Investigative Best Practices with Threat Prevention
©2015 Check Point Software Technologies Ltd. 1
Introduction
Organizations today are facing unprecedented growth
in the diversity and number of security threats from
advanced and sophisticated malware.
To help stay ahead of modern malware, early detection and rapid response are essential!
Introduction
This guide provides easy-to-use tools and guidelines for implementing a malware investigation process using the Threat Prevention Software Blades.
Using this guide you will be able to:
• Investigate if a host is truly infected with malware
• Identify the malware type and potential damages
• Detect suspicious behavior that might indicate additional infected computers
• Remediate infected computers
Advanced Threat Prevention
Anti-Virus: Block access to malware-infested websites; block downloads of known malware
Threat Emulation: Fight targeted attacks that use unknown malware
Anti-Bot: Identify and prevent bot communications
IPS: Stop attacks exploiting known vulnerabilities
Incident Handling Process
Prepare: Optimizing configuration based on network topology
Identify: Monitor Threat Prevention events to identify suspicious hosts
Investigate: Conclude if the host is infected and with what type of malware; investigate the malware and its behavior
Track: Track infected computers’ activity to identify additional infected computers
Remediate: Recover infected machines
Preparations
Maximizing visibility
Preparations
Improve Threat Visibility
1. Prepare my SmartEvent View
2. Improve visibility when computers are behind
proxy and/or DNS server
Preparations
1. Prepare my SmartEvent View
Review Threat Prevention events grouped by Source:
1. In SmartEvent, click the Events tab
2. From the left-pane, click:
Predefined > Threat Prevention > All Events.
Note: Adjust the presented time range to match the review period (the default is 12H).
Periodic Monitoring with SmartEvent
Unlike log utilities, SmartEvent provides a high-level
overview that also lets you zero in during an analysis.
Schedule a routine to review, analyze and
subsequently respond to alerts.
Preparations
2.1 Improve visibility by using XFF when
computers are behind a proxy server
In some network topologies, security events might
seem to be triggered by the proxy server, falsely
indicating that the proxy server is infected with a bot,
while the actually infected computers are those
deployed behind it.
• If computers are behind a proxy, enable X-Forwarded-
For (XFF) on your proxy server to identify the
actually infected computers
Proxy XFF (X-Forwarded-For)
Use your Proxy’s XFF feature to include the Source
IP in the log.
1. Configure the Proxy to include the XFF, so the
XFF will be displayed in the log.
2. You can configure the Gateway to strip the XFF
field so it won’t be revealed. For more
information, follow SK100223.
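As an added example (not Check Point’s own code or log format), this Python snippet shows how the XFF field lets you attribute a Threat Prevention event logged with the proxy as its source to the client behind it; the proxy address, internal range and log lines are constructed assumptions.

```python
import ipaddress
import re

# Assumptions for this example: the organization's web proxy and internal range.
PROXY_IPS = {"10.0.0.5"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed gateway log lines in a generic key=value form (not real Check Point output).
# The second line carries a client-forged XFF value ahead of the address the proxy appended.
LOG_LINES = [
    'time="2015-03-02 09:01:10" src=10.0.0.5 dst=198.51.100.7 blade=Anti-Bot '
    'protection="Zeroaccess.url" xff="10.1.1.20"',
    'time="2015-03-02 09:02:44" src=10.0.0.5 dst=198.51.100.7 blade=Anti-Bot '
    'protection="Zeroaccess.url" xff="203.0.113.9, 10.1.1.31"',
    'time="2015-03-02 09:03:02" src=10.1.1.77 dst=198.51.100.8 blade=Anti-Bot '
    'protection="Bad.url.1"',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def true_source(rec):
    """Return the host that really originated the connection.

    If the logged source is the proxy, the XFF field identifies the client behind it.
    The proxy appends the address it actually received the request from as the LAST
    element; anything before it arrived inside the client's own request headers and
    could have been forged, so only the last element is trusted.
    """
    src = rec["src"]
    if src not in PROXY_IPS or not rec.get("xff"):
        return src
    hops = [h.strip() for h in rec["xff"].split(",") if h.strip()]
    try:
        last = ipaddress.ip_address(hops[-1])
    except (ValueError, IndexError):
        return src  # unparseable XFF: keep the proxy as source and review manually
    return str(last) if last in INTERNAL else src


def attribute(lines):
    """Map each real source host to the protections it triggered."""
    hits = {}
    for line in lines:
        rec = parse(line)
        hits.setdefault(true_source(rec), []).append(rec["protection"])
    return hits


if __name__ == "__main__":
    for host, prots in attribute(LOG_LINES).items():
        print(host, prots)
```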
Preparations
2.2 Improve visibility when an internal DNS server is
deployed by enabling the ‘Malware DNS Trap’ feature
The issue: The Security Gateway blocks DNS requests to
malicious websites. However, when an internal DNS server
is deployed, the gateway will recognize the internal DNS
server IP as the source of these requests, indicating that the
DNS server might be infected while the actually infected
machine is a different computer, behind the DNS server
(see diagram on next page).
Solution: To identify computers generating DNS
requests to malicious websites when an internal DNS
server is deployed, enable the ‘Malware DNS Trap’ feature
on the Security Gateway.
How Malware DNS Trap works?
[Diagram: the Host sends a DNS query for a malicious URL through the Gateway to the DNS Server; the Gateway returns a bogus IP, and the Host’s subsequent HTTP connection to that bogus IP reveals the actual infected host.]
And what about an HTTP proxy? The log displays the XFF field added by the proxy server.
Identify
Computers requiring immediate attention
Hosts with Anti-Bot (AB) incidents: severity levels Medium and above should be investigated immediately.
Identify additional suspicious computers
Hosts with multiple Anti-Virus (AV) incidents, of any severity. Also when event severity is Low…
Detect mode incidents
Anti-Virus (AV) or Threat Emulation (TE) incidents in detect mode. If the incident was identified but was not blocked due to detection mode configuration, further investigate whether the machine got infected.
Other Threat Prevention incidents
The suspicious computers detected so far should be treated
with high priority. However, if there are additional security
events related to computers that are not a part of the list of
computers flagged in the previous steps, these additional
computers can be treated with lower priority (using the same
investigation methodology described in the following
sections).
INVESTIGATE
Investigate
Investigate a suspicious computer
Investigate suspicious computers in order to:
• Conclude if the computer is infected (is it real?)
Cleaning an infected computer might consume a lot of
time and resources. To maximize efficiency, you need to
identify the computers that are infected with high
confidence.
• Determine the malware type (what is it?)
It is also important to identify the malware type
in order to decide on the right cleaning method.
Investigate
Investigate a suspicious computer
After identifying suspicious computers, it is time to
investigate the incidents in 3 steps:
1. Correlating events
2. Deep-dive Analysis
3. Suspicious Indicators
Investigate
1. Correlating events
When correlating multiple Threat Prevention events,
observe the following:
1.1 Events with different protection types
1.2 Events with different protection names
1.3 Suspicious Anti-Virus Events
Event Correlation
1.1 Events with different protection types
Anti-Bot uses several protection types:
Protection Type                               | Protection Type Category
URL Reputation, DNS Reputation, IP Reputation | Address Reputation: reputation mechanism for URL, DNS, or IP addresses
Signatures                                    | Network Signatures: heuristics to identify bot communication patterns and behavior
Suspicious Mail                               | Outgoing spam: identifies outgoing spam
1.1 Events with different protection types
If a computer triggered AB incidents of two different
Protection Types*, you can conclude that the host is
infected with high confidence.
*Note that protection types from two different categories
indicate stronger confidence (e.g. IP Reputation and Signatures).
Event Correlation
1.2 Events with different protection name
The Protection Name reflects the indicator (e.g. URL,
IP, pattern) which was used to detect the infection.
Each protection triggered on the host is further
evidence of possible infection, thus increasing the
assurance it is infected.
Event Correlation
1.3 Suspicious Anti-Virus Events
Indications that Anti-Virus events are actually Bot
actions:
• Anti-Virus events followed by Anti-Bot events
• Multiple reputation events
• Suspicious Patterns
• Time pattern
• Repeating incidents
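The following Python example, added here and not part of the original deck, applies the correlation rules from 1.1 to 1.3 to a constructed set of events: distinct protection types and categories per host, the AV-followed-by-AB pattern, and how regular the repeating incidents are. Hosts, times and protection names are made up.

```python
from datetime import datetime
from statistics import mean, pstdev

# Category of each Anti-Bot protection type, taken from the table in 1.1.
CATEGORY = {
    "URL Reputation": "Address Reputation",
    "DNS Reputation": "Address Reputation",
    "IP Reputation": "Address Reputation",
    "Signatures": "Network Signatures",
    "Suspicious Mail": "Outgoing spam",
}

# Constructed sample events: (time, source host, blade, protection type, protection name).
EVENTS = [
    ("2015-03-02 09:00:00", "10.1.1.20", "AB", "DNS Reputation", "Zeroaccess.dns"),
    ("2015-03-02 09:30:00", "10.1.1.20", "AB", "DNS Reputation", "Zeroaccess.dns"),
    ("2015-03-02 10:00:00", "10.1.1.20", "AB", "Signatures", "Trojan.Win32.ZeroAccess.A"),
    ("2015-03-02 10:30:00", "10.1.1.20", "AB", "DNS Reputation", "Zeroaccess.dns"),
    ("2015-03-02 11:15:00", "10.1.1.31", "AB", "URL Reputation", "Bad.url.1"),
    ("2015-03-02 11:16:00", "10.1.1.31", "AB", "IP Reputation", "Bad.ip.1"),
    ("2015-03-02 14:02:00", "10.1.1.45", "AV", "Signatures", "Adware.Win32.Sample"),
    ("2015-03-02 14:05:00", "10.1.1.45", "AB", "URL Reputation", "Bad.url.2"),
]


def by_host(events):
    hosts = {}
    for ev in events:
        hosts.setdefault(ev[1], []).append(ev)
    return hosts


def repeat_regularity(events):
    """Coefficient of variation of the gaps between a host's events (0 = perfectly
    regular, as a bot callback often is); None when fewer than three gaps exist."""
    times = sorted(datetime.strptime(ev[0], "%Y-%m-%d %H:%M:%S") for ev in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def assess(events):
    """Apply the deck's correlation rules (1.1 to 1.3) to one host's events."""
    ab = [ev for ev in events if ev[2] == "AB"]
    av = [ev for ev in events if ev[2] == "AV"]
    types = {ev[3] for ev in ab}
    cats = {CATEGORY[ev[3]] for ev in ab}
    names = {ev[4] for ev in events}
    av_then_ab = any(a[0] < b[0] for a in av for b in ab)  # ISO timestamps sort as text
    if len(cats) >= 2:
        verdict = "infected: AB protection types from two categories"
    elif len(types) >= 2:
        verdict = "infected: two different AB protection types"
    elif ab and av_then_ab:
        verdict = "suspicious: AV event followed by AB event"
    elif ab:
        verdict = "suspicious: single AB protection type"
    else:
        verdict = "review: AV events only"
    return {"verdict": verdict, "protection_names": len(names),
            "regularity": repeat_regularity(events)}


if __name__ == "__main__":
    for host, evs in by_host(EVENTS).items():
        print(host, assess(evs))
```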
Investigate
2. Drill-down Event Analysis
Use the following tools and guidelines to gather more information about a single event:
2.1 Confidence Level
2.2 Connection Scope
2.3 Address Analysis
2.4 Event Time
2.5 ThreatWiki
2.6 Malware Analysis
Drill-down Event Analysis
2.1 Confidence Level
The higher the confidence level, the more likely it is
that the event was triggered by a real bot or AV incident.
The confidence level indicates how confident the Software
Blade is that the recognized attack is actually virus or
bot traffic. Some attack types are more subtle than
others, and legitimate traffic can sometimes be
mistakenly recognized as a threat. The confidence
level value shows how well the protection can correctly
recognize a specified attack.
Drill-down Event Analysis
2.2 Connection Scope
Check the Source / Destination: which hosts are involved?
AB incidents will be triggered primarily on outgoing
connections. However, consider these exceptions:
P2P communications: communication between two infected hosts
Incoming Traffic: your web server is the C&C; external bots use your public services (e.g. Geo)
Internal Traffic: the GW is placed between the host and the server
Drill-down Event Analysis
2.3 Address Analysis
Review and analyze the Destination / Resource field.
Signs that an address is malicious:
A. Unusual destination country
B. ‘Fishy’ Domain names
C. Randomized Domain names
D. Multiple destination addresses in the log
E. ‘whois’ shows suspicious info
F. Low reputation according to 3rd party engines
G. Low popularity using Google search
Address Analysis
A. Destination Country
Check the location of the external resource i.e.
Destination Country.
Is this traffic typical for your organization?
Address Analysis
B. ‘Fishy’ Domain name (typosquatting)
Common service that is misspelled. For example:
• ‘windoms’
• ‘hotmeil’
• ‘windows.cc’
Address Analysis
C. Randomized Domain names
Check if the URL looks as if it was created by a DGA (Domain Generation Algorithm).
In most cases you will notice multiple AB or AV
reputation incidents over a short time frame (bot
callback).
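As an added illustration of checks B and C (not from the original deck), this Python snippet scores destination domains for typosquatting against a short, assumed list of services the organization uses and for DGA-style randomness; the sample domains are constructed and the thresholds are heuristics.

```python
import math
from collections import Counter

# Assumption: services the organization's users legitimately reach (registrable names).
KNOWN_SERVICES = ["windows.com", "hotmail.com", "microsoft.com", "google.com"]


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())


def looks_generated(label):
    """Heuristic for DGA-style names: long, high entropy, few vowels."""
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return len(label) >= 10 and entropy(label) >= 3.3 and vowels < 0.25


def classify(domain):
    """Return 'ok', 'typosquat:<service>', 'lookalike-tld:<service>' or 'random-looking'."""
    parts = domain.lower().strip(".").split(".")
    label, tld = (parts[-2], parts[-1]) if len(parts) > 1 else (parts[0], "")
    for service in KNOWN_SERVICES:
        s_label, s_tld = service.split(".")
        if label == s_label:
            # Same name under another TLD ('windows.cc') is a lookalike, not the service.
            return "ok" if tld == s_tld else f"lookalike-tld:{service}"
        d = edit_distance(label, s_label)
        if d == 1 or (d == 2 and len(s_label) >= 8):
            return f"typosquat:{service}"
    if looks_generated(label):
        return "random-looking"
    return "ok"


# Constructed sample destinations, including the deck's own 'fishy' examples.
SAMPLE = ["windoms.com", "hotmeil.com", "windows.cc", "cdn.google.com",
          "x7kq2pvmzr9tlwn.net", "example.org"]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d:24} {classify(d)}")
```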
Address Analysis
D. Multiple destinations in the event itself
A single protection triggered over multiple connections
• P2P connections to multiple Bots
• HTTP connection to a malicious Domain but different paths
Address Analysis
E. Suspicious registration/status info using ‘whois’
Go to whois.domaintools.com to get more info about
the URL or IP.
• (IP) organization name and contacts
• (IP,URL) Server status: Is it inactive?
• (URL) Registration: Is the Domain
registered? only recently?
• (URL) The Domain is for sale.
Address Analysis
F. External reputation engines
It is also recommended to use free web reputation
services such as: virustotal.com and mywot.com.
Address Analysis
G. Site popularity
Check the popularity of the Domain:
• Google the Domain and check the number of results
• Use analysis engines (e.g. Alexa.com) and check its report
Address Analysis – Guidelines
To understand how analysis of the destination address
impacts the confidence that the host is indeed infected,
consider the Protection Type:
• Anti-Bot Network Patterns: detection is address-independent.
In most cases the address will not yet be recognized by 3rd party
reputation engines, since the detection is by pattern.
Address Analysis – Guidelines
• Reputation-based: analyze the address to validate
• For some specific types of bot activities, the destination
address will be legitimate:
– P2P communications
– Bot connectivity testing
– Suspicious Mail
Drill-down Event Analysis
2.4 Event Time
Check the Time of the event.
Is it usual for your organization’s working hours?
Drill-down Event Analysis
2.5 ThreatWiki
Search the Protection Name in the ThreatWiki tool:
threatwiki.checkpoint.com.
This tool queries the ThreatCloud database and provides more
information about threats and their classification.
ThreatWiki
Go to threatwiki.checkpoint.com
and search the protection name:
ThreatWiki
You can also navigate directly from the
event card in SmartEvent:
ThreatWiki
The information presented will help you to
learn more about the threat
ThreatWiki
Malware Naming Convention
Check Point, like most security vendors, uses this convention to name malware:
Trojan . Win32 . ZeroAccess . A
(Type) . (Platform) . (Family) . (Variant)
Type: Classifies the threat behavior (Trojan, Virus, Adware, Backdoor)
Platform: The operating system on which the threat works (Win32, DOS)
Family: Classification according to similarities in the code, or origin.
Variant: Malware version, or any differentiation that results in a different hash
ThreatWiki
Risk Level
Classifies Risk level of threats:
(5) - (4) Critical and High:
Malware and Malicious tools with high or
critical risk for potential damage.
(3) Medium: Pornware or other Riskware,
as well as non-recent malware.
(2) Low: Adware - Unwanted software
that displays advertisements, but can also
send information about the user.
(1) Very Low: “not-a-virus” - Risky but
legal software that can be used by
criminals for compromising users.
ThreatWiki
Malware Family
Click on the Malware Family name to
read more about this family.
For common family names, ThreatWiki
includes generic entries with extended
information.
The first line in the description will
specify additional names for this family,
if any.
ThreatWiki
Obsolete Records
In case the Protection has been removed
from the ThreatCloud database, there
would be a statement that this protection
is obsolete.
Drill-down Event Analysis
2.6 Malware Analysis
In case of a virus incident, further investigate the type
of virus detected in order to understand the risk.
A. Study Threat Emulation Reports
This will also help you to conclude whether the user
machine is infected.
B. Cross-reference the file hash
Malware Analysis
A. Study Threat Emulation Reports
• What URLs have been accessed by the TE VM machine?
• Check if the user accessed these URLs:
  – Go to SmartLog search and type: “malicious_address”
  – If the user accessed these URLs, the machine is infected
• What processes have been opened?
  Check using our EP Compliance Blade!
Malware Analysis
B. Cross-reference the file hash
Use VirusTotal to find more information about
the threat:
1. Go to www.virustotal.com
2. Choose “Search” and enter the file hash
3. A report will be presented with info about the
threat.
Investigate
2. Drill-down Analysis - Summary
Understand the context of the event. Each malware activity has its own set of applicable drill-down checks (Connection Scope, Destination Address, Time, ThreatWiki, Malware Analysis) and the following investigation guidelines:
Malware Activity | Investigation Guidelines
Communication with C&C site / Malicious network activity / Malicious File Transfer | Perform full investigation
P2P communication with Botnet | Connection scope is not defined
Connectivity Testing / Lookup IP location | Destination address could be legitimate
Propagation Attempt | Destination address could be legitimate
Adware | If adware is permitted, classify event as false-alarm
Spam | The computer is infected, unless the user has deliberately sent Spam
AV, TE Virus Incidents | Number of total events is a strong indicator for infection
Investigate
3. Suspicious Indicators
If URL Filtering and Application Control are enabled,
search for additional unusual behavior from the host in
question. This will help to validate whether the host is
indeed infected.
Pay close attention to the following:
3.1 Malicious URLs
3.2 Direct Requests to the Internet
Suspicious Indicators
3.1 Malicious URLs
Perform historical analysis to identify additional
connections to infected sites.
• Review HTTP/S outgoing connections and look for
suspicious URLs.
• Investigate according to analysis guidelines 2.3
• List all suspicious addresses you have identified
Malicious URLs
• In the example below, the administrator would like to
perform additional checks to confirm the infection.
• We will use SmartEvent to analyze the URLs the
user accessed around the time of the incidents
shown below.
Malicious URLs
To review all sites the host has accessed, sorted by time:
1. In SmartEvent, click the Events tab
2. From the left-pane, click:
Predefined > APCL & URLF > More > Sites
3. On the upper right choose > Group by Source
4. Right click on Source > Edit Filter and add the suspicious IP
5. Sort by Start Time and scroll to the relevant time
Malicious URLs
Focus on the following:
1. URLF alerts
2. Category field:
   a. General
   b. High Risk
   c. In-active
3. Suspicious Countries
4. Unusual working hours
Suspicious Indicators
3.2 Direct Requests to the Internet
It is common for malware to send crafted packets
that try to bypass the local servers.
Review outgoing connections from the host (including
FW drops) and search for direct requests to external
Internet addresses, such as:
• Clients not using the DNS servers
• HTTP connections not via the Proxy
Investigate
Summary
1. Correlating events: Multiple protection types; Multiple protection names; Suspicious Anti-Virus events
2. Deep-dive Analysis: Confidence Level; Connection Scope; Address Analysis; Event Time; ThreatWiki; Malware Analysis
3. Suspicious Indicators: Malicious URLs; Direct Requests to Internet
Track
Track infected computers’ activity to
trace additional infections on network
Review
Identify Additional Infections
Once infections have been validated, as shown in the previous
stage (Investigate), use these new findings to trace
additional infections in your network:
1. Classify Related Events
2. Review Traffic to Malicious Addresses
Review
1. Classify Related Events
After confirming infections, look for repeating events on
other hosts:
1. In SmartEvent view, group events by Protection Name
2. Classify as infected hosts with the same confirmed incidents
3. Investigate hosts with events of similar malware family
Classify Related Events
• It is recommended to use the SmartEvent Ticketing
feature in order to keep track of past investigations
Review
2. Review Traffic to Malicious Addresses
• List all suspicious addresses you have identified
during the investigation phase conducted previously:
These are all the malicious or unknown destination
addresses seen from the infected host.
• Investigate all machines that have been
communicating with these addresses. These
machines are likely to be infected.
Review Traffic to Malicious Addresses
Review all outbound activity to malicious addresses
you have identified:
1. Open SmartLog
2. Go to quick search and type:
dst:<malicious_address>
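The following Python example is added here (it is not Check Point code) to show both checks over constructed connection records: the direct-request review from 3.2 and the search for other hosts that reached the malicious addresses listed during Investigate; the internal range, resolver, proxy and addresses are assumptions.

```python
import ipaddress

# Assumptions for this example: internal range, sanctioned resolver and proxy.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DNS_SERVERS = {"10.0.0.53"}
PROXIES = {"10.0.0.5"}
WEB_PORTS = {80, 443}

# Constructed connection log records: (time, src, dst, proto, dport, action).
# Dropped connections are kept on purpose: a blocked callback attempt is still evidence.
LOGS = [
    ("09:00:01", "10.1.1.20", "10.0.0.53", "udp", 53, "accept"),
    ("09:00:02", "10.1.1.20", "198.51.100.7", "tcp", 80, "drop"),
    ("09:00:05", "10.1.1.20", "192.0.2.53", "udp", 53, "drop"),
    ("09:01:10", "10.1.1.31", "10.0.0.5", "tcp", 8080, "accept"),
    ("09:02:00", "10.1.1.45", "203.0.113.44", "tcp", 443, "accept"),
    ("09:03:00", "10.1.1.60", "10.0.0.5", "tcp", 8080, "accept"),
    ("09:03:30", "10.0.0.5", "198.51.100.7", "tcp", 80, "accept"),
]

# Malicious or unknown destinations collected while investigating the first host.
MALICIOUS = {"198.51.100.7", "203.0.113.44"}


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def direct_requests(logs):
    """Hosts bypassing the local servers: DNS to anything but the sanctioned
    resolvers, or web traffic to external addresses not sent through the proxy."""
    findings = {}
    for t, src, dst, proto, dport, action in logs:
        if src in PROXIES or src in DNS_SERVERS:
            continue  # the proxy and resolver legitimately talk to the Internet
        reason = None
        if dport == 53 and dst not in DNS_SERVERS:
            reason = f"{t} DNS to {dst} ({action})"
        elif dport in WEB_PORTS and not is_internal(dst):
            reason = f"{t} direct HTTP/S to {dst} ({action})"
        if reason:
            findings.setdefault(src, []).append(reason)
    return findings


def hosts_contacting(logs, malicious):
    """Map each known-bad address to the hosts that sent traffic to it (any action).
    A proxy listed here means more clients may sit behind it: check the XFF field."""
    seen = {}
    for _, src, dst, _, _, _ in logs:
        if dst in malicious:
            seen.setdefault(dst, set()).add(src)
    return seen


if __name__ == "__main__":
    for host, reasons in direct_requests(LOGS).items():
        print(host, reasons)
    for dst, hosts in hosts_contacting(LOGS, MALICIOUS).items():
        print(dst, sorted(hosts))
```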
Remediate
Remediate
Remediation Procedure
1. Isolate
2. Complete Classification
3. Consider Remediation Tools
4. Re-image
5. Recover
6. Increase Awareness
Remediation Procedure
1. Isolate
Disconnect the computer from the network and notify the user that the computer cannot be re-connected until all malware has been successfully removed.
Remediation Procedure
2. Complete Classification
Study the malware before proceeding with
remediation (as shown in the ‘Investigate’ phase).
What is the malware family and its primary
purpose?
– The AB log should include it
– Search the Web for aliases
Remediation Procedure
3. Consider Remediation Tools
• If it is possible to identify the malware
installed, use dedicated remediation utilities
• You can find a list of tools on the
Check Point website
Remediation Procedure
4. Re-image
• It is always recommended to re-image an infected
machine to ensure that it is completely free of
malware.
• Also notice that malware can remove itself
from the machine when it detects that a
malware removal tool is running.
Remediation Procedure
5. Recover
• Change any default passwords (e.g. local admin
passwords and certificates). These are precisely the
types of credentials the bot will aim to acquire.
• If possible, consider remediating all infected
machines at the same time. Otherwise, other infected
hosts could begin to re-infect (the previously cleaned)
hosts using stolen credentials.
Remediation Procedure
6. Increase Awareness
Following the incident, awareness should be
increased to identify recurring infections.
Not sure what to do?
Contact our Incident Response Hotline!
1-866-923-0907 (24/7)
Email address for events that are not time critical:
[email protected]
Summary
Identify: Improve visibility to detect infections at an early stage:
• Use SmartEvent
• Perform periodic monitoring
• Consider your topology
Investigate: Conclude if the host is infected:
• Correlate events on the host
• Drill-down analysis for each event
• Look for suspicious indicators
Review: Use past findings to identify new infections:
• Classify related events
• Who communicated with the malicious addresses?
Remediate: Recover the infected machine. Re-image if possible.