A new type of attack
Recently become quite popular "Deferred attack" (from the English. "Delayed the Poisoning Attacks" ). The bottom line is as follows: the attacker sends an email with a normal link that is not malicious at the time the message is scanned, but the attacker will soon change the site to which this user's link redirects. As a result, the user, clicking on the supposedly βnormalβ link, gets to a phishing resource, or to a malicious site where the malware is downloaded in the background and the user becomes infected. The magic is that at the time the letter is checked by the NGFW modules, the letter is legitimate and bypasses all levels of protection without any problems. In this article, we will look at how Check Point copes with this threat, and what settings need to be made.
Mail protection from "Check Point"
In functional NGFW "Check Point Security Gateway" has a functional e-mail protection and emulation of email attachments in a sandbox due to the mail agent - Mail Transfer Agent (MTA).
This is shown schematically in the figure below:
The MTA functionality is reduced to the following options:
- Sending file attachments to sandbox emulation (Threat Emulation blade);
- Decryption of messages encrypted using SSL / TLS (standard MitM with a certificate only for SMTPS);
- Checking the links in the letter for phishing or redirection to malicious resources;
- Removing malicious email attachments and delivering secure e-mail.
Solving the Delayed Attacks Problem
The way to combat this type of attack is called Click-Time URL Protection . In this case, the Check Point Security Gateway will each time redirect requests for all links through its cloud URL reputation check service and inspect websites for phishing, malware and other suspicious elements before opening it to the user.
If the website or file accessed via the link is malicious, then access to the resource will be blocked. Otherwise, the user will open the website successfully.
Benefits of Click-Time URL Protection:
The constantly updated URL base - " Check Point Threat Intelligence " (cloud analytics service) is updated every second with new indicators of compromise, patterns and other metrics that allow you to detect new malicious resources with high speed.
Preventing "Delayed Attacks" - the relatively new MTA bypass scheme is no longer valid due to the fact that links are checked every time they are clicked.
Inspection of all links - as a rule, links that are not explicitly indicated (for example, a password reset button or a "unsubscribe from news" button) are not checked by the MTA. The Click-Time URL Protection function "clicks" on all links in email and attachments.
This function is not yet built-in in MTA, it is provided in EA (Early Availability). However, this option can be enabled on the command line.
Enabling Click-Time URL Protection:
1. Make sure the Anti-Virus and Threat Emulation blades are enabled on the MTA gateway.
2. Install the latest βMTA Engineβ (MTA update) on the gateway. The latest version of MTA is currently under version R80.30 - Take 37. Information and instructions for installing MTA updates are available here .
3. Open SSH access to the gateway and switch to expert mode.
4. Enter the command vi $ FWDIR / conf / mail_security_config
5. At the very bottom of the file, add a new section [click_time_url]
6. Below this section, add the line (see screenshot below): enabled = 1
7. Save changes and exit the editor: wq
Note: if you have a cluster, then follow the above steps on both nodes.
8. In SmartConsole, set the Threat Prevention policy to Security Gateway / Cluster.
Note: To disable this option in the $ FWDIR / conf / mail_security_config file, edit the line enabled = 1 to enabled = 0. Then install the Threat Prevention policy on the Security Gateway / Cluster.
Enabling the Click-Time URL Protection option can be customized:
- Exclude specific recipients by email
- Include only for specific recipients by email
- Exclude specific domains by email
- Change explicit links in the email body
- Embed original URLs in modified AIT links
- Customize blocked pages
- Paste original URLs on blocked pages
Excluding specific recipients by their email
1. Connect to the MTA Security Gateway.
2. Create the following file: touch $ FWDIR / conf / mta_click_time_exclude_recipient_list
3. In this file, enter the emails of the employees whom you want to exclude from this setting. Each new mail entry starts with a new line without spaces. For example:
recipient1@mydomain.com
recipient2@mydomain.com
4. Open the vi $ FWDIR / conf / mail_security_config file in the editor
5. Under the [click_time_url] section add the following line: mode = exclude
6. If you have a cluster, follow the steps on both nodes.
7. Install the Threat Prevention policy on the gateway or cluster.
Enabling Click-Time URL Protection for Specific Recipients Only
1. Connect to the MTA Security Gateway.
2. Create the following file: touch $ FWDIR / conf / mta_click_time_allowed_recipient_list
3. In this file, enter the emails of the employees for whom you want to enable this MTA option. Each new mail entry starts with a new line without spaces. For example:
recipient1@mydomain.com
recipient2@mydomain.com
4. Open the vi $ FWDIR / conf / mail_security_config
5 file in the editor . Add the following line under the [click_time_url] section: mode = allowed
6. If you have a cluster, perform the steps on both nodes.
7. Install the Threat Prevention policy on the gateway or cluster.
Exclude specific domains from the Click-Time URL Protection feature
1. Connect to the MTA Security Gateway.
2. Create the following file: touch $ FWDIR / conf / mta_click_time_url_white_list
3. In this file, enter the domains you want to exclude from this setting. Each new domain starts with a new line without spaces. Regular expressions are supported since R80.20. For example:.
* Domain1.com. *
. * Domain2.com. *
4. If you have a cluster, then follow the steps on both nodes.
5. Install the Threat Prevention policy on the gateway or cluster.
Changing (re-writing) explicit links in the body of emails
Links that are presented in the form of hyperlinks (for example, a wonderful document) are relayed by the MTA, where the redirect goes to their resource and the link is secure. However, there are links like www.mydocument.com/download and they are not changed by default. To make the configuration more secure, do the following:
1. Connect to the MTA Security Gateway.
2. Open the vi $ FWDIR / conf / mail_security_config file in the editor
3. Under the [click_time_url] section add the following line: enforce_text_links = 1
4. If you have a cluster, then perform the actions on both nodes.
5. Install the Threat Prevention policy on the gateway or cluster.
Other options are also optionally configured by sk162618.
Recently, colleagues from the Moscow office of Check Point published a wonderful webinar about the new features of Threat Emulation (sandboxes) and MTA.
Instead of a conclusion
In the near future we are planning several more technical publications on various information security products. If you are interested in this topic, then stay tuned to our channels ( Telegram , Facebook , VK , TS Solution Blog )!