Juniper JN0-230 JNCIA Security Associate – Sky Advanced Threat Protection
Welcome back. Let’s now talk about the next topic, which is Juniper ATP Cloud, also known as Juniper Advanced Threat Protection and also known as Juniper Sky ATP. So, what exactly is Juniper ATP? Well, it’s a framework to protect your hosts against security threats. So it’s a collection of methods and techniques that can be deployed to protect your devices against threats. It is a cloud-based threat detection software that integrates with your SRX firewalls. It checks both inbound and outbound traffic for threats. It allows administrators to stop malware, quarantine infected hosts, prevent data exfiltration, and disrupt lateral movement.
Lateral movement is a peculiar characteristic of malware. Once it infects a host, it then tries to spread itself by infecting other hosts on the network. So the Juniper ATP cloud has the ability to disrupt the lateral movement of malware. The fact that it is a cloud-based solution and that it can be integrated with SRX firewalls makes it very easy to deploy. You do not have to purchase additional hardware. It also delivers protection against zero-day threats. From an architectural standpoint, let’s say this is the architecture of your organization, where you have an SRX firewall. On one side, you have hosts that are connected to the trust zone, and on the other side is the Internet. You can now connect the Sky ATPsolution to your SRX device directly. All that you need is an internet connection, a supported SRX device, and a licence for the solution. You do not need to deploy any additional hardware.
So, as your device is sitting in the trust zone of your firewall and communicating with other devices on the Internet, the SRX device is monitoring the traffic. If it finds anything that looks malicious, it is going to send a copy of that traffic to Sky ATP. Sky ATP is going to evaluate that traffic and provide a verdict. Based on the verdict, the traffic may be dropped. Or it could also be possible that the host may be quarantined. Moving on. The ATP solution is a scalable solution, and it does not require any additional hardware. It provides deep packet inspection capabilities, reporting capabilities, and inline malware blocking. It uses security policies to remediate malicious content and block it before being delivered to the destination host. And here’s an example of how this is done. So here we have a host connected to the SRX device, which is connected to the Sky ATP cloud and the Internet. Now, let’s say the host on the left is trying to download a file from the Internet. As the file download begins, the SRX is looking at this traffic. Now, when the file is almost downloaded, the SRX device is going to hold back the last few KB of that file. This means the file has not been fully delivered to the original host. It holds back the last few KB of that file, and it uploads the file to Sky ATP for evaluation purposes. Now, there are two things that can happen.
Number one, it’s possible that the file has already been evaluated by Sky ATP in the past. In that case, the verdict is provided immediately. So let’s say the file is not infected. So SRX will then forward the file to the end user. The other possible situation is that Sky APT has not seen this file in the past. In that case, Sky ATP will require some time to evaluate that file. So in that case, the file will be allowed to go through to the device while Sky ATP is still evaluating the file. Let’s say the evaluation is complete and SkyATP has determined that the file is malicious. In that case, the host on which the file was downloaded and the file itself were marked as infected based on a configured policy. The host can also be quarantined. So as you can see, Sky ATP provides almost real-time protection against threats for hosts connected to the SRX device. The Sky ATP service also monitors connections to CNC sites. CNC sites are command-and-control sites. These are commonly used by malware to upload data that has been stolen from computers. So for outbound traffic, the SRX device monitors traffic that matches CNC sites or command and control sites. And the reason the SRX device knows about this is because it is connected to the Sky ATP service. So the SRX device is monitoring for connections to CNC sites. It blocks these connections and also reports them to the Sky ATP service. Now, let’s talk about the licencing model. There are three options for licensing. The first one is free. Second, we have a basic feed-only license. And third, we have a premium license. Now, as a prerequisite, you do need to have the “App Secure” functionality enabled on the SRX device. Some SRX devices already have this enabled, while others will require a licence to enable it. But that is a prerequisite for using the Sky ATP service. Now, let’s talk about each of these licence types in detail. starting with the free license. This is available for customers with a valid support contract and using a supported SRX platform. Now, that part is important. Not all SRX devices may be compatible with the Sky ATP service. So if you plan to use the service, make sure you check the Juniper documentation to see which SRX platforms are supported.
