The Check Point Threat Prevention Solution

Threat Prevention Components

To challenge today's malware landscape, Check Point's comprehensive Threat Prevention solution offers a multi-layered, pre- and post-infection defense approach and a consolidated platform that enables enterprise security to detect and block modern malware.

These Threat Prevention protections are available:

Each protection is unique. When combined, they supply a strong Threat Prevention solution. Data from malicious attacks are shared between the Threat Prevention protections and help to keep your network safe. For example, the signatures from threats that Threat EmulationClosed Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. identifies are added to the ThreatCloud for use by the other Threat Prevention protections.

IPS

The IPS protection delivers complete and proactive intrusion prevention. It delivers 1,000s of signatures, behavioral and preemptive protections. It gives another layer of security on top of Check Point Firewall technology. IPS protects both clients and servers, and lets you control the network usage of certain applications. The hybrid IPS detection engine provides multiple defense layers, which allows it excellent detection and prevention capabilities of known threats and in many cases future attacks as well. It also allows unparalleled deployment and configuration flexibility and excellent performance.

The IPS protection includes:

  • Detection and prevention of specific known exploits

  • Detection and prevention of vulnerabilities, including both known and unknown exploit tools, for example protection from specific CVEs

  • Detection and prevention of protocol misuse which in many cases indicates malicious activity or potential threat. Examples of commonly manipulated protocols are HTTP, SMTP, POP, and IMAP

  • Detection and prevention of outbound malware communications

  • Detection and prevention of tunneling attempts. These attempts may indicate data leakage or attempts to circumvent other security measures such as web filtering

  • Detection, prevention or restriction of certain applications which, in many cases, are bandwidth consuming or may cause security threats to the network, such as Peer to Peer and Instant Messaging applications

  • Detection and prevention of generic attack types without any pre-defined signatures, such as Malicious Code Protector

Check Point constantly updates the library of protections to stay ahead of emerging threats.

The unique capabilities of the Check Point IPS engine include:

For example, some malware can be downloaded by a user unknowingly when he browses to a legitimate web site, also known as a drive-by-download. This malware can exploit a browser vulnerability to create a special HTTP response and sending it to the client. IPS can identify and block this type of attack even though the firewall may be configured to allow the HTTP traffic to pass.

Anti-Bot

A bot is malicious software that can infect your computer. It is possible to infect a computer when you open attachments that exploit a vulnerability, or go to a web site that results in a malicious download.

  • Takes control of the computer and neutralizes its Anti-Virus defenses. It is not easy to find bots on your computer; they hide and change how they look to Anti-Virus software.

  • Connects to a C&C (Command and Control center) for instructions from cyber criminals. The cyber criminals, or bot herders, can remotely control it and instruct it to do illegal activities without your knowledge. Your computer can do one or more of these activities:

    • Steal data (personal, financial, intellectual property, organizational)

    • Send spam

    • Attack resources (Denial of Service Attacks)

    • Consume network bandwidth and reduce productivity

One bot can often create multiple threats. Bots are frequently used as part of Advanced Persistent Threats (APTs) where cyber criminals try to damage individuals or organizations.

The Anti-Bot Software BladeClosed Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. detects and prevents these bot and botnet threats. A botnet is a collection of compromised and infected computers.

  • Identify the C&C addresses used by criminals to control bots

    These web sites are constantly changing and new sites are added on an hourly basis. Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not.

  • Identify the communication patterns used by each botnet family

    These communication fingerprints are different for each family and can be used to identify a botnet family. Research is done for each botnet family to identify the unique language that it uses. There are thousands of existing different botnet families and new ones are constantly emerging.

  • Identify bot behavior

    Identify specified actions for a bot such as, when the computer sends spam or participates in DoS attacks.

After the discovery of bot infected machines, the Anti-Bot Software Blade blocks outbound communication to C&C sites based on the Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase.. This neutralizes the threat and makes sure that no sensitive information is sent out.

Anti-Virus

Malware is a major threat to network operations that has become increasingly dangerous and sophisticated. Examples include worms, blended threats (combinations of malicious code and vulnerabilities for infection and dissemination) and trojans.

The Anti-Virus protection scans incoming and outgoing files to detect and prevent these threats, and provides pre-infection protection from malware contained in these files. The Anti-Virus protection is also supported by the Threat Prevention API (see Threat Prevention API ).

  • Identifies malware in the organization using the ThreatSpect engine and ThreatCloud repository:

    • Prevents malware infections from incoming malicious files types (Word, Excel, PowerPoint, PDF, etc.) in real-time. Incoming files are classified on the gateway and the result is then sent to the ThreatCloud repository for comparison against known malicious files, with almost no impact on performance.

    • Prevents malware download from the internet by preventing access to sites that are known to be connected to malware. Accessed URLs are checked by the gateway caching mechanisms or sent to the ThreatCloud repository to determine if they are permissible or not. If not, the attempt is stopped before any damage can take place.

  • Uses the ThreatCloud repository to receive binary signature updates and query the repository for URL reputation and Anti-Virus classification.

