Juniper Sky ATP User Manual
Sky ATP
Published
2020-07-01
Juniper Sky Advanced Threat Prevention
Administration Guide
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks
are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Sky ATP Juniper Sky Advanced Threat Prevention Administration Guide
Copyright © 2020 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
ii
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.
Table of Contents
1
About the Documentation | x
Documentation and Release Notes | x
Documentation Conventions | x
Documentation Feedback | xiii
Requesting Technical Support | xiii
Self-Help Online Tools and Resources | xiv
Creating a Service Request with JTAC | xiv
Overview and Installation
Juniper Sky Advanced Threat Prevention Overview | 2
iii
Juniper Sky Advanced Threat Prevention | 2
About Juniper Sky Advanced Threat Prevention | 2
Juniper Sky ATP Features | 4
How the SRX Series Device Remediates Traffic | 6
Juniper Sky ATP Use Cases | 7
Licensing | 8
How is Malware Analyzed and Detected? | 9
Analyzing and Detecting Malware | 9
Cache Lookup | 10
Antivirus Scan | 10
Static Analysis | 10
Dynamic Analysis | 11
Machine Learning Algorithm | 11
Threat Levels | 11
Licensing | 12
About Policy Enforcer | 12
2
Policy Enforcer | 12
Install Juniper Sky Advanced Threat Prevention | 15
Juniper Sky Advanced Threat Prevention Installation Overview | 15
Managing the Juniper Sky Advanced Threat Prevention License | 15
Obtaining the Premium License Key | 16
License Management and SRX Series Devices | 17
Juniper Sky ATP Premium Evaluation License for vSRX | 17
License Management and vSRX Deployments | 17
High Availability | 19
Registering a Juniper Sky Advanced Threat Prevention Account | 20
Downloading and Running the Juniper Sky Advanced Threat Prevention Script | 24
The Web Portal and Enrolling SRX Series Devices
iv
The Juniper Sky ATP Web Portal | 31
Juniper Sky Advanced Threat Prevention Configuration Overview | 31
Juniper Sky Advanced Threat Prevention Web UI Overview | 34
Accessing the Web UI | 34
Dashboard Overview | 37
Reset Password | 38
Recover Realm Name | 40
Enroll SRX Series Devices | 43
Enrolling an SRX Series Device With Juniper Sky Advanced Threat Prevention | 43
Enrolling an SRX Series Device without the Juniper Sky ATP Web Portal | 47
Removing an SRX Series Device From Juniper Sky Advanced Threat Prevention | 49
Searching for SRX Series Devices Within Juniper Sky Advanced Threat Prevention | 50
Juniper Sky Advanced Threat Prevention RMA Process | 53
Device Information | 53
Cloud Feeds for Juniper Sky Advanced Threat Prevention: More Information | 54
Configure
3
Whitelists and Blacklists | 57
Whitelist and Blacklist Overview | 57
Creating Whitelists and Blacklists | 59
Email Scanning: Juniper Sky ATP | 65
Email Management Overview | 65
Email Management: Configure SMTP | 67
Email Management: Configure IMAP | 70
Email Scanning: SRX Series Device | 74
Configuring the SMTP Email Management Policy on the SRX Series Device | 74
Configuring the IMAP Email Management Policy on the SRX Series Device | 80
v
Configuring Reverse Proxy on the SRX Series Device | 88
File Inspection Profiles | 92
File Inspection Profiles Overview | 92
Creating File Inspection Profiles | 94
Adaptive Threat Profiling | 97
Adaptive Threat Profiling Overview | 97
Overview | 97
Configure Adaptive Threat Profiling | 99
Deploy Adaptive Threat Profiling | 101
Use Case Examples | 103
Threat Detection Use Case | 103
Asset Classification Use Case | 107
Create an Adaptive Threat Profiling Feed | 108
Third Party Threat Feeds | 110
Enabling Third Party Threat Feeds | 110
Global Configurations | 116
4
Global Configuration for Infected Hosts | 116
Configuring Threat Intelligence Sharing | 119
Configuring Trusted Proxy Servers | 121
Realm Overview | 122
Realms and Tenant Systems | 122
Configuration Overview | 123
SRX Series and Tenant System Enrollment | 123
Realm Management | 124
Tenant Systems: Security-Intelligence and Anti-Malware Policies | 126
Tenant System Support for SecIntel Feeds | 126
Tenant System Support for AAMW | 127
Security Profile CLI | 129
vi
Monitor and Take Action
Reports | 131
Reports Overview | 131
Configure Report Definitions | 135
Hosts | 137
Hosts Overview | 137
Host Details | 140
Identifying Infected Hosts | 142
