Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Best Practices
with Threat
Prevention
Threat Emulation
Anti-Bot
IPS
©2015 Check Point Software Technologies Ltd. 4
Incident Handling Process
Prepare
Optimizing configuration
Prepare based on network topology
Track
Conclude if the host is
infected and with what type of
Investigate malware and its behavior
Bogus IP
The log
DNS displays
Server XFF field
added by
proxy
server
Hosts with
Anti-Bot (AB)
incidents
Severity levels
Medium and
above should
be investigated
immediately
Hosts with
multiple
Anti-Virus (AV)
incidents
Any severity.
Also when
event Severity
is Low…
Anti-Virus (AV)
or Threat
Emulation (TE)
incidents in
detect mode.
If the incident
was identified
but was not
blocked due to
detection mode
configuration,
further
investigate if the
machine got
infected
©2015 Check Point Software Technologies Ltd. 17
Other Threat Prevention incidents
1 2 3
Correlating Deep-dive Suspicious
events Analysis Indicators
A. Destination Country
G. Site popularity
Go to threatwiki.checkpoint.com
and search the protection name:
Risk Level
Malware Family
Obsolete Records
Propagation Attempt
X X X Destination address could be legitimate
Focus on the
following:
1. URLF alerts
2. Category field:
a. General
b. High Risk
c. In-active
3. Suspicious
Countries
4. Unusual working
hours
1. Isolate
2. Complete Classification
3. Consider Remediation Tools
4. Re-image
5. Recover
6. Increase Awareness
1-866-923-0907 (24/7)
Email address for events that are not time critical:
emergency-response@checkpoint.com