The free service only scans executable file types, and based on the result, the SRX device can allow traffic or block the request inline, like the example we saw earlier. Let’s now talk about the basic licensing, which is also called “feed only.” It includes scanning of executable files. It also supports request filtering using threatfeed types for command and control. We spoke about this. It also supports filtering using GeoIP. GeoIP is the mapping of IP addresses to geographical locations. And as you may know, some locations or geographies are known as sources of malware. So you can prevent connections to those geographies or locations. It also supports custom filtering, and it also supports threat intelligence feeds. That means it supports APIs to inject third-party intelligence feeds. Now, that is a good sign for any good threat intelligence service. Support for APIs gives you the flexibility to inject other intelligence feeds and make your threat protection more robust. Now, let’s talk about the Premium license. It includes all of the features found in the free and basic licenses. It performs deeper analysis on traffic using a wide range of analysis techniques. It scans all supported file types—not only executable files but all supported file types. And it also supports quarantining infected hosts. So that’s a high-level overview of the ATP service. The key takeaway here is that it’s a cloud-based service that can be integrated with your SRX device. So the SRX device can derive threat intelligence from that service, look at traffic, identify malware, and block it in real time. In the upcoming lecture, we’ll understand the different malware analysis techniques used by Sky ATP.
All right, now let’s talk about the different malware analysis techniques used by Juniper’s advanced threat protection. Primarily, there are four techniques. The first one is a cache lookup. The second one is antivirus scanning. Number three is static analysis. And number four is dynamic analysis. Now, let’s talk about each of these in detail, starting with the cache lookup. This is similar to the example that we spoke about in the earlier lecture. When a file is uploaded to the service, Juniper ATP checks if the file has been analyzed previously. If yes, the stored verdict is returned to the SRX device, and the file is not analyzed again. If not, the file is analyzed for malware. And while this is happening, the file is sent to the host while Juniper ATP examines the file.
If the analysis returns a malware verdict, the file and the host are flagged. The interesting part about this technique is that it is performed in real time. Next, we have an antivirus scan. This protects against viruses, trojans, worms, spyware, and root kits. It helps in defending against known threats and malware. This is because antiviruses rely on signatures for detection, and signatures are known for malware that has been detected in the past, which is why they help in defending against known malware threats in malware.Juniper ATP uses multiple antivirus software packages to analyse a file. The next analysis technique is static analysis. This is a very popular technique for malware analysis. Here the file is analysed without being executed, meaning we look at the file and try to identify what information we can collect. So we check for known metadata, such as the name of the file, the source of the file, the instructions contained in the file, and the file entropy. File entropy tries to check how random the file is.
A common technique used by malware is to encrypt portions of the code and then decrypt it during runtime. A lot of encryption in the code of the file is a strong indication that it is indeed malware. The important thing to note here is that all of the analysis performed as part of static analysis is done without executing the file. On the other hand, we have another technique called “dynamic analysis.” This involves executing the file in a sandboxed environment, or, in other words, an isolated environment. File activity is monitored and passed to a machine-learning algorithm to generate a verdict. Sophisticated malware can detect that it is being executed in a sandbox environment, and that’s because a sandbox environment lacks human interaction. Juniper ATP uses deception techniques to trick the malware into believing that it is executing in a real user environment. The way it does this is by generating a realistic pattern of user interaction like mouse movements, simulating keystrokes, and installing and launching common software programs.