Compromised Hosts: More Information | 142
About Block Drop and Block Close | 146
Host Details | 147
Automatic Lowering of Host Threat Level or Removal from Infected Hosts Feed | 148
Configuring the SRX Series Devices to Block Infected Hosts | 149
Command and Control Servers | 153
Command and Control Servers Overview | 153
Command and Control Server Details | 154
Identify Hosts Communicating with Command and Control Servers | 158
Command and Control Servers: More Information | 158
Configuring the SRX Series Device to Block Outbound Requests to a C&C Host | 161
File Scanning | 164
HTTP File Download Overview | 164
HTTP File Download Details | 166
File Summary | 167
HTTP Downloads | 168
Sample STIX Report | 169
Manual Scanning Overview | 169
File Scanning Limits | 171
Email Scanning | 173
vii
Email Attachments Scanning Overview | 173
Email Attachments Scanning Details | 174
File Summary | 176
SMTP Quarantine Overview: Blocked Emails | 177
IMAP Block Overview | 179
Telemetry | 181
Telemetry Overview | 181
Telemetry Details | 183
Encrypted Traffic Analysis | 185
Encrypted Traffic Analysis Overview | 185
Encrypted Traffic Analysis and Detection | 186
Workflow | 187
Configurations on SRX Series Devices | 188
Encrypted Traffic Analysis Details | 189
Policies on the SRX Series Device
5
6
7
Configure Juniper Sky ATP Policies on the SRX Series Device | 193
Juniper Sky Advanced Threat Prevention Policy Overview | 193
Enabling Juniper Sky ATP for Encrypted HTTPS Connections | 196
Example: Configuring a Juniper Sky Advanced Threat Prevention Policy Using the CLI | 197
Unified Policies | 202
Explicit Web Proxy Support | 204
Configure IP-Based Geolocations on the SRX Series Device | 206
Geolocation IPs and Juniper Sky Advanced Threat Prevention | 206
Configuring Juniper Sky Advanced Threat Prevention With Geolocation IP | 207
Administration
Juniper Sky ATP Administration | 210
viii
Modifying My Profile | 210
Creating and Editing User Profiles | 211
Application Tokens Overview | 213
Creating Application Tokens | 213
Multi-Factor Authentication Overview | 215
Configure Multi-Factor Authentication for Administrators | 215
Enable Multi-Factor Authentication | 216
Verification Codes for Multi-Factor Authentication: Mobile SMS | 217
Verification Codes for Multi-Factor Authentication: Email | 217
Unlock a User | 218
Troubleshoot
Troubleshooting Topics | 220
Juniper Sky Advanced Threat Prevention Troubleshooting Overview | 220
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking DNS and Routing
Configurations | 221
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking Certificates | 224
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking the Routing Engine Status | 226
request services advanced-anti-malware data-connection | 228
request services advanced-anti-malware diagnostic | 230
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking the application-identification
8
License | 234
Viewing Juniper Sky Advanced Threat Prevention System Log Messages | 235
Configuring traceoptions | 236
Viewing the traceoptions Log File | 238
Turning Off traceoptions | 238
Juniper Sky Advanced Threat Prevention Dashboard Reports Not Displaying | 239
Juniper Sky Advanced Threat Prevention RMA Process | 240
More Documentation
Sky ATP Tech Library Page Links | 242
Links to Documentation on Juniper.net | 242
ix
About the Documentation
IN THIS SECTION
Documentation and Release Notes | x
Documentation Conventions | x
Documentation Feedback | xiii
Requesting Technical Support | xiii
Use this guide to configure, monitor, and manage Juniper Sky ATP features to protect all hosts in your
network against evolving security threats.
x
Documentation and Release Notes
To obtain the most current version of all Juniper Networks®technical documentation, see the product
documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the
product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts.
These books go beyond the technical documentation to explore the nuances of network architecture,
deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Documentation Conventions
Table 1 on page xi defines notice icons used in this guide.
Table 1: Notice Icons
xi
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Caution
Indicates a situation that might result in loss of data or hardware
damage.
