Introducing ThreatCloud Graph: A Multi-Dimensional Perspective on Cyber Security

In the face of complex and sophisticated cyber threats, enterprises struggle to stay ahead. Addressing this core challenge, Check Point introduces ThreatCloud Graph, focused on proactive prevention of emerging threats. This groundbreaking feature within ThreatCloud AI, the brain behind all of Check Point´s products, offers a novel approach to cyber security.

Contextualizing ThreatCloud Graph within ThreatCloud AI

Check Point leverages AI technology extensively in its cybersecurity solutions. ThreatCloud AI, the backbone of Check Point’s security infrastructure, uses over 40 AI engines to process and analyze massive amounts of data. This approach ensures real-time dynamic security intelligence, enabling the identification and prevention of complex and sophisticated cyber attacks. By integrating AI into its multi-layered security system, Check Point delivers comprehensive and proactive protection, keeping pace with the evolving nature of cyber threats. This AI-driven approach is central to the effectiveness of capabilities like ThreatCloud Graph, enhancing their capability to safeguard enterprises against emerging cybersecurity challenges. With ThreatCloud Graph, Check Point extends these capabilities to analyze the complex web of relationships between digital entities, offering a multi-dimensional perspective on cyber threats.

ThreatCloud Graph is tailored for enterprise needs, addressing the increasing complexity and sophistication of cyber attacks. It offers:

• Holistic Threat Prevention: Analyzing relationships between URLs, IPs, and domains to anticipate potential threats. This comprehensive approach provides a complete understanding of the threat landscape with a focus on threat prevention.
• Graph Patterns and Attack Insight: Deciphering complex attack patterns, including advanced threats like DNS poisoning. This capability enables deeper insights into potential attack strategies, enhancing proactive prevention mechanisms.
• Proactive Zero-Day Threat Prevention: Utilizing ThreatCloud AI’s knowledge to identify and mitigate emerging threats. This feature evaluates the reputations of digital entities such as URLs, domains, and IPs based on their relations to previously known malicious artifacts, such as common IP addresses, registrars, and name servers, providing crucial preemptive security against new, undocumented threats.

Unveiling a Multi-Dimensional perspective

This innovative feature marks a paradigm shift in threat detection by moving beyond the traditional analysis of standalone entities, such as URLs, IPs, and domain names. ThreatCloud Graph delves into the interconnected web of relationships between these entities, unveiling a multi-dimensional perspective on cyber threats.

Traditionally, threats have been identified based on malicious content detected by engines, designed to identity specific threat types. However, ThreatCloud Graph recognizes that threats never operate in isolation: they are part of larger networks and campaigns, often traceable to entities like name servers and registrars. By highlighting relationships between URLs, IPs, name servers, and more, ThreatCloud Graph identifies patterns and links common entities, allowing the prevention of zero-day threats even in the absence of detected malicious content.

Figure 1 –ThreatCloud Graph Illustration

Holistic Perspective on Threat Indicators

One of the key features of ThreatCloud Graph is its ability to store and index the entire threat landscape within a graph database. This database is designed to handle highly connected data, making it ideal for applications involving complex relationships. The flexibility and scalability of ThreatCloud Graph’s infrastructure allow for easy expansion to accommodate additional relationships and various types of attacks.

ThreatCloud Graph introduces a holistic perspective on threat indicators, shifting from a single Indicator of Compromise (IOC) to a multi-dimensional view based on attack patterns. By leveraging ThreatCloud AI’s powerful knowledge of attack patterns, ThreatCloud Graph aims to prevent zero-day IOCs, such as URLs, domains, and Ips, by establishing their reputation through relations to previously known malicious artifacts. This is achieved through commonalities in IP addresses, registrars, and name servers.

The working mechanism of ThreatCloud Graph involves analyzing the relationships of URLs with domain hosts. ThreatCloud Graph can identify potential threats by examining the shared relations of known malicious domains. Further analysis ensures that these relations are unique to malicious entities and not shared by legitimate domains, ultimately identifying specific URLs as malicious.

ThreatCloud Graph in Action

An illustrative example of the ThreatCloud graph capability is the recent prevention of a phishing campaign targeting ‘Telegram’.Recently, a malicious actor initiated the registration of many domains with the intent to target Chinese ‘Telegram’ users and extract their credentials.

Figure 2 – Users browsing to this domain are served a ‘Telegram’ spoofed website

How does it work?

Users who accessed these domains, were directed to a webpage that closely mimicked Telegram’s login interface (Figure 2). Some of these domain names resembled Telegram, such as ‘teleqremn.fit’ and ‘telegcam.work,’ while others were more distant variations like ‘teleiiream.club’ or ‘teleprumn.vip’.

ThreatCloud AI immediately initiated tracking of these domains, capturing related indicators such as IP addresses, registrars, and DNS servers.

At the same time, a graph was created, highlighting significant multi-dimensional connections among all these domains. The graph unveiled that all these domains were registered in China through ‘22net, Inc.’ and they were all hosted on the same IPs using the same DNS servers.

ThreatCloud’s proactive analysis of registered domains combined with the new ThreatCloud Graph capability within ThreatCloud AI, enabled us to identify this campaign as malicious, long before the domains became active and before other security vendors categorized the domains as malicious.

By the time they surfaced in the wild, ThreatCloud AI had already recognized and blocked them, and by this provided zero-day protection to Check Point’s customers.

Conclusion

ThreatCloud Graph is ideal for enterprises due to its multi-dimensional approach to cybersecurity. It goes beyond analyzing standalone threats, instead examining the relationships between digital entities like URLs, IPs, and domain names. This holistic perspective enables enterprises to anticipate and neutralize sophisticated cyber threats more effectively. Additionally, its integration with ThreatCloud AI’s extensive knowledge base allows for the proactive prevention of emerging threats, including zero-day attacks. This makes ThreatCloud Graph a powerful tool in an enterprise’s cybersecurity arsenal, offering advanced, AI-driven protection in an increasingly complex threat landscape.

Organizations using Check Point to secure their business, gain accurate prevention against the most advanced and emerging attacks through the power of ThreatCloud AI, the brain behind all of Check Point’s products.