
The Threat Emulation Solution

In This Section:

ThreatCloud Emulation

Threat Emulation Analysis Locations

Optimizing File Emulation

Selecting the Threat Emulation Deployment

ThreatCloud Emulation

You can securely send files to the Check Point ThreatCloud for emulation. The ThreatCloud is always up-to-date with the latest Threat Emulation releases.

Sample ThreatCloud Emulation Workflow

  1. The Security Gateway gets a file from the Internet or an external network.
  2. The Security Gateway compares the cryptographic hash of the file with the database.
    • If the file is already in the database, no additional emulation is necessary.
    • If the file is not in the database, full emulation must be run on the file.
  3. The file is sent over an SSL connection to the ThreatCloud.
  4. The virtual computers in the ThreatCloud run emulation on the file.
  5. The emulation results are sent securely to the Security Gateway for the applicable action.

Sample ThreatCloud Deployment

Item  Description
1     Internet and external networks
2     Perimeter Security Gateway
3     Check Point ThreatCloud servers
4     Computers and servers in the internal network

Threat Emulation Analysis Locations

You can choose a location for the emulation analysis that best meets the requirements of your company.

Local or Remote Emulation

You can install an Emulation appliance in the internal network.

Sample Workflow for Emulation Appliance in a Local Deployment

  1. The Emulation appliance receives the traffic, and aggregates the files.
  2. The Emulation appliance compares the cryptographic hash of the file with the database.
    • If the file is already in the database, no more emulation is necessary.
    • If the file is not in the database, the virtual computers in the Emulation appliance run full emulation on the file.

Item  Description
1     Internet and external networks
2     Perimeter Security Gateway
3     Threat Emulation Private Cloud Appliance
4     Computers and servers in the internal network

Sample Workflow for Emulation Appliance in a Remote Deployment

  1. The Security Gateway aggregates the files, and the files are sent to the Emulation appliance.
  2. The Emulation appliance compares the cryptographic hash of the file with the database.
    • If the file is already in the database, no more emulation is necessary.
    • If the file is not in the database, the virtual computers in the Emulation appliance run full emulation on the file.

Item  Description
1     Internet and external networks
2     Perimeter Security Gateway
3     Threat Emulation Private Cloud Appliance
4     Computers and servers in the internal network

Preparing for Local or Remote Emulation

Prepare the network and Emulation appliance for a Local or Remote deployment in the internal network.

  1. Open SmartConsole.
  2. Create the network object for the Emulation appliance.
  3. If you are running emulation on HTTPS traffic, configure the settings for HTTPS Inspection.
  4. Make sure that the traffic is sent to the appliance according to the deployment:
    • Local Emulation - The Emulation appliance receives the traffic. The appliance can be configured for traffic the same as a Security Gateway.
    • Remote Emulation - The traffic is routed to the Emulation appliance.

Optimizing File Emulation

Each file has a unique cryptographic hash, and these hashes are stored in a database after emulation is complete. Before emulation is run on a file, the appliance compares the file hash with the database: if the hash is already there, the file is not emulated again; if it is not, full emulation is run on the file.

This database helps to optimize emulation and gives better network performance.

Selecting the Threat Emulation Deployment

What are my options to send traffic for emulation?

I want to use the Prevent action and be able to block malicious files. What are my deployment options?

This table summarizes how Threat Emulation sends traffic for emulation:

Deployment  Block Malware
Inline      Yes
SPAN/TAP    No
MTA         Recommended with Prevent action for emails

Inline Deployments (Prevent and Ask)

Use the Prevent or Ask UserCheck action to quarantine a malicious file.

Sample Inline Emulation Workflow (Prevent Action)

  1. The ThreatCloud or Emulation appliance gets a file from the Security Gateway.
  2. Emulation is run on the file.
    • If the file is safe, it is sent to the computer in the internal network.
    • If the file contains malware, it is quarantined and logged.

Monitor Deployments

Sample Monitor Emulation Workflow

  1. The ThreatCloud or Emulation appliance gets a copy of a file from the Security Gateway. The original file goes to the computer in the internal network.
  2. Emulation is run on the file.
    • If the file is safe, no other action is taken.
    • If the file is identified as malware, it is logged according to the Track action of the Threat Prevention rule.
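As an added example (not Check Point's code), the following Python models the flow this page describes in Optimizing File Emulation and in the Inline and Monitor workflows: a hash lookup before emulation, full emulation only on a database miss, and a deployment mode that decides between quarantine and log-only. The emulator, the verdict database and the sample files are constructed stand-ins.

```python
"""Added example (not Check Point code): hash lookup first, full emulation only
on a database miss, then the deployment mode decides the file's fate."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample files standing in for downloads seen by the Security Gateway.
CLEAN_FILE = b"%PDF-1.4 constructed clean sample document"
SUSPECT_FILE = b"constructed sample that the stand-in emulator will flag: MALICIOUS"


def file_hash(data: bytes) -> str:
    """The gateway identifies a file by its cryptographic hash (SHA-256 assumed)."""
    return hashlib.sha256(data).hexdigest()


def stand_in_emulator(data: bytes) -> str:
    """Placeholder for full emulation in the ThreatCloud or an Emulation appliance."""
    return "malicious" if b"MALICIOUS" in data else "safe"


@dataclass
class EmulationService:
    """Hash database plus the (hypothetical) full-emulation routine."""
    emulate: Callable[[bytes], str]
    verdicts: Dict[str, str] = field(default_factory=dict)  # hash -> verdict
    emulations_run: int = 0

    def verdict_for(self, data: bytes) -> str:
        h = file_hash(data)
        if h in self.verdicts:            # already in the database: no additional emulation
            return self.verdicts[h]
        self.emulations_run += 1          # not in the database: run full emulation once
        self.verdicts[h] = self.emulate(data)
        return self.verdicts[h]


def gateway_handle(service: EmulationService, data: bytes, mode: str, log: List[str]) -> str:
    """Apply the verdict for mode 'inline' (Prevent) or 'monitor'; returns the file's fate."""
    verdict = service.verdict_for(data)
    if mode == "monitor":
        # Monitor: the original file already went to the internal host; malware is only logged.
        if verdict == "malicious":
            log.append(f"detect {file_hash(data)[:12]}")
        return "delivered"
    # Inline: the file is held until the verdict arrives, then quarantined or released.
    if verdict == "malicious":
        log.append(f"prevent {file_hash(data)[:12]}")
        return "quarantined"
    return "delivered"
```

Sending the same file twice shows the hash database at work: the second request returns the stored verdict without a second emulation.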

Threat Emulation Deployments with a Mail Transfer Agent

SMTP traffic goes to the Security Gateway, and is sent for emulation. The MTA acts as a mail proxy, and manages the SMTP connection with the source. The MTA sends email files to emulation after it closes the SMTP connection. When the file emulation is completed, the emails are sent to the mail server in the internal network.

For more information on how to work with the Mail Transfer Agent, see Mail Transfer Agent.