Alerts you to the risk of personal injury or death.Warning
Alerts you to the risk of personal injury from a laser.Laser warning
Indicates helpful information.Tip
Alerts you to a recommended use or implementation.Best practice
Table 2 on page xi defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
ExamplesDescriptionConvention
Fixed-width text like this
Italic text like this
Represents text that you type.Bold text like this
Represents output that appears on
the terminal screen.
Introduces or emphasizes important
•
new terms.
Identifies guide names.
•
Identifies RFC and Internet draft
•
titles.
To enter configuration mode, type
the configure command:
user@host> configure
user@host> show chassis alarms
No alarms currently active
A policy term is a named structure
•
that defines match conditions and
actions.
Junos OS CLI User Guide
•
RFC 1997, BGP Communities
•
Attribute
Table 2: Text and Syntax Conventions (continued)
xii
ExamplesDescriptionConvention
Italic text like this
Text like this
< > (angle brackets)
| (pipe symbol)
Represents variables (options for
which you substitute a value) in
commands or configuration
statements.
Represents names of configuration
statements, commands, files, and
directories; configuration hierarchy
levels; or labels on routing platform
components.
variables.
Indicates a choice between the
mutually exclusive keywords or
variables on either side of the symbol.
The set of choices is often enclosed
in parentheses for clarity.
Configure the machine’s domain
name:
[edit]
root@# set system domain-name
domain-name
To configure a stub area, include
•
the stub statement at the [edit
protocols ospf area area-id]
hierarchy level.
The console port is labeled
•
CONSOLE.
stub <default-metric metric>;Encloses optional keywords or
broadcast | multicast
(string1 | string2 | string3)
# (pound sign)
[ ] (square brackets)
Indention and braces ( { } )
; (semicolon)
GUI Conventions
Indicates a comment specified on the
same line as the configuration
statement to which it applies.
Encloses a variable for which you can
substitute one or more values.
Identifies a level in the configuration
hierarchy.
Identifies a leaf statement at a
configuration hierarchy level.
rsvp { # Required for dynamic MPLS
only
community name members [
community-ids ]
[edit]
routing-options {
static {
route default {
nexthop address;
retain;
}
}
}
Table 2: Text and Syntax Conventions (continued)
xiii
ExamplesDescriptionConvention
Bold text like this
> (bold right angle bracket)
Represents graphical user interface
(GUI) items you click or select.
Separates levels in a hierarchy of
menu selections.
In the Logical Interfaces box, select
•
All Interfaces.
To cancel the configuration, click
•
Cancel.
In the configuration editor hierarchy,
select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You can use either
of the following methods:
Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper
•
Networks TechLibrary site, and do one of the following:
Click the thumbs-up icon if the information on the page was helpful to you.
•
Click the thumbs-down icon if the information on the page was not helpful to you or if you have
•
suggestions for improvement, and use the pop-up form to provide feedback.
E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name,
•
URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC).
If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
covered under warranty, and need post-sales technical support, you can access our tools and resources
online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User
•
Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.
•
JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week,
•
365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called
the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: https://www.juniper.net/customers/support/
•
Search for known bugs: https://prsearch.juniper.net/
•
xiv
Find product documentation: https://www.juniper.net/documentation/
•
Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
•
Download the latest versions of software and review release notes:
•
https://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
•
https://kb.juniper.net/InfoCenter/
Join and participate in the Juniper Networks Community Forum:
•
https://www.juniper.net/company/communities/
Create a service request online: https://myjuniper.juniper.net
•
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:
https://entitlementsearch.juniper.net/entitlementsearch/
Creating a Service Request with JTAC
You can create a service request with JTAC on the Web or by telephone.
Visit https://myjuniper.juniper.net.
•
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
•
For international or direct-dial options in countries without toll-free numbers, see
https://support.juniper.net/support/requesting-support/.
1
PART
Overview and Installation
Juniper Sky Advanced Threat Prevention Overview | 2
Install Juniper Sky Advanced Threat Prevention | 15
CHAPTER 1
Juniper Sky Advanced Threat Prevention Overview
IN THIS CHAPTER
Juniper Sky Advanced Threat Prevention | 2
How is Malware Analyzed and Detected? | 9
About Policy Enforcer | 12
Juniper Sky Advanced Threat Prevention
2
IN THIS SECTION
About Juniper Sky Advanced Threat Prevention | 2
Juniper Sky ATP Features | 4
How the SRX Series Device Remediates Traffic | 6
Juniper Sky ATP Use Cases | 7
Licensing | 8
About Juniper Sky Advanced Threat Prevention
Juniper Sky™ Advanced Threat Prevention (Juniper Sky ATP) is a security framework that protects all hosts
in your network against evolving security threats by employing cloud-based threat detection software
with a next-generation firewall system. See Figure 1 on page 3.
