Investigative Best Practices With Threat Prevention
©2015 Check Point Software Technologies Ltd.
Best Practices with Threat Prevention
Threat Emulation: fight targeted attacks that use unknown malware
Anti-Bot: identify and prevent bot communications
IPS: stop attacks exploiting known vulnerabilities
Incident Handling Process
Prepare: optimize the configuration based on network topology
Monitor: monitor Threat Prevention events to identify suspicious hosts
Identify: conclude whether the host is infected and with what type of malware
Investigate: investigate the malware and its behavior
Track: track infected computers' activity to identify additional infected computers
Remediate: recover infected machines
Preparations
Maximizing visibility
[Diagram: a host queries a malicious URL; the log displays the DNS server as the source (a bogus IP from the investigator's point of view); XFF field added by the proxy server]
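The visibility problem the diagram points at, worked as an added example (this is not Check Point code and the field names, proxy and resolver addresses are assumptions): when a gateway log shows the proxy's or the DNS resolver's address as the source, the entry does not name the host to investigate. The function below recovers the originating client from the X-Forwarded-For (XFF) header only when the header was delivered by a known proxy, walking the chain from the right so a client that forges its own XFF value cannot redirect the investigation, and it flags resolver-sourced records so the analyst pivots to DNS query logs instead.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed addresses for this example (assumptions, not from the slides):
# the organisation's own forward proxies and its internal DNS resolver.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.0.0.6")}
DNS_SERVERS = {ipaddress.ip_address("10.0.0.53")}


def resolve_client(src_ip: str, xff: Optional[str]) -> str:
    """Return the address that should be treated as the client for a record.

    src_ip is the source the gateway saw on the connection; xff is the
    X-Forwarded-For value ("client, proxy1, proxy2": each proxy appends the
    address it received the request from). The header is honoured only when
    the peer that delivered it is one of our proxies, and the chain is walked
    from the right, skipping our own hops, so the first address we do not
    control is the answer. Anything further left may have been inserted by
    the client itself and is ignored.
    """
    if not xff or not xff.strip():
        return src_ip
    if ipaddress.ip_address(src_ip) not in TRUSTED_PROXIES:
        return src_ip  # a non-proxy peer cannot be trusted to have added the header
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # malformed entry, skip it
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return src_ip  # every hop was one of ours; fall back to the connection source


def attribute(record: Dict[str, Optional[str]]) -> Tuple[str, str]:
    """Map a log record to (address to investigate, how it was determined)."""
    src = record["src"]
    if ipaddress.ip_address(src) in DNS_SERVERS:
        # The gateway saw the resolver, not the machine that asked for the
        # name: pivot to the resolver's query logs to find the real host.
        return src, "dns-server"
    client = resolve_client(src, record.get("xff"))
    return client, ("xff" if client != src else "direct")


# Constructed sample records (not real logs).
SAMPLE_RECORDS = [
    {"src": "10.1.1.20", "xff": None},                               # direct connection
    {"src": "10.0.0.6", "xff": "10.1.1.30, 10.0.0.5"},               # client behind two proxies
    {"src": "10.0.0.6", "xff": "198.51.100.9, 10.1.1.31, 10.0.0.5"}, # client forged a leading entry
    {"src": "10.1.1.40", "xff": "198.51.100.9"},                     # header from a non-proxy peer
    {"src": "10.0.0.53", "xff": None},                               # resolver, not the querying host
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec, "->", attribute(rec))
```

The third record is the case worth remembering: the leftmost XFF entry is whatever the client chose to send, so trusting "the first IP in the header" hands the attacker control over which machine gets investigated.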
Hosts with Anti-Bot (AB) incidents: severity levels Medium and above should be investigated immediately.
Hosts with multiple Anti-Virus (AV) incidents: any severity, also when the event severity is Low…
Anti-Virus (AV) or Threat Emulation (TE) incidents in detect mode: if the incident was identified but was not blocked because of the detect mode configuration, investigate further whether the machine got infected.
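The three triage rules above, applied to constructed Threat Prevention events as an added example (not Check Point code; the event fields, the severity scale beyond Low and Medium, and the "Prevent"/"Detect" action values are assumptions for the example):

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Severity scale assumed for the example; the slides only name Low and Medium.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class TPEvent:
    """One Threat Prevention log entry (constructed shape, not a real log schema)."""
    host: str
    blade: str     # "AB" (Anti-Bot), "AV" (Anti-Virus) or "TE" (Threat Emulation)
    severity: str
    action: str    # "Prevent" if the gateway blocked it, "Detect" if it only logged it


def hosts_to_investigate(events: Iterable[TPEvent]) -> Dict[str, Set[str]]:
    """Apply the three triage rules; returns {host: set of reasons}."""
    by_host: Dict[str, List[TPEvent]] = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    flagged: Dict[str, Set[str]] = {}
    for host, evs in by_host.items():
        reasons: Set[str] = set()
        # Rule 1: any Anti-Bot incident at Medium or above -> investigate immediately.
        if any(e.blade == "AB" and SEVERITY_RANK[e.severity] >= SEVERITY_RANK["Medium"]
               for e in evs):
            reasons.add("AB incident at Medium or above")
        # Rule 2: more than one Anti-Virus incident, regardless of severity.
        if sum(1 for e in evs if e.blade == "AV") > 1:
            reasons.add("multiple AV incidents")
        # Rule 3: AV or TE incident seen but not blocked (detect mode): the payload
        # reached the host, so check whether it actually got infected.
        if any(e.blade in ("AV", "TE") and e.action == "Detect" for e in evs):
            reasons.add("AV/TE incident not blocked (detect mode)")
        if reasons:
            flagged[host] = reasons
    return flagged


def prioritised(events: Iterable[TPEvent]) -> List[str]:
    """Flagged hosts in pick-up order: Anti-Bot hits first, then the rest by address."""
    flagged = hosts_to_investigate(events)
    return sorted(flagged,
                  key=lambda h: (0 if "AB incident at Medium or above" in flagged[h] else 1, h))


# Constructed sample events.
SAMPLE_EVENTS = [
    TPEvent("10.1.1.20", "AB", "High", "Prevent"),
    TPEvent("10.1.1.21", "AB", "Low", "Prevent"),      # below threshold, no other signal
    TPEvent("10.1.1.22", "AV", "Low", "Prevent"),
    TPEvent("10.1.1.22", "AV", "Low", "Prevent"),      # second AV hit on the same host
    TPEvent("10.1.1.23", "TE", "Medium", "Detect"),    # identified but not blocked
    TPEvent("10.1.1.24", "AV", "Low", "Prevent"),      # single blocked AV hit
]

if __name__ == "__main__":
    flagged = hosts_to_investigate(SAMPLE_EVENTS)
    for host in prioritised(SAMPLE_EVENTS):
        print(host, sorted(flagged[host]))
```

Note that rule 2 counts incidents per host rather than looking at severity, which is what makes a string of Low-severity AV hits on one machine stand out.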
Other Threat Prevention incidents
1. Correlating events  2. Deep-dive Analysis  3. Suspicious Indicators
A. Destination Country
G. Site popularity
Go to threatwiki.checkpoint.com and search the protection name for: Risk Level, Malware Family, Obsolete Records
Focus on the following:
1. URLF alerts
2. Category field: a. General, b. High Risk, c. In-active
3. Suspicious Countries
4. Unusual working hours
1. Isolate
2. Complete Classification
3. Consider Remediation Tools
4. Re-image
5. Recover
6. Increase Awareness
1-866-923-0907 (24/7)
Email address for events that are not time critical:
emergency-response@checkpoint.com
Investigate: conclude if the host is infected:
• Correlate events on the host
• Drill-down analysis for each event
• Look for suspicious indicators
Review: use past findings to identify new infections:
• Classify related events
• Who communicated with the malicious addresses?
Remediate: recover the infected machine. Re-image if possible.
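The "Review" step above (use past findings to identify new infections: classify related events, then ask who communicated with the malicious addresses), worked as an added example over constructed log lines. This is not Check Point code and the key=value line format, blade names and addresses are assumptions for the example. Destinations that Anti-Bot flagged on a host already concluded to be infected become the indicators; every other host that contacted one of them, whatever blade logged the connection, is a candidate for the same investigation.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed log lines in a simple key=value form (an assumption for the
# example, not the gateway's real log format). 10.1.1.20 is the host already
# concluded to be infected; the others have only firewall Accept entries.
SAMPLE_LOG = """\
time=2015-03-01T09:02:11Z src=10.1.1.20 dst=198.51.100.77 blade=AB severity=High action=Prevent
time=2015-03-01T09:05:40Z src=10.1.1.20 dst=198.51.100.78 blade=AB severity=High action=Prevent
time=2015-03-01T09:07:03Z src=10.1.1.22 dst=198.51.100.77 blade=FW action=Accept
time=2015-03-01T09:09:15Z src=10.1.1.23 dst=203.0.113.10 blade=FW action=Accept
time=2015-03-01T09:11:58Z src=10.1.1.24 dst=198.51.100.78 blade=FW action=Accept
time=2015-03-01T09:12:30Z src=10.1.1.24 dst=198.51.100.77 blade=FW action=Accept
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line of key=value pairs into a dict."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(field.split("=", 1) for field in line.split()))
    return records


def indicators_from_confirmed(records: List[Dict[str, str]],
                              confirmed_hosts: Set[str]) -> Set[str]:
    """Classify related events: the destinations Anti-Bot flagged on hosts already
    concluded to be infected are the malicious addresses to pivot on."""
    return {r["dst"] for r in records
            if r["src"] in confirmed_hosts and r.get("blade") == "AB"}


def who_communicated(records: List[Dict[str, str]], indicators: Set[str],
                     confirmed_hosts: Set[str]) -> Dict[str, Set[str]]:
    """Hosts not yet confirmed that talked to any malicious address, with the
    addresses each one contacted. Plain firewall Accept entries count too: the
    Anti-Bot blade may not have fired for these hosts."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["src"] not in confirmed_hosts and r["dst"] in indicators:
            hits[r["src"]].add(r["dst"])
    return dict(hits)


def new_candidates(text: str, confirmed_hosts: Set[str]) -> Dict[str, Set[str]]:
    """Full pivot: parse the log, derive indicators, find additional hosts."""
    records = parse_log(text)
    return who_communicated(records, indicators_from_confirmed(records, confirmed_hosts),
                            confirmed_hosts)


if __name__ == "__main__":
    for host, dsts in sorted(new_candidates(SAMPLE_LOG, {"10.1.1.20"}).items()):
        print(host, "contacted", sorted(dsts))
```

Each candidate returned here goes back through the Investigate step (correlate, drill down, look for indicators) before it is treated as infected; a single connection to a flagged address is a lead, not a conclusion.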