topic Re: Customized smartview reports in Firewall and Security Management

Customized smartview reports

Kim_Moberg — Sat, 17 Mar 2018 20:00:33 GMT

Been playing around SmartView to generate a customized view for an report to bring value to the business.

Right now just working with containers and infografic.

This is my result until now, and still working on it, changing the filters and what to look after.

I have been asking the questions of how many of our public hosts have been scanned by attackers which either been prevented or detected, and how many of these hosts have the attackers used advanced exploits against each hosts and again prevented or detected.

I am not sure if the advanced attacks view is configured the right way.

Not sure if I should exclude the SSL and Scanner and Web Server Enforcement Violations attempt but to my knowledge it is only scanners like Shodan or Nessus etc.

My query is:

Fieldname is Source (attackers ip)

Blade = IPS
Action = Prevent
Severity = Medium OR High OR Critical
Confidence Level = Medium OR High OR Critical
Protection type NOT Engine Settings
Type NOT Control
Attack name NOT "SSL Enforcement Violation" NOT "Scanner Enforcement Violation" NOT "Web Server Enforcement Violation"
Destination: "ip address a.b.d.*"

What are your though about this view? Would it provide any value for you, or what kind of questions do you ask to get intelligence from your logs?

Which answers are you asking for while trying to extract threat intelligence?

Any suggestions or ideas?

Note! I can recommend this webinar Security Visibility Best Practices with SmartEvent

Re: Customized smartview reports

Oren_Koren — Sun, 18 Mar 2018 06:50:05 GMT

Hey Kim,

lets start from the protections them self's(in your query) :

NOT on SSL Enforcement Violation -

look at CVE-2014-3566 - i believe that you would like to see this kind of attacks - maybe you want "NOT scanner" instead?(in most of the scanners signatures you will have it written in the name so it will deduce most of them).

NOT "Web Server Enforcement Violation"

look at "GNU Bash Remote Code Execution" (a part of this violation) - i believe that you want to see this kind of information. and its the same for like the first 'Violation', a general 'not scanner' will present the need in your case(in most cases).

so - change the query for "NOT scanner"

now - the intelligence part is very interesting and lets take 'CVE-2014-6271' (a part of Web Server Enforcement Violation' for example:

when we prevent/Detect this kind of attack, we write for you \interesting things inside the log : you will see on 'Ser Agent Kid' & 'resource' fields a relevant data that will present what the attacker was trying to do (depends on the attack type ofcorse).

i will advice you to collect this intelligence data for:

testing it by your self (does it work for the admin in the network)
find F/P and add exception

now - what should you do from now?

if your need is "present for me the targeted hosts" - the easy way is to exclude SMTP and scanners (will clean most of the attacks not answering your question)
add to smart-log table those two fields (Ser Agent Kid & Resource) so you will be able to see them without looking on the logs them selfs.
Widgets
- add a table widget that present:
  - Destination
  - attack name
  - resource
  - ser agent kid
  - logs (count them)
- add a time line and divide the columns into the attack types ( in this way you will see that in day X you had Y attacks from Z type) - it will look like that:

the green is: Web servers PHPMyAdmin Misconfiguration Code Injection

Thanks,

Oren

Re: Customized smartview reports

Kim_Moberg — Sun, 18 Mar 2018 16:17:29 GMT

Oren,

Thank you for explaining why I am missing out some very important incident if I filter out "SSL Enforcement Violations" and "Web Server Enforcement Violations". I get the point, and I will adjust my view to get a better understanding.

I am also afraid of filtering too much out which could be important.

I will try out your suggestions.

I really liked your presentation on getting the numbers right. And I see first IPS logs, Anti-bot and Anti-virus logs that one needs to look into to get a better understanding.

For the 107.881 Threat Prevention logs, I would like to narrow down to real advanced attacks which have been going on for the week.

You have told in other settings that one needs to focus on the important logs. With the below SmartEvent Report with 30 advanced attack, I would like to focus on advanced exploits used for an attacks but prevented by the IPS blade, and I guess the 4 logs that needs action would be those that have been detected and possible provided access to the attacker. Like the attempt to use of using the apache struts vulnerability attack that have been used against many public Apache installation. That one is a nasty one, that gain remote access to execute commands on the apache servers

Have I misunderstood any thing here?

Those advanced attacks, while looking into the the following fields in SmartEvent logs.

Blade: IPS

Severity level: Medium OR High OR Critical

Confidence Level = Medium OR High OR Critical

Suppressed logs = more than 1 incident

I have tried to filter our attacks that is not generated internally to externally.

Here you see that last 7 days with different kinds of attacks from outside in.

For example I do not have any IoT presented public but still an advanced exploit other than a normal scanner like Shodan etc.

These I want to present in my SmartEvent Report. 42 advanced attack last 7 days but prevented, and none detected by IPS. But after a drill down on the report, I could see how advanced the attack have been? But will it then be the real view of reality?

I would like to generate a company threat report, without to much explanation, but still being able to see the real picture of reality.

Thanks

Kim

Re: Customized smartview reports

Oren_Koren — Sun, 18 Mar 2018 20:00:11 GMT

Hey Kim,

i want to start from the following flow:

now lets ask our-self what are the important flows(order based):

Detect/Prevent -> Infection - you need to have action on it(if your policy is according to Check Point recommendation. the DNS trap log will be in detect but the malware will not connect outside)
Detect -> why it wasn't prevented - you need to have action on it(policy or network side)
Prevent/Detect - who is the 'harmful' user in my network
Prevent/Detect - find an unknown server

*i can think about lots of others relevant & important flows but we need to start from something not so overwhelming.

by looking on those events and aggregate them - you will have a VERY SMALL numbers of incidents to look on.

(in your case and based on what you wrote - 0 incident to look on)

i had a work-shop with a customer few days ago (2000~ hosts in the network) and we sew the same thing.

0 security events that need to have action because of them.

if you are interested to see ALL of the attacks==Detected+Prevented in your network (and you have the time for it) - you can look on the other flows and query based on business questions.

intelligence part - you should take ones a month a time to look on the intelligence you have in your logs. we prevented/detected according to policy but see the real 'attack line' and deep-dive to the actual attack line that the attacker was trying to run will make us all a better security experts.

reporting - you can create a report like you create a View (same thing for you) - the best thing is to create the view and play with it, then create the report and generate it automatically.

one last thing - there are lots of technics to find cyber security incidents in a network based on Check Point logs (high ports connections, timing of connection, amount of data sent/received, applications, logins, etc...) you should start from Threat Prevention blades logs and understand them. then create the relevant views for your questions.

after that (and if you have the time for it) - dive in to 'behavioral analysis'.

i hope my answer will help you.

Thanks,

Oren