1. Malware analysis using Check Point forensics. SandBlast Network

Welcome to a new series of articles, this time on the topic of incident investigation, namely malware analysis using Check Point Forensics. We have previously published several video tutorials on working in SmartEvent, but this time we will look at the forensic reports for specific events in different Check Point products:

Why is forensics of prevented incidents important? It might seem that once the virus has been caught, that is already good enough, so why dig into it? As practice shows, it is desirable not only to block an attack, but also to understand exactly how it works: what the entry point was, which vulnerability was used, which processes are involved, whether the registry and file system are affected, which malware family it belongs to, what the potential damage is, and so on. This and other useful data can be obtained from the comprehensive Check Point Forensics reports (both textual and graphical). Producing such a report manually is very difficult. This data can then help you take action to prevent similar attacks from succeeding in the future. Today we will review the Check Point SandBlast Network forensics report.

SandBlast Network

The use of sandboxes to strengthen the protection of the network perimeter has long been commonplace and is as indispensable as IPS. At Check Point, the Threat Emulation blade is responsible for the sandbox functionality; it is part of the SandBlast technologies (there is also Threat Extraction). We previously published a short course on Check Point SandBlast for Gaia version 77.30 (I highly recommend watching it if you don't understand what is being discussed now). From an architectural point of view, nothing has fundamentally changed since then. If you have a Check Point Gateway on the network perimeter, you can use two sandbox integration options:

  1. Sandblast Local Appliance - an additional SandBlast appliance is installed on your network, to which files are sent for analysis.
  2. SandBlast Cloud - files are sent for analysis to the Check Point cloud.

The sandbox can be considered the last line of defense at the network perimeter. It comes into play only after analysis by classical means (antivirus, IPS). And while such traditional signature-based tools provide almost no analytics, the sandbox can “tell” in detail why the file was blocked and what exactly it does that is malicious. Such a forensics report can be obtained from both the local and the cloud sandbox.

Check Point Forensics Report

Let's say you, as an information security specialist, come to work and open a dashboard in SmartConsole. Here you can see the incidents of the past 24 hours, and the Threat Emulation events (the most dangerous attacks, which were not blocked by signature analysis) draw your attention.

You can “drill down” into these events and see all the logs for the Threat Emulation blade.

After that, you can additionally filter the logs by threat criticality (Severity), as well as by Confidence Level (how reliable the verdict is):

After opening the event of interest, you can review the general information (src, dst, severity, sender, etc.):

There you will also find the Forensics section with the available Summary report. Clicking on it opens a detailed analysis of the malware in the form of an interactive HTML page:

(This is part of the page. The original can be viewed here)

From the same report, we can download the original malware (in a password-protected archive), or immediately contact the Check Point response team.

A little lower you can see a nice animation that shows, in percentage terms, how much our sample has in common with already known malicious code (both the code itself and the macros). This analytics is produced using machine learning in the Check Point ThreatCloud.

Then you can see which activities in the sandbox made it possible to conclude that this file is malicious. In this case, we see the use of bypass techniques and an attempt to download ransomware:

You can see that in this case emulation was carried out on two systems (Windows 7, Windows XP) with different software versions (Office, Adobe). Below is a video (slide show) of this file being opened in the sandbox:

Video example:

At the very end, we can see in detail how the attack developed, either in tabular or in graphical form:

In the same place, we can download this information in RAW format, as well as a pcap file for detailed analysis of the generated traffic in Wireshark:
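As an added example that is not part of the original article: a small Python script that reads a classic pcap like the one downloaded from the report and lists which destination hosts and ports the sample contacted during emulation, which is the first thing to check when deciding what to block. The capture here is constructed inline so the script runs offline; with a real report you would read its pcap from disk instead.

```python
import struct
from collections import Counter

PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_sample_pcap():
    """Constructed capture: Ethernet/IPv4, two TCP packets to one host and one UDP DNS query."""
    def packet(proto, dst_ip, dst_port):
        eth = b"\x00" * 12 + b"\x08\x00"                         # MACs (zeroed), EtherType IPv4
        l4 = struct.pack("!HH", 49152, dst_port) + b"\x00" * 16  # src port, dst port, filler
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 5]), bytes(int(o) for o in dst_ip.split(".")))
        frame = eth + ip + l4
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # pcap record header
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return (global_header + packet(6, "203.0.113.10", 80) + packet(6, "203.0.113.10", 80)
            + packet(17, "198.51.100.53", 53))


def summarise_pcap(data):
    """Count IPv4 TCP/UDP packets per (dst_ip, proto, dst_port); other frames are skipped."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"                      # little-endian pcap
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"                      # big-endian pcap
    else:
        raise ValueError("not a classic pcap file (nanosecond/pcapng not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    counts = Counter()
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need Ethernet + full IPv4 header
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        if proto not in PROTO_NAMES or len(frame) < 14 + ihl + 4:
            continue
        dst_ip = ".".join(str(b) for b in frame[30:34])
        dst_port = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        counts[(dst_ip, PROTO_NAMES[proto], dst_port)] += 1
    return dict(counts)


if __name__ == "__main__":
    # With a real report, replace build_sample_pcap() with open("report.pcap", "rb").read()
    for (ip, proto, port), n in sorted(summarise_pcap(build_sample_pcap()).items()):
        print(f"{ip}:{port}/{proto}  packets={n}")
```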

Conclusion

Using this information, you can significantly enhance the protection of your network: block the hosts distributing the malware, close the exploited vulnerabilities, block potential C&C callbacks, and more. Do not neglect this analytics.

In the following articles, we will similarly look at reports from SandBlast Agent, SandBlast Mobile, and CloudGuard SaaS. So stay tuned (Telegram, Facebook, VK, TS Solution Blog)!

Source: habr.com