Security Intelligence and Command and Control Server Threats
When a compromised host tries to initiate contact with a possible command and control (CC) server on the Internet, the SRX Series enforcement point can intercept the traffic and perform an enforcement action based on real-time feed information from Spotlight Secure Connector that identifies the CC server by IP address and URL. The data feed from Spotlight Secure is passed automatically through Spotlight Secure Connector to the security policy as a Dynamic Address Entry (DAE); no explicit commit or configuration change on the SRX Series enforcement point is required. Figure 1 shows how SecIntel handles a CC threat.
1. Spotlight Secure delivers threat intelligence that identifies command and control servers to Spotlight Secure Connector.
2. Spotlight Secure Connector makes the information available to security policies on the SRX Series enforcement point. Spotlight Secure Connector brings together all of the available threat intelligence and makes it available to the security policies on the enforcement point. One instance of Spotlight Secure Connector can supply threat intelligence to many enforcement points.
3. As the threat intelligence is updated on Spotlight Secure Connector, the SRX Series enforcement point polls Spotlight Secure Connector to keep the threat intelligence in the deployed security policies current.
4. All CC server traffic that matches the feed data is discarded or redirected, and the activity is tracked in Log Director. The SRX Series enforcement point security policies perform the enforcement in real time.
Web application traffic is protected.
Enforcement actions include discarding or redirecting network traffic that is identified as a threat. All threat events are logged by Log Director.
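The flow described above (feed snapshot arrives at the connector, the enforcement point polls it, the DAE referenced by policy is refreshed without a commit, and a matching outbound flow is dropped or redirected and logged) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Juniper code and not the Spotlight Secure API; the feed snapshots, the class and function names, the sinkhole address and the log record layout are all constructed assumptions, and the `log` list stands in for Log Director.

```python
"""Simulated SecIntel CC enforcement flow (added example; not Juniper code)."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample feed snapshots (not a real Spotlight Secure feed). The
# connector serves version N; the enforcement point polls and applies whatever
# is newer than the version it already holds.
FEED_SNAPSHOTS = {
    1: ["203.0.113.10", "198.51.100.0/24"],
    2: ["203.0.113.10", "198.51.100.0/24", "192.0.2.77"],
}


class DynamicAddressEntry:
    """Address set referenced by policy; refreshed from the feed without a commit."""

    def __init__(self, name):
        self.name = name
        self.version = 0
        self.networks = []

    def refresh(self, version, addresses):
        # Parse every entry as a network so hosts and prefixes share one lookup path.
        self.networks = [ipaddress.ip_network(a, strict=False) for a in addresses]
        self.version = version

    def __contains__(self, address):
        ip = ipaddress.ip_address(address)
        return any(ip in net for net in self.networks)


def poll_connector(dae, snapshots):
    """Enforcement point polls the connector; returns True if the DAE changed."""
    latest = max(snapshots)
    if latest <= dae.version:
        return False
    dae.refresh(latest, snapshots[latest])
    return True


@dataclass
class CCPolicy:
    dae: DynamicAddressEntry
    action: str = "drop"              # "drop" or "redirect"
    redirect_to: str = "192.0.2.200"  # constructed sinkhole address, used when action == "redirect"
    log: list = field(default_factory=list)  # stands in for Log Director

    def evaluate(self, src, dst, dport):
        """Return the verdict for one outbound flow and record every feed match."""
        if dst not in self.dae:
            return {"verdict": "permit"}
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src": src, "dst": dst, "dport": dport,
            "feed": self.dae.name, "feed_version": self.dae.version,
            "action": self.action,
        }
        if self.action == "redirect":
            event["redirect_to"] = self.redirect_to
        self.log.append(event)
        return {"verdict": self.action, "event": event}


def demo():
    """Show a destination becoming blocked purely through a feed update."""
    dae = DynamicAddressEntry("cc-servers")
    policy = CCPolicy(dae)
    poll_connector(dae, {1: FEED_SNAPSHOTS[1]})                         # feed v1 loaded
    first = policy.evaluate("10.0.0.5", "192.0.2.77", 443)["verdict"]   # not yet listed: permit
    poll_connector(dae, FEED_SNAPSHOTS)                                 # feed v2 adds 192.0.2.77
    second = policy.evaluate("10.0.0.5", "192.0.2.77", 443)["verdict"]  # same policy, now drop
    return first, second, len(policy.log)


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the policy object itself never changes between the two evaluations; only the DAE it references is refreshed by the poll, which is what lets the feed take effect without a commit on the enforcement point. The logged event carries the feed name and version so that an analyst reviewing a block can tell which intelligence snapshot produced it.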