Configuring Threat Indicators
Threat Indicators lets you add feeds to the Anti-Bot and Anti-Virus engines on the Security Gateway, in addition to the feeds included in the Check Point packages and the ThreatCloud feeds. Anti-Bot (AB, ABOT) is the Check Point Software Blade that blocks botnet behavior and communication to Command and Control (C&C) centers; Anti-Virus (AV) is the Software Blade that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the gateway before users are affected; ThreatCloud is the cyber intelligence center of all Check Point products, dynamically updated from a global network of threat sensors.
You can add indicator files in two ways: manually, through SmartConsole, or directly on each Security Gateway through the CLI (both are described in the sections below).
An Indicator is a set of observables which represent a malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it.
An Observable is an event or a stateful property that can be observed in an operational cyber domain, such as an IP address, an MD5, SHA1 or SHA256 file hash, a URL, or a mail sender address.
Threat Indicators describe an attack by:
- Specific observable patterns
- Additional information intended to represent objects and behaviors of interest in a cyber-security context
Indicators are derived from intelligence, self-analysis, governments, partners, and so on.
Supported Indicator Files
Indicator files must be in CSV or STIX (Structured Threat Information eXpression, a language that describes cyber threat information in a standardized and structured way) XML (STIX 1.0) format:
- SmartConsole supports CSV files only in the Check Point format.
- The CLI also supports other CSV formats, as long as their upload complies with the required rules (see Importing Automated Custom Intelligence Feeds).
Each record in the Check Point CSV format and in the STIX XML (STIX 1.0) format has the fields Name, Value, Type, Confidence, Severity, Product and Comment. CSV files that are not in the Check Point format do not have to include all of these fields (see Importing Automated Custom Intelligence Feeds). The Type and Value of a record must match one of these observable types:
Observable Type | Validation Criteria
---|---
URL | Any valid URL
Domain | Any URL domain
IP | Standard IPv4 address
IP Range | A range of valid IPv4 addresses, separated by a hyphen (first address-last address)
MD5 | Any valid MD5
SHA1 | Any valid SHA1
SHA256 | Any valid SHA256
Mail-subject | Any non-empty text string
Mail-to, Mail-from, Mail-cc, Mail-reply-to | Can be one of these:
The supported STIX elements are:
- Condition Type Enum and Condition Application Enum support Equals and Any, for example:
  <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">
Manually Uploading Threat Indicator Files through SmartConsole
When you manually upload threat indicator files through SmartConsole, the files must be in the Check Point CSV format or in STIX XML (STIX 1.0) format. Every record in a file must have the same number of fields; if an Indicator file has records with different numbers of fields, it does not load. See Supported Indicator Files for the required fields and observable values.
- Use commas to separate the fields in a record.
- Enter one record per line, or use '\n' to separate the records.
- If free text contains quotation marks, commas, or line breaks, it must be enclosed in quotation marks.
- To include a quotation mark inside quoted free text, double it (standard CSV quoting): ""<text>""
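As an added example (Python, written for this page and not Check Point's own code), the following validator applies the observable rules from the table above and the CSV record rules in this list to a constructed sample file, reporting which lines would stop the file from loading. The field order, the hex-only hash check, the http/https requirement for URLs and the single user@domain form for mail-address observables are assumptions, because the page's field table and its list of accepted mail-address forms did not survive.

```python
import csv
import io
import ipaddress
import re
from urllib.parse import urlparse

# Field order of a Check Point CSV record (assumption: the page names these
# fields but the original field table is not preserved).
FIELDS = ["name", "value", "type", "confidence", "severity", "product", "comment"]


def _hex(length):
    return re.compile(r"^[0-9a-fA-F]{%d}$" % length)


MD5_RE, SHA1_RE, SHA256_RE = _hex(32), _hex(40), _hex(64)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)
# Assumption: mail-address observables are a single user@domain address.
MAIL_RE = re.compile(r"^[^@\s]+@(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _is_ip_range(text):
    # "first-last": both halves valid IPv4, first <= last
    first, sep, last = text.partition("-")
    return (bool(sep) and _is_ipv4(first) and _is_ipv4(last)
            and ipaddress.IPv4Address(first) <= ipaddress.IPv4Address(last))


def _is_url(text):
    parts = urlparse(text)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def _is_mail(text):
    return bool(MAIL_RE.match(text))


VALIDATORS = {
    "url": _is_url,
    "domain": lambda t: bool(DOMAIN_RE.match(t)),
    "ip": _is_ipv4,
    "ip-range": _is_ip_range,
    "md5": lambda t: bool(MD5_RE.match(t)),
    "sha1": lambda t: bool(SHA1_RE.match(t)),
    "sha256": lambda t: bool(SHA256_RE.match(t)),
    "mail-subject": lambda t: bool(t.strip()),
    "mail-to": _is_mail, "mail-from": _is_mail,
    "mail-cc": _is_mail, "mail-reply-to": _is_mail,
}


def validate_indicator_csv(text):
    """Return (records, errors): records as dicts keyed by FIELDS, errors as
    (line_number, message). csv.reader applies RFC 4180 quoting, so a quoted
    field may hold commas and line breaks, and "" inside it is a literal quote."""
    records, errors = [], []
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        line = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # blank line, not a record
        if len(row) != len(FIELDS):
            errors.append((line, "expected %d fields, got %d" % (len(FIELDS), len(row))))
            continue
        rec = dict(zip(FIELDS, (cell.strip() for cell in row)))
        kind = re.sub(r"[\s_]+", "-", rec["type"].lower())  # "IP Range" -> "ip-range"
        check = VALIDATORS.get(kind)
        if check is None:
            errors.append((line, "unknown observable type %r" % rec["type"]))
        elif not check(rec["value"]):
            errors.append((line, "value %r is not a valid %s" % (rec["value"], kind)))
        else:
            records.append(rec)
    return records, errors


def is_loadable(text):
    """SmartConsole rejects the whole file if any record is malformed."""
    return not validate_indicator_csv(text)[1]


# Constructed sample file (not from the page): five good records, two bad ones.
SAMPLE = (
    'bad_host,evil.example,domain,high,high,ab,"C2 host, seen in ""campaign A"""\n'
    "c2_ip,203.0.113.7,ip,medium,high,ab,\n"
    "scanner,203.0.113.10-203.0.113.20,IP Range,low,medium,ab,scanner range\n"
    "dropper,d41d8cd98f00b204e9800998ecf8427e,md5,high,critical,av,empty file hash\n"
    "payload,http://evil.example/payload.exe,url,high,high,av,\n"
    "broken,203.0.113.999,ip,high,high,ab,not an address\n"
    "short,abc,md5,high\n"
)

if __name__ == "__main__":
    good, bad = validate_indicator_csv(SAMPLE)
    print("%d valid records, loadable=%s" % (len(good), is_loadable(SAMPLE)))
    for line, msg in bad:
        print("line %d: %s" % (line, msg))
```

Running it on the sample reports line 6 (the malformed address) and line 7 (four fields instead of seven), which is exactly the condition under which SmartConsole refuses the file; the remaining five records parse, including the comment that carries a comma and escaped quotes.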
Before you begin, go to the applicable Threat Prevention profile > Indicators and make sure that Enable indicator scanning is selected.

To add an Indicator:

Step | Instructions
---|---
1 | Go to Security Policies > Threat Prevention > Policy > Custom Policy Tools > Indicators. The Indicators page opens.
2 | Click New. The Indicators configuration window opens.
3 | Enter a Name. Each Indicator must have a unique name.
4 | Enter an Object Comment (optional).
5 | Click Import and browse to the Indicator file. The content of each file must be unique; you cannot load duplicate files.
6 | Select an action for this Indicator.
7 | Add a Tag.
8 | Click OK. If you left an optional field empty, a warning notifies you that default values are used in the empty fields. Click OK. The Indicator file loads.
9 | In SmartConsole, install the policy.
To delete an Indicator:

Step | Instructions
---|---
1 | Select an Indicator.
2 | Click Delete.
3 | In the window that opens, click Yes to confirm.
You can edit properties of an Indicator object, except for the file it uses. If you want an Indicator to use a different file, you must delete it and create a new one.
Uploading Threat Indicator Files through the CLI
You can upload indicator files through the CLI in the Check Point CSV format and other CSV formats, and in STIX XML (STIX 1.0) format. The feed resource can be one of:
- A URL over HTTP or HTTPS (--transport http --resource <URL>), for example:
  http://10.0.0.1/my_feeds/stix_feed.xml
  An HTTPS resource with a self-signed certificate prompts for a user agreement to update the bundle. You can skip certificate verification by running this on the gateway before the feed command:
  export EXT_IOC_NO_SSL_VALIDATION=1
  With verification disabled the gateway no longer authenticates the feed server, so anyone who can intercept the connection can substitute the indicator list the gateway enforces; the same applies to a plain HTTP resource. For remote feeds, prefer HTTPS with a certificate the gateway trusts over disabling validation.
- A file on the gateway (--transport local_file --resource "/home/admin/my_feed.csv")
- A directory on the gateway whose files all use the same feed format (--transport local_directory --resource "/home/admin/my_feed_folder")
Use the ioc_feeds command (in Expert mode on the gateway) to upload and manage threat indicator files through the CLI.

Parameter | Description | Examples
---|---|---
 | Push feeds now |
ioc_feeds show | Print all existing feeds | ioc_feeds show
 | Print specific feed details |
 | Print fetching interval |
 | Set interval for fetching, in seconds (the fetching interval is the same for all feeds) |
 | Print scanning mode |
 | Set scanning mode - on/off |
ioc_feeds add | Add a new feed. Mandatory fields: --feed_name, --transport, --resource. Optional fields: --feed_action, --test, --format, --comment (see the examples below and Importing Automated Custom Intelligence Feeds) | ioc_feeds add --feed_name ioc_stix_file --transport local_file --resource "/home/admin/ioc/ioc_stix_file.xml"
 | Modify an existing feed (fields that are not mentioned stay as they were before) |
ioc_feeds delete | Delete an existing feed | ioc_feeds delete --feed_name ioc_stix_file
Examples:
- Add a new remote feed:
  [Expert@HostName:0]# ioc_feeds add --feed_name remote_csv_feed --transport http --resource "http://10.10.1.100/ioc/ioc_csv_file.csv" --feed_action Prevent
- Add a new local feed:
  [Expert@HostName:0]# ioc_feeds add --feed_name ioc_stix_file --transport local_file --resource "/home/admin/ioc/ioc_stix_file.xml"
- Print existing feeds:
  [Expert@HostName:0]# ioc_feeds show
- Delete a feed:
  [Expert@HostName:0]# ioc_feeds delete --feed_name ioc_stix_file
- Test feed fetching and parsing:
  [Expert@HostName:0]# ioc_feeds add --feed_name remote_stix_file --transport http --resource "http://www.public_indicators.com/ioc_stix_file.xml" --test true
Importing Automated Custom Intelligence Feeds
You can import threat indicator feeds from external sources directly to the Security Gateway. The gateway automatically pulls and enforces an indicator file, over HTTP or HTTPS, or by reading from a local file or folder. There is no need to install policy to enforce the feeds, but you must import the files on each gateway separately.
Automated custom intelligence feeds support STIX XML (STIX 1.0) files, CSV files in the Check Point format, and CSV files in other formats. To import Threat Indicator files in a CSV format other than the Check Point CSV format, follow the syntax rules in this section.
- The supported observables are: Name, Value, Type, Confidence, Severity, Product, Comment.
- Define the file's format, delimiter and the comment lines to skip: use --format and specify your observables inside square brackets; use --comment for content to ignore in the original file. Note - a Comment observable specified inside the square brackets of --format is fetched from the original file, whereas content inside the square brackets of --comment is ignored.
- The Value and Type observables are mandatory.
- The Value observable is specified by its location in the original file, as #<location_of_item>. For example, if the Value observable is in the 3rd place in your CSV row, enter:
  --format [value:#3]
- For all other observables, you can enter their location in the original file, or specify a fixed value. For example, if you want the Type observable to be domain for every CSV row, enter:
  --format [type:domain]
- When the feed's resource is a remote source (transport http or https), every time the feed is fetched it is parsed according to the format specified for this feed.
Examples:
A feed file can begin with comment lines such as:
# This list consists of High Level Sensitivity website URLs
- For a feed whose rows hold the domain in the first place, specify --format with the Value observable at #1 and the Type observable as domain, and --comment so that the gateway ignores anything that starts with # and the word Site.
- For a feed whose rows hold the IP address in the 3rd place and a comment in the second place, specify --format with the Value observable at #3, the Comment observable at #2 and the Type observable as ip, and --comment so that the gateway ignores all content preceded by #.
To learn more about Custom Intelligence Feeds, see sk132193.