
156-315.81.20 Custom Threat Protection

Detailed list of 156-315.81.20 knowledge points

Custom Threat Protection Detailed Explanation

This detailed guide will help you understand Custom Threat Protection, focusing on Intrusion Prevention System (IPS), SandBlast features, Anti-Bot and Anti-Virus, and IoT Security.

Key Objective 1: Intrusion Prevention System (IPS)

What is IPS?

The Intrusion Prevention System (IPS) is a critical component of Check Point’s threat prevention suite. It detects and blocks malicious traffic based on attack signatures and behavioral analysis.

Tuning IPS to Detect and Block Specific Attack Signatures

  1. Understanding Attack Signatures:

    • Attack signatures are predefined patterns of malicious activity, such as SQL injection or buffer overflow.
    • IPS uses these signatures to identify known threats.
  2. How to Tune IPS:

    • In SmartConsole, navigate to Threat Prevention > IPS Protections.
    • Search for specific protections or attack categories (e.g., “SQL Injection” or “Web Attacks”).
    • Customize the action for each signature:
      • Prevent: Blocks the attack immediately.
      • Detect: Logs the attack but doesn’t block it.
  3. Example Use Case:

    • A company faces SQL injection attempts on its web server.
    • Enable and set the SQL injection protection to Prevent.

Using IPS Profiles for Performance Optimization

  1. What are IPS Profiles?

    • IPS profiles group protections based on risk level and performance impact.
    • Examples:
      • Optimized Profile: Balances security and performance.
      • Strict Profile: Focuses on maximum security.
      • Basic Profile: Focuses on performance with minimal protections.
  2. How to Apply an IPS Profile:

    • In SmartConsole, create or modify an existing IPS profile.
    • Assign the profile to a specific gateway or policy.
    • Test the profile by simulating traffic and reviewing logs.
  3. Performance Tips:

    • Disable protections irrelevant to your environment (e.g., FTP-related protections if FTP isn’t used).
    • Use the Basic Profile for high-throughput environments where latency is critical.

Key Objective 2: Threat Emulation and Threat Extraction

What is SandBlast?

SandBlast is Check Point’s advanced threat prevention technology, designed to protect against zero-day threats. It includes two key features:

  1. Threat Emulation: Simulates files in a secure virtual environment to detect malicious behavior.
  2. Threat Extraction: Removes potentially malicious content while preserving usability.

Configuring SandBlast Features to Mitigate Zero-Day Threats

  1. Enable Threat Emulation:

    • In SmartConsole, go to Threat Prevention > Threat Emulation.
    • Select the file types to emulate (e.g., PDFs, Office documents, executables).
    • Define the emulation environment (e.g., Windows or macOS).
  2. Example Workflow:

    • An employee receives an email with an attachment.
    • The attachment is sent to the Threat Emulation engine.
    • If malicious activity is detected, the file is blocked before reaching the user.

Extracting Safe Content from Potentially Malicious Files

  1. Enable Threat Extraction:

    • In SmartConsole, navigate to Threat Prevention > Threat Extraction.
    • Configure the types of content to clean (e.g., embedded links, macros, JavaScript).
  2. How It Works:

    • Threat Extraction removes risky elements like macros from Office documents while keeping the content readable.
    • Users receive a clean, usable version of the file.
  3. Example Use Case:

    • A hospital receives medical reports via email. Threat Extraction removes any hidden macros to ensure patient data remains safe.
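The cleaning step described above can be shown on a minimal document. The following Python is an added example written for this guide, not Check Point's Threat Extraction engine: it builds a small macro-enabled Word package in memory (constructed sample, not a real hospital file), then removes the VBA part, its relationship entry and its content-type entries so the remaining package is a plain .docx whose text is untouched. Real engines handle many more part types; the principle of removing the active content while keeping the readable content is the same.

```python
import io
import re
import zipfile

# Part name, content types and relationship type as defined by the OOXML format
VBA_PART = "word/vbaProject.bin"
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument"
            ".wordprocessingml.document.main+xml")
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
WP_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_docm() -> bytes:
    """Construct a minimal macro-enabled document in memory (sample input)."""
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_CT}"/>'
            '</Types>',
        "word/document.xml":
            f'<w:document xmlns:w="{WP_NS}"><w:body><w:p><w:r>'
            '<w:t>Patient report: no abnormal findings</w:t>'
            '</w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels":
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{VBA_REL}" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            '</Relationships>',
        "word/styles.xml": f'<w:styles xmlns:w="{WP_NS}"/>',
        # constructed placeholder bytes standing in for a compiled VBA project
        VBA_PART: b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1placeholder-vba-project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def strip_macros(docm: bytes) -> bytes:
    """Rebuild the package without the VBA part, its relationship and its
    content-type entries, so the result opens as a plain .docx."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docm)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name == VBA_PART:
                continue                      # the macro container is dropped
            data = src.read(name)
            if name == "[Content_Types].xml":
                text = data.decode("utf-8").replace(MACRO_CT, PLAIN_CT)
                text = re.sub(r'<Default Extension="bin"[^>]*/>', "", text)
                data = text.encode("utf-8")
            elif name.endswith(".rels"):
                pattern = r'<Relationship [^>]*Type="' + re.escape(VBA_REL) + r'"[^>]*/>'
                data = re.sub(pattern, "", data.decode("utf-8")).encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue()


def has_macros(doc: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        return VBA_PART in zf.namelist()


def read_part(doc: bytes, name: str) -> str:
    """Return one XML part as text (used to verify the rewrite)."""
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        return zf.read(name).decode("utf-8")


if __name__ == "__main__":
    sample = build_sample_docm()
    cleaned = strip_macros(sample)
    print("macros before:", has_macros(sample), "after:", has_macros(cleaned))
```

The content-type rewrite matters as much as deleting the binary: if the main part were left marked as macro-enabled, Office would treat the file as a damaged .docm rather than a clean .docx.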

Key Objective 3: Anti-Bot and Anti-Virus

What is Anti-Bot?

Anti-Bot prevents malware from communicating with its command-and-control (C&C) servers, effectively neutralizing threats that have already infiltrated the network.

Configuring Anti-Bot for Malware Communication Prevention

  1. Enable Anti-Bot Protection:

    • In SmartConsole, navigate to Threat Prevention > Anti-Bot.
    • Apply Anti-Bot protections to relevant policies.
  2. Advanced Configuration:

    • Use Check Point’s ThreatCloud for real-time updates on C&C servers.
    • Enable alerts for blocked bot communication attempts.
  3. Example Workflow:

    • A workstation is infected with ransomware.
    • Anti-Bot blocks the ransomware’s attempt to communicate with its C&C server, preventing further damage.

Optimizing Anti-Virus Profiles to Protect Endpoints

  1. Enable Anti-Virus Protection:

    • In SmartConsole, navigate to Threat Prevention > Anti-Virus.
    • Specify the types of files to scan (e.g., email attachments, web downloads).
  2. Best Practices:

    • Use ThreatCloud for up-to-date virus signatures.
    • Configure the policy to quarantine or block suspicious files automatically.
  3. Example Use Case:

    • A remote employee downloads a file containing malware.
    • Anti-Virus detects and blocks the file before it executes.

Key Objective 4: IoT Security

Why is IoT Security Important?

IoT devices often lack robust security features, making them attractive targets for attackers. Check Point’s IoT protection framework secures these devices and prevents them from being exploited.

Securing IoT Devices Using Check Point’s IoT Protection Framework

  1. Discover IoT Devices:

    • Use the IoT discovery tool in SmartConsole to identify connected IoT devices.
    • Categorize devices based on type (e.g., printers, cameras, sensors).
  2. Apply IoT-Specific Protections:

    • Use predefined IoT protection profiles to block known vulnerabilities.
    • Update the profiles regularly to address emerging threats.

Applying Micro-Segmentation for IoT Networks

  1. What is Micro-Segmentation?

    • Micro-segmentation isolates IoT devices into secure zones, reducing their attack surface.
  2. How to Implement:

    • Create VLANs or dedicated subnets for IoT devices.
    • Apply strict access control rules to limit communication between zones.
  3. Example Use Case:

    • A factory segments its IoT-enabled machinery into a dedicated VLAN, preventing unauthorized access from other parts of the network.

Advanced Use Cases

Customizing IPS Profiles for High-Risk Zones

  • Scenario: A financial institution’s data center is a high-risk target for attackers.
  • Solution:
    • Apply a Strict IPS Profile to the data center gateways.
    • Enable maximum logging and alerts for all detected threats.

Deploying Threat Emulation in Sensitive Environments

  • Scenario: A healthcare provider needs to protect patient records from zero-day malware.
  • Solution:
    • Enable Threat Emulation for all incoming files.
    • Configure the policy to block any files exhibiting malicious behavior.

Custom Threat Protection (Additional Content)

Key Objective 1: Intrusion Prevention System (IPS)

Essential IPS CLI Commands

Check Point provides several useful commands to monitor and troubleshoot IPS:

  • ips stat
    Displays the current status of the IPS blade: whether it is enabled, which profile is in use, and the last update time.

  • ips update status
    Checks the update status of the IPS signature database. Useful for verifying whether protections are current and synced with ThreatCloud.

IPS and SecureXL/CoreXL Integration

  • Performance Note: Not all IPS protections are accelerated.

    Feature                     | SecureXL / Fast Path
    ----------------------------+----------------------
    Stateless traffic           | Accelerated
    Lightweight IPS signatures  | Some supported
    Complex IPS protections     | Slow path (CPU)
    HTTPS-inspected traffic     | Handled in software

  • Implication: Enabling certain heavy IPS protections (e.g., for SMB or exploit detection) may move traffic to the slow path, increasing CPU usage.

Best Practice:
Use the Optimized Profile in production and activate the Strict Profile only in high-risk zones.

Key Objective 2: SandBlast – Threat Emulation & Threat Extraction

Deployment Models for Threat Emulation

Threat Emulation can operate in the following modes:

  Mode                   | Description
  -----------------------+---------------------------------------------------------
  Cloud-Based            | Files sent to Check Point’s cloud sandbox (ThreatCloud)
  On-Prem (TE Appliance) | Local sandboxing using dedicated hardware or VM
  Hybrid                 | Priority to local; fallback to cloud if unavailable

Configuration Path:
SmartConsole > Threat Prevention > Threat Emulation Settings

Traffic Flow Awareness for Emulated Files

Files are analyzed based on how they are transferred. Supported traffic paths include:

  • SMTP (e.g., email attachments)
  • HTTP/HTTPS (e.g., browser downloads)
  • SMB (e.g., internal file shares)

Ensure the Threat Prevention Blade is applied to the relevant network zones and protocols.

Supported File Types – Limitations

Threat Emulation only analyzes structured, executable content:

  File Type        | Emulated?
  -----------------+----------
  .exe, .pdf, .doc | Yes
  .zip, .rar       | Yes
  .jpg, .png       | No
  .mp3, .mp4       | No

Files like images or media are not emulated, even if they’re sent via supported protocols.
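Because the emulated/not-emulated split is by file type, the practical check is what a file actually is, not what its name claims. The following Python is an added example for this guide (not Check Point code): it classifies a file by its leading bytes using well-known magic numbers, applies the Yes/No split from the table above, and flags files whose extension disagrees with their content, such as an executable renamed to .jpg. The sample payloads are constructed header bytes.

```python
# Classify by magic bytes, then apply the emulated / not-emulated split above.
MAGIC = [  # (prefix, type label), checked in order
    (b"MZ", "exe"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),   # OLE2 compound file (legacy Office)
    (b"PK\x03\x04", "zip"),                         # also the container of .docx/.xlsx
    (b"Rar!\x1a\x07", "rar"),
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"ID3", "mp3"),                                # ID3-tagged MP3
]
EMULATED = {"exe", "pdf", "doc", "zip", "rar"}            # "Yes" rows of the table
NOT_EMULATED = {"jpg", "png", "mp3", "mp4"}               # "No" rows of the table
ZIP_BASED_EXTENSIONS = {"zip", "docx", "xlsx", "pptx"}    # all begin with PK\x03\x04


def detect_type(data: bytes) -> str:
    """Return the type label implied by the file's magic bytes, or 'unknown'."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    if len(data) >= 12 and data[4:8] == b"ftyp":    # ISO base media (mp4/mov)
        return "mp4"
    return "unknown"


def emulation_decision(filename: str, data: bytes) -> dict:
    """Decide whether to send the file to emulation and flag renamed content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = detect_type(data)
    if actual == "zip":
        mismatch = bool(ext) and ext not in ZIP_BASED_EXTENSIONS
    else:
        mismatch = bool(ext) and actual != "unknown" and ext != actual
    return {
        "declared": ext,
        "actual": actual,
        "emulate": actual in EMULATED,
        "extension_mismatch": mismatch,
    }


def triage(files: dict) -> list:
    """Run the decision over a batch; return (name, decision) for files that
    either go to emulation or carry a misleading extension."""
    decisions = ((name, emulation_decision(name, data)) for name, data in files.items())
    return [(name, d) for name, d in decisions if d["emulate"] or d["extension_mismatch"]]


SAMPLES = {   # constructed payloads: only the header bytes matter here
    "setup.exe": b"MZ\x90\x00" + bytes(60),
    "holiday.jpg": b"MZ\x90\x00" + bytes(60),      # executable renamed to look like a photo
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(20),
    "report.docx": b"PK\x03\x04" + bytes(30),
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42" + bytes(20),
}

if __name__ == "__main__":
    for name, decision in triage(SAMPLES):
        print(name, decision)
```

Only the real photo and the video are left out of emulation; the renamed executable is still sent, which is the behaviour a defender wants from any type-based exclusion list.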

Key Objective 3: Anti-Bot & Anti-Virus

Useful CLI for Sandboxing and Malware Inspection

  • tecli show status
    Shows the current operational status of Threat Emulation services.

  • tecli show files
    Lists files currently under analysis, including their verdict and source.

These tools are helpful for confirming whether files are reaching the sandbox engine and how quickly they're processed.

Anti-Virus vs. Traditional Anti-Virus – Know the Difference

Check Point provides two distinct AV modes:

  Mode                   | Description
  -----------------------+-------------------------------------------------------------------------------------
  Anti-Virus Blade       | Modern engine, integrated with ThreatCloud for real-time detection and C&C blocking
  Traditional Anti-Virus | Legacy mode, less effective, only used in very old environments

  • Where configured:
    • Anti-Virus is managed via Threat Prevention policies.
    • Traditional AV appears under the Legacy SmartDashboard or older policy setups.

Best Practice:
Always use the modern Anti-Virus Blade unless compatibility requires traditional AV.

Key Objective 4: IoT Security & Micro-Segmentation

Identity Awareness + IoT Tagging – Advanced Use Case

When combined with Identity Awareness, IoT security becomes more context-aware:

  • Devices can be tagged by function (e.g., HVAC, Camera, Sensor).
  • Access policies can use IoT + identity (e.g., only allow printers to connect to print servers).
  • Enables role-based access control for non-human endpoints.

Integration with IoT Controllers and Cloud Platforms

Check Point supports integration with:

  • IoT Protect / Infinity IoT: Cloud platform for continuous IoT threat assessment.
  • 3rd-party IoT Controllers: May feed device identities or risk profiles into policy.

Integration Benefits:

  • Automated policy generation based on device risk.
  • Centralized visibility across thousands of unmanaged devices.

Micro-Segmentation with VLANs / ACLs

  • Devices are segmented by VLAN, VRF, or security group.
  • Fine-grained access control policies define allowed communication paths.

Example:
A building’s access control system can’t talk to the guest Wi-Fi VLAN.
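The two ideas on this page that decide such a flow, zone-based micro-segmentation and identity-aware IoT tagging ("only allow printers to connect to print servers"), can be modelled in a few lines. The following Python is an added example written for this guide, not a Check Point policy export: zones, subnets, device tags and rules are constructed, the evaluator is first-match with default deny, and a second function statically checks that no allow rule could ever join two zones that must stay isolated, such as the building access-control VLAN and guest Wi-Fi.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed zones (VLAN subnets) and device tags; a real deployment would take
# these from the IoT discovery tool and Identity Awareness rather than literals.
ZONES = {
    "iot_access_control": ipaddress.ip_network("10.40.0.0/24"),
    "iot_printers":       ipaddress.ip_network("10.41.0.0/24"),
    "print_servers":      ipaddress.ip_network("10.10.5.0/24"),
    "guest_wifi":         ipaddress.ip_network("192.168.100.0/24"),
    "corp_users":         ipaddress.ip_network("10.20.0.0/16"),
}
DEVICE_TAGS = {"10.41.0.7": {"printer"}, "10.40.0.3": {"door-controller"}}


@dataclass
class Rule:
    name: str
    src_zone: str                  # zone name or "*" for any
    dst_zone: str
    dst_port: Optional[int]        # None = any port
    required_tag: Optional[str]    # tag the source device must carry, or None
    action: str                    # "allow" or "deny"


# Ordered, first match wins; anything unmatched falls to default deny.
RULES: List[Rule] = [
    Rule("printers-to-print-servers", "iot_printers", "print_servers", 9100, "printer", "allow"),
    Rule("corp-to-printers", "corp_users", "iot_printers", 9100, None, "allow"),
    Rule("access-control-never-to-guest", "iot_access_control", "guest_wifi", None, None, "deny"),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, rule name) for one flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    tags = DEVICE_TAGS.get(src_ip, set())
    for r in RULES:
        if r.src_zone not in ("*", src_zone) or r.dst_zone not in ("*", dst_zone):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.required_tag is not None and r.required_tag not in tags:
            continue
        return r.action, r.name
    return "deny", "default-deny"


def isolation_violations(forbidden: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Static check: list allow rules that could permit a forbidden zone pair.
    Ports, tags and shadowing by earlier deny rules are ignored, so the check
    may over-report but never under-report."""
    hits = []
    for src_zone, dst_zone in forbidden:
        for r in RULES:
            if r.action == "allow" and r.src_zone in ("*", src_zone) \
                    and r.dst_zone in ("*", dst_zone):
                hits.append((src_zone, dst_zone, r.name))
    return hits


if __name__ == "__main__":
    print(evaluate("10.41.0.7", "10.10.5.20", 9100))        # tagged printer -> allow
    print(evaluate("10.41.0.9", "10.10.5.20", 9100))        # untagged device -> deny
    print(evaluate("10.40.0.3", "192.168.100.50", 443))     # access control -> guest: deny
    print(isolation_violations([("iot_access_control", "guest_wifi")]))
```

Note that an untagged device sitting in the printer VLAN is still denied: the VLAN gives it a zone, but only the identity tag satisfies the rule, which is what "IoT + identity" adds over plain subnet ACLs.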

Advanced Use Case Validity & Exam Scenario Alignment

  Scenario Type                           | Valid for Exams? | Justification
  ----------------------------------------+------------------+-----------------------------------------------------------
  High-risk zones with IPS Strict Profile | Yes              | Matches best practices; often asked in CCSE scenario items
  Sandbox protection in healthcare        | Yes              | Good use of TE with medical file scanning via SMB/SMTP
  IoT micro-segmentation with VLANs       | Yes              | Ideal for case-study or network diagram-based questions

Summary Table of Key Additions

  Category                 | Supplemented Insight
  -------------------------+----------------------------------------------------------------------------------
  IPS CLI                  | ips stat, ips update status
  IPS & Acceleration       | Certain IPS protections bypass SecureXL/CoreXL and are handled in the slow path
  SandBlast Deployment     | Local vs. cloud vs. hybrid sandboxing
  File Types for Emulation | Only executable/structured types are emulated
  AV CLI                   | tecli show status, tecli show files
  Anti-Virus Modes         | Modern AV vs. Traditional AV (legacy distinction)
  IoT Integration          | Identity-aware IoT tagging, controller integration (IoT Protect)
  Micro-Segmentation       | VLAN-based control + contextual access enforcement

Frequently Asked Questions

Why might Threat Prevention block legitimate application traffic in a production environment?

Answer:

Threat Prevention signatures may detect patterns that resemble known attack behaviors.

Explanation:

Threat Prevention engines such as IPS analyze network traffic patterns to identify potential attacks. Some application traffic may contain data patterns similar to known exploit signatures, causing the system to classify the traffic as malicious even when it is legitimate. This situation is referred to as a false positive. When this occurs, administrators typically review the triggered protection signature, analyze the affected traffic, and determine whether the detection is valid. If the traffic is legitimate, administrators may adjust the protection settings, create exceptions, or modify the Threat Prevention profile to prevent unnecessary blocking while maintaining security coverage.

Demand Score: 87

Exam Relevance Score: 84

How can administrators reduce false positives when using IPS protections?

Answer:

By tuning IPS profiles and adjusting protection actions based on risk assessment.

Explanation:

IPS protections are organized into profiles that determine how individual protections behave. Each protection can be configured with actions such as detect, prevent, or inactive. Administrators can review triggered protections in logs and determine whether they represent real threats or false positives. If a protection repeatedly blocks legitimate traffic, administrators may change its action from prevent to detect or create specific exceptions for trusted traffic patterns. Careful tuning allows organizations to maintain strong intrusion protection while minimizing operational disruption caused by overly aggressive detections.
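The review step this answer describes (and the earlier IPS tuning section, where a protection's action is set to Prevent or Detect) comes down to reading the logs per protection and deciding whether the blocks look like attacks or like an application tripping a signature. The following Python is an added example for this guide, not Check Point code or log output: the records are constructed in a simplified key=value form with the fields a log export would carry, the trusted subnet is assumed, and the recommendation logic maps the aggregate to the same choices the answer lists (keep Prevent, add an exception for specific trusted sources, or move to Detect and review).

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample records in a simplified key=value layout (not real
# Check Point log output): time, action, protection name, severity, src, dst.
SAMPLE_LOGS = """\
time=2024-05-02T09:01:10 action=Prevent protection_name="SQL Servers Blind SQL Injection" severity=High src=203.0.113.45 dst=10.1.0.10
time=2024-05-02T09:01:12 action=Prevent protection_name="SQL Servers Blind SQL Injection" severity=High src=198.51.100.9 dst=10.1.0.10
time=2024-05-02T09:03:40 action=Prevent protection_name="HTTP Header Max Length Exceeded" severity=Low src=10.20.4.17 dst=10.1.0.12
time=2024-05-02T09:03:41 action=Prevent protection_name="HTTP Header Max Length Exceeded" severity=Low src=10.20.4.17 dst=10.1.0.12
time=2024-05-02T09:04:05 action=Prevent protection_name="HTTP Header Max Length Exceeded" severity=Low src=10.20.7.3 dst=10.1.0.12
time=2024-05-02T09:04:06 action=Prevent protection_name="HTTP Header Max Length Exceeded" severity=Low src=10.20.7.3 dst=10.1.0.12
time=2024-05-02T09:05:30 action=Prevent protection_name="HTTP Header Max Length Exceeded" severity=Low src=10.20.9.21 dst=10.1.0.12
time=2024-05-02T09:06:00 action=Detect protection_name="Web Servers Malicious HTTP Header" severity=Medium src=10.20.4.17 dst=10.1.0.12
"""

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed: internal user VLANs
MIN_HITS = 3                                            # below this, too little evidence
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def aggregate(raw: str) -> dict:
    """Per protection: total hits, Prevent hits, Prevent hits from trusted
    sources, the distinct trusted sources and the highest severity seen."""
    stats = defaultdict(lambda: {"total": 0, "prevent": 0, "trusted": 0,
                                 "trusted_sources": set(), "severity": "Low"})
    for line in raw.splitlines():
        rec = parse_line(line)
        if "protection_name" not in rec:
            continue
        s = stats[rec["protection_name"]]
        s["total"] += 1
        if SEVERITY_RANK.get(rec.get("severity"), 0) > SEVERITY_RANK[s["severity"]]:
            s["severity"] = rec["severity"]
        if rec.get("action") == "Prevent":
            s["prevent"] += 1
            if is_trusted(rec["src"]):
                s["trusted"] += 1
                s["trusted_sources"].add(rec["src"])
    return stats


def recommend(s: dict) -> str:
    """Map the aggregate to the tuning step described in the answer above."""
    if s["prevent"] == 0:
        return "no change: protection is not blocking anything"
    if s["prevent"] < MIN_HITS:
        return "keep Prevent: too few blocks to judge"
    if s["trusted"] / s["prevent"] < 0.8:
        return "keep Prevent: blocks come mainly from untrusted sources"
    if SEVERITY_RANK[s["severity"]] >= SEVERITY_RANK["High"]:
        return "keep Prevent: investigate the trusted sources before relaxing"
    if len(s["trusted_sources"]) <= 2:
        return "add exception for trusted sources: " + ", ".join(sorted(s["trusted_sources"]))
    return "set action to Detect and review the application traffic"


def triage(raw: str) -> dict:
    return {name: dict(s, recommendation=recommend(s)) for name, s in aggregate(raw).items()}


if __name__ == "__main__":
    for name, s in triage(SAMPLE_LOGS).items():
        print(f'{name}: prevent={s["prevent"]} trusted={s["trusted"]} -> {s["recommendation"]}')
```

The thresholds (three hits, 80% trusted share) are assumptions to be tuned per environment; the point is that a low-severity protection firing repeatedly from several internal hosts is reviewed as a likely false positive, while high-severity blocks from the internet stay in Prevent.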

Demand Score: 84

Exam Relevance Score: 83

Why is it important to use different Threat Prevention profiles for different network environments?

Answer:

Different environments require varying security sensitivity and performance considerations.

Explanation:

Not all network segments require identical security inspection levels. For example, internet-facing servers may require stricter intrusion prevention policies, while internal trusted networks may require less aggressive inspection to avoid disrupting business applications. Using multiple Threat Prevention profiles allows administrators to apply appropriate inspection policies depending on the network context. This approach ensures that high-risk traffic receives stronger protection while maintaining operational stability in internal environments. Tailoring inspection policies to different segments helps balance security effectiveness with network performance.

Demand Score: 80

Exam Relevance Score: 82

What operational step should administrators take when a new Threat Prevention signature update is deployed?

Answer:

Monitor logs and alerts to verify that the new protections do not disrupt legitimate traffic.

Explanation:

Threat Prevention signatures are regularly updated to detect newly discovered vulnerabilities and attack techniques. While these updates improve security coverage, they may also introduce protections that incorrectly classify legitimate traffic as malicious. After applying signature updates, administrators typically monitor security logs and alert dashboards to identify any unexpected blocks or application disruptions. If issues arise, the affected protections can be adjusted or temporarily set to detect mode while further analysis is conducted. Continuous monitoring ensures that updated protections strengthen security without negatively affecting business operations.

Demand Score: 77

Exam Relevance Score: 81
