Configuring Threat Indicators

Threat Indicators lets you add feeds to the Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. and Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. engines on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., in addition to the feeds included in the Check Point packages and ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware. feeds.

You can add indicator files in two ways:

Manually Uploading Threat Indicator Files through SmartConsole
Importing Automated Custom Intelligence Feeds

An Indicator is a set of observables which represent a malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it.

An Observable is an event or a stateful property that can be observed in an operational cyber domain. Such as: IP address, MD5 file signature, SHA1 file signature, SHA256 file signature, URL, Mail sender address.

Threat Indicators demonstrate an attack by:

Specific observable patterns
Additional information intended to represent objects and behaviors of interest in a cyber-security context

Indicators are derived from intelligence, self-analysis, governments, partners, and so on.

Supported Indicator Files

Indicator Pattern of relevant observable malicious activity in an operational cyber domain, with relevant information on how to interpret it and how to handle it. files must be in CSV or STIX Structured Threat Information eXpression™. A language that describes cyber threat information in a standardized and structured way. XML (STIX 1.0) format:

SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. supports CSV files only in the Check Point format.
The CLI also supports other formats of CSV files, as long as their upload complies with the required rules (see Importing Automated Custom Intelligence Feeds).

Each record in CSV Check Point format and the STIX XML (STIX 1.0) format has these fields (files in CSV format which is not the Check Point format does not have to include all these fields, see Importing Automated Custom Intelligence Feeds).

Fields

Field	Description	Valid Values	Value Criteria	Optional
UNIQ-NAME	Name of the observable	Free text	Must be unique	No
VALUE	A valid value for the type of the observable	As provided in this table	Value of parameter	No
TYPE	Type of the observable	`URL` `Domain` `IP` `IP Range` `MD5` `SHA1` `SHA256` `Mail-subject` `Mail-from` `Mail-to` `Mail-cc` `Mail-reply-to`	Not case sensitive	No
CONFIDENCE	Degree of confidence the observable presents	`low` `medium` `high` `critical`	Default - high	Yes
SEVERITY	Degree of threat the observable presents	`low` `medium` `high` `critical`	Default - high	Yes
PRODUCT	Check Point Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. that processes the observable	`AV` `AB`	AV - Check Point Anti-Virus Software Blade (default) AB - Check Point Anti-Bot Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions. Software Blade Note - Only the Anti-Virus Software Blade can process MD5, SHA1 and SHA256 observables.	Yes
COMMENT		Free text		Yes

Notes:

If an optional field is empty, the default value is used.
If a mandatory field is empty, the Indicator file does not load.

These are the valid values for each observable type

Observable Type	Validation Criteria
URL	Any valid URL
Domain	Any URL domain
IP	Standard IPv4 address
IP Range	A range of valid IPv4 addresses, separated by a hyphen: `<IP>-<IP>`
MD5	Any valid MD5
SHA1	Any valid SHA1
SHA256	Any valid SHA256
Mail-subject	Any non-empty text string
Mail-to Mail-from Mail-cc Mail-reply-to	Can be one of these: A single email address (Example: `abc@domain.com`) An email domain (Examples: `@domain.com`, or `domain.com`)

Notes:

As of this release, STIX 2.0 (JSON file) is not supported.
Custom Indicators CLI (load_indicators) are not supported.

The supported STIX elements are:

stix:STIX_Package

stix:STIX_Header

stix:Title

stix:Description

stix:Indicators

stix:Indicator

indicator:Title

indicator:Type

indicator:Description

indicator:Observable Event or stateful property that can be observed in an operational cyber domain.

cybox:Object

cybox:Properties

FileObj:Hashes

cyboxCommon:Hash

cyboxCommon:Type

cyboxCommon:Simple_Hash_Value

stix:Observables

cybox:Observable

URIObj:Value

URIObject:Value

AddressObject:Address_Value

AddressObj:Address_Value

AddressObj:AddressObjectType

AddressObjet:AddressObjectType

cybox:Title

Condition Type Enum and Condition Application Enum support Equals and Any.

<cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">

Example of a CSV Indicator File in Check Point Format

#! DESCRIPTION = indi file,,,,,,

"#! REFERENCE = Indicator Bulletin; Feb 20, 2014",,,,,,

# FILE FORMAT:,,,,,,

"# All lines beginning ""#"" are comments",,,,,,

"# All lines beginning ""#!"" are metadata read by the SW",,,,,,

"# UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT",,,,,,

observ1,8d9b6b8912a2ed175b77acd40cbe9a73,MD5,medium,medium,AV,FILENAME:WUC Invitation Letter Guests.doc

observ2,76700f862a0c241b8f4b754f76957bda,MD5,high,high,AV,FILENAME:essais~.swf| NOTE:FWS type Flash file

observ4,5dda6d1446b3cdb0bd4a3f0adb85d030ff59e975,SHA1,low,high,AV,file_name.pdf
observ5,db435a875be456f088f11c579aa52f30bc83cfff272cfad5a3f6f4de74de0654,SHA256,high,high,AV,file_name.doc

observ7,http://somemaliciousdomain.com/uploadfiles/upload/exp.swf?info= 789c333432d333b4d4b330d133b7b230b03000001b39033b&infosize=00840000 ,URL,high,high,AV,IPV4ADDR:196.168.25.25

observ8,svr01.passport.ServeUser.com,Dpmain,low,high,AB,TCP:80| IPV4ADDR:172.18.18.25|NOTE:Embedded EXE Remote C&C and Encoded Data

observ9,somemaliciousdomain2.com,Domain,,low,AV,TCP:8080|IPV4ADDR:172.22.14.10

observ10,http://www.bogusdomain.com/search?q=%24%2B%25&form=MOZSBR&pc= MOZI,URL,low,low,AB,IPV4ADDR:172.25.1.5

observ11,http://somebogussolution.com/register/card/log.asp?isnew=-1&LocalInfo= Microsoft%20Windows%20XP%20Service%20Pack%202&szHostName= ADAM-E512679EFD&tmp3=tmp3,URL,medium,,AB,

observ14,172.16.47.44,IP,high,medium,AB,TCP:8080

observ15,172.16.73.69,IP,medium,medium,AV,TCP:443|NOTE:Related to Flash exploitation

observ16,abc@def.com,mail-to,,high,AV,"NOTE:truncated; samples have appended to the subject the string ""PH000000NNNNNNN"" where NNNNNNN is a varying number"

observ34,stamdomain.com,domain,,,AB,

observ35,stamdomain.com,mail-from,high,medium,AV,

observ37,xyz.com,mail-from,medium,medium,AB,

observ38,@xyz.com,mail-from,medium,medium,AB,

observ39,a@xyz.com,mail-from,medium,medium,AB,

Example of a STIX 1.0 XML Indicator File

<stix:STIX_Package

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xmlns:stix="http://stix.mitre.org/stix-1"

    xmlns:indicator="http://stix.mitre.org/Indicator-2"

    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"

    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"

    xmlns:cybox="http://cybox.mitre.org/cybox-2"

    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"

    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"

    xmlns:example="http://example.com/"

    xsi:schemaLocation="

    http://stix.mitre.org/stix-1 ../stix_core.xsd

    http://stix.mitre.org/Indicator-2 ../indicator.xsd

    http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd

    http://cybox.mitre.org/objects#FileObject-2 ../cybox/objects/File_Object.xsd

    http://cybox.mitre.org/default_vocabularies-2 ../cybox/cybox_default_vocabularies.xsd"

    id="example:STIXPackage-ac823873-4c51-4dd1-936e-a39d40151cc3"

    version="1.0.1">

    <stix:STIX_Header>

        <stix:Title>Example file watchlist</stix:Title>

        <stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Watchlist</stix:Package_Intent>

    </stix:STIX_Header>

    <stix:Indicators>

        <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-611935aa-4db5-4b63-88ac-ac651634f09b">

            <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">File Hash Watchlist</indicator:Type>

