The Check Point Threat Prevention Solution
Threat Prevention Components
To challenge today's malware landscape, Check Point's comprehensive Threat Prevention solution offers a multi-layered, pre- and post-infection defense approach and a consolidated platform that enables enterprise security to detect and block modern malware.
These Threat Prevention Software Blades are available:
-
IPS
A complete IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). cyber security solution, for comprehensive protection against malicious and unwanted network traffic, which focuses on application and server vulnerabilities, as well as in-the-wild attacks by exploit kits and malicious attackers.
-
Anti-Bot
Post-infection detection of bots on hosts. Prevents bot damages by blocking bot C&C (Command and Control) communications. The Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. is continuously updated from ThreatCloud The cyber intelligence center of all of Check Point products. Dynamically updated based on an innovative global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware., a collaborative network to fight cybercrime. Anti-Bot Malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions. discovers infections by correlating multiple detection methods.
-
Anti-Virus
Pre-infection detection and blocking of malware at the gateway. The Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. Software Blade is continuously updated from ThreatCloud. It detects and blocks malware by correlating multiple detection engines before users are affected.
-
SandBlast
Protection against infections from undiscovered exploits, zero-day and targeted attacks using:
Threat EmulationThis innovative solution quickly inspects files and runs them in a virtual sandbox to discover malicious behavior. Discovered malware is prevented from entering the network. The Emulation service reports to the ThreatCloud and automatically shares the newly identified threat information with other customers.
Threat ExtractionProtection against incoming malicious content. The extraction capability removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users to maintain business flow. To remove possible threats, the blade creates a safe copy of the file, while the inspects the original file for potential threats.
Each Software Blade gives unique network protections. When combined, they supply a strong Threat Prevention solution. Data from malicious attacks are shared between the Threat Prevention Software Blades and help to keep your network safe. For example, the signatures from threats that Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. identifies are added to the ThreatCloud for use by the other Threat Prevention blades.
IPS
The IPS Software Blade delivers complete and proactive intrusion prevention. It delivers 1,000s of signatures, behavioral and preemptive protections. It gives another layer of security on top of Check Point Firewall technology. IPS protects both clients and servers, and lets you control the network usage of certain applications. The hybrid IPS detection engine provides multiple defense layers, which allows it excellent detection and prevention capabilities of known threats and in many cases future attacks as well. It also allows unparalleled deployment and configuration flexibility and excellent performance.
IPS protection includes:
-
Detection and prevention of specific known exploits
-
Detection and prevention of vulnerabilities, including both known and unknown exploit tools, for example protection from specific CVEs
-
Detection and prevention of protocol misuse which in many cases indicates malicious activity or potential threat. Examples of commonly manipulated protocols are HTTP, SMTP, POP, and IMAP
-
Detection and prevention of outbound malware communications
-
Detection and prevention of tunneling attempts. These attempts may indicate data leakage or attempts to circumvent other security measures such as web filtering
-
Detection, prevention or restriction of certain applications which, in many cases, are bandwidth consuming or may cause security threats to the network, such as Peer to Peer and Instant Messaging applications
-
Detection and prevention of generic attack types without any pre-defined signatures, such as Malicious Code Protector
Check Point constantly updates the library of protections to stay ahead of emerging threats.
The unique capabilities of the Check Point IPS engine include:
-
Clear, simple management interface
-
Reduced management overhead by using one management console for all Check Point products
-
Integrated management with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.
-
Easy navigation from business-level overview to a packet capture for a single attack
-
#1 security coverage for Microsoft and Adobe vulnerabilities
-
Resource throttling so that high IPS activity will not impact other blade functionality
-
Complete integration with Check Point configuration and monitoring tools in SmartConsole, to let you take immediate action based on IPS information
For example, some malware can be downloaded by a user unknowingly when he browses to a legitimate web site, also known as a drive-by-download. This malware can exploit a browser vulnerability to create a special HTTP response and sending it to the client. IPS can identify and block this type of attack even though the firewall may be configured to allow the HTTP traffic to pass.
Anti-Bot
A bot is malicious software that can infect your computer. It is possible to infect a computer when you open attachments that exploit a vulnerability, or go to a web site that results in a malicious download.
-
Takes control of the computer and neutralizes its Anti-Virus defenses. It is not easy to find bots on your computer; they hide and change how they look to Anti-Virus software.
-
Connects to a C&C (Command and Control center) for instructions from cyber criminals. The cyber criminals, or bot herders, can remotely control it and instruct it to do illegal activities without your knowledge. Your computer can do one or more of these activities:
-
Steal data (personal, financial, intellectual property, organizational)
-
Send spam
-
Attack resources (Denial of Service Attacks)
-
Consume network bandwidth and reduce productivity
-
One bot can often create multiple threats. Bots are frequently used as part of Advanced Persistent Threats (APTs) where cyber criminals try to damage individuals or organizations.
The Anti-Bot Software Blade detects and prevents these bot and botnet threats. A botnet is a collection of compromised and infected computers.
-
Identify the C&C addresses used by criminals to control bots
These web sites are constantly changing and new sites are added on an hourly basis. Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not.
-
Identify the communication patterns used by each botnet family
These communication fingerprints are different for each family and can be used to identify a botnet family. Research is done for each botnet family to identify the unique language that it uses. There are thousands of existing different botnet families and new ones are constantly emerging.
-
Identify bot behavior
Identify specified actions for a bot such as, when the computer sends spam or participates in DoS attacks.
After the discovery of bot infected machines, the Anti-Bot Software Blade blocks outbound communication to C&C sites based on the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.. This neutralizes the threat and makes sure that no sensitive information is sent out.
