Threat Indicators

What can I do here?

Use this window to create or edit a threat IndicatorClosed Pattern of relevant observable malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it. by importing a CSV file or STIXClosed Structured Threat Information eXpression™. A language that describes cyber threat information in a standardized and structured way. XML (STIX 1.0) file, and selecting an action.

Getting Here - Security PoliciesClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. > Threat Prevention > Policy > Custom Policy Tools > Indicators > New

Threat Indicators Overview

Threat Indicators lets you add feeds to the Anti-BotClosed Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. and Anti-VirusClosed Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. engines, in addition to the feeds included in the Check Point packages and ThreatCloudClosed The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. feeds.

You can add indicator files in two ways:

An Indicator is a set of observables which represent a malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it.

An Observable is an eventClosed Record of a security or network incident that is based on one or more logs, and on a customizable set of rules that are defined in the Event Policy. or a stateful property that can be observed in an operational cyber domain. Such as: IP address, MD5 file signature, SHA1 file signature, SHA256 file signature, URL, Mail sender address.

Threat Indicators demonstrate an attack by:

  • Specific observable patterns

  • Additional information intended to represent objects and behaviors of interest in a cyber-security context

Indicators are derived from intelligence, self-analysis, governments, partners, and so on.

Supported Indicator Files

Indicator files must be in CSV or STIX XML (STIX 1.0) format:

Each record in CSV Check Point format and the STIX XML (STIX 1.0) format has these fields (files in CSV format which is not the Check Point format does not have to include all these fields, see Threat Indicators).

Field

Description

Valid Values

Value Criteria

Optional

UNIQ-NAME

Name of the observable

Free text

Must be unique

No

VALUE

A valid value for the type of the observable

As provided in this table

Value of parameter

No

TYPE

Type of the observable

  • URL

  • Domain

  • IP

  • IP Range

  • MD5

  • SHA1
  • SHA256

  • Mail-subject

  • Mail-from

  • Mail-to

  • Mail-cc

  • Mail-reply-to

Not case sensitive

No

CONFIDENCE

Degree of confidence the observable presents

  • low

  • medium

  • high

  • critical

Default - high

Yes

SEVERITY

Degree of threat the observable presents

  • low

  • medium

  • high

  • critical

Default - high

Yes

PRODUCT

Check Point Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. that processes the observable

  • AV

  • AB

AV - Check Point Anti-Virus Software Blade (default)

AB - Check Point Anti-BotClosed Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions. Software Blade

Note - only the Anti-Virus Software Blade can process MD5, SHA1 and SHA256 observables.

Yes

COMMENT

 

Free text

 

Yes

  • If an optional field is empty, the default value is used.

  • If a mandatory field is empty, the Indicator file does not load.

Observable Type

Validation Criteria

URL

Any valid URL

Domain

Any URL domain

IP

Standard IPv4 address

IP Range

A range of valid IPv4 addresses, separated by a hyphen: <IP>-<IP>

MD5

Any valid MD5

SHA1

Any valid SHA1

SHA256

Any valid SHA256

Mail-subject

Any non-empty text string

Mail-to

Mail-from

Mail-cc

Mail-reply-to

Can be one of these:

  • A single email address (Example: abc@domain.com)

  • An email domain (Examples: @domain.com, or domain.com)

  • As of this release, STIX 2.0 (JSON file) is not supported.

  • Custom Indicators CLI (load_indicators) are not supported.

  • The supported STIX elements are:

    stix:STIX_Package

    stix:STIX_Header

    stix:Title

    stix:Description

    stix:Indicators

    stix:Indicator

    indicator:Title

    indicator:Type

    indicator:Description

    indicator:ObservableClosed Event or stateful property that can be observed in an operational cyber domain.

    cybox:Object

    cybox:Properties

    FileObj:Hashes

    cyboxCommon:Hash

    cyboxCommon:Type

    cyboxCommon:Simple_Hash_Value

    stix:Observables

    cybox:Observable

    URIObj:Value

    URIObject:Value

    AddressObject:Address_Value

    AddressObj:Address_Value

    AddressObj:AddressObjectType

    AddressObjet:AddressObjectType

    cybox:Title

    • Condition Type Enum and Condition Application Enum support Equals and Any.

      <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">

:
#! DESCRIPTION = indi file,,,,,,

"#! REFERENCE = Indicator Bulletin; Feb 20, 2014",,,,,,

# FILE FORMAT:,,,,,,

"# All lines beginning ""#"" are comments",,,,,,

"# All lines beginning ""#!"" are metadata read by the SW",,,,,,

"# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT",,,,,,

observ1,8d9b6b8912a2ed175b77acd40cbe9a73,MD5,medium,medium,AV,FILENAME:WUC
Invitation Letter Guests.doc

observ2,76700f862a0c241b8f4b754f76957bda,MD5,high,high,AV,FILENAME:essais~.swf|
NOTE:FWS type Flash file

observ4,5dda6d1446b3cdb0bd4a3f0adb85d030ff59e975,SHA1,low,high,AV,file_name.pdf
observ5,db435a875be456f088f11c579aa52f30bc83cfff272cfad5a3f6f4de74de0654,SHA256,high,high,AV,file_name.doc

