
CGI TAP for AWS

Demo lab guide


Version 1.0

©2018 Check Point Software Technologies Ltd. All rights reserved | P. 1


ONLY for designated groups and individuals

[Internal Use] for Check Point employees


Table of Contents

Introduction ............................................................................................................................ 3
Environment ............................................................................................................................. 4
Accessing the environment ............................................................................................................. 5
Lab 1: Advanced threat identification ................................................................................................. 6
Lab 2: Advanced threat hunting ........................................................................................................ 8

Introduction

Check Point CloudGuard IaaS TAP for AWS provides passive, out-of-band network
visibility into your AWS environment. The offering includes a CloudGuard IaaS
gateway that is deployed automatically via Terraform in the customer's VPC to
perform Deep Packet Inspection (DPI) on inter-VPC ("North-South") and intra-VPC
("East-West") network traffic. AWS Traffic Mirroring is provisioned as part of the
Terraform template to copy selected network traffic to the CloudGuard IaaS instance
for inspection. Because the TAP only receives copies of packets, it has no effect on
the business traffic itself: no added latency, no packet loss, and no routing changes
within the VPC. Mirroring is not free on the source side, however: mirrored traffic
counts toward the source instance's network bandwidth, and under congestion AWS
drops mirrored packets before production packets, so the sensor can see gaps when a
busy source is saturated.
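As an added illustration (this is not Check Point's Terraform template, which the guide does not reproduce), the stand-alone Terraform below shows the AWS Traffic Mirroring resources such a deployment has to create for the lab layout used here: the T-Pot honeypot's ENI as mirror source and the CloudGuard sensor's ENI as mirror target. The variable names, resource labels and the VXLAN VNI are assumptions; the resource types and arguments are those of the HashiCorp AWS provider.

```hcl
# Added example: the AWS Traffic Mirroring pieces a TAP deployment needs.
# NOT Check Point's template. ENI references, labels and the VNI are assumptions.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "honeypot_eni_id" {
  description = "ENI of the T-Pot honeypot instance (mirror source) - assumption"
  type        = string
}

variable "sensor_eni_id" {
  description = "Inspection ENI of the CloudGuard IaaS TAP sensor (mirror target) - assumption"
  type        = string
}

# Where mirrored packets go. The target receives VXLAN-encapsulated copies on
# UDP/4789, so its security group must allow that from the source subnet.
resource "aws_ec2_traffic_mirror_target" "sensor" {
  description          = "CloudGuard IaaS TAP sensor"
  network_interface_id = var.sensor_eni_id
}

# What to copy. A filter with no rules mirrors nothing, so one accept rule
# per direction is required. amazon-dns also mirrors queries to the VPC resolver.
resource "aws_ec2_traffic_mirror_filter" "honeypot" {
  description      = "Mirror all honeypot traffic to the sensor"
  network_services = ["amazon-dns"]
}

resource "aws_ec2_traffic_mirror_filter_rule" "ingress_all" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.honeypot.id
  traffic_direction        = "ingress"
  rule_number              = 100
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

resource "aws_ec2_traffic_mirror_filter_rule" "egress_all" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.honeypot.id
  traffic_direction        = "egress"
  rule_number              = 100
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

# The session ties source ENI, filter and target together. packet_length is
# left unset so whole packets are mirrored; truncating them would defeat DPI
# and file extraction for Threat Emulation.
resource "aws_ec2_traffic_mirror_session" "honeypot_to_sensor" {
  description              = "T-Pot honeypot -> CloudGuard TAP"
  network_interface_id     = var.honeypot_eni_id
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.honeypot.id
  traffic_mirror_target_id = aws_ec2_traffic_mirror_target.sensor.id
  session_number           = 1    # evaluated first if the source has several sessions
  virtual_network_id       = 4711 # VXLAN VNI the sensor can use to tell sources apart (assumption)
}

output "mirror_session_id" {
  value = aws_ec2_traffic_mirror_session.honeypot_to_sensor.id
}
```

After `terraform apply`, confirm the session exists with `aws ec2 describe-traffic-mirror-sessions`, and check that the sensor's security group permits inbound UDP/4789 from the honeypot's subnet; without that rule the session is created but the sensor receives nothing. The source must also be an instance type that supports Traffic Mirroring.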

CloudGuard IaaS TAP applies a set of analytics engines to the mirrored traffic in real
time, including application fingerprinting, reputation-based and behavioral analysis,
pre-infection and post-infection pattern matching, static and dynamic content
inspection, and AI models for anomaly detection and false-positive reduction. These
engines leverage Check Point's ThreatCloud, a real-time collaborative big data repository
that delivers up-to-date threat intelligence to drive threat prevention. The analytical
results are delivered to the Cyber Defense Center SaaS web portal as logs for further
analysis and visualization. Packet captures can also be extracted for further triage and
network forensics. Threat Emulation reports accessible from the portal provide deeper
insight into transmitted file payloads. Reports can be generated and scheduled for
tracking compliance posture and providing management visibility.

Environment:
• A T-Pot honeypot connected to the internet.
• A CloudGuard IaaS TAP sensor in detect mode, receiving a mirrored copy of the honeypot's traffic.

Accessing the environment:
1. Open Chrome.

2. Access the portal:

3. Sign in.

4. Accept the certificate prompt.

Lab 1: Advanced threat identification

In this lab, you will learn how to gain security visibility from the portal.

1. Go to Overview.
2. Change the time filter to "This Month".

3. Focus on the most important threat alerts.

4. Go to Views.
5. Select Top Attacks.

6. Change the time range to "This Year".

7. Review the top attacks.

8. Review reports as needed.

Lab 2: Advanced threat hunting
In this lab, you will learn how to use the advanced analytical tools:

• Threat Topology: a heuristics-based, flexible graphical mapping of VPC network
traffic, supporting rapid identification of anomalous behavior.
• Activity Mapping: data flow analytics for identifying traffic anomalies such as data
exfiltration.
• Vulnerability Sonar: patent-pending, fully passive detection of exposed, vulnerable
and potentially compromised servers and endpoints.
• Recurrent Connections: AI-based detection of automated flows (i.e. bots).
• AnalystMind: add-on, machine-learning-based identification of top-priority
threats.

1. Go to Analytics.

2. Go to "Vulnerability Sonar" (fully passive detection of exposed, vulnerable and
potentially compromised servers and endpoints).

3. Review "Top scanners".

4. To drill down:
a. Right-click on "SIPVicious Security Scanner".
b. Select Drill down.

5. Go to "Threat Topology".

6. Change the time period to "Last Month".

7. You will see a heuristics-based, flexible graphical mapping of VPC network traffic.
The "T-Pot" (honeypot) machine appears in the center, and the attempts to attack it
are visible around it.

8. Go to "Activity Map".

9. Review the amount of traffic per day and per hour.

10. Each cell provides information about what its color indicates:
