MITRE ATT&CK

MITRE ATT&CK is a knowledge base used for the development of threat models and methodologies for the global cybersecurity community.

MITRE ATT&CK lets Check Point customers review the security incidents in their network in a way that exposes the top techniques and tactics used by attackers against their network.

For each malicious file that is found, Threat EmulationClosed Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. (SandBlast technology) adds the techniques and tactics that were used in the attack to the relevant log.

Note - The Threat Emulation blade must be enabled if you want to add MITRE ATT&CK information to the logs.

Configuring Threat Emulation Logs with MITRE ATT&CK Data

  1. Open SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

  2. In the Gateways & Servers view, enable the Threat Emulation blade on the relevant Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

  3. Select the Security Gateway, click Actions > Open Shell.

  4. Run:

    tecli advanced engine version

    The Threat Emulation engine version must be higher than 58.990001056

  5. Open the Threat Prevention profile in use in the Threat Prevention policy (for example Optimized), and make sure the Threat Emulation blade is activated.

MITRE Logs

To view logs with the added MITRE data:

  1. In the Logs & Monitor view, open the Logs tab.

  2. In the search box, enter this query to find malicious files found by Threat Emulation:

    Blade:"threat Emulation" AND type:"log" AND NOT severity: "informational"

  3. Open one of the logs.

    The log shows the MITRE ATT&CK Techniques and Tactics used in the specific attack.

    The log may show multiple actions such as execution and persistence. For more on each technique as well as mitigation advice, visit the MITRE ATT&CK web site.

MITRE ATT&CK in SmartView

Focusing on malicious files, the MITRE ATT&CK view in Logs & Monitor gives you a high level overview of the techniques used by attackers against your network.

  1. Review the top techniques that were used.

  2. Double click on one of them.

  3. Use the sub-views identity the target of the attack and the attack vector.

Example:

Note - The MITRE ATT&CK view is only available in R81 and higher.

MITRE ATT&CK Best Practices

Adding MITRE ATT&CK data to your logs lets you:

  • Understand your unique attack landscape

    Focus on the top techniques used by your attackers. By gaining a high level view of your attackers intent, you can identity attack trends against your network.

    Use MITRE ATT&CK to verify that your Threat Prevention policy is protecting your network against all types of tactics and techniques.

    Review the Check Point Infinity Security Portfolio mapped to the MITRE ATT&CK Enterprise matrix.

    Example:

  • Take action according to your attacker's intent

    Review the mitigation options offered by MITRE. These mitigation options are related to the specific type of attack launched against your network.