observ7,http://somemaliciousdomain.com/uploadfiles/upload/exp.swf?info=
789c333432d333b4d4b330d133b7b230b03000001b39033b&infosize=00840000
,URL,high,high,AV,IPV4ADDR:196.168.25.25

observ8,svr01.passport.ServeUser.com,Dpmain,low,high,AB,TCP:80|
IPV4ADDR:172.18.18.25|NOTE:Embedded EXE Remote C&C and Encoded Data

observ9,somemaliciousdomain2.com,Domain,,low,AV,TCP:8080|IPV4ADDR:172.22.14.10

observ10,http://www.bogusdomain.com/search?q=%24%2B%25&form=MOZSBR&pc=
MOZI,URL,low,low,AB,IPV4ADDR:172.25.1.5

observ11,http://somebogussolution.com/register/card/log.asp?isnew=-1&LocalInfo=
Microsoft%20Windows%20XP%20Service%20Pack%202&szHostName=
ADAM-E512679EFD&tmp3=tmp3,URL,medium,,AB,

observ14,172.16.47.44,IP,high,medium,AB,TCP:8080

observ15,172.16.73.69,IP,medium,medium,AV,TCP:443|NOTE:Related to Flash
exploitation

observ16,abc@def.com,mail-to,,high,AV,"NOTE:truncated; samples have appended to
the subject the string ""PH000000NNNNNNN"" where NNNNNNN is a varying number"

observ34,stamdomain.com,domain,,,AB,

observ35,stamdomain.com,mail-from,high,medium,AV,

observ37,xyz.com,mail-from,medium,medium,AB,

observ38,@xyz.com,mail-from,medium,medium,AB,

observ39,a@xyz.com,mail-from,medium,medium,AB, 

<stix:STIX_Package
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="
    http://stix.mitre.org/stix-1 ../stix_core.xsd
    http://stix.mitre.org/Indicator-2 ../indicator.xsd
    http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd
    http://cybox.mitre.org/objects#FileObject-2 ../cybox/objects/File_Object.xsd
    http://cybox.mitre.org/default_vocabularies-2 ../cybox/cybox_default_vocabularies.xsd"
    id="example:STIXPackage-ac823873-4c51-4dd1-936e-a39d40151cc3"
    version="1.0.1">
    <stix:STIX_Header>
        <stix:Title>Example file watchlist</stix:Title>
        <stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>
    </stix:STIX_Header>
    <stix:Indicators>
        <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-611935aa-4db5-4b63-88ac-ac651634f09b">
            <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>
            <indicator:Description>Indicator that contains malicious file hashes.</indicator:Description>
            <indicator:Observable id="example:Observable-c9ca84dc-4542-4292-af54-3c5c914ccbbc">
                <cybox:Object id="example:Object-c670b175-bfa3-48e9-a218-aa7c55f1f884">
                    <cybox:Properties xsi:type="FileObj:FileObjectType">
                        <FileObj:Hashes>
                            <cyboxCommon:Hash>
                                <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">MD5</cyboxCommon:Type>
                                <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d##comma##0522e955aaee70b102e843f14c13a92e</cyboxCommon:Simple_Hash_Value>
                            </cyboxCommon:Hash>
                        </FileObj:Hashes>
                    </cybox:Properties>
                </cybox:Object>
            </indicator:Observable>
        </stix:Indicator>
    </stix:Indicators>
</stix:STIX_Package>

Manually Uploading Threat Indicator Files through SmartConsole

When you manually upload threat indicator files through SmartConsole, the files must be in a CSV Check Point format or STIX XML (STIX 1.0) format. The files must contain records of equal size. If an Indicator file has records which do not have the same number of fields, it does not load. See Threat Indicators for the required fields and observable values.

  • Use commas to separate the fields in a record

  • Enter one record per line, or use '\n' to separate the records

  • If free text contains quotation marks, commas, or line breaks, it must be enclosed in quotation marks

  • To enclose part of free text in quotations, use double quotation marks: "<text>"

Step

Instructions

1

Go to Security Policies > Threat Prevention > Policy > Custom Policy Tools > Indicators.

The Indicators page opens.

2

Click New.

The Indicators configuration window opens.

3

Enter a Name.

Each Indicator must have a unique name.

4

Enter Object Comment (optional).

5

Click Import to browse to the Indicator file.

The content of each file must be unique. You cannot load duplicate files.

6

Select an action for this Indicator

  • Ask - Threat Prevention Software Blade asks what to do with the detected observable

  • Prevent - Threat Prevention Software Blade blocks the detected observable

  • Detect - Threat Prevention Software Blade creates a log entry, and lets the detected observable go through

  • Inactive - Threat Prevention Software Blade does nothing

7

Add Tag.

8

Click OK.

If you leave an optional field empty, a warning notifies you that the default values are used in the empty fields. Click OK. The Indicator file loads.

9

In SmartConsole, install the policy.

Step

Instructions

1

Select an Indicator.

2

Click Delete.

3

In the window that opens, click Yes to confirm.

You can edit properties of an Indicator object, except for the file it uses. If you want an Indicator to use a different file, you must delete it and create a new one.