15 Threat Prevention TE & TEX Lab

This document discusses enabling and testing the SandBlast threat prevention capabilities on a Check Point gateway. It covers configuring the gateway as an MTA, enabling Threat Emulation and Threat Extraction, understanding the related settings, and testing by sending malicious files via email to observe the gateway's behavior.

SANDBLAST NETWORK LAB
R80 Training

Updated Nov. 5, 2020 ©2020 Check Point Software Technologies Ltd.


New threat variants are released daily. Your organization needs a layer of protection that will eliminate the vulnerability gap that exists between when an infection occurs and the time a new detection signature becomes available.

Hackers constantly modify their strategies and techniques to evade detection and reach corporate resources. Check Point SandBlast Zero-Day Protection, with evasion-resistant malware detection, provides comprehensive protection from even the most dangerous attacks while ensuring quick delivery of safe content to your users.



SandBlast Threat Prevention Lab
Enable SandBlast
SandBlast Activation Review

 Select the different options and compare the differences.
 Select ThreatCloud Emulation Service and select Next.



Review Questions

1. Name one advantage of doing the emulation using the Cloud Emulation Service.
2. Name one advantage of doing emulation locally on a dedicated Threat Emulation appliance.



Review Answers

1. Name one advantage of doing the emulation using the Cloud Emulation Service.
Some example answers: It can be enabled on any gateway for the entire organization. It doesn't require adding additional hardware. It can easily scale by extending or purchasing a larger quota.

2. Name one advantage of doing emulation locally on a dedicated Threat Emulation appliance.
One example answer: No data leaves the organization, so this addresses privacy concerns.



SandBlast Threat Prevention Lab
Enable SandBlast
 In our SandBlast testing some samples will be caught by IPS.
 Select IPS and ensure the activation mode is set to Detect only, so IPS logs those samples but does not drop them before Threat Emulation gets to inspect them.
 In General Properties enable Threat Extraction.
 This launches the MTA configuration wizard.



SandBlast Threat Prevention Lab
Enable SandBlast
 In Domain enter "*" to forward all emails. (In a production deployment, list only the domains the gateway should accept mail for rather than "*".)
 Select Win-DC as the Next Hop mail server.
 Click Next and the wizard checks the connection to the mail server on win-dc.
 Click Finish.
 To simplify our tests, we'll first test with Threat Extraction disabled. Uncheck Threat Extraction.

Note: Enabling a Check Point gateway as an MTA requires some infrastructure changes, either to DNS MX records or to your existing mail server, so that mail is routed through the gateway before it reaches the mail server.



SandBlast Threat Prevention Lab
Enable SandBlast
• Select Threat Emulation. Notice the settings are according to policy and we use
the cloud environment.
• In Advanced you may notice only two images are available when first enabling
Threat Emulation.
• Click OK to close the Gateway object.



SandBlast Threat Prevention Lab
Enable SandBlast
 Go to the Threat Prevention policy.
 Notice the policy addition for MTA.
 Change the profile to our new Optimized (clone).



SandBlast Threat Prevention Lab
Enable SandBlast
• In SECURITY POLICIES, select Threat Prevention, then Updates.

• Click Schedule Updates. To understand the difference between an image and an engine
click the ? and read the online help.




SandBlast Threat Prevention Lab
Enable SandBlast
 Go to SECURITY POLICY -> Threat Prevention, click on Profiles and double click to open the Optimized (clone) profile.
 Select Threat Emulation.
 File types: the default processes all enabled file types. To understand what these are, select the highlighted (x out of x).
 Click Cancel to accept the defaults.



SandBlast Threat Prevention Lab
Enable SandBlast
 Select Threat Emulation -> Emulation
Environments.
 To understand emulation
environments select Use the following
emulation environments.
 Change back to use recommended.



SandBlast Threat Prevention Lab
Enable SandBlast
 Select Threat Emulation -> Advanced.
 Notice the default is to allow the connection and do emulation in the background. Emulation takes time, and in background mode the first copy of a new file is delivered before a verdict exists.
 Select Custom.
 For SMTP we'll change this to Maximum Prevention, which holds the email until the verdict returns. Since the user is unaware of any latency for SMTP connections due to the MTA, we can safely do this.



SandBlast Threat Prevention Lab
Enable SandBlast
• Select Threat Extraction.
• Notice the default is Extract files
from potential malicious parts.
• Click Configure to review what this
means.
• For this lab we’ll set the Extraction
method to Convert to PDF.
• Enable Web in the Protocol
section.
• Click OK.
• Install the Policy.



SandBlast Threat Prevention Lab
Enable SandBlast
• Common Threat Prevention settings that all Profiles share are configured in MANAGE & SETTINGS -> Blades -> Threat Prevention (Advanced Settings…).
• This is also where the maximum file size for emulation is set, up to 15,000 KB (~15 MB). Files above this limit are not emulated.
• Click Cancel.



SandBlast Threat Prevention Lab
Enable SandBlast
 Click Threat Extraction.
 Click Configure Mail Signatures.
 Here you can customize the
message the user receives.
 Click Cancel.



SandBlast Threat Prevention Lab
Test SandBlast
 To test Threat Emulation we'll send emails with sample files from the jump-server to [email protected]
 The email client (eM Client) on the jump server was configured to send the emails to the gateway, which is now configured as a Mail Transfer Agent (MTA).
 The gateway inspects the emails. When it has a verdict it sends the emails to the mail server on Domain-Controller.
 On win-victim we check the emails with a Thunderbird email client.
 The jump server also includes utilities to change the MD5 hash of the sample files, so that a verdict cached from an earlier test is not reused.



SandBlast Threat Prevention Lab
Test SandBlast
 On the jump server is a malicious file resume.doc. Since its hash may be recognized from a previous test, first create a variant.
 Open a cmd window and change to the MaliciousFiles directory.
 C:\> cd \MaliciousFiles
 Run create_variant.bat. Follow the prompts to create a variant of resume.doc.



SandBlast Threat Prevention Lab
Test SandBlast
Threat Emulation and Threat Extraction Test
 Launch the eM Client (email client) from the jump-server.
 Create a new email and attach to it the resume.doc in C:\MaliciousFiles.
 In the To: field select User1 from the contact list.
 Connect over SSH to the gateway. To watch the cloud queue, enter
 # watch tecli show cloud queue
 (watch this screen while you send the email in the next step)
 Send the email.

Note: If you see an eM Client license error, click Activate Now or use
d3483451-4bb3-4d77-81c1-213ed2ca142d.
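The variant-and-send steps above, scripted, as an added example that is not the lab's create_variant.bat, eM Client, or any Check Point code. It appends a trailer to a constructed stand-in for resume.doc so the MD5/SHA-256 change (the assumption, stated in the code, is that a variant generator works this way and that .doc readers ignore trailing bytes), refuses attachments above the 15,000 KB emulation limit from the Advanced Settings slide, and builds the email the gateway MTA would receive. The addresses are assumptions; sending only happens when MTA_HOST is set.

```python
"""Added example (not the lab's create_variant.bat or eM Client): make a
hash-distinct variant of a sample attachment and build/send the email that
carries it through a gateway acting as MTA."""
import hashlib
import os
import smtplib
import tempfile
from email.message import EmailMessage
from pathlib import Path

# Lab slide: maximum file size for emulation is configurable up to 15,000 KB.
MAX_EMULATION_KB = 15_000


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of a blob; these are the keys a verdict cache is looked up by."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def make_variant(src: Path, dst: Path, tag: bytes = b"") -> dict:
    """Write a copy of src with a trailer appended so every hash changes.
    Assumption: this is what a variant generator like the lab's batch file
    does in spirit; OLE2 (.doc) readers generally ignore bytes after the last
    sector, so the document still opens while its MD5/SHA-256 differ."""
    data = src.read_bytes()
    trailer = tag or os.urandom(16)
    variant = data + b"\n" + trailer
    dst.write_bytes(variant)
    return {"original": file_hashes(data), "variant": file_hashes(variant)}


def build_message(sender: str, recipient: str, attachment: Path,
                  subject: str = "Resume", max_kb: int = MAX_EMULATION_KB) -> EmailMessage:
    """Build the email. Refuse attachments over the emulation size limit:
    they would be delivered without a sandbox verdict, which defeats the test."""
    data = attachment.read_bytes()
    size_kb = len(data) / 1024
    if size_kb > max_kb:
        raise ValueError(f"{attachment.name} is {size_kb:.0f} KB, above the "
                         f"{max_kb} KB emulation limit")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(data, maintype="application", subtype="msword",
                       filename=attachment.name)
    return msg


def send_via_mta(msg: EmailMessage, host: str, port: int = 25) -> None:
    """Hand the message to the gateway MTA (plain SMTP, as the lab client does)."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.send_message(msg)


def demo() -> dict:
    """Run the variant + build steps on a constructed stand-in for resume.doc."""
    work = Path(tempfile.mkdtemp())
    src = work / "resume.doc"
    # Constructed sample: OLE2 magic plus filler, NOT real malware. Stands in
    # for the resume.doc in the jump server's MaliciousFiles directory.
    src.write_bytes(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
                    + b"constructed sample, not malware")
    dst = work / "resume-variant.doc"
    hashes = make_variant(src, dst, tag=b"variant-01")
    # Addresses are assumptions; the lab's recipient is User1 in the contact list.
    msg = build_message("jump@lab.example", "user1@lab.example", dst)
    attachments = list(msg.iter_attachments())
    return {"hashes": hashes,
            "attachment_name": attachments[0].get_filename(),
            "attachment_count": len(attachments),
            "message": msg}


if __name__ == "__main__":
    result = demo()
    for which, h in result["hashes"].items():
        print(f"{which:8s} md5={h['md5']}  sha256={h['sha256'][:16]}...")
    host = os.environ.get("MTA_HOST")  # e.g. the lab gateway; unset = do not send
    if host:
        send_via_mta(result["message"], host)
```

Run it once per test to get a fresh hash, then watch `tecli show cloud queue` on the gateway while the message is in flight; a second send of the same variant should not appear in the queue because the verdict is already cached.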



SandBlast Threat Prevention Lab
Test SandBlast
 In SmartConsole navigate to LOGS and select the Threat
Prevention All query.
 Enable AutoScroll.




SandBlast Threat Prevention Lab
Test SandBlast
 Emulation takes time. The jump-server sends an email to the R80 gateway.
The R80 gateway sends the file to the cloud for emulation. When a verdict
is returned the file is sent to the mail server on win-dc.
 How long does it take to process the file?



SandBlast Threat Prevention Lab
Test SandBlast
 Check the Thunderbird client on win-victim for the email.
 When malware is detected, the attachment is removed. Notice the attachment is not resume.doc. It should be a message saying the file was malicious.
 Would an average user have been tricked into opening the attachment?



SandBlast Threat Prevention Lab
Test SandBlast
 Check the LOGS & MONITOR Logs tab for Threat Emulation events.
 Click on View Report to view a detailed analysis.



SandBlast Threat Prevention Lab
Test SandBlast
 Send the same resume.doc file again.
 How long does it take to receive the email?
 It should be fairly quick because the gateway now has a cached verdict for the file's hash, so no new emulation is needed.
 Check the LOGS & MONITOR Logs tab for Threat Emulation events.



SandBlast Threat Prevention Lab
Test SandBlast
• Threat Extraction enables us to remove active content from files and only send safe content while the emulation happens in the background.
• Edit the Gateway object.
• Enable Threat Extraction.
• Install the policy.



SandBlast Threat Prevention Lab
Test SandBlast
 What would happen when a safe document is sent?
 Send the clean.doc file, followed by the resume.doc file.
 How long does it take to receive the email?
 Notice the Word document is converted to PDF.
 If you trust the source click on the link to the original attachment.
 In the UserCheck message enter a reason to access the Word doc.



SandBlast Threat Prevention Lab
Test SandBlast
 To test access over HTTP, Open Chrome on the win-victim machine and click on
the Download Files link in the bookmark. This web site includes sample files. Click
on one of the files. Open the files and notice that some have a watermark at the
top of the file with a link to the original file.



Review Questions

1. Open the logs for SMTP Emulation and see if you can find the Determined By field. Was the verdict determined in the cloud or from a local cache?

Review Answers

1. Local Cache

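A way to answer the review question systematically across the whole test run, as an added example that is not Check Point code: group Threat Emulation events by file hash, record where the first verdict and each later verdict came from, and show why the re-hashed variant from the earlier slides was emulated again instead of served from cache. The events are constructed, and the field names (file_name, file_md5, verdict, determined_by) are assumptions modelled on the SmartConsole columns, not the keys of any real log export.

```python
"""Added example (not Check Point code): review Threat Emulation events to
see where each verdict came from and why a re-hashed variant is emulated anew."""
from collections import defaultdict

# Constructed events. Field names are assumptions modelled on the SmartConsole
# columns File Name / File MD5 / Verdict / Determined By; they are not the
# exact keys of any Check Point log export.
SAMPLE_EVENTS = [
    {"time": "10:01:05", "file_name": "resume.doc", "file_md5": "a1" * 16,
     "verdict": "Malicious", "determined_by": "ThreatCloud"},
    {"time": "10:03:40", "file_name": "resume.doc", "file_md5": "a1" * 16,
     "verdict": "Malicious", "determined_by": "Local cache"},
    {"time": "10:05:12", "file_name": "clean.doc", "file_md5": "b2" * 16,
     "verdict": "Benign", "determined_by": "ThreatCloud"},
    {"time": "10:06:30", "file_name": "resume.doc", "file_md5": "c3" * 16,
     "verdict": "Malicious", "determined_by": "ThreatCloud"},
]


def verdict_sources(events):
    """Per file hash: the source of the first verdict, the sources of every
    later sighting, and whether all sightings agreed on the verdict."""
    by_hash = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_hash[ev["file_md5"]].append(ev)
    report = {}
    for md5, evs in by_hash.items():
        verdicts = {e["verdict"] for e in evs}
        report[md5] = {
            "first": evs[0]["determined_by"],
            "repeats": [e["determined_by"] for e in evs[1:]],
            "verdict": evs[0]["verdict"],
            "consistent": len(verdicts) == 1,
            # A repeat that went back to the cloud means the cached verdict
            # was not reused (expired, or a different environment set).
            "cache_misses_on_repeat": sum(
                1 for e in evs[1:] if e["determined_by"] != "Local cache"),
        }
    return report


def hashes_seen_for(events, file_name):
    """Distinct hashes behind one file name: more than one means the sender
    re-hashed it (as create_variant does), so the cache could not short-circuit
    emulation for the new copy."""
    return sorted({e["file_md5"] for e in events if e["file_name"] == file_name})


if __name__ == "__main__":
    for md5, r in verdict_sources(SAMPLE_EVENTS).items():
        print(md5[:8], r["verdict"], "first:", r["first"], "repeats:", r["repeats"])
    print("resume.doc hashes:", hashes_seen_for(SAMPLE_EVENTS, "resume.doc"))
```

In the constructed run the first resume.doc is decided by the cloud and its resend by the local cache, which is the expected answer; the variant carries a new hash and so goes to the cloud again. A repeat sighting with a cache miss, or two different verdicts for one hash, is what to look for when the lab's timing does not match expectations.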


SandBlast Threat Prevention Lab
MTA Status
 Navigate to LOGS & MONITOR. Click + to open a new tab.
 Notice there are 3 MTA reports. Double click to open MTA Overview
or one of the other views.



SandBlast Threat Prevention Lab
Prep for Endpoint Labs
 To prepare for the endpoint labs, edit the Gateway object and set IPS, Anti-Bot
and Anti-Virus, Threat Emulation and Threat Extraction to Detect.
 Edit the Access Control policy. Right click on rule 4.1 and select Disable. Install
the policy.



End of the SandBlast
Threat Prevention Lab

