The Check Point ThreatCloud
Check Point ThreatCloud is the cyber intelligence center of all Check Point products. It is a dynamically updated service that is based on an innovative global network of threat sensors and organizations that share threat data and collaborate to fight against modern malware. Customers can send their own threat data to the ThreatCloud and benefit from increased security and protection and enriched threat intelligence. The ThreatCloud distributes attack information, and turns zero-day attacks into known signatures that the Anti-Virus Software Blade can block. The Security Gateway does not collect or send any personal data.
Participation in Check Point information collection is a unique opportunity for Check Point customers to be a part of a strategic community of advanced security research. This research aims to improve coverage, quality, and accuracy of security services and obtain valuable information for organizations.
The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.
For the reputation and signature layers of the ThreatSpect engine, each Security Gateway also has:
- A local database, the Malware database, which contains commonly used signatures, URLs, and their related reputations. You can configure automatic or scheduled updates for this database.
- A local cache that gives answers to 99% of URL reputation requests. When the cache does not have an answer, it queries the ThreatCloud repository:
  - For Anti-Virus, the signature is sent for file classification.
  - For Anti-Bot, the host name is sent for reputation classification.

Access the ThreatCloud repository from:
- SmartConsole - You can add specific malwares to rule exceptions when necessary. From the Threat Prevention Rule Base in SmartConsole, click the plus sign in the Protection column in the rule exceptions, and the Protection viewer opens.
- ThreatWiki - A tool to see the entire Malware database. Open ThreatWiki in SmartConsole or access it from the Check Point website.
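The lookup order described above (local Malware database, then local cache, then a ThreatCloud query only on a miss) is modelled in this added example; it is not Check Point code. The ThreatCloud request is an injected callable, the cache TTL and the use of SHA-256 as the Anti-Virus "signature" are assumptions.

```python
import hashlib
import time
from typing import Callable, Dict, Optional, Tuple

Verdict = str  # "malicious", "benign" or "unknown"


class ReputationResolver:
    """Local Malware database first, then local cache, then ThreatCloud query."""

    def __init__(self, local_db: Dict[str, Verdict],
                 cloud_query: Callable[[str, str], Verdict],
                 cache_ttl_s: float = 3600.0):
        self.local_db = local_db        # signatures/URLs refreshed by scheduled updates
        self.cloud_query = cloud_query  # injected stand-in for the ThreatCloud request
        self.cache: Dict[Tuple[str, str], Tuple[Verdict, float]] = {}
        self.cache_ttl_s = cache_ttl_s  # TTL is an assumption, not a documented value
        self.stats = {"local_db": 0, "cache": 0, "cloud": 0}

    def _cache_get(self, key: Tuple[str, str]) -> Optional[Verdict]:
        hit = self.cache.get(key)
        if hit and time.monotonic() - hit[1] < self.cache_ttl_s:
            return hit[0]
        self.cache.pop(key, None)  # expired or absent
        return None

    def lookup(self, layer: str, indicator: str) -> Verdict:
        # layer: "av" (file signature) or "ab" (host name)
        if indicator in self.local_db:
            self.stats["local_db"] += 1
            return self.local_db[indicator]
        cached = self._cache_get((layer, indicator))
        if cached is not None:
            self.stats["cache"] += 1
            return cached
        self.stats["cloud"] += 1          # only a cache miss reaches ThreatCloud
        verdict = self.cloud_query(layer, indicator)
        self.cache[(layer, indicator)] = (verdict, time.monotonic())
        return verdict

    def classify_file(self, content: bytes) -> Verdict:
        # Anti-Virus: a signature (SHA-256 here, assumed) leaves the gateway, not the file
        return self.lookup("av", hashlib.sha256(content).hexdigest())

    def classify_host(self, url: str) -> Verdict:
        # Anti-Bot: only the host name is sent for reputation classification
        host = url.split("://", 1)[-1].split("/", 1)[0].split(":")[0].lower()
        return self.lookup("ab", host)
```

The `stats` counters let you confirm that repeated requests for the same host are answered locally and that the file content itself is never passed to the cloud callable.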
Data which Check Point Collects
When you enable information collection, the Check Point Security Gateway collects and securely submits event IDs, URLs, and external IP addresses to the Check Point Lab regarding potential security risks.
This is an example of an event that was detected by a Check Point Security Gateway. It includes the event ID, URL, and external IP addresses. Note that the data does not contain confidential data or internal resource information. The source IP address is obscured. Information sent to the Check Point Lab is stored in an aggregated form.
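To make the data-minimization rule concrete (event ID, URL and external IP addresses only; source IP obscured; storage in aggregated form), here is an added example that is not Check Point's submission format. The field names, the /24 and /48 masking widths and the sample events are constructed assumptions.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 / ULA addresses, i.e. internal resources."""
    return any(ipaddress.ip_address(ip) in n for n in PRIVATE_NETS)


def obscure(ip: str) -> str:
    """Keep only the network prefix so the internal host is not identifiable (assumed widths)."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def minimize(event: Dict[str, str]) -> Dict[str, str]:
    """Copy only event_id, url and the IP fields; internal IPs are obscured.

    Anything else in the raw event (user, file name, internal host names) is never copied.
    """
    out = {"event_id": event["event_id"], "url": event["url"]}
    for fld in ("src", "dst"):
        ip = event[fld]
        out[fld] = obscure(ip) if is_internal(ip) else ip
    return out


def aggregate(events: Iterable[Dict[str, str]]) -> List[Dict]:
    """One record per distinct minimized event, with a count instead of per-host detail."""
    counts = Counter(tuple(sorted(minimize(e).items())) for e in events)
    return [dict(k, count=c) for k, c in sorted(counts.items())]


# Constructed sample events, not real detections
SAMPLE_EVENTS = [
    {"event_id": "0x4a1f", "url": "http://malware.example/payload.exe",
     "src": "10.1.2.37", "dst": "203.0.113.9", "user": "alice", "file": "payload.exe"},
    {"event_id": "0x4a1f", "url": "http://malware.example/payload.exe",
     "src": "10.1.2.88", "dst": "203.0.113.9", "user": "bob", "file": "payload.exe"},
]
```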
Configuring Check Point ThreatCloud on a Gateway
| Step | Instructions |
|---|---|
| 1 | Double-click the Security Gateway. The gateway window opens and shows the General Properties page. |
| 2 | Configure the settings for the Anti-Bot and Anti-Virus Software Blades. |
| 3 | Configure the settings for the IPS Software Blade. |
| 4 | Click OK. |
Check Point ThreatCloud Network
Check Point ThreatCloud is a dynamically updated service that is based on an innovative global network of threat sensors and organizations that share threat data and collaborate to fight against modern malware. Customers can send their own threat data to the ThreatCloud and receive protection updates with enriched threat intelligence.
Customers that participate in the ThreatCloud network can use the collected malware data to benefit from increased security and protection. The ThreatCloud can then distribute attack information, and turn zero-day attacks into known signatures that the Anti-Virus Software Blade can block.
When you send files to the ThreatCloud service for emulation, your network gets up-to-date threat information and operating system environments. The connection to the ThreatCloud is enabled by default. This connection gives many management features. We recommend that it be enabled. If you want to block this connection, you can change the default setting.
| Step | Instructions |
|---|---|
| 1 | From the menu bar, click Global Properties. |
| 2 | From the navigation tree, click Security Management Access. |
| 3 | In the Internet Access area, clear: Improve product experience by sending information to Check Point. |
| 4 | Publish the SmartConsole session. |
| 5 | Restart SmartConsole. |
| 6 | Install the Policy. |
To learn more, see sk94509.
The ThreatCloud Intellistore
ThreatCloud Intellistore is a threat intelligence marketplace that supplements ThreatCloud and provides intelligence data from leading cybersecurity vendors. The data includes threat information such as IP addresses, domains, URLs, command and control networks, DoS attacks and more. Intellistore classifies the information feeds according to specific geographies, types of attacks or industries, and you can select the feeds that best suit your needs.
A security feed represents specialized intelligence gathered and analyzed by the vendors. ThreatCloud translates these feeds into protections that run on the Security Gateway.