Dennis_Longneck
Participant

Automatic Adding of FBI/etc. Threat Indicators

On a regular basis we get emailed a list of threat indicators from the FBI and other cyber organizations. So when there are IPs or DNS names to block, we manually add them to our firewall rules.

 

I "thought" I saw somewhere there is a way to have automatic feeds to these and have the firewall updated automatically.  Do I recall correctly?  If so, is there any documentation on how to get this setup?

 

I have read this:

Configuring Threat Indicators (checkpoint.com)

But that is a manual process. I am looking for as automatic a process as possible.

Thanks for any suggestions/pointers.

Dennis

14 Replies
PhoneBoy
Admin

r1der
Contributor

Do you know if there's any advantage or disadvantage from either using the .txt feeds (Provider has a domain.txt and IP.txt) or the STIX feeds?

Either choice seems like it can be automated with that ioc_feeds, but I just wanted to double check since I have no experience in this.

Thanks!

PhoneBoy
Admin

Not as far as I remember.

Ruan_Kotze
Advisor

Check Point's own InfinitySoC allows you to manage your own threat feed.  IOC management is still in Early Access, but our testing has gone very well.

Nir_Naaman
Employee

Check Point NDR Smart Intel is a Generally Available solution that automates indicator input feed ingestion and distribution to Check Point and 3rd party gateways. It is also the basis for Infinity Vision SOC's IOC Management facility.

Customers who purchase Infinity SOC are automatically entitled to use NDR applications.

Check out https://community.checkpoint.com/t5/CloudGuard-NDR/NDR-Smart-Intel-User-Guide/m-p/131434 for details.

r1der
Contributor

Did you get this set up Dennis? I plan to do the same with a feed from MS-ISAC. Curious to see whether STIX or the TXT files would be best ingested into CP. Thanks!

Dennis_Longneck
Participant

I did not get it set up. I didn't see a way to have it done automatically, even with the MS-ISAC ones. 😞

skidsteerpilot
Explorer

We are running R80.40 and I have recently set up ioc_feeds with the MS-ISAC TAXII/STIX feeds. My lack of familiarity with STIX/TAXII/ioc_feeds probably quadrupled the time spent, but the short story is I had to use python/cabby (https://github.com/eclecticiq/cabby) and script a process to pull the feeds and parse out domain/url/ip data into a csv file for ioc_feeds to pull in. What I discovered was that Check Point will ingest a single STIX Package in txt format, but will not ingest a feed/file that consists of multiple STIX Packages rolled up into a single document, which is what I ended up with. I probably could have tinkered with the xml tags to see if I could get the CP to ingest it, but not knowing what the CP was looking for, I decided to stick with what I could easily decipher in the docs (csv). We comment each ioc with the associated feed so we can see it in the logs. This is not elegant, but it is functional. If there's a better way I'd be all ears....

From what I know IOC Feeds are only blocking outgoing connections and not incoming ones. Which is sometimes not what you want...
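
The conversion step described above (flatten a TAXII poll result that contains several STIX 1.x packages into one ioc_feeds CSV, with the feed name carried in the comment column so it shows up in the logs), as an added example. This is not code from the thread, from cabby, or from Check Point. The feed fetch itself is left to cabby; the script only handles the parsing. The CSV column order is my reading of the layout in Check Point's "Configuring Threat Indicators" documentation linked in the original question, so check the header against the documentation for your release; the sample XML is constructed and uses documentation-reserved addresses.

```python
"""
Flatten one or more STIX 1.x packages into a Check Point ioc_feeds CSV.

Added example, not code from the thread or from Check Point. Assumptions:
  * The input is STIX 1.x / CybOX 2.x XML, as served by TAXII 1.x feeds such
    as MS-ISAC.  Several STIX_Package elements may be rolled up under one
    arbitrary root element (the case that ioc_feeds would not ingest directly).
  * The output column order follows my reading of Check Point's
    "Configuring Threat Indicators" CSV layout:
        #UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
    Verify the header and the TYPE spellings against your release's docs.
"""
import csv
import io
import re
import xml.etree.ElementTree as ET

# CybOX object namespaces -> the element carrying the raw observable value,
# mapped to the ioc_feeds indicator type we emit for it.
VALUE_TAGS = {
    "{http://cybox.mitre.org/objects#AddressObject-2}Address_Value": "IP",
    "{http://cybox.mitre.org/objects#DomainNameObject-1}Value": "Domain",
    "{http://cybox.mitre.org/objects#URIObject-2}Value": "URL",
}
# CybOX joins multi-valued fields with this literal delimiter.
CYBOX_DELIM = "##comma##"
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def extract_indicators(stix_xml: str, feed_name: str):
    """Return rows (uniq_name, value, type, confidence, severity, product, comment).

    Walks the whole tree, so any number of STIX_Package elements under any root
    are handled.  Duplicate (value, type) pairs across packages are collapsed,
    because ioc_feeds requires unique indicator names.
    """
    root = ET.fromstring(stix_xml)
    seen = set()
    rows = []
    for tag, ioc_type in VALUE_TAGS.items():
        for elem in root.iter(tag):
            for raw in (elem.text or "").split(CYBOX_DELIM):
                value = raw.strip()
                if not value or (value, ioc_type) in seen:
                    continue
                # This feed file is IPv4-only by design; skip IPv6/malformed.
                if ioc_type == "IP" and not IPV4.match(value):
                    continue
                seen.add((value, ioc_type))
                rows.append((
                    f"{feed_name}-{len(rows) + 1}",   # UNIQ-NAME
                    value, ioc_type,                  # VALUE, TYPE
                    "high", "high", "AV",             # CONFIDENCE, SEVERITY, PRODUCT
                    f"source={feed_name}",            # COMMENT: visible in TP logs
                ))
    return rows


def to_csv(rows):
    """Serialize rows with the assumed ioc_feeds header line."""
    buf = io.StringIO()
    buf.write("#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT\n")
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


# Constructed sample: two STIX packages rolled up under one root, the shape
# you get when concatenating TAXII content blocks.  xsi:type attributes are
# omitted for brevity; the parser keys on element names, not on xsi:type.
SAMPLE = """<?xml version="1.0"?>
<Feed xmlns:stix="http://stix.mitre.org/stix-1"
      xmlns:indicator="http://stix.mitre.org/Indicator-2"
      xmlns:cybox="http://cybox.mitre.org/cybox-2"
      xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
      xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
      xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2">
  <stix:STIX_Package id="example:Package-1" version="1.2">
    <stix:Indicators>
      <stix:Indicator id="example:indicator-1">
        <indicator:Observable><cybox:Object><cybox:Properties category="ipv4-addr">
          <AddressObj:Address_Value>203.0.113.10##comma##203.0.113.11</AddressObj:Address_Value>
        </cybox:Properties></cybox:Object></indicator:Observable>
      </stix:Indicator>
      <stix:Indicator id="example:indicator-2">
        <indicator:Observable><cybox:Object><cybox:Properties>
          <DomainNameObj:Value>bad.example.net</DomainNameObj:Value>
        </cybox:Properties></cybox:Object></indicator:Observable>
      </stix:Indicator>
    </stix:Indicators>
  </stix:STIX_Package>
  <stix:STIX_Package id="example:Package-2" version="1.2">
    <stix:Indicators>
      <stix:Indicator id="example:indicator-3">
        <indicator:Observable><cybox:Object><cybox:Properties>
          <URIObj:Value>http://bad.example.net/payload</URIObj:Value>
        </cybox:Properties></cybox:Object></indicator:Observable>
      </stix:Indicator>
      <stix:Indicator id="example:indicator-4">
        <indicator:Observable><cybox:Object><cybox:Properties category="ipv4-addr">
          <AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value>
        </cybox:Properties></cybox:Object></indicator:Observable>
      </stix:Indicator>
    </stix:Indicators>
  </stix:STIX_Package>
</Feed>
"""

if __name__ == "__main__":
    print(to_csv(extract_indicators(SAMPLE, "MS-ISAC")), end="")
```

Run it as-is to see the four-row CSV produced from the constructed sample; in practice you would feed it the content blocks cabby returns and write the result to the location ioc_feeds polls. Keying on the CybOX value elements rather than on `xsi:type` is what lets the same code handle one package or many, which is the multi-package case the post ran into.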

PhoneBoy
Admin

In R81 it also blocks outgoing connections.
Even in pre-R81, while the outgoing connection is not blocked, the reply traffic from those IPs will be blocked.

genisis__
Advisor

When using feeds, are the blocks shown in the logs? Additionally, if we are asked to blacklist an IP, how can we easily confirm this is already taken care of?

Are there any performance overheads?

_Alex_
Advisor

Yes, because the feeds are added in AV/AB blades so you see them in TP logs. I didn't see any specific overheads by using the feature.

genisis__
Advisor

Nice. When I was talking about overhead, I assumed the gateway itself pulls the feed, therefore connectivity would go via slowpath. Interestingly, if this were a VSX setup, is the tool aware of VSs? Similar to log_exporter?

asafav
Employee

The feed is being pulled with "slow path" infrastructure, but the enforcement itself is running with fastpath.

IOC feeds infra isn't aware of the VSX gateways and behaves for each one as a separate one.