The ATP service also creates high-value fake targets known as “honeypots,” which are very attractive to malware. So typically on these honeypots, you’ll have stored credentials and user files, and you may also have a realistic network environment that is connected to the Internet. So Juniper ATP uses these analysis techniques to generate a threat score for the file or a threat level for the file. Each threat level has an associated definition. For example, if the threat level is zero, it’s a clean file with no action required. If the threat level is between one and three, it’s a low threat level. Between four and six is a medium threat level, and between seven and ten is a high threat level. Now, as an administrator, you can configure the threat level threshold so that hosts that have been compromised and have a specific threat level or above—for example, threat level seven and above—are added to the infected host list. And that is a number that you, as an administrator, can configure. You can configure the acceptable threat level threshold. The infected host can also be blocked by configuring security policies, and it’s also possible to configure email alerts to be sent when certain threat levels are reached on your hosts.
Welcome back. So far, we’ve discussed what Juniper ATP is as a service and what the analysis techniques used by Juniper ATP are. Now we’re going to talk about blocking mechanisms; there are a few of them. First, we’ll talk about allow lists and block lists. So what is an “allow list”? Well, it’s a list of trusted IPS, trusted hashes, email addresses, and URLs. Content downloaded from these locations will not be inspected because they have been configured to be on the Allow List. The opposite of this is the block list. It’s a list of known untrusted IPS and URLs—a list of IPS and URLs that have been known to be associated with threats.
Access to these locations is blocked, and content cannot be downloaded. Moving on, we can also define custom Allow List and Block List entries. So if we know that an IP or a URL can be trusted, we can add that to the Allow List. Or if we know of a URL that cannot be trusted and is a known source of malware, we can add that to the block list. The allow list is checked first, and then the block list. The SRX device checks for updates approximately every 2 hours. So every 2 hours, it tries to check if there are any new items that need to be added to the Allow List or the Block List. The second technique that can be used is email scanning. The SRX device submits potentially malicious email attachments to the Juniper ATP cloud for inspection. As you may know, email attachments are a very common source of malware on the network. Typically, attackers will send you infected attachments or infected files attached to emails. When the file is opened, the malware infects your host and then tries to spread on the network. So email scanning is a technique where the SRX device is going to check for potentially malicious email attachments and send them to the Juniper ATP cloud for further inspection. Attachments can be checked against Allow Lists and Block Lists. It prevents the spread of malware from email attachments.
Now, there are two popular email protocols. The first is SMTP, which is used for sending emails, and then you have IMAP, which is used for receiving emails. Now, depending on the protocol that you may be using for sending and receiving emails, ATP supports different actions for different protocols. So let’s talk about the actions for SMTP. The first available action is to quarantine malicious messages. The second action is to deliver malicious messages with warning headers attached to them. And the third action is to permit the emails. Now let’s talk about this in detail. The first one is to quarantine malicious messages. So when a malicious attachment is found with an email, the email is quarantined, encrypted, and stored in the Juniper ATP cloud. Then a replacement email is sent to the intended recipient informing them of the quarantine. The replacement email will contain a link to the Juniper ATP cloud portal, where the email can be previewed. The recipient can then request the admin’s release or delete the email. The second available action is to deliver malicious messages with warning headers. In this case, headers are added to email messages, and these headers are recognised by email servers. That means your emails will end up being classified as spam or junk. The last action is permit, which means the email is permitted and received intact. ATP also supports actions for IMAP. This is a protocol that is used for receiving emails.
The first one is to block malicious messages. With this action, any email found with malicious attachments will be blocked, and the other action is permit, which allows recipients to receive the email intact. So, to summarize, the email scanning feature works like this: When the SRX device sees an email with an attachment, it submits the attachment to the Sky ATP service for analysis. The service will analyse the attachment and then compute a threat score. If the threat score of the attachment is low, the email is allowed to pass. If the score is found to be high, the email is going to be quarantined. When the email is quarantined, a replacement email is sent to the original intended recipient. The replacement email contains a link to the Juniper ATP cloud portal. Using the link, the recipient can preview the email. Also, when the email is quarantined, it is encrypted and stored in the Sky ATP portal. Once the recipient takes a look at the email, he can then request that the administrator release or delete the email. The other blocking mechanism is file inspection profiles. This allows you to define which files or file categories should be sent to the Juniper ATP cloud for inspection. This is important because it is easier to configure file categories than to list every single file tab that needs to be inspected. So you can configure categories like this: executable files, Java files, documents, configuration files, OS packages, scripting files, archive files, et cetera.
