
Day2-01-CCSBA-SandBlast Local Emulation-V7.3-169

The document provides information about SandBlast Local emulation training. It discusses how a local SandBlast appliance can be used for threat emulation and extraction. It also covers the activation, initialization, use of multiple appliances, and architecture of the local emulation system.

Uploaded by

Weis Nonid

SANDBLAST TRAINING

SandBlast Local emulation

©2017 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees​ 1
01
INTRODUCTION

Check Point SandBlast (Local)

• How does a Local appliance help?
̶ SandBlast – Customers with Check Point gateway R77 or higher can offload Threat Emulation to a dedicated SandBlast Appliance or Appliances
̶ The Gateway collects files and the SandBlast Appliance carries out the emulation / returns verdict
̶ API – Customers with the appliance can use the RESTful API to interact with the appliance using JSON formatted data (http://downloads.checkpoint.com/dc/download.htm?ID=43199)
̶ Uploading files from customers or third parties? This can help!
̶ TEX/MTA – Customers can use the appliance for Threat Extraction (& MTA) and also for the SandBlast Browser Extension.

Cloud/Local pros and cons
Feature | Cloud Pro | Cloud Con | Local Pro | Local Con
Privacy | N/A | Not everyone can use cloud. Files must be shared | Files are kept on site, control what is shared | N/A
Latency | Previous malicious verdicts are in cloud (fast response) | Files need to be uploaded (often slower than download) | Ethernet speed from collection to SandBlast Appliance |
Data samples | Huge data sample set | N/A | Local gateway knows your files best | Dataset is smaller
Custom images | N/A | Can't be done | Possible | N/A
Alternative OS images (e.g. OSX) | Possible, with licensing permission | N/A | N/A | Not possible due to licensing
Image updates | Automatic and transparent | N/A | N/A | Must be downloaded and scheduled to not disrupt scanning
Multi Site deployment | Cloud can work with any size CP gateway | Some gateways perform too many emulations, and need local | Can offer appliances for all business sizes and TE can be load balanced | More hardware

02
ACTIVATION

SandBlast Local emulation activation

03
INITIALISATION

Local Emulation Activation
First time initialisation
• After first policy install with TE Blade enabled the SandBlast appliance will download
̶ Engine update (about 4MB in total) – (public/local emu)
̶ Static analysis rules (about 100KB in total) – (public/local emu)
̶ Detection rules (about 200KB per OS) – (local emu)
̶ OS images (WinXP, 2.5GB / Win 7,8 4GB each) – (local emu)
̶ Executable Analyser rules (9MB) – (local emu)
̶ Java files (80MB) – (local emu)
• OS images are downloaded as tar.gz archive and extracted
• The OS image is then booted to auto install the CP activity agent (root kit)
• A read only post boot snapshot is then created that will be used for emulation (to ensure fast start – approx. 0.5 sec) per application
̶ For X series appliances, the initialisation stage will take about 20-30 minutes per VM image.

Local Emulation Activation
First time initialisation
• Images: OS Images downloaded to the appliance to perform local emulation
• Detection Rules: Our white lists for documents are one example use case
• Static Analysis rules: Pre-processing rules for PDF and Office documents (using python) to identify
if there is anything active (and should be sent for emulation)
• Raw: Engine binary updates. Includes many components like archive unpacker, fake server scripts,
file magic to detect the real file type, jar file static analyser and more
• Types: Mapping of file types detected to real extension used in Windows. This is to rename the file
extension based on magic.
• Executable: EXE analyser using info from our "big data analysis" of malicious behaviours. This is
written in Java.
• Java: Java installation needed by the EXE analyser.
• Gradual Update: To identify which of the engine update roll out groups you fall into.

Local Emulation Activation - Offline update
• For customers who don’t have fast internet connectivity or want to speed up
the deployment
• Download the package from Support Center
̶ (Search: sk92509)

• Create /var/log/file_repository/offline_update if needed


• Extract the file into this folder
̶ Before enabling TE
̶ If TE is enabled follow relevant step in sk92509

Current OS images
• Windows XP 32 bit, running Adobe 9, Office 2003/7
• Windows 7 32 bit, running Adobe 9, Office 2003/7
• Windows 7 32 bit, running Adobe 9.4, Office 2010
• Windows 7 32 bit, running Adobe 11, Office 2013
• Windows 7 64 bit, running Adobe 11, Office 2013
• Windows 8.1 64 bit, running Adobe 11, Office 2013
• Windows 10 64-bit, running Adobe DC, Office 2016
• OS images are rather static (static/detection rules are updated more frequently)
• New revision is downloaded and initiated before the old is removed (2 weeks
later)
04
MULTIPLE/CLUSTER OF
SANDBLAST APPLIANCES

Multiple SandBlast appliances
• GUI only allows selection of one remote SandBlast appliance
• CLI option allows GWs to use multiple SandBlast appliances
̶ tecli advanced remote (per GW)
• GWs will load share files between SBs based on file hash
̶ Same file will always be sent to the same SB appliance regardless of GW
̶ If the SB appliance is down it will be sent to the next on the list instead

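The hash-based load sharing described on the Multiple SandBlast appliances slide, as an added Python sketch that is not Check Point code. The selection rule (SHA-1 of the file modulo the list length, then the next entry when an appliance is down) and the appliance names are assumptions, since the slide does not state the actual function.

```python
import hashlib


def pick_appliance(file_bytes, appliances, is_up):
    """Return the appliance that should emulate this file, or None if all are down.

    Assumed scheme (not taken from the product): index = SHA-1(file) mod N,
    then walk forward through the ordered list until a live appliance is found.
    """
    if not appliances:
        return None
    digest = hashlib.sha1(file_bytes).digest()
    start = int.from_bytes(digest[:8], "big") % len(appliances)
    for offset in range(len(appliances)):
        candidate = appliances[(start + offset) % len(appliances)]
        if is_up(candidate):
            return candidate
    return None


def distribution(files, appliances, is_up):
    """Count how many files each appliance would receive."""
    counts = {name: 0 for name in appliances}
    for data in files:
        target = pick_appliance(data, appliances, is_up)
        if target is not None:
            counts[target] += 1
    return counts


# Constructed sample data: hypothetical appliance names and file contents.
APPLIANCES = ["sb-1", "sb-2", "sb-3"]
SAMPLE_FILES = [b"constructed sample file %d" % i for i in range(300)]


def all_up(_name):
    return True


if __name__ == "__main__":
    print("all up:      ", distribution(SAMPLE_FILES, APPLIANCES, all_up))
    print("sb-2 is down:", distribution(SAMPLE_FILES, APPLIANCES, lambda n: n != "sb-2"))
    # Gateways only agree on the target if they hold the same list in the same
    # order; under this scheme a rotated list sends every file somewhere else.
    rotated = APPLIANCES[1:] + APPLIANCES[:1]
    moved = sum(
        pick_appliance(f, APPLIANCES, all_up) != pick_appliance(f, rotated, all_up)
        for f in SAMPLE_FILES
    )
    print("files sent elsewhere by a gateway with a rotated list:", moved)
```

Under this assumed scheme a failed appliance's whole share lands on the next entry in the list, so that neighbour has to be sized for a double load.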
05
ARCHITECTURE

Local emulation architecture:
Gateway components
• CoreXL
̶ Parsers (shared with other blades) and simple policy decisions (scope – what to
collect for emulation)
• User Space
̶ DLPU instance per core – reassemble files from parsers
̶ Threat Emulation Daemon (TED) – receives the complete file for pre-processing,
emulation, post-processing and logging
̶ Modified QEMU-kvm is used for emulation
̶ CP Agent “root kit” that records VM activity (monitored by TED)

Architecture
• File arrives at the kernel and we decide whether we need to scan it or not (according to the policy)
• The file is sent to the correlating DLPU process instance in the user space. The DLPU process handles the file
• Once DLPU finishes file reassembly, it sends it to TED – the Threat Emulation Daemon
[Diagram: kernel with CoreXL instances and their parsers; user space with DLPU instances and TED]

Local emulation Architecture:
Gateway components
• Threat Emulation Daemon (TED)
̶ Receives the complete file and processes it through file type checks to understand if
emulation is needed (due to advanced features)
̶ Checks cache if the file was already emulated
̶ Checks system resources (CPU/Memory) to create an emulation queue if needed
̶ Static analysis
̶ Executes emulation according to policy settings
̶ Collects forensics details from the VM activity agent
̶ Collects statistics of the emulation environment
̶ Local logging/reporting and shares data with ThreatCloud

Local emulation:
File emulation
1. Files are scanned by AV engine and ThreatCloud to detect known malware
̶ Including archives and files not supported by emulation
2. Files are injected into the OS image and opened
̶ Even when known by AV engine or ThreatCloud – confidence dependent
3. Documents are opened in relevant versions of Office and Adobe available on the OS image and EXE files are run as admin user
4. Max execution time is 60 sec default for no activity session (configurable in GUI)
5. All VMs run with same random MAC/IP
̶ Use Stateless Static NAT to avoid network issues
6. The Internet is faked and we will reply with a proper response
7. Malicious files are stored in a repository on the GW in /var/log/mal_files
Local emulation - Architectural overview
[Diagram: Kernel (CoreXL instances, Parsers); User Space (DLPU instances; TED – Threat Emulation Daemon; TE_CLI). Components shown: Resource Guard, Policy, DB, UserSpace Static Analysis, Emulation Manager, VM Controller, Agent Controller, Activity gatherer, Detection, Forensics, Statistics, Sharing with Check Point, Logging; VM Operation System on KVM with CP Agent. Stage labels: Prepare, Process, Finalize]
06
MECHANISMS

Archive support
• Support scanning of archive files such as zip, 7zip, tar, cab, etc…
• Each entry in the archive file is being scanned and emulated (if necessary).
The archive file verdict is determined according to the verdict of its entries.
• Once a malicious file is found inside an archive file, a log will be sent, and
the whole archive will be marked as malicious.

File Reclassifier
• Sometimes we don’t get a file name from the stream or the file has the wrong extension
̶ Attacker can try to rename file extension to avoid detection
• File extensions are therefore changed to the correct extension based on the file magic (header/footer) before injecting the file into the VM
• Then the file is emulated based on that extension
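A minimal reclassifier in the spirit of this slide, added here as an illustration and not taken from the SandBlast engine. The magic table, the function names and the `unnamed` fallback are assumptions; it checks header magic only and looks inside ZIP containers, because Office Open XML documents share the ZIP signature.

```python
import io
import os
import zipfile

# Leading magic bytes -> extension. Simplified: OLE2 is mapped to "doc" and MZ
# to "exe", although those containers also carry xls/ppt and dll files.
HEADER_MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),
    (b"{\\rtf", "rtf"),
    (b"FWS", "swf"),
    (b"CWS", "swf"),
]
OOXML_DIRS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}


def _classify_zip(data):
    """OOXML documents are ZIP containers; look inside before settling on 'zip'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return "zip"
    if "[Content_Types].xml" in names:
        for prefix, ext in OOXML_DIRS.items():
            if any(name.startswith(prefix) for name in names):
                return ext
    return "zip"


def detect_extension(data):
    """Return the extension implied by the content, or None if unrecognised."""
    if data.startswith(b"PK\x03\x04"):
        return _classify_zip(data)
    for magic, ext in HEADER_MAGIC:
        if data.startswith(magic):
            return ext
    return None


def reclassify(name, data):
    """Return the file name to use inside the VM, with the extension set from content."""
    ext = detect_extension(data)
    if ext is None:
        return name  # unknown content: leave the name as received
    stem = os.path.splitext(name)[0] if name else "unnamed"
    return f"{stem}.{ext}"


def build_constructed_docx():
    """Constructed sample: the smallest ZIP that looks like a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [  # all constructed
        ("report.pdf", b"MZ\x90\x00" + b"\x00" * 60),  # executable renamed to .pdf
        (None, b"%PDF-1.7\n%constructed"),              # no name from the stream
        ("invoice.txt", build_constructed_docx()),       # OOXML renamed to .txt
        ("notes.txt", b"plain text, no known magic"),
    ]
    for name, data in samples:
        print(f"{name!r:15} -> {reclassify(name, data)!r}")
```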

Trusted sources
• Threat Emulation has a list of whitelisted domains from major software providers and security vendors
• Threat Emulation also has a list of trusted vendor executable certificates
• When a file arrives from a whitelisted domain or has a whitelisted certificate it is not being emulated and a benign verdict is set.
• It helps us to handle a file faster and skip unnecessary emulations
• The whitelisted sources are synced from the cloud every 24 hours

Static Filtering
• Documents range from very simple to ultra complex
• Usually, the risk factor of a document varies according to the number of advanced features it utilizes
̶ E.g. JavaScript support in Acrobat reader
• The pre-emulation static filtering process allows skipping documents which contain only safe features
̶ Filters are constantly updated
• Filters up to 80% of the documents, but depends on customer, and file types (e.g. Flash is low filtering %)
• Slide callout: tecli show statistics

Fake Internet servers
• We block the VMs' network connectivity on the GW level
• So how does a bot communicate with its command and control? How does a malware download its payload?
• Fake server simulates a fake internet to the VMs by faking responses from any servers to satisfy malware
̶ HTTP and DNS
• Example:
[Diagram: DNS lookup of www.evil.com returns 172.16.0.1; the request "GET /file.exe HTTP/1.0 Host: http://172.16.0.1" receives "200 OK"]
URL based detection
• Some Malware may expect more than just a “200 OK” response.
• We look at URLs using the AB/AV DB

[Diagram: Virtual machine ↔ Fake server (cnc.com, 200 OK); Fake server ↔ ThreatCloud (cnc.com)]

Detection Rules
• Each OS image has a list of regular expressions representing events that its applications generate and that we consider as normal or malicious actions
̶ The rules files are image specific but updated separately
• The whitelist events are filtered during execution of the document/applet
̶ All events that were not filtered by the detection (white list) rules are considered malicious
• Machine learning is used for EXEs to build a picture of what bad files do. The indicators are matched against the execution reports for EXE files
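The whitelist filtering described above, as an added Python example that is not the product's rule engine. The event format, the three rules and the sample events are constructed for illustration; the example also shows why each rule must match the whole event rather than a prefix of it.

```python
import re

# Hypothetical whitelist for one OS image: events its applications are expected
# to generate when opening a clean document. The event format is constructed.
WHITELIST_RULES = [
    r"proc=AcroRd32\.exe op=file_read path=C:\\Program Files\\Adobe\\.*",
    r"proc=AcroRd32\.exe op=reg_read key=HKCU\\Software\\Adobe\\.*",
    r"proc=AcroRd32\.exe op=file_write "
    r"path=C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.tmp",
]


def compile_rules(patterns):
    return [re.compile(p) for p in patterns]


def unexplained_events(events, rules, anchored=True):
    """Return the events that no whitelist rule accounts for.

    anchored=True requires a rule to match the whole event (fullmatch).
    anchored=False uses search(), included only to show how an unanchored
    rule lets a longer event slip through the filter.
    """
    leftover = []
    for event in events:
        if anchored:
            hit = any(rule.fullmatch(event) for rule in rules)
        else:
            hit = any(rule.search(event) for rule in rules)
        if not hit:
            leftover.append(event)
    return leftover


def verdict(events, rules):
    """Anything the whitelist does not filter out makes the run malicious."""
    return "malicious" if unexplained_events(events, rules) else "benign"


# Constructed activity-agent output for two emulation runs.
CLEAN_RUN = [
    r"proc=AcroRd32.exe op=file_read path=C:\Program Files\Adobe\Reader\plug_ins\Annots.api",
    r"proc=AcroRd32.exe op=reg_read key=HKCU\Software\Adobe\Acrobat Reader\Language",
    r"proc=AcroRd32.exe op=file_write path=C:\Users\admin\AppData\Local\Temp\A9R1f3.tmp",
]
SUSPICIOUS_RUN = CLEAN_RUN + [
    r"proc=AcroRd32.exe op=file_write path=C:\Users\admin\AppData\Local\Temp\A9R1f3.tmp.exe",
    r"proc=AcroRd32.exe op=proc_create image=C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    rules = compile_rules(WHITELIST_RULES)
    print("clean run:     ", verdict(CLEAN_RUN, rules))
    print("suspicious run:", verdict(SUSPICIOUS_RUN, rules))
    for event in unexplained_events(SUSPICIOUS_RUN, rules):
        print("  not whitelisted:", event)
    missed = len(unexplained_events(SUSPICIOUS_RUN, rules)) - len(
        unexplained_events(SUSPICIOUS_RUN, rules, anchored=False)
    )
    print("events an unanchored match would have hidden:", missed)
```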

PUSH FORWARD SOLUTION
EXPLOITS BASED IN FLASH

Why is Flash so compelling to attackers?
• Flash is cross everything
• Cross-platform (OSX, Win, Linux)
• Cross-browser (IE, Firefox, Chrome)
• Can be used for web attack (malicious site)
• Can be embedded into a document and sent by email (PDF, doc)
• Flash is perfect for evading today's security protections
• For the reason above Flash is often used to hide older known attacks (e.g. JS exploit) which could otherwise be detected by AV
• Today, Flash vulnerabilities are the most cost effective vector for the attackers and the most popular one
Web object context

[Diagram: HTML, JavaScript and the Flash Object inside the Browser, plus an External Server; the Flash Object receives input parameters, performs environment checks and receives the response from the server]
Instrumented runtime detection engine
• Simulate different contexts in order to push the Flash
execution BEYOND ENVIRONMENT CHECKS to the point
of exploitation
• Use multiple detection engines to DETECT THE EXPLOIT
or its traces at runtime

Push Forward - Faking context
[Diagram: Flash Hooking Framework around the Flash Object, supplying Fake Parameters, Fake Environment, Fake server and a De-obfuscation interceptor]
Context discovery stage
[Sidebar stages: Context validation, Vulnerability, Exploit, Shellcode, Malware]
Fake context to make the SWF pass to the next stage
• Input fake parameters
• URL (fake in proxy)
• Shellcode (crash)
• Base64
• Arbitrary string/number
• In many cases, just non empty fake parameters are enough to get to the pre/exploitation stage
• Fake environment versions
• Return different flash versions
• Return different browser type/version
• Run different versions of flash
• Provide fake http response upon request (SWF, FLV, images, etc.) – fake server
• Deobfuscation
Exploit detection
[Sidebar stages: Context validation, Vulnerability, Exploit, Shellcode, Malware]
Detect exploitation:
• Invalid flash buffer
• Flash version mismatch
• Heap spray detection
• Export table guard
• Read+Write+Execute memory
• Execute on heap/stack
• Crash detection
MULTI FILE EXECUTION

Multiple File Execution
• In order to boost performance, multiple documents or applets of the same
type (e.g. PDF) are sent to the same OS virtual machine for emulation
• For each file that is sent to the machine a new instance of the emulated
program (e.g. Adobe Reader) is executed
• In case a file was flagged as malicious during multiple file execution it will be emulated again in a dedicated instance and the current instance will be reverted
• Not supported with executables or CPU Level images

Local emulation (1/2):
Detection of a malicious file
• A file could be emulated up to three times.
• Emulation 1: Files of the same format are emulated together in the same
VM.
̶ If no malicious activity is detected, emulation will stop.
̶ No further emulation takes place.
̶ All files will be considered benign.
̶ If malicious activity is detected, the files will be run once more – proceed to Optional
Emulation 2.

Local emulation (2/2):
Detection of a malicious file
• Optional Emulation 2: Each file from the previous step is emulated in a
“clean” VM on its own.
̶ If detected as malicious it is considered malicious
̶ No further emulation takes place
̶ Screenshots / Forensics are gathered during this emulation run.
̶ If NOT detected as malicious it will run once more
• Optional Emulation 3: The file is emulated in another “clean” VM on its own
̶ If detected as malicious it is considered as malicious
̶ No further emulation takes place
̶ Screenshots / Forensics are gathered during this emulation run.
̶ If the file is NOT detected as malicious it is NOT considered as malicious.
̶ No further emulation takes place.
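The up-to-three-run flow from the two "Detection of a malicious file" slides, written out as an added Python model that is not Check Point code. The `emulate` callback, the `ConstructedSandbox` stand-in and the file names are assumptions; the point is to show the verdicts and how many VM runs a flagged batch consumes.

```python
def classify_batch(files, emulate):
    """Apply the up-to-three-run flow to one batch of same-format files.

    emulate(file_list, shared) -> True if malicious activity was observed.
    Returns (verdicts, runs), where runs counts the VM runs consumed.
    """
    runs = 1
    if not emulate(list(files), True):       # Emulation 1: shared VM
        return {f: "benign" for f in files}, runs

    verdicts = {}
    for f in files:                          # Emulation 2 and 3: clean VM per file
        verdicts[f] = "benign"
        for _attempt in (2, 3):
            runs += 1
            if emulate([f], False):
                verdicts[f] = "malicious"    # forensics are gathered on this run
                break
    return verdicts, runs


class ConstructedSandbox:
    """Stand-in for the emulator with deterministic, constructed behaviour."""

    def __init__(self, always_bad=(), bad_on_second_solo_run=()):
        self.always_bad = set(always_bad)
        self.late = set(bad_on_second_solo_run)
        self.solo_runs = {}

    def emulate(self, file_list, shared):
        if shared:  # any bad file in the shared VM flags the whole run
            return any(f in self.always_bad or f in self.late for f in file_list)
        f = file_list[0]
        self.solo_runs[f] = self.solo_runs.get(f, 0) + 1
        if f in self.always_bad:
            return True
        # Constructed case: behaviour only shows up on the second clean-VM run.
        return f in self.late and self.solo_runs[f] >= 2


BATCH = ["a.pdf", "b.pdf", "c.pdf", "d.pdf"]  # constructed file names


def run_scenario(always_bad=(), late=()):
    sandbox = ConstructedSandbox(always_bad, late)
    return classify_batch(BATCH, sandbox.emulate)


if __name__ == "__main__":
    for label, kwargs in [
        ("all benign", {}),
        ("b.pdf malicious", {"always_bad": ["b.pdf"]}),
        ("c.pdf caught on run 3", {"late": ["c.pdf"]}),
    ]:
        verdicts, runs = run_scenario(**kwargs)
        print(f"{label:24} runs={runs} verdicts={verdicts}")
```

In this model a benign file that shares a batch with one malicious file is run two more times before it is cleared, which is where most of the extra VM time goes.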
Viewing the Emulation Process
• Download a VNC viewer such as: TightVNC http://www.tightvnc.com/
• Enable VNC Access
̶ Required access in FW policy (TCP 590x-590y)
̶ tecli debug emu enable
• During emulation, connect to SandBlast_IP:590x
̶ E.g. 172.27.254.254:5902 = VNC 2.

Emulation cache
• Files will receive a TTL (Time To Live) in cache of 7 days
• After 7 days cache entries will automatically be removed
• TTL can be controlled by
̶ tecli cache ttl set <hours>
̶ tecli cache ttl default (reset to 7 days)
• Cache exists on both TE appliances and GWs
̶ Not synced on clusters
̶ One cache entry per VM

Emulation cache – removing an entry
• If you want a file to be removed from Cache:
̶ tecli cache remove
̶ sha1
̶ filename
̶ extension
̶ benign
̶ malicious

07
CUSTOM IMAGES

Local emulation:
The need for custom images
• Vendor provided OS images might be different from the customer
environment
̶ Different patch level of OS
̶ Different version or patch level of applications
̶ Missing applications
• Targeted malware can look for a specific environment before performing malicious activity
• Stuxnet is an example of such malware
̶ Would the current TE with the current OS images detect it?

Local emulation:
When to use custom OS images?
• To detect malicious documents we have so far not seen much need for custom OS images
• To detect malicious executables like Stuxnet it is also not often needed
• When Stuxnet tries to propagate it performs OS actions that would be considered as malware actions
̶ Report will show this but it would not show all actions that Stuxnet can perform (like the SCADA part)
• Custom OS images are mostly needed for customers that are doing deep forensics and want to figure out all actions a targeted malware would perform in a real environment
̶ Should rather be done manually with dedicated HW in Lab

Local emulation:
Using custom OS images
• Use of custom OS images is supported on request
̶ Only for local/private cloud emulation options
• Image must be uploaded to Check Point for preparation for emulation use
̶ Manual process that takes considerable time
̶ Same process after every change to the image
• Based on demand/need Check Point is considering mostly automating this process in the future
̶ Maybe also remove the need to upload the image to Check Point

08
APPLIANCES

SandBlast Appliances
Model | TE100X | TE250X | TE1000X | TE2000X/HPP
Files / month | 100K | 250K | 1M | 1.5M/2M
Recommended Users | Up to 1,000 | Up to 3,000 | Up to 10,000 | Up to 20,000
Throughput | 150 Mbps | 700 Mbps | 2 Gbps | 4 Gbps
# of VM’s | 4 | 8 | 28 | 40/56
Storage | 1TB HDD | Redundant dual hot swappable 2 TB HDD, RAID1
10/100/100 RJ-45 | 5 | 9 | 6 | 6
10GBase-F SFP+ | 0 | 0 | 2 | 4

Includes TE, AB, TEX and AV Blades, enabling blade combinations impacts
sizing. Mgmt, Smart Event, FW, IA and ADNC are also included.

SandBlast Appliance details
• Dedicated hardware with extra memory, and Haswell based CPUs to take advantage of CPU Level technology.
• License – The number of VMs on the SandBlast appliance that are used for emulation – see next page.
• Annual Contract/NGTX license (depending on deployment and old/new customer)
̶ When expired, no emulation will be done
̶ SandBlast appliance also needs AV license for the AV pre-scan that is included in forensics reports
• It is possible to use the Threat Prevention policy to also send files to SandBlast
Cloud emulation
̶ Requires NGTX license
SandBlast Appliance in Price List
• There are 5 SandBlast Appliances in the pricelist:
̶ CPAP-TE100X-4VM
̶ CPAP-TE250X-8VM
̶ CPAP-TE1000X-28VM
̶ CPAP-TE2000X-40VM
̶ CPAP-TE2000X-56VM-HPP
• TE2000X has for now the same CPU, RAM, disk and NICs as TE2000X-HPP
̶ May change without notice
• The xVM part refers to the number of Microsoft Windows and Office licenses included in the appliance.
̶ CAL or OEM licenses cannot be used (MS EULA)
09
MULTI DOMAIN
AND VSX

SandBlast Appliance and MDM
• The SandBlast appliance gateway object is a normal gateway object
• Since engine release 6.5, the appliance can receive and emulate files from
gateways in other domains on the same MDM.
̶ This is done by establishing an SSL trust between the management and the emulator
that is not in the same domain (CMA)
̶ It is configured via CLI - sk102309

SandBlast support in VSX
• SandBlast Cloud emulation - R77 or higher Security Gateway with Gaia
or SecurePlatform operating system (64 or 32-bit), and R77.20 or higher
VSX Gateways.
• SandBlast Remote emulation - Check Point Threat Emulation Private
Cloud Appliance with R77 or higher on the Gaia operating system (64-bit
only), and R77.20 or higher VSX Gateways

LABS 6-8
QUESTIONS?

Next – Deployment and Best practice