SandBlast

Cyber-threats continue to multiply and now it is easier than ever for criminals to create new malware that can easily bypass existing protections. On a daily basis, these criminals can change the malware signature and make it virtually impossible for signature-based products to protect networks against infection. To get ahead, enterprises need a multi-faceted prevention strategy that combines proactive protection that eliminates threats before they reach users. With Check Point's Threat Emulation and Threat Extraction technologies, SandBlast provides zero-day protection against unknown threats that cannot be identified by signature-based technologies.

Threat Emulation

Threat Emulation gives networks the necessary protection against unknown threats in web downloads and e-mail attachments. The Threat Emulation engine picks up malware at the exploit phase, before it enters the network. It quickly quarantines and runs the files in a virtual sandbox, which imitates a standard operating system, to discover malicious behavior before hackers can apply evasion techniques to bypass the sandbox.

  • E-mail attachments transferred using the SMTP or SMTPS protocols

  • Web downloads

  • Files sent to Threat Emulation through the Threat Prevention API (see Threat Prevention API )

  • Files transferred using FTP and SMB protocols

  • E-mail attachments transferred using the IMAP protocol

  • The file is opened on more than one virtual computer with different operating system environments.

  • The virtual computers are closely monitored for unusual and malicious behavior, such as an attempt to change registry keys or run an unauthorized process.

  • Any malicious behavior is immediately logged and you can use PreventClosed UserCheck rule action that blocks traffic and files and can show a UserCheck message. mode to block the file from the internal network.

  • The cryptographic hash of a new malicious file is saved to a database and the internal network is protected from that malware.

  • After the threat is caught, a signature is created for the new (previously unknown) malware which turns it into a known and documented malware. The new attack information is automatically shared with Check Point ThreatCloud to block future occurrences of similar threats at the gateway.

If the file is found not to be malicious, you can download the file after the emulation is complete.

To learn more about Threat Emulation (see The Threat Emulation Solution).

Threat Extraction

Threat Extraction is supported on R77.30 and higher.

Threat Extraction extracts potentially malicious content from files before they enter the corporate network. To remove possible threats, the Threat Extraction does one of these two actions:

  • Extracts exploitable content out of the file, or

  • Creates a safe copy of the file by converting it to PDF

Threat Extraction delivers the reconstructed file to users and blocks access to the original suspicious version, while Threat Emulation analyzes the file in the background. This way, users have immediate access to content, and can be confident they are protected from the most advanced malware and zero-day threats.

Threat Emulation runs in parallel to Threat Extraction for version R80.10 and above.

  • Queries to databases where the query contains a password in the clear

  • Embedded objects

  • Macros and JavaScript code that can be exploited to propagate viruses

  • Hyperlinks to sensitive information

  • Custom properties with sensitive information

  • Automatic saves that keep archives of deleted data

  • Sensitive document statistics such as owner, creation and modification dates

  • Summary properties

  • PDF documents with:

    • Actions such as launch, sound, or movie URIs

    • JavaScript actions that run code in the reader's Java interpreter

    • Submit actions that transmit the values of selected fields in a form to a specified URL

    • Incremental updates that keep earlier versions of the document

    • Document statistics that show creation and modification dates and changes to hyperlinks

    • Summarized lists of properties

Zero Phishing

Zero Phishing is a new technology and a Threat Prevention protection introduced in R81.20.

Zero Phishing prevents unknown zero-day and known phishing attacks on websites in real-time, by utilizing industry leading Machine-Learning algorithms and patented inspection technologies.

Phishing attacks continue to play a dominant role in the digital threat landscape, which is becoming more mature and sophisticated. Most cyber-attacks start with a phishing attempt.

The Check Point Zero Phishing protection scans the web traffic on the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and sends it to the Check Point Cloud for scanning. This way, the Zero Phishing protection prevents access to the most sophisticated phishing websites, both known and completely unknown (zero-day phishing websites).

Because the protection is initiated on the network Security Gateway, the protection is browser-agnostic and platform-agnostic and it does not depend on an email security solution.

Protections usually provided by endpoint or email solutions are now available through the Security Gateway, with no need to install and maintain clients on any device.

The Zero Phishing protection uses two main engines:

  1. Real-time phishing prevention based on URLs

    The engine prevents both known and unknown zero-day phishing attacks, by analyzing various features on the URL in real-time. The engine sends the URL information to the URL-reputation cloud service to perform the analysis. For example: brand similarity, non-ASCII characters and time of registration.

    Using Machine-Learning, the risk is calculated and URLs are classified as phishing and blocked.

  2. In-browser Zero Phishing

    The Security Gateway performs patented Java Script injection to scan HTML forms when they are loaded on the browser (including dynamic forms).

    When the end-user clicks the input fields in the form, all HTML components are scanned in real-time, and the information is sent to the Check Point Zero Phishing cloud service for AI-based analysis.

    The risk is calculated and the phishing site is blocked accordingly.

Notes -