Now, there’s a whole list of categories that you can configure, and the full list is available in the Juniper Sky ATP documentation. Let’s talk about the next technique, which is advanced threat profiling. And this is a very interesting one. It allows SRX devices in your network to generate threatfeeds, propagate them to Juniper ATP, and then consume them on other SRX devices in your network. So essentially, the SRX devices sitting in your network are now acting as sensors, collecting threat intelligence and sending it to the Juniper ATB portal, which will then send it to other SRX devices connected to your network. This is especially important if you are a scaled-out organization. If you have offices in different locations or different sites, it is likely that your devices are going to move across these sites. So if one SRX device notices a threat on the network, it can then inform the ATP portal. The ATP portal can then inform other devices connected to the network. You can configure security or IDP policies that, when matched, can inject the source or destination IP addresses into a threat feed to Juniper ATP. This can then be leveraged by other devices on the network. So essentially, this is how it works. You have multiple SREX devices in your network, and you have a subscription to Sky ATP Cloud. Now, one of the SREX devices notices a threat on the network, and it informs Sky ATP. Sky ATP will then analyse that, deduplicate any records, and then forward it to other SREX devices connected to your network. The next mechanism we’re going to talk about is SEC intelligence feeds. This provides threat intelligence from juniper ATP, juniper threatlabs, and other third party feeds to MX seriesdevices, srxeries devices, and NFX series devices.It helps block CNC communications or command and control site communications. So those are the different blocking mechanisms available with Juniper ATP.
At the JNCI security level, we only need to understand the high-level operation of Sky ATP and its blocking mechanisms, not how to configure them. So we’re not going to get into the configuration part, but I do want to show you what the Sky ATP portal looks like. All right, I’m here at the Sky ATB portal, and this is what the dashboard looks like. As you can see, I do not have any data on this portal, and that’s because this subscription is connected to an SRX device that doesn’t have any traffic going through it. So as a result, we’re not seeing much data on the dashboard, but nonetheless, we can get a feel for the dashboard. So you’ve got some widgets over here that are for command and control servers and malware source locations. Here we have a widget for top-infected file categories, top-scanned file categories, top malware identified, and top compromised hosts. Now this dashboard is completely flexible, so you can move around these widgets. The next thing available here is a monitor. This now includes everything we discussed, such as CNC servers, filescanning, encrypted traffic, blocked email, and telemetry. The other one is devices. This is going to show you a list of devices enrolled in the service. Right now I only have one connected device, and it’s easier to enrol additional devices. If you want to enrol an SRX device, the first thing to make sure of is that it has a supported platform, because not all platforms are supported. The second thing to make sure is that you have a sky ATP licence installed on the SRX device. Then you will come over to the Sky ATP portal, click Enroll, and you’ll be provided with a URL.
You just need to execute that URL on the SRX device. All the required packages will be downloaded on the SRXdevice and will then connect to the sky ATB portal. So if I click on the SRX device over here, I can see the information about the enrol device. Moving on. We have the option to configure this as well. So we can configure file inspection profiles. We spoke about this. We can configure email management, whitelists, blacklists, or allow lists and block lists. We can configure adaptive threat profiling. We can configure SEC intelligence feeds, and we can also configure threat levels for infected hosts. So as you can see here on my subscription, I’ve configured this as seven. We spoke about email alerts that can be configured over here. And the other thing over here is reports. It has some prebuilt reports that you can run. For example, threat assessments for the last 24 hours, threat assessments for the last week, and threat assessments for the last month Now, if you wanted to run any report, you could simply check the box here and click “run.” Now that’s going to run the report and download a PDF on your local machine. All right, so that’s about Sky ATP at a high level. From the examination perspective, all we need to know is, “What is Sky ATP as a service?” What are the techniques used for analysing malware, and what are the blocking mechanisms?
Popular posts
Recent Posts