Sky ATP
Juniper Sky Advanced Threat Prevention
Administration Guide
Published
2020-07-01
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Copyright © 2020 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
About the Documentation | x
Documentation and Release Notes | x
Documentation Conventions | x
Documentation Feedback | xiii
Requesting Technical Support | xiii
Self-Help Online Tools and Resources | xiv
Creating a Service Request with JTAC | xiv
1 Overview and Installation
Juniper Sky Advanced Threat Prevention Overview | 2
Juniper Sky Advanced Threat Prevention | 2
About Juniper Sky Advanced Threat Prevention | 2
Juniper Sky ATP Features | 4
How the SRX Series Device Remediates Traffic | 6
Juniper Sky ATP Use Cases | 7
Licensing | 8
How is Malware Analyzed and Detected? | 9
Analyzing and Detecting Malware | 9
Cache Lookup | 10
Antivirus Scan | 10
Static Analysis | 10
Dynamic Analysis | 11
Machine Learning Algorithm | 11
Threat Levels | 11
Licensing | 12
About Policy Enforcer | 12
Policy Enforcer | 12
Install Juniper Sky Advanced Threat Prevention | 15
Juniper Sky Advanced Threat Prevention Installation Overview | 15
Managing the Juniper Sky Advanced Threat Prevention License | 15
Obtaining the Premium License Key | 16
License Management and SRX Series Devices | 17
Juniper Sky ATP Premium Evaluation License for vSRX | 17
License Management and vSRX Deployments | 17
High Availability | 19
Registering a Juniper Sky Advanced Threat Prevention Account | 20
Downloading and Running the Juniper Sky Advanced Threat Prevention Script | 24
2 The Web Portal and Enrolling SRX Series Devices
The Juniper Sky ATP Web Portal | 31
Juniper Sky Advanced Threat Prevention Configuration Overview | 31
Juniper Sky Advanced Threat Prevention Web UI Overview | 34
Accessing the Web UI | 34
Dashboard Overview | 37
Reset Password | 38
Recover Realm Name | 40
Enroll SRX Series Devices | 43
Enrolling an SRX Series Device With Juniper Sky Advanced Threat Prevention | 43
Enrolling an SRX Series Device without the Juniper Sky ATP Web Portal | 47
Removing an SRX Series Device From Juniper Sky Advanced Threat Prevention | 49
Searching for SRX Series Devices Within Juniper Sky Advanced Threat Prevention | 50
Juniper Sky Advanced Threat Prevention RMA Process | 53
Device Information | 53
Cloud Feeds for Juniper Sky Advanced Threat Prevention: More Information | 54
3 Configure
Whitelists and Blacklists | 57
Whitelist and Blacklist Overview | 57
Creating Whitelists and Blacklists | 59
Email Scanning: Juniper Sky ATP | 65
Email Management Overview | 65
Email Management: Configure SMTP | 67
Email Management: Configure IMAP | 70
Email Scanning: SRX Series Device | 74
Configuring the SMTP Email Management Policy on the SRX Series Device | 74
Configuring the IMAP Email Management Policy on the SRX Series Device | 80
Configuring Reverse Proxy on the SRX Series Device | 88
File Inspection Profiles | 92
File Inspection Profiles Overview | 92
Creating File Inspection Profiles | 94
Adaptive Threat Profiling | 97
Adaptive Threat Profiling Overview | 97
Overview | 97
Configure Adaptive Threat Profiling | 99
Deploy Adaptive Threat Profiling | 101
Use Case Examples | 103
Threat Detection Use Case | 103
Asset Classification Use Case | 107
Create an Adaptive Threat Profiling Feed | 108
Third Party Threat Feeds | 110
Enabling Third Party Threat Feeds | 110
Global Configurations | 116
Global Configuration for Infected Hosts | 116
Configuring Threat Intelligence Sharing | 119
Configuring Trusted Proxy Servers | 121
Realm Overview | 122
Realms and Tenant Systems | 122
Configuration Overview | 123
SRX Series and Tenant System Enrollment | 123
Realm Management | 124
Tenant Systems: Security-Intelligence and Anti-Malware Policies | 126
Tenant System Support for SecIntel Feeds | 126
Tenant System Support for AAMW | 127
Security Profile CLI | 129
4 Monitor and Take Action
Reports | 131
Reports Overview | 131
Configure Report Definitions | 135
Hosts | 137
Hosts Overview | 137
Host Details | 140
Identifying Infected Hosts | 142
Compromised Hosts: More Information | 142
About Block Drop and Block Close | 146
Host Details | 147
Automatic Lowering of Host Threat Level or Removal from Infected Hosts Feed | 148
Configuring the SRX Series Devices to Block Infected Hosts | 149
Command and Control Servers | 153
Command and Control Servers Overview | 153
Command and Control Server Details | 154
Identify Hosts Communicating with Command and Control Servers | 158
Command and Control Servers: More Information | 158
Configuring the SRX Series Device to Block Outbound Requests to a C&C Host | 161
File Scanning | 164
HTTP File Download Overview | 164
HTTP File Download Details | 166
File Summary | 167
HTTP Downloads | 168
Sample STIX Report | 169
Manual Scanning Overview | 169
File Scanning Limits | 171
Email Scanning | 173
Email Attachments Scanning Overview | 173
Email Attachments Scanning Details | 174
File Summary | 176
SMTP Quarantine Overview: Blocked Emails | 177
IMAP Block Overview | 179
Telemetry | 181
Telemetry Overview | 181
Telemetry Details | 183
Encrypted Traffic Analysis | 185
Encrypted Traffic Analysis Overview | 185
Encrypted Traffic Analysis and Detection | 186
Workflow | 187
Configurations on SRX Series Devices | 188
Encrypted Traffic Analysis Details | 189
5 Policies on the SRX Series Device
Configure Juniper Sky ATP Policies on the SRX Series Device | 193
Juniper Sky Advanced Threat Prevention Policy Overview | 193
Enabling Juniper Sky ATP for Encrypted HTTPS Connections | 196
Example: Configuring a Juniper Sky Advanced Threat Prevention Policy Using the CLI | 197
Unified Policies | 202
Explicit Web Proxy Support | 204
Configure IP-Based Geolocations on the SRX Series Device | 206
Geolocation IPs and Juniper Sky Advanced Threat Prevention | 206
Configuring Juniper Sky Advanced Threat Prevention With Geolocation IP | 207
6 Administration
Juniper Sky ATP Administration | 210
Modifying My Profile | 210
Creating and Editing User Profiles | 211
Application Tokens Overview | 213
Creating Application Tokens | 213
Multi-Factor Authentication Overview | 215
Configure Multi-Factor Authentication for Administrators | 215
Enable Multi-Factor Authentication | 216
Verification Codes for Multi-Factor Authentication: Mobile SMS | 217
Verification Codes for Multi-Factor Authentication: Email | 217
Unlock a User | 218
7 Troubleshoot
Troubleshooting Topics | 220
Juniper Sky Advanced Threat Prevention Troubleshooting Overview | 220
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking DNS and Routing Configurations | 221
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking Certificates | 224
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking the Routing Engine Status | 226
request services advanced-anti-malware data-connection | 228
request services advanced-anti-malware diagnostic | 230
Troubleshooting Juniper Sky Advanced Threat Prevention: Checking the application-identification License | 234
Viewing Juniper Sky Advanced Threat Prevention System Log Messages | 235
Configuring traceoptions | 236
Viewing the traceoptions Log File | 238
Turning Off traceoptions | 238
Juniper Sky Advanced Threat Prevention Dashboard Reports Not Displaying | 239
Juniper Sky Advanced Threat Prevention RMA Process | 240
8 More Documentation
Sky ATP Tech Library Page Links | 242
Links to Documentation on Juniper.net | 242
IN THIS SECTION
Documentation and Release Notes | x
Documentation Conventions | x
Documentation Feedback | xiii
Requesting Technical Support | xiii
Use this guide to configure, monitor, and manage Juniper Sky ATP features to protect all hosts in your network against evolving security threats.
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Table 1 on page xi defines notice icons used in this guide.
Table 1: Notice Icons

Informational note
  Indicates important features or instructions.
Caution
  Indicates a situation that might result in loss of data or hardware damage.
Warning
  Alerts you to the risk of personal injury or death.
Laser warning
  Alerts you to the risk of personal injury from a laser.
Tip
  Indicates helpful information.
Best practice
  Alerts you to a recommended use or implementation.
Table 2 on page xi defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Bold text like this
  Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
  Examples:
    A policy term is a named structure that defines match conditions and actions.
    Junos OS CLI User Guide
    RFC 1997, BGP Communities Attribute

Italic text like this
  Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Text like this
  Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
    To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    The console port is labeled CONSOLE.

< > (angle brackets)
  Encloses optional keywords or variables.
  Example:
    stub <default-metric metric>;

| (pipe symbol)
  Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples:
    broadcast | multicast
    (string1 | string2 | string3)

# (pound sign)
  Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example:
    rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Encloses a variable for which you can substitute one or more values.
  Example:
    community name members [ community-ids ]

Indention and braces ( { } )
  Identifies a level in the configuration hierarchy.
  Example:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

; (semicolon)
  Identifies a leaf statement at a configuration hierarchy level.
  Example: the nexthop address; and retain; lines in the braces example above.

GUI Conventions

Bold text like this
  Represents graphical user interface (GUI) items you click or select.
  Examples:
    In the Logical Interfaces box, select All Interfaces.
    To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.
We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:
•Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:
•Click the thumbs-up icon if the information on the page was helpful to you.
•Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.
•E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name, URL or page number, and software version (if applicable).
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
•JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
•Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.
•JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
•Find CSC offerings: https://www.juniper.net/customers/support/
•Search for known bugs: https://prsearch.juniper.net/
•Find product documentation: https://www.juniper.net/documentation/
•Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
•Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/
•Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/
•Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/
•Create a service request online: https://myjuniper.juniper.net
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
You can create a service request with JTAC on the Web or by telephone.
•Visit https://myjuniper.juniper.net.
•Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.
PART 1
Overview and Installation
Juniper Sky Advanced Threat Prevention Overview | 2
Install Juniper Sky Advanced Threat Prevention | 15
CHAPTER 1
Juniper Sky Advanced Threat Prevention Overview
IN THIS CHAPTER
Juniper Sky Advanced Threat Prevention | 2
How is Malware Analyzed and Detected? | 9
About Policy Enforcer | 12
IN THIS SECTION
About Juniper Sky Advanced Threat Prevention | 2
Juniper Sky ATP Features | 4
How the SRX Series Device Remediates Traffic | 6
Juniper Sky ATP Use Cases | 7
Licensing | 8
Juniper Sky™ Advanced Threat Prevention (Juniper Sky ATP) is a security framework that protects all hosts in your network against evolving security threats by employing cloud-based threat detection software with a next-generation firewall system. See Figure 1 on page 3.
Figure 1: Juniper Sky ATP Overview
Juniper Sky ATP protects your network by performing the following tasks:
•The SRX Series device extracts potentially malicious objects and files and sends them to the cloud for analysis.
•Known malicious files are quickly identified and dropped before they can infect a host.
•Multiple techniques identify new malware, adding it to the known list of malware.
•Correlation between newly identified malware and known Command and Control (C&C) sites aids analysis.
•The SRX Series device blocks known malicious file downloads and outbound C&C traffic.
Juniper Sky ATP supports the following modes:
•Layer 3 mode
•Tap mode
•Transparent mode using MAC address. For more information, see Transparent mode on SRX Series devices.
•Secure wire mode (a transparent mode at the interface level, in which traffic is passed directly between a pair of interfaces rather than being forwarded by MAC address). For more information, see Understanding Secure Wire.
Juniper Sky ATP is a cloud-based solution. Cloud environments are flexible and scalable, and a shared environment ensures that everyone benefits from new threat intelligence in near real-time. Your sensitive data is secured even though it is in a cloud shared environment. Security analysts can update their defense when new attack techniques are discovered and distribute the threat intelligence with very little delay.
In addition, Juniper Sky ATP offers the following features:
•Integrated with the SRX Series device to simplify deployment and enhance the anti-threat capabilities of the firewall.
•Delivers protection against “zero-day” threats using a combination of tools to provide robust coverage against sophisticated, evasive threats.
•Checks inbound and outbound traffic with policy enhancements that allow users to stop malware, quarantine infected systems, prevent data exfiltration, and disrupt lateral movement.
•High availability to provide uninterrupted service.
•Scalable to handle increasing loads that require more computing resources, increased network bandwidth to receive more customer submissions, and a large storage for malware.
•Provides deep inspection, actionable reporting, and inline malware blocking.
•APIs for C&C feeds, whitelist and blacklist operations, and file submission. See the Threat Intelligence Open API Setup Guide for more information.
Figure 2 on page 5 lists the Juniper Sky ATP components.
Figure 2: Juniper Sky ATP Components
Table 3 on page 5 briefly describes each Juniper Sky ATP component’s operation.
Table 3: Juniper Sky ATP Components

Command and control (C&C) cloud feeds
  C&C feeds are essentially a list of servers that are known command and control servers for botnets. The list also includes servers that are known sources for malware downloads.

GeoIP cloud feeds
  GeoIP feeds are an up-to-date mapping of IP addresses to geographical regions. This gives you the ability to filter traffic to and from specific geographies in the world.

Infected host cloud feeds
  Infected hosts indicate local devices that are potentially compromised because they appear to be part of a C&C network or exhibit other symptoms.

Whitelists, blacklists and custom cloud feeds
  A whitelist is simply a list of known IP addresses that you trust and a blacklist is a list that you do not trust.
  NOTE: Custom feeds are not supported in this release.

SRX Series device
  Submits extracted file content for analysis and detected C&C hits inside the customer network. Performs inline blocking based on verdicts from the analysis cluster.

Malware inspection pipeline
  Performs malware analysis and threat detection.

Internal compromise detection
  Inspects files, metadata, and other information.

Service portal (Web UI)
  Graphical interface displaying information about detected threats inside the customer network. Configuration management tool where customers can fine-tune which file categories can be submitted into the cloud for processing.
The SRX Series devices use intelligence provided by Juniper Sky ATP to remediate malicious content through the use of security policies. If configured, security policies block that content before it is delivered to the destination address.
For inbound traffic, security policies on the SRX Series device look for specific types of files, like .exe files, to inspect. When one is encountered, the security policy sends the file to the Juniper Sky ATP cloud for inspection. The SRX Series device holds the last few KB of the file from the destination client while Juniper Sky ATP checks if this file has already been analyzed. If so, a verdict is returned and the file is either sent to the client or blocked depending on the file’s threat level and the user-defined policy in place. If the cloud has not inspected this file before, the file is sent to the client while Juniper Sky ATP performs an exhaustive analysis. If the file’s threat level indicates malware (and depending on the user-defined configurations) the client system is marked as an infected host and blocked from outbound traffic. For more information, see “How is Malware Analyzed and Detected?” on page 9.
Figure 3 on page 7 shows an example flow of a client requesting a file download with Juniper Sky ATP.
Figure 3: Inspecting Inbound Files for Malware
1. A client system behind an SRX Series device requests a file download from the Internet. The SRX Series device forwards that request to the appropriate server.
2. The SRX Series device receives the downloaded file and checks its security profile to see if any additional action must be performed.
3. The downloaded file type is on the list of files that must be inspected and is sent to the cloud for analysis.
4. Juniper Sky ATP has inspected this file before and has the analysis stored in cache. In this example, the file is not malware and the verdict is sent back to the SRX Series device.
5. Based on user-defined policies and because this file is not malware, the SRX Series device sends the file to the client.
For outbound traffic, the SRX Series device monitors traffic that matches C&C feeds it receives, blocks these C&C requests, and reports them to Juniper Sky ATP. A list of infected hosts is available so that the SRX Series device can block inbound and outbound traffic.
Juniper Sky ATP can be used anywhere in an SRX Series deployment. See Figure 4 on page 8.
Figure 4: Juniper Sky ATP Use Cases
•Campus edge firewall—Juniper Sky ATP analyzes files downloaded from the Internet and protects end-user devices.
•Data center edge—Like the campus edge firewall, Juniper Sky ATP prevents infected files and application malware from running on your computers.
•Branch router—Juniper Sky ATP provides protection from split-tunneling deployments. A disadvantage of split-tunneling is that users can bypass security set in place by your company’s infrastructure.
Juniper Sky ATP has three service levels: Free, Basic (feed only), and Premium. No license is required for the free version, but you must obtain a license for Basic and Premium levels.
To understand more about Juniper Sky ATP licenses, see Licenses for Juniper Sky Advanced Threat Prevention (ATP). Please refer to the Licensing Guide for general information about License Management. Please refer to the product Data Sheets for further details, or contact your Juniper Account Team or Juniper Partner.
IN THIS SECTION
Analyzing and Detecting Malware | 9
Cache Lookup | 10
Antivirus Scan | 10
Static Analysis | 10
Dynamic Analysis | 11
Machine Learning Algorithm | 11
Threat Levels | 11
Licensing | 12
Juniper Sky ATP uses a pipeline approach to analyzing and detecting malware. If an analysis reveals that the file is absolutely malware, it is not necessary to continue the pipeline to further examine the malware. See Figure 5 on page 9.
Figure 5: Example Juniper Sky ATP Pipeline Approach for Analyzing Malware
Each analysis technique creates a verdict number, which is combined to create a final verdict number between 1 and 10. A verdict number is a score or threat level. The higher the number, the higher the malware threat. The SRX Series device compares this verdict number to the policy settings and either permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets are dropped from the server.
When a file is analyzed, a file hash is generated, and the results of the analysis are stored in a database. When a file is uploaded to the Juniper Sky ATP cloud, the first step is to check whether this file has been looked at before. If it has, the stored verdict is returned to the SRX Series device and there is no need to re-analyze the file. In addition to files scanned by Juniper Sky ATP, information about common malware files is also stored to provide faster response.
Cache lookup is performed in real time. All other techniques are done offline. This means that if the cache lookup does not return a verdict, the file is sent to the client system while the Juniper Sky ATP cloud continues to examine the file using the remaining pipeline techniques. If a later analysis returns a malware verdict, then the file and host are flagged.
The advantage of antivirus software is its protection against a large number of potential threats, such as viruses, trojans, worms, spyware, and rootkits. The disadvantage of antivirus software is that it is always behind the malware. The virus comes first and the patch to the virus comes second. Antivirus is better at defending familiar threats and known malware than zero-day threats.
Juniper Sky ATP utilizes multiple antivirus software packages, not just one, to analyze a file. The results are then fed into the machine learning algorithm to overcome false positives and false negatives.
Static analysis examines files without actually running them. Basic static analysis is straightforward and fast, typically around 30 seconds. The following are examples of areas static analysis inspects:
•Metadata information—Name of the file, the vendor or creator of this file, and the original date the file was compiled on.
•Categories of instructions used—Is the file modifying the Windows registry? Is it touching disk I/O APIs?
•File entropy—How random is the file? A common technique for malware is to encrypt portions of the code and then decrypt it during runtime. A lot of encryption is a strong indication that this file is malware.
The output of the static analysis is fed into the machine learning algorithm to improve the verdict accuracy.
The majority of the time spent inspecting a file is in dynamic analysis. With dynamic analysis, often called sandboxing, a file is studied as it is executed in a secure environment. During this analysis, an operating system environment is set up, typically in a virtual machine, and tools are started to monitor all activity. The file is uploaded to this environment and is allowed to run for several minutes. Once the allotted time has passed, the record of activity is downloaded and passed to the machine learning algorithm to generate a verdict.
Sophisticated malware can detect a sandbox environment due to its lack of human interaction, such as mouse movement. Juniper Sky ATP uses a number of deception techniques to trick the malware into determining this is a real user environment. For example, Juniper Sky ATP can:
•Generate a realistic pattern of user interaction such as mouse movement, simulating keystrokes, and installing and launching common software packages.
•Create fake high-value targets in the client, such as stored credentials, user files, and a realistic network with Internet access.
•Create vulnerable areas in the operating system.
Deception techniques by themselves greatly boost the detection rate while reducing false positives. They also boost the detection rate of the sandbox the file is running in because they get the malware to perform more activity. The more the file runs, the more data is obtained to detect whether it is malware.
Juniper Sky ATP uses its own proprietary implementation of machine learning to assist in analysis. Machine learning recognizes patterns and correlates information for improved file analysis. The machine learning algorithm is programmed with features from thousands of malware samples and thousands of goodware samples. It learns what malware looks like, and is regularly re-programmed to get smarter as threats evolve.
Juniper Sky ATP assigns a number between 0-10 to indicate the threat level of files scanned for malware and the threat level for infected hosts. See Table 4 on page 11.
Table 4: Threat Level Definitions

Threat Level 0
  Clean; no action is required.
Threat Level 1-3
  Low threat level.
Threat Level 4-6
  Medium threat level.
Threat Level 7-10
  High threat level.
For more information on threat levels, see the Juniper Sky ATP Web UI online help.
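The pipeline described above (a real-time cache lookup keyed by file hash, then offline antivirus, static and dynamic stages whose scores become one 0-10 verdict that the SRX Series device checks against policy, with file entropy as a static-analysis feature and the Table 4 bands) as a constructed Python model. This is an added example, not Juniper's code: the SHA-256 cache key, the entropy-to-score mapping, the max combining rule and blocking at verdict >= threshold are assumptions of the model, and the sample payloads are constructed.

```python
"""Constructed model of the Sky ATP verdict pipeline described in this guide.

Not Juniper's code. It keeps the sequence the text gives (real-time cache
lookup by file hash, then offline stages combined into one 0-10 verdict that
is cached and compared against the SRX policy); the SHA-256 key, the
entropy-to-score mapping, the max combining rule and "block when verdict >=
threshold" are assumptions of the model.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, Optional, Tuple

# Threat level bands from Table 4: (lowest level, highest level, name).
THREAT_BANDS = ((0, 0, "clean"), (1, 3, "low"), (4, 6, "medium"), (7, 10, "high"))


def threat_band(level: int) -> str:
    """Map a 0-10 verdict onto its Table 4 band."""
    for low, high, name in THREAT_BANDS:
        if low <= level <= high:
            return name
    raise ValueError(f"verdict out of range: {level}")


def file_hash(data: bytes) -> str:
    """Cache key for a file (SHA-256 is an assumption of this model)."""
    return hashlib.sha256(data).hexdigest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the static-analysis
    feature the guide names: packed or encrypted sections approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def static_score(data: bytes) -> int:
    """Hypothetical static verdict from entropy alone (assumption):
    4.0 bits/byte or less scores 0, 8.0 bits/byte scores 10."""
    return min(10, max(0, round((byte_entropy(data) - 4.0) * 2.5)))


class VerdictCache:
    """Verdicts keyed by file hash, so a known file is never re-analyzed."""

    def __init__(self) -> None:
        self._store: Dict[str, int] = {}

    def lookup(self, digest: str) -> Optional[int]:
        return self._store.get(digest)

    def store(self, digest: str, level: int) -> None:
        self._store[digest] = level


def inspect_download(data: bytes, cache: VerdictCache,
                     policy_threshold: int) -> Tuple[str, Optional[int]]:
    """Real-time path on the SRX Series device: a cache hit gives an immediate
    permit or block; a miss delivers the file ("permit-pending") while offline
    analysis continues. Returns (action, cached verdict or None)."""
    cached = cache.lookup(file_hash(data))
    if cached is None:
        return "permit-pending", None
    return ("block" if cached >= policy_threshold else "permit"), cached


def offline_analysis(data: bytes, cache: VerdictCache, av_score: int,
                     dynamic_score: int) -> Tuple[int, Dict[str, int]]:
    """Offline stages after a cache miss. Antivirus and sandbox scores are
    supplied by the caller (constructed); the static score comes from entropy.
    Stage scores are combined with a max rule and the verdict is cached."""
    scores = {"antivirus": av_score,
              "static": static_score(data),
              "dynamic": dynamic_score}
    level = max(scores.values())
    cache.store(file_hash(data), level)
    return level, scores


def host_flagged(level: int, policy_threshold: int) -> bool:
    """A late malware verdict flags the host that already received the file."""
    return level >= policy_threshold


# Constructed sample payloads: repetitive text (low entropy) and a uniform
# byte stream standing in for an encrypted section (entropy exactly 8.0).
LOW_ENTROPY_FILE = b"MZ placeholder header, nothing packed here. " * 32
HIGH_ENTROPY_FILE = bytes(range(256)) * 4
```

Running inspect_download twice for the same payload, with offline_analysis in between, shows the guide's point that the first download of an unknown file is delivered while analysis runs and only the second is decided from cache.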
Juniper Sky ATP has three service levels: Free, Basic (feed only), and Premium. No license is required for the free version, but you must obtain a license for Basic and Premium levels.
To understand more about Juniper Sky ATP licenses, see Licenses for Juniper Sky Advanced Threat Prevention (ATP). Please refer to the Licensing Guide for general information about License Management. Please refer to the product Data Sheets for further details, or contact your Juniper Account Team or Juniper Partner.
RELATED DOCUMENTATION
Juniper Sky Advanced Threat Prevention | 2
Dashboard Overview | 37
IN THIS SECTION
Policy Enforcer | 12
View the Policy Enforcer data sheet (This takes you out of the help center to the Juniper web site): https://www.juniper.net/assets/fr/fr/local/pdf/datasheets/1000602-en.pdf
Policy Enforcer provides centralized, integrated management of all your security devices (both physical and virtual), giving you the ability to combine threat intelligence from different solutions and act on that intelligence from one management point.
It also automates the enforcement of security policies across the network and quarantines infected endpoints to prevent threats across firewalls and switches. It works with cloud-based Juniper Sky Advanced Threat Prevention (Juniper Sky ATP) to protect against both perimeter-oriented threats and threats within the network. For example, if a user downloads a file from the Internet and that file passes through an SRX firewall, the file can be sent to the Juniper Sky ATP cloud for malware inspection (depending on your configuration settings). If the file is determined to be malware, Policy Enforcer identifies the IP address and MAC address of the host that downloaded the file. Based on a user-defined policy, that host can be put into a quarantine VLAN or blocked from accessing the Internet.
Policy Enforcer provides the following:
•Pervasive Security—Combine security features and intelligence from devices across your network, including switches, routers, and firewalls, to create a “secure fabric” that leverages information you can use to create policies that address threats in real-time and into the future. With monitoring capabilities, it can also act as a sensor, providing visibility for intra- and inter-network communications.
•User Intent-Based Policies—Create policies according to logical business structures such as users, user groups, geographical locations, sites, tenants, applications, or threat risks. This allows network devices (switches, routers, firewalls and other security devices) to share information, resources, and, when threats are detected, remediation actions within the network.
•Threat Intelligence Aggregation—Gather threat information from multiple locations and devices, both physical and virtual, as well as third party solutions.
Figure 6 on page 14 illustrates the flow diagram of Policy Enforcer over a traditional SRX configuration.
Figure 6: Comparing Traditional SRX Customers to Policy Enforcer Customers
RELATED DOCUMENTATION
Hosts Overview | 137
Host Details | 140
Dashboard Overview | 37
CHAPTER 2
Install Juniper Sky Advanced Threat Prevention
IN THIS CHAPTER
Juniper Sky Advanced Threat Prevention Installation Overview | 15
Managing the Juniper Sky Advanced Threat Prevention License | 15
Registering a Juniper Sky Advanced Threat Prevention Account | 20
Downloading and Running the Juniper Sky Advanced Threat Prevention Script | 24
Although Juniper Sky ATP is a free add-on to an SRX Series device, you must still enable it prior to using it. To enable Juniper Sky ATP, perform the following tasks:
1. (Optional) Obtain a Juniper Sky ATP premium license. See Licenses for Juniper Sky Advanced Threat Prevention (ATP). This link takes you to the Juniper Licensing Guide.
2. Register an account on the Juniper Sky ATP cloud Web portal. See “Registering a Juniper Sky Advanced Threat Prevention Account” on page 20.
3. Download and run the Juniper Sky ATP script on your SRX Series device. See “Downloading and Running the Juniper Sky Advanced Threat Prevention Script” on page 24.
IN THIS SECTION
Obtaining the Premium License Key | 16
License Management and SRX Series Devices | 17
Juniper Sky ATP Premium Evaluation License for vSRX | 17
License Management and vSRX Deployments | 17
High Availability | 19
This topic describes how to install the Juniper Sky ATP premium license onto your SRX Series devices and vSRX deployments. You do not need to install the Juniper Sky ATP free license, as it is included in your base software. Note that the free license has a limited feature set (see Juniper Sky Advanced Threat Prevention License Types and Sky Advanced Threat Prevention File Limitations).
When installing the license key, you must use the license that is specific to your device type. For example, the Juniper Sky ATP premium license available for the SRX Series device cannot be used on vSRX deployments.
The Juniper Sky ATP premium license can be found on the Juniper Networks product price list. The procedure for obtaining the premium license entitlement is the same as for all other Juniper Network products. The following steps provide an overview.
1. Contact your local sales office or Juniper Networks partner to place an order for the Juniper Sky ATP premium license.
After your order is complete, an authorization code is e-mailed to you. An authorization code is a unique 16-digit alphanumeric string used in conjunction with your device serial number to generate a premium license entitlement.
2. (SRX Series devices only) Use the show chassis hardware CLI command to find the serial number of the SRX Series devices that are to be tied to the Juniper Sky ATP premium license.
[edit]
root@SRX# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                CM1915AK0326   SRX1500
Midplane         REV 09   750-058562   ACMH1590       SRX1500
Pseudo CB 0
Routing Engine 0          BUILTIN      BUILTIN        SRX Routing Engine
FPC 0            REV 08   711-053832   ACMG3280       FEB
  PIC 0                   BUILTIN      BUILTIN        12x1G-T-4x1G-SFP-4x10G