Welcome to the new series of articles, this time on the topic of incident investigation, namely, malware analysis using Check Point forensics. Earlier, we published several video tutorials on working in Smart Event, but this time we will look at forensic reports on specific events in different Check Point products:
- Sandblast network
- Sandblast agent
- Sandblast mobile
- CloudGuard SaaS
Why is forensics of prevented incidents important? It would seem that I caught the virus, it’s already good, why deal with it? As practice shows, it is advisable not only to block the attack, but also to understand how it works: what was the entry point, what vulnerability was used, what processes were involved, whether the registry and file system were affected, what virus family, what potential damage, etc. . These and other useful data can be obtained in comprehensive reports of Check Point forensics (both in text and graphical form). Getting such a report manually is very difficult. Then this data can help take the necessary measures and exclude the possibility of the success of such attacks in the future. Today we’ll review the Check Point SandBlast Network forensics report.
Using sandboxes to enhance network perimeter security has long been commonplace and as a must-have component like IPS. At Check Point, the Threat Emulation blade is responsible for the sandbox functionality, which is part of SandBlast technologies (there is also Threat Extraction in the same place). We have already published a short Check Point SandBlast course for Gaia version 77.30 (I highly recommend viewing it if you don’t understand what this is about). From the point of view of architecture, nothing has fundamentally changed since then. If you have Check Point Gateway on the perimeter of the network, then you can use two options for integration with the sandbox:
- SandBlast Local Appliance – an additional SandBlast appliance is put on your network, to which files are sent for analysis.
- Sandblast cloud – files are sent for analysis to the Check Point cloud.
The sandbox can be considered the last line of defense on the perimeter of the network. It connects only after analysis by classical means – antivirus, IPS. And if such traditional signature tools do not provide practically any analytics, then the sandbox can “tell” in detail why the file was locked and what exactly it does malicious. Such a forensics report can be obtained from both local and cloud-based sandboxes.
Check point forensics report
Suppose you, as an information security specialist, came to work and opened a dashboard in SmartConsole. Immediately, you see incidents in the last 24 hours and your attention is drawn to Threat Emulation events – the most dangerous attacks that were not blocked by signature analysis.
You can “drill down” into these events (drill down) and see all the logs on the Threat Emulation blade.
After that, you can additionally filter the logs by the level of criticality of threats (Severity), as well as by Confidence Level (reliability of operation):
Having opened the event of interest to us, you can familiarize yourself with the general information (src, dst, severity, sender, etc.):
And there you can notice the section Forensics with affordable Summary report. By clicking on it, a detailed analysis of the malware in the form of an interactive HTML page will open in front of us:
(This is part of the page. The original can be viewed here)
From the same report, we can download the original malware (in the password-protected archive), or contact the Check Point response team right away.
A little lower, you can see a beautiful animation, which in percentage terms shows which already known malicious code our instance has in common (including the code itself and macros). This analytics is provided using machine learning in the Check Point Threat Cloud.
Then you can see what kind of activity in the sandbox made it possible to conclude that this file is malicious. In this case, we see the use of bypass techniques and an attempt to download encryptors:
You may notice that in this case the emulation was performed in two systems (Win 7, Win XP) and different software versions (Office, Adobe). Below is a video (slide show) with the process of opening this file in the sandbox:
At the very end, we can see in detail how the attack developed. Either in tabular form or in graphical form:
There we can download this information in RAW format and a pcap file for detailed analysis of generated traffic in Wireshark:
Using this information can significantly strengthen the protection of your network. Block virus propagation hosts, close vulnerabilities, block possible feedback from C&C, and much more. Do not neglect this analytics.
In the following articles, we will similarly review the reports of SandBlast Agent, SnadBlast Mobile, as well as CloudGiard SaaS. So stay tuned (Telegram, Facebook, VK, TS Solution Blog)!