Figure 1: Juniper Sky ATP Overview
3
Juniper Sky ATP protects your network by performing the following tasks:
The SRX Series device extracts potentially malicious objects and files and sends them to the cloud for
•
analysis.
Known malicious files are quickly identified and dropped before they can infect a host.
•
Multiple techniques identify new malware, adding it to the known list of malware.
•
Correlation between newly identified malware and known Command and Control (C&C) sites aids analysis.
•
The SRX Series device blocks known malicious file downloads and outbound C&C traffic.
•
Juniper Sky ATP supports the following modes:
Layer 3 mode
•
Tap mode
•
Transparent mode using MAC address. For more information, see Transparent mode on SRX Series
•
devices.
Secure wire mode (high-level transparent mode using the interface to directly passing traffic, not by
•
MAC address.) For more information, see Understanding Secure Wire.
Juniper Sky ATP Features
Juniper Sky ATP is a cloud-based solution. Cloud environments are flexible and scalable, and a shared
environment ensures that everyone benefits from new threat intelligence in near real-time. Your sensitive
data is secured even though it is in a cloud shared environment. Security analysts can update their defense
when new attack techniques are discovered and distribute the threat intelligence with very little delay.
In addition, Juniper Sky ATP offers the following features:
Integrated with the SRX Series device to simplify deployment and enhance the anti-threat capabilities
•
of the firewall.
Delivers protection against “zero-day” threats using a combination of tools to provide robust coverage
•
against sophisticated, evasive threats.
4
Checks inbound and outbound traffic with policy enhancements that allow users to stop malware,
•
quarantine infected systems, prevent data exfiltration, and disrupt lateral movement.
High availability to provide uninterrupted service.
•
Scalable to handle increasing loads that require more computing resources, increased network bandwidth
•
to receive more customer submissions, and a large storage for malware.
Provides deep inspection, actionable reporting, and inline malware blocking.
•
APIs for C&C feeds, whitelist and blacklist operations, and file submission. See the Threat Intelligence
•
Open API Setup Guide for more information.
Figure 2 on page 5 lists the Juniper Sky ATP components.
Figure 2: Juniper Sky ATP Components
5
Table 3 on page 5 briefly describes each Juniper Sky ATP component’s operation.
Table 3: Juniper Sky ATP Components
OperationComponent
Command and control (C&C) cloud
feeds
GeoIP cloud feeds
Infected host cloud feeds
Whitelists, blacklists and custom
cloud feeds
C&C feeds are essentially a list of servers that are known command and control
for botnets. The list also includes servers that are known sources for malware
downloads.
GeoIP feeds is an up-to-date mapping of IP addresses to geographical regions.
This gives you the ability to filter traffic to and from specific geographies in
the world.
Infected hosts indicate local devices that are potentially compromised because
they appear to be part of a C&C network or other exhibit other symptoms.
A whitelist is simply a list of known IP addresses that you trust and a blacklist
is a list that you do not trust.
NOTE: Custom feeds are not supported in this release.
Table 3: Juniper Sky ATP Components (continued)
OperationComponent
6
SRX Series device
Service portal (Web UI)
Submits extracted file content for analysis and detected C&C hits inside the
customer network.
Performs inline blocking based on verdicts from the analysis cluster.
Performs malware analysis and threat detection.Malware inspection pipeline
Inspects files, metadata, and other information.Internal compromise detection
Graphics interface displaying information about detected threats inside the
customer network.
Configuration management tool where customers can fine-tune which file
categories can be submitted into the cloud for processing.
How the SRX Series Device Remediates Traffic
The SRX Series devices use intelligence provided by Juniper Sky ATP to remediate malicious content
through the use of security policies. If configured, security policies block that content before it is delivered
to the destination address.
