3. Check Point SandBlast Agent Management Platform. Threat Prevention Policy


Welcome to the third article in the series about the new cloud-based management console for personal computer protection, Check Point SandBlast Agent Management Platform. Let me remind you that in the first article we got acquainted with the Infinity Portal and created a cloud-based agent management service, Endpoint Management Service. In the second article we examined the web management console interface and installed the agent with the standard policy on the user's machine. Today we will review the contents of the default Threat Prevention security policy and test its effectiveness against popular attacks.

Default Threat Prevention Policy Description


The figure above shows a standard Threat Prevention policy rule that, by default, applies to the entire organization (all installed agents) and includes three logical groups of protection components: Web & Files Protection, Behavioral Protection, and Analysis & Remediation. Let's take a closer look at each of the groups.

Web & File Protection

URL Filtering
URL Filtering allows you to control user access to web resources using 5 predefined categories of sites. Each of the 5 categories contains several more specific subcategories, which lets you, for example, block access to the Games subcategory while allowing access to the Instant Messaging subcategory, both of which belong to the same Productivity Loss category. The URLs assigned to each subcategory are determined by Check Point. You can check which category a particular URL belongs to, or request a category override, on Check Point's URL Categorization page.
The action can be set to Prevent, Detect, or Off. When the Detect action is selected, a setting is automatically added that allows users to dismiss the URL Filtering warning and proceed to the requested resource. With the Prevent action, this setting can be removed, and the user will then be unable to access the prohibited site. Another convenient way to control prohibited resources is the Block List, in which you can specify domains or IP addresses, or upload a .csv file with a list of domains to block.


In the standard policy, URL Filtering is set to the Detect action with one category selected, Security, for which events will be detected. This category includes various anonymizers, Critical/High/Medium risk sites, phishing sites, spam and more. However, users will still be able to access the resource thanks to the “Allow user to dismiss the URL Filtering alert and access the website” setting.

Download (web) Protection
Emulation & Extraction allows you to emulate downloaded files in the Check Point cloud sandbox and clean documents on the fly, removing potentially malicious content or converting the document to PDF. There are three modes of operation:

  • Prevent - allows you to get a copy of the cleaned document before the final emulation verdict, or wait for the emulation to complete and immediately download the original file;

  • Detect - performs emulation in the background, without preventing the user from receiving the original file, regardless of the verdict;

  • Off - any file is allowed to be downloaded without going through emulation or cleaning of potentially malicious components.

It is also possible to select an action for files that are not supported by the Check Point emulation and cleaning tools: you can allow or deny the download of all unsupported files.


The default policy for Download Protection is set to the Prevent action, with the ability to get a copy of the original document cleaned of potentially malicious content, and with downloads of files not supported by the emulation and cleaning tools allowed.

Credential Protection
The Credential Protection component protects user credentials and includes 2 components: Zero Phishing and Password Protection. Zero Phishing protects users from accessing phishing resources, and Password Protection warns the user that corporate credentials must not be used outside the protected domain. Zero Phishing can be set to Prevent, Detect or Off. With the Prevent action, you can either allow users to dismiss the warning about a potential phishing resource and access it, or disable this option and always block access. With the Detect action, users always have the option to dismiss the warning and access the resource. Password Protection allows you to select the protected domains for which passwords will be checked, and one of three actions: Detect & Alert (notifying the user), Detect or Off.


The default policy for Credential Protection is Prevent for any phishing resource, which blocks users from accessing a potentially malicious site. Corporate password protection is also enabled, but this feature will not work until protected domains are specified.

File Protection
Files Protection is responsible for protecting files stored on the user's machine and includes two components: Anti-Malware and Files Threat Emulation. Anti-Malware regularly scans all user and system files using signature analysis. In the settings of this component, you can configure scheduled or randomized scans, the signature update period, and whether users may cancel scheduled scans. Files Threat Emulation allows emulation of files stored on the user's machine in the Check Point Cloud Sandbox; however, this feature only works in Detect mode.


The default policy for Files Protection includes protection with Anti-Malware and detection of malicious files with Files Threat Emulation. A scheduled scan is performed every month, and the signatures on the user's machine are updated every 4 hours. Users are allowed to cancel a scheduled scan, but not for longer than 30 days after the last successful scan.

Behavioral Protection

Anti-Bot, Behavioral Guard & Anti-Ransomware, Anti-Exploit
The Behavioral Protection group includes three components: Anti-Bot, Behavioral Guard & Anti-Ransomware and Anti-Exploit. Anti-Bot allows you to monitor and block C&C connections using the constantly updated Check Point ThreatCloud database. Behavioral Guard & Anti-Ransomware constantly monitors activity (files, processes, network interactions) on the user's machine and helps stop ransomware attacks at an early stage. In addition, this component allows you to restore files that have been encrypted by malware; files are restored to their original directories, or you can specify a path where all restored files will be stored. Anti-Exploit allows you to detect zero-day attacks. All Behavioral Protection components support three modes of operation: Prevent, Detect, and Off.


