic binary signature and reputation updates from the ThreatCloud repository. It can query the cloud for new, unclassified IP/URL/DNS resources that it finds.
The layers of the ThreatSpect engine:
- Analyzes the reputation of URLs, IP addresses and external domains that computers in the organization access. The engine searches for known or suspicious activity, such as a C&C.
- Detects threats by identifying unique patterns in files or in the network.
- Detects infected machines in the organization based on analysis of outgoing mail traffic.
- Detects unique patterns that indicate the presence of a bot. For example, how a C&C communicates with a bot-infected machine.
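The three identification procedures (C&C address reputation, communication-pattern signatures and bot behaviour such as spam sending or DoS participation) and the corresponding engine layers, as one added example that is not Check Point code. It runs the three checks over constructed connection-log lines; the C&C list, the beacon signature, the burst thresholds and the log format are all constructed placeholders, not ThreatCloud data or ThreatSpect signatures.

```python
"""Added example, not Check Point code: reputation, signature and behaviour
checks applied to constructed connection-log lines."""
import re
from collections import Counter

KNOWN_CNC = {"203.0.113.7", "cnc.example.invalid"}              # constructed reputation feed
BEACON_URI = re.compile(r"^/gate\.php\?id=[0-9a-f]{16}&cmd=")  # constructed traffic pattern
SMTP_BURST = 20   # outbound SMTP connections from one host -> spam-sending bot
SYN_BURST = 50    # TCP SYNs from one host to one target -> DoS participant

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r" proto=(?P<proto>\S+)(?: uri=(?P<uri>\S+))?$")


def parse(line):
    """Parse one constructed log line; return None for lines in another format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines):
    """Return a list of (source host, layer, detail) alerts."""
    alerts = []
    smtp = Counter()
    syn = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["dst"] in KNOWN_CNC:                       # reputation layer
            alerts.append((rec["src"], "reputation", rec["dst"]))
        if rec["uri"] and BEACON_URI.match(rec["uri"]):   # signature layer
            alerts.append((rec["src"], "signature", rec["uri"]))
        if rec["dport"] == 25:                            # behaviour: spam volume
            smtp[rec["src"]] += 1
        if rec["proto"] == "tcp-syn":                     # behaviour: SYN flood
            syn[(rec["src"], rec["dst"])] += 1
    for src, n in smtp.items():
        if n >= SMTP_BURST:
            alerts.append((src, "behavior", f"{n} outbound SMTP connections"))
    for (src, dst), n in syn.items():
        if n >= SYN_BURST:
            alerts.append((src, "behavior", f"{n} SYNs to {dst}"))
    return alerts


def infected_hosts(lines):
    """Hosts that triggered at least one layer."""
    return sorted({src for src, _, _ in analyze(lines)})


# constructed sample log: one host per detection layer plus one clean host
SAMPLE_LOG = (
    [
        "2024-01-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp",
        "2024-01-01T10:00:01Z src=10.0.0.6 dst=198.51.100.10 dport=80 proto=tcp uri=/index.html",
        "2024-01-01T10:00:02Z src=10.0.0.7 dst=198.51.100.20 dport=80 proto=tcp"
        " uri=/gate.php?id=0123456789abcdef&cmd=ping",
        "this line is not in the expected format",
    ]
    + [f"2024-01-01T10:01:{i:02d}Z src=10.0.0.8 dst=192.0.2.{i} dport=25 proto=tcp"
       for i in range(25)]
    + ["2024-01-01T10:02:00Z src=10.0.0.9 dst=198.51.100.99 dport=80 proto=tcp-syn"
       for _ in range(60)]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
    print("infected:", infected_hosts(SAMPLE_LOG))
```

The reputation and signature layers fire on a single connection, while the behaviour layer needs a count over time, which is why the counters are only evaluated after the whole batch has been read.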
Preventing Bot Damage
After the discovery of bot infected machines, the Anti-Bot Software Blade blocks outbound communication to C&C sites based on the Rule Base. This neutralizes the threat and makes sure that no sensitive information is sent out.
The Need for Anti-Virus
Malware is a major threat to network operations that has become increasingly dangerous and sophisticated. Examples include worms, blended threats (combinations of malicious code and vulnerabilities for infection and dissemination) and trojans.
The Anti-Virus Software Blade scans incoming and outgoing files to detect and prevent these threats. It also gives pre-infection protection from malware contained in these files.
The Check Point Anti-Virus Solution
The Anti-Virus Software Blade:
- Identifies malware in the organization using the ThreatSpect engine and ThreatCloud repository:
  - Prevents malware infections from incoming malicious file types (Word, Excel, PowerPoint, PDF, etc.) in real-time. Incoming files are classified on the gateway and the result is then sent to the ThreatCloud repository for comparison against known malicious files, with almost no impact on performance.
  - Prevents malware download from the internet by preventing access to sites that are known to be connected to malware. Accessed URLs are checked by the gateway caching mechanisms or sent to the ThreatCloud repository to determine if they are permissible or not. If not, the attempt is stopped before any damage can take place.
- Uses the ThreatCloud repository to receive binary signature updates and query the repository for URL reputation and Anti-Virus classification.
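The on-gateway classification step described above (classify an incoming file by content, then compare its hash against known malicious files), as an added example that is not Check Point code. The magic-byte table is standard file-format knowledge; the known-bad hash list and the sample files are constructed, and a real deployment would query the ThreatCloud repository where this example consults a local set.

```python
"""Added example, not Check Point code: content-based file classification on
the gateway followed by a hash comparison against known malicious files."""
import hashlib
import io
import zipfile

MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt container
    (b"PK\x03\x04", "zip"),                          # .docx/.xlsx/.pptx are ZIP containers
    (b"MZ", "pe"),                                   # Windows executable
]
SCANNED_TYPES = {"pdf", "ole2", "ooxml", "pe"}


def classify(data: bytes) -> str:
    """Classify by content, never by file name or extension."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            # an OOXML document is a ZIP whose first entry is [Content_Types].xml
            if name == "zip" and b"[Content_Types].xml" in data[:4096]:
                return "ooxml"
            return name
    return "other"


def inspect(filename: str, data: bytes, known_bad: set) -> dict:
    """Classify, hash, and compare against the known-bad set (constructed here;
    the real gateway sends the result to the ThreatCloud repository)."""
    ftype = classify(data)
    digest = hashlib.sha256(data).hexdigest()
    if ftype not in SCANNED_TYPES:
        verdict = "not-scanned"
    elif digest in known_bad:
        verdict = "malicious"
    else:
        verdict = "unknown"  # not a known-bad hash; other engines decide
    return {"file": filename, "type": ftype, "sha256": digest, "verdict": verdict}


def sample_docx() -> bytes:
    """Constructed minimal OOXML-shaped ZIP (a real .docx has more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


# constructed samples; the executable is given a .pdf name to show that
# classification ignores the extension
SAMPLE_PE = b"MZ\x90\x00constructed fake executable"
SAMPLE_PDF = b"%PDF-1.7 constructed document"
KNOWN_BAD = {hashlib.sha256(SAMPLE_PE).hexdigest()}

if __name__ == "__main__":
    print(inspect("invoice.pdf", SAMPLE_PE, KNOWN_BAD))
    print(inspect("report.pdf", SAMPLE_PDF, KNOWN_BAD))
    print(inspect("memo.docx", sample_docx(), KNOWN_BAD))
    print(inspect("notes.txt", b"plain text", KNOWN_BAD))
```

Classifying by content rather than extension is what lets the gateway treat a renamed executable as an executable; the hash comparison then gives the "almost no impact on performance" path, since a lookup is far cheaper than a full scan.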
Anti-Bot and Anti-Virus Licensing and Contracts
Make sure that you have a valid Security Gateway license and Anti-Bot and/or Anti-Virus contracts. For clusters, make sure you have a contract and license for each cluster member.
New and upgraded installations automatically receive a 30 day trial license and updates. Contact your Check Point representative to get full licenses and contracts.
The Anti-Bot and/or Anti-Virus Software Blades do not work if you do not have a valid contract. When contracts are about to expire or have already expired, warnings show in these places:
- The section of the pane of the Threat Prevention tab.
- The Check Point User Center, when you log in to your account.