            <indicator:Description>Indicator that contains malicious file hashes.</indicator:Description>

            <indicator:Observable id="example:Observable-c9ca84dc-4542-4292-af54-3c5c914ccbbc">

                <cybox:Object id="example:Object-c670b175-bfa3-48e9-a218-aa7c55f1f884">

                    <cybox:Properties xsi:type="FileObj:FileObjectType">

                        <FileObj:Hashes>

                            <cyboxCommon:Hash>

                                <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0" condition="Equals">MD5</cyboxCommon:Type>

                                <cyboxCommon:Simple_Hash_Value condition="Equals" apply_condition="ANY">0522e955aaee70b102e843f14c13a92c##comma##0522e955aaee70b102e843f14c13a92d##comma##0522e955aaee70b102e843f14c13a92e</cyboxCommon:Simple_Hash_Value>

                            </cyboxCommon:Hash>

                        </FileObj:Hashes>

                    </cybox:Properties>

                </cybox:Object>

            </indicator:Observable>

        </stix:Indicator>

    </stix:Indicators>

</stix:STIX_Package>

Manually Uploading Threat Indicator Files through SmartConsole

When you manually upload threat indicator files through SmartConsole, the files must be in a CSV Check Point format or STIX XML (STIX 1.0) format. The files must contain records of equal size. If an Indicator file has records which do not have the same number of fields, it does not load. See Supported Indicator Files for the required fields and observable values.

To load Indicator files through SmartConsole

Step	Instructions
1	Go to the applicable profile > Indicators > make sure that Enable indicator scanning is selected.
1	Go to Security Policies > Threat Prevention > Policy > Custom Policy Tools > Indicators. The Indicators page opens.
2	Click New. The Indicators configuration window opens.
3	Enter a Name. Each Indicator must have a unique name.
4	Enter Object Comment (optional).
5	Click Import to browse to the Indicator file. The content of each file must be unique. You cannot load duplicate files.
6	Select an action for this Indicator Ask - Threat Prevention Software Blade asks what to do with the detected observable Prevent - Threat Prevention Software Blade blocks the detected observable Detect - Threat Prevention Software Blade creates a log entry, and lets the detected observable go through Inactive - Threat Prevention Software Blade does nothing
7	Add Tag.
8	Click OK. If you leave an optional field empty, a warning notifies you that the default values are used in the empty fields. Click OK. The Indicator file loads.
9	In SmartConsole, install the policy.

To delete Indicators

Step	Instructions
1	Select an Indicator.
2	Click Delete.
3	In the window that opens, click Yes to confirm.

You can edit properties of an Indicator object, except for the file it uses. If you want an Indicator to use a different file, you must delete it and create a new one.

Uploading Threat Indicator Files through the CLI

You can upload indicator files through the CLI in Check Point CSV format and other CSV formats, and in STIX XML (STIX 1.0) format.

Use these commands to upload and manage threat indicator files through the CLI.

Commands

Parameter	Description	Examples
`push`	Push feeds now	`ioc_feeds push`
`show`	Print all existing feeds	`ioc_feeds show`
`show --feed_name <feed>`	Print specific feed details	`ioc_feeds show --feed_name local_feed`
`show_interval`	Print fetching interval	`ioc_feeds show_interval`
`set_interval sec`	Set interval for fetching in seconds *Feed fetching interval - the same for all feeds	`ioc_feeds set_interval 1000`
`show_scanning_mode`	Print scanning mode	`ioc_feeds show_scanning_mode`
`set_scanning_mode`	Set scanning mode - on/off	`ioc_feeds set_scanning_mode off`
`add`	Add a new feed Mandatory fields: `--feed_name <feed>` `--transport <http/https/local_file/local_directory>` `--resource <url/full_path>` Optional fields: `--state <true/false>` - Active/inactive. Default = true. `--feed_action <Prevent/Detect/Ask>` - Default = Prevent UserCheck rule action that blocks traffic and files and can show a UserCheck message. `--user_name <user>` - Prompt for password appears `--proxy <none>` - Do not use proxy `--proxy <proxy:port>` - Override gateway proxy for feed (If you do not specify a proxy flag - the gateway proxy is used) `--proxy_user_name <user>` - Prompt for password appears `--test true` - Test feed fetching and parsing	Examples: `ioc_feeds add --feed_name local_feed --transport local_file --resource /home/admin/my_feed.csv` `ioc_feeds add --feed_name remote_feed --transport http --resource 10.0.0.1/my_feeds/stix_feed.xml --proxy 127.10.10.1:8080 --state false -feed_action detect --user_name admin@checkpoint.com`
`modify`	Modify existing feed Fields that are not mentioned stay as they were before	`ioc_feeds modify --feed_name local_feed --state true`
`delete`	Delete existing feed	`ioc_feeds delete --feed_name local_feed`

