Configuring Threat Indicators
Indicators of Compromise (IoCs) represent a combination of observable objects, behavioral patterns, and contextual intelligence that together describe malicious activity within an operational cyber domain.
An Indicator is a set of observables that collectively represent or demonstrate malicious activity.
An Observable is an event or a stateful property that can be observed in an operational cyber domain, such as an IP address, a file signature, a URL, or an email address. On their own, observables are raw data points. When enriched with behavior and context, they become actionable threat indicators.
Threat indicators demonstrate attacks through:
- Specific observable patterns, such as repeated communication with known command-and-control servers or the presence of malicious files.
- Behavioral characteristics, including lateral movement, process injection, data exfiltration attempts, unusual login activity, and other attacker techniques.
- Contextual and descriptive metadata, which gives meaning to the indicator and enables automated and human-driven response. This contextual information may include the indicator type, source, severity, confidence level, recommended action (prevent, detect, log), timestamps, descriptions, references, and associated security products such as Anti-Bot, Anti-Virus, or IPS.
The security products named above are Check Point Software Blades that run on a Security Gateway:
- Anti-Bot (acronyms: AB, ABOT) blocks botnet behavior and communication to Command and Control (C&C) centers.
- Anti-Virus (acronym: AV) uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected.
- IPS (Intrusion Prevention System) inspects and analyzes packets and data for numerous types of risks.
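The enrichment step described above, turning a raw observable plus contextual metadata into a validated indicator, as an added example that is not part of this guide and not Check Point's own feed format. The observable types, the severity/confidence/action vocabularies and the row layout are this example's own assumptions; the sample rows use documentation addresses and the MD5 of an empty file.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Syntax checks for the observable types this example recognises (constructed, not a vendor list).
_PATTERNS = (
    ("MD5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("URL", re.compile(r"^https?://\S+$", re.I)),
    ("Email", re.compile(r"^[^@\s]+@([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)),
    ("Domain", re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)),
)
# Allowed values for the contextual fields; these vocabularies are this example's own assumption.
SEVERITIES = {"Low", "Medium", "High", "Critical"}
CONFIDENCES = {"Low", "Medium", "High"}
ACTIONS = {"prevent", "detect", "log"}

def classify_observable(value: str) -> Optional[str]:
    """Return the observable type of a raw value, or None if it matches no known type."""
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals, rejects e.g. 203.0.113.256
        return "IP"
    except ValueError:
        return next((itype for itype, pattern in _PATTERNS if pattern.match(value)), None)

def load_feed(rows: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Enrich raw feed rows into indicators (row plus derived 'type'); bad rows are reported by name."""
    accepted, rejected = [], []
    for row in rows:
        name, value = row.get("name", "?"), row.get("value", "").strip()
        itype = classify_observable(value)
        if itype is None:
            rejected.append(f"{name}: unrecognised observable {value!r}")
        elif row.get("severity") not in SEVERITIES or row.get("confidence") not in CONFIDENCES:
            rejected.append(f"{name}: severity/confidence outside the allowed vocabulary")
        elif row.get("action") not in ACTIONS:
            rejected.append(f"{name}: action must be one of {sorted(ACTIONS)}")
        else:
            accepted.append({**row, "value": value, "type": itype})
    return accepted, rejected

# Constructed sample rows: documentation addresses and the MD5 of an empty file, not real indicators.
SAMPLE_ROWS = [
    {"name": "c2-ip", "value": "203.0.113.7", "severity": "High", "confidence": "High", "action": "prevent", "comment": "C&C server"},
    {"name": "dropper", "value": "d41d8cd98f00b204e9800998ecf8427e", "severity": "Critical", "confidence": "Medium", "action": "detect", "comment": "malicious file"},
    {"name": "typo", "value": "203.0.113.256", "severity": "Low", "confidence": "Low", "action": "log", "comment": "invalid IPv4"},
    {"name": "bad-action", "value": "c2.example.net", "severity": "High", "confidence": "High", "action": "block", "comment": ""},
]
```

Rejected rows are returned by name rather than silently dropped, so a malformed line in a third-party feed is visible before the feed is enforced.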
Indicators are derived from multiple sources, including threat intelligence providers, internal analysis, government organizations, and trusted partners.
The IoC Feeds feature lets you fetch feeds from a third-party server directly to the Security Gateway. The Security Gateway enforces the feeds through the Anti-Bot, Anti-Virus and IPS engines, in addition to the feeds included in the Check Point packages and ThreatCloud feeds. The IoC Feeds feature helps you manage and monitor indicators with minimum operational overhead. You can upload the feeds through SmartConsole or the CLI.
Terms used above:
- IoC (Indicator of Compromise): an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command and control servers. IoCs are identified through incident response and computer forensics; intrusion detection systems and anti-virus software can then use them to detect future attacks.
- Security Gateway: a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.
- Anti-Bot targets malicious software that neutralizes Anti-Virus defenses, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions.
- ThreatCloud: the cyber intelligence center of all Check Point products. It is dynamically updated based on a global network of threat sensors and invites organizations to share threat data and collaborate in the fight against modern malware.
- SmartConsole: the Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.