For inbound traffic, security policies on the SRX Series device look for specific types of files, like .exe files,
to inspect. When one is encountered, the security policy sends the file to the Juniper Sky ATP cloud for
inspection. The SRX Series device holds the last few KB of the file from the destination client while Juniper
Sky ATP checks if this file has already been analyzed. If so, a verdict is returned and the file is either sent
to the client or blocked depending on the file’s threat level and the user-defined policy in place. If the
cloud has not inspected this file before, the file is sent to the client while Juniper Sky ATP performs an
exhaustive analysis. If the file’s threat level indicates malware (and depending on the user-defined
configurations) the client system is marked as an infected host and blocked from outbound traffic. For
more information, see “How is Malware Analyzed and Detected?” on page 9.
Figure 3 on page 7 shows an example flow of a client requesting a file download with Juniper Sky ATP.
Figure 3: Inspecting Inbound Files for Malware
7
DescriptionStep
1
2
4
5
A client system behind an SRX Series devices requests a file download from the Internet. The SRX Series
device forwards that request to the appropriate server.
The SRX Series device receives the downloaded file and checks its security profile to see if any additional
action must be performed.
The downloaded file type is on the list of files that must be inspected and is sent to the cloud for analysis.3
Juniper Sky ATP has inspected this file before and has the analysis stored in cache. In this example, the
file is not malware and the verdict is sent back to the SRX Series device.
Based on user-defined policies and because this file is not malware, the SRX Series device sends the file
to the client.
For outbound traffic, the SRX Series device monitors traffic that matches C&C feeds it receives, blocks
these C&C requests, and reports them to Juniper Sky ATP. A list of infected hosts is available so that the
SRX Series device can block inbound and outbound traffic.
Juniper Sky ATP Use Cases
Juniper Sky ATP can be used anywhere in an SRX Series deployment. See Figure 4 on page 8.
Figure 4: Juniper Sky ATP Use Cases
8
Campus edge firewall—Juniper Sky ATP analyzes files downloaded from the Internet and protects
•
end-user devices.
Data center edge—Like the campus edge firewall, Juniper Sky ATP prevents infected files and application
•
malware from running on your computers.
Branch router—Juniper Sky ATP provides protection from split-tunneling deployments. A disadvantage
•
of split-tunneling is that users can bypass security set in place by your company’s infrastructure.
Licensing
Juniper Sky ATP has three service levels: Free, Basic (feed only), and Premium. No license is required for
the free version, but you must obtain a license for Basic and Premium levels.
To understand more about Juniper Sky ATP licenses, see Licenses for Juniper Sky Advanced Threat
Prevention (ATP). Please refer to the Licensing Guide for general information about License Management.
Please refer to the product Data Sheets for further details, or contact your Juniper Account Team or
Juniper Partner.
How is Malware Analyzed and Detected?
IN THIS SECTION
Analyzing and Detecting Malware | 9
Cache Lookup | 10
Antivirus Scan | 10
Static Analysis | 10
Dynamic Analysis | 11
Machine Learning Algorithm | 11
Threat Levels | 11
Licensing | 12
9
Analyzing and Detecting Malware
Juniper Sky ATP uses a pipeline approach to analyzing and detecting malware. If an analysis reveals that
the file is absolutely malware, it is not necessary to continue the pipeline to further examine the malware.
See Figure 5 on page 9.
Figure 5: Example Juniper Sky ATP Pipeline Approach for Analyzing Malware
Each analysis technique creates a verdict number, which is combined to create a final verdict number
between 1 and 10. A verdict number is a score or threat level. The higher the number, the higher the
malware threat. The SRX Series device compares this verdict number to the policy settings and either
permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets
are dropped from the server.
Cache Lookup
When a file is analyzed, a file hash is generated, and the results of the analysis are stored in a database.
When a file is uploaded to the Juniper Sky ATP cloud, the first step is to check whether this file has been
looked at before. If it has, the stored verdict is returned to the SRX Series device and there is no need to
re-analyze the file. In addition to files scanned by Juniper Sky ATP, information about common malware
files is also stored to provide faster response.
Cache lookup is performed in real time. All other techniques are done offline. This means that if the cache
lookup does not return a verdict, the file is sent to the client system while the Juniper Sky ATP cloud
continues to examine the file using the remaining pipeline techniques. If a later analysis returns a malware
verdict, then the file and host are flagged.
10
Antivirus Scan
The advantage of antivirus software is its protection against a large number of potential threats, such as
viruses, trojans, worms, spyware, and rootkits. The disadvantage of antivirus software is that it is always
behind the malware. The virus comes first and the patch to the virus comes second. Antivirus is better at
defending familiar threats and known malware than zero-day threats.