Examples:

Importing Automated Custom Intelligence Feeds

You can import threat indicator feeds from external sources directly to the Security Gateway. The gateway automatically pulls and enforces an indicator file, over HTTP or HTTPS, or by reading from a local file or folder. There is no need to install policy to enforce the feeds, but you must import the files on each gateway separately.

Automated custom intelligence feeds support STIX XML (STIX 1.0) files, CSV files in Check Point format, and CSV files in other formats. To import Threat Indicator files in CSV format that is different than the Check Point CSV format, follow the syntax rules provided in this section.

Syntax Rules:

The supported observables are: Name, Value, Type, Confidence, Severity, Product, Comment.
Define the file's format, delimiter and the comment lines to skip:

Use "--format" and specify your observables inside square brackets.

Use "--comment" for content to ignore in the original file.

Note - Comment specified within the square brackets of "--format" is fetched from the original file. content inside the square brackets of "--comment" is ignored.
Value and Type observables are mandatory.
The Value observable is specified according to its location in the original file: #<location_of_item>

For example:

If the Value observable is in the 3rd place in your CSV row, enter:

--format [value:#3]
For all other observables, you can enter their location in the original file, or specify their value.

For example, if you want the value of the Type observable to be the domain specified in every CSV row, enter:

--format [type:domain]
When the feed's resource is a remote source (transport equals HTTP or HTTPS), every time the feed is fetched, it parses according to the format that was specified for this feed.

Examples:

Original CSV file is a list of domains

# This list consists of High Level Sensitivity website URLs

# Columns (tab delimited):

# (1) site

#

Site

4kqd3hniqgptupi3p.k7oudl.top

stggsjv6mqiibmax.torshop.li

grrgelpetkavanis4.pv

52ou5k3t73ypjije.ie7t8k.top

ja:many.cu.ma

If you enter this command, the gateway takes the domain specified in the first place of every row, and ignores anything that starts with # and the word Site.

ioc_feeds add --feed_name domain_list --transport https --resource "https://isc.sans.edu/feeds/suspiciousdomains_High.txt" --format [type:domain,value:1] --comment "#, Site"

This is the original CSV file

# category Descriptive tag name for this entry. For this report,

# the text sshpwauth will appear.

#

# A commented footer section shows an aggregate account of ASNs and

# addresses seen in the current report

#

3 | organization A | 18.30.10.26 | 2018-12-15 08:16:39 | sshpwauth

3 | organization B | 18.30.21.197 | 2018-12-28 17:43:41 | sshpwauth

17 | organization C | 128.46.80.71 | 2019-01-04 17:56:00 | sshpwauth

111| organization D | 128.197.31.119 | 2019-01-10 03:12: 18| sshpwauth

If you enter this command, the gateway takes the IP address from the 3rd place in the row, takes the comment from the second place in the row, and ignores all content preceded by #:

ioc_feeds add --feed_name ip_list_with_spaces --transport local_file --resource "/home/admin/ioc/ip_list_with_spaces.txt" --format [value:#3,comment:#2,type:ip] --comment [#] --delimiter "|"

To learn more about Custom Intelligence Feeds, see sk132193.