Anti-Virus
Malware is a major threat to network operations that has become increasingly dangerous and sophisticated. Examples include worms, blended threats (combinations of malicious code and vulnerabilities for infection and dissemination) and trojans.
The Anti-Virus Software Blade scans incoming and outgoing files to detect and prevent these threats, and provides pre-infection protection from malware contained in these files. The Anti-Virus blade is also supported by the Threat Prevention API (see Threat Prevention API).
-
Identifies malware in the organization using the ThreatSpect engine and ThreatCloud repository:
-
Prevents malware infections from incoming malicious files types (Word, Excel, PowerPoint, PDF, etc.) in real-time. Incoming files are classified on the gateway and the result is then sent to the ThreatCloud repository for comparison against known malicious files, with almost no impact on performance.
-
Prevents malware download from the internet by preventing access to sites that are known to be connected to malware. Accessed URLs are checked by the gateway caching mechanisms or sent to the ThreatCloud repository to determine if they are permissible or not. If not, the attempt is stopped before any damage can take place.
-
-
Uses the ThreatCloud repository to receive binary signature updates and query the repository for URL reputation and Anti-Virus classification.
SandBlast
Cyber-threats continue to multiply and now it is easier than ever for criminals to create new malware that can easily bypass existing protections. On a daily basis, these criminals can change the malware signature and make it virtually impossible for signature-based products to protect networks against infection. To get ahead, enterprises need a multi-faceted prevention strategy that combines proactive protection that eliminates threats before they reach users. With Check Point's Threat Emulation and Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. technologies, SandBlast provides zero-day protection against unknown threats that cannot be identified by signature-based technologies.
Threat Emulation
Threat Emulation gives networks the necessary protection against unknown threats in web downloads and e-mail attachments. The Threat Emulation engine picks up malware at the exploit phase, before it enters the network. It quickly quarantines and runs the files in a virtual sandbox, which imitates a standard operating system, to discover malicious behavior before hackers can apply evasion techniques to bypass the sandbox.
-
E-mail attachments transferred using the SMTP or SMTPS protocols
-
Web downloads
-
Files sent to Threat Emulation through the Threat Prevention API (see Threat Prevention API)
-
Files transferred using FTP and SMB protocols
-
E-mail attachments transferred using the IMAP protocol
-
The file is opened on more than one virtual computer with different operating system environments.
-
The virtual computers are closely monitored for unusual and malicious behavior, such as an attempt to change registry keys or run an unauthorized process.
-
Any malicious behavior is immediately logged and you can use Prevent UserCheck rule action that blocks traffic and files and can show a UserCheck message. mode to block the file from the internal network.
-
The cryptographic hash of a new malicious file is saved to a database and the internal network is protected from that malware.
-
After the threat is caught, a signature is created for the new (previously unknown) malware which turns it into a known and documented malware. The new attack information is automatically shared with Check Point ThreatCloud to block future occurrences of similar threats at the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..
If the file is found not to be malicious, you can download the file after the emulation is complete.
To learn more about Threat Emulation (see The Threat Emulation Solution).
Threat Extraction
Threat Extraction is supported on R77.30 and higher.
The Threat Extraction blade extracts potentially malicious content from files before they enter the corporate network. To remove possible threats, the Threat Extraction does one of these two actions:
-
Extracts exploitable content out of the file, or
-
Creates a safe copy of the file by converting it to PDF
-
E-mail attachments received through the Mail transfer Agent (see Configuring Threat Extraction Settings )
-
Web downloads (see Threat Extraction General Settings)
-
Files sent to Threat Extraction through the Threat Prevention API (see Threat Prevention API)
Threat Extraction delivers the reconstructed file to users and blocks access to the original suspicious version, while Threat Emulation analyzes the file in the background. This way, users have immediate access to content, and can be confident they are protected from the most advanced malware and zero-day threats.
Threat Emulation runs in parallel to Threat Extraction for version R80.10 and above.
-
Queries to databases where the query contains a password in the clear
-
Embedded objects
-
Macros and JavaScript code that can be exploited to propagate viruses
-
Hyperlinks to sensitive information
-
Custom properties with sensitive information
-
Automatic saves that keep archives of deleted data
-
Sensitive document statistics such as owner, creation and modification dates
-
Summary properties
-
PDF documents with:
-
Actions such as launch, sound, or movie URIs
-
JavaScript actions that run code in the reader's Java interpreter
-
Submit actions that transmit the values of selected fields in a form to a specified URL
-
Incremental updates that keep earlier versions of the document
-
Document statistics that show creation and modification dates and changes to hyperlinks
-
Summarized lists of properties
-
Assigning Administrators for Threat Prevention
You can control the administrator Threat Prevention permissions with a customized Permission Profile. The customized profile can have different Read/Write permissions for Threat Prevention policy, settings, profiles and protections.
Analyzing Threats
Networks today are more exposed to cyber-threats than ever. This creates a challenge for organizations in understanding the security threats and assessing damage. SmartConsole helps the security administrator find the cause of cyber-threats, and remediate the network.
The Logs & Monitor > Logs view presents the threats as logs.
The other views in the Logs & Monitor view combine logs into meaningful security events. For example, malicious activity that occurred on a host in the network in a selected time interval (the last hour, day, week or month). They also show pre- and post-infections statistics.
You can create rich and customizable views and reports for log and event monitoring, which inform key stakeholders about security activities. For each log or event, you can see a lot of useful information from the ThreatWiki and IPS Advisories about the malware, the virus or the attack.