Juniper Sky ATP utilizes multiple antivirus software packages, not just one, to analyze a file. The results
are then fed into the machine learning algorithm to overcome false positives and false negatives.
Static Analysis
Static analysis examines files without actually running them. Basic static analysis is straightforward and
fast, typically around 30 seconds. The following are examples of areas static analysis inspects:
Metadata information—Name of the file, the vendor or creator of this file, and the original data the file
•
was compiled on.
Categories of instructions used—Is the file modifying the Windows registry? Is it touching disk I/O APIs?.
•
File entropy—How random is the file? A common technique for malware is to encrypt portions of the
•
code and then decrypt it during runtime. A lot of encryption is a strong indication a this file is malware.
The output of the static analysis is fed into the machine learning algorithm to improve the verdict accuracy.
Dynamic Analysis
The majority of the time spent inspecting a file is in dynamic analysis. With dynamic analysis, often called
sandboxing, a file is studied as it is executed in a secure environment. During this analysis, an operating
system environment is set up, typically in a virtual machine, and tools are started to monitor all activity.
The file is uploaded to this environment and is allowed to run for several minutes. Once the allotted time
has passed, the record of activity is downloaded and passed to the machine learning algorithm to generate
a verdict.
Sophisticated malware can detect a sandbox environment due to its lack of human interaction, such as
mouse movement. Juniper Sky ATP uses a number of deception techniques to trick the malware into
determining this is a real user environment. For example, Juniper Sky ATP can:
Generate a realistic pattern of user interaction such as mouse movement, simulating keystrokes, and
•
installing and launching common software packages.
Create fake high-value targets in the client, such as stored credentials, user files, and a realistic network
•
with Internet access.
11
Create vulnerable areas in the operating system.
•
Deception techniques by themselves greatly boost the detection rate while reducing false positives. They
also boosts the detection rate of the sandbox the file is running in because they get the malware to perform
more activity. The more the file runs the more data is obtained to detect whether it is malware.
Machine Learning Algorithm
Juniper Sky ATP uses its own proprietary implementation of machine learning to assist in analysis. Machine
learning recognizes patterns and correlates information for improved file analysis. The machine learning
algorithm is programmed with features from thousands of malware samples and thousands of goodware
samples. It learns what malware looks like, and is regularly re-programmed to get smarter as threats evolve.
Threat Levels
Juniper Sky ATP assigns a number between 0-10 to indicate the threat level of files scanned for malware
and the threat level for infected hosts. See Table 4 on page 11.
Table 4: Threat Level Definitions
DefinitionThreat Level
Clean; no action is required.0
Low threat level.1 - 3
Medium threat level.4 - 6
Table 4: Threat Level Definitions (continued)
DefinitionThreat Level
High threat level.7 -10
For more information on threat levels, see the Juniper Sky ATP Web UI online help.
Licensing
Juniper Sky ATP has three service levels: Free, Basic (feed only), and Premium. No license is required for
the free version, but you must obtain a license for Basic and Premium levels.
To understand more about Juniper Sky ATP licenses, see Licenses for Juniper Sky Advanced Threat
Prevention (ATP). Please refer to the Licensing Guide for general information about License Management.
Please refer to the product Data Sheets for further details, or contact your Juniper Account Team or
Juniper Partner.
12
RELATED DOCUMENTATION
Juniper Sky Advanced Threat Prevention | 2
Dashboard Overview | 37
About Policy Enforcer
IN THIS SECTION
Policy Enforcer | 12
Policy Enforcer
View the Policy Enforcer data sheet (This takes you out of the help center to the Juniper web site):
https://www.juniper.net/assets/fr/fr/local/pdf/datasheets/1000602-en.pdf
Policy Enforcer provides centralized, integrated management of all your security devices (both physical
and virtual), giving you the ability to combine threat intelligence from different solutions and act on that
intelligence from one management point.
It also automates the enforcement of security policies across the network and quarantines infected
endpoints to prevent threats across firewalls and switches. It works with cloud-based Juniper Sky Advanced
Threat Prevention (Juniper Sky ATP) to protect both perimeter-oriented threats as well as threats within
the network. For example, if a user downloads a file from the Internet and that file passes through an SRX
firewall, the file can be sent to the Juniper Sky ATP cloud for malware inspection (depending on your
configuration settings.) If the file is determined to be malware, Policy Enforcer identifies the IP address
and MAC address of the host that downloaded the file. Based on a user-defined policy, that host can be
put into a quarantine VLAN or blocked from accessing the Internet.