The default policy for Behavioral Protection is Prevent for the Anti-Bot and Behavioral Guard & Anti-Ransomware components, with encrypted files restored to their original directories. The Anti-Exploit component is disabled and not in use.

Analysis & Remediation

Automated Attack Analysis (Forensics), Remediation & Response
Two security components are available for analysis and investigation of security incidents: Automated Attack Analysis (Forensics) and Remediation & Response. Automated Attack Analysis (Forensics) generates detailed reports on repelled attacks, down to an analysis of how the malware executed on the user's machine. The Threat Hunting feature is also available, which allows you to proactively search for anomalies and potentially malicious behavior using built-in or custom filters. Remediation & Response allows you to configure how files are restored and quarantined after an attack: user interaction with quarantined files is regulated, and quarantined files can be stored in a directory specified by the administrator.


The standard Analysis & Remediation policy enables automatic remediation actions (terminating processes, restoring files, etc.) and the option to send files to quarantine; users can only delete files from quarantine.

Standard Threat Prevention Policy: Testing

Check Point CheckMe Endpoint


The fastest and easiest way to check a user machine's security against the most popular types of attacks is to run the Check Point CheckMe test, which carries out a number of typical attacks of various categories and produces a report on the results. In this case, the Endpoint testing option was used, in which an executable file is downloaded and launched on the computer, after which the checks begin.


While the working computer is being checked, SandBlast Agent reports the attacks it identified and repelled on the user's computer, for example: the Anti-Bot blade reports the detection of an infection, the Anti-Malware blade detected and deleted the malicious CP_AM.exe file, and the Threat Emulation blade determined that the CP_ZD.exe file is malicious.


Based on the results of testing with CheckMe Endpoint, we have the following result: out of 6 categories of attacks, the standard Threat Prevention policy failed only one category, Browser Exploit. This is because the default Threat Prevention policy does not enable the Anti-Exploit blade. It is worth noting that without SandBlast Agent installed, the user's computer passed the check only for the Ransomware category.


KnowBe4 RanSim

To test the operation of the Anti-Ransomware blade, you can use the free KnowBe4 RanSim tool, which runs a series of tests on the user's machine: 18 ransomware infection scenarios and 1 cryptominer infection scenario. It should be noted that the presence of several blades in the standard policy (Threat Emulation, Anti-Malware, Behavioral Guard) with the Prevent action does not allow this test to run correctly. However, even with a reduced security level (Threat Emulation in Off mode), the Anti-Ransomware blade test shows good results: 18 out of 19 tests were passed successfully (1 did not start).


Malicious files and documents

It is instructive to check the operation of the various blades of the standard Threat Prevention policy using malicious files of popular formats downloaded to the user's machine. This test involved 66 files in PDF, DOC, DOCX, EXE, XLS, XLSX, CAB and RTF formats. The test results showed that SandBlast Agent was able to block 64 of the 66 malicious files. Infected files were either deleted after downloading, or cleaned of malicious content by Threat Extraction and then delivered to the user.


Recommendations for improving the Threat Prevention policy

1. URL Filtering


The first thing that needs to be corrected in the standard policy to raise the security level of the client machine is to switch the URL Filtering blade to Prevent and specify the appropriate categories for blocking. In our case, all categories except General Use were selected, since they cover most of the resources to which user access should be restricted in the workplace. For such sites, it is also desirable to remove the users' ability to dismiss the warning window by unchecking the “Allow user to dismiss the URL Filtering alert and access the website” option.

2. Download Protection


The second setting worth attention is the users' ability to download files that are not supported by Check Point emulation. Since this section is about hardening the default Threat Prevention policy, the best option is to prevent unsupported files from being downloaded.

3. File Protection


You should also pay attention to the file protection settings, in particular the periodic scan schedule and the user's ability to postpone forced scans. Here the user's working hours must be taken into account; a good compromise between security and performance is to run the forced scan every day at a randomly selected time (from 00:00 to 8:00), and to let the user postpone the scan for at most one week.

4. Anti-Exploit


A significant drawback of the standard Threat Prevention policy is the disabled Anti-Exploit blade. It is recommended to enable this blade with the Prevent action to protect the workstation from exploit attacks. With this fix, the CheckMe retest completes successfully without finding vulnerabilities on the user's workstation.


Conclusion

To summarize: in this article, we got acquainted with the components of the standard Threat Prevention policy, tested this policy using various methods and tools, and described recommendations for improving the settings of the standard policy to raise the security level of the user machine. In the next article in the series, we will move on to the Data Protection policy and look at the Global Policy Settings.

A large selection of materials on Check Point is available from TS Solution. To avoid missing the following publications on the SandBlast Agent Management Platform, follow the updates on our social networks (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: habr.com