Policy Enforcer provides the following:
Pervasive Security—Combine security features and intelligence from devices across your network,
•
including switches, routers, firewalls, to create a “secure fabric” that leverages information you can use
to create policies that address threats in real-time and into the future. With monitoring capabilities, it
can also act as a sensor, providing visibility for intra- and inter-network communications.
User Intent-Based Policies—Create policies according to logical business structures such as users, user
•
groups, geographical locations, sites, tenants, applications, or threat risks. This allows network devices
(switches, routers, firewalls and other security devices) to share information, resources, and when threats
are detected, remediation actions within the network.
13
Threat Intelligence Aggregation—Gather threat information from multiple locations and devices, both
•
physical and virtual, as well as third party solutions.
Figure 6 on page 14 illustrates the flow diagram of Policy Enforcer over a traditional SRX configuration.
Figure 6: Comparing Traditional SRX Customers to Policy Enforcer Customers
14
RELATED DOCUMENTATION
Hosts Overview | 137
Host Details | 140
Dashboard Overview | 37
CHAPTER 2
Install Juniper Sky Advanced Threat Prevention
IN THIS CHAPTER
Juniper Sky Advanced Threat Prevention Installation Overview | 15
Managing the Juniper Sky Advanced Threat Prevention License | 15
Registering a Juniper Sky Advanced Threat Prevention Account | 20
Downloading and Running the Juniper Sky Advanced Threat Prevention Script | 24
15
Juniper Sky Advanced Threat Prevention Installation Overview
Although Juniper Sky ATP is a free add-on to an SRX Series device, you must still enable it prior to using
it. To enable Juniper Sky ATP, perform the following tasks:
1. (Optional) Obtain a Juniper Sky ATP premium license. See Licenses for Juniper Sky Advanced Threat
Prevention (ATP). This link takes you to the Juniper Licensing Guide.
2. Register an account on the Juniper Sky ATP cloud Web portal. See “Registering a Juniper Sky Advanced
Threat Prevention Account” on page 20.
3. Download and run the Juniper Sky ATP script on your SRX Series device. See “Downloading and Running
the Juniper Sky Advanced Threat Prevention Script” on page 24.
Managing the Juniper Sky Advanced Threat Prevention License
IN THIS SECTION
Obtaining the Premium License Key | 16
License Management and SRX Series Devices | 17
Juniper Sky ATP Premium Evaluation License for vSRX | 17
License Management and vSRX Deployments | 17
High Availability | 19
This topic describes how to install the Juniper Sky ATP premium license onto your SRX Series devices and
vSRX deployments. You do not need to install the Juniper Sky ATP free license as these are included your
base software. Note that the free license has a limited feature set (see Juniper Sky Advanced Threat Prevention
License Types and Sky Advanced Threat Prevention File Limitations).
When installing the license key, you must use the license that is specific your device type. For example,
the Juniper Sky ATP premium license available for the SRX Series device cannot be used on vSRX
deployments.
Obtaining the Premium License Key
16
The Juniper Sky ATP premium license can be found on the Juniper Networks product price list. The
procedure for obtaining the premium license entitlement is the same as for all other Juniper Network
products. The following steps provide an overview.
1. Contact your local sales office or Juniper Networks partner to place an order for the Juniper Sky ATP
premium license.
After your order is complete, an authorization code is e-mailed to you. An authorization code is a unique
16-digit alphanumeric used in conjunction with your device serial number to generate a premium license
entitlement.
2. (SRX Series devices only) Use the show chassis hardware CLI command to find the serial number of
the SRX Series devices that are to be tied to the Juniper Sky ATP premium license.
[edit]
root@SRX# run show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis CM1915AK0326 SRX1500
Midplane REV 09 750-058562 ACMH1590 SRX1500
Pseudo CB 0
Routing Engine 0 BUILTIN BUILTIN SRX Routing Engine
FPC 0 REV 08 711-053832 ACMG3280 FEB
PIC 0 BUILTIN BUILTIN 12x1G-T-4x1G-SFP